June 2nd, 2005

Trojan horse - more information

Filed under: Computer Security, Privacy — arikb @ 1:39 am

I’ve followed up on some info regarding the specific trojan used, and it seems like it’s the Hotword.B trojan.

The Symantec analysis (and a similar one on Aladdin’s site) shows that the protocol used to get a configuration file was FTP. No mention of the protocol used to actually get the data out, but it may as well be FTP.

This surprises me - in many organizations in Israel that I’ve been in, FTP is disallowed at the perimeter. I guess those attacked didn’t bother to disallow it, or - more properly - allow only a limited set of protocols. An average organization with a private network, a properly configured HTTP proxy (i.e. only HTTP traffic) and no direct routing to the Internet would have been safe from this particular attack.
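To make the proxy-only egress model concrete, here is an added example (my own illustration, not code from the post or from any vendor analysis) that applies a default-deny egress policy to constructed netfilter-style log lines and reports internal hosts that tried to reach the Internet directly, which is exactly where an FTP-based trojan would show up. The internal range, proxy address and proxy port are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed topology (hypothetical addresses): clients on 10.0.0.0/8 may only
# reach the HTTP proxy; only the proxy may open HTTP/HTTPS to the Internet.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
PROXY = ipaddress.ip_address("10.1.1.5")
PROXY_PORT = 3128

# Constructed sample of netfilter-style egress log lines (not real traffic).
SAMPLE_LOG = """\
OUT=eth1 SRC=10.2.3.4 DST=10.1.1.5 PROTO=TCP DPT=3128
OUT=eth1 SRC=10.2.3.4 DST=198.51.100.7 PROTO=TCP DPT=21
OUT=eth1 SRC=10.1.1.5 DST=203.0.113.9 PROTO=TCP DPT=80
OUT=eth1 SRC=10.2.3.4 DST=198.51.100.7 PROTO=TCP DPT=21
OUT=eth1 SRC=10.9.9.9 DST=203.0.113.9 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")


def egress_decision(src, dst, proto, dport):
    """Default-deny egress: clients only to the proxy, proxy only to web ports."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src == PROXY and dst not in INTERNAL and proto == "TCP" and dport in (80, 443):
        return "allow"
    if src in INTERNAL and dst == PROXY and proto == "TCP" and dport == PROXY_PORT:
        return "allow"
    return "deny"  # FTP, direct HTTP and everything else never leave the network


def audit_egress(log_text):
    """Apply the policy to each log line and collect, per internal host, the
    direct outbound attempts that were denied (candidates for investigation)."""
    denied_by_host = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not carry the fields we need
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if egress_decision(src, dst, proto, dport) == "deny":
            denied_by_host[src].append((dst, proto, dport))
    return dict(denied_by_host)


if __name__ == "__main__":
    for host, attempts in audit_egress(SAMPLE_LOG).items():
        print(host, "denied direct egress:", attempts)
```

A host that repeatedly hits the deny rule on port 21 is worth pulling off the network and examining, since legitimate clients behind such a perimeter have no reason to open FTP sessions outward.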

And on a different note, the Aladdin link above was in an unsolicited message I got from Aladdin. I might have given them my email address at some time in the past, but I did not intend it to be used to send me UCE. A lot of Israeli security companies are trying to jump on the bandwagon and make money off the trojan discovery.

My previous post on this topic is here.

This work is licensed under a Creative Commons License.