Security Article by Sahirh

I agree with Sahirh on both points.

First of all this a basic primer and you can find exceptions to almost anything, but in the first objection, that is exactly what email viruses do - try to trick you into opening them. If they are opened, it is difficult to put the Genie back in the bottle. They try to trick you with interesting subject or by sending you a message from someone you know. It only takes one uninformed person or mistake to start the ball rolling. No amount of "network level protection" is going to stop this. Only education.

On the second point, I am not sure what your definition of backdoor is, but here is one from:

www.securityfocus.com/infocus/1701

The Basics of Backdoors

What is a backdoor? A backdoor is a "mechanism surreptitiously introduced into a computer system to facilitate unauthorized access to the system,"[4] and can be classified into (at least) three categories:

Active

Active backdoors originate outbound connections to one or more hosts. These connections can either provide full, fluid network access between the hosts (i.e. reverse tunnel-based) or be part of a process that actively monitors the compromised system, records information, sends data out in distinct "chunks" and receives both acknowledgements and/or commands from the remote systems.

Passive

Passive backdoors listen on one or more ports for incoming connections from one or more hosts. Similar to the active backdoors, these programs can either be used to establish a forward tunnel into the compromised network or accept distinct commands and return the requested information.

Attack-based

This category of backdoor could also be classified as the "unknown backdoor." It generally arises from a buffer-overflow exploit of poorly-written programs resulting in some type (e.g. root/Administrator-level, user-level, fully-interactive, one-instruction) of command-level access to the compromised system.

There is one common element among the three types of backdoors - they all work by circumventing the elaborate multi-layer security infrastructure you have worked diligently to design and deploy. Most real (i.e. non-script-kiddies) hackers can determine almost immediately if it's worth attempting to meet your perimeter routers and firewalls with a head-on attack. Textbook methods can be relatively easily employed to help discover the types and configurations equipment protecting the borders of your network. Some of these discovery tools can even help detect the presence of proactive network intrusion detection systems (IDS). While there are still daily exceptions, most perimeter networks are configured well enough to make backdoors the emerging method-of-choice for deep-network penetration for a number of reasons:

For example, if you have NAT setup, no one can get into your system directly as any packet getting to the router/firewall will see that there is a inbound packet with no corresponding outbound packet and it will be dropped. But if a trojan is dropped into your system (by email) and it starts up and sends a packet out to the attacker he can now respond and there would be a corresponding outbound packet. He then got in by the back door.

Good points there. Nice to see they've got reverse connect backdoors in the securityfocus definition.

Given that most networks are so similar in design, the same general technique I've given in a walkthrough of an attack (in the article) can be applied to lots of situations

Point 1. I was partially agreed, to point one as I already mentioned, if it was on the network layer protection. However, on a properly configured antivirus domain, the risk is very little as is my perception.

For example on a threeway protection, with proper configuration though

1. Application level Protection on the Gateway for http, ftp, smtp traffic to be analysed to viruses, attachments with specific extentions. No security concious admin is going to allow bat or pif or any other form of executable extenstions (you name it) to travel freely through their gateway.

2. Protection on the servers, again with automatic deployment of updates.

3. Protection at the client level, again with automatic pushing of updates.

Point 2. Yes now I agree with respect to reverse trojans.

My idea though as you rightly said was a constructive criticsm. I very well aprreacite the inputs.

No problem with criticisms.

Sahirh and I disagree all the time (then he realizes his mistake :lol:)

Now back to point 1.

Let us assume you are not going to disconnect yourself from the network.

You tell everyone to be careful about Word Macros. One of your users gets a perfectly valid Work document in his email - say it is from a client - that comes up and says there are macros - do you want to open. The user opens the Word document and Voila - macro virus. These thing happen. Not sure how you are going to network prevent that.

I was just gonna blabber about macro viruses.. they've fallen out of favour since this recent onslaught of worms based on exploits.. however does the name 'Melissa' ring a bell ?

Ok, what about HTML files ? Its trivial (my favourite word in these arguments) to construct a fairly malicious HTML page... one that can delete files etc. Far more so if the target is using Internet Explorer (do you know that there are at least 15 critical vulnerabilites in IE that there is no patch for.. I forget the name of that brilliant Chinese researcher who has them listed on his site. He's a dude who doesn't even have a computer and he's pulled some real whoppers out of IE.. anyway I digress..)

Now lets have some more fun.. I construct a nice trojan, and I zip it up with a password so that fancy content monitoring device cannot start peeking inside it. Heres the email your users get with the trojan as an attachment:

[code:1]
from: admin@victim.com
to: allusers@victim.com
subject: critical update -- please update.

As you all know we are very strict with our anti virus policy here at victim.com, a major bug was found in the McBarfee / Snorton antivirus package we use, I am including the patch that you must apply. To prevent anyone from having the file tampered with, it is zipped with a password which is '5up3r-4dm1n'. I request you all to follow the following instructions and update the software.

1. Press ctrl+shift+esc, click processes, find the process 'snorton.exe' or 'mcbarfee.exe' and kill this process
2. Unzip the zip file using the password provided
3. Run the executable 'Snortonsuperfix.exe'

Note that you have to stop the antivirus program before you can apply the patch because this is not a new set of virus definitions, but a patch to the actual program itself.


Thank you,
Have a nice day,

Super Admin.

[/code:1]

What we have here is a spoofed email from someone in authority talking about a situation that most people do not understand, step by step instructions on what to do to make everything secure and safe against evildoers.

I can think of a large number of very intelligent people who will run that patch. By the time super-admin runs around telling everyone that he never sent that mail, the damage is done. All further communications from his email address are now viewed suspiciously (including the one he sends to everyone telling them how to get rid of the backdoor).

In an organisation of 500 drones, I require only 1 idiot. Look at your workplace and tell me you don't see someone who would actually fall for this...