Vulnerability Development mailing list archives

Re: Interesting "hosts" & "services" issue


From: "J. Oquendo" <intrusion () ENGINEER COM>
Date: Wed, 9 Aug 2000 14:03:08 -0400

<mytwocents>

Wouldn't specifying a port number to listen on in the code of the actual trojan achieve this? E.g., if you
created the trojan to listen on port 139, wouldn't netstat see this as an nbsession thing-a-ma-jiggy or so? Something
like...

#include <stdio.h>
#include <signal.h>
#include <foo.h>
#include <morefoo.h>

#define PORT 139 /* (netbios) */

Well, it would definitely have to be spec'd out for a Windows machine, but you get the idea. An interesting thought
though would be to do something ported to Windows in the fashion that the crew over at S0ftpj have done: an ICMP-based
shell-like backdoor. Windows' netstat does not show ICMP-based information, if I'm not mistaken on that either... (I
SAID WINDOWS NETSTAT, NOT FIREWALLING SOFTWARE... (to those ready to respond with wacky comments))

http://www.s0ftpj.org/en/site.html (search 007shell)

</my2cents>

------Original Message------
From: Bluefish <11a () GMX NET>
To: VULN-DEV () SECURITYFOCUS COM
Sent: August 9, 2000 2:02:43 AM GMT
Subject: Interesting "hosts" & "services" issue


I was doing some thinking regarding how to make a backdoor program
somewhat harder to detect. This is mostly a Windows 95/98 issue as other
operating systems do offer some security :)

Anyway, I was thinking of ways to make the communication from the backdoor
to whoever is in control of it less obvious, and made the following
assumptions:
  1. the user does not check that files such as WINDOWS\HOSTS are in order.
  2. the user uses software such as netstat (or any other which by default
     relies on the HOSTS file), and does so without using the proper command
     line switches

Anyway, the obvious change of HOSTS is to add
    "xxx.xxx.xxx.xxx innocent.victim.com"

But a more interesting change would be
    "xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy"

Why's the latter preferable? Well, because in the first example e.g. a
traceroute might uncover the hoax, whereas the latter will, correctly, be
interpreted as an IP by traceroute...

Similarly, modifying WINDOWS\SERVICES might also make fooling a user easier.
Making something look like e.g. 205.188.5.233:5190 will make people think
the communication is merely ICQ...

Nothing in this mail is really any vulnerability, or a new one. The big
problem is that Windows 9x allows any program to do whatever it wants.
But of course, the numerous people using wNT/w2K as administrator are
vulnerable to this as well. Although these tricks are rather obvious, they
might very well be the difference between a backdoor being found or not.
The user gets suspicious, but NETSTAT looks as it should, and the user
thinks [s]he is imagining things.

...:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

______________________________________________
FREE Personalized Email at Mail.com
Sign up at http://www.mail.com/?sr=signup
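The two tricks discussed in the thread (a HOSTS alias that is itself a dotted-quad IP, and a SERVICES line that rebinds a well-known name such as "icq" to another port) both leave a trace in the files themselves, so a defender can audit those files directly. The following script is an added example written for this archive page; it is not code from either poster. It parses the HOSTS and SERVICES file formats and flags both patterns. All sample file contents, the baseline of expected service assignments, and the addresses 192.0.2.10 and 31337/tcp are constructed for the example; 205.188.5.233:5190 is the ICQ example quoted in the original mail.

```python
"""Audit a HOSTS file and a SERVICES file for the name-spoofing tricks
described in the thread: a HOSTS alias that is itself an IP literal, and
SERVICES entries that bind a well-known name to a different port.
All sample data below is constructed, not taken from any real system."""

import ipaddress

# Constructed HOSTS content. The last line is the decoy: netstat would print
# the alias "205.188.5.233" instead of the real peer 192.0.2.10.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      innocent.victim.com
192.0.2.10      205.188.5.233      # real peer shown as the ICQ server
"""

# Constructed SERVICES content; "icq 31337/tcp" is the tampered line.
SAMPLE_SERVICES = """\
# <service name>  <port number>/<protocol>  [aliases...]  [#<comment>]
ftp                21/tcp
smtp               25/tcp    mail
http               80/tcp    www
icq              5190/tcp
icq             31337/tcp    # added so netstat labels the backdoor port "icq"
"""

# Constructed baseline: what these names map to on a clean machine.
BASELINE_SERVICES = {
    ("ftp", "tcp"): 21,
    ("smtp", "tcp"): 25,
    ("http", "tcp"): 80,
    ("icq", "tcp"): 5190,
}


def _strip_comment(line):
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_hosts(text):
    """Return [(address, [name, ...]), ...] for each non-comment HOSTS line."""
    entries = []
    for raw in text.splitlines():
        fields = _strip_comment(raw).split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def parse_services(text):
    """Return [(name, port, proto, [alias, ...]), ...] for each SERVICES line."""
    entries = []
    for raw in text.splitlines():
        fields = _strip_comment(raw).split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port_str, proto = fields[1].split("/", 1)
        try:
            port = int(port_str)
        except ValueError:
            continue
        entries.append((fields[0], port, proto.lower(), fields[2:]))
    return entries


def _looks_like_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def find_decoy_hosts(text):
    """Flag HOSTS aliases that are themselves IP literals. A hostname lookup
    through HOSTS then replaces the real address with a fake one that still
    looks like an IP, which is the "yyy.yyy.yyy.yyy" trick from the mail."""
    findings = []
    for address, names in parse_hosts(text):
        for name in names:
            if _looks_like_ip(name) and name != address:
                findings.append((address, name))
    return findings


def find_services_tampering(text, baseline):
    """Flag SERVICES lines that bind a baseline name to a different port, or give
    a baseline port a different name; either makes netstat label a port
    misleadingly. Returns (kind, name, port, expected) tuples."""
    port_to_name = {(port, proto): name for (name, proto), port in baseline.items()}
    findings = []
    for name, port, proto, aliases in parse_services(text):
        expected_port = baseline.get((name, proto))
        if expected_port is not None and expected_port != port:
            findings.append(("name_rebound", name, port, expected_port))
        expected_name = port_to_name.get((port, proto))
        if expected_name is not None and expected_name not in [name] + aliases:
            findings.append(("port_renamed", name, port, expected_name))
    return findings


if __name__ == "__main__":
    for address, decoy in find_decoy_hosts(SAMPLE_HOSTS):
        print(f"HOSTS: connections to {address} would be displayed as {decoy}")
    for finding in find_services_tampering(SAMPLE_SERVICES, BASELINE_SERVICES):
        print("SERVICES:", finding)
```

The quickest runtime check is the "proper command line switch" the original mail alludes to: `netstat -n` prints addresses and ports numerically, bypassing both HOSTS and SERVICES lookups, so the numeric output can be compared against the resolved output. The file audit above catches the tampering even when nothing is currently connected.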

