Penetration Testing mailing list archives

Re: [PEN-TEST] penetrating trojan


From: Pierre Vandevenne <pierre () datarescue com>
Date: Sun, 3 Dec 2000 19:39:22 +0100

On Sun, 3 Dec 2000 12:35:52 +0300, Kazennov Vladimir wrote:

I think that the normal defense for a workstation is a firewall that has
rules in which you may define the name of the application (e.g. @guard). For example, only
your mailer can set up an outbound connection to port 25 of only your

It could probably help if the situation gets worse. But there are a few
things to keep in mind: if the protection is hard to manage (and
@guard is in a corporate environment), it won't be managed. If a few
easy-to-manage solutions emerge as standards, the fact that the trojan
gets to execute at one point will mean that it is able to disable or
reconfigure these local protections, just as early virus writers
learned to disable resident anti-virus. In that respect, a bottleneck
on a secured server will be more secure but of course will have to
leave some doors open. Now, if one steps back a bit and looks at the
larger picture, one must also remember that trojans' functions can be
_very_ obfuscated. Any attacker with some resources can, for example,
launch a nice free screen saver, download accelerator (whatever utility
is likely to attract a large public) containing an obfuscated trojan part,
or a part that can update itself to a trojan later (à la Hybris, for
example) - definitely something to consider if you are worrying about
the security of a critical organization.

IMHO, it is impossible to properly address the risk of mobile code
within the bounds of the current operating systems. We are confronted
with a problem that has, for now, no totally satisfying technical answer.
We are forced to look at the human side of the problem: I know this is
extremely hard to achieve in practice, but a reasonable and lucid
penetration resistance assessment should include an evaluation of the
target organization's average user computing practices and eventually
recommend user education (even though we know that the results are
limited at best) and sounder computing practices. Many organizations
spend fortunes hardening themselves without taking that factor into
account :-(


---
Pierre Vandevenne - DataRescue sa/nv
Home of the IDA Pro Disassembler  -  Version 4.14 now available!
http://www.datarescue.com/idabase/ida.htm
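As an added example (not part of the original post, and not @guard configuration): the per-application outbound rule the thread describes, written for the Windows Defender Firewall cmdlets of the NetSecurity module, plus a check that lists which programs may reach TCP/25 and the one-liner that makes the poster's caveat concrete. The mailer path and the rule name are assumptions; run it from an elevated session.

```powershell
# Added example: per-application egress rule of the kind the post describes,
# written for the Windows Defender Firewall cmdlets (NetSecurity module),
# not for @guard. The mailer path and rule name below are assumed.
# Run from an elevated PowerShell session.

$MailerPath = 'C:\Program Files\Mailer\mailer.exe'   # assumed path
$RuleName   = 'Allow mailer outbound SMTP'            # assumed name

# 1. Default-deny outbound on all profiles, so only explicit allow rules
#    can reach the network. Without this, the allow rule below changes nothing.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Allow exactly one program to open TCP/25 outbound.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Outbound -Action Allow -Enabled True `
    -Program $MailerPath -Protocol TCP -RemotePort 25 | Out-Null

# 3. Check: which enabled outbound allow rules reach TCP/25, and for which
#    programs? Anything other than the mailer (or a Program of 'Any') is a hole.
function Get-OutboundSmtpAllowRules {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            if ($port.Protocol -eq 'TCP' -and $port.RemotePort -contains '25') {
                [pscustomobject]@{
                    Rule    = $_.DisplayName
                    Program = $app.Program      # 'Any' means no per-application restriction
                    Profile = $_.Profile
                }
            }
        }
}

Get-OutboundSmtpAllowRules | Format-Table -AutoSize

# 4. The caveat the post raises, made concrete: code running with the same
#    (administrative) rights as whoever created the rule can simply undo it.
#    Either line is all a trojan needs once it executes at that level:
#    Remove-NetFirewallRule -DisplayName $RuleName
#    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
```

Two practical notes. The rule matches on the executable path, so a trojan that replaces the mailer binary or injects into the mailer's process inherits its allowance; the check above cannot see that, which is the obfuscated-trojan point in another form. And the rule set is only as strong as the account the trojan runs under: deploying the rules through domain policy rather than locally makes local reconfiguration harder, but it does not change the underlying argument that code already executing on the host sits inside the protection it is supposed to be stopped by.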

