Security Incidents mailing list archives

RE: Virus/trojan tunnel out from behind firewall?
From: "M.Verba" <M.Verba () verizon net>
Date: Mon, 25 Feb 2002 21:23:39 -0500

Interesting... I have been reading and following up on this discussion. I
seem to have received the email below. I did not open it, as it was from
a person with a hotmail.com address. In addition, I did not open the link
provided, as it seems to be a link created using the geocities domain.

Is this a hoax?

-----Original Message-----
From: Mike Shaw [mailto:mshaw () wwisp com]
Sent: Monday, February 25, 2002 6:31 PM
To: Rich Puhek; David Carmean
Cc: incidents () securityfocus com
Subject: Re: Virus/trojan tunnel out from behind firewall?


Sounds like "shell shoveling".  With the source code to Netcat, a decent
coder could make a shell shovelling program easily.  Then 'glue' it to the
elf-bowling du-jour and fakemail to your favorite target.  This will bypass
many if not the majority of FW configs.

If you wanted to get real jiggy, you could make it connect to an IRC server
and wait for commands to 'shovel' on cue.  OR, periodically check an HTTP
discussion group waiting for the key-phrase.  Call it "manchurian
1.0"... *sigh* if I only had the time.

-Mike

At 10:22 PM 2/24/2002 -0600, Rich Puhek wrote:
David Carmean wrote:

Greetings.  New to the list; have looked through a few months of
the archives and hadn't seen this come up:

Have there been any cases of a trojan/virus/etc tunnelling out from
behind a firewall and thus providing an attacker a way into the
"chewy center"?

Do you mean a trojan/virus that actively establishes a tunnel through
SSH, etc to an outside machine as a method of bypassing a stateful
firewall?

Or do you just mean that a trojan/virus/etc has provided an opening
despite the firewall?

I'd also consider the gray areas in between, like worms/trojans that
transfer info (passwds, etc) back through SMTP, HTTP, or IRC.

--Rich


_________________________________________________________

Rich Puhek
ETN Systems Inc.
_________________________________________________________

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



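The two outbound behaviours Mike Shaw describes, a single long-lived "shovelled" connection and a program that periodically polls an outside IRC or HTTP server for commands, both leave a signature in egress logs: an unusually long session, or the same internal host reaching the same destination at near-constant intervals. The script below is an added example written for this thread, not code from any of the posters; the one-line log format, the addresses, the timestamps and the thresholds are constructed assumptions, and it generalises slightly beyond the post by scoring any destination port, not just IRC.

```python
"""Flag the two egress patterns discussed in the thread: a single long-lived
outbound session and periodic polling of one outside server.

Added example for this thread. The log format, hosts, timestamps and
thresholds are constructed assumptions, not any firewall's real output."""
import re
import statistics
from collections import defaultdict

# Constructed log format (assumption):
#   "<epoch> OUT <src_ip> -> <dst_ip>:<dst_port> dur=<seconds>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) OUT (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) dur=(?P<dur>\d+)$"
)

# Constructed sample: one long-lived session (10.0.0.5), one host polling the
# same web server every 600 s (10.0.0.7), irregular browsing (10.0.0.8), mail.
SAMPLE_LOG = """
1014600000 OUT 10.0.0.7 -> 198.51.100.4:80 dur=1
1014600050 OUT 10.0.0.5 -> 203.0.113.9:443 dur=7200
1014600100 OUT 10.0.0.8 -> 198.51.100.50:80 dur=3
1014600130 OUT 10.0.0.8 -> 198.51.100.50:80 dur=2
1014600200 OUT 10.0.0.9 -> 203.0.113.25:25 dur=5
1014600600 OUT 10.0.0.7 -> 198.51.100.4:80 dur=1
1014601200 OUT 10.0.0.7 -> 198.51.100.4:80 dur=1
1014601800 OUT 10.0.0.7 -> 198.51.100.4:80 dur=1
1014601900 OUT 10.0.0.8 -> 198.51.100.50:80 dur=4
1014602400 OUT 10.0.0.7 -> 198.51.100.4:80 dur=1
1014603000 OUT 10.0.0.8 -> 198.51.100.50:80 dur=2
""".strip().splitlines()


def parse_lines(lines):
    """Parse matching lines into dicts; lines in another format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": int(m["ts"]), "src": m["src"], "dst": m["dst"],
                "port": int(m["port"]), "dur": int(m["dur"]),
            })
    return events


def find_long_lived(events, min_seconds=3600):
    """Sessions open far longer than a page load or mail fetch would be."""
    return [e for e in events if e["dur"] >= min_seconds]


def find_beacons(events, min_count=4, max_jitter_ratio=0.1):
    """Same src->dst:port repeated at near-constant intervals: a poll loop.

    Jitter is the standard deviation of the gaps divided by their mean; a
    hand-driven client is irregular, a timer-driven one is not."""
    by_flow = defaultdict(list)
    for e in events:
        by_flow[(e["src"], e["dst"], e["port"])].append(e["ts"])
    beacons = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter_ratio:
            beacons.append({"flow": flow, "count": len(stamps), "interval": mean})
    return beacons


def summarize(lines):
    """Run both checks over raw log lines and return the findings."""
    events = parse_lines(lines)
    return {"long_lived": find_long_lived(events), "beacons": find_beacons(events)}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for e in result["long_lived"]:
        print(f"long-lived: {e['src']} -> {e['dst']}:{e['port']} open {e['dur']} s")
    for b in result["beacons"]:
        src, dst, port = b["flow"]
        print(f"beacon: {src} -> {dst}:{port} x{b['count']} every {b['interval']:.0f} s")
```

Thresholds are the tuning knobs: lower `max_jitter_ratio` catches only strict timers, and a real deployment would baseline what the site's own mail and proxy traffic looks like before alerting.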
--- Begin Message ---
From: <cyber_flash () hotmail com>
Date: Mon, 25 Feb 2002 15:16:40 -0500


Description:
---------------
In Macromedia Flash 5 it is possible to save the main 
timeline variables of a movie to a file using the 
undocumented fscommand "save".

This Windows 9X demo

http://www.geocities.com/cyber_flash5/

initializes the timeline variable with a trojan script 
using Flash's own built-in actionscript which will be 
saved in a file called "trojan.bat" located in the Start 
Up folder path:
C:\\WINDOWS\\Start Menu\\Programs\\StartUp\\

On the next reboot the batch file is run, creating a 
harmless "trojan.exe" (fire flames graphic display) 
program which is executed!

This works only from Windows projectors (not in a 
browser) and mainly affects website authors.

Exploit?
----------
fscommand("save",path\\filename)

This function is neither documented nor supported by 
Macromedia but is still present in their latest updated 
Flash Player!?

Solution:
-----------
Macromedia will quite probably remove the "save" 
fscommand call in the near future, and until then, 
always be careful when opening unknown email 
attachments etc.

Macromedia has been notified of this potential threat.

Thanks. 


--- End Message ---
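The report above turns on one persistence step: a batch file written into the Startup folder so that it runs at the next boot. From the defender's side, the corresponding check is an inventory of that folder for runnable files nobody put there. The script below is an added example written for this thread; it is not part of the report and not Macromedia's code. The extension list, the allowlist, and the contents of the demo folder are constructed assumptions, and it looks at the per-user Startup path of current Windows versions rather than the Windows 9X path quoted in the report.

```python
"""Audit a Windows Startup folder for dropped script or executable files.

Added example for this thread. The extension list, allowlist handling and
the demo folder contents are constructed assumptions."""
import hashlib
import os
import tempfile
from pathlib import Path

# File types that execute when Windows processes the Startup folder
# (assumption: a conservative list; .lnk is included because a shortcut can
# point at anything).
RUNNABLE_EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".vbs", ".js", ".lnk"}


def default_startup_folder():
    """Per-user Startup folder on current Windows versions (assumption:
    APPDATA is set). The report's Windows 9X path was
    C:\\WINDOWS\\Start Menu\\Programs\\StartUp\\ instead."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return None
    return Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def sha256_of(path):
    """Hash the file so a finding can be compared against known-good copies."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_startup_folder(folder, allowlist=()):
    """Return one finding per runnable file not on the allowlist, sorted by name."""
    allowed = {name.lower() for name in allowlist}
    findings = []
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file():
            continue
        if entry.suffix.lower() in RUNNABLE_EXTS and entry.name.lower() not in allowed:
            findings.append({
                "name": entry.name,
                "size": entry.stat().st_size,
                "sha256": sha256_of(entry),
            })
    return findings


def build_demo_folder():
    """Constructed stand-in for a Startup folder: one dropped batch file, one
    harmless metadata file and one shortcut an administrator expects. The
    batch file only echoes a line and is never executed here."""
    folder = Path(tempfile.mkdtemp(prefix="startup-demo-"))
    (folder / "trojan.bat").write_text("@echo off\nrem constructed placeholder, does nothing\n")
    (folder / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (folder / "vendor-agent.lnk").write_bytes(b"L\x00\x00\x00")  # constructed bytes, not a real shortcut
    return folder


def demo():
    """Audit the constructed folder with the expected shortcut allow-listed."""
    folder = build_demo_folder()
    return [f["name"] for f in audit_startup_folder(folder, allowlist=["vendor-agent.lnk"])]


if __name__ == "__main__":
    target = default_startup_folder()
    if target is not None and target.is_dir():
        for f in audit_startup_folder(target):
            print(f"{f['name']}  {f['size']} bytes  sha256={f['sha256']}")
    print("demo findings:", demo())
```

On a real host the allowlist would hold the shortcuts the build is supposed to carry, so that any other runnable file in the folder becomes a finding worth a hash lookup and a look at who wrote it.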
