
List:       ipfilter
Subject:    Re: Treating the "New Trojan Sending Data To Russia" Problem
From:       Chris Wasser <cwasser () v-wave ! com>
Date:       2000-07-30 4:22:53

On Sat, Jul 29, 2000 at 05:08:33PM -0500, James Moore wrote:
> In a SANS News Flash dtd July 28, 2000, they advised blocking all traffic 
> to or from 194.87.6.X (see an excerpt from the SANS Flash below for 
> details). I have added the following rules to my ipf.rules file - 
> analysis and comments are welcome:

It's not a trojan. It's a monitoring software such as those employed by
paid-to-surf programs. It's client tracking, nothing more. You'll notice
that this "suspected trojan" is using port 8080 and the sniffed traffic is
client->webserver communications (from the full SANS report)

Generally, sites should use a default policy of deny-all anyways and open
up only those services which are required. Unfortunately, Conseal PC
Firewall is hardly what I'd call superior packet filtering software and
these SANS guys seem rather obtuse (some of their earlier reports)

Take it as you will.
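
A sketch of the default-deny policy recommended in the reply above, written as an ipf.rules fragment. This is an added example, not part of the original message or the SANS report. It assumes an external interface named fxp0, a host that needs only outbound DNS and web access plus inbound SSH, and it reads 194.87.6.X as the whole 194.87.6.0/24 network.

```conf
# ipf.rules -- added example, not from the original thread.
# Assumptions: external interface is fxp0; required services are
# outbound DNS/HTTP/HTTPS and inbound SSH; 194.87.6.X means the /24.

# ipf uses the LAST matching rule unless a rule says "quick", so these
# two lines act as the default policy: anything not passed below is
# dropped and logged.
block in  log all
block out log all

# Loopback traffic is always allowed.
pass in  quick on lo0 all
pass out quick on lo0 all

# Explicit block for the network named in the SANS flash. It is placed
# before the pass rules and marked "quick" so that it also overrides
# the outbound web rules below.
block in  log quick on fxp0 from 194.87.6.0/24 to any
block out log quick on fxp0 from any to 194.87.6.0/24

# Outbound: only the services this host actually needs.
pass out quick on fxp0 proto udp from any to any port = 53 keep state
pass out quick on fxp0 proto tcp from any to any port = 53 flags S/SA keep state
pass out quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep state
pass out quick on fxp0 proto tcp from any to any port = 443 flags S/SA keep state

# Inbound: SSH only.
pass in quick on fxp0 proto tcp from any to any port = 22 flags S/SA keep state

# Nothing here passes outbound TCP to port 8080, so the client-to-port-8080
# traffic described in the report falls through to "block out log all".
```

Load the file with `ipf -Fa -f <rules file>` and watch the dropped packets with `ipmon`.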

