Re: [PEN-TEST] penetrating trojan

[Panagiotis Dimitriou <pdimit () SPACE GR>]

I've found a perl-based trojan that might do the trick (you can find it
attached). I've never tested but it looks fine.
Any feedback would be appreciated..



 <<...>>
Panos Dimitriou
IT Security Analyst
SPACE HELLAS


> -----Original Message-----
> From: Tom Vandepoel [SMTP:Tom.Vandepoel () UBIZEN COM]
> Sent: 03 December 2000 00:19
> To:   PEN-TEST () SECURITYFOCUS COM
> Subject:      Re: [PEN-TEST] penetrating trojan
>
> Arthur Clune wrote:
>
> > > I too can picture some terrifying scenarios where the connection is
> client
> > > initiated on port 80.
> >
> > Surely you can use netcat and "at" to get a system
> > to "phone home", or am I missing something here?
>
> That's the first step; haven't seen stuff like that in the wild yet.
> Ofcourse the goal of a pen-trojan is not to spread widely, but to
> quietly enter a network. So it will be less likely be discovered in the
> wild.
> I have spent some small amount of time trying to encapsulate netcat into
> a self-depacking vbs script; I have been using the GodMessage trojan as
> a template, but I haven't got it working yet. Shouldn't be that hard,
> though.
>
> I generally recommend customers to be very restrictive on outbound
> traffic, just to reduce the chance of a trojan 'phoning home'. Ofcourse,
> put httptunnel together with some smart vbs scripting and this doesn't
> matter anymore...
>
> We all know the real problem lies somewhere else; mobile code is
> security nightmare...
>
> Tom.
>
>
> --
> _________________________________________________
>
> Tom Vandepoel
> Sr. Network Security Engineer
>
> www.ubizen.com
> tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00
> Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
> _________________________________________________