Security Incidents mailing list archives
Re: Virus/trojan tunnel out from behind firewall?
From: Ben Efros <Ben-bugtraq () efros com>
Date: Mon, 25 Feb 2002 20:32:53 -0800
I have done this type of tunneling out from inside a protected network a few times. I've utilized the following configuration: SSH, PPP, Linux, and httptunnel (once replaced ssh with stunnel). I did this to bypass an extremely restrictive internet filter. I could use the tunnel as a two-way path between networks and had full access to the inner network.

I used SSH to compress / encrypt all the traffic. PPP was used to emulate network devices and allow me a "gateway" to the foreign network. httptunnel was used to bypass the "firewall" which only allowed DNS and HTTP traffic out. The HTTP traffic was filtered... and banners were added to every page that passed through the proxy, so this got messy and involved some tweaking. If you can only get unfiltered DNS outbound... then you can utilize a DNS "tunneling" application to do things similar to how httptunnel works.

This whole process is quite easy if you gain root access on an internal (protected) machine. You need to have the internal ("protected") system initiate an httptunnel to a remote ("server") system that is running a listening copy of httptunnel that then forwards the connection into ssh (using the identities and NOT password authentication so that it auto-logs in). Once SSHD on your remote system that you control gets the connection, it executes PPP, which echoes the PPP traffic to STDOUT and reads from STDIN instead of a serial device. Now at this point, your protected ("secure") machine has PPP running and also sending stuff through STDOUT and listening on STDIN. You now have a VALID two-way tunnel that is using SSH and PPP devices. You can add an auto-reconnect feature and have crond run it when the connection fails also... because it will fail occasionally.

If anyone needs help and can't figure out the details of commands that they need to run then let me know and I'll try to help.

It should also be possible to use a steganography tool to "encode" data into "images" that appear valid when viewed in web browsers... instead of using httptunnel. This would add to the "secrecy" of your transmissions :)

Ben Efros
For sites which allow unrestricted outbound connections, it would probably be impossible to detect if the trojan did nothing else destructive to arouse suspicion.
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
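The post above describes two outbound channels a tunnel can ride on where only HTTP and DNS are allowed out: an HTTP tunnel through the proxy, and a DNS tunnel that encodes its payload into hostnames. As an added, defender-side example that is not part of this message or the thread, the following Python script shows the traffic pattern each of those leaves in ordinary proxy and DNS logs and flags it: many requests from one client to one host whose upload volume dwarfs the responses (a browser downloads far more than it uploads; a tunnel pushing data out does the reverse), and bursts of queries for long, high-entropy hostnames under a single domain. The log formats, addresses, hostnames, sample lines and thresholds are all constructed assumptions for the example, not values from the post.

```python
"""Heuristic detection of covert HTTP and DNS tunnels in log data.

Added example (not from the original post). All sample log lines below are
constructed; the two-column/five-column formats are assumptions, as are the
thresholds, which would be tuned against a site's own baseline.
"""
import math
from collections import defaultdict

# Constructed sample proxy log: "client method host bytes_out bytes_in".
PROXY_LOG = """
10.0.0.5 GET www.example.com 412 18340
10.0.0.5 GET www.example.com 388 22110
10.0.0.5 POST www.example.com 950 4020
10.0.0.9 POST relay.example.net 65536 210
10.0.0.9 POST relay.example.net 65536 198
10.0.0.9 POST relay.example.net 65536 205
10.0.0.9 POST relay.example.net 65536 190
10.0.0.9 POST relay.example.net 65536 220
10.0.0.9 POST relay.example.net 65536 201
""".strip().splitlines()

# Constructed sample DNS query log: "client qname".
DNS_LOG = """
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 www.example.com
10.0.0.9 9f3a7c2e1b8d4f6a0e5c7b9d2f4a6c8e1b3d5f7a.t.example.org
10.0.0.9 4c8e1b3d5f7a9f3a7c2e1b8d4f6a0e5c7b9d2f4a.t.example.org
10.0.0.9 0e5c7b9d2f4a6c8e1b3d5f7a9f3a7c2e1b8d4f6a.t.example.org
10.0.0.9 7b9d2f4a6c8e1b3d5f7a9f3a7c2e1b8d4f6a0e5c.t.example.org
10.0.0.9 2f4a6c8e1b3d5f7a9f3a7c2e1b8d4f6a0e5c7b9d.t.example.org
""".strip().splitlines()


def shannon_entropy(text):
    """Bits of entropy per character; encoded payload labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels of a name (assumption: no public-suffix list here)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def http_tunnel_suspects(lines, min_requests=5, min_upload_ratio=50.0):
    """Return (client, host) pairs with many requests whose bytes sent
    outweigh bytes received by min_upload_ratio or more."""
    stats = defaultdict(lambda: [0, 0, 0])  # requests, bytes_out, bytes_in
    for line in lines:
        client, _method, host, out, inp = line.split()
        entry = stats[(client, host)]
        entry[0] += 1
        entry[1] += int(out)
        entry[2] += int(inp)
    return sorted(key for key, (req, out, inp) in stats.items()
                  if req >= min_requests and out / max(inp, 1) >= min_upload_ratio)


def dns_tunnel_suspects(lines, min_queries=5, min_label_len=30, min_entropy=3.5):
    """Return (client, domain) pairs issuing many queries whose leftmost
    label is unusually long or random-looking: a DNS tunnel has to carry
    its payload in that label, so it cannot look like 'www' or 'mail'."""
    groups = defaultdict(list)
    for line in lines:
        client, qname = line.split()
        groups[(client, registered_domain(qname))].append(qname.split(".")[0])
    suspects = []
    for key, labels in groups.items():
        if len(labels) < min_queries:
            continue
        avg_len = sum(len(label) for label in labels) / len(labels)
        avg_ent = sum(shannon_entropy(label) for label in labels) / len(labels)
        if avg_len >= min_label_len or avg_ent >= min_entropy:
            suspects.append(key)
    return sorted(suspects)


if __name__ == "__main__":
    for client, host in http_tunnel_suspects(PROXY_LOG):
        print(f"possible HTTP tunnel: {client} -> {host}")
    for client, domain in dns_tunnel_suspects(DNS_LOG):
        print(f"possible DNS tunnel: {client} -> *.{domain}")
```

Both checks are deliberately coarse: the upload ratio alone would also flag a legitimate bulk uploader, and long labels alone would flag some CDN or tracking hostnames, so in practice the output is a triage list to correlate with session duration and with whether the destination is one the site already knows. The sample data is small enough to read by eye; the point is that the asymmetry the post relies on (a steady outbound payload where only browsing or name lookups should be) is visible in logs the proxy and resolver already keep.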
Current thread:
- Virus/trojan tunnel out from behind firewall? David Carmean (Feb 24)
- RE: Virus/Trojan tunnel out from behind firewall? Bill Royds (Feb 25)
- Re: Virus/trojan tunnel out from behind firewall? Rich Puhek (Feb 25)
- Re: Virus/trojan tunnel out from behind firewall? David Carmean (Feb 25)
- Re: Virus/trojan tunnel out from behind firewall? Rich Puhek (Feb 25)
- Re: Virus/trojan tunnel out from behind firewall? Ben Efros (Feb 26)
- Re: Virus/trojan tunnel out from behind firewall? Mike Shaw (Feb 25)
- RE: Virus/trojan tunnel out from behind firewall? M.Verba (Feb 26)
- Re: Virus/trojan tunnel out from behind firewall? David Carmean (Feb 25)
- Re: Virus/trojan tunnel out from behind firewall? Ryan Russell (Feb 25)