Security Basics mailing list archives

RE: hidden tasks


From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 24 Sep 2003 03:49:23 -0700 (PDT)

Roland,

> Thanks a lot for your answers, Harlan, Eric, Roger
> and Jim.

Glad I could help.
 
> Regarding the second question the answer is often too
> easy: Check the task manager, look into the registry
> for the autorun hives.... (check the answers for
> "Hard Drive keeps filling up")

I used to teach an IR course for Windows
systems...checking the Task Manager is not necessarily
that good of a response.  Also, there really aren't
any "autorun hives"...rather there are keys that will
autorun programs.  Sorry to be a stickler for
terminology, but it's important to be clear and
correct, particularly when dealing with an incident.
 
> I think a good programmer can mask his program as if
> it were a MS program. So you see it in a real task
> manager (the NT task manager does not show all tasks)
> but you think it is a normal MS program.

It doesn't take a "good programmer".  Anyone can do
this.  There are worms and backdoors that hide as
'svchost.exe', and from the Task Manager, one cannot
tell the difference between the one in the correct
location (i.e., %WINDIR%\system32) and one in another
location.

> About the autorun: Even when all autostart places
> in the registry are empty, we still have a lot of
> tasks running. So would it not be possible that a
> process is started like these system processes
> without having an entry in the autostart places in
> the registry?

Again, terminology is important.  What are you
referring to?  Are you talking about services keys?  

> How difficult is it to replace the kernel with a
> kernel that does the same but additionally also
> collects all typing and sends it to the internet
> once a month?

Replace the kernel?  Maybe patch, but replace?  I
would think that such a thing would be exceedingly
difficult, and if it were possible, it would likely be
perpetrated by someone with loftier goals in mind than
attacking your site (no offense).

> Or a kernel driver or user driver.

This is what a rootkit does.

> The problem with images or MD5 hash checkers or
> BlackICE Defender or Windows File Protection (WFP)
> is that you have to update them after each system
> update. This is too difficult for the normal user.
> There are also workarounds for e.g. WFP: WFP runs
> on the system itself, so a user with control over
> the system can easily make his own update of WFP...

I think you need to take a closer look at WFP.  Yes,
it can be modified to include other files under its
protection, but again...rather than making assumptions
about the service, take a look on the MS site.  It's
very easy to find info on WFP.

To be very honest, my impression of this exchange is
that you're very, very paranoid.  While a small amount
of paranoia is healthy, you're not balancing it with
knowledge.  Yes, a lot of what you describe *could*
happen, but many of the things you're thinking about
are not likely to happen.  Some of what you describe
(i.e., replacing the kernel) are a bit more difficult
than you may suspect.

Hope this helps in some way,

Harlan
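The svchost.exe point above (Task Manager shows a name but not where the image lives) is one a defender can check from a process listing that includes the full path. The script below is an added example, not code from the thread or from either correspondent. It assumes a snapshot shaped like the CSV output of `wmic process get Name,ExecutablePath /format:csv` (the capture method is an assumption; the sample rows are constructed, not taken from a real host) and flags any process carrying a system-binary name that is not running from %WINDIR%\system32. It goes one step beyond the thread by also catching names that merely resemble a system binary through digit substitution (svch0st.exe), which Task Manager is equally unable to distinguish at a glance.

```python
"""Flag processes that carry a Windows system-binary name but do not run
from the expected system directory (added example; not from the thread).

Input is assumed to be a snapshot shaped like the CSV output of
    wmic process get Name,ExecutablePath /format:csv
but the check itself only needs (name, image path) pairs, so any process
listing that includes the full path can be fed to audit().
"""
import csv
import io
import ntpath
from typing import List, Optional, Tuple

# Names commonly borrowed by malware; legitimately they live only under
# %WINDIR%\system32 (add SysWOW64 here for 64-bit hosts, where some of these
# also have a 32-bit copy). Illustrative set, extend for your environment.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "smss.exe",
}

# Digit-for-letter substitutions used to make a name look like a real one.
LOOKALIKE_FOLD = str.maketrans({"0": "o", "1": "l", "5": "s"})

# Constructed sample snapshot; not captured from a real machine.
SAMPLE_CSV = r"""Node,ExecutablePath,Name
HOST1,C:\WINDOWS\system32\svchost.exe,svchost.exe
HOST1,C:\WINDOWS\System32\svchost.exe,svchost.exe
HOST1,C:\Documents and Settings\user\svchost.exe,svchost.exe
HOST1,C:\WINDOWS\system32\lsass.exe,lsass.exe
HOST1,,System
HOST1,C:\WINDOWS\svch0st.exe,svch0st.exe
HOST1,C:\Program Files\App\app.exe,app.exe
"""


def parse_wmic_csv(text: str) -> List[Tuple[str, str]]:
    """Return (name, image path) pairs from wmic-style CSV text."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return [(row["Name"], row["ExecutablePath"]) for row in reader]


def expected_dir(windir: str) -> str:
    """Case-folded system32 directory under windir, the only legitimate
    home for the names in SYSTEM_BINARIES."""
    return ntpath.normcase(ntpath.join(windir, "system32"))


def lookalike_of(name: str) -> Optional[str]:
    """Return the system binary a name imitates via digit substitution, if any."""
    folded = name.lower().translate(LOOKALIKE_FOLD)
    if folded in SYSTEM_BINARIES and folded != name.lower():
        return folded
    return None


def audit(processes, windir: str = r"C:\WINDOWS") -> List[Tuple[str, str, str]]:
    """Return (name, path, reason) for every process that Task Manager's
    name column alone would not distinguish from the genuine binary."""
    want = expected_dir(windir)
    findings = []
    for name, path in processes:
        lname = name.lower()
        if lname in SYSTEM_BINARIES:
            if not path:
                findings.append((name, path, "system binary name but no image path reported"))
            elif ntpath.normcase(ntpath.dirname(path)) != want:
                # Same name as the real binary, wrong directory: the svchost.exe
                # case described in the thread.
                findings.append((name, path, f"not running from {want}"))
        else:
            target = lookalike_of(name)
            if target:
                findings.append((name, path, f"name resembles {target}"))
    return findings


if __name__ == "__main__":
    for name, path, reason in audit(parse_wmic_csv(SAMPLE_CSV)):
        print(f"{name:12} {path or '<none>':45} {reason}")
```

On a real host, replace SAMPLE_CSV with the saved output of the wmic command and pass the host's actual %WINDIR% to audit(). The path comparison is case-folded because Windows paths are case-insensitive, so `System32` and `system32` are the same directory. This only covers the "same name, wrong location" case; a program that replaces the genuine file in place, or a driver-level rootkit that hides the process from the listing, would not show up here, which is why the services keys and the Run keys still need to be reviewed separately, as the reply above says.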
