[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-disclosure] Corporate Virus Threats

To: "Full Disclosure" <full-disclosure@xxxxxxxxxxxxxxxxx>, "Terminal Entry" <Security@xxxxxxxxxx>
Subject: RE: [Full-disclosure] Corporate Virus Threats
From: "Castigliola, Angelo" <ACastigliola@xxxxxxxxxxxxxxxxx>
Date: Fri, 30 Jun 2006 09:42:34 -0400

>When the malicious code writers build their viruses and Trojans why not
>code the threats to detect the use of proxy servers and if used, connect
>through them.

Typically you can get to the internet through the default gateway directly from 
the computer without needing to configure proxy settings. A better question 
would be why do viruses run in user-mode versus kernel mode (see 
http://www.phrack.org/show.php?p=62&a=6 "Kernel-mode backdoors for Windows 
NT")? My guess is that 15-18 year old kids that write viruses mostly use 
recycled code and are often poorly written.

>Working in Corporate America, most firewall configurations block outbound
>TCP 80, as the proxies listen on other non-standard TCP ports.

I do not agree with this. Most corporations allow outbound TCP 80.

I think this thread is more appropriate for focus-virus and not 
Full-disclosure. 

Angelo Castigliola III
Enterprise Security Architecture
UnumProvident 

The posts and threads in this email do not reflect the opinions of nor are 
endorsed by UnumProvident, Inc., nor any of its employees.
________________________________________
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Terminal Entry
Sent: Thursday, June 29, 2006 10:14 AM
To: Bug Traq; Full Disclosure
Subject: [Full-disclosure] Corporate Virus Threats

When the malicious code writers build their viruses and Trojans why not code 
the threats to detect the use of proxy servers and if used, connect through 
them.  Working in Corporate America, most firewall configurations block 
outbound TCP 80, as the proxies listen on other non-standard TCP ports.  A 
virus should first check to determine if a proxy is used and if so use that 
proxy to download the malicious code, backdoor, etc.

Thoughts...
 
Terminal Entry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: FW: [Full-disclosure] Are consumers being misled by "phishing"?
Next by Date: [Full-disclosure] [FLSA-2006:189672] Updated thunderbird package fixes security issues
Previous by thread: Re: [Full-disclosure] Corporate Virus Threats
Next by thread: [Full-disclosure] Novell Security Announcement NOVELL-SA:2006:001
Index(es):
- Date
- Thread