- Posts: 72
- Thank you received: 0
Security Article by Sahirh
20 years 3 months ago #2262
by Cheetah
Kind Regards,
<b>Cheetah</b>
<i>The outcome of devotion is, quality!</i>
Replied by Cheetah on topic Re: Security Article by Sahirh
End users must be taught how to respond to anti virus alerts. This is especially true in the enterprise -- an attacker doesn't need to try and bypass your fortress like firewall if all he has to do is email trojans to a lot of people in the company. It just takes one uninformed user to open the infected package and he will have a backdoor to the internal network.
May be it gets installed, but how does the attacker reach inside through this is still a question? with mostly 2-3 levels of private segments inside on a properly configured network. But its a different question if it sends documents outside as you described earlier.
But I wont call that a backdoor.
May be it gets installed, but how does the attacker reach inside through this is still a question? with mostly 2-3 levels of private segments inside on a properly configured network. But its a different question if it sends documents outside as you described earlier.
But I wont call that a backdoor. Kind Regards,
<b>Cheetah</b>
<i>The outcome of devotion is, quality!</i>
20 years 3 months ago #2267
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Security Article by Sahirh
Hi Cheetah, I appreciate your pointing out the errors in the article as well as opening the field for healthy debate !! I do however stand by both my statements.
With regard to the first one, network level protection was meant with specific regard to firewalls. An anti virus scanner which would pick up on a viral threat would not be network level protection. I suppose one could argue that an IDS might be able to pick up on something like this, but that would be very easy to bypass (as i said, zip the file, encrypt it, change the byte signature) and thus would not be effective protection.
One must analyse what is the vulnerability being exploited here ? It is inherently a human weakness (thus the crude form of social engineering). The actual exploitation takes place with the user opening the malicious package. You could even do something as simple as mail someone a batch file virus. No virus scanner, IDS, anything would light up to something like that don't you agree ?
With reference to your second point, I have personally used reverse connect trojans on many occasions. The situation was such that there was no way to access the internal LAN (it was NATed). However I knew that the internal users had www access. I used a reverse www trojan that connected back to me. On my end I was running what appeared to be a legitimate webserver. The trojan connects and communicates with this 'webserver' through what looks like absolutely legitimate web traffic, however the commands I send and the responses are encoded in the requests and replies.
There are a whole breed of reverse connect trojans for situations where the attacker has no access into the network. Outbound filtering is invariably less restrictive.. people use that Internet access to do something, and if nothing is being allowed in, then something is being allowed out.
Take a worst case scenario -- a network where the firewall is so restrictive that nothing is allowed out from a users workstation.. no surfing or anything. All mail is sent by the users to the local MTA which handles sending it out. A trojan you could use here is one that modifies a binary on the system to do something everytime the user runs it.
For example, trojan the 'ls' binary on a *nix style system, everytime it is called, it will first mail out a copy of /etc/passwd and then display the ls output. While exploiting the network further would require some thought, the point I'm trying to illustrate is very simple. Its one of Scott Culp's (Microsoft Security Response Manager) Ten Immutable Laws of Security :
Law 1: If a bad guy can persuade you to run his program on your computer, its not your computer anymore.
If you're interested in the other laws, they are here :
www.microsoft.com/technet/columns/security/essays/10imlaws.asp
As proof of concept, here's a reverse www trojan.. its a little dirty, but with some cleanups, works beautifully :
www.thc.org/download.php?t=r&d=rwwwshell-2.0.pl.gz
About the broken links hehe I have no argument. They will be fixed.
!! I do however stand by both my statements.With regard to the first one, network level protection was meant with specific regard to firewalls. An anti virus scanner which would pick up on a viral threat would not be network level protection. I suppose one could argue that an IDS might be able to pick up on something like this, but that would be very easy to bypass (as i said, zip the file, encrypt it, change the byte signature) and thus would not be effective protection.
One must analyse what is the vulnerability being exploited here ? It is inherently a human weakness (thus the crude form of social engineering). The actual exploitation takes place with the user opening the malicious package. You could even do something as simple as mail someone a batch file virus. No virus scanner, IDS, anything would light up to something like that don't you agree ?
With reference to your second point, I have personally used reverse connect trojans on many occasions. The situation was such that there was no way to access the internal LAN (it was NATed). However I knew that the internal users had www access. I used a reverse www trojan that connected back to me. On my end I was running what appeared to be a legitimate webserver. The trojan connects and communicates with this 'webserver' through what looks like absolutely legitimate web traffic, however the commands I send and the responses are encoded in the requests and replies.
There are a whole breed of reverse connect trojans for situations where the attacker has no access into the network. Outbound filtering is invariably less restrictive.. people use that Internet access to do something, and if nothing is being allowed in, then something is being allowed out.
Take a worst case scenario -- a network where the firewall is so restrictive that nothing is allowed out from a users workstation.. no surfing or anything. All mail is sent by the users to the local MTA which handles sending it out. A trojan you could use here is one that modifies a binary on the system to do something everytime the user runs it.
For example, trojan the 'ls' binary on a *nix style system, everytime it is called, it will first mail out a copy of /etc/passwd and then display the ls output. While exploiting the network further would require some thought, the point I'm trying to illustrate is very simple. Its one of Scott Culp's (Microsoft Security Response Manager) Ten Immutable Laws of Security :
Law 1: If a bad guy can persuade you to run his program on your computer, its not your computer anymore.
If you're interested in the other laws, they are here :
www.microsoft.com/technet/columns/security/essays/10imlaws.asp
As proof of concept, here's a reverse www trojan.. its a little dirty, but with some cleanups, works beautifully :
www.thc.org/download.php?t=r&d=rwwwshell-2.0.pl.gz
About the broken links hehe I have no argument. They will be fixed.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Time to create page: 0.155 seconds