Security Incidents
mailing list archives
Re: strange windows behaviour.
From: J Mike Rollins <rollins () wfu edu>
Date: Wed, 8 Oct 2003 13:45:38 -0400 (EDT)
One trick that hackers are exploiting is to store executable files as NTFS
Streams. You should check your registry for programs set to run at startup
with the following format
rundll32.exe C:\Some\Directory:trojan.dll
The : in front of the trojan signifies that the file is really an NTFS
Stream. Trojans stored in this format may not be detected by many virus
scanners.
NTFS Streams cannot be listed by the dir command. What you can do to
verify the existence of one of the Streams is to do
notepad.exe C:\Some\Directory:trojan.dll
If you see content, then the stream is really there.
On Mon, 6 Oct 2003, Peter Moody wrote:
> Hello all,
> I've got a bit of a problem, and I was wondering if anyone on this list
> has seen similar things. Recently, we've been having student windows
> machines on our residential network begin spewing large, massive (on the
> order of hundreds of thousands in a few hours) spam messages at our mail
> servers. We promptly disconnect the machines and head down to do some
> forensic work on the boxes when we get a chance (usually after they call
> to complain that the internet has died).
> I've been trying to find information on this, but the most I've been
> able to come up with is an advisory from symantec's threat management
> system saying Mprox (some sort of MS proxy) is to blame. None of the
> machines I've gone and examined have had this program running or on the
> system anywhere for that matter.
> Has anyone else had similar problems of late? This all started for us
> about a week ago and it's showing no signs of going away any time soon.
> Thanks.
> -Peter
> --
> Peter Moody <peter () ucsc edu>
> Information Security Administrator 831/459.5409
> Communications and Technology Services. http://mustard.ucsc.edu/pubkey
> UC, Santa Cruz.
:wq
Mike
Network Operations and Security, Wake Forest University
======================================================================
J. Mike Rollins rollins () wfu edu
Wake Forest University http://www.wfu.edu/~rollins
Winston-Salem, NC work: (336) 758-1938
======================================================================
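The check Mike describes above, written out as a script. This is an added example, not code from the original post: it walks the usual Run/RunOnce keys under HKLM and HKCU, flags any command whose path carries a second colon after the drive letter (the NTFS alternate-data-stream form such as C:\Some\Directory:trojan.dll), and then lists the streams that actually exist on the referenced file. The function names (Find-AdsAutorun, Get-FileStreams) and the regular expression are the example's own; the cmdlets and the -Stream parameter are standard PowerShell 3.0 and later on NTFS volumes.

```powershell
# Added example (not from the original post): find autostart entries that
# point at NTFS alternate data streams, then confirm the streams exist.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Drive-letter path with NO whitespace, followed by a second ':' and a stream
# name, e.g.  C:\Some\Directory:trojan.dll  or  C:\Windows\calc.exe:evil.exe
# (assumption: unquoted, space-free paths, as in the post; a colon inside
# quoted paths with spaces is not caught by this pattern).
$adsPattern = '(?<file>[A-Za-z]:\\[^:*?"<>|\s]+):(?<stream>[^:\\/\s"]+)'

function Find-AdsAutorun {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, ... ; skip those
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            if ($cmd -match $adsPattern) {
                [pscustomobject]@{
                    Key     = $key
                    Value   = $p.Name
                    Command = $cmd
                    File    = $Matches['file']
                    Stream  = $Matches['stream']
                }
            }
        }
    }
}

function Get-FileStreams {
    param([Parameter(Mandatory)][string]$Path)
    # '*' lists every stream, including the unnamed main stream ':$DATA'
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Select-Object Stream, Length
}

$hits = @(Find-AdsAutorun)
if ($hits.Count -eq 0) {
    'No Run/RunOnce entries reference an alternate data stream.'
}
foreach ($h in $hits) {
    "Suspicious autorun: $($h.Key)\$($h.Value) -> $($h.Command)"
    "Streams present on $($h.File):"
    Get-FileStreams -Path $h.File | Format-Table -AutoSize
    # Scripted equivalent of the notepad check in the post: read the first
    # few lines of the stream without executing it.
    Get-Content -LiteralPath $h.File -Stream $h.Stream -TotalCount 5 -ErrorAction SilentlyContinue
}
```

Treat a hit as something to look at by hand rather than proof of infection: the pattern is deliberately narrow, and an argument such as user:pass placed right after a path can still trip it. On Windows Vista and later cmd.exe also lists streams with dir /R, so the "cannot be listed by dir" limitation in the post applies to the Windows versions of 2003.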