Skip to main content

Security Article by Sahirh

More
20 years 10 months ago #2261 by Cheetah
Another threat comes in the form of viruses, most often these may be propagated by email and use some crude form of social engineering (such as using the subject line "I love you" or "Re: The documents you asked for") to trick people into opening them. No form of network level protection can guard against these attacks.

The above statement in bold is not correct. I dont agree with this, partially unless its about the OSI network layer.

Kind Regards,
<b>Cheetah</b>
<i>The outcome of devotion is, quality!</i>
More
20 years 10 months ago #2262 by Cheetah
End users must be taught how to respond to anti virus alerts. This is especially true in the enterprise -- an attacker doesn't need to try and bypass your fortress like firewall if all he has to do is email trojans to a lot of people in the company. It just takes one uninformed user to open the infected package and he will have a backdoor to the internal network.

May be it gets installed, but how does the attacker reach inside through this is still a question? with mostly 2-3 levels of private segments inside on a properly configured network. But its a different question if it sends documents outside as you described earlier. :) But I wont call that a backdoor.

Kind Regards,
<b>Cheetah</b>
<i>The outcome of devotion is, quality!</i>
More
20 years 10 months ago #2263 by Cheetah
Replied by Cheetah on topic Link not correct
www.sans.org/rr/papers/index.php?id=264

Display is correct, but the href is not. It leads to the previous link, which is mixter.void.ru/ .

You may correct it.

Kind Regards,
<b>Cheetah</b>
<i>The outcome of devotion is, quality!</i>
More
20 years 10 months ago #2264 by Cheetah
Replied by Cheetah on topic Error in another Link
The netcat link dont lead to the correct one.

correct: netcat.sourceforge.net/

You may correct this.

Kind Regards,
<b>Cheetah</b>
<i>The outcome of devotion is, quality!</i>
More
20 years 10 months ago #2265 by Cheetah
Replied by Cheetah on topic Conclusion
Hi author,

Finally, I would like to conclude conveying that a very decent security primer article, leading to a lot of very decent links and tools.

Its well worth the time spend on this.

Regards
Cheetah

Kind Regards,
<b>Cheetah</b>
<i>The outcome of devotion is, quality!</i>
More
20 years 10 months ago #2267 by sahirh
Hi Cheetah, I appreciate your pointing out the errors in the article as well as opening the field for healthy debate :) !! I do however stand by both my statements.

With regard to the first one, network level protection was meant with specific regard to firewalls. An anti virus scanner which would pick up on a viral threat would not be network level protection. I suppose one could argue that an IDS might be able to pick up on something like this, but that would be very easy to bypass (as i said, zip the file, encrypt it, change the byte signature) and thus would not be effective protection.

One must analyse what is the vulnerability being exploited here ? It is inherently a human weakness (thus the crude form of social engineering). The actual exploitation takes place with the user opening the malicious package. You could even do something as simple as mail someone a batch file virus. No virus scanner, IDS, anything would light up to something like that don't you agree ?

With reference to your second point, I have personally used reverse connect trojans on many occasions. The situation was such that there was no way to access the internal LAN (it was NATed). However I knew that the internal users had www access. I used a reverse www trojan that connected back to me. On my end I was running what appeared to be a legitimate webserver. The trojan connects and communicates with this 'webserver' through what looks like absolutely legitimate web traffic, however the commands I send and the responses are encoded in the requests and replies.

There are a whole breed of reverse connect trojans for situations where the attacker has no access into the network. Outbound filtering is invariably less restrictive.. people use that Internet access to do something, and if nothing is being allowed in, then something is being allowed out.

Take a worst case scenario -- a network where the firewall is so restrictive that nothing is allowed out from a users workstation.. no surfing or anything. All mail is sent by the users to the local MTA which handles sending it out. A trojan you could use here is one that modifies a binary on the system to do something everytime the user runs it.

For example, trojan the 'ls' binary on a *nix style system, everytime it is called, it will first mail out a copy of /etc/passwd and then display the ls output. While exploiting the network further would require some thought, the point I'm trying to illustrate is very simple. Its one of Scott Culp's (Microsoft Security Response Manager) Ten Immutable Laws of Security :

Law 1: If a bad guy can persuade you to run his program on your computer, its not your computer anymore.

If you're interested in the other laws, they are here :
www.microsoft.com/technet/columns/security/essays/10imlaws.asp

As proof of concept, here's a reverse www trojan.. its a little dirty, but with some cleanups, works beautifully :
www.thc.org/download.php?t=r&d=rwwwshell-2.0.pl.gz

About the broken links hehe I have no argument. They will be fixed.

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor &amp; Security Advisor
tftfotw.blogspot.com
Time to create page: 0.130 seconds