Security Basics mailing list archives

Re: hidden tasks


From: H Carvey <keydet89 () yahoo com>
Date: 22 Sep 2003 12:54:58 -0000

In-Reply-To: <D0651C658F6ED7119A8D00B0D064C7980280C1 () mail bknkids de>

What you're referring to is entirely possible, as well as actually out there...

Would it be possible that instead of the shown task a trojan is running on
the system?

This is not only possible, but it's been done.  There are trojans and backdoors that get written to %WINDIR%\system or %WINDIR%\temp, called "svchost.exe".  This is the same name as Microsoft's file, but the path is different, and Task Manager doesn't show the image paths for the processes that are running.

The trojan has the name of a known MS program, the same version number, the
same manufacturer name, the same description and the same path/type like in
Dr Watson's tasklist. The size of the file is the same like the original MS
file.

Earlier you said "On NT systems (or other windows systems)"...what you describe is possible, though on Win2K and above, 
improbable.  The reason being that Win2K and above have WFP running, so any file protected by WFP that the attacker 
attempts to overwrite or delete is replaced automatically.  There are ways around this, but the other thing to consider 
is that the likelihood of a file being the exact same size as the original MS file, and having all of the product 
version information intact is pretty slim.  But again...even if this is the case, the very fact that the functionality 
is different would give the file a different hash or checksum.

Is it possible that there is a trojan running but we do not see it with a
virusscanner (because it is new), 

Yes, this is possible, and it doesn't have to be "new".  Several backdoors are not picked up by A/V software.  IRC Bots 
like russiantopz, PowerBot and GTBot use mirc32.exe as their base, which is a legit app...and is therefore not picked 
up.

not in the task list (as it seems to be a
MS application) 

Not appearing in the task list has little to do with whether the file is an MS application or not.

not in any autorun place (as it is started like a system task), 

Do you mean a service?  If you do, wouldn't that be an "autorun place"?  

not with netstat or other sniffer(it makes the connections just one time a month)?

Scheduled task?  If it's a running process, you should be able to see it, unless it's been hidden with a Hoglund-style 
kernel-mode rootkit.

Hope that helps,

Harlan
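The two checks Harlan describes above (a system binary's name running from the wrong path; a file of the same size whose hash nevertheless differs from the genuine one) as an added example that is not part of the original post or thread; the process records, paths and baseline hash are constructed sample data, and the allow-list of expected directories is an assumption.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directory where the genuine binary lives (WFP-protected on Win2K and above).
# Hypothetical allow-list for this example; extend it per binary you baseline.
EXPECTED_DIRS = {"svchost.exe": {r"c:\winnt\system32", r"c:\windows\system32"}}

@dataclass
class Proc:
    pid: int
    name: str
    image_path: str   # full image path, which Task Manager of that era did not show
    sha256: str       # hash of the on-disk image, computed by the collector

def fingerprint(image_bytes: bytes) -> str:
    """SHA-256 of a file image; identical size does not imply identical hash."""
    return hashlib.sha256(image_bytes).hexdigest()

def find_impostors(procs, baseline):
    """Flag processes that carry a system binary's name but not its identity.

    baseline maps lowercase filename -> SHA-256 of the genuine file, taken
    from a trusted install. Returns a list of (pid, reason) tuples.
    """
    findings = []
    for p in procs:
        name = p.name.lower()
        if name not in EXPECTED_DIRS:
            continue
        parent = str(PureWindowsPath(p.image_path).parent).lower()
        if parent not in EXPECTED_DIRS[name]:
            findings.append((p.pid, f"{name} loaded from unexpected path {p.image_path}"))
        elif p.sha256 != baseline.get(name):
            findings.append((p.pid, f"{name} in expected path but hash differs from baseline"))
    return findings

# Constructed sample data: a genuine image and a trojan of identical size.
GENUINE = b"MZ genuine svchost image bytes.."   # constructed, not a real PE
TROJAN = b"MZ trojan  svchost image bytes.."    # same length, different content
BASELINE = {"svchost.exe": fingerprint(GENUINE)}
SAMPLE_PROCS = [
    Proc(812, "svchost.exe", r"C:\WINNT\system32\svchost.exe", fingerprint(GENUINE)),
    Proc(1337, "svchost.exe", r"C:\WINNT\temp\svchost.exe", fingerprint(TROJAN)),
    Proc(1400, "SVCHOST.EXE", r"C:\WINNT\system32\svchost.exe", fingerprint(TROJAN)),
    Proc(200, "winlogon.exe", r"C:\WINNT\system32\winlogon.exe", "n/a"),
]

if __name__ == "__main__":
    for pid, reason in find_impostors(SAMPLE_PROCS, BASELINE):
        print(pid, reason)
```

Feeding this a real process list requires a collector that records the image path and hashes the file on disk, which is exactly the information Harlan notes Task Manager does not give you.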
