Windows Rootkits/API Hooking

[Harlan Carvey <keydet89 () yahoo com>]

In the past couple of weeks, there have been several
Trojans and backdoors that have appeared on Symantec's
SecurityResponse site that use API hooking to hide
themselves.  

I was wondering if anyone has solid proof of a system
that was compromised using something along these
lines?  The recent thread regarding an open port 109
and "winlogon.exe" hasn't shown anything solid to
support a "Windows kernel rootkit". 

Has anyone seen something like this?  For example, has
an external port scan shown a TCP port open that did
NOT appear in the netstat/fport output?  Or has there
been some other phantom evidence, and it later turned
out that the system was "infected" with API hooking
malware?

Thanks,

Carv

__________________________________________________
Do you Yahoo!?
Yahoo! Web Hosting - establish your business online
http://webhosting.yahoo.com

----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>