Security Basics mailing list archives

Re: Hidden Ports


From: "Michael Painter" <tvhawaii () shaka com>
Date: Sat, 7 Feb 2004 17:34:23 -1000

----- Original Message ----- 
From: "Dimitri Bertolami" <Dimitri () staf pi be>
To: <security-basics () securityfocus com>
Sent: Friday, February 06, 2004 9:50 AM
Subject: RE: Hidden Ports


guys and gals,

I'll explain a bit more about this one ..
[snip]
quote: (david)
-------------------------------------------
Not necessarily.  These tools are often part of a rootkit, which would
naturally hide itself.  In fact, they usually load as part of the OS
kernel, and not as a process.
-------------------------------------------
http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefender0.21.html
(text below taken from the site)
Idea
----

Main idea of this program was to use API functions WriteProcessMemory and CreateRemoteThread to create a new thread in all running processes. New thread will rewrite some functions in system modules (mostly kernel32.dll) and inject fake code which will check API results and change this result in specific cases. Program must be absolutely hidden for all others. Program installs hidden backdoors and registers as hidden system service.
--
meaning, you really honestly don't see the 500 connections to port 21 on your hidden FTP server, because according to your "rewritten" kernel there simply aren't any of these services or ports in use. You can consider a rootkit like an evil MS patch (from hackers): MS patches the correct way, rootkits patch the wrong way, but a patch is a patch and Windows won't recognise the patch as "not" being a part of its own architecture once it's installed.


any questions, feel free to ask..
Cheers,
Dimitri



What do you folks think of ZoneAlarmPro?
When I look in: Program Control | Components, there are ~1,125 dlls listed. If I right click on kernel32.dll and select More Info, in Overview I get:

"ZoneAlarm Pro has recorded KERNEL32.DLL in its list of components in the Program Control section. The component was recorded because either a program using the component requested network access, or a program that already had network access attempted to load the component. Information about the component is recorded whether the user allowed the program access/server rights or denied it.

Many programs require network access for normal operation, and use components to perform their network access. These are expected uses and are not a cause for concern. However, viruses and Trojan horse programs can modify or replace components with hacked versions that can be used to carry out attacks. If you suspect a component is not legitimate, you should not allow it access. Because the purpose of component files is often not obvious, you should conduct some research if you have any suspicions about a component's legitimacy. Detailed information about KERNEL32.DLL is available on the Technical Info tab of this article.

Depending on the Access setting for a component, ZoneAlarm Pro will either allow a program using that component to access the network or act as a server, or will ask you for permission each time it is used. If you trust KERNEL32.DLL, you can give it an Access setting of Allow, and that will give programs using it access/server rights without needing to ask for permission each time. If you are not sure about KERNEL32.DLL, you can give it a setting of Ask, which will remind you that you need to decide next time it is used. If you know there is a problem with KERNEL32.DLL, you should either delete it from your system or fix the problem."

And under Details, they say:

"This article presents detailed information on component KERNEL32.DLL.

What is a new or changed component?

A component is a small program or set of functions (also known as a Dynamic Link Library or DLL) that larger programs call on to perform specific tasks. Some components may be used by several different programs simultaneously.

ZoneAlarm Pro considers a component a New Component the first time a program using the component makes an attempt to connect to or receive connections from the Internet or your local network, or the first time a component is loaded by a program that is already connected to the network. ZoneAlarm Pro also considers the component to be a New Component if the component entry within the ZoneAlarm Pro Components List has been removed.

ZoneAlarm Pro considers a component a Changed Component if it has been modified since the last time it accessed the Internet or your local network. If you have upgraded a component and the upgrade replaced the component with a new copy, then ZoneAlarm Pro detects the change in the file. Some components are automatically updated by programs, and ZoneAlarm Pro detects any change in the component file itself, no matter how slight."

And finally:

"ZoneAlarm Pro authenticates your programs and their shared components by recording their MD5 signatures the first time the program requests network or Internet access, then checking those signatures when the program requests access again."

Do any other "Firewalls" do anything like this and if so, what do you think of it?

Sorry to be so long-winded but didn't know how many had a chance to use ZA.

--Michael
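An added illustration of the component-list logic the quoted ZoneAlarm Pro text describes (this is example code written for this archive page, not ZoneAlarm's implementation and not from the thread): a component is hashed the first time it is seen and recorded as "new", later observations are "unchanged" or "changed" depending on whether the file's digest still matches, and removing the entry makes the component "new" again. The JSON store, the file name `example32.dll` and the file contents are constructed for the demonstration; the digest defaults to MD5 because that is what the quoted text names, with `sha256` available as a parameter.

```python
"""Component-integrity baseline in the spirit of the ZoneAlarm Pro text
quoted above. Added example, not ZoneAlarm code; names and file contents
are constructed for the demonstration."""
import hashlib
import json
import os
import tempfile


def file_digest(path, algorithm="md5"):
    """Hash a file in chunks. The quoted text describes MD5 signatures;
    pass algorithm='sha256' for a collision-resistant digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ComponentList:
    """Persistent map of component path -> recorded digest (JSON on disk;
    the storage format is this example's choice)."""

    def __init__(self, store_path, algorithm="md5"):
        self.store_path = store_path
        self.algorithm = algorithm
        if os.path.exists(store_path):
            with open(store_path) as f:
                self.entries = json.load(f)
        else:
            self.entries = {}

    def save(self):
        with open(self.store_path, "w") as f:
            json.dump(self.entries, f)

    def check(self, path):
        """Classify a component at the moment a program loads it and
        record the digest seen, as the quoted description does."""
        current = file_digest(path, self.algorithm)
        recorded = self.entries.get(path)
        if recorded is None:
            status = "new"         # never recorded, or entry was removed
        elif recorded != current:
            status = "changed"     # file modified since last recorded
        else:
            status = "unchanged"
        self.entries[path] = current
        self.save()
        return status

    def forget(self, path):
        """Removing the entry makes the component a New Component again."""
        self.entries.pop(path, None)
        self.save()


def demo():
    """Walk one constructed component through new -> unchanged -> changed
    -> (entry removed) -> new, reloading the store from disk at the end."""
    with tempfile.TemporaryDirectory() as d:
        comp = os.path.join(d, "example32.dll")       # constructed name
        store = os.path.join(d, "components.json")
        with open(comp, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)             # constructed contents
        cl = ComponentList(store)
        results = [cl.check(comp), cl.check(comp)]
        with open(comp, "ab") as f:
            f.write(b"\x90")          # a one-byte change, "no matter how slight"
        results.append(cl.check(comp))
        cl.forget(comp)
        results.append(ComponentList(store).check(comp))
        return results


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind when reading the thread as a whole. First, a digest baseline only sees the file on disk: the HackerDefender description quoted earlier patches functions inside already running processes via WriteProcessMemory, so kernel32.dll on disk stays byte-identical and its MD5 keeps matching even while the in-memory copy lies about ports and services. Second, MD5 is no longer collision-resistant, so a baseline meant to withstand a deliberate replacement should be built on SHA-256 rather than the MD5 the 2004 product used.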



