Encrypted viruses

  • Encrypted viruses

    I am a student of information security (as we all should be) and I came across an article that said that certain ports remain open on firewalls so that encrypted traffic can flow between the network.

    Is it or would it be possible for someone to create a virus that is encrypted which would allow it to bypass firewall rule sets?

    Moderator: I don't wish to create such a virus.. just wanted to know if it were indeed possible to have encrypted traffic escape firewall ACLs
    I saw your mom on myspace!

  • #2
    Link to the article because you're not making any sense.

    "encrypted traffic can flow between the network"

    what the hell does that mean?
    We own everything so you don't have to!

    • #3
      Originally posted by ciph3r
      I came across an article that said that certain ports remain open on firewalls so that encrypted traffic can flow between the network.
      Layer 3/4 filters with firewall rules don't look at Layer 7 content. These firewalls generally allow/deny access by Port number and/or IP address.

      Filters/Proxies with firewall capability that can examine Layer 7 data generally can't see plain-text of encrypted conversations (unless they are used with MiM attacks and able to decrypt the content.) As a result, many network admins choose to allow certain encrypted traffic (often based on ports) because they can't tell what the traffic is, but know it is used for normal work (e.g. SSL and SSH.)

      For a virus to "spread in an encrypted way to a service," but in an automated fashion, would make that virus seem more like a worm. It would also (generally) require an exploitable weakness in an open service that offers encryption.

      Is it or would it be possible for someone to create a virus that is encrypted which would allow it to bypass firewall rule sets?
      The concept of a virus that encrypts/decrypts itself has been around for a while and is discussed in books and online. This technique was originally suggested (AFAIK) to avoid scan detection by AntiVirus software.

      Worms are presently using this with e-mail propagation of zip files sent as attachments with "encryption" to avoid mail scanner detection. If this can be done with worms, and a virus can be a payload of a worm (yes, and yes) then viruses can use this. (This is not a new concept.)

      Moderator: I don't wish to create such a virus..
      I'm not a moderator.

      [I] just wanted to know if it were indeed possible to have encrypted traffic escape firewall ACLs
      Yes, it is, and/or no it isn't. Which answer you get depends on what you mean by, "getting by a firewall's rules," and what those rules are.
      Last edited by TheCotMan; March 22, 2005, 11:46. Reason: spilling miztaches

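To make the distinction in the reply above concrete, here is an added example (not code from the thread): a toy layer 3/4 rule matcher that decides on protocol, destination and port only, so two flows on a permitted port get the same verdict whether their payload is readable text or opaque ciphertext, next to a byte-entropy check showing what a layer 7 inspector without the keys is left with. Rule set, addresses and payloads are constructed for the example.

```python
import ipaddress
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


# Constructed rule set, first match wins: (action, proto, dst_cidr, dport or None)
RULES = [
    ("allow", "tcp", "10.0.0.0/24", 443),   # SSL/TLS to the web server
    ("allow", "tcp", "10.0.0.0/24", 22),    # SSH for admins
    ("deny",  "any", "0.0.0.0/0",   None),  # default deny
]


def l3l4_verdict(flow, rules=RULES):
    """Layer 3/4 filter: looks at proto/dst/dport only; payload is never read."""
    for action, proto, cidr, dport in rules:
        if proto != "any" and proto != flow.proto:
            continue
        if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(cidr):
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action
    return "deny"


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def l7_view(flow, threshold=6.5):
    """Layer 7 inspector without keys: can only tell readable from opaque."""
    return "opaque" if shannon_entropy(flow.payload) >= threshold else "readable"


# Constructed payloads for the same 5-tuple
PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
CIPHERTEXT = bytes(range(256))  # stand-in for encrypted bytes (uniform)
```

Same rules, same 5-tuple: the plaintext and the opaque flow are both allowed by the port rule, and only the content inspector can see that one of them is unreadable.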

      • #4
        Originally posted by gzzah
        Link to the article...
        Excellent point. You [ciph3r] must pay tribute to the forums. Your first donation must be in the form of links to your topic as requested by gzzah.
        Last edited by TheCotMan; March 22, 2005, 12:46. Reason: fix dropped char

        • #5
          Originally posted by ciph3r
          I am a student of information security (as we all should be) and I came across an article that said that certain ports remain open on firewalls so that encrypted traffic can flow between the network.

          Is it or would it be possible for someone to create a virus that is encrypted which would allow it to bypass firewall rule sets?
          Viruses have been able to encrypt themselves as long as I can remember.. some using simple encryption to make themselves hard to debug, others using polymorphic techniques to avoid detection. This would not help bypass firewall rulesets; it would help it bypass AV scanners and IDS (which could be on the firewall).

          By "ports remaining open on firewalls for encrypted traffic", I assume you mean something like VPN connections to the firewall. If that be the case, the virus (or worm, as it sounds like you are describing) would have to either infect a host connecting to the VPN (in which event it is a moot point, the virus/worm will only see it as a network connection.. nothing special) or have the correct info (shared secret, certificate, etc.) to be able to connect to the VPN itself.
          If the latter be the case, it would only work against that target network.
          Happiness is a belt-fed weapon.
