From: Martin Mačok (martin.macok@underground.cz)
Date: Fri Jan 09 2004 - 18:50:59 EST
On Fri, Jan 09, 2004 at 06:32:48AM -0800, Random Task wrote:
> The modification we'd like to make to our site would be a remote
> exploit of some sort, and I'm not totally sure where to go with that.
> It is of utmost importance that this program can be easily and
> totally removed after the testing is complete.
Implement expiration in your trojan code and set it for several days
(for duration of the test). After the expiration date make sure the
trojan does not do anything (ie. immediately exit). If you want to it
to be "totally removed", *do not do any* automagic removal in your
code but ask the user to contact his security administrator (and make
sure he knows how to do it).
Each copy of the Trojan could possibly identify itself when it calls
home (unique identifier) so you can tell who forwarded which copy
further in test period.
The "call home" technique is sometimes not trivial. You should test it
*with the help of the client* before the actual test:
- consult what sort of OS/MUA/browser combination is expected (to not
use MS Outlook(IE) tricks in Lotus Notes environment etc.),
- test if the trojan can go "in" in email attachment (sometimes not
allowed or just removed from the message by SMTP content filters,
usually by decision based on filename extension) or as a HTML
message with URL to your webserver/trojan code,
- test if it is possible to execute the trojan in their typical
desktop environment and how easy is that (what steps are required
to be performed by the user),
- test if the trojan is able to "call home" from their LAN - direct
TCP/IP connection, http(s) proxy (authentication!), email through
SMTP server, DNS query etc. You could also place the PC inside their
LAN,
- finally, get the list of the target users (email recipients)
Try to make sure the client does understand the test and its purpose.
Especially that he does not plan to use the test results as a "reason"
for firing someone. You don't want to make enemies :-)
> * Use IE remote exploits to start a netcat listening session (not
> * Create a screen saver application of some sort that would gather
> * Create a free automated "security scanner" application similar to
No need to. Just popup some window and do the work in background (make
sure the background job still runs *after* the user closes the window)
or simply do not do anything (only the background job).
> Cons to doing this, as I see it: the employee may forward the message
> outside their company, skewing results and running on systems without
> permission. (this would only be if a screensaver/application were
> used)
This happens. Make sure the trojan does not do anything harmful under
any circumstance, only the minimun needed.
--
Martin Mačok http://underground.cz/
martin.macok@underground.cz http://Xtrmntr.org/ORBman/
---------------------------------------------------------------------------
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:45 EDT