Security Incidents mailing list archives

Re: 'rooted' NT/2K boxen?


From: "KJK::Hyperion" <noog () libero it>
Date: Sat, 04 May 2002 02:24:59 +0200

At 00.42 03/05/2002, you wrote:
> which, when run connects to an IRC server in Moscow,
> loads an
> auto-rooter with a list of servers to attack, and
> hides the processes
> from netstat, Program Manager, etc. It was pretty
> slick.
> This is interesting. First off, neither netstat nor Program Manager show process information, so hiding process info from them isn't tough. I'm going to assume you mean Task Manager...but again, that's an API call to hide a process from TM.

Unlikely. The Task Manager obtains the full process list directly from the kernel, then filters it depending on the user's settings (only processes in the current session, only my processes, etc.). You cannot absolutely hide from it like you did in Windows 95 with RegisterServiceProcess (that didn't hide processes at all, BTW, it was just the task manager that sucked), unless you crack it (like this rootkit does) or you intercept the system call NtQuerySystemInformation (the latter is much harder, but it takes care of any kind of process enumeration). An interesting all-kernel rootkit for Windows NT was available from rootkit.com some time ago, but the site has been dead for months now.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
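The reply above describes the two ways a process can be hidden from Task Manager: patching Task Manager itself, or intercepting NtQuerySystemInformation so that every caller gets a doctored list. The following is an added example, not code from either poster, that models the second technique offline. NtQuerySystemInformation(SystemProcessInformation) returns a buffer of variable-length records chained by a NextEntryOffset field (0 ends the chain); a hook calls the real function and then splices the victim's record out of the chain by adjusting its predecessor's offset. The PROC_INFO struct and the sample buffer are constructed stand-ins (the real SYSTEM_PROCESS_INFORMATION has many more fields and a UNICODE_STRING image name), so the code compiles and runs with any C compiler. The cross-view check at the end is the standard detection idea: compare the list the API returns with an independent enumeration and treat anything missing as hidden.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reduced, hypothetical stand-in for SYSTEM_PROCESS_INFORMATION. */
typedef struct {
    uint32_t NextEntryOffset;  /* byte offset to the next record; 0 ends the chain */
    uint32_t NumberOfThreads;
    uint32_t UniqueProcessId;  /* PID */
    char     ImageName[32];
} PROC_INFO;

/* Constructed sample of what the kernel hands back: Idle first, then a few
   processes, each record padded to a different size as in the real format.
   Returns bytes written, 0 if the buffer is too small. buf must be 4-byte aligned. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint32_t pids[] = {0, 4, 312, 1337, 2044};
    static const char *names[]   = {"Idle", "System", "winlogon.exe", "irc-bot.exe", "explorer.exe"};
    size_t n = sizeof pids / sizeof pids[0], off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t rec = sizeof(PROC_INFO) + 8 * i;        /* variable-length records */
        if (off + rec > cap) return 0;
        PROC_INFO *p = (PROC_INFO *)(buf + off);
        memset(p, 0, rec);
        p->NextEntryOffset = (i + 1 < n) ? (uint32_t)rec : 0;
        p->NumberOfThreads = 1;
        p->UniqueProcessId = pids[i];
        strncpy(p->ImageName, names[i], sizeof p->ImageName - 1);
        off += rec;
    }
    return off;
}

/* What Task Manager does: follow the chain and collect every PID it reaches. */
size_t walk(const uint8_t *buf, uint32_t *pids, size_t max)
{
    size_t n = 0;
    const PROC_INFO *p = (const PROC_INFO *)buf;
    for (;;) {
        if (n < max) pids[n] = p->UniqueProcessId;
        n++;
        if (p->NextEntryOffset == 0) break;
        p = (const PROC_INFO *)((const uint8_t *)p + p->NextEntryOffset);
    }
    return n;
}

/* What a hook on NtQuerySystemInformation does after the real call returns:
   make the predecessor's NextEntryOffset skip over every record with the victim
   PID. The victim's bytes stay in the buffer; only the chain no longer reaches
   them. Assumption: the head record (Idle, PID 0) is never the victim. */
size_t hide_pid(uint8_t *buf, uint32_t victim)
{
    size_t hidden = 0;
    PROC_INFO *prev = (PROC_INFO *)buf;
    while (prev->NextEntryOffset != 0) {
        PROC_INFO *cur = (PROC_INFO *)((uint8_t *)prev + prev->NextEntryOffset);
        if (cur->UniqueProcessId == victim) {
            /* 0 if cur was last, otherwise the offset of cur's successor from prev */
            prev->NextEntryOffset = cur->NextEntryOffset
                                  ? prev->NextEntryOffset + cur->NextEntryOffset : 0;
            hidden++;               /* keep prev; re-examine its new successor */
        } else {
            prev = cur;
        }
    }
    return hidden;
}

/* Cross-view check: PIDs present in a trusted enumeration but absent from the
   list the (possibly hooked) API returned are hidden processes. */
size_t cross_view_diff(const uint32_t *trusted, size_t nt,
                       const uint32_t *seen, size_t ns,
                       uint32_t *missing, size_t max)
{
    size_t m = 0;
    for (size_t i = 0; i < nt; i++) {
        int found = 0;
        for (size_t j = 0; j < ns && !found; j++) found = (seen[j] == trusted[i]);
        if (!found && m < max) missing[m++] = trusted[i];
    }
    return m;
}

int main(void)
{
    uint32_t words[256];                      /* aligned backing store */
    uint8_t *buf = (uint8_t *)words;
    uint32_t before[8], after[8], missing[8];
    if (build_sample(buf, sizeof words) == 0) return 1;
    size_t nb = walk(buf, before, 8);
    hide_pid(buf, 1337);                      /* the hook hides the bot */
    size_t na = walk(buf, after, 8);
    size_t nm = cross_view_diff(before, nb, after, na, missing, 8);
    for (size_t i = 0; i < nm; i++) printf("hidden pid: %u\n", missing[i]);
    return 0;
}
```

In a real rootkit the "trusted" view is not available from the hooked API; a detector obtains it from a different path, for example by probing PIDs directly or by reading kernel structures, which is why hooking the single NtQuerySystemInformation entry point is not the last word even though it fools every user-mode enumerator that goes through it.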

