Security Incidents mailing list archives

Re: Re[2]: Compromised Win2000 machine.


From: H C <keydet89 () yahoo com>
Date: Fri, 31 May 2002 07:22:42 -0700 (PDT)

Thanks for the links...now, has anyone ever seen them in use?

BTW...Hoglund's rootkit is a good link, but it's out of context...the context of the thread was about modifications to the binaries themselves, not the kernel.

--- Joris De Donder <l0t () securax org> wrote:

HC> Remember...the Linux/*nix architectures are different
HC> from that of NT/2K...and XP.  I'm not saying that this
HC> can't be done...I'm simply asking if anyone can show,
HC> with proof, that this *has* been done?  And it doesn't
HC> have to be just netstat.exe...it can be any other
HC> native tool.  And binding the .exe file using
HC> SaranWrap or EliteWrap doesn't count, as the basic
HC> functionality still exists and all network connects
HC> (netstat) will still be shown...

* Fake netstat.exe (4/23/02):

http://kcom.org/tfiles/pafiledb.php?action=category&id=9

* Another fake netstat.exe (Apr 24 17:18:22 2001):

http://packetstormsecurity.org/UNIX/penetration/rootkits/Netstat.zip

* "A Rootkit for netstat under win2k, By ThreaT":
http://www.madchat.org/coding/nethide.txt

* Netstatp with source code:
http://packetstormsecurity.org/NT/IDS/netstatp.zip
  [Could be used to build a netstat.exe clone]

* ReactOS:
http://www.reactos.com/
 "ReactOS is an Open Source effort to develop a quality
 operating system that is compatible with Windows NT
 applications and drivers."
  [Source code could be used to build a trojan cmd.exe,...]

* NTRootkit:
http://www.rootkit.com (seems to be down)
http://www.phrack.com/show.php?p=55&a=5

http://www.megasecurity.org/Tools/Nt_rootkit_all.html
 "The NTRootKit project provides a framework for trojaning
 the NT kernel and applications, in much the same manner as
 rootkits for Linux and the various flavors of Unix."

 "New features:
 Embedded TCP/IP stack (stateless)
 [...snip...]
 NOTE: THIS MEANS THAT ROOTKIT DOES NOT SHOW UP IN NETSTAT
 Indeed, why would it?  It's not using the NT stack."

 
Regards,
Joris De Donder
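The thread's first case, a native tool such as netstat.exe or cmd.exe replaced or wrapped on disk, is the one a defender can catch by comparing the binaries against a known-good baseline; the following is an added example written for this page, not code from either poster, and it works on constructed files in a temporary directory rather than a real system32. It assumes the baseline was taken from a trusted install, and it will not see the second case Joris quotes (a kernel-level rootkit with its own TCP/IP stack), where only an offline or out-of-band check helps.

```python
"""Baseline-and-compare integrity check for native tools such as
netstat.exe or cmd.exe (added example; the files below are constructed
in a temp dir so it runs anywhere, not the real Windows system32)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(tool_dir: Path, names) -> dict:
    """Record a hash for every tool present. Take this from a known-good
    install or install media, never from a host already under suspicion."""
    return {n: sha256_file(tool_dir / n) for n in names if (tool_dir / n).is_file()}


def compare(tool_dir: Path, baseline: dict) -> dict:
    """Report which baselined tools are unchanged, modified, or missing."""
    result = {"ok": [], "modified": [], "missing": []}
    for name, known in baseline.items():
        p = tool_dir / name
        if not p.is_file():
            result["missing"].append(name)
        elif sha256_file(p) != known:
            result["modified"].append(name)
        else:
            result["ok"].append(name)
    return result


def demo() -> dict:
    """Constructed scenario: baseline three 'tools', then replace netstat.exe
    with a different (wrapped/trojaned) copy and delete one binary."""
    with tempfile.TemporaryDirectory() as d:
        tool_dir = Path(d)
        names = ["netstat.exe", "cmd.exe", "tlist.exe"]
        for n in names:
            (tool_dir / n).write_bytes(b"MZ-original-" + n.encode())
        baseline = build_baseline(tool_dir, names)
        (tool_dir / "netstat.exe").write_bytes(b"MZ-replaced-netstat")
        (tool_dir / "tlist.exe").unlink()
        return compare(tool_dir, baseline)


if __name__ == "__main__":
    print(demo())
```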





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

