Security Basics mailing list archives
RE: hidden tasks
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 24 Sep 2003 03:49:23 -0700 (PDT)
Roland,
> Thanks a lot for your answers, Harlan, Eric, Roger and Jim.
Glad I could help.
> Regarding the second question, the answer is often too easy: check the Task Manager, look into the registry for the autorun hives... (check the answers for "Hard Drive keeps filling up")
I used to teach an IR course for Windows systems...checking the Task Manager is not necessarily that good of a response. Also, there really aren't any "autorun hives"...rather there are keys that will autorun programs. Sorry to be a stickler for terminology, but it's important to be clear and correct, particularly when dealing with an incident.
> I think a good programmer can mask his program as if it were an MS program. So you see it in a real task manager (the NT Task Manager does not show all tasks) but you think it is a normal MS program.
It doesn't take a "good programmer". Anyone can do this. There are worms and backdoors that hide as 'svchost.exe', and from the Task Manager, one cannot tell the difference between the one in the correct location (ie, %WINDIR%\system32) and one in another location.
> About the autorun: even when all autostart places in the registry are empty, we still have a lot of tasks running. So would it not be possible that a process is started like these system processes, without having an entry in the autostart places in the registry?
Again, terminology is important. What are you referring to? Are you talking about services keys?
> How difficult is it to replace the kernel with a kernel that does the same but additionally also collects all typing and sends it to the internet once a month?
Replace the kernel? Maybe patch, but replace? I would think that such a thing would be exceedingly difficult, and if it were possible, it would likely be perpetrated by someone with loftier goals in mind than attacking your site (no offense).
> Or a kernel driver or user driver.
This is what a rootkit does.
> The problem with images, MD5 hash checkers, BlackICE Defender or Windows File Protection (WFP) is that you have to update them after each system update. This is too difficult for the normal user. There are also workarounds, e.g. for WFP: WFP runs on the system itself, so a user with control over the system can easily make their own update of WFP...
I think you need to take a closer look at WFP. Yes, it can be modified to include other files under its protection, but again...rather than making assumptions about the service, take a look on the MS site. It's very easy to find info on WFP.

To be very honest, my impression of this exchange is that you're very, very paranoid. While a small amount of paranoia is healthy, you're not balancing it with knowledge. Yes, a lot of what you describe *could* happen, but many of the things you're thinking about are not likely to happen. Some of what you describe (ie, replacing the kernel) is a bit more difficult than you may suspect.

Hope this helps in some way,

Harlan
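A defender-side check for the three points raised in the exchange above: the on-disk path of processes named like svchost.exe (which Task Manager alone does not distinguish), the autorun registry keys (keys, not "hives"), and services that run without any Run-key entry. This is an added example, not code from the original thread; it assumes an elevated PowerShell session on a Windows host, and the list of system binary names is a constructed choice.

```powershell
# Added example, not from the original thread. Assumes an elevated PowerShell
# session on Windows; the list of system binary names below is a constructed choice.

$system32 = Join-Path $env:WINDIR 'System32'
$systemNames = @('svchost', 'lsass', 'services', 'csrss', 'winlogon', 'smss')

# 1. Processes named like a system binary but running from outside System32.
#    Task Manager shows only the name; the image path is what tells them apart.
Get-Process |
    Where-Object { $systemNames -contains $_.ProcessName } |
    ForEach-Object {
        $path = $_.Path   # $null when the process is protected or access is denied
        if ($path -and -not $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
            [PSCustomObject]@{ PID = $_.Id; Name = $_.ProcessName; Path = $path }
        }
    }

# 2. Autorun registry keys: each value under these keys starts a program at logon.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($keyPath in $runKeys) {
    if (Test-Path -Path $keyPath) {
        $key = Get-Item -Path $keyPath
        foreach ($valueName in $key.GetValueNames()) {
            "{0} : {1} = {2}" -f $keyPath, $valueName, $key.GetValue($valueName)
        }
    }
}

# 3. Services start without any Run-key entry; list those whose binary is not
#    under System32 for review (PathName keeps quoting and arguments as registered).
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch [regex]::Escape($system32) } |
    Select-Object -Property Name, State, StartMode, PathName
```

A process or service outside System32 is a lead for review, not a verdict; legitimate third-party software also lives elsewhere, so the output is compared against what is known to be installed.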
Current thread:
- hidden tasks Philipp, Roland (Sep 19)
- Re: hidden tasks Roger A. Grimes (Sep 19)
- Re: hidden tasks Jim Duggan (Sep 19)
- Re: hidden tasks Roger A. Grimes (Sep 22)
- Re: hidden tasks Jim Duggan (Sep 19)
- Volunteer free time n30 (Sep 26)
- <Possible follow-ups>
- RE: hidden tasks Hagen, Eric (Sep 19)
- Re: hidden tasks H Carvey (Sep 22)
- RE: hidden tasks Philipp, Roland (Sep 24)
- RE: hidden tasks Harlan Carvey (Sep 24)
- RE: hidden tasks Meidinger Chris (Sep 25)
- RE: hidden tasks Meidinger Chris (Sep 25)
- Re: hidden tasks Roger A. Grimes (Sep 19)