Security Basics mailing list archives

Re: Hidden Ports


From: H Carvey <keydet89 () yahoo com>
Date: 4 Feb 2004 20:47:54 -0000

In-Reply-To: <JGEIIEMEINOFOPANNLKAAEDGDCAA.Dimitri () staf pi be>



you have to ping the compromised host with a certain packet size (or
packet type, like SYN) before it will open the port. so a simple nmap
on the target won't reveal the opened port...

The reason nmap won't detect it is, as you say, until the trigger appears, the port isn't open.  Essentially, the 
backdoor listens to the stack for the properly-formatted trigger packet...while listening, the port isn't open.  Once 
the trigger is received, the port then opens...at that point, it *can* be detected by nmap.

good antivirus detects this, but a good hacker can also make this undetected
for antivirus software by only changing a couple of bytes with any free
hex editor software. so to make sure you got rid of the virus completely :

Maybe...depends on the bytes.  The "hacker" would have to know how the various anti-virus products check for 
signatures, and then modify the bytes within that signature.

format c:
hope this was an interesting read for the group ,

Not really.
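
Added example, not part of the original post: because the port only becomes visible once it has opened, a defender can compare periodic listening-socket snapshots against a known-good baseline and flag anything new. The sketch assumes Windows `netstat -ano` output; the sample snapshots, the port number and the PIDs are constructed for illustration.

```python
"""Diff two `netstat -ano` snapshots to spot listeners that appeared later."""

# Constructed sample output (Windows `netstat -ano` layout); not real host data.
BASELINE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:1042          10.0.0.9:80            ESTABLISHED     1500
  UDP    0.0.0.0:500            *:*                                    720
"""
LATER = BASELINE + """\
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2044
"""


def parse_listeners(netstat_text):
    """Return {(proto, address, port, pid)} for listening TCP and bound UDP sockets."""
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or unrelated text
        proto, local, pid = fields[0], fields[1], fields[-1]
        # TCP rows carry a State column; UDP rows have none and are always "bound".
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        address, _, port = local.rpartition(":")  # rpartition copes with [::]:135
        if not port.isdigit() or not pid.isdigit():
            continue  # malformed row: skip rather than guess
        listeners.add((proto, address, int(port), int(pid)))
    return listeners


def new_listeners(baseline_text, current_text):
    """Listeners present now that were absent from the baseline, sorted by port."""
    added = parse_listeners(current_text) - parse_listeners(baseline_text)
    return sorted(added, key=lambda s: (s[2], s[0], s[1]))


if __name__ == "__main__":
    for proto, address, port, pid in new_listeners(BASELINE, LATER):
        print(f"new {proto} listener {address}:{port} owned by PID {pid}")
```

This only catches the state after the trigger has fired; while the backdoor is still waiting for its trigger packet, no listener exists to appear in either snapshot.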
