Security Incidents mailing list archives
Re: Trojan modifying ntdll.dll and cmd.exe
From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 16 May 2003 03:57:21 -0700 (PDT)
Eric, I'd like to ask a couple of questions, to get some clarification.
We have encountered a trojan that has modified both cmd.exe and ntdll.dll on a Windows 2000 machine. The files failed our CRC check (TDS was used for this, these out of 29 CRC-checked files were flagged as modified and Windows also flagged it).
What is "TDS"? It sounds as if it might be Tripwire, but I'm not familiar w/ the acronym. What were the other 27 files that were "modified"? How did Windows flag this?
It was installed on a well protected machine (behind a firewall, zone alarm, Norton anti-virus, locked-down) and believe the application installing it was either a vendor-installed patch this morning (we have notified the vendor and are getting their feedback and verifying) or through a web-based IE exploit on a fully patched IE installation.
Interesting. Were there any other installations, perhaps a patch? Also, what leads you to think that an IE-based exploit is involved? Is this speculation, or do you have hard evidence that points to this? If you have evidence, can you share it? It might point out the signature you're looking for.
Has anyone on this list encountered a trojan specifically targetting BOTH of these files? Clearly many target cmd.exe and both (cmd.exe and ntdll.dll) are great candidates for modification by a hacker. Cmd.exe has of course been swapped-out since the beginning of time. We'd like to learn more about the signature of this particular one.
I'm not entirely clear on a couple of things. First, you're right that a recent exploit does target ntdll.dll, but not for modification...the exploit is a buffer overflow. Second, I'm not clear on what you mean by cmd.exe being a "great candidate for modification" or having been "swapped-out since the beginning of time". To be quite honest, there isn't anything in the post, other than the subject line, to suggest that a Trojan was involved. I think that there's a much simpler explanation to this, one that can be found through the collection and analysis of hard data...process list, installed services and drivers, port-to-process mapping, etc. Hope that helps...I'd really appreciate any information you can provide to clear this up a bit. Thanks, Harlan __________________________________ Do you Yahoo!? The New Yahoo! Search - Faster. Easier. Bingo. http://search.yahoo.com ---------------------------------------------------------------------------- *** Wireless LAN Policies for Security & Management - NEW White Paper *** Just like wired networks, wireless LANs require network security policies that are enforced to protect WLANs from known vulnerabilities and threats. Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs. To get your FREE white paper visit us at: http://www.securityfocus.com/AirDefense-incidents ----------------------------------------------------------------------------
Current thread:
- Trojan modifying ntdll.dll and cmd.exe Eric Greenberg (May 15)
- Re: Trojan modifying ntdll.dll and cmd.exe Harlan Carvey (May 16)
- RE: Trojan modifying ntdll.dll and cmd.exe Bojan Zdrnja (May 20)
- Re: Trojan modifying ntdll.dll and cmd.exe Harlan Carvey (May 16)