Disturbing trend - Hiding in plain sight - Page 4
Page 4 of 5 FirstFirst ... 2345 LastLast
Results 31 to 40 of 44

Thread: Disturbing trend - Hiding in plain sight

  1. #31
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    There is a relational amplification affect here. As you increase the number of hosts on your network, the bigger the smoke screen for SSH data streams. We live in a mixed environment along which serves traffic to not only regular employees but also business partners, state and federal agencies, etc., etc.. As Tiger states, the ability to effectively trigger on pure SSH sessions will be extremely difficult and labor intensive if possible at all.

    PS

    Websense rulez.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #32
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    There are dark forces hiding in SSH now. It's always been the universal by pass besides port 80. It seems the only resolve is stoping the infection. In fact one could go as far as blocking installation packages in windows along with executables. Only allowing baseline windows system process' access. Websense will block msi.

    /EDIT
    Websense rulez
    It's religious.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  3. #33
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Sorry for the double post, just saw Tiger.

    Websense comes with 800,000 sha-1 executable hashes. In fact you can even drill down. For instance say you use Norton. It won't just tell you it's Norton or Symantec it will list the executables assigned to each module like Antivirus or ghost. You can rn reports of what it finds before locking anything down. I let my surfcontrol license run out for a number of reasons. Reporting, BAD categorization etc. Websense will give you a competative upgrade....
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  4. #34
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Horse,
    Can you say whether this malware acts as an application in it's own write, or if it uses other applications, to establish a connection to C&C. What I mean is, is the malware a server/client or does it hijack a running process, like IE, Iserver.exe, etc.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  5. #35
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    The ones I have seen are individual processes independent of others, spawned by calling an exe planted usually in the Windows folder.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #36
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    The ones I have seen are individual processes independent of others, spawned by calling an exe planted usually in the Windows folder.
    I am fishing, but you know that

    Would not, any old common or garden software firewall catch the out going connection?
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  7. #37
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Yes, unless it travels over an encrypted connection such as SSL or SSH. Here is where the trouble lies.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #38
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    And the commercial solutions do not allow for, block all ssh/ssl traffic, unless trusted. Because its' encrypted it becomes trusted.

    Security certificate, seems to be the only solution. In what is an open system.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  9. #39
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    I see four solutions for this problem.

    1. Host based firewalling which only allows trusted applications to open new sockets
    2. Some sort of authentication whereby applications request permission to use encrypted connections. However since program ID fields are not part of standard IP headers, this would be difficult.
    3. Rewriting the stack to include program ID information in all IP headers, then stripping this at the gateway.
    4. A different approach to authentication whereby before allowing an encrypted connection out, the gateway contacts the host and requests information on the generating application independently of the stream in question. Although this would require host software, it would not be more involved than installing Netware login clients.

    Would any of this work?
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  10. #40
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    4. A different approach to authentication whereby before allowing an encrypted connection out, the gateway contacts the host and requests information on the generating application independently of the stream in question. Although this would require host software, it would not be more involved than installing Netware login clients.
    This is sort of what I meant by using security certificates.

    It's about time we should be able to ring fence windows system folder and prevent write access to all but trusted applications.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides