Security Incidents mailing list archives

Re: Trojan of somesort - Update


From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 28 May 2004 04:07:37 -0700 (PDT)

Derek,

> And using port knocking will make things even more
> invisible.

I believe you're right about that, but with the caveat
that things will be even more invisible, but only to
those folks who are doing external port scans, or
searching systems based on file names.  

As I've shown in my upcoming book ("Windows Forensics
and Incident Recovery", from Addison-Wesley), even
things like rootkits leave a footprint.  Sure,
sometimes it's like trying to catch the wind...it
slips through your fingers, but you still see the
effect it has on leaves, etc...but there are ways to
automate even simple checks to see what's going on on
systems.  For example, WMI (through .vbs or Perl)
allows you to get things like PIDs, command lines, and
exe paths for processes...most Windows admins don't go
beyond the Task Manager.  Same with services...there's
a proof-of-concept tool out called RKDetect that
claims to detect the HackerDefender rootkit by
checking for disparities between WMI and SCM queries
for services.  

My point is that while Windows admins continue to
default to things like Task Manager, Event Viewer, and
the occasional "I didn't see anything suspicious in
'netstat'", these things will remain effectively
invisible.  Trojan, backdoor, and worm technology
doesn't have to advance all that quickly b/c it's far
too easy to stay ahead of the vast majority of the
folks who own and manage these machines.

> Anyone seen RATs using this?

I'd be very interested to see the results to this
question...along with solid proof.
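Added example, not part of Harlan's post or of RKDetect: a PowerShell script that does the two checks the message describes, pulling PID, parent PID, command line and image path for every process through WMI, and then comparing the WMI (Win32_Service) and Service Control Manager (Get-Service) views of installed services to surface any name that appears in one and not the other. It assumes an elevated PowerShell session with the CIM cmdlets (PowerShell 3.0 or later) on the host being reviewed; the "outside the Windows directory" filter in the last step is a triage heuristic added here, not a rule from the post.

```powershell
# Added example (not from the original post): enumerate processes through WMI,
# then compare the WMI and SCM views of installed services.
# Run in an elevated PowerShell session on the host under review.

# 1. Process detail that Task Manager does not show: PID, parent PID,
#    command line and image path, all from the WMI Win32_Process class.
$procs = Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine

# Processes with no resolvable image path deserve a second look. The lookup can
# also fail for protected or exiting processes, so this is a triage list, not a verdict.
"Processes with no ExecutablePath:"
$procs | Where-Object { -not $_.ExecutablePath } |
    Format-Table ProcessId, ParentProcessId, Name, CommandLine -AutoSize

# 2. Two views of the same service list: WMI (Win32_Service) and the Service
#    Control Manager (Get-Service uses the SCM API). A service present in one
#    view but missing from the other is the disparity the RKDetect approach
#    described in the post looks for.
$wmiServices = Get-CimInstance -ClassName Win32_Service |
    Select-Object -ExpandProperty Name | Sort-Object
$scmServices = Get-Service |
    Select-Object -ExpandProperty Name | Sort-Object

$diff = Compare-Object -ReferenceObject $scmServices -DifferenceObject $wmiServices
if ($diff) {
    "Service name disparities (=> only in WMI, <= only in SCM):"
    $diff | Format-Table InputObject, SideIndicator -AutoSize
} else {
    "No service name disparities between WMI and SCM ($($scmServices.Count) services)."
}

# 3. Triage heuristic added here: services whose binary lives outside the
#    Windows directory, shown with state, start mode and full command line.
"Services with a binary outside $env:SystemRoot:"
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch [regex]::Escape($env:SystemRoot) } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize
```

The service comparison is only as good as the two enumerations being taken at nearly the same moment; a service installed or removed between the two calls will show up as a disparity, so re-run before treating a single difference as evidence, and compare any genuine mismatch against the Services key under HKLM:\SYSTEM\CurrentControlSet as a third view.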

