Security Basics mailing list archives
Re: hidden tasks
From: "Roger A. Grimes" <rogerg () cox net>
Date: Sat, 20 Sep 2003 12:01:34 -0400
I was referring to a trojan file attempting to mimic the file size, time-stamp, etc. It can easily be done...but I haven't heard of a trojan that did it.

Roger

----- Original Message -----
From: "Jim Duggan" <on_a_thousand () hotmail com>
To: "Roger A. Grimes" <rogerg () cox net>; <Roland.Philipp () bknkids com>; <security-basics () securityfocus com>
Sent: Friday, September 19, 2003 5:34 PM
Subject: Re: hidden tasks
He's right about the former; there are actually a few rootkits for Windows boxes. One in particular can hide files, folders and registry keys from the user's/OS's view, fake free disk space (for large dumps), hide open ports and listen for a specially crafted tiny TCP packet on all open ports so as to slip by services even with a small threshold. Aka it can listen on port 80 alongside IIS on an infected box, effectively getting past any firewalls and with the user/logs none the wiser. All done with API hooking. Albeit these are still somewhat rare and I doubt this is your case, but it's something to keep in mind.

-Jason

----- Original Message -----
From: "Roger A. Grimes" <rogerg () cox net>
To: "Philipp, Roland" <Roland.Philipp () bknkids com>; <security-basics () securityfocus com>
Sent: Friday, September 19, 2003 12:55 PM
Subject: Re: hidden tasks

I'm teaching a class so I can't go into detail right now, but yes, there are several ways a trojan can hide from or on the task manager list. With that said, I haven't heard of a trojan that exactly mimics the file characteristics that you suggest, but the best thing to do is compare the suspected executable's hash (use any MD5 hash checker) against a known clean copy. Once you have the hash checker and two files, your answer on whether it is a trojan or not is 15 seconds away.

Roger
****************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg () cox net
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
****************************************************************************
----- Original Message -----
From: "Philipp, Roland" <Roland.Philipp () bknkids com>
To: <security-basics () securityfocus com>
Sent: Friday, September 19, 2003 1:38 PM
Subject: hidden tasks

Hi all

On NT systems (or other Windows systems) the task manager shows some running tasks; Dr Watson shows all running tasks at the time the system snapshot was taken. Would it be possible that instead of the shown task a trojan is running on the system? The trojan has the name of a known MS program, the same version number, the same manufacturer name, the same description and the same path/type as in Dr Watson's tasklist. The size of the file is the same as the original MS file. Is it possible that there is a trojan running but we do not see it with a virus scanner (because it is new), not in the task list (as it seems to be a MS application), not in any autorun place (as it is started like a system task), not with netstat or other sniffer (it makes the connections just one time a month)? Can anybody provide me with information/links about this? Any ideas?

cheers
Roland
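Roger's advice in the thread is to compare a hash of the suspected executable against a known clean copy, because every attribute Roland lists (name, version string, manufacturer, description, path, size, and even the timestamp) can be copied by an impostor file. The script below is an added example and is not code from any poster in the thread. It constructs two placeholder files with identical size and modification time but different content, then shows that a metadata comparison passes while the digest comparison fails. The file names and contents are made up (they are not real Windows binaries), and `run_demo` exists only to wire the pieces together. It defaults to SHA-256 rather than the MD5 checker Roger mentions, since MD5 collisions have since become practical; the algorithm is a parameter.

```python
import hashlib
import os
import tempfile


def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hex digest of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_metadata(suspect, known_good):
    """Compare the surface attributes a trojan can mimic: size and modification time."""
    s, k = os.stat(suspect), os.stat(known_good)
    return {
        "size_match": s.st_size == k.st_size,
        "mtime_match": int(s.st_mtime) == int(k.st_mtime),
    }


def verify_against_known_good(suspect, known_good, algorithm="sha256"):
    """Report both checks; only the content digest is trustworthy evidence."""
    result = compare_metadata(suspect, known_good)
    result["suspect_digest"] = file_digest(suspect, algorithm)
    result["known_good_digest"] = file_digest(known_good, algorithm)
    result["content_identical"] = result["suspect_digest"] == result["known_good_digest"]
    return result


def build_demo_files(directory):
    """Constructed sample (assumption: fake data, not real executables).

    Writes a 'clean' file and an impostor of the same length, then copies the
    clean file's timestamp onto the impostor so both mimicked attributes match.
    """
    clean = os.path.join(directory, "svchost_clean.bin")
    impostor = os.path.join(directory, "svchost_suspect.bin")
    payload = b"MZ" + b"\x00" * 14 + b"legitimate program code " * 40
    with open(clean, "wb") as f:
        f.write(payload)
    # Replace a 24-byte region with 24 different bytes: size unchanged, content changed.
    altered = bytearray(payload)
    altered[64:88] = b"altered by the impostor "
    with open(impostor, "wb") as f:
        f.write(bytes(altered))
    stamp = os.stat(clean).st_mtime
    os.utime(impostor, (stamp, stamp))  # impostor now carries the clean file's mtime
    return clean, impostor


def run_demo():
    """Build the two constructed files and return the verification report."""
    with tempfile.TemporaryDirectory() as d:
        clean, impostor = build_demo_files(d)
        return verify_against_known_good(impostor, clean)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In practice `verify_against_known_good` is pointed at the file found on the suspect host and at a copy taken from install media or a trusted machine; the report's `content_identical` field is the answer Roger describes, and `size_match`/`mtime_match` are included only to show that they are not.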
Current thread:
- hidden tasks Philipp, Roland (Sep 19)
- Re: hidden tasks Roger A. Grimes (Sep 19)
- Re: hidden tasks Jim Duggan (Sep 19)
- Re: hidden tasks Roger A. Grimes (Sep 22)
- Re: hidden tasks Jim Duggan (Sep 19)
- Volunteer free time n30 (Sep 26)
- <Possible follow-ups>
- RE: hidden tasks Hagen, Eric (Sep 19)
- Re: hidden tasks H Carvey (Sep 22)
- RE: hidden tasks Philipp, Roland (Sep 24)
- RE: hidden tasks Harlan Carvey (Sep 24)
- RE: hidden tasks Meidinger Chris (Sep 25)
- RE: hidden tasks Meidinger Chris (Sep 25)
- Re: hidden tasks Roger A. Grimes (Sep 19)