RE: hidden tasks

["Philipp, Roland" <Roland.Philipp () bknkids com>]

Thanks a lot for your answers, Harlan, Eric, Roger and Jim.

In my network each PC has a data and a system partition. The system can be
reinstalled in 3 minutes from an image that is on a hidden partition. This
is the reason that in the last 3 years I had no problems with software
failures.

I asked security focus to see if the people do not forget the main topics on
security:

1. To prevent a connection or infection from a remote PC.
2. To control the own machine: what tasks are running and what data is
produced

Most mailings are about the first point.

Regarding the second question the answer is often to easy: Check the task
manager, look into the registry for the autorun hives....(check the answers
for "Hard Drive keeps filling up")

I think a good programmer can mask his program as if it would be a MS
program. So you see it in a real task manager (the NT task manager does not
show all tasks) but you think it is a normal MS program.
About the autorun: Even when all autostartup places in the registry are
empty, we still have a lot  of tasks running. So would it not be possible
that a process is started like this system processes without having an entry
in the autostart places in the registry? 
How difficult is it to replace the kernel with a kernel that is doing the
same but additionally also collects all typing and send it to the internet
one time a month. It does not need a schedule service to do this. It can
count to 30 days by itself.
Or a Kernel driver or user driver. Would it be possible to modify e.g. the
sound driver so it will also collects all typing and send it to the internet
after it played sound for 999 hours?
I am not a programmer so it do not know if a MS program needs a certificate
or something else in order to replace it?
The problem with images or MD5 hash checker or Black Ice Defender or Windows
File Protection (WFP) is that you have to update them after each system
update. This is to difficult for the normal user. There are also workarounds
for e.g. WFP: The WFP runs on the system itself so a user with control over
the system can make easy an own update of the WFP...

thanks again for the answers

cheers
Roland
 

-----Original Message-----
From: H Carvey [mailto:keydet89 () yahoo com]
Sent: Monday, September 22, 2003 1:55 PM
To: security-basics () securityfocus com
Subject: Re: hidden tasks


In-Reply-To: <D0651C658F6ED7119A8D00B0D064C7980280C1 () mail bknkids de>

What you're referring to is entirely possible, as well as actually out
there...



> Would it be possible that instead of the shown task a trojan is running on

> the system?



This is not only possible, but it's been done.  There are trojans and
backdoors that get written to %WINDIR%\system or %WINDIR%\temp, called
"svchost.exe".  This is the same name as Microsoft's file, but the path is
different.  Since Task Manager doesn't show the image paths for the
processes that are running. 



> The trojan has the name of a known MS program, the same version number, the

> same manufacturer name, the same description and the same path/type like in

> Dr Watson's tasklist. The size of the file is the same like the original MS

> file.



Earlier you said "On NT systems (or other windows systems)"...what you
describe is possible, though on Win2K and above, improbable.  The reason
being that Win2K and above have WFP running, so any file protected by WFP
that the attacker attempts to overwrite or delete is replaced automatically.
There are ways around this, but the other thing to consider is that the
likelihood of a file being the exact same size as the original MS file, and
having all of the product version information intact is pretty slim.  But
again...even if this is the case, the very fact that the functionality is
different would give the file a different hash or checksum.



> Is it possible that there is a trojan running but we do not see it with a

> virusscanner (because it is new), 



Yes, this is possible, and it doesn't have to be "new".  Several backdoors
are not picked up by A/V software.  IRC Bots like russiantopz, PowerBot and
GTBot use mirc32.exe as their base, which is a legit app...and is therefore
not picked up.



> not in the task list (as it seams to be a

> MS application) 



Not appearing in the task list has little to do with whether the file is an
MS application or not.



> not in any autorun place (as it is started like a system task), 



Do you mean a service?  If you do, wouldn't that be an "autorun place"?  



> not with netstat or other sniffer(it makes the connections just one time a
month)?



Scheduled task?  If it's a running process, you should be able to see it,
unless it's been hidden with a Hoglund-style kernel-mode rootkit.



Hope that helps,



Harlan

---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------