Security Basics mailing list archives

Re: Hidden windows ports, files and services.


From: Mark Reis <mcr2z () cs virginia edu>
Date: Mon, 20 Dec 2004 17:01:14 -0500

Hello Again,

I've discovered the answer to part 2 - the machine was infected by a root kit that was intercepting all of the system calls being issued by active ports, fport and such. I actually found myself being quite impressed by this kit. Even running Dependency Walker and comparing it with my test machine was negative.

The first clue was when I was inspecting the attributes on the system DLL, I found some discrepancies in the flags. This led to me ultimately finding multiple duplicate DLLs in c:\windows\system32 called somedll.dll.tmp. What it appeared to be doing was returning the sizes and values of the original backed-up files - thus masking the true trojans.

-Mark
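The check Mark describes (comparing system DLLs against a known-good copy and noticing the leftover `somedll.dll.tmp` backups) can be scripted. The following is an added example, not code from the original post: it builds a size-and-SHA-256 baseline from a trusted directory, then scans a second directory for `.dll.tmp` shadow copies and for DLLs whose size or hash no longer match. The directory names, the sample "DLL" contents and the `build_constructed_example` helper are constructed for the demonstration; on a real system the scan only means something when run from outside the suspect OS (offline image or boot media), because, as the post shows, a rootkit hooking the file APIs will happily report the backed-up file's size and contents.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(clean_dir):
    """Record (size, sha256) for every .dll in a trusted reference directory."""
    baseline = {}
    for p in Path(clean_dir).iterdir():
        if p.is_file() and p.suffix.lower() == ".dll":
            baseline[p.name.lower()] = (p.stat().st_size, sha256_of(p))
    return baseline


def scan_system_dir(system_dir, baseline):
    """Return (filename, kind, note) findings for a suspect directory.

    kind is one of: tmp_copy, unknown_dll, size_mismatch, hash_mismatch.
    """
    findings = []
    root = Path(system_dir)
    for p in sorted(root.iterdir()):
        if not p.is_file():
            continue
        name = p.name.lower()
        if name.endswith(".dll.tmp"):
            # Leftover backup of a replaced DLL, as seen in the post.
            original = root / name[:-4]
            note = "shadow copy of a DLL"
            if original.exists() and sha256_of(original) != sha256_of(p):
                note += "; contents differ from the live DLL"
            findings.append((p.name, "tmp_copy", note))
        elif name.endswith(".dll"):
            if name not in baseline:
                findings.append((p.name, "unknown_dll", "not in baseline"))
                continue
            size, digest = baseline[name]
            st_size = p.stat().st_size
            if st_size != size:
                findings.append((p.name, "size_mismatch", f"{st_size} != {size}"))
            elif sha256_of(p) != digest:
                # Same size but different bytes: a size-only check would miss this.
                findings.append((p.name, "hash_mismatch", "content differs at same size"))
    return findings


def build_constructed_example():
    """Constructed fixture: a clean reference dir and an 'infected' copy.

    In the infected copy ws2_32.dll has been replaced and the original was
    left beside it as ws2_32.dll.tmp, mirroring what the post describes.
    The byte strings are stand-ins, not real PE files.
    """
    clean = tempfile.mkdtemp(prefix="clean_")
    infected = tempfile.mkdtemp(prefix="infected_")
    samples = {
        "kernel32.dll": b"MZ constructed kernel32 sample",
        "ws2_32.dll": b"MZ constructed ws2_32 sample",
    }
    for n, data in samples.items():
        (Path(clean) / n).write_bytes(data)
        (Path(infected) / n).write_bytes(data)
    (Path(infected) / "ws2_32.dll.tmp").write_bytes(samples["ws2_32.dll"])
    (Path(infected) / "ws2_32.dll").write_bytes(samples["ws2_32.dll"] + b"\x90" * 16)
    return clean, infected


if __name__ == "__main__":
    clean_dir, suspect_dir = build_constructed_example()
    for finding in scan_system_dir(suspect_dir, build_baseline(clean_dir)):
        print("%-18s %-14s %s" % finding)
```

The baseline must come from a machine (or install media) you trust, as Mark's test machine did; comparing a file against a hash read through the same hooked API on the infected box proves nothing.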
