Corporate systems only as secure as their weakest link
I’m continuing the coverage on trojans/zombies and similar problems.
One machine was caught sending spam. Obviously a zombie. Except it turned out that it wasn’t a regular machine. It was a server set up as a router. A very secure system, set up in such a way that I don’t see how it could have been hijacked.
But wait, it could have been used as a proxy. I tested it myself, and it was not an open proxy. It was, however, set up to be a proxy for machines on the inside of that network. So, if a machine on the inside of said proxy had somehow gotten infected with a trojan, this very secure server would happily ferry requests back and forth between the infected machine and the internet at large.
How?
Basically, a good firewall is usually doing stateful inspection. Which means that if someone on the outside sends you a request, it’s denied unless the router is configured to forward requests on a specific port to a specific machine. But an infected machine sends out a request FIRST, and the connections from the bad guys come back as responses to that request, which the firewall treats as legitimate return traffic. So a previously infected machine will cut through any firewall relying only on NAT and stateful inspection.
But many firewalls are set to block a range of dangerous ports. Enter the new breed of trojans: they are configured to work on random high ports. Ports that apparently weren’t blocked in this case, and probably aren’t in most cases.
So system administrators may have mysteries on their hands: routers that are reported to be spamming, yet the real culprit is one of the users inside the network. To the outside world, the machine on the inside is never visible, except that in some cases the mail headers will show a private-network IP address.
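One way to solve that mystery from the router’s own side is to look at the outbound connection log rather than the public IP that got reported. The script below is an added example, not code from the original post; it assumes a simple constructed NAT log format (timestamp, internal src:port, external dst:port, protocol) and flags internal hosts that either talk SMTP to many external hosts without being the approved mail relay, or keep reconnecting to the same external host on a random high port.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a NAT router's outbound connection log (not real data).
SAMPLE_LOG = """\
2005-10-28T17:55:01 192.168.1.20:41234 -> 203.0.113.5:25 tcp
2005-10-28T17:55:02 192.168.1.20:41235 -> 203.0.113.9:25 tcp
2005-10-28T17:55:02 192.168.1.20:41236 -> 198.51.100.7:25 tcp
2005-10-28T17:55:03 192.168.1.20:41237 -> 198.51.100.8:25 tcp
2005-10-28T17:55:04 192.168.1.20:41238 -> 203.0.113.44:6667 tcp
2005-10-28T17:55:05 192.168.1.20:41239 -> 203.0.113.44:6667 tcp
2005-10-28T17:55:06 192.168.1.31:50210 -> 203.0.113.80:80 tcp
2005-10-28T17:55:07 192.168.1.31:50211 -> 203.0.113.81:443 tcp
2005-10-28T17:55:08 192.168.1.10:33000 -> 192.0.2.25:25 tcp
"""

# Assumed log line layout: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records

def find_suspects(records, mail_relays=frozenset(), smtp_min=3, high_port_min=2):
    """Return {internal_ip: [reasons]} for hosts whose outbound traffic looks like a spam bot:
    SMTP (tcp/25) to several distinct external hosts from anything but the approved relays,
    or repeated connections to one external host on an unprivileged (>1023) port."""
    smtp_dsts = defaultdict(set)
    high_port_hits = Counter()
    for r in records:
        if r["proto"] != "tcp":
            continue
        if r["dport"] == 25 and r["src"] not in mail_relays:
            smtp_dsts[r["src"]].add(r["dst"])
        elif r["dport"] > 1023:
            high_port_hits[(r["src"], r["dst"], r["dport"])] += 1
    suspects = defaultdict(list)
    for src, dsts in smtp_dsts.items():
        if len(dsts) >= smtp_min:
            suspects[src].append(f"smtp to {len(dsts)} external hosts")
    for (src, dst, port), n in high_port_hits.items():
        if n >= high_port_min:
            suspects[src].append(f"{n} connections to {dst}:{port}")
    return dict(suspects)
```

Run against the sample with `find_suspects(parse_log(SAMPLE_LOG), mail_relays={"192.168.1.10"})` and only 192.168.1.20 comes back, with both reasons; the ordinary web client and the real mail relay are left alone.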
And how can a computer on the inside of a corporate network be “previously infected”?
How many laptops are used on a typical network? How many of those laptops are wielded by clueless users, who connect anywhere and everywhere they can find a connection to the internet? I’d say quite a few. And if some of those laptops are slightly older, chances are they’re running Windows 2000, or even unpatched versions of Windows XP. Parasite city…
October 28th, 2005 at 6:01 pm
One more reason to use Linux….. Especially in a corporate network.
October 29th, 2005 at 3:36 am
Convince the fat cats to use Linux on their laptops. Yeah, you do that. I wish…