
Thread: Trojans/ Backdoors - My observations

  1. #11
    It is very difficult to tell who is telling the truth in the forum if you are a newbie like me who has a lot to learn about network security.

    Now you have done it, never point out the truth, it will get you anti-points and you will get banned. You have more than likely got a warning now, so your best bet is to become very smart and give good answers and ask smart questions (how you're supposed to know a smart question from a bad one, when you're a newbie.) Or get your nose stuck up someone's butt crack real quick, but remember, do not point out the facts.

  2. #12
    Junior Member (joined May 2002, 8 posts)

    assist with Trojan/Backdoors

    Great topic! Along with AV, firewalls, Watch Guards and intrusion detection I would suggest utilizing a system that only allows a list of particular programs to run on your computer.

    ISS' BlackICE has a basic one that is coupled with their IDS. While you can still get around this, it makes it infinitely more difficult.

    .02

  3. #13
    Wow, great post man. There is a lot in there that I didn't know about virus scanners and firewalls. Well, I think I'm gonna save that one to my desktop so I can read it many times over. Great post, keep up the good work. -Twisted-

  4. #14
    Junior Member (joined Dec 2002, 22 posts)
    They can use the port-less ICMP
    Would you care to explain this, or maybe direct me towards a URL.

  5. #15
    Member (joined Apr 2003, 37 posts)
    I want to ask about myth 3 as I don't understand it :/
    "It is entirely unnecessary for a piece of mal-ware to listen on a "port", whatever that means"

    I thought that if a program does not listen to traffic, it is not going to communicate, and if it opens a connection even from time to time, that is opening a port that a software firewall should alert the user about?

    If the trojan is to communicate over the net, it has to use TCP/IP to be able to communicate over routers, and that means opening ports? I do not know what port-less TCP/IP is, but on a hardware firewall one opens some ports and drops all other traffic. If some traffic is port-less, it should not go through the firewall.

    I'm not saying it is so, just asking....

    The nice thing about software firewalls is that they do not only look at what port and IP is used to communicate, they also look at what program is communicating. So even if a trojan was to use a well known port, the firewall should alert the user because a strange program is using the net?

    Or do you (slarty) mean that a trojan can operate in the same subnet (behind the same router) and that way somehow communicate without listening / opening ports?

    I do agree that software firewalls do not protect the home user 100%. But they should catch any new programs trying to communicate over TCP/IP.

    The problem with this, how I see it, is that when I allow multiplayer games, ICQ etc. to use the Internet, someone can use the security holes of those allowed programs to do their malicious stuff.

    Please note that I'm not an expert on TCP/IP and I'm just asking about this.
    I did not do it.

  6. #16
    Senior Member (joined Jan 2002, 1,207 posts)
    I thought that if a program does not listen to traffic, it is not going to communicate, and if it opens a connection even from time to time, that is opening a port that a software firewall should alert the user about?
    Note that I refer to your "software firewalls" as "host firewalls" - not all software firewalls are "host firewalls".


    There are two possibilities (as I stated)

    - It uses non TCP/UDP IP traffic, for example ICMP or some other IP protocol. The host firewalls *may* protect you from this by restricting this in the same way as TCP / UDP. To do this, it will need to open ICMP or RAW sockets, something which may be restricted by the host firewall.

    The other is much more sinister

    - It "piggybacks" its traffic on some existing program and protocol. Rather than doing its own networking, the backdoor uses your web browser or your mail client to communicate. It communicates using email or HTTP requests.

    The host firewalls won't protect against that, because it is going to be already on their authorised list.
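The piggybacking case above is what a defender would look for in proxy or host HTTP logs rather than in a port list: a backdoor polling its controller through the browser tends to produce a steady request cadence that a human browsing does not. Added example, not from the original post; the log format, host names and process name are constructed.

```python
"""Flag periodic outbound HTTP requests that may be a backdoor piggybacking
on an authorised browser (added example; the log format is constructed)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO time> <process> <destination host> <method> <path>"
SAMPLE_LOG = """\
2003-04-12T10:00:00 iexplore.exe news.example.org GET /index.html
2003-04-12T10:00:05 iexplore.exe news.example.org GET /images/logo.gif
2003-04-12T10:01:00 iexplore.exe c2.example.net GET /check.php?id=1
2003-04-12T10:02:00 iexplore.exe c2.example.net GET /check.php?id=2
2003-04-12T10:03:00 iexplore.exe c2.example.net GET /check.php?id=3
2003-04-12T10:03:17 iexplore.exe news.example.org GET /sports.html
2003-04-12T10:04:00 iexplore.exe c2.example.net GET /check.php?id=4
2003-04-12T10:05:00 iexplore.exe c2.example.net GET /check.php?id=5
2003-04-12T10:09:41 iexplore.exe mail.example.com POST /login
"""

def parse_log(text):
    """Return {(process, host): [timestamps]} from the constructed log format."""
    by_dest = defaultdict(list)
    for line in text.splitlines():
        ts, proc, host, _method, _path = line.split(maxsplit=4)
        by_dest[(proc, host)].append(datetime.fromisoformat(ts))
    return by_dest

def find_beacons(text, min_requests=4, max_jitter=0.1):
    """Return {(process, host): mean_gap_seconds} for steady-cadence destinations.

    A human-driven browser produces bursty, irregular gaps between requests; a
    backdoor polling through the browser tends to keep a near-constant period.
    max_jitter is the allowed coefficient of variation (std dev / mean) of gaps.
    """
    beacons = {}
    for dest, times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[dest] = avg
    return beacons

if __name__ == "__main__":
    for (proc, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{proc} -> {host}: steady {period:.0f}s cadence, worth reviewing")
```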

  7. #17
    Member (joined Apr 2003, 37 posts)
    Ok, so are RAW sockets an API that programmers can use to make IP-routable packets to send data from your computer? Maybe that would be able to bypass the host firewall? Would that program be able to listen / receive data also? By bypassing the kernel maybe? http://www.linuxchix.org/content/cou...ty/raw_sockets
    Guess some programming guru could write code to read data directly on the network level, to be able to send and receive, without the host firewall knowing this? Or maybe this is not possible? Anyway this gives me the feeling that an external firewall (one that is not running on the host) is a good secondary "line of defence", instead of just trusting a host firewall.

    Guess it's also very important to drop all ICMP traffic, so that a programmer is not sending real data in a ping packet for instance?

    Still the "biggest" threat would probably be that a trojan is using a security hole in one of the allowed programs, as you say.

    In that sense a host firewall on a standalone client that is not connected to a LAN and is not running any network services is really not protecting anything. It's only good to alert if a trojan is opening its own TCP or UDP ports maybe...

    I have only one PC @ home, that is only running the TCP/IP network service on my WinXP (I removed the default Microsoft client/server, and the Quality of Service that I don't know what it does), so I guess I don't really need a host firewall at all, as I allow programs that use the Inet to bypass the firewall anyway.

    I think the OS programmers should do a security feature that prompts the user every time some program is set to autostart or is associated to run with some file extension. That way maybe it would be hard to get a trojan installed on a PC to autostart with Windows? But then again there might be countless ways to get a program running, other than the registry run, services, ini and startup folders, making it impossible to do that kind of security stuff.

    Now I understand why our company network security guy is getting grey hair so soon :/
    All those users installing strange stuff on their workstations, I wonder when a trojan is going undetected by our AV&fw.
    I did not do it.
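On the question raised in the two posts above of real data travelling inside ping packets: rather than dropping all ICMP, a defender can inspect echo payloads and compare them with the filler a legitimate ping utility sends. Added example, not from the original posts; the packets are constructed in the code, and the 32-byte Windows ping pattern is the only known-good filler whitelisted here (other tools' fillers would be added to the same check).

```python
"""Inspect ICMP echo payloads for data a normal ping would not carry
(added example; the packets below are constructed, not captured)."""
import struct

ICMP_ECHO_REQUEST = 8
# Filler the Windows ping utility sends by default (32 bytes, repeating alphabet).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident, seq, payload):
    """Assemble an ICMP echo request with a correct checksum (sample input only)."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload

def classify_echo(packet):
    """Return 'ok', 'not-echo', 'bad-checksum', 'malformed' or 'suspicious-payload'."""
    if len(packet) < 8:
        return "malformed"
    icmp_type, _code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != ICMP_ECHO_REQUEST:
        return "not-echo"
    # A valid message checksums to zero when the checksum field is included.
    if icmp_checksum(packet) != 0:
        return "bad-checksum"
    payload = packet[8:]
    # Known filler or all-zero padding is what a real ping carries; anything
    # else (text, compressed or encrypted bytes) deserves a closer look.
    if payload == WINDOWS_PING_PAYLOAD or set(payload) <= {0}:
        return "ok"
    return "suspicious-payload"

# Constructed samples: a normal Windows ping and one carrying a text message.
NORMAL_PING = build_echo(0x0100, 1, WINDOWS_PING_PAYLOAD)
TUNNELLED_PING = build_echo(0x0100, 2, b"this is not a ping")

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_PING), ("tunnelled", TUNNELLED_PING)):
        print(f"{name}: {classify_echo(pkt)}")
```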

  8. #18
    Senior Member (joined Jan 2002, 244 posts)

    Nice tut, slarty.

    I think the OS programmers should do a security feature that prompts the user every time some program is set to autostart or is associated to run with some file extension. That way maybe it would be hard to get a trojan installed on a PC to autostart with Windows? But then again there might be countless ways to get a program running, other than the registry run, services, ini and startup folders, making it impossible to do that kind of security stuff. (quote HippoDuck)

    The Kerio Personal Firewall 3
    Version 3.0.0 beta 6 tries to combat all these problems.

    http://www.kerio.com/beta_section.html

    I'm trying it out and it looks way more advanced than any other software firewall!

    I'm waiting for the final version.

    Grtz kadeng
    i m gone,thx everyone for so much fun and good info.
    cheers and good bye

  9. #19
    Junior Member (joined May 2002, 8 posts)

    Abtrusion Protector

    Abtrusion Protector prevents Windows from loading unrecognized or unknown software. Only software that you have safely installed or explicitly allowed can be loaded into memory. Contrary to typical anti-virus scanners, Abtrusion Protector is not dependent on frequent virus definition updates.

    http://www.abtrusion.com/abtrusion_protector_ps.asp

    FYI

  10. #20
    Senior Member (joined May 2003, 747 posts)
    I realize that this thread is fairly old, but I found something that demonstrates a point that slarty made here.

    2. The recipes for detecting them (netstat, looking at the registry, process listing) often cited on AO can be fooled fairly easily.
    I read this thread recently, and I wondered how netstat could be fooled and today I came across a program that demonstrates how this can be done. I took this quote from a text file that came zipped with it:

    Many tutorials on how to determine if your computer's infected with a trojan tell you to run "netstat -a" to see if any ports are listed as "listening", because "listening" ports can be trojans. In all honesty this was a good idea, because netstat never lies... or does it? I have to admit that netstat was my usual way of checking for trojans, until now. I was wondering how you could hide the fact that there was a trojan installed on one of your victim's computers... the authors of these trojans go through great effort to hide the trojan from Windows and so on, but netstat still wins. Not anymore.

    My program requires you to rename the original "netstat.exe" to "systray.exe" (they are almost identical in size - the original systray.exe is in the "system" directory), and then upload MY netstat to their windows directory (in place of the old netstat). The next time they run netstat to check for trojans, it won't show certain ports (four in total): 666 (dunno), 27374 (Subseven - the best trojan out there!), 31337 (Back Orifice - yeah cDc man !!!) and 12345 (NetBus I think?). Anyway - if you want to change any of these ports (I can only think of a billion reasons why you might want to), just modify the source code and recompile, in Turbo C++. Consider your victim 0wned !!!
    I left out the name of the program to avoid causing a stir.

    Just thought it was worth mentioning in case anyone was confused about this like I was.

    ~FrameWork
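The trojanised netstat described above is the reason a listener check should never rest on the host's own tool alone. Added example, not from the original post: it parses a constructed `netstat -an` listing, diffs it against a listener set obtained independently (a port scan of the host from another LAN machine, or a known-clean netstat run from read-only media), and compares a tool binary's SHA-256 with a baseline recorded from clean media. Both listings and the missing port 27374 are constructed sample data.

```python
"""Cross-check the host's own `netstat -an` against an independent listener
view (added example; both listings below are constructed, not captured)."""
import hashlib
import re

# Constructed output of a tampered netstat that silently drops one listener.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.10:1044      192.168.0.1:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed listener set from a second vantage point, e.g. a port scan of
# this host from another LAN machine or a clean netstat run from read-only media.
INDEPENDENT_LISTENERS = {("TCP", 135), ("TCP", 445), ("TCP", 27374), ("UDP", 137)}

def parse_netstat_listeners(text):
    """Return {(proto, port)} for sockets the listing shows as listening.

    UDP rows carry no state column, so every bound UDP socket counts.
    """
    listeners = set()
    for line in text.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?", line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if proto == "UDP" or state == "LISTENING":
            listeners.add((proto, port))
    return listeners

def hidden_listeners(netstat_text, independent):
    """Listeners the independent view reports but the host's netstat omits."""
    return independent - parse_netstat_listeners(netstat_text)

def matches_baseline(tool_bytes, known_sha256):
    """True if a tool binary's SHA-256 equals the hash recorded from clean media."""
    return hashlib.sha256(tool_bytes).hexdigest() == known_sha256

if __name__ == "__main__":
    for proto, port in sorted(hidden_listeners(NETSTAT_OUTPUT, INDEPENDENT_LISTENERS)):
        print(f"{proto} {port} is bound but missing from netstat: suspect the tool")
```

Any port that appears in the independent view but not in the local listing points at either a hidden socket or a tampered tool, and the hash check against a baseline taken from clean media settles which.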
