Re: [PEN-TEST] penetrating trojan

[Darbean <darjoan () SINA COM>]

Sorry for forgeting to paste the address of  " Placing Backdoors Through
Firewalls" in the last mail. That is: http://thc.inferno.tusculum.edu/

Darjoan

----- Original Message -----
From: Sven Bruelisauer <sven () OPEN CH>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, December 01, 2000 10:57 PM
Subject: [PEN-TEST] penetrating trojan


> Hello,
>
> Recently, associated with a penetration test of one of our customers, we
> had a long discussion about various hacker techniques including well
> known trojans such as bo2k or sub7.
>
> Despite of a huge variety of plug-ins that are available for bo2j for
> example, I did not encounter one that makes the trojan the initiator of
> a connection. The trojan may send the ip of the compromised system to
> his master or accept encrypted connections even over tunneling as I
> detected once.
>
> So all companies that have Network Address Translation enabled, are safe
> from such trojans since the "master" never will be able to contact the
> trojan (the victims IP will not be routed from the outside) !?
>
> What would make the situation a lot more dangerous is when the trojan
> itself had the connection started, let's say over port 80 using http
> protocol, e.g. pretending being a browser. Most Firewall settings would
> allow such a connection and the trojan could unfold his power (assuming
> he was not detected by a local anti virus program.
>
> Why did I never encounter such a trojan? Am I missing something ... has
> anybody heard of such attacks?
>
> Regards
>   sven
> -------------------------------------------------------------
> OOOOOOOOOOO         sven bruelisauer      sven () open ch
> O         O          cellular:   (+41) 79 6091401
> O open    O          work:                (+41) 1  4557400
> O systems O
> O         O          http://www.open.ch
> OOOOOOOOOOO