Security Incidents mailing list archives
Re: Trojan of somesort - Update
From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 28 May 2004 04:07:37 -0700 (PDT)
Derek,
> And using port knocking will make things even more invisible.
I believe you're right about that, but with the caveat that things will be even more invisible, but only to those folks who are doing external port scans, or searching systems based on file names. As I've shown in my upcoming book ("Windows Forensics and Incident Recovery", from Addison-Wesley), even things like rootkits leave a footprint. Sure, sometimes it's like trying to catch the wind...it slips through your fingers, but you still see the effect it has on leaves, etc...but there are ways to automate even simple checks to see what's going on on systems. For example, WMI (through .vbs or Perl) allows you to get things like PIDs, command lines, and exe paths for processes...most Windows admins don't go beyond the Task Manager. Same with services...there's a proof-of-concept tool out called RKDetect that claims to detect the HackerDefender rootkit by checking for disparities between WMI and SCM queries for services. My point is that while Windows admins continue to default to things like Task Manager, Event Viewer, and the occasional "I didn't see anything suspicious in 'netstat'", these things will remain effectively invisible. Trojan, backdoor, and worm technology doesn't have to advance all that quickly b/c it's far too easy to stay ahead of the vast majority of the folks who own and manage these machines.
> Anyone seen RATs using this?
I'd be very interested to see the results to this question...along with solid proof.
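The WMI-versus-SCM cross-check described in the message above, as an added example (PowerShell, which postdates the post; this is not code from the original message or from RKDetect): it enumerates services through the SCM and through WMI, enumerates processes through the Win32 API and through WMI, and reports any service name or PID that appears in only one view, together with the WMI command line and executable path for each process. Function names are the editor's; the process lists are assumed not to change between the two snapshots.

```powershell
# Added example, not from the original post: look for disparities between two
# views of the same system. A service or process that one API reports and the
# other does not is the kind of footprint the message says rootkits still leave.

function Get-ServiceDisparity {
    # SCM view: Get-Service wraps the ServiceController class (EnumServicesStatus)
    $scm = Get-Service | Select-Object -ExpandProperty Name
    # WMI/CIM view: the Win32_Service class
    $wmi = Get-CimInstance -ClassName Win32_Service | Select-Object -ExpandProperty Name
    Compare-Object -ReferenceObject $scm -DifferenceObject $wmi |
        ForEach-Object {
            [pscustomobject]@{
                Name   = $_.InputObject
                Source = if ($_.SideIndicator -eq '<=') { 'SCM only' } else { 'WMI only' }
            }
        }
}

function Get-ProcessDisparity {
    # Win32 API view: Get-Process wraps System.Diagnostics.Process
    $api = Get-Process | Select-Object -ExpandProperty Id
    # WMI view, which also carries CommandLine and ExecutablePath
    $wmi    = Get-CimInstance -ClassName Win32_Process
    $wmiIds = $wmi | Select-Object -ExpandProperty ProcessId
    Compare-Object -ReferenceObject $api -DifferenceObject $wmiIds |
        ForEach-Object {
            $p = $wmi | Where-Object ProcessId -eq $_.InputObject
            [pscustomobject]@{
                PID            = $_.InputObject
                Source         = if ($_.SideIndicator -eq '<=') { 'API only' } else { 'WMI only' }
                ExecutablePath = $p.ExecutablePath
                CommandLine    = $p.CommandLine
            }
        }
}

function Get-ProcessInventory {
    # The details Task Manager does not show: parent PID, full path, command line
    Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
}

Get-ServiceDisparity | Format-Table -AutoSize
Get-ProcessDisparity | Format-Table -AutoSize
Get-ProcessInventory | Format-Table -AutoSize -Wrap
```

Processes that start or exit between the two snapshots will show up as one-sided entries, so re-run the check before treating a process disparity as anything more than timing; service disparities have no such excuse.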