Re: 'rooted' NT/2K boxen?

["Cody Hatch" <cody () halosec com>]

I saw a Win2000 machine rooted just last week by an autorooter taking
advantage of the pre-10pack rollup Microsoft put out just recently. It
was hacked through a Unicode attack by an auto-rooter from Russia,
connected to an ftp site in Moscow and downloaded a file named "lb.exe",
which, when run connects to an IRC server in Moscow, loads an
auto-rooter with a list of servers to attack, and hides the processes
from netstat, Program Manager, etc. It was pretty slick.

Cody Hatch
HALO Network Security

> > I haven't seen any type of windows 'rootkit' myself.
> > For example a replacement of netstat, nbtstat,
> > route, and other utilities to give proccess
> > information etc...
> >
> > If anyone knows of any let me know I'm interested.
> > Of course the problem with getting windows
> > source is an issue. 
>  
> Older versions of Hoglund's NTRootkit are available
> here:
> http://www.megasecurity.org/Tools/Nt_rootkit_all.html
>
> The 'newest' version I've been able to find is here:
> http://www.ntndis.com/downloads.shtml
>
> click on "Windows NT Rootkit Source".
>
> Not sure how that applies to my original question, but
> there it is...
>
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Health - your guide to health and wellness
> http://health.yahoo.com
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com