Security Incidents mailing list archives

Re: Virus/trojan tunnel out from behind firewall?

From: Rich Puhek <rpuhek () etnsystems com>
Date: Mon, 25 Feb 2002 01:37:24 -0600


David Carmean wrote:


On Sun, Feb 24, 2002 at 10:22:12PM -0600, Rich Puhek wrote:

David Carmean wrote:

Have there been any cases of a trojan/virus/etc tunnelling out from
behind a firewall and thus providing an attacker a way into the
"chewy center"?


Do you mean a trojan/virus that actively establishes a tunnel through
SSH, etc to an outside machine as a method of bypassing a stateful
firewall?

Or do you just mean that a trojan/virus/etc has provided an opening
despite the firewall?

I'd also consider the gray areas in between, like worms/trojans that
transfer into (passwds, etc) back through SMTP, HTTP, or IRC.


I was thinking more of the first example, an ssh/stunnel/other tunnel
out from the infected host to some other compromised box, which would
give an attacker a wormhole into the center of a corporate network.
In realtime.

For sites which allow unrestricted outbound connections, it would
probably be impossible to detect if the trojan did nothing else
destructive to arouse suspicion.


That would be a challenge, especially if the outside box was listening
on say, port 80. I'd assume that the outside box was basically the
"host" or master machine, probably running on a less secure network (one
that allowed incoming connections to privileged ports).

Next defense would be noticing odd traffic (excessive data transfer,
excessive length of connection between the two machines if the tunnel
was kept up instead of discrete transactions like innocent HTTP, etc.).

--Rich

_________________________________________________________
                         
Rich Puhek               
ETN Systems Inc.         
2125 1st Ave East        
Hibbing MN 55746         
                         
tel:   218.262.1130  
email: rpuhek () etnsystems com 
_________________________________________________________

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Virus/trojan tunnel out from behind firewall? David Carmean (Feb 24)
- RE: Virus/Trojan tunnel out from behind firewall? Bill Royds (Feb 25)
- Re: Virus/trojan tunnel out from behind firewall? Rich Puhek (Feb 25)
  - Re: Virus/trojan tunnel out from behind firewall? David Carmean (Feb 25)
    - Re: Virus/trojan tunnel out from behind firewall? Rich Puhek (Feb 25)
    - Re: Virus/trojan tunnel out from behind firewall? Ben Efros (Feb 26)
  - Re: Virus/trojan tunnel out from behind firewall? Mike Shaw (Feb 25)
    - RE: Virus/trojan tunnel out from behind firewall? M.Verba (Feb 26)
- Re: Virus/trojan tunnel out from behind firewall? Ryan Russell (Feb 25)