Security Basics mailing list archives
RE: hidden tasks
From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
Date: Fri, 19 Sep 2003 13:14:06 -0600
What you describe is possible. The only solution to something like this would be to apply some sort of heuristic scanning techniques. Software such as Black Ice Defender keep records of file CRCs and then provide a warning if the file changes. It gives you the option to auto-terminate any applications that are not in the 'baseline' that you determine. When you install an application, you can enable 'install mode' to allow it to run and then it will prompt you to run another baseline after installation so that the new installation will be the new 'baseline'. All of these things seem hyper-paranoid, but there are situations where it may be warranted. Eric Hagen -----Original Message----- From: Philipp, Roland [mailto:Roland.Philipp () bknkids com] Sent: Friday, September 19, 2003 11:38 AM To: security-basics () securityfocus com Subject: hidden tasks Hi all On NT systems (or other windows systems) the task manager shows some running tasks, Dr Watson shows all running tasks at the time the system snapshot was taken. Would it be possible that instead of the shown task a trojan is running on the system? The trojan has the name of a known MS program, the same version number, the same manufacturer name, the same description and the same path/type like in Dr Watson's tasklist. The size of the file is the same like the original MS file. Is it possible that there is a trojan running but we do not see it with a virusscanner (because it is new), not in the task list (as it seams to be a MS application) not in any autorun place (as it is started like a system task), not with netstat or other sniffer(it makes the connections just one time a month)? Can anybody provide me with information/links about this? any ideas? cheers Roland --------------------------------------------------------------------------- Captus Networks Are you prepared for the next Sobig & Blaster? - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Precisely Define and Implement Network Security - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW - FREE Vulnerability Assessment Toolkit http://www.captusnetworks.com/ads/42.htm ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Captus Networks Are you prepared for the next Sobig & Blaster? - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Precisely Define and Implement Network Security - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW - FREE Vulnerability Assessment Toolkit http://www.captusnetworks.com/ads/42.htm ----------------------------------------------------------------------------
Current thread:
- hidden tasks Philipp, Roland (Sep 19)
- Re: hidden tasks Roger A. Grimes (Sep 19)
- Re: hidden tasks Jim Duggan (Sep 19)
- Re: hidden tasks Roger A. Grimes (Sep 22)
- Re: hidden tasks Jim Duggan (Sep 19)
- Volunteer free time n30 (Sep 26)
- <Possible follow-ups>
- RE: hidden tasks Hagen, Eric (Sep 19)
- Re: hidden tasks H Carvey (Sep 22)
- RE: hidden tasks Philipp, Roland (Sep 24)
- RE: hidden tasks Harlan Carvey (Sep 24)
- RE: hidden tasks Meidinger Chris (Sep 25)
- RE: hidden tasks Meidinger Chris (Sep 25)
- Re: hidden tasks Roger A. Grimes (Sep 19)