Re: How to tell if a firewall alert is suspicious or not

From: Art <null@zilch.com>
Date: Wed Sep 21 2005 - 15:01:36 CEST

On 21 Sep 2005 08:35:17 +0200, Volker Birk <bumens@dingens.org> wrote:

>Art <null@zilch.com> wrote:
>> Here one of the logs:
>> *************************************************
>> 9/20/2005 7:06:06 PM Allowed 10 Outgoing TCP
>> www.dingens.org [212.75.36.180] 00-12-17-49-03-54 80
>> 192.168.1.101 00-0F-66-70-99-A2 1746 C:\Program
>> Files\Proxomitron Naoko-4\Proxomitron.exe art1 ART Normal
>> 1 9/20/2005 7:05:41 PM 9/20/2005 7:05:41 PM Ask all
>> running apps
>> *********************************************
>> Sygate records the event every time.
>
>Nice. Proxomitron is your filtering Web-Proxy? Just compare, please,
>what Sygate is logging, if you enter "www.dingens.org" into your browser
>yourself.
>
>> >You can find it here: http://copton.net/vortraege/pfw/wwwsh.tar.bz2
>> >Of course, this is not a real "Trojan", because you can see, what's goin'
>> >on while it runs, and it has no routine to spread it. The reasons are
>> >clear: we just want to show, that we're talking not without having a
>> >base to stand on, but we don't want to publish real malware.
>> I still encourage you to design a more polished demo that will be
>> convincing to average users.
>
>What do you mean with "more polished"?

I think it would be more impressive to average users if you had it
invoke IE rather than have them have to start it themselves, for
one thing. It would dazzle them to see IE pop up. You should
get a bit into "show biz" like Steve Gibson :) You shouldn't serve
up a boring message on the screen. The message should say something
like:

THIS DEMONSTRATES THE ABILITY OF TROJANS AND SPYWARE
TO EASILY BYPASS YOUR FIREWALL!!!

YOUR BROWSER IS NOW DISPLAYING A PAGE FROM OUR SERVER!!!

Much as technical people dislike this sort of thing, I think it's
important to hit the user over the head with a sledgehammer
when it comes to a demonstration program. And don't call it a
POC. Call it a demo program.

Art

http://home.epix.net/~artnpeg
Received on Thu Sep 29 20:09:54 2005
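Volker's suggestion above (compare what Sygate logs for Proxomitron against what it logs when you open the same site yourself) is the core of deciding whether an alert is suspicious: build a baseline of known-good (application, remote port) pairs and flag allowed outbound connections that the baseline does not explain. The script below is an added example written for this page, not code from either poster. It assumes the column order of a Sygate traffic-log export matches the entry quoted in the thread (the column names are ours), and the log lines it processes are constructed here in that layout; `C:\Temp\unknown.exe`, `example.invalid` and `203.0.113.9` are placeholders.

```python
import re

# Assumed column order for a Sygate Personal Firewall traffic-log export,
# inferred from the entry quoted in the thread; the names are ours.
FIELDS = (
    "time", "action", "severity", "direction", "protocol", "remote",
    "remote_mac", "remote_port", "local_ip", "local_mac", "local_port",
    "application", "user", "domain", "location", "occurrences",
    "begin_time", "end_time", "rule",
)

# The remote endpoint appears as "hostname [ip]" in the quoted entry.
_REMOTE = re.compile(r"^(?P<host>\S+)\s+\[(?P<ip>[\d.]+)\]$")


def parse_line(line):
    """Split one tab-separated log line into a dict keyed by FIELDS.
    Returns None for lines that do not have the expected field count."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    m = _REMOTE.match(entry["remote"])
    entry["remote_host"] = m.group("host") if m else entry["remote"]
    entry["remote_ip"] = m.group("ip") if m else ""
    entry["remote_port"] = int(entry["remote_port"])
    # Windows paths are case-insensitive; normalise so comparisons are too.
    entry["application"] = entry["application"].lower()
    return entry


def baseline(lines):
    """Collect the (application, remote port) pairs seen in known-good
    traffic, e.g. the entries logged when you open the site yourself."""
    pairs = set()
    for line in lines:
        e = parse_line(line)
        if e and e["direction"] == "Outgoing":
            pairs.add((e["application"], e["remote_port"]))
    return pairs


def triage(lines, known_good):
    """Return allowed outgoing connections that no baseline pair explains,
    as (time, application, remote host, remote port, reason) tuples."""
    known_apps = {app for app, _ in known_good}
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["direction"] != "Outgoing" or e["action"] != "Allowed":
            continue
        pair = (e["application"], e["remote_port"])
        if pair in known_good:
            continue
        if e["application"] in known_apps:
            reason = "known application, unusual remote port %d" % e["remote_port"]
        else:
            reason = "application never seen in baseline"
        findings.append((e["time"], e["application"], e["remote_host"],
                         e["remote_port"], reason))
    return findings


def _line(time, app, host, ip, port, local_port):
    """Build a constructed log entry in the assumed layout (MACs, user and
    rule name copied from the quoted entry; they are not used by triage)."""
    return "\t".join([time, "Allowed", "10", "Outgoing", "TCP",
                      "%s [%s]" % (host, ip), "00-12-17-49-03-54", str(port),
                      "192.168.1.101", "00-0F-66-70-99-A2", str(local_port),
                      app, "art1", "ART", "Normal", "1", time, time,
                      "Ask all running apps"])


PROXY = r"C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe"
BROWSER = r"C:\Program Files\Internet Explorer\iexplore.exe"  # constructed

# Constructed baseline: what you see when you open the site yourself.
KNOWN_GOOD = [
    _line("9/20/2005 7:05:41 PM", PROXY, "www.dingens.org", "212.75.36.180", 80, 1746),
    _line("9/20/2005 7:05:45 PM", BROWSER, "www.dingens.org", "212.75.36.180", 80, 1747),
]

# Constructed entries to triage against that baseline.
SUSPECT = [
    _line("9/20/2005 7:06:06 PM", PROXY, "www.dingens.org", "212.75.36.180", 80, 1748),
    _line("9/20/2005 7:07:10 PM", r"C:\Temp\unknown.exe", "example.invalid", "203.0.113.9", 80, 1749),
    _line("9/20/2005 7:08:02 PM", PROXY, "example.invalid", "203.0.113.9", 6667, 1750),
]

if __name__ == "__main__":
    for finding in triage(SUSPECT, baseline(KNOWN_GOOD)):
        print("%s  %s -> %s:%d  (%s)" % finding)
```

The first suspect entry is the one from the thread and is explained by the baseline, so it is silent; the second is flagged because the application never appeared in known-good traffic, and the third because a known application is reaching an unfamiliar port. Neither finding proves malice on its own; the point is that a baseline turns "Sygate records the event every time" into a question you can actually answer.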