-----Original Message-----
From: Michael Painter [mailto:tvhawaii () shaka com]
Sent: Sunday, February 08, 2004 9:04 AM
To: Dimitri Bertolami; security-basics () securityfocus com
Subject: Re: Hidden Ports
----- Original Message -----
From: "Dimitri Bertolami" <Dimitri () staf pi be>
To: <security-basics () securityfocus com>
Sent: Friday, February 06, 2004 9:50 AM
Subject: RE: Hidden Ports
guys and gals,
I'll explain a bit more about this one ..
[snip]
quote: (david)
-------------------------------------------
Not necessarily. These tools are often part of a rootkit, which would
naturally hide itself. In fact, they usually load as part of the OS
kernel, and not as a process.
-------------------------------------------
http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefender0.21.html
(text below taken from the site)
Idea
----
Main idea of this program was to use API functions WriteProcessMemory
and CreateRemoteThread to create a new thread in all running processes.
New thread will rewrite some functions in system modules (mostly
kernel32.dll)
and inject fake code which will check API results and change this result
in specific cases.
Program must be absolutely hidden for all others. Program installs
hidden backdoors and register as hidden system service.
--
meaning, you really honestly don't see the 500 connections to port 21 on
your hidden FTP server, because according to your "rewritten" kernel there
simply aren't any of these services or ports in use. You can consider a
rootkit like an evil MS patch (from hackers): MS patches the correct way,
rootkits patch the wrong way, but a patch is a patch and Windows won't
recognise the patch as "not" being a part of its own architecture once it's
installed.
any questions, feel free to ask..
Cheers,
Dimitri
What do you folks think of ZoneAlarmPro?
When I look in Program Control | Components, there are ~1,125
DLLs listed. If I right-click on kernel32.dll and select More Info,
in Overview I get:
"ZoneAlarm Pro has recorded KERNEL32.DLL in its list of
components in the Program Control section. The component was recorded
because either a program using the component requested network
access, or a program that already had network access attempted to
load the component. Information about the component is recorded
whether the user allowed the program access/server rights or denied
it.
Many programs require network access for normal operation, and
use components to perform their network access. These are expected
uses and are not a cause for concern. However, viruses and Trojan
horse programs can modify or replace components with hacked
versions that can be used to carry out attacks. If you suspect a
component is not legitimate, you should not allow it access.
Because the purpose of component files is often not obvious, you
should conduct some research if you have any suspicions about a
component's legitimacy. Detailed information about KERNEL32.DLL
is available on the Technical Info tab of this article.
Depending on the Access setting for a component, ZoneAlarm Pro
will either allow a program using that component to access the
network or act as a server, or will ask you for permission each
time it is used. If you trust KERNEL32.DLL, you can give it an
Access setting of Allow, and that will give programs using it
access/server rights without needing to ask for permission each time.
If you are not sure about KERNEL32.DLL, you can give it a setting
of Ask, which will remind you that you need to decide next time it
is used. If you know there is a problem with KERNEL32.DLL, you
should either delete it from your system or fix the problem."
And under Details, they say:
"This article presents detailed information on component KERNEL32.DLL.
What is a new or changed component?
A component is a small program or set of functions (also known as
a Dynamic Link Library or DLL) that larger programs call on to
perform specific tasks. Some components may be used by several
different programs simultaneously.
ZoneAlarm Pro considers a component a New Component the first
time a program using the component makes an attempt to connect to or
receive connections from the Internet or your local network, or
the first time a component is loaded by a program that is already
connected to the network. ZoneAlarm Pro also considers the
component to be a New Component if the component entry within the
ZoneAlarm Pro Components List has been removed.
ZoneAlarm Pro considers a component a Changed Component if it has
been modified since the last time it accessed the Internet or your
local network. If you have upgraded a component and the upgrade
replaced the component with a new copy, then ZoneAlarm Pro detects
the change in the file. Some components are automatically updated
by programs, and ZoneAlarm Pro detects any change in the component
file itself, no matter how slight."
And finally:
"ZoneAlarm Pro authenticates your programs and their shared
components by recording their MD5 signatures the first time the program
requests network or Internet access, then checking those
signatures when the program requests access again."
Do any other "Firewalls" do anything like this and if so, what do
you think of it?
Sorry to be so long-winded but didn't know how many had a chance
to use ZA.
--Michael
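The mechanism ZoneAlarm Pro describes in the quoted text (record a component's hash the first time it is seen, then classify later sightings as New or Changed) is straightforward to model. The code below is an added illustration written for this thread, not ZoneAlarm's code, and it assumes its own names (`ComponentList`, `check`, `forget`, `compare_disk_to_image`) and constructed byte strings standing in for DLL contents. It also makes concrete the point Dimitri raises: a hash of the file on disk cannot see a hook written into a process's memory with WriteProcessMemory, so a second, hypothetical check compares the loaded image bytes against the file bytes, which is what would notice such a patch.

```python
"""Component-integrity baseline in the style ZoneAlarm Pro describes.

Added example, not ZoneAlarm's code. Assumed names: ComponentList, check,
forget, compare_disk_to_image. The sample component contents are constructed.
"""
import hashlib
from typing import Dict, List


def fingerprint(data: bytes) -> str:
    # ZoneAlarm's own description names MD5; SHA-256 is used here because
    # MD5 collisions are practical and this is the only part worth swapping.
    return hashlib.sha256(data).hexdigest()


class ComponentList:
    """Component name -> recorded hash (stand-in for ZA's Components list)."""

    def __init__(self) -> None:
        self.records: Dict[str, str] = {}

    def check(self, name: str, contents: bytes) -> str:
        """Classify a sighting as 'new', 'changed' or 'unchanged'.

        'new'      : no record exists (first sighting, or the entry was removed)
        'changed'  : a record exists and the hash differs (file modified)
        'unchanged': the recorded hash matches
        """
        current = fingerprint(contents)
        recorded = self.records.get(name)
        if recorded is None:
            self.records[name] = current
            return "new"
        if recorded != current:
            # Record the new version; the user decides whether to trust it.
            self.records[name] = current
            return "changed"
        return "unchanged"

    def forget(self, name: str) -> None:
        """Removing the entry makes the next sighting a New Component again."""
        self.records.pop(name, None)


def compare_disk_to_image(disk_bytes: bytes, image_bytes: bytes) -> List[int]:
    """Return offsets where the in-memory image differs from the on-disk file.

    Hypothetical check: a file hash alone sees none of these differences,
    because an in-process hook rewrites memory, not the DLL on disk.
    (A real comparison must also account for relocations and IAT fixups.)
    """
    differing = [i for i, (a, b) in enumerate(zip(disk_bytes, image_bytes)) if a != b]
    shorter, longer = sorted((len(disk_bytes), len(image_bytes)))
    differing.extend(range(shorter, longer))
    return differing


def demo() -> List[str]:
    """Walk through the New / Unchanged / Changed / New-again lifecycle."""
    # Constructed stand-in for a DLL's contents; not a real kernel32.dll.
    kernel32_v1 = b"MZ fake kernel32 contents, version 1"
    kernel32_v2 = kernel32_v1 + b" (upgraded)"

    components = ComponentList()
    events = [
        components.check("KERNEL32.DLL", kernel32_v1),  # first sighting -> new
        components.check("KERNEL32.DLL", kernel32_v1),  # same file -> unchanged
        components.check("KERNEL32.DLL", kernel32_v2),  # on-disk upgrade -> changed
    ]
    components.forget("KERNEL32.DLL")                   # entry removed from the list
    events.append(components.check("KERNEL32.DLL", kernel32_v2))  # -> new again

    # An in-memory patch leaves the file untouched: the file check stays quiet,
    # only the disk-versus-image comparison reports the modified bytes.
    patched_image = kernel32_v2[:3] + b"JMP" + kernel32_v2[6:]
    events.append(components.check("KERNEL32.DLL", kernel32_v2))  # still unchanged
    events.append("image_diff_at_%s" % compare_disk_to_image(kernel32_v2, patched_image))
    return events


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Run it directly and the sequence printed is new, unchanged, changed, new, unchanged, followed by the offsets at which the patched image diverges from the file. The last two lines are the practical caveat for any firewall that authenticates components by file hash: it answers "has this DLL on disk been replaced?", not "has this process's copy of it been rewritten?".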