Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

fulldisclosure logo Full Disclosure mailing list archives

RE: Corporate Virus Threats
From: "Castigliola, Angelo" <ACastigliola () unumprovident com>
Date: Fri, 30 Jun 2006 09:42:34 -0400
When the malicious code writers build their viruses and Trojans why not
code the threats to detect the use of proxy servers and if used, connect
through them.


Typically you can get to the internet through the default gateway directly from the computer without needing to 
configure proxy settings. A better question would be why do viruses run in user-mode versus kernel mode (see 
http://www.phrack.org/show.php?p=62&a=6 "Kernel-mode backdoors for Windows NT")? My guess is that 15-18 year old kids 
that write viruses mostly use recycled code and are often poorly written.


Working in Corporate America, most firewall configurations block outbound
TCP 80, as the proxies listen on other non-standard TCP ports.


I do not agree with this. Most corporations allow outbound TCP 80.

I think this thread is more appropriate for focus-virus and not Full-disclosure. 

Angelo Castigliola III
Enterprise Security Architecture
UnumProvident 

The posts and threads in this email do not reflect the opinions of nor are endorsed by UnumProvident, Inc., nor any of 
its employees.
________________________________________
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
Terminal Entry
Sent: Thursday, June 29, 2006 10:14 AM
To: Bug Traq; Full Disclosure
Subject: [Full-disclosure] Corporate Virus Threats

When the malicious code writers build their viruses and Trojans why not code the threats to detect the use of proxy 
servers and if used, connect through them.  Working in Corporate America, most firewall configurations block outbound 
TCP 80, as the proxies listen on other non-standard TCP ports.  A virus should first check to determine if a proxy is 
used and if so use that proxy to download the malicious code, backdoor, etc.

Thoughts...
 
Terminal Entry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]