Security Basics mailing list archives
RE: hidden tasks
From: "Philipp, Roland" <Roland.Philipp () bknkids com>
Date: Wed, 24 Sep 2003 12:01:52 +0100
Thanks a lot for your answers, Harlan, Eric, Roger and Jim.

In my network each PC has a data and a system partition. The system can be reinstalled in 3 minutes from an image that is on a hidden partition. This is the reason that in the last 3 years I had no problems with software failures.

I asked Security Focus to see if the people do not forget the main topics on security:

1. To prevent a connection or infection from a remote PC.
2. To control the own machine: what tasks are running and what data is produced.

Most mailings are about the first point. Regarding the second question the answer is often too easy: check the task manager, look into the registry for the autorun hives... (check the answers for "Hard Drive keeps filling up"). I think a good programmer can mask his program as if it would be a MS program. So you see it in a real task manager (the NT task manager does not show all tasks) but you think it is a normal MS program.

About the autorun: even when all autostartup places in the registry are empty, we still have a lot of tasks running. So would it not be possible that a process is started like these system processes without having an entry in the autostart places in the registry? How difficult is it to replace the kernel with a kernel that is doing the same but additionally also collects all typing and sends it to the internet one time a month? It does not need a schedule service to do this. It can count to 30 days by itself. Or a kernel driver or user driver. Would it be possible to modify e.g. the sound driver so it will also collect all typing and send it to the internet after it played sound for 999 hours? I am not a programmer, so I do not know if a MS program needs a certificate or something else in order to replace it.

The problem with images or MD5 hash checkers or Black Ice Defender or Windows File Protection (WFP) is that you have to update them after each system update. This is too difficult for the normal user. There are also workarounds for e.g.
WFP: the WFP runs on the system itself, so a user with control over the system can easily make an own update of the WFP...

thanks again for the answers
cheers
Roland

-----Original Message-----
From: H Carvey [mailto:keydet89 () yahoo com]
Sent: Monday, September 22, 2003 1:55 PM
To: security-basics () securityfocus com
Subject: Re: hidden tasks
In-Reply-To: <D0651C658F6ED7119A8D00B0D064C7980280C1 () mail bknkids de>

What you're referring to is entirely possible, as well as actually out there...

> Would it be possible that instead of the shown task a trojan is running on
> the system?

This is not only possible, but it's been done. There are trojans and backdoors that get written to %WINDIR%\system or %WINDIR%\temp, called "svchost.exe". This is the same name as Microsoft's file, but the path is different. Since Task Manager doesn't show the image paths for the processes that are running.

> The trojan has the name of a known MS program, the same version number, the
> same manufacturer name, the same description and the same path/type like in
> Dr Watson's tasklist. The size of the file is the same like the original MS
> file.

Earlier you said "On NT systems (or other windows systems)"...what you describe is possible, though on Win2K and above, improbable. The reason being that Win2K and above have WFP running, so any file protected by WFP that the attacker attempts to overwrite or delete is replaced automatically. There are ways around this, but the other thing to consider is that the likelihood of a file being the exact same size as the original MS file, and having all of the product version information intact is pretty slim. But again...even if this is the case, the very fact that the functionality is different would give the file a different hash or checksum.

> Is it possible that there is a trojan running but we do not see it with a
> virusscanner (because it is new),

Yes, this is possible, and it doesn't have to be "new". Several backdoors are not picked up by A/V software. IRC Bots like russiantopz, PowerBot and GTBot use mirc32.exe as their base, which is a legit app...and is therefore not picked up.

> not in the task list (as it seems to be a
> MS application)

Not appearing in the task list has little to do with whether the file is an MS application or not.

> not in any autorun place (as it is started like a system task),

Do you mean a service? If you do, wouldn't that be an "autorun place"?

> not with netstat or other sniffer (it makes the connections just one time a
> month)?

Scheduled task? If it's a running process, you should be able to see it, unless it's been hidden with a Hoglund-style kernel-mode rootkit.

Hope that helps,
Harlan
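As an added example, not code from either mail in this thread, here are the two checks Harlan's reply points at written in Python: a process carrying a protected system binary's name but running from a directory other than the system directory (the svchost.exe-in-%WINDIR%\temp case), and a binary in the right place whose hash no longer matches a known-good baseline (different functionality gives a different hash). The system directory, process IDs, file contents and hashes are constructed sample values; a real run would feed in the live process list with image paths and hash the files on disk, and the baseline has to be rebuilt after every system update, which is exactly the maintenance burden Roland describes.

```python
import hashlib
import ntpath
from dataclasses import dataclass

# Assumed system directory for an NT 4 / Win2K era box (sample value).
SYSTEM_DIR = r"c:\winnt\system32"


@dataclass
class Process:
    pid: int
    name: str
    image_path: str
    image_bytes: bytes  # constructed stand-in for the executable's on-disk contents


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(known_good: dict) -> dict:
    """Map lower-cased binary name -> SHA-256 of the trusted copy.

    The baseline is only valid for one patch level; rebuild it after
    each system update or every genuine file will be reported.
    """
    return {name.lower(): sha256_hex(content) for name, content in known_good.items()}


def audit_processes(processes, baseline, system_dir=SYSTEM_DIR):
    """Return (pid, name, reason) for every tracked system-binary name that is
    either running from an unexpected directory or whose image hash differs
    from the baseline. Processes hidden from the listing API by a kernel-mode
    rootkit never reach this function, which is the limit Harlan mentions."""
    findings = []
    for p in processes:
        name = p.name.lower()
        if name not in baseline:
            continue  # not a system binary we keep a baseline for
        image_dir = ntpath.dirname(p.image_path).lower()
        if image_dir != system_dir.lower():
            # Same name as the Microsoft file, different path: Task Manager would not show this.
            findings.append((p.pid, name, "system-binary name running from unexpected path: " + p.image_path))
            continue
        if sha256_hex(p.image_bytes) != baseline[name]:
            # Right name and path, but the contents (and hence the hash) changed.
            findings.append((p.pid, name, "image hash differs from baseline"))
    return findings


def demo():
    """Run the audit over a constructed process list and return the findings."""
    known_good = {  # constructed stand-ins for the genuine files' contents
        "svchost.exe": b"GENUINE-SVCHOST-CONTENTS",
        "lsass.exe": b"GENUINE-LSASS-CONTENTS",
    }
    baseline = build_baseline(known_good)
    processes = [  # constructed sample process list
        Process(412, "svchost.exe", r"C:\WINNT\system32\svchost.exe", b"GENUINE-SVCHOST-CONTENTS"),
        Process(980, "svchost.exe", r"C:\WINNT\temp\svchost.exe", b"NOT-THE-REAL-FILE"),
        Process(1120, "lsass.exe", r"C:\WINNT\system32\lsass.exe", b"MODIFIED-CONTENTS"),
        Process(1500, "notepad.exe", r"C:\WINNT\notepad.exe", b"NOT-TRACKED"),
    ]
    return audit_processes(processes, baseline)


if __name__ == "__main__":
    for pid, name, reason in demo():
        print(f"pid {pid} {name}: {reason}")
```

Only two of the four constructed processes are reported: the second svchost.exe because of its directory, and lsass.exe because its contents differ; the first svchost.exe matches both path and hash, and notepad.exe is not in the baseline at all.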
Current thread:
- hidden tasks Philipp, Roland (Sep 19)
- Re: hidden tasks Roger A. Grimes (Sep 19)
- Re: hidden tasks Jim Duggan (Sep 19)
- Re: hidden tasks Roger A. Grimes (Sep 22)
- Re: hidden tasks Jim Duggan (Sep 19)
- Volunteer free time n30 (Sep 26)
- <Possible follow-ups>
- RE: hidden tasks Hagen, Eric (Sep 19)
- Re: hidden tasks H Carvey (Sep 22)
- RE: hidden tasks Philipp, Roland (Sep 24)
- RE: hidden tasks Harlan Carvey (Sep 24)
- RE: hidden tasks Meidinger Chris (Sep 25)
- RE: hidden tasks Meidinger Chris (Sep 25)
- Re: hidden tasks Roger A. Grimes (Sep 19)