[Dshield] Re: gotomypc.com part 2

Cunningham, Andy acunningham at rsasecurity.com
Wed May 15 08:07:45 GMT 2002


Folks

The problem is exacerbated by the fact that there is a "Reverse WWW shell"
that attackers can use and configure to talk to their own web server from a
compromised machine (or even include in a trojan).

It should be possible to write signatures for each of these, but also to look
for large HTTP GET requests (command output) returning a very small page (the
next command to run), and/or repeated HTTP GET requests at the same time
interval.

AndyC 


> -----Original Message-----
> From: Jim Tagart [mailto:Jim.Tagart at bellcold.com]
> Sent: 15 May 2002 05:09
> To: 'list at dshield.org'
> Subject: RE: [Dshield] Re: gotomypc.com part 2
> 
> 
> Yep, you've got to block all the potential gateways, servers and domains,
> and yes, even home users and consumer networks, by not allowing this first
> of all by Policy and Procedure, second by audit and third by
> monitoring/sniffing for these things.
> 
> The IDSs need to ramp up and detect these services; at least then you can
> shut them down quickly until something better is here.
> 
> I need to learn how to write Snort rules finally.
> 
> Jim
> 
> > -----Original Message-----
> > From:	Bruce Campbell [SMTP:bruce_campbell at ripe.net]
> > Sent:	Tuesday, May 14, 2002 6:02 PM
> > To:	'list at dshield.org'
> > Subject:	RE: [Dshield] Re: gotomypc.com part 2
> > 
> > On Tue, 14 May 2002, Jim Tagart wrote:
> > 
> > > 	Nope, not bold today but found this on their site
> > >
> > > 	<snip>
> > > 	How it works?
> > >
> > > 	Host computer runs totalrc.exe, a software agent to enable remote
> > > control. Client takes remote control/view of the Host through a Web
> > > browser. Gateway provides communications between Host and Client. In
> > > order to provide remote control client opens Gateway's URL in the Web
> > > Browser. The default gateway is http://www.totalrc.net. This gateway is
> > > free for all users.
> > > 	</snip>
> > >
> > > 	So blocking the http://www.totalrc.net site should do it.
> > 
> > Blocking www.totalrc.net would block clients, at your site, from
> > connecting to the gateway site.  It would not block hosts within your
> > site from running totalrc.exe and connecting to poll.gotomypc.com.
> > 
> > --==--
> > Bruce.
> > 
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> 

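As an added example (not part of Andy's message or anything posted to the thread), the two traffic heuristics he describes can be run over proxy logs: GETs with an unusually large request (output smuggled into the URL) that are answered with a tiny page, and the same client fetching the same host at a near-constant interval. The log format (epoch time, client, method, URL, request bytes, response bytes) and the sample lines are constructed for illustration and do not correspond to any particular proxy or to gotomypc/totalrc traffic; the thresholds are assumptions to be tuned per site.

```python
"""Heuristic detection of a reverse-WWW-shell style channel in proxy logs.

Signals: (1) HTTP GETs that are large (command output in the URL) but get a
very small reply (the next command); (2) one client polling one host at a
fixed interval. Log layout and sample data below are constructed/assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from urllib.parse import urlsplit


@dataclass
class Request:
    ts: float
    client: str
    method: str
    url: str
    req_bytes: int
    resp_bytes: int

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def parse_log(lines):
    """Parse assumed format: ts client method url req_bytes resp_bytes."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines instead of aborting the run
        ts, client, method, url, rq, rs = parts
        records.append(Request(float(ts), client, method.upper(), url,
                               int(rq), int(rs)))
    return records


def large_get_small_reply(records, min_req=1024, max_resp=256):
    """GETs carrying a big request but answered with a tiny page."""
    return [r for r in records
            if r.method == "GET" and r.req_bytes >= min_req
            and r.resp_bytes <= max_resp]


def fixed_interval_polling(records, min_requests=5, max_jitter=0.15):
    """(client, host) pairs fetched at near-constant intervals.

    Jitter is stdev/mean of the inter-arrival gaps; a timer-driven agent
    scores near 0, human browsing scores high. Returns pair -> mean gap (s).
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r.client, r.host)].append(r.ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            hits[pair] = round(avg, 1)
    return hits


# Constructed sample: 10.0.0.5 polls gw.example.test every 60 s with a 1600
# byte GET and a 40 byte reply; 10.0.0.9 browses normally.
SAMPLE_LOG = [
    f"{1021100000 + 60 * i} 10.0.0.5 GET "
    f"http://gw.example.test/cgi-bin/x?{'A' * 1500} 1600 40"
    for i in range(6)
] + [
    "1021100010 10.0.0.9 GET http://news.example.test/ 300 45000",
    "1021100017 10.0.0.9 GET http://news.example.test/story 310 38000",
    "1021100140 10.0.0.9 GET http://news.example.test/img.gif 280 9000",
    "1021100141 10.0.0.9 GET http://news.example.test/style.css 290 3000",
    "1021100600 10.0.0.9 GET http://news.example.test/other 305 41000",
    "1021100633 10.0.0.9 POST http://mail.example.test/send 5000 120",
]


def analyse(lines):
    records = parse_log(lines)
    return {
        "large_get_small_reply": {(r.client, r.host)
                                  for r in large_get_small_reply(records)},
        "polling": fixed_interval_polling(records),
    }


if __name__ == "__main__":
    for name, hits in analyse(SAMPLE_LOG).items():
        print(name, hits)
```

Either signal alone produces false positives (auto-refreshing pages poll on a timer; long tracking URLs get small replies), so in practice a host that trips both, and is not on an allow-list of known web applications, is what merits a look.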