Security Incidents mailing list archives
Windows Rootkits/API Hooking
From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 13 Mar 2003 12:55:08 -0800 (PST)
In the past couple of weeks, there have been several Trojans and backdoors that have appeared on Symantec's SecurityResponse site that use API hooking to hide themselves. I was wondering if anyone has solid proof of a system that was compromised using something along these lines?

The recent thread regarding an open port 109 and "winlogon.exe" hasn't shown anything solid to support a "Windows kernel rootkit". Has anyone seen something like this? For example, has an external port scan shown a TCP port open that did NOT appear in the netstat/fport output? Or has there been some other phantom evidence, and it later turned out that the system was "infected" with API hooking malware?

Thanks,
Carv
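One way to make the check asked about above repeatable, namely comparing an external port scan with the host's own netstat/fport view, as an added Python example that is not part of the original post. The netstat, fport and scan captures below are constructed sample data, and the line formats are assumed to be those of `netstat -an`, Foundstone's fport and an nmap-style open-port list.

```python
import re

# Constructed "netstat -an" capture from the Windows host (sample data, not a real incident).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.50:51234     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed fport-style output (process-to-port mapping taken on the host).
FPORT_SAMPLE = """
Pid   Process            Port  Proto Path
788   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  445   TCP
8     System         ->  139   TCP
"""

# Constructed external port-scan result against the same host.
SCAN_SAMPLE = """
PORT     STATE SERVICE
109/tcp  open  pop2
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
"""

# One regex per view; group 1 is the TCP port number.
NETSTAT_LISTEN = r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING"
FPORT_TCP = r".*->\s+(\d+)\s+TCP"
SCAN_OPEN = r"\s*(\d+)/tcp\s+open"


def _ports(text, pattern):
    """Collect group 1 of every line matching pattern as an int port number."""
    return {int(m.group(1)) for line in text.splitlines()
            for m in [re.match(pattern, line)] if m}


def phantom_ports(scan_text, netstat_text, fport_text):
    """TCP ports the external scan sees open but neither host-side tool reports."""
    # A non-empty result is the "phantom evidence" worth chasing: either the
    # host-side enumeration is being filtered (API hooking) or the scan did
    # not actually hit the host that was examined.
    internal = _ports(netstat_text, NETSTAT_LISTEN) | _ports(fport_text, FPORT_TCP)
    return sorted(_ports(scan_text, SCAN_OPEN) - internal)


if __name__ == "__main__":
    print("phantom ports:", phantom_ports(SCAN_SAMPLE, NETSTAT_SAMPLE, FPORT_SAMPLE))
```

With the sample data the only discrepancy is port 109, which is exactly the situation the post describes; a real run would feed in the captures taken from the suspect host and from a scanner on another machine.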