Security Basics mailing list archives
Re: hidden tasks
From: "Jim Duggan" <on_a_thousand () hotmail com>
Date: Fri, 19 Sep 2003 14:34:35 -0700
Hes right about the former, there are actually a few rootkits for windows boxes. One in particular can hide files folder and registry keys from the users/OSs view, fake free disk space (for large dumps) hide open ports and listen for a specially crafted tiny tcp packet on all open ports as to slip by services even with a small threashhold. aka it can listen on port 80 alongside IIS on an infected box effectively getting past any firewalls and with the user/logs non the wiser. All done with API hooking. Albeit these are still somewhat rare and i doubt this is your case, but its somethin to keep in mind -Jason ----- Original Message ----- From: "Roger A. Grimes" <rogerg () cox net> To: "Philipp, Roland" <Roland.Philipp () bknkids com>; <security-basics () securityfocus com> Sent: Friday, September 19, 2003 12:55 PM Subject: Re: hidden tasks
I'm teaching a class so I can't go into detail right now, but yes, there
are
several ways a trojan can hide from or on the task manager list. With that said, I haven't heard of a trojan that exactly mimics the file characteristics that you suggest, but the best thing to do is compare the suspected executable's hash (use any MD5 hash checker) against a known
clean
copy. Once you have the hash checker and two files, your answer on
whether
it is a trojan or not is 15 seconds away. Roger
****************************************************************************
**** *Roger A. Grimes, Computer Security Consultant *CPA, MCSE (NT/2000), CNE (3/4), A+ *email: rogerg () cox net *cell: 757-615-3355 *Author of Malicious Mobile Code: Virus Protection for Windows by
O'Reilly
*http://www.oreilly.com/catalog/malmobcode *Author of upcoming Honeypots for Windows (Apress)
****************************************************************************
***** ----- Original Message ----- From: "Philipp, Roland" <Roland.Philipp () bknkids com> To: <security-basics () securityfocus com> Sent: Friday, September 19, 2003 1:38 PM Subject: hidden tasksHi all On NT systems (or other windows systems) the task manager shows somerunningtasks, Dr Watson shows all running tasks at the time the system snapshotwastaken. Would it be possible that instead of the shown task a trojan is running
on
the system? The trojan has the name of a known MS program, the same version number,thesame manufacturer name, the same description and the same path/type likeinDr Watson's tasklist. The size of the file is the same like the originalMSfile. Is it possible that there is a trojan running but we do not see it with
a
virusscanner (because it is new), not in the task list (as it seams to
be
aMS application) not in any autorun place (as it is started like a system task), not with netstat or other sniffer(it makes the connections just
one
time a month)? Can anybody provide me with information/links about this? any ideas? cheers Roland-------------------------------------------------------------------------- -Captus Networks Are you prepared for the next Sobig & Blaster? - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Precisely Define and Implement Network Security - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW - FREE Vulnerability Assessment Toolkit http://www.captusnetworks.com/ads/42.htm-------------------------------------------------------------------------- ----------------------------------------------------------------------------
-
--------------------------------------------------------------------------
--
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- hidden tasks Philipp, Roland (Sep 19)
- Re: hidden tasks Roger A. Grimes (Sep 19)
- Re: hidden tasks Jim Duggan (Sep 19)
- Re: hidden tasks Roger A. Grimes (Sep 22)
- Re: hidden tasks Jim Duggan (Sep 19)
- Volunteer free time n30 (Sep 26)
- <Possible follow-ups>
- RE: hidden tasks Hagen, Eric (Sep 19)
- Re: hidden tasks H Carvey (Sep 22)
- RE: hidden tasks Philipp, Roland (Sep 24)
- RE: hidden tasks Harlan Carvey (Sep 24)
- RE: hidden tasks Meidinger Chris (Sep 25)
- RE: hidden tasks Meidinger Chris (Sep 25)
- Re: hidden tasks Roger A. Grimes (Sep 19)