Vulnerability Development
mailing list archives
Interesting "hosts" & "services" issue
From: Bluefish <11a () GMX NET>
Date: Wed, 9 Aug 2000 04:02:43 +0200
I was doing some thinking regarding how to make a backdoor program
somewhat harder to detect. This is mostly a Windows 95/98 issue, as other
operating systems do offer some security :)
Anyway, I was thinking on ways to make the communication from the backdoor
to whoever is in control of it less obvious, and make the following
assumptions:
1. user does not check that files such as WINDOWS\HOSTS are in order.
2. user uses software such as netstat (or any other which by default
relies on the HOSTS file), and does so without using the proper command
line switches
Anyway, the obvious change of HOSTS is to add
"xxx.xxx.xxx.xxx innocent.victim.com"
But a more interesting change would be
"xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy"
Why's the latter preferable? Well, because in the first example, e.g., a
traceroute might uncover the hoax, whereas the latter will, correctly, be
interpreted as an IP by traceroute...
Similarly, modifying WINDOWS\SERVICES might also simplify fooling a user.
Making something look like e.g. 205.188.5.233:5190 will make people think
the communication is merely ICQ...
Nothing in this mail is really any vulnerability, or a new one. The big
problem is that Windows 9x allows any program to do whatever it wants.
But of course, the numerous people using wNT/w2K as administrator are
vulnerable to this as well. Although these tricks are rather obvious, it
might very well be the difference between a backdoor being found or not.
The user gets suspicious, but NETSTAT looks as it should, and the user
thinks [s]he is imagining things.
..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
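A defender-side check for the two tampering patterns the post describes, as an added example that is not part of the original post: it parses HOSTS for name fields that are themselves IP literals (the "xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy" trick) and SERVICES for port labels that are bare numbers or well-known names moved to other ports. The sample files, the small reference table of well-known ports and the function names are assumptions constructed for this example.

```python
import ipaddress

# Assumed reference of well-known service names and their ports; a real audit
# would load a trusted copy of SERVICES instead of this constructed table.
WELL_KNOWN = {"ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "https": 443, "aol": 5190}

# Constructed samples of tampered WINDOWS\HOSTS and WINDOWS\SERVICES files.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
10.1.2.3       innocent.victim.com
10.1.2.3       205.188.5.233
"""
SAMPLE_SERVICES = """\
ftp     21/tcp
smtp    25/tcp    mail
5190    31337/tcp
http    31337/tcp
"""

def _entries(text):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields

def audit_hosts(text):
    """Flag HOSTS lines whose name field is itself an IP literal: resolving an
    address to something that still looks like an address defeats a reverse
    lookup, and no legitimate entry needs it. (The plain-hostname variant
    can only be caught by comparing the entry with real DNS, not done here.)"""
    findings = []
    for addr, *names in _entries(text):
        for name in names:
            try:
                ipaddress.ip_address(name)
            except ValueError:
                continue
            findings.append(f"HOSTS maps {addr} to IP-looking name {name}")
    return findings

def audit_services(text):
    """Flag SERVICES entries whose label is a bare port number that differs from
    the real port, or a well-known name attached to a different port than the
    reference table gives; either makes netstat print a misleading ':name'."""
    findings = []
    for fields in _entries(text):
        if len(fields) < 2 or not fields[1].split("/")[0].isdigit():
            continue  # not a 'name port/proto' line
        name, portproto, *aliases = fields
        port = int(portproto.split("/")[0])
        for label in [name, *aliases]:
            if label.isdigit() and int(label) != port:
                findings.append(f"SERVICES labels port {port} as '{label}'")
            elif label in WELL_KNOWN and WELL_KNOWN[label] != port:
                findings.append(f"SERVICES puts '{label}' on port {port}, expected {WELL_KNOWN[label]}")
    return findings
```

Running both functions over the real files on a machine gives the list of entries to inspect; on the samples above the HOSTS check yields one finding and the SERVICES check two.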