Security Basics mailing list archives

RE: hidden tasks


From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
Date: Fri, 19 Sep 2003 13:14:06 -0600

What you describe is possible.  The only solution to something like this
would be to apply some sort of heuristic scanning techniques.  Software such
as Black Ice Defender keeps records of file CRCs and then provides a warning
if the file changes.  It gives you the option to auto-terminate any
applications that are not in the 'baseline' that you determine.  When you
install an application, you can enable 'install mode' to allow it to run and
then it will prompt you to run another baseline after installation so that
the new installation will be the new 'baseline'.

All of these things seem hyper-paranoid, but there are situations where it
may be warranted.

Eric Hagen

-----Original Message-----
From: Philipp, Roland [mailto:Roland.Philipp () bknkids com]
Sent: Friday, September 19, 2003 11:38 AM
To: security-basics () securityfocus com
Subject: hidden tasks


Hi all

On NT systems (or other Windows systems) the task manager shows some running
tasks; Dr Watson shows all running tasks at the time the system snapshot was
taken.

Would it be possible that instead of the shown task a trojan is running on
the system?

The trojan has the name of a known MS program, the same version number, the
same manufacturer name, the same description and the same path/type as in
Dr Watson's tasklist. The size of the file is the same as the original MS
file.
Is it possible that there is a trojan running but we do not see it with a
virus scanner (because it is new), not in the task list (as it seems to be a
MS application), not in any autorun place (as it is started like a system
task), not with netstat or other sniffer (it makes the connections just one
time a month)?

Can anybody provide me with information/links about this?

Any ideas?

cheers

Roland
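The file-CRC baseline approach Eric describes, worked through as an added example (not code from either poster or from Black Ice Defender): the same-name, same-size substitute Roland asks about slips past a size check but not a CRC32 or SHA-256 comparison against a recorded baseline. File names and contents below are constructed placeholders.

```python
"""Constructed file-integrity baseline: record size, CRC32 and SHA-256 of
monitored executables, then report content changes even when name, path
and size all still match the trusted copy."""
import hashlib
import tempfile
import zlib
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Size is what the impostor preserves; CRC32/SHA-256 expose it."""
    data = path.read_bytes()
    return {
        "size": len(data),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_baseline(root: Path, patterns=("*.exe", "*.dll")) -> dict:
    """Record the trusted state of every executable under root.
    Re-run after each deliberate install (the 'install mode' step)."""
    baseline = {}
    for pattern in patterns:
        for p in sorted(root.rglob(pattern)):
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift from the baseline; 'modified' catches same-size swaps."""
    modified = [n for n in baseline if n in current
                and current[n]["sha256"] != baseline[n]["sha256"]]
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict:
    """Constructed scenario: a binary replaced by one of identical length."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target = root / "system32" / "notepad.exe"   # placeholder name
        target.parent.mkdir()
        target.write_bytes(b"MZ original program bytes....")   # 29 bytes
        baseline = build_baseline(root)
        target.write_bytes(b"MZ different program bytes...")   # also 29
        report = compare(baseline, build_baseline(root))
        report["size_unchanged"] = (
            baseline["system32/notepad.exe"]["size"] == target.stat().st_size)
        return report
```

Running `demo()` reports the file as modified while `size_unchanged` stays true, which is exactly the gap a size-or-name-only check leaves open.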
 

---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------
