Telecom and Logistics Associates 

TLAalert    Security Service

TLAnews: Security NEWs Service

3.7.2000 Security: Trojan behind a firewall, information leak to the outside
A trojan behind a firewall can send information out to IRC (chat) channels, where hackers quietly wait for the information the trojan gathers on the internal network. Trojans can enter the company network through e-mail, CDs, floppy disks, remote access, and the laptops of mobile users.

In French: A "trojan" behind a firewall, information leak to the outside
"Trojans" behind a firewall can broadcast information on IRC (chat) channels, where hackers quietly wait for the information about the internal network that the "trojan" sends out. They can enter a company through e-mail, CDs, floppy disks, remote access, and mobile users and their laptop PCs.


English version
Once located behind a firewall, a trojan known as Pretty Park will attempt to send information outside the company network using the Internet and its chat servers. Those servers are part of what is called Internet Relay Chat (IRC). Some channels are dedicated to hackers; the hacker then simply waits until the trojan sends information back to the right IRC channel.

Anyone can open a channel: you just connect to an IRC server and instruct it to create a new channel, for example called #infoLeak. The trojan is then adapted to leak information to that specific channel, and the attacker waits.


Summary in French
Once a Trojan horse has been placed behind a firewall, in the case of Pretty Park it will try to transmit information over the Internet using "Internet Relay Chat (IRC)", sometimes called "chat". Some of these servers host channels dedicated to hackers. One then only has to listen regularly to the channel on which the trojan broadcasts in order to retrieve the transmitted information.

Anyone can open a specific channel on IRC servers with a few instructions. One then only has to adapt the trojan and wait for the flow of information.


It is easy to understand that if the trojan managed to collect passwords on the internal network, it would not be appreciated if this information were broadcast on an IRC channel.

Such situations are not always detected by anti-virus software, especially if the trojan was adapted for a special purpose. Many companies do not control what people bring into the company's information system and rely heavily on anti-virus software. But when a mobile user or a consultant comes in with a laptop, a company seldom checks the content of that system.

For a more technical description, we now describe what you will see on the firewall if such an attempt is made. Below is the log of a trojan trying to reach an IRC server in order to send out information about the internal network. As you can see, the trojan resides on station 194.2.42.33 and attempts to build a connection with an IRC server on machine 207.46.216.29, which is located on the Internet. Access to an IRC server is characterised by a connection to port 6667; we called the service P6667.

Date      Time      Interface  Origin    Track  Action  Service  Source       Destination    Protocol
7Jun2000  11:37:49  El90x1     firewall  log    drop    P6667    194.2.42.33  207.46.216.29  tcp
7Jun2000  11:37:50  El90x1     firewall  log    drop    P6667    194.2.42.33  207.46.216.74  tcp
7Jun2000  11:39:37  El90x1     firewall  log    drop    P6667    194.2.42.33  207.46.216.29  tcp
7Jun2000  11:39:38  El90x1     firewall  log    drop    P6667    194.2.42.33  207.46.216.74  tcp
7Jun2000  11:50:02  El90x1     firewall  log    drop    P6667    194.2.42.33  207.46.216.74  tcp


In our case we are fortunate enough to see that our firewall is blocking the information leak from the internal network to the outside IRC server. At regular intervals the trojan attempts a connection to the IRC server, and each attempt is dropped by the firewall.

Unless your company has real good reasons to let you access IRC (chat) channels, all connections to IRC servers should be forbidden by your security policy. Firewalls must be configured to stop any attempt of that kind, and an alarm should be sent to the security manager.
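As an added example (not code from the original article), here is a small Python detector that applies the policy above to the firewall log format shown earlier: it parses each line, groups TCP attempts to port 6667 by internal source host, and produces one alert per host that tries repeatedly, also counting any attempt the firewall accepted (a gap in the blocking rule). The sample log is constructed from the page's five lines plus two added lines; the field names and the `min_attempts` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input in the layout of the firewall log above: the page's
# five lines, plus one constructed "accept" line (a rule gap) and one http line.
SAMPLE_LOG = """\
7Jun2000 11:37:49 El90x1 firewall log drop P6667 194.2.42.33 207.46.216.29 tcp
7Jun2000 11:37:50 El90x1 firewall log drop P6667 194.2.42.33 207.46.216.74 tcp
7Jun2000 11:39:37 El90x1 firewall log drop P6667 194.2.42.33 207.46.216.29 tcp
7Jun2000 11:39:38 El90x1 firewall log drop P6667 194.2.42.33 207.46.216.74 tcp
7Jun2000 11:50:02 El90x1 firewall log drop P6667 194.2.42.33 207.46.216.74 tcp
7Jun2000 11:52:10 El90x1 firewall log accept P6667 194.2.42.33 207.46.216.74 tcp
7Jun2000 11:52:11 El90x1 firewall log accept http 194.2.42.33 207.46.216.74 tcp
"""

IRC_PORTS = {6667}  # the port the page uses to characterise an IRC connection
FIELDS = ("date", "time", "interface", "origin", "track", "action",
          "service", "src", "dst", "proto")

def parse_line(line):
    """Split one log line into named fields; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    m = re.fullmatch(r"P(\d+)", rec["service"])  # "P6667"-style names carry the port
    rec["port"] = int(m.group(1)) if m else None
    return rec

def irc_attempts(log_text, irc_ports=IRC_PORTS):
    """Group TCP connection attempts to IRC ports by internal source host."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["port"] in irc_ports:
            by_src[rec["src"]].append(rec)
    return by_src

def irc_alerts(log_text, min_attempts=3, irc_ports=IRC_PORTS):
    """One alert per host with at least min_attempts IRC attempts; 'accepted'
    counts attempts the firewall let through, i.e. a gap in the blocking rule."""
    alerts = []
    for src, recs in irc_attempts(log_text, irc_ports).items():
        if len(recs) >= min_attempts:
            alerts.append({"src": src, "attempts": len(recs),
                           "servers": sorted({r["dst"] for r in recs}),
                           "first": recs[0]["time"], "last": recs[-1]["time"],
                           "accepted": sum(r["action"] == "accept" for r in recs)})
    return alerts
```

Running `irc_alerts(SAMPLE_LOG)` reports station 194.2.42.33 with six attempts against two servers, one of them accepted, which is exactly the alarm the security manager should receive.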

Remember that many attack methods exist against people using IRC, in order to fool them. Never accept from anybody a file or an image, or, even worse, an invitation to connect to some application on the Internet. There are wild practices on IRC channels.

In a forthcoming article we will describe the IRC channels dedicated to hacking and their corresponding servers.

Related information:

IRC (Internet Relay Chat) is a virtual meeting place where people from all over the world can meet and talk; you'll find the whole diversity of human interests, ideas, and issues here, and you'll be able to participate in group discussions on one of the many thousands of IRC channels, or just talk in private to family or friends, wherever they are in the world.

To get help in an IRC client, type on the command line: /help

Author information.
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: July 03, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.