Vulnerability Development mailing list archives

Interesting "hosts" & "services" issue


From: Bluefish <11a () GMX NET>
Date: Wed, 9 Aug 2000 04:02:43 +0200

I was doing some thinking regarding how to make a backdoor program
somewhat harder to detect. This is mostly a windows95/98 issue as other
operating systems do offer some security :)

Anyway, I was thinking of ways to make the communication from the backdoor
to whoever is in control of it less obvious, and made the following
assumptions:
  1. user does not check that files such as WINDOWS\HOSTS are in order.
  2. user uses a software such as netstat (or any other which by default
     rely on HOSTS-file), and does so without using the proper command
     line switches

Anyway, the obvious change of HOSTS is to add
    "xxx.xxx.xxx.xxx innocent.victim.com"

But a more interesting change would be
    "xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy"

Why's the latter preferable? Well, because in the first example an e.g.
traceroute might uncover the hoax, whereas the latter will, correctly, be
interpreted as an IP by traceroute...

Similarly, modifying WINDOWS\SERVICES might also simplify fooling a user.
Making something look like e.g. 205.188.5.233:5190 will make people think
the communication is merely ICQ...

Nothing in this mail is really any vulnerability, or a new one. The big
problem is that windows 9x allows any program to do whatever it wants.
But of course, the numerous people using wNT/w2K as administrator are
vulnerable to this as well. Although these tricks are rather obvious, it
might very well be the difference between a backdoor being found or not.
The user gets suspicious, but NETSTAT looks as it should, and the user
thinks [s]he is imagining things.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
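The two tricks described in the post (a HOSTS entry whose "hostname" is itself a dotted quad, and a SERVICES entry that borrows a well-known service name for an unrelated port) are both visible to a simple audit of those files. The following is an added example, not code from the post or its author: a small Python checker that parses HOSTS- and SERVICES-style text and reports entries matching either pattern. The sample file contents and the `BASELINE_PORTS` table are constructed for the example; a real audit would compare against the machine's stock files or the IANA registry.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample HOSTS content. The "10.11.12.13 192.168.1.1" line is
# the decoy pattern from the post: the name column holds an IP literal, so a
# tool that resolves addresses via HOSTS shows the decoy instead of the peer.
SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
127.0.0.1       localhost
10.11.12.13     192.168.1.1
10.11.12.14     innocent.victim.com
"""

# Constructed sample SERVICES content. The last line binds the name 'icq'
# to a second, unrelated port so that a port-name lookup labels it as ICQ.
SAMPLE_SERVICES = """\
# <service name>  <port number>/<protocol>  [aliases...]
ftp               21/tcp
smtp              25/tcp    mail
http              80/tcp    www
icq               5190/tcp
icq               31337/tcp
"""

# Assumed baseline of port -> canonical name (placeholder for a real table).
BASELINE_PORTS: Dict[int, str] = {21: "ftp", 25: "smtp", 80: "http", 5190: "icq"}

_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (address, name, reason) for suspicious HOSTS entries.

    Flags a name that parses as an IP address (the decoy in the post) and a
    name that is not a valid sequence of hostname labels."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or not _is_ip(parts[0]):
            findings.append((parts[0], "", "malformed line"))
            continue
        addr = parts[0]
        for name in parts[1:]:
            if _is_ip(name):
                findings.append((addr, name, "hostname is an IP literal"))
            elif not all(_LABEL.match(lab) for lab in name.split(".")):
                findings.append((addr, name, "invalid hostname"))
    return findings


def audit_services(text: str, baseline: Dict[int, str]) -> List[Tuple[str, int, str, str]]:
    """Return (name, port, proto, reason) for suspicious SERVICES entries.

    Flags a baseline service name bound to a port other than its baseline
    port, and a baseline port carrying a name other than its baseline name."""
    findings = []
    expected_port = {v: k for k, v in baseline.items()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        name = parts[0].lower()
        port_s, proto = parts[1].split("/", 1)
        if not port_s.isdigit():
            continue
        port = int(port_s)
        if name in expected_port and expected_port[name] != port:
            findings.append((name, port, proto,
                             f"'{name}' expected on port {expected_port[name]}"))
        elif port in baseline and baseline[port] != name:
            findings.append((name, port, proto,
                             f"port {port} expected to be '{baseline[port]}'"))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print("HOSTS   ", f)
    for f in audit_services(SAMPLE_SERVICES, BASELINE_PORTS):
        print("SERVICES", f)
```

Running the checker on the constructed samples reports the `192.168.1.1` decoy name and the second `icq` binding on port 31337; the stock entries pass. The same approach works on the real files by reading them from disk and substituting a proper baseline, and it is cheap enough to schedule as a periodic integrity check alongside a hash of each file.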

