Firewall Wizards mailing list archives

Re: httptunnel


From: youngk () ttc com
Date: Wed, 24 Mar 1999 11:26:28 -0500


> (I've been waiting for something like BackOrifice to use
> HTTP instead of UDP for its remote control session.)

A couple of network test engineers and I designed something exactly
like this. The "protocol" would even go past firewall virus scanners and
proxies designed to prevent this. We were even trying to figure out how to
have a morphing trojan horse to get past the same scanners.

We decided not to continue due to problems if the program slipped out into
the public and malicious "things" were done with it (can anyone say
lawsuit??). Of course, this app would have had nothing to do with our
company, but we didn't even want to take the chance that it might be
associated with it...

> We currently do not use proxy authentication for HTTP requests
> which originate internally.  May change that.  I presume that
> that could help thwart a covert trojan program trying to get
> out w/ HTTP.  Thoughts?

Simple... just have the trojan horse wait a couple of seconds after
Netscape/IE is opened. By that time, the user would have authenticated with
the firewall. Since most people have a time window before they have to
re-authenticate, the trojan horse would be able to run during this time.
Even single-use password systems would be vulnerable due to that time
frame.

Only firewalls which authenticate every time you retrieve a file from
outside the domain which you authenticated against would be safe. However,
I think that due to the fact that many web pages now have links to graphics
on advertisement networks (which would cause you to re-authenticate several
times as it downloads the different graphics), very few people have this
kind of setup.
--Keith

-youngk () ttc com
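One way a defender can look in proxy logs for the pattern described above (a second program riding the browser's authenticated window), as an added example that is not part of the original post; the log format, the 15-minute window, and the sample lines are all assumed or constructed:

```python
from datetime import datetime, timedelta

# Constructed proxy log (assumed format): time, client IP, user ("-" when no
# credentials were presented and the proxy passed the request on an existing
# authenticated session), User-Agent, URL.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 alice Mozilla/4.7 http://www.example.test/index.html
2024-05-01T09:00:01 10.0.0.5 - Mozilla/4.7 http://www.example.test/logo.gif
2024-05-01T09:00:04 10.0.0.5 - Mozilla/4.7 http://ads.example.test/banner.gif
2024-05-01T09:00:07 10.0.0.5 - CustomClient/1.0 http://unknown.example.test/
2024-05-01T09:00:10 10.0.0.9 bob Mozilla/4.7 http://www.example.test/index.html
2024-05-01T09:30:00 10.0.0.5 - Mozilla/4.7 http://www.example.test/page2.html
"""

AUTH_WINDOW = timedelta(minutes=15)  # assumed re-authentication interval

def parse_line(line):
    ts, ip, user, ua, url = line.split(" ", 4)
    return datetime.fromisoformat(ts), ip, user, ua, url

def audit(log_text, window=AUTH_WINDOW):
    """Return (reason, line) pairs for requests that passed without
    presenting credentials but do not look like the authenticating browser."""
    sessions = {}  # client IP -> (user, user-agent, session expiry)
    findings = []
    for line in log_text.splitlines():
        ts, ip, user, ua, url = parse_line(line)
        if user != "-":
            # Explicit authentication: (re)open the window for this client.
            sessions[ip] = (user, ua, ts + window)
            continue
        sess = sessions.get(ip)
        if sess is None or ts > sess[2]:
            # Passed without credentials outside the window we assume the
            # proxy enforces: the configured window is longer than policy says.
            findings.append(("no live session", line))
        elif ua != sess[1]:
            # Same address, same window, different program: the case the post
            # describes, where something other than the browser uses the window.
            findings.append(("different client on %s's session" % sess[0], line))
    return findings

if __name__ == "__main__":
    for reason, line in audit(SAMPLE_LOG):
        print(reason, "->", line)
```

User-Agent is only a weak signal, so this flags candidates for review rather than proving misuse; shortening the window alone does not catch the fourth line, which is the post's point.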