Re: Virus/trojan tunnel out from behind firewall?

[Ben Efros <Ben-bugtraq () efros com>]

I have done this type of tunneling out from inside a protected network a
few times. 
I've utilized the following configuration: SSH, PPP, Linux, and httptunnel
(once replaced ssh with stunnel).

I did this to bypass an extremely restrictive internet filter.  I could
use the tunnel as a two-way path between networks and had full access to
the inner network.

I used SSH to compress / encrypt all the traffic.
PPP was used to emulate network devices and allow me a "gateway" to the
foreign network
httptunnel was used to bypass the "firewall" which only allowed DNS and
HTTP traffic out.
The HTTP traffic was filtered... and banners were added to every page that
passed through the proxy, so this got messy and involved some tweaking.

If you can only get unfiltered DNS outbound... then you can utilize a DNS
"tunneling" application to do things similar to how httptunnel works.


This whole process is quite easy if you gain root access on an internal
(protected) machine.  You need to have the internal ("protected") system
initiate an httptunnel to a remote ("server") system that is running a
listening copy of httptunnel that then forwards the connection into ssh
(using the identities and NOT password authentication so that it auto-logs
in).  Once SSHD on your remote system that you control gets the
connection, it executes PPP that echos the PPP traffic to STDOUT and
reading on STDIN and not a serial device.  Now at this point, your
protected ("secure") machine has PPP running and also sending stuff
through STDOUT and listening on STDIN.

You now have a VALID two-way tunnel that is using SSH and PPP devices. 
You can add an auto-reconnect feature and have crond run it when the
connection fails also... because it will fail occasionally.

If anyone needs help and can't figure out the details of commands that
they need to run then let me know and I'll try to help.

It should also be possible to use a steganography tool to "encode" data
into "images" that appear valid when viewed in web browsers... instead of
using httptunnel.  This would add to the "secrecy" of your transmissions
:)

Ben Efros

> For sites which allow unrestricted outbound connections, it would 
> probably be impossible to detect if the trojan did nothing else 
> destructive to arouse suspicion. 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com