Return-Path: <sentto-279987-5133-1028692462-fc=all.net@returns.groups.yahoo.com> Delivered-To: fc@all.net Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Tue, 06 Aug 2002 20:55:11 -0700 (PDT) Received: (qmail 5062 invoked by uid 510); 7 Aug 2002 03:53:08 -0000 Received: from n38.grp.scd.yahoo.com (66.218.66.106) by all.net with SMTP; 7 Aug 2002 03:53:08 -0000 X-eGroups-Return: sentto-279987-5133-1028692462-fc=all.net@returns.groups.yahoo.com Received: from [66.218.67.201] by n38.grp.scd.yahoo.com with NNFMP; 07 Aug 2002 03:54:24 -0000 X-Sender: fc@red.all.net X-Apparently-To: iwar@onelist.com Received: (EGP: mail-8_0_7_4); 7 Aug 2002 03:54:22 -0000 Received: (qmail 40991 invoked from network); 7 Aug 2002 03:54:22 -0000 Received: from unknown (66.218.66.217) by m9.grp.scd.yahoo.com with QMQP; 7 Aug 2002 03:54:22 -0000 Received: from unknown (HELO red.all.net) (12.232.72.152) by mta2.grp.scd.yahoo.com with SMTP; 7 Aug 2002 03:54:23 -0000 Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id g773sZx24974 for iwar@onelist.com; Tue, 6 Aug 2002 20:54:35 -0700 Message-Id: <200208070354.g773sZx24974@red.all.net> To: iwar@onelist.com (Information Warfare Mailing List) Organization: I'm not allowed to say X-Mailer: don't even ask X-Mailer: ELM [version 2.5 PL3] From: Fred Cohen <fc@all.net> X-Yahoo-Profile: fcallnet Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com Delivered-To: mailing list iwar@yahoogroups.com Precedence: bulk List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com> Date: Tue, 6 Aug 2002 20:54:34 -0700 (PDT) Subject: [iwar] [fc:Trojan.Horse.Technology.Exploits.IE.Hole] Reply-To: iwar@yahoogroups.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spam-Status: No, hits=0.0 required=5.0 tests=DIFFERENT_REPLY_TO version=2.20 X-Spam-Level: Trojan Horse Technology Exploits IE Hole Researchers show a tool that could admit hackers by pretending to be a trusted Microsoft application. <a href="http://www.pcworld.com/news/article/0,aid,103620,00.asp">http://www.pcworld.com/news/article/0,aid,103620,00.asp> PCWorld.com Monday, August 05, 2002 LAS VEGAS--A new technology could let a Trojan horse disguise itself as Internet Explorer and let hackers steal data from your PC by fooling firewalls into thinking it's a trusted Microsoft application, say three security consultants. The trio of South African researchers demonstrated the technique for breeching firewalls Sunday at DefCon. The annual security conference draws hackers, security professionals, and even cybercrime investigators. Security pros have been warning for two years that a Trojan horse bypassing firewall detection is the inevitable next step in hacking technology. At DefCon, it appeared in the form of Setiri, a demo Trojan horse that can operate without a user or firewall detecting its actions. The researchers say they will not release Setiri into the wild for hackers to use, but called on Microsoft to plug the holes that permit it to operate. Change of Command The Trojan horse gets loaded onto a victim's PC in the same manner as other Trojan horses--either embedded in an e-mail attachment or downloaded file, or installed physically onto a PC via a disk. But Setiri differs from other Trojan horses in that it does not contain executable commands that can cause its malicious actions to be blocked by the firewall. Instead, the program launches an invisible window in Internet Explorer to connect stealthily to a Web server through an anonymous proxy site called Anonymizer.com. The site is intended to enable anonymous surfing, but Setiri uses it to execute commands on your PC without your knowledge. Such commands can include downloading a keystroke-logging program to your system or uploading files or passwords to a remote PC. Because the stolen data is passed back through the Anonymizer proxy, you cannot trace the location of the remote computer. The Trojan horse exploits a standard feature in Internet Explorer that lets invisible browser windows open and connect to the Internet. The browser windows open in the background and don't appear on the desktop, so you can't see what they're doing. If you look for evidence of an open window in your Windows Task Manager, the window will be listed as IEXPLORE.EXE, just like a regular Internet Explorer window. Internet Explorer uses invisible windows for many legitimate purposes, such as sending registration info to the Net. The e-mail program Eudora makes use of invisible browser windows to download pictures in e-mail. Prevention, Protection One possible way to thwart the Trojan horse would be for Microsoft to turn off the invisible window function, says researcher Roelof Temmingh. But doing so would hinder some IE operations. The only way to prevent Setiri from going to the Web site where its commands are stored, Temmingh says, is to configure a firewall to deny access to the Anonymizer site. But Haroon Meer, Temmingh's colleague, says this wouldn't stop other variations of the Trojan horse, which might use a different proxy Web site or even use a trusted Web site, where a hacker could conceivably embed malicious code. According to the demonstrators, a Microsoft programmer in attendance said the company will look for ways to restrict invisible browsers to certain actions. A Microsoft spokesperson would only say the company is committed to keeping customer information safe, and that Microsoft is evaluating the scenario presented in the Setiri demonstration. Users can, of course, help protect themselves from getting the Trojan horse in the first place, the researchers noted. Security experts routinely warn users to not open e-mail attachments from unknown sources, and to be careful about the sites from which they download programs. Scare Tactics? Temmingh, Meer, and colleague Charl van der Walt, consultants for SensePost, say they demonstrated the Trojan horse not to scare users and system administrators. They want to raise awareness about what may already be in the wild, and promote discussion of what must be done to protect systems from such programs. "We are three guys who work full-time jobs and we came up with this program just in our spare time," said Temmingh. "So imagine what guys with a lot of time on their hands have already come up with." In fact, after the DefCon presentation a hacker in the audience told Temmingh that he and friends have already devised a Trojan horse that does what Temmingh's test Trojan horse does. "This stuff could be happening on your machine right now. It's out there, and you must think about the problems with this now," Temmingh says. Van der Walt urges a closer look at firewalls and invisible programs. "The idea is to look at this mechanism that's trusted by firewalls and see how such a Trojan horse can abuse that trust," he says. "We need to look at what methods should be allowed for invisible programs to operate." Meer says the three hope Microsoft will soon deal with the invisible window function. But he acknowledges that this will be difficult, since "it will take some functionality away from IE if Microsoft tries to limit the invisible browser." The three also say that their demo should prompt the firewall developers to reexamine how they handle Net access and designate trustworthy applications. "The message is, don't think you're safe because you have the usual defenses, such as a firewall," Meer says. ------------------------ Yahoo! Groups Sponsor ---------------------~--> Will You Find True Love? Will You Meet the One? Free Love Reading by phone! http://us.click.yahoo.com/it_ffB/R_ZEAA/Ey.GAA/kgFolB/TM ---------------------------------------------------------------------~-> ------------------ http://all.net/ Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:32 PDT