RE: Hidden Ports

["Aditya [ Aditya Lalit Deshmukh ]" <aditya.deshmukh () online gateway technolabs net>]

this is done by the firewalls to prevent authenticated files from being replaced by trojans and connecting to the 
internet.

there are many firewalls that do this :
zone alarm,
tiny firewall
kerio firewall
sygate firewall
etc

do this basically adds to the system security so it is good to keep it enabled.

-aditya

> -----Original Message-----
> From: Michael Painter [mailto:tvhawaii () shaka com]
> Sent: Sunday, February 08, 2004 9:04 AM
> To: Dimitri Bertolami; security-basics () securityfocus com
> Subject: Re: Hidden Ports
>
>
> ----- Original Message ----- 
> From: "Dimitri Bertolami" <Dimitri () staf pi be>
> To: <security-basics () securityfocus com>
> Sent: Friday, February 06, 2004 9:50 AM
> Subject: RE: Hidden Ports
>
>
> > guys and galls,
> >
> > I'll explain a bit more about this one ..
> [snip]
> > quote: (david)
> > -------------------------------------------
> > Not necessarily.  These tools are often part of a rootkit, which would
> > naturally hide itself.  In fact, they usually load as part of the OS
> > kernel, and not as a process.
> > -------------------------------------------
> http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefende
> r0.21.html
> > (text below taken from the site)
> > Idea
> > ----
> >
> > Main idea of this program was to use API functions WriteProcessMemory
> > and CreateRemoteThread to create a new thread in all running processes.
> > New thread will rewrite some functions in system modules (mostly
> > kernel32.dll)
> > and inject fake code which will check API results and change this result
> > in specific cases.
> > Program must be absolutely hidden for all others. Program installs
> > hidden backdoors and register as hidden system service.
> > --
> > meaning ,  you really honestly don't see the 500 connections to 
> port 21 on
> > your hidden FTP Server, because according to
> > your "rewritten" kernel there simply aren't any of these 
> services or ports
> > in use, you can consider a rootkit like an Evil
> > MS patch (from hackers) MS patches the correct way, rootkits 
> patch the wrong
> > way. but a patch is a patch and windows won't
> > recognise the patch as "not" being a part of it's own 
> architecture once it's
> > installed.
> >
> >
> > any questions, feel free to ask..
> > Cheers,
> > Dimitri
>
>
>
> What do you folks think of ZoneAlarmPro?
> When I look in:Program Control | Components, there are ~1,125 
> dlls listed.  If I right click on kernel32.dll and select More Info,
> in Overview I get:
> "ZoneAlarm Pro has recorded KERNEL32.DLL in its list of 
> components in the Program Control section. The component was recorded
> because either a program using the component requested network 
> access, or a program that already had network access attempted to
> load the component. Information about the component is recorded 
> whether the user allowed the program access/server rights or denied
> it.
>
> Many programs require network access for normal operation, and 
> use components to perform their network access. These are expected
> uses and are not a cause for concern. However, viruses and Trojan 
> horse programs can modify or replace components with hacked
> versions that can be used to carry out attacks. If you suspect a 
> component is not legitimate, you should not allow it access.
> Because the purpose of component files is often not obvious, you 
> should conduct some research if you have any suspicions about a
> component's legitimacy. Detailed information about KERNEL32.DLL 
> is available on the Technical Info tab of this article.
>
> Depending on the Access setting for a component, ZoneAlarm Pro 
> will either allow a program using that component to access the
> network or act as a server, or will ask you for permission each 
> time it is used. If you trust KERNEL32.DLL, you can give it an
> Access setting of Allow, and that will give programs using it 
> access/server rights without needing to ask for permission each time.
> If you are not sure about KERNEL32.DLL, you can give it a setting 
> of Ask, which will remind you that you need to decide next time it
> is used. If you know there is a problem with KERNEL32.DLL, you 
> should either delete if from your system or fix the problem."
>
> And under Details, they say:
>
> "This article presents detailed information on component KERNEL32.DLL.
>
> What is a new or changed component?
>
> A component is a small program or set of functions (also known as 
> a Dynamic Link Library or DLL) that larger programs call on to
> perform specific tasks. Some components may be used by several 
> different programs simultaneously.
>
> ZoneAlarm Pro considers a component a New Component the first 
> time a program using the component makes an attempt to connect to or
> receive connections from the Internet or your local network, or 
> the first time a component is loaded by a program that is already
> connected to the network. ZoneAlarm Pro also considers the 
> component to be a New Component if the component entry within the
> ZoneAlarm Pro Components List has been removed.
>
> ZoneAlarm Pro considers a component a Changed Component if it has 
> been modified since the last time it accessed the Internet or your
> local network. If you have upgraded a component and the upgrade 
> replaced the component with a new copy, then ZoneAlarm Pro detects
> the change in the file. Some components are automatically updated 
> by programs, and ZoneAlarm Pro detects any change in the component
> file itself, no matter how slight."
>
> And finally:
>
> "ZoneAlarm Pro authenticates your programs and their shared 
> components by recording their MD5 signatures the first time the program
> requests network or Internet access, then checking those 
> signatures when the program requests access again."
>
> Do any other "Firewalls" do anything like this and if so, what do 
> you think of it?
>
> Sorry to be so long-winded but didn't know how many had a chance 
> to use ZA.
>
> --Michael
>
>
>
>
> ------------------------------------------------------------------
> ---------
> Ethical Hacking at InfoSec Institute. Mention this ad and get 
> $720 off any 
> course! All of our class sizes are guaranteed to be 10 students or less. 
> We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion 
> Prevention, 
> and many other technical hands on courses. 
> Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
> any course!  
> ------------------------------------------------------------------
> ----------


________________________________________________________________________
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)

---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------