Security Incidents mailing list archives
Re: Re[2]: Compromised Win2000 machine.
From: H C <keydet89 () yahoo com>
Date: Fri, 31 May 2002 07:22:42 -0700 (PDT)
Thanks for the links...now, has anyone ever seen them in use? BTW...Hoglund's rootkit is a good link, but it's out of context...the context of the thread was about modifications to the binaries themselves, not the kernel.

--- Joris De Donder <l0t () securax org> wrote:
HC> Remember...the Linux/*nix architectures are different
HC> from that of NT/2K...and XP. I'm not saying that this
HC> can't be done...I'm simply asking if anyone can show,
HC> with proof, that this *has* been done? And it doesn't
HC> have to be just netstat.exe...it can be any other
HC> native tool. And binding the .exe file using
HC> SaranWrap or EliteWrap doesn't count, as the basic
HC> functionality still exists and all network connects
HC> (netstat) will still be shown...

* Fake netstat.exe (4/23/02):
http://kcom.org/tfiles/pafiledb.php?action=category&id=9
* Another fake netstat.exe (Apr 24 17:18:22 2001):
http://packetstormsecurity.org/UNIX/penetration/rootkits/Netstat.zip
* "A Rootkit for netstat under win2k, By ThreaT":
http://www.madchat.org/coding/nethide.txt
* Netstatp with source code:
http://packetstormsecurity.org/NT/IDS/netstatp.zip
[Could be used to build a netstat.exe clone]
* ReactOS: http://www.reactos.com/
"ReactOS is an Open Source effort to develop a quality operating system that is compatible with Windows NT applications and drivers."
[Source code could be used to build a trojan cmd.exe,...]
* NTRootkit: http://www.rootkit.com (seems to be down)
http://www.phrack.com/show.php?p=55&a=5
http://www.megasecurity.org/Tools/Nt_rootkit_all.html
"The NTRootKit project provides a framework for trojaning the NT kernel and applications, in much the same manner as rootkits for Linux and the various flavors of Unix."

"New features: Embedded TCP/IP stack (stateless) [...snip...] NOTE: THIS MEANS THAT ROOTKIT DOES NOT SHOW UP IN NETSTAT

Indeed, why would it? It's not using the NT stack."

Regards,
Joris De Donder
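Two checks a responder would run against the scenarios discussed in this thread (a replaced netstat.exe that omits connections, and trojaned native tools in general), written as an added example that is not part of the original messages: diff netstat's printed rows against an independent socket listing, and compare the tools' SHA-256 digests against a known-good baseline. All sample data below is constructed; the 31337 listener and the file bytes are placeholders, not real indicators.

```python
import hashlib
import re

# Constructed sample of what a (possibly trojaned) netstat.exe printed,
# in the "netstat -an" layout of Windows 2000.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1034        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed sample of the same host's sockets from an independent source
# (a separately built netstatp-style tool, or a network sensor).
INDEPENDENT_SOCKETS = {
    ("TCP", "0.0.0.0:135", "0.0.0.0:0", "LISTENING"),
    ("TCP", "192.0.2.10:1034", "198.51.100.7:80", "ESTABLISHED"),
    ("UDP", "0.0.0.0:137", "*:*", ""),
    ("TCP", "0.0.0.0:31337", "0.0.0.0:0", "LISTENING"),  # not printed by netstat
}

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")

def parse_netstat(text):
    """Return the set of (proto, local, foreign, state) rows netstat printed."""
    return {m.groups() for m in map(ROW.match, text.splitlines()) if m}

def hidden_sockets(netstat_text, independent):
    """Sockets in the independent view that netstat did not report."""
    return independent - parse_netstat(netstat_text)

# Constructed stand-ins for known-good copies of the native tools; a real
# baseline holds digests taken from trusted installation media.
GOOD_NETSTAT = b"constructed known-good netstat.exe bytes"
GOOD_CMD = b"constructed known-good cmd.exe bytes"
BASELINE = {name: hashlib.sha256(data).hexdigest()
            for name, data in {"netstat.exe": GOOD_NETSTAT, "cmd.exe": GOOD_CMD}.items()}

def check_baseline(baseline, contents):
    """Names whose SHA-256 differs from the baseline (or have no baseline entry)."""
    return sorted(name for name, data in contents.items()
                  if baseline.get(name) != hashlib.sha256(data).hexdigest())
```

Run `hidden_sockets(NETSTAT_OUTPUT, INDEPENDENT_SOCKETS)` to list what netstat omitted, and feed `check_baseline` the bytes of the on-disk tools to find modified binaries.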