Announcement

Collapse
No announcement yet.

Possible trojan seeded by an outside developer

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • kallahar
    replied
    I'd set up a box as a honeypot and watch the traffic, see exactly what information is being transferred.

    I'd also make sure that you have the source code (if that was part of the contract) before making any acusations which will hurt your business relationship...

    Leave a comment:


  • AlxRogan
    replied
    Agreed that you definitely have something to be concerned about, but it could be harmless. I worked for a client some time ago that had a developer in Canada write them a VPN client. While we were working on an assessment, I fired up tcpdump to make sure the authentication was not cleartext. I noticed ICMP traffic to a .ca address as well as to cisco.com and ibm.com when the firewall was disallowing the VPN to connect. We didn't have the source code, but by some trial and error and .ini file reading, we determined that the developer had left in a "heartbeat" pinger that would ping his personal site in .ca and those two commercial sites if you couldn't initally connect to the VPN server. Just one example, but I would certainly contact the developer with your logs and ask them what's up.

    Good luck!

    Leave a comment:


  • skroo
    replied
    Originally posted by jpm379
    Yes..the outsourced company pinged me. They are in Viet Nam.
    While definitely coincidental, there's nothing to suggest (so far) that they're up to something shady. Not that I'm discounting what you're saying, but from the description you've so far given there's just not enough to go on to definitively point to a possible trojan. Having said that...

    I'm going to contact them about this as soon as I get further into it. If this is some innocent programming error then so be it. If it is anything else, then I'm not the first client this has happened to. My liability is pretty high if anything compromises a customer's computer through my software.
    Grab a copy of Process Explorer stat and make sure that the application in question is the one firing off the outbound requests seen at your firewall. While I presonally think you've got more than good reason to be suspicious, no sense going off half-cocked on them if it later turns out to be benign.

    Leave a comment:


  • jpm379
    replied
    Originally posted by Voltage Spike
    First, a clarification. Do you mean to say that the outsourced company pinged you? In other words, they sent you an update and then, after a short time period, attempted to connect to an unauthorized/unknown resource inside your network?

    Second, a question. Have you tried asking them what the application is doing? I would imagine the developers to be more qualified than we are in answering this question. Perhaps you could explain to them that your customers are not willing to purchase a product that contacts servers outside of their control...
    Yes..the outsourced company pinged me. They are in Viet Nam.

    I'm going to contact them about this as soon as I get further into it. If this is some innocent programming error then so be it. If it is anything else, then I'm not the first client this has happened to. My liability is pretty high if anything compromises a customer's computer through my software.
    Thanks

    Leave a comment:


  • Voltage Spike
    replied
    First, a clarification. Do you mean to say that the outsourced company pinged you? In other words, they sent you an update and then, after a short time period, attempted to connect to an unauthorized/unknown resource inside your network?

    Second, a question. Have you tried asking them what the application is doing? I would imagine the developers to be more qualified than we are in answering this question. Perhaps you could explain to them that your customers are not willing to purchase a product that contacts servers outside of their control...

    Leave a comment:


  • jpm379
    started a topic Possible trojan seeded by an outside developer

    Possible trojan seeded by an outside developer

    I came to a source that I felt would know the answer.

    I run a small development shop and outsource a lot of my work to an off shore company. This past week I was sent two updates of an .exe and after both installs my firewall stops the app from connectin to an IP address. This is not a web based app. The IP is a dead end in CA. Then I get pinged by this offshore company, I guess to see if anyone was home.

    1. This is a commercial application that will be released shortly for both demo and registered apps.
    2. The owner of the company I used is pretty flaky at times.
    3. There is absolutely no reason for the .exe of this software to "phone home"

    I've run all the usual SpyBot, keylogger detection, trojan etc. with no luck. I am the business end of my company...management and sales so I can only go so far on the tech side. My in house guy is no help.

    I smell a problem but I thought I would get other more experienced opinions.
    Thanks
Working...
X