On Sun, Feb 24, 2002 at 10:22:12PM -0600, Rich Puhek wrote:
> David Carmean wrote:
> > Have there been any cases of a trojan/virus/etc tunnelling out from
> > behind a firewall and thus providing an attacker a way into the
> > "chewy center"?
>
> Do you mean a trojan/virus that actively establishes a tunnel through
> SSH, etc to an outside machine as a method of bypassing a stateful
> firewall?
>
> Or do you just mean that a trojan/virus/etc has provided an opening
> despite the firewall?
>
> I'd also consider the gray areas in between, like worms/trojans that
> transfer into (passwds, etc) back through SMTP, HTTP, or IRC.

I was thinking more of the first example, an ssh/stunnel/other tunnel
out from the infected host to some other compromised box, which would
give an attacker a wormhole into the center of a corporate network.
In realtime.

For sites which allow unrestricted outbound connections, it would
probably be impossible to detect if the trojan did nothing else
destructive to arouse suspicion.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Feb 25 2002 - 14:25:45 PST
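
The scenario raised in the message above, a long-lived outbound tunnel from an internal host, can be looked for in egress flow records. The following is an added example, not part of the original thread: the record layout, the internal address range, the thresholds and the sample flows are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address range
MIN_DURATION_S = 4 * 3600             # assumed threshold: session held open 4h or more
MAX_PEERS = 1                         # assumed: destination used by at most this many internal hosts

# Constructed sample flow records:
# (src, dst, dst_port, duration_seconds, bytes_out, bytes_in)
SAMPLE_FLOWS = [
    ("10.1.4.20", "198.51.100.7", 443, 35, 1200, 48000),
    ("10.1.4.21", "198.51.100.7", 443, 60, 900, 52000),
    ("10.1.4.22", "198.51.100.7", 443, 20, 700, 30000),
    ("10.1.9.33", "203.0.113.50", 22, 86000, 410000, 380000),
    ("10.1.4.20", "192.0.2.25", 25, 12, 5000, 400),
    ("10.1.7.5", "10.2.0.8", 22, 40000, 10000, 9000),        # internal to internal
    ("10.1.4.21", "203.0.113.80", 443, 20000, 3000, 900000),  # long, but shared destination
    ("10.1.4.22", "203.0.113.80", 443, 300, 2000, 100000),
]


def suspicious_outbound(flows, min_duration=MIN_DURATION_S, max_peers=MAX_PEERS):
    """Return outbound flows that are long-lived and go to a destination
    that few internal hosts talk to."""
    peers = defaultdict(set)   # external destination -> internal sources seen
    outbound = []
    for flow in flows:
        src, dst = flow[0], flow[1]
        # Keep only flows that start inside and end outside the internal range.
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            peers[dst].add(src)
            outbound.append(flow)
    return [
        f for f in outbound
        if f[3] >= min_duration and len(peers[f[1]]) <= max_peers
    ]


if __name__ == "__main__":
    for src, dst, port, dur, *_ in suspicious_outbound(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} open for {dur / 3600:.1f}h")
```

The check depends on flow records being collected at the egress point, and the thresholds need tuning against a site's normal traffic.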