Vulnerability Development mailing list archives
Interesting "hosts" & "services" issue
From: Bluefish <11a () GMX NET>
Date: Wed, 9 Aug 2000 04:02:43 +0200
I was doing some thinking regarding how to make a backdoor program somewhat harder to detect. This is mostly a windows95/98 issue as other operating systems does offer some security :) Anyway, I was thinking on ways to make the communication from the backdoor to whoever is in control of it less obvious, and make the following assumptions: 1. user does not check that files such as WINDOWS\HOSTS are in order. 2. user uses a software such as netstat (or any other which by default rely on HOSTS-file), and does so without using the proper command line switches Anyway, the obvious change of HOSTS is to add "xxx.xxx.xxx.xxx innocent.victim.com" But a more interresting change would be "xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy" why's the later preferable? well, because in the first example a e.g. traceroute might uncover the hoax, where the later will, correctly, be interprented as an IP by traceroute... Similary, modifying WINDOWS\SERVICES might also simplify fooling a user. Making something look like e.g. 205.188.5.233:5190 will make people think the communication is merely ICQ... Nothing in this mail is really any vulnerability, or a new one. The big problem is that windows 9x allows any program to do what ever they want. But of course, the numerous people using wNT/w2K as administrator are vulnerable to this as well. Although these tricks are rather obvious, it might very well be the difference between a backdoor being found or not. The user gets suspicious, but NETSTAT looks as it should, and the user thinks [s]he is imagining things. ..:::::::::::::::::::::::::::::::::::::::::::::::::.. http://www.11a.nu || http://bluefish.11a.nu eleventh alliance development & security team
Current thread:
- Interesting "hosts" & "services" issue Bluefish (Aug 09)
- <Possible follow-ups>
- Re: Interesting "hosts" & "services" issue J. Oquendo (Aug 10)
- Re: Interesting "hosts" & "services" issue Bluefish (Aug 10)
- Re: Interesting "hosts" & "services" issue Arturo Busleiman (Aug 10)
- Re: Interesting "hosts" & "services" issue Daniel McCranie (Aug 13)