Vulnerability Development mailing list archives
Re: Interesting "hosts" & "services" issue
From: "J. Oquendo" <intrusion () ENGINEER COM>
Date: Wed, 9 Aug 2000 14:03:08 -0400
<mytwocents> Wouldn't specifying a port number to listen on in the code of the actual trojan result in achieving this? E.g. if you created the trojan to listen on port 139, wouldn't netstat see this as an nbsession thing-a-ma-jiggy or so? Something like...

    #include <stdio.h>
    #include <signal.h>
    #include <foo.h>
    #include <morefoo.h>

    #define PORT 139 /* (netbios) */

Well, it would definitely have to be spec'd out for a Windows machine, but you get the idea. An interesting thought, though, would be to do something ported to Windows in the fashion that the crew over at S0ftpj have done: an ICMP-based shell-like backdoor. Windows' netstat does not show ICMP-based information, if I'm not mistaken on that either... (I SAID WINDOWS NETSTAT, NOT FIREWALL'ING SOFTWARE... (to those ready to respond with wacky comments))

http://www.s0ftpj.org/en/site.html (search 007shell)
</my2cents>

------Original Message------
From: Bluefish <11a () GMX NET>
To: VULN-DEV () SECURITYFOCUS COM
Sent: August 9, 2000 2:02:43 AM GMT
Subject: Interesting "hosts" & "services" issue

I was doing some thinking regarding how to make a backdoor program somewhat harder to detect. This is mostly a Windows 95/98 issue, as other operating systems do offer some security :)

Anyway, I was thinking of ways to make the communication from the backdoor to whoever is in control of it less obvious, and made the following assumptions:

1. The user does not check that files such as WINDOWS\HOSTS are in order.
2. The user uses software such as netstat (or any other which by default relies on the HOSTS file), and does so without using the proper command line switches.

Anyway, the obvious change to HOSTS is to add "xxx.xxx.xxx.xxx innocent.victim.com". But a more interesting change would be "xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy". Why's the latter preferable? Well, because in the first example e.g. a traceroute might uncover the hoax, whereas the latter will, correctly, be interpreted as an IP by traceroute...

Similarly, modifying WINDOWS\SERVICES might also simplify fooling a user. Making something look like e.g. 205.188.5.233:5190 will make people think the communication is merely ICQ...

Nothing in this mail is really any vulnerability, or a new one. The big problem is that Windows 9x allows any program to do whatever it wants. But of course, the numerous people using wNT/w2K as administrator are vulnerable to this as well.

Although these tricks are rather obvious, it might very well be the difference between a backdoor being found or not. The user gets suspicious, but NETSTAT looks as it should, and the user thinks [s]he is imagining things.

...:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
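As an added example (not code from either poster), here is a small Python audit of constructed HOSTS and SERVICES files that flags the two tricks discussed in this thread: a HOSTS "name" that is itself an IP literal, and a SERVICES entry that reuses a well-known service name on a different port. The baseline of trusted name/port pairs and the sample file contents are assumptions made for the example.

```python
import ipaddress

# Constructed sample HOSTS and SERVICES files (not from the original mail).
HOSTS_SAMPLE = """\
127.0.0.1       localhost
10.0.0.5        fileserver.corp.example
198.51.100.7    205.188.5.233        # IP literal used as a "name"
203.0.113.9     update.example.com
"""
SERVICES_SAMPLE = """\
echo          7/tcp
netbios-ssn 139/tcp    nbsession
icq        5190/tcp
icq       31337/tcp    # well-known name reused on a new port
http      31338/tcp
"""
# Trusted name -> port/proto pairs (assumed baseline, deliberately partial).
BASELINE = {"echo": "7/tcp", "netbios-ssn": "139/tcp",
            "icq": "5190/tcp", "http": "80/tcp"}

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def _fields(line):
    # Strip trailing comments and split on whitespace.
    return line.split("#", 1)[0].split()

def audit_hosts(text):
    """Return (ip, name) pairs where the HOSTS 'name' is itself an IP literal."""
    findings = []
    for body in map(_fields, text.splitlines()):
        if len(body) >= 2 and _is_ip(body[0]):
            findings += [(body[0], n) for n in body[1:] if _is_ip(n)]
    return findings

def audit_services(text, baseline=BASELINE):
    """Flag known names bound to a non-baseline port, and names listed twice."""
    findings, seen = [], {}
    for body in map(_fields, text.splitlines()):
        if len(body) < 2:
            continue
        name, portproto = body[0], body[1]
        if name in baseline and baseline[name] != portproto:
            findings.append(("port-mismatch", name, portproto))
        if name in seen and seen[name] != portproto:
            findings.append(("duplicate-name", name, portproto))
        seen.setdefault(name, portproto)
    return findings
```

Running both audits over the samples reports the 205.188.5.233 pseudo-hostname and the extra "icq" and "http" bindings; on a real box you would feed in the contents of WINDOWS\HOSTS and WINDOWS\SERVICES and a baseline taken from a clean install.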
Current thread:
- Interesting "hosts" & "services" issue Bluefish (Aug 09)
- <Possible follow-ups>
- Re: Interesting "hosts" & "services" issue J. Oquendo (Aug 10)
- Re: Interesting "hosts" & "services" issue Bluefish (Aug 10)
- Re: Interesting "hosts" & "services" issue Arturo Busleiman (Aug 10)
- Re: Interesting "hosts" & "services" issue Daniel McCranie (Aug 13)