Ask the Expert

Malicious code attacks via HTTP

How often does malicious code (like Active X) steal corporate information by sending it via HTTP (through a corporate proxy)? Is remote control of a corporate PC possible through such outgoing HTTP? How can we prevent that at the proxy/firewall level?

    Requires Free Membership to View

This mechanism is definitely an increasing vector of attack, given that most organizations allow unfettered outgoing HTTP and HTTPS access. There are numerous tools (such as Reverse WWW Shell, available at www.thehackerschoice.com) that push a shell out over outgoing HTTP access. From the network perspective, it looks like outgoing HTTP, possibly even authenticating to a proxy with a static user ID and password. For the attacker, though, it's really incoming shell access, executing commands on the attacker's behalf. The attacker has to install some software on the internal system first, and configure it to poll the attacker for commands to run.

There's even a commercial service that implements remote access to the desktop via HTTP, called GoToMyPC.com. It's very scary indeed, letting your users (and evil attackers) anywhere on the Internet control your machines remotely via outgoing HTTP secured only by a user-chosen password. As we all know, users choose lame passwords unless there is some sort of password complexity requirement, which doesn't exist at GoToMyPC.com.

So, what can you do? First off, block access to GoToMyPC.com at your border firewall or gateway unless you have a very specific business need for it. Additionally, block access to the popular www.anonymizer.com Web site sometimes used for these kind of attacks to launder the source address of the attacker. For a more thorough solution, consider deploying or updating your HTTP filtering mechanisms to block access to remote-control sites and services. The same tool that you use to help limit access to porn can be used to stop access to these remote-control/anonymizing sites. SurfControl has a product that blocks access to unwanted URLs. They classify GoToMyPC.com and Anonymizer.com as "remote proxies" and can be configured to block such access. You can test any URL to see if SurfControl filters it by using a handy test form at their Web site.

Of course, if the attacker uses his or her own Web site instead of something registered with SurfControl, you are out of luck with that solution. That's why strong internal host security is a must. Run up-to-date antivirus tools and use network-based IDS tools to look for spurious traffic that could be an indication of a backdoor.


For more info on this topic, please visit these SearchSecurity.com resources:
  • Web Security Tip: Integrated content filtering
  • Featured Topic: 21st Century Firewalls
  • Executive Security Briefing: Downstream liability makes the case for security spending

    This was first published in March 2004

  • There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: