lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <dc718edc0606291049k3dbd4501h6e41c5ff00a143c5@mail.gmail.com>
Date: Thu Jun 29 18:49:33 2006
From: kkadow at gmail.com (Kevin)
Subject: Corporate Virus Threats

On 6/29/06, Terminal Entry <Security@...dro.net> wrote:
> When the malicious code writers build their viruses and Trojans why not code
> the threats to detect the use of proxy servers and if used, connect through
> them.

One reason why not is that it's easier to aim for the largest
population of easy targets, which will always be the home consumer.

There are other optimizations a worm or trojan author would choose
when targeting code to a corporate environment;  so far I haven't
seen malware optimized for intranet deployment :)


> Working in Corporate America, most firewall configurations block
> outbound TCP 80, as the proxies listen on other non-standard TCP ports.

You'd think that, but when I talk to vendors about "proxy aware" support
in their custom applications, they seem genuinely surprised that
any corporation mandates HTTP traffic to go only via proxy.

>  A virus should first check to determine if a proxy is used and if so use that
> proxy to download the malicious code, backdoor, etc.

There are already a few worms/trojans using the MSIE API instead of
carrying their own http client library.   Call the API appropriately,
and you'll use a proxy as needed, without any extra work/code.

Same goes for using Outlook instead of an integrated SMTP engine.

One tricky part, many proxy gateways require authentication,
in some cases the credentials will not (or can not) be cached.

Kevin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ