Re: hidden tasks

["Jim Duggan" <on_a_thousand () hotmail com>]

Hes right about the former, there are actually a few rootkits for windows
boxes.  One in particular can hide files folder and registry keys from the
users/OSs view, fake free disk space (for large dumps) hide open ports and
listen for a specially crafted tiny tcp packet on all open ports as to slip
by services even with a small threashhold.  aka it can listen on port 80
alongside IIS on an infected box effectively getting past any firewalls and
with the user/logs non the wiser.   All done with API hooking. Albeit these
are still somewhat rare and i doubt this is your case, but its somethin to
keep in mind

-Jason

----- Original Message ----- 
From: "Roger A. Grimes" <rogerg () cox net>
To: "Philipp, Roland" <Roland.Philipp () bknkids com>;
<security-basics () securityfocus com>
Sent: Friday, September 19, 2003 12:55 PM
Subject: Re: hidden tasks


> I'm teaching a class so I can't go into detail right now, but yes, there
are
> several ways a trojan can hide from or on the task manager list.
>
> With that said, I haven't heard of a trojan that exactly mimics the file
> characteristics that you suggest, but the best thing to do is compare the
> suspected executable's hash (use any MD5 hash checker) against a known
clean
> copy.  Once you have the hash checker and two files, your answer on
whether
> it is a trojan or not is 15 seconds away.
>
> Roger
****************************************************************************
> ****
> *Roger A. Grimes, Computer Security Consultant
> *CPA, MCSE (NT/2000), CNE (3/4), A+
> *email: rogerg () cox net
> *cell: 757-615-3355
> *Author of Malicious Mobile Code:  Virus Protection for Windows by
O'Reilly
> *http://www.oreilly.com/catalog/malmobcode
> *Author of upcoming Honeypots for Windows (Apress)
****************************************************************************
> *****
>
> ----- Original Message ----- 
> From: "Philipp, Roland" <Roland.Philipp () bknkids com>
> To: <security-basics () securityfocus com>
> Sent: Friday, September 19, 2003 1:38 PM
> Subject: hidden tasks
>
>
> > Hi all
> >
> > On NT systems (or other windows systems) the task manager shows some
> running
> > tasks, Dr Watson shows all running tasks at the time the system snapshot
> was
> > taken.
> >
> > Would it be possible that instead of the shown task a trojan is running
on
> > the system?
> >
> > The trojan has the name of a known MS program, the same version number,
> the
> > same manufacturer name, the same description and the same path/type like
> in
> > Dr Watson's tasklist. The size of the file is the same like the original
> MS
> > file.
> > Is it possible that there is a trojan running but we do not see it with
a
> > virusscanner (because it is new), not in the task list (as it seams to
be
> a
> > MS application) not in any autorun place (as it is started like a system
> > task), not with netstat or other sniffer(it makes the connections just
one
> > time a month)?
> >
> > Can anybody provide me with information/links about this?
> >
> > any ideas?
> >
> > cheers
> >
> > Roland
>
> --------------------------------------------------------------------------
> -
> > Captus Networks
> > Are you prepared for the next Sobig & Blaster?
> >  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> >  - Precisely Define and Implement Network Security
> >  - Automatically Control P2P, IM and Spam Traffic
> > FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
> > http://www.captusnetworks.com/ads/42.htm
>
> --------------------------------------------------------------------------
> --
> >
>
>
> --------------------------------------------------------------------------
-
> --------------------------------------------------------------------------
--
>


---------------------------------------------------------------------------
----------------------------------------------------------------------------