Security Incidents mailing list archives

Re: DS trojan opens ports fport does not detect?


From: H Carvey <keydet89 () yahoo com>
Date: 15 Dec 2003 12:56:13 -0000

In-Reply-To: <4110.199.72.0.130.1071202370.squirrel () www zounds net>


Recently, when attempting to play Dungeon Siege with a friend, I installed
a crack he found on the internet.  (we each purchased the game)


Do you have the location where you downloaded the crack?

His machine began responding to port scans on tcp 25 and 110. 

Just out of curiosity, did you port scan him after installing the crack?  If so, what tool did you use?  Was it a plain 
vanilla TCP connect scan, or a stealth scan, or what?  And when you say "responding", what do you mean?  That the 
scanner found the ports to be open, or did you actually get a response, such as a banner?

I could
telnet to these ports, and the response was to clear my screen, and on any
keypress, to drop the connection.  He said he could not telnet to port 25
on his machine via localhost.

If the response was clear on your screen, what was the response?

After installing the crack on my machine, I found I could telnet to port
25 and get the connection with no banner.

Did you telnet to localhost?  Curious, as you stated that your friend could not do this...

Neither Norton AntiVirus nor Ad-Aware found anything.  I erased the DLL,
and port 25 closed for a while, but it is open again (sigh).


It's not surprising that NAV or AdAware wouldn't find this stuff, but it does sound unusual that you would delete the 
DLL, and that the port would be open again.  This might be explained by the fact that perhaps the DLL itself isn't to 
blame.  Maybe something else, or something you installed along with the DLL was the culprit.

But using tools like netstat, fport, or tcpview did not show any activity
on 25 or 110.  

Go to http://www.diamondcs.com.au/openports/, and get openports.exe.  

Zone Alarm isn't detecting it making outgoing connections. 

From what you've said so far, it doesn't sound like it would...so your ZA results aren't surprising.  It's good that 
you're being thorough, though. 

What I'm curious about at this point is...was your friend running ZA?  If so, why were ports 25 and 110 shown as open 
on his system?

Isn't the point of a tool like fport to detect and find the application
that opens ports?  Is it common for these tools to be evaded?


Well, as with any tool, you have to know what you're doing.  One doesn't use a hammer when they have to tighten a 
bolt...usually.  It might help if you provided information regarding the configuration of the systems in question, to 
include operating systems, installed Service Packs and hotfixes, etc. 

Also, if you have a concern about a tool and how it operates, contacting the author(s) of the tool would be the 
preferred route.  Of course, they're going to ask you a lot of the same things I mentioned above, too.  Without that 
information, it's most likely that the "incident" will be chalked up to a bunch of clueless gamers.

Let me know if there's anything I can do to help.

Harlan
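The discrepancy the thread turns on is that a plain TCP connect from another machine reaches ports 25 and 110 while netstat, fport and TCPView on the host show nothing listening there. The script below is an added example, not code from the list post or from any of the tools named in it: it parses the host's own socket table (a constructed `netstat -ano`-style sample, not output captured from the affected machines), takes the set of ports a connect probe reached, and reports any port that is open from the network but absent from the host's table. A non-empty result is exactly the "host view cannot be trusted" condition, which is why Harlan points at an independent tool; the function names, the sample rows and the PIDs in them are all assumptions made for the example.

```python
"""Cross-check a host's own socket table against what a TCP connect probe
reaches.  Added example, not code from the mailing-list thread; the netstat
output below is constructed, not captured from the affected machines."""
import re
import socket
from typing import Dict, Iterable, Set

# Constructed sample in the column layout of Windows `netstat -ano`
# (Proto, Local Address, Foreign Address, State, PID).  Ports 25 and 110
# are deliberately absent, mirroring what the poster saw.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:3389      192.168.1.20:51234     ESTABLISHED     1024
  UDP    0.0.0.0:500            *:*                                    680
"""

# One LISTENING TCP row: local addr:port, foreign addr, state, owning PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_listening_ports(netstat_text: str) -> Dict[int, int]:
    """Map each TCP port netstat reports as LISTENING to the PID that owns it."""
    listening: Dict[int, int] = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listening[int(m.group(1))] = int(m.group(2))
    return listening


def probe_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Set[int]:
    """Plain-vanilla TCP connect probe (the kind of scan Harlan asks about):
    a port counts as reached only if the full three-way handshake completes."""
    reached: Set[int] = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                continue  # refused, filtered or timed out
            reached.add(port)
    return reached


def hidden_listeners(local_view: Dict[int, int], reached: Set[int]) -> Set[int]:
    """Ports that accept connections but are missing from the host's own
    socket table.  Anything returned here is the discrepancy the thread
    describes: the host's view is unreliable, so confirm with an independent
    tool and, ideally, examine the machine offline."""
    return reached - set(local_view)


def report(local_view: Dict[int, int], reached: Set[int]) -> str:
    """One line per reached port, naming the owning PID or flagging its absence."""
    lines = []
    for port in sorted(reached):
        owner = local_view.get(port)
        status = f"PID {owner}" if owner is not None else "NOT IN SOCKET TABLE"
        lines.append(f"tcp/{port}: open from the network, {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Stand-alone demo.  The probe result is constructed to match what the
    # poster's scan of his friend's box showed (25 and 110 answering).
    local = parse_listening_ports(SAMPLE_NETSTAT)
    from_network = {25, 110, 135, 445}
    print(report(local, from_network))
    print("hidden:", sorted(hidden_listeners(local, from_network)))
    # Sanity check of the probe itself against a throwaway local listener.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        print("probe reaches local listener:", probe_ports("127.0.0.1", [port]) == {port})
```

Run the probe from a second machine (or at least against the host's LAN address rather than localhost, since the poster notes the friend could not reach port 25 via localhost) and feed its result together with the host's own netstat output into `hidden_listeners`; the comparison, not either view on its own, is what surfaces a listener the host is hiding.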


