Security Basics mailing list archives

RE: hidden tasks


From: Meidinger Chris <chris.meidinger () badenit de>
Date: Thu, 25 Sep 2003 12:27:30 +0100

Hi Roland

> 1. To prevent a connection or infection from a remote PC.
> 2. To control your own machine: what tasks are running and what data is produced.

> Regarding the second question the answer is often too easy: check the task manager, look into the registry for the autorun hives... (check the answers for "Hard Drive keeps filling up").

As far as looking for trojans or stuff like that, the task manager should be considered 'unconfirmed' information.

> I think a good programmer can mask his program as if it were an MS program. So you see it in a real task manager (the NT task manager does not show all tasks), but you think it is a normal MS program. About the autorun: even when all autostartup places in the registry are empty, we still have a lot of tasks running. So would it not be possible that a process is started like these system processes, without having an entry in the autostart places in the registry?

I believe that the NTRootkit hooks system calls, which could hide running processes from _anything_ that tries to view them. You should be able to find information about how NTRootkit does this with a Google search.

So how do services start? Well, they have their own run keys in the registry. I can install a service by adding it to the registry, for example. So, from there, I can start something automagically, without making it very obvious what it is. So yes, it is absolutely possible.

> How difficult is it to replace the kernel with a kernel that does the same but additionally also collects all typing and sends it to the internet one time a month? It does not need a schedule service to do this. It can count to 30 days by itself. Or a kernel driver or user driver: would it be possible to modify e.g. the sound driver so it will also collect all typing and send it to the internet after it has played sound for 999 hours? I am not a programmer, so I do not know if an MS program needs a certificate or something else in order to replace it. The problem with images or MD5 hash checkers or BlackICE Defender or Windows File Protection (WFP) is that you have to update them after each system update. This is too difficult for the normal user. There are also workarounds for e.g. WFP: the WFP runs on the system itself, so a user with control over the system can easily make their own update of the WFP...

You can replace your kernel any time you want to. Look for articles on the internet about how to replace the startup picture for Windows XP, for example, and you can test it yourself in a non-destructive way. This change takes place in the kernel, as you are replacing a picture resource in your kernel. The major difference between a Linux kernel and the Windows kernel is that the Windows kernel is not open source. So it is more difficult to just add your own code and recompile.

I recommend you look for more information about rootkits on NT, there is a
good amount of info about these things out there.

Chris Meidinger
IT Technology and Services

badenIT GmbH
Innovation technology for your future

Tel. +49 761 279 2280
Fax. +49 761 279 2200

Tullastrasse 70
79108 Freiburg
Germany
 

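Chris's point that a service is installed by writing its own key under the Services hive, and Harlan's question (quoted below) whether that counts as an "autorun place", can be checked against a `reg export` of that hive. The script below is an added example, not code from either poster: it parses the .reg text format regedit writes (including REG_EXPAND_SZ values stored as `hex(2)` UTF-16LE bytes with backslash-continued lines), resolves each service's ImagePath, and flags a well-known system32 binary name that lives anywhere else. The export text, the `%SystemRoot%` value and the list of system32-only names are constructed for the demo.

```python
"""Audit service ImagePath values from a 'reg export' of the Services hive.

Constructed example for this thread, not code from either poster. The .reg text,
the %SystemRoot% value and the list of system32-only names are made up; only the
file layout follows what regedit writes.
"""
import ntpath
import re

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Constructed environment of the audited machine (what %SystemRoot% expands to).
ENV = {"SYSTEMROOT": r"C:\WINDOWS", "WINDIR": r"C:\WINDOWS"}
# Microsoft binaries that only belong in system32 (assumption for the demo; a
# real list would be taken from a known-good install of the same build).
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "mstask.exe"}

# Constructed sample export. 'Dhcp' keeps ImagePath as REG_EXPAND_SZ, which
# regedit writes as hex(2) UTF-16LE bytes with backslash-continued lines; the
# others are plain REG_SZ. 'UpdateSvc' is the planted one: svchost.exe under
# %WINDIR%\system instead of system32.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DisplayName"="DHCP Client"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
  76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,\
  20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt]
"DisplayName"="i8042 Keyboard and PS/2 Mouse Port Driver"
"ImagePath"="System32\\DRIVERS\\i8042prt.sys"
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UpdateSvc]
"DisplayName"="Automatic Updates"
"ImagePath"="C:\\WINDOWS\\system\\svchost.exe -k netsvcs"
"Start"=dword:00000002
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _logical_lines(text):
    """Join regedit's backslash-continued hex lines into one logical line each."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _decode_data(data):
    """Decode the REG_SZ, REG_EXPAND_SZ (hex(2)) and REG_DWORD forms regedit emits."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("hex(2):"):
        raw = bytes(int(h, 16) for h in data[len("hex(2):"):].split(",") if h)
        return raw.decode("utf-16-le").rstrip("\x00")
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return data


def parse_reg_export(text):
    """Return {key path: {value name: decoded data}} for a .reg export."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = _decode_data(m.group(2))
    return keys


def image_from_command(cmd):
    """Resolve the binary an ImagePath command line points at.

    Expands %VAR% with ENV, honours a quoted path, otherwise cuts after the
    first .exe/.sys (a heuristic; unquoted paths are the norm for services),
    and roots driver paths such as System32\\DRIVERS\\x.sys at %SystemRoot%.
    """
    cmd = re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), cmd.strip())
    if cmd.startswith('"'):
        image = cmd[1:cmd.find('"', 1)]
    else:
        low = cmd.lower()
        cut = min((low.find(ext) + len(ext) for ext in (".exe", ".sys") if ext in low),
                  default=len(cmd.split(" ")[0]))
        image = cmd[:cut]
    if not ntpath.splitdrive(image)[0] and not image.startswith("\\"):
        image = ntpath.join(ENV["SYSTEMROOT"], image)
    return image


def audit_services(text):
    """Return [(service, image, reason)] for system32-only names found elsewhere."""
    system32 = ntpath.normcase(ntpath.join(ENV["SYSTEMROOT"], "system32"))
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(SERVICES_ROOT.lower() + "\\") or "ImagePath" not in values:
            continue
        image = image_from_command(values["ImagePath"])
        if (ntpath.normcase(ntpath.basename(image)) in SYSTEM32_ONLY
                and ntpath.normcase(ntpath.dirname(image)) != system32):
            findings.append((key.rsplit("\\", 1)[1], image, "system32-only binary name at another path"))
    return findings


if __name__ == "__main__":
    for service, image, reason in audit_services(REG_EXPORT):
        print(f"{service}: {image}  <- {reason}")
```

On a real box the input would come from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (the file may be UTF-16, so open it with the matching encoding). The caveat Chris raises applies here as well: an export taken on the running system goes through the same kernel the rootkit may have hooked, so a hive copied from the disk of a machine booted from clean media is the more trustworthy source.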
-----Original Message-----
From: H Carvey [mailto:keydet89 () yahoo com]
Sent: Monday, September 22, 2003 1:55 PM
To: security-basics () securityfocus com
Subject: Re: hidden tasks


In-Reply-To: <D0651C658F6ED7119A8D00B0D064C7980280C1 () mail bknkids de>

What you're referring to is entirely possible, as well as actually out
there...

> Would it be possible that instead of the shown task a trojan is running on the system?

This is not only possible, but it's been done.  There are trojans and backdoors that get written to %WINDIR%\system or %WINDIR%\temp, called "svchost.exe".  This is the same name as Microsoft's file, but the path is different, and Task Manager doesn't show the image paths for the processes that are running.

> The trojan has the name of a known MS program, the same version number, the same manufacturer name, the same description and the same path/type as in Dr Watson's tasklist. The size of the file is the same as the original MS file.

Earlier you said "On NT systems (or other windows systems)"...what you
describe is possible, though on Win2K and above, improbable.  The reason
being that Win2K and above have WFP running, so any file protected by WFP
that the attacker attempts to overwrite or delete is replaced automatically.
There are ways around this, but the other thing to consider is that the
likelihood of a file being the exact same size as the original MS file, and
having all of the product version information intact is pretty slim.  But
again...even if this is the case, the very fact that the functionality is
different would give the file a different hash or checksum.

> Is it possible that there is a trojan running but we do not see it with a virusscanner (because it is new),

Yes, this is possible, and it doesn't have to be "new".  Several backdoors
are not picked up by A/V software.  IRC Bots like russiantopz, PowerBot and
GTBot use mirc32.exe as their base, which is a legit app...and is therefore
not picked up.

> not in the task list (as it seems to be an MS application),

Not appearing in the task list has little to do with whether the file is an
MS application or not.

> not in any autorun place (as it is started like a system task),

Do you mean a service?  If you do, wouldn't that be an "autorun place"?  

> not with netstat or other sniffer (it makes the connections just one time a month)?

Scheduled task?  If it's a running process, you should be able to see it,
unless it's been hidden with a Hoglund-style kernel-mode rootkit.



Hope that helps,



Harlan
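Harlan's closing point, that a replacement matching the original's size and version information still hashes differently, and the MD5-checker discussion in Chris's reply above, in a small worked form. This is an added example, not code from the thread: the file contents and paths are constructed (only the MZ magic is kept so they look like executables), SHA-256 stands in for the MD5 the thread mentions, and the list of system32-only names is an assumption. It shows a size-only check passing a same-size swap that a hash baseline catches, and a second `svchost.exe` in `%WINDIR%\system` being reported even though no baseline entry exists for that path.

```python
"""Size-only vs hash baselines for protected system binaries.

Constructed example for this thread, not Harlan's or Chris's code. File contents
and paths are made up (only the MZ magic is kept so they look like executables),
and SHA-256 stands in for the MD5 checkers the thread mentions.
"""
import hashlib
import ntpath

SYSTEM32 = r"C:\WINDOWS\system32"
# Well-known names that only belong in system32 (assumption for the demo).
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}


def fingerprint(data):
    """(size, sha256 hex). Size is the part an attacker can match trivially."""
    return len(data), hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """{path: bytes} from a known-good install -> {normalized path: fingerprint}."""
    return {ntpath.normcase(p): fingerprint(d) for p, d in files.items()}


def size_only_verify(baseline, files):
    """What a size-based check reports: baseline paths whose size changed."""
    seen = {ntpath.normcase(p): d for p, d in files.items()}
    return sorted(p for p, (size, _) in baseline.items() if p in seen and len(seen[p]) != size)


def verify(baseline, files):
    """Compare a later snapshot with the baseline.

    Returns sorted (path, verdict) pairs:
      'modified (same size)' / 'modified'  hash differs from the baseline
      'missing'                            baseline file is gone
      'masquerade'                         system32-only name found elsewhere
      'new'                                no baseline entry, nothing else wrong
    """
    seen = {ntpath.normcase(p): d for p, d in files.items()}
    results = []
    for path, (size, digest) in baseline.items():
        if path not in seen:
            results.append((path, "missing"))
        elif fingerprint(seen[path]) != (size, digest):
            results.append((path, "modified (same size)" if len(seen[path]) == size else "modified"))
    for path in seen.keys() - baseline.keys():
        outside = ntpath.dirname(path) != ntpath.normcase(SYSTEM32)
        if ntpath.basename(path) in SYSTEM32_ONLY and outside:
            results.append((path, "masquerade"))
        else:
            results.append((path, "new"))
    return sorted(results)


def _fake_pe(text, size=64):
    """Constructed stand-in for a binary: MZ magic plus text, NUL-padded to size."""
    return (b"MZ" + text).ljust(size, b"\x00")


# Constructed known-good install.
GOOD = {
    SYSTEM32 + r"\svchost.exe": _fake_pe(b"genuine service host"),
    SYSTEM32 + r"\lsass.exe": _fake_pe(b"genuine lsass"),
}
# Later snapshot: svchost.exe swapped for a same-size replacement, and a second
# svchost.exe planted in %WINDIR%\system, the path Harlan's reply names.
LATER = dict(GOOD)
LATER[SYSTEM32 + r"\svchost.exe"] = _fake_pe(b"logs keys, beacons monthly")
LATER[r"C:\WINDOWS\system\svchost.exe"] = _fake_pe(b"a second copy")

if __name__ == "__main__":
    base = build_baseline(GOOD)
    print("size-only check:", size_only_verify(base, LATER))  # []
    for path, verdict in verify(base, LATER):
        print(f"{verdict:22} {path}")
```

The baseline has to be taken from a clean install of the same build and refreshed after every patch, which is exactly the maintenance burden the quoted reply complains about; what the hash buys in return is that no amount of padding or copied version resources makes a changed binary match.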

---------------------------------------------------------------------------
----------------------------------------------------------------------------