Penetration Testing mailing list archives

Re: [PEN-TEST] penetrating trojan


From: Conor Crowley <ccrowley () CONORCROWLEY COM>
Date: Fri, 1 Dec 2000 13:46:09 -0800

I too can picture some terrifying scenarios where the connection is client
initiated on port 80. A proxy service can help defend against this in that
only legit web traffic is passed, but the next step for the BO plug-in coder
would be to disguise the tunnel as HTTP. And since the source for BO and
programs like hypertunnel are openly available, do NOT count on being immune
just because you're NATting, have a firewall and also use a proxy. You have
to assume others have and actively are currently putting 1+1 together.

Only defense I can think of is a nIDS. But... of course it would need to be a
known signature; at the moment, this is likely to be home-grown, so
signatures will vary.

A *really* tight desktop policy will also help.

Ahhh!!!!!!!!!!! The thought of this makes my skin crawl. Think I'll go stick
my head in the sand for a while.

BTW, if you find one pre-made. Let me know!

..Conor
----- Original Message -----
From: "Sven Bruelisauer" <sven () OPEN CH>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, December 01, 2000 6:57 AM
Subject: [PEN-TEST] penetrating trojan


Hello,

Recently, associated with a penetration test of one of our customers, we
had a long discussion about various hacker techniques including well
known trojans such as bo2k or sub7.

Despite the huge variety of plug-ins that are available for bo2k, for
example, I did not encounter one that makes the trojan the initiator of
a connection. The trojan may send the IP of the compromised system to
his master or accept encrypted connections, even over tunneling, as I
detected once.

So all companies that have Network Address Translation enabled are safe
from such trojans, since the "master" will never be able to contact the
trojan (the victim's IP will not be routed from the outside)!?

What would make the situation a lot more dangerous is if the trojan
itself initiated the connection, let's say over port 80 using the HTTP
protocol, e.g. pretending to be a browser. Most firewall settings would
allow such a connection and the trojan could unfold his power (assuming
he was not detected by a local anti-virus program).

Why did I never encounter such a trojan? Am I missing something... has
anybody heard of such attacks?

Regards
  sven
-------------------------------------------------------------
OOOOOOOOOOO         sven bruelisauer      sven () open ch
O         O          cellular:   (+41) 79 6091401
O open    O          work:                (+41) 1  4557400
O systems O
O         O          http://www.open.ch
OOOOOOOOOOO
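Sven asks about a trojan that opens its own outbound HTTP connection through the firewall, and Conor replies that a signature-based nIDS will not know a home-grown tunnel. One behaviour such a tunnel has trouble hiding from the proxy Conor mentions is timing: an implant polling its controller tends to request the same host at a fixed interval, while a person browsing does not. The script below is an added example, not code from either poster; it parses constructed lines in Squid's native access.log layout and flags client/host pairs whose request intervals are nearly constant. The hostnames, addresses, timestamps and thresholds are all made up for the illustration.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout (not real traffic):
#   time elapsed client code/status bytes method URL ident hierarchy type
# 10.0.0.5 fetches one URL every ~60 s; 10.0.0.7 browses at irregular times.
SAMPLE_LOG = """\
975700000.000 12 10.0.0.5 TCP_MISS/200 512 GET http://updates.example.invalid/check.asp - DIRECT/192.0.2.10 text/html
975700003.100 40 10.0.0.7 TCP_MISS/200 8123 GET http://news.example.invalid/ - DIRECT/192.0.2.20 text/html
975700009.400 35 10.0.0.7 TCP_HIT/200 2310 GET http://news.example.invalid/world.html - NONE/- text/html
975700020.500 30 10.0.0.5 TCP_MISS/200 6044 GET http://news.example.invalid/ - DIRECT/192.0.2.20 text/html
975700051.000 28 10.0.0.7 TCP_MISS/200 1150 GET http://news.example.invalid/sport.html - DIRECT/192.0.2.20 text/html
975700060.200 11 10.0.0.5 TCP_MISS/200 512 GET http://updates.example.invalid/check.asp - DIRECT/192.0.2.10 text/html
975700119.900 13 10.0.0.5 TCP_MISS/200 512 GET http://updates.example.invalid/check.asp - DIRECT/192.0.2.10 text/html
975700130.600 41 10.0.0.7 TCP_MISS/200 9802 GET http://news.example.invalid/tech.html - DIRECT/192.0.2.20 text/html
975700135.200 22 10.0.0.7 TCP_MISS/200 3300 GET http://news.example.invalid/about.html - DIRECT/192.0.2.20 text/html
975700180.100 12 10.0.0.5 TCP_MISS/200 512 GET http://updates.example.invalid/check.asp - DIRECT/192.0.2.10 text/html
this line is deliberately malformed and must be skipped by the parser
975700240.000 12 10.0.0.5 TCP_MISS/200 512 GET http://updates.example.invalid/check.asp - DIRECT/192.0.2.10 text/html
975700299.800 14 10.0.0.5 TCP_MISS/200 512 GET http://updates.example.invalid/check.asp - DIRECT/192.0.2.10 text/html
975700301.000 50 10.0.0.7 TCP_MISS/200 7000 CONNECT mail.example.invalid:443 - DIRECT/192.0.2.30 -
"""

# One Squid native log line: ten space-separated fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) +(?P<elapsed>\d+) +(?P<client>\S+) +(?P<result>\S+) +"
    r"(?P<bytes>\d+) +(?P<method>\S+) +(?P<url>\S+) +(?P<ident>\S+) +(?P<hier>\S+) +(?P<type>\S+)$"
)


def host_of(url: str) -> str:
    """Host part of a logged URL; CONNECT requests are logged as host:port without a scheme."""
    if "://" in url:
        return urlsplit(url).hostname or url
    return url.rsplit(":", 1)[0]


def parse_line(line: str):
    """Parse one access.log line into a dict, or return None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m["ts"]), "client": m["client"],
            "method": m["method"], "host": host_of(m["url"])}


def find_beacons(lines, min_requests=5, max_cv=0.1):
    """Return {(client, host): (count, mean_gap_seconds, cv)} for client/host pairs
    whose inter-request gaps are nearly constant (coefficient of variation <= max_cv).
    min_requests and max_cv are assumed thresholds, tuned here to the sample only."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            times[(rec["client"], rec["host"])].append(rec["ts"])
    hits = {}
    for key, ts in times.items():
        if len(ts) < min_requests:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap  # 0 means perfectly periodic
        if cv <= max_cv:
            hits[key] = (len(ts), mean_gap, cv)
    return hits


if __name__ == "__main__":
    for (client, host), (n, gap, cv) in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"{client} -> {host}: {n} requests, every {gap:.1f}s (cv={cv:.3f})")
```

The five-request minimum and the 0.1 coefficient-of-variation cut-off are illustrative; a real implant can add jitter or sleep for hours, so in practice the check is run over long windows and combined with other proxy-visible signals such as a constant response size (the 512-byte replies in the sample) or polling that continues outside working hours.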