Home page logo
/

basics logo Security Basics mailing list archives

Re: Hidden windows ports, files and services.
From: Mark Reis <mcr2z () cs virginia edu>
Date: Mon, 20 Dec 2004 17:01:14 -0500

Hello Again,

I've discovered the answer to part 2 - the machine was infected by a root kit that was intercepting all of system calls being issued by - active ports, fport and such. I actually found myself being quite impressed by this kit. Even running Dependency Walker and comparing it with my test machine was negative.

The first clue was when I was inspecting the attributes on the system dll, I found some discrepancies on the flags. This led to me ultimately finding multiple duplicate DLLs in c:\windows\system32 called somedll.dll.tmp. What it appeared to being doing was returning the sizes and values of the original backed up files - thus masking the true trojans.

-Mark


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]