[iwar] [fc:Trojan.Horse.Technology.Exploits.IE.Hole]

From: Fred Cohen (fc@all.net)
Date: 2002-08-06 20:54:34


Return-Path: <sentto-279987-5133-1028692462-fc=all.net@returns.groups.yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Tue, 06 Aug 2002 20:55:11 -0700 (PDT)
Received: (qmail 5062 invoked by uid 510); 7 Aug 2002 03:53:08 -0000
Received: from n38.grp.scd.yahoo.com (66.218.66.106) by all.net with SMTP; 7 Aug 2002 03:53:08 -0000
X-eGroups-Return: sentto-279987-5133-1028692462-fc=all.net@returns.groups.yahoo.com
Received: from [66.218.67.201] by n38.grp.scd.yahoo.com with NNFMP; 07 Aug 2002 03:54:24 -0000
X-Sender: fc@red.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-8_0_7_4); 7 Aug 2002 03:54:22 -0000
Received: (qmail 40991 invoked from network); 7 Aug 2002 03:54:22 -0000
Received: from unknown (66.218.66.217) by m9.grp.scd.yahoo.com with QMQP; 7 Aug 2002 03:54:22 -0000
Received: from unknown (HELO red.all.net) (12.232.72.152) by mta2.grp.scd.yahoo.com with SMTP; 7 Aug 2002 03:54:23 -0000
Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id g773sZx24974 for iwar@onelist.com; Tue, 6 Aug 2002 20:54:35 -0700
Message-Id: <200208070354.g773sZx24974@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
X-Yahoo-Profile: fcallnet
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Tue, 6 Aug 2002 20:54:34 -0700 (PDT)
Subject: [iwar] [fc:Trojan.Horse.Technology.Exploits.IE.Hole]
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, hits=0.0 required=5.0 tests=DIFFERENT_REPLY_TO version=2.20
X-Spam-Level: 

Trojan Horse Technology Exploits IE Hole

Researchers show a tool that could admit hackers by pretending to be a
trusted Microsoft application.

http://www.pcworld.com/news/article/0,aid,103620,00.asp
PCWorld.com Monday, August 05, 2002

LAS VEGAS--A new technology could let a Trojan horse disguise itself as
Internet Explorer and let hackers steal data from your PC by fooling
firewalls into thinking it's a trusted Microsoft application, say three
security consultants.

The trio of South African researchers demonstrated the technique for
breaching firewalls Sunday at DefCon. The annual security conference
draws hackers, security professionals, and even cybercrime
investigators.

Security pros have been warning for two years that a Trojan horse
bypassing firewall detection is the inevitable next step in hacking
technology. At DefCon, it appeared in the form of Setiri, a demo Trojan
horse that can operate without a user or firewall detecting its actions.
The researchers say they will not release Setiri into the wild for
hackers to use, but called on Microsoft to plug the holes that permit it
to operate.

Change of Command

The Trojan horse gets loaded onto a victim's PC in the same manner as
other Trojan horses--either embedded in an e-mail attachment or
downloaded file, or installed physically onto a PC via a disk.

But Setiri differs from other Trojan horses in that it does not contain
executable commands that can cause its malicious actions to be blocked
by the firewall.

Instead, the program launches an invisible window in Internet Explorer
to connect stealthily to a Web server through an anonymous proxy site
called Anonymizer.com. The site is intended to enable anonymous surfing,
but Setiri uses it to execute commands on your PC without your
knowledge. Such commands can include downloading a keystroke-logging
program to your system or uploading files or passwords to a remote PC.
Because the stolen data is passed back through the Anonymizer proxy, you
cannot trace the location of the remote computer.

The Trojan horse exploits a standard feature in Internet Explorer that
lets invisible browser windows open and connect to the Internet. The
browser windows open in the background and don't appear on the desktop,
so you can't see what they're doing. If you look for evidence of an open
window in your Windows Task Manager, the window will be listed as
IEXPLORE.EXE, just like a regular Internet Explorer window.

Internet Explorer uses invisible windows for many legitimate purposes,
such as sending registration info to the Net. The e-mail program Eudora
makes use of invisible browser windows to download pictures in e-mail.

Prevention, Protection

One possible way to thwart the Trojan horse would be for Microsoft to
turn off the invisible window function, says researcher Roelof Temmingh.
But doing so would hinder some IE operations.

The only way to prevent Setiri from going to the Web site where its
commands are stored, Temmingh says, is to configure a firewall to deny
access to the Anonymizer site.

But Haroon Meer, Temmingh's colleague, says this wouldn't stop other
variations of the Trojan horse, which might use a different proxy Web
site or even use a trusted Web site, where a hacker could conceivably
embed malicious code.
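The two mitigations just discussed, blocking the proxy and not relying on the application's name, can be expressed as detection logic a defender could run over host-firewall records. The block below is an added example, not code from the article or from the SensePost researchers; it runs over constructed log lines (process image name, parent process, whether the process owns a visible window, destination host) and flags the three signals the article describes: a browser reaching a known anonymising proxy, a browser with no visible window talking to the network, and a browser launched by something other than the user's shell. Every field name, hostname and process name (including dropper.exe) is an assumption made for the example.

```python
"""Behavioural egress check for the "trusted browser used as a proxy" pattern.

Added example, not code from the article or from SensePost. It scans
constructed host-firewall log lines and reports why each one is suspect.
All field names, hostnames and process names are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed block-list; a real deployment keeps this in the firewall policy.
ANONYMIZING_PROXIES = {"anonymizer.com", "www.anonymizer.com"}

# Processes a firewall typically trusts by image name (the weakness the article describes).
TRUSTED_BROWSERS = {"iexplore.exe"}

# Parents we expect to start an interactive browser session (assumption).
EXPECTED_PARENTS = {"explorer.exe"}


@dataclass
class Connection:
    process: str          # image name as shown in Task Manager
    parent: str           # image name of the parent process
    visible_window: bool  # does the process own a visible top-level window?
    dest_host: str


@dataclass
class Alert:
    process: str
    dest_host: str
    reasons: list[str] = field(default_factory=list)


def evaluate(conn: Connection) -> Alert | None:
    """Return an Alert listing every signal that fires, or None if nothing does."""
    reasons: list[str] = []
    host = conn.dest_host.lower()
    # Signal 1: the proxy block-list the researchers suggest configuring.
    if any(host == p or host.endswith("." + p) for p in ANONYMIZING_PROXIES):
        reasons.append("destination is a known anonymising proxy")
    # Signals 2 and 3: do not trust the image name alone; look at behaviour.
    if conn.process.lower() in TRUSTED_BROWSERS:
        if not conn.visible_window:
            reasons.append("trusted browser has no visible window")
        if conn.parent.lower() not in EXPECTED_PARENTS:
            reasons.append(f"trusted browser launched by {conn.parent}")
    return Alert(conn.process, conn.dest_host, reasons) if reasons else None


def parse_line(line: str) -> Connection:
    """Parse one constructed log line of space-separated key=value pairs."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Connection(
        process=fields["proc"],
        parent=fields["parent"],
        visible_window=fields["visible"] == "1",
        dest_host=fields["dst"],
    )


# Constructed sample log: a normal browsing session, a hidden browser reaching the
# proxy, the same hidden browser reaching an ordinary site (the variation Meer
# warns about), and a mail client's legitimate hidden browser window.
SAMPLE_LOG = """\
proc=IEXPLORE.EXE parent=explorer.exe visible=1 dst=www.pcworld.com
proc=IEXPLORE.EXE parent=dropper.exe visible=0 dst=www.anonymizer.com
proc=IEXPLORE.EXE parent=dropper.exe visible=0 dst=www.trusted-site.example
proc=IEXPLORE.EXE parent=eudora.exe visible=0 dst=images.example.net
"""


def scan(log: str) -> list[Alert]:
    """Evaluate every non-empty line and keep only the ones that raised an alert."""
    alerts = []
    for line in log.splitlines():
        if line.strip():
            alert = evaluate(parse_line(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.process} -> {a.dest_host}: " + "; ".join(a.reasons))
```

The third sample line shows why the block-list alone is not enough: a variant that fetches its commands from an ordinary site never matches the proxy list and is caught only by the behavioural signals. The fourth line shows the cost of those signals: the Eudora case the article mentions trips them too, which is the functionality trade-off the researchers say Microsoft and firewall vendors face.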

According to the demonstrators, a Microsoft programmer in attendance
said the company will look for ways to restrict invisible browsers to
certain actions. A Microsoft spokesperson would only say the company is
committed to keeping customer information safe, and that Microsoft is
evaluating the scenario presented in the Setiri demonstration.

Users can, of course, help protect themselves from getting the Trojan
horse in the first place, the researchers noted. Security experts
routinely warn users to not open e-mail attachments from unknown
sources, and to be careful about the sites from which they download
programs.

Scare Tactics?

Temmingh, Meer, and colleague Charl van der Walt, consultants for
SensePost, say they demonstrated the Trojan horse not to scare users and
system administrators. They want to raise awareness about what may
already be in the wild, and promote discussion of what must be done to
protect systems from such programs. "We are three guys who work
full-time jobs and we came up with this program just in our spare time,"
said Temmingh. "So imagine what guys with a lot of time on their hands
have already come up with."

In fact, after the DefCon presentation a hacker in the audience told
Temmingh that he and friends have already devised a Trojan horse that
does what Temmingh's test Trojan horse does. "This stuff could be
happening on your machine right now. It's out there, and you must think
about the problems with this now," Temmingh says.

Van der Walt urges a closer look at firewalls and invisible programs.
"The idea is to look at this mechanism that's trusted by firewalls and
see how such a Trojan horse can abuse that trust," he says. "We need to
look at what methods should be allowed for invisible programs to
operate."

Meer says the three hope Microsoft will soon deal with the invisible
window function. But he acknowledges that this will be difficult, since
"it will take some functionality away from IE if Microsoft tries to
limit the invisible browser."

The three also say that their demo should prompt the firewall developers
to reexamine how they handle Net access and designate trustworthy
applications.

"The message is, don't think you're safe because you have the usual
defenses, such as a firewall," Meer says.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:32 PDT