Security Basics mailing list archives
RE: hidden tasks
From: Meidinger Chris <chris.meidinger () badenit de>
Date: Thu, 25 Sep 2003 12:27:30 +0100
Hi Roland
1. To prevent a connection or infection from a remote PC. 2. To control the own machine: what tasks are running and what data is
produced
Regarding the second question the answer is often to easy: Check the task
manager,
look into the registry for the autorun hives....(check the answers > for
"Hard Drive
keeps filling up")
As far as looking for trojans or stuff like that, the task manager should be considered 'unconfirmed' information
I think a good programmer can mask his program as if it would be a MS
program.
So you see it in a real task manager (the NT task manager does not show
all tasks)
but you think it is a normal MS program. About the autorun: Even when all
autostartup
places in the registry are empty, we still have a lot of tasks running.
So would
it not be possible that a process is started like this system processes
without
having an entry in the autostart places in the registry?
I believe that the NTRootkit hooks system calls, which could hide running processes from _anything_ that tries to view them. You should be able to find information abotu how NTRootkit does this with a google search. So how do services start? Well they have their own run keys in the registry. I can install a service by adding it to the registry, for example. So, from there, i can start something automagically, without making it very obvious what it is. So yes, it is absolutely possible.
How difficult is it to replace the kernel with a kernel that is doing the
same
but additionally also collects all typing and send it to the internet one
time
a month. It does not need a schedule service to do this. It can count to
30 days
by itself. Or a Kernel driver or user driver. Would it be possible to
modify e.g.
the sound driver so it will also collects all typing and send it to the
internet
after it played sound for 999 hours? I am not a programmer so it do not
know if a
MS program needs a certificate or something else in order to replace it?
The problem
with images or MD5 hash checker or Black Ice Defender or Windows File
Protection (WFP)
is that you have to update them after each system update. This is to
difficult
for the normal user. There are also workarounds for e.g. WFP: The WFP runs
on the
system itself so a user with control over the system can make easy an own
update of the
WFP...
You can replace your kernel if you want to any time. Look for articles in the internet about how to replace the startup picture for Windows XP, for example, and you can test it yourself in a non-destructive way. This change takes place in the kernel, as you are replacing a picture resource in your kernel. The major difference between a linux kernel and the windows kernel is that the windows kernel is not open source. So it is more difficult to just add your own code and recompile. I recommend you look for more information about rootkits on NT, there is a good amount of info about these things out there. Chris Meidinger IT Technology and Services badenIT GmbH Innovationstechnologie für Ihre Zukunft Tel. +49 761 279 2280 Fax. +49 761 279 2200 Tullastrasse 70 79108 Freiburg Deutschland -----Original Message----- From: H Carvey [mailto:keydet89 () yahoo com] Sent: Monday, September 22, 2003 1:55 PM To: security-basics () securityfocus com Subject: Re: hidden tasks In-Reply-To: <D0651C658F6ED7119A8D00B0D064C7980280C1 () mail bknkids de> What you're referring to is entirely possible, as well as actually out there...
Would it be possible that instead of the shown task a trojan is running on
the system?
This is not only possible, but it's been done. There are trojans and backdoors that get written to %WINDIR%\system or %WINDIR%\temp, called "svchost.exe". This is the same name as Microsoft's file, but the path is different. Since Task Manager doesn't show the image paths for the processes that are running.
The trojan has the name of a known MS program, the same version number, the
same manufacturer name, the same description and the same path/type like in
Dr Watson's tasklist. The size of the file is the same like the original MS
file.
Earlier you said "On NT systems (or other windows systems)"...what you describe is possible, though on Win2K and above, improbable. The reason being that Win2K and above have WFP running, so any file protected by WFP that the attacker attempts to overwrite or delete is replaced automatically. There are ways around this, but the other thing to consider is that the likelihood of a file being the exact same size as the original MS file, and having all of the product version information intact is pretty slim. But again...even if this is the case, the very fact that the functionality is different would give the file a different hash or checksum.
Is it possible that there is a trojan running but we do not see it with a
virusscanner (because it is new),
Yes, this is possible, and it doesn't have to be "new". Several backdoors are not picked up by A/V software. IRC Bots like russiantopz, PowerBot and GTBot use mirc32.exe as their base, which is a legit app...and is therefore not picked up.
not in the task list (as it seams to be a
MS application)
Not appearing in the task list has little to do with whether the file is an MS application or not.
not in any autorun place (as it is started like a system task),
Do you mean a service? If you do, wouldn't that be an "autorun place"?
not with netstat or other sniffer(it makes the connections just one time a
month)? Scheduled task? If it's a running process, you should be able to see it, unless it's been hidden with a Hoglund-style kernel-mode rootkit. Hope that helps, Harlan --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- hidden tasks Philipp, Roland (Sep 19)
- Re: hidden tasks Roger A. Grimes (Sep 19)
- Re: hidden tasks Jim Duggan (Sep 19)
- Re: hidden tasks Roger A. Grimes (Sep 22)
- Re: hidden tasks Jim Duggan (Sep 19)
- Volunteer free time n30 (Sep 26)
- <Possible follow-ups>
- RE: hidden tasks Hagen, Eric (Sep 19)
- Re: hidden tasks H Carvey (Sep 22)
- RE: hidden tasks Philipp, Roland (Sep 24)
- RE: hidden tasks Harlan Carvey (Sep 24)
- RE: hidden tasks Meidinger Chris (Sep 25)
- RE: hidden tasks Meidinger Chris (Sep 25)
- Re: hidden tasks Roger A. Grimes (Sep 19)