Penetration Testing mailing list archives
Re: [PEN-TEST] penetrating trojan
From: Panagiotis Dimitriou <pdimit () SPACE GR>
Date: Thu, 7 Dec 2000 09:52:42 +0200
Sorry, but the attachment had been stripped by the moderator. However, the script I was talking about can be found inside the article "Placing Backdoors Through Firewalls" (http://thc.inferno.tusculum.edu/files/thc/rwwwshell-1.6.perl).
-----Original Message-----
From: Panagiotis Dimitriou
Sent: 05 December 2000 10:00
To: 'Penetration Testers'
Subject: RE: [PEN-TEST] penetrating trojan
I've found a perl-based trojan that might do the trick (you can find it
attached). I've never tested but it looks fine.
Any feedback would be appreciated..
Panos Dimitriou
IT Security Analyst
SPACE HELLAS
-----Original Message-----
From: Tom Vandepoel [SMTP:Tom.Vandepoel () UBIZEN COM]
Sent: 03 December 2000 00:19
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] penetrating trojan
Arthur Clune wrote:
> > I too can picture some terrifying scenarios where the connection is client
> > initiated on port 80.
>
> Surely you can use netcat and "at" to get a system
> to "phone home", or am I missing something here?
>
That's the first step; haven't seen stuff like that in the wild yet. Of course the goal of a pen-trojan is not to spread widely, but to quietly enter a network. So it will be less likely to be discovered in the wild.
I have spent some small amount of time trying to encapsulate netcat into a self-depacking vbs script; I have been using the GodMessage trojan as a template, but I haven't got it working yet. Shouldn't be that hard, though.
I generally recommend customers to be very restrictive on outbound traffic, just to reduce the chance of a trojan 'phoning home'. Of course, put httptunnel together with some smart vbs scripting and this doesn't matter anymore...
We all know the real problem lies somewhere else; mobile code is a security nightmare...
Tom.
--
_________________________________________________
Tom Vandepoel
Sr. Network Security Engineer
www.ubizen.com
tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00
Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
_________________________________________________
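A defender's view of the scheduled, client-initiated "phone home" on port 80 discussed in this thread, as an added example that is not part of the original messages: a script that flags internal hosts whose outbound connections to one destination recur at near-constant intervals. The log format, the thresholds and every address in the sample are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection records (not real traffic).
# Assumed format: epoch_seconds source_ip destination port
SAMPLE_LOG = """\
975830400 10.0.0.23 198.51.100.7 80
975830410 10.0.0.5 www.example.com 80
975830425 10.0.0.5 www.example.com 80
975830700 10.0.0.23 198.51.100.7 80
975830800 10.0.0.5 www.example.com 80
975830810 10.0.0.5 www.example.com 80
975831001 10.0.0.23 198.51.100.7 80
975831299 10.0.0.23 198.51.100.7 80
975831600 10.0.0.23 198.51.100.7 80
975831900 10.0.0.23 198.51.100.7 80
975832300 10.0.0.5 www.example.com 80
975832350 10.0.0.5 www.example.com 80
975832400 10.0.0.9 www.example.org 80
this line is malformed and is skipped
"""

def find_regular_callers(log_text, min_events=5, max_jitter=0.1):
    """Return {(src, dst, port): mean_gap_seconds} for machine-regular flows."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not (parts[0].isdigit() and parts[3].isdigit()):
            continue  # ignore blank or malformed records
        ts, src, dst, port = parts
        times[(src, dst, int(port))].append(int(ts))
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < max(min_events, 2):
            continue  # too few connections to judge timing
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low coefficient of variation means scheduler-like regularity;
        # human browsing produces bursts and long pauses instead.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = avg
    return flagged

if __name__ == "__main__":
    for (src, dst, port), gap in find_regular_callers(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} roughly every {gap:.0f}s")
```

Timing regularity only catches callers that run on a fixed schedule, so it complements restrictive outbound rules rather than replacing them.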
