Re: How to tell if a firewall alert is suspicious or not
comp.security.firewalls archive

From: Art <null@zilch.com>
Date: Wed Sep 21 2005 - 01:14:50 CEST

On 21 Sep 2005 00:24:55 +0200, Volker Birk <bumens@dingens.org> wrote:

>Art <null@zilch.com> wrote:
>> >http://www.dingens.org/breakout-en.c
>> >http://www.dingens.org/breakout-en.exe
>> Thanks Volker. I found that Sygate recorded the incident in its
>> traffic log. So it wasn't oblivious to your POC.
>
>Oh yes, it is. What's in the log is exactly what there is if the
>user just uses her/his browser.

Here is one of the logs:
*************************************************
9/20/2005 7:06:06 PM Allowed 10 Outgoing TCP
www.dingens.org [212.75.36.180] 00-12-17-49-03-54 80
192.168.1.101 00-0F-66-70-99-A2 1746 C:\Program
Files\Proxomitron Naoko-4\Proxomitron.exe art1 ART Normal
1 9/20/2005 7:05:41 PM 9/20/2005 7:05:41 PM Ask all
running apps
*********************************************
Sygate records the event every time.

>> I think POCs of this kind do a lot of good. I hope you plan to
>> polish it up. Give some thought to how to impress average
>> users with the fact their fw is indeed being bypassed without
>> their knowledge.
>
>Alexander Bernauer wrote a remote control software for Windows based
>on this POC - the wwwsh. This is what some people are calling a
>"Trojan".
>
>You can find it here: http://copton.net/vortraege/pfw/wwwsh.tar.bz2
>
>Of course, this is not a real "Trojan", because you can see what's goin'
>on while it runs, and it has no routine to spread it. The reasons are
>clear: we just want to show that we're not talking without having a
>base to stand on, but we don't want to publish real malware.

I still encourage you to design a more polished demo that will be
convincing to average users.

Art

http://home.epix.net/~artnpeg
Received on Thu Sep 29 20:09:47 2005
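The point Volker makes about the Sygate log is easier to see when the record is split into fields and checked the way a personal firewall would check it. The following is an added example, not code from the thread, from Sygate, or from the breakout POC: it parses the quoted log record (reconstructed as a single line, since the archive wrapped it) and applies the only judgement the logged fields allow. The field names (severity, location, begin/end time, rule name, and so on) are this example's assumption about the column order, inferred from the one record on the page, not Sygate's documented schema; the list of "browsing" executables is likewise constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample: the Sygate traffic-log record quoted in the post, with
# the archive's line wrapping undone (fields joined by single spaces).
SAMPLE_RECORD = (
    "9/20/2005 7:06:06 PM Allowed 10 Outgoing TCP "
    "www.dingens.org [212.75.36.180] 00-12-17-49-03-54 80 "
    "192.168.1.101 00-0F-66-70-99-A2 1746 "
    "C:\\Program Files\\Proxomitron Naoko-4\\Proxomitron.exe art1 ART Normal "
    "1 9/20/2005 7:05:41 PM 9/20/2005 7:05:41 PM Ask all running apps"
)

_TS = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"
_MAC = r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}"

# Assumed column layout, inferred from the single record above (example's
# own naming, not Sygate's documented schema).
RECORD_RE = re.compile(
    rf"^(?P<time>{_TS}) (?P<action>\S+) (?P<severity>\d+) (?P<direction>\S+) "
    rf"(?P<proto>\S+) (?P<remote_host>\S+) \[(?P<remote_ip>[\d.]+)\] "
    rf"(?P<remote_mac>{_MAC}) (?P<remote_port>\d+) (?P<local_ip>[\d.]+) "
    rf"(?P<local_mac>{_MAC}) (?P<local_port>\d+) "
    # The program path contains spaces, so it is matched lazily up to ".exe".
    rf"(?P<app>.+?\.[Ee][Xx][Ee]) (?P<user>\S+) (?P<host>\S+) (?P<location>\S+) "
    rf"(?P<count>\d+) (?P<begin>{_TS}) (?P<end>{_TS}) (?P<rule>.+)$"
)


def parse_record(line: str) -> dict:
    """Split one flattened traffic-log line into named fields; raise on mismatch."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        raise ValueError(f"record does not match the assumed layout: {line!r}")
    rec = m.groupdict()
    for key in ("severity", "remote_port", "local_port", "count"):
        rec[key] = int(rec[key])
    for key in ("time", "begin", "end"):
        rec[key] = datetime.strptime(rec[key], "%m/%d/%Y %I:%M:%S %p")
    # Basename of the Windows path, lower-cased for comparison.
    rec["app_name"] = rec["app"].rsplit("\\", 1)[-1].lower()
    return rec


# Constructed list of programs a user is expected to drive by hand.
BROWSING_APPS = {"proxomitron.exe", "firefox.exe", "iexplore.exe", "opera.exe"}
WEB_PORTS = {80, 443}


def looks_like_browsing(rec: dict) -> bool:
    """True when every logged field is consistent with ordinary web use.

    This is all a personal firewall can decide from the record: it knows the
    permitted application, the direction and the destination port, but nothing
    about whether the user or some other local program caused the request.
    That is why the entry reads exactly like normal browsing.
    """
    return (
        rec["action"] == "Allowed"
        and rec["direction"] == "Outgoing"
        and rec["proto"] == "TCP"
        and rec["remote_port"] in WEB_PORTS
        and rec["app_name"] in BROWSING_APPS
    )


def main() -> None:
    rec = parse_record(SAMPLE_RECORD)
    print(f"{rec['app_name']} -> {rec['remote_host']}:{rec['remote_port']} "
          f"({rec['action']}, rule '{rec['rule']}')")
    print("indistinguishable from normal browsing:", looks_like_browsing(rec))


if __name__ == "__main__":
    main()
```

Running it prints the parsed connection and `True` for the record in the post: every field the firewall wrote is one it would also write for a user clicking a link, so the log records the event without being able to flag it. Telling the two apart needs information the firewall does not log here, such as which process handed the request to the browser or proxy, which is the gap the thread is discussing.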