How often does malicious code (like Active X) steal corporate information by sending it via HTTP (through a corporate proxy)? Is remote control of a corporate PC possible through such outgoing HTTP? How can we prevent that at the proxy/firewall level?
This mechanism is definitely an increasing vector of attack, given that most organizations allow unfettered outgoing HTTP and HTTPS access. There are numerous tools (such as Reverse WWW Shell, available at www.thehackerschoice.com) that push a shell out over outgoing HTTP access. From the network perspective, it looks like outgoing HTTP, possibly even authenticating to a proxy with a static user ID and password. For the attacker, though, it's really incoming shell access, executing commands on the attacker's behalf. The attacker has to install some software on the internal system first, and configure it to poll the attacker for commands to run.
There's even a commercial service that implements remote access to the desktop via HTTP, called GoToMyPC.com. It's very scary indeed, letting your users (and evil attackers) anywhere on the Internet control your machines remotely via outgoing HTTP secured only by a user-chosen password. As we all know, users choose lame passwords unless there is some sort of password complexity requirement, which doesn't exist at GoToMyPC.com.
So, what can you do? First off, block access to GoToMyPC.com at your border firewall or gateway unless you have a very specific business need for it. Additionally, block access to the popular www.anonymizer.com Web site sometimes used for these kind of attacks to launder the source address of the attacker. For a more thorough solution, consider deploying or updating your HTTP filtering mechanisms to block access to remote-control sites and services. The same tool that you use to help limit access to porn can be used to stop access to these remote-control/anonymizing sites. SurfControl has a product that blocks access to unwanted URLs. They classify GoToMyPC.com and Anonymizer.com as "remote proxies" and can be configured to block such access. You can test any URL to see if SurfControl filters it by using a handy test form at their Web site.
Of course, if the attacker uses his or her own Web site instead of something registered with SurfControl, you are out of luck with that solution. That's why strong internal host security is a must. Run up-to-date antivirus tools and use network-based IDS tools to look for spurious traffic that could be an indication of a backdoor.
For more info on this topic, please visit these SearchSecurity.com resources: