Re: 'rooted' NT/2K boxen?

From: KJK::Hyperion (noogat_private)
Date: Fri May 03 2002 - 17:24:59 PDT


    At 00.42 03/05/2002, you wrote:
    > > which, when run connects to an IRC server in Moscow,
    > > loads an
    > > auto-rooter with a list of servers to attack, and
    > > hides the processes
    > > from netstat, Program Manager, etc. It was pretty
    > > slick.
    >This is interesting.  First off, neither netstat nor Program Manager show 
    >process information, so hiding process info from them isn't tough.  I'm 
    >going to assume you mean Task Manager...but again, that's an API call to 
    >hide a process from TM.
    Unlikely. The Task Manager obtains the full process list directly from the 
    kernel, then filters it depending on the user's settings (only processes in 
    the current session, only my processes, etc.). You cannot absolutely hide 
    from it like you did in Windows 95 with RegisterServiceProcess (that didn't 
    hide processes at all, BTW, it was just the task manager that sucked), 
    unless you crack it (like this rootkit does) or you intercept the system 
    call NtQuerySystemInformation (the latter is far harder, but it takes 
    care of any kind of process enumeration). An interesting all-kernel rootkit 
    for Windows NT was available from some time ago, but the site 
    has been dead for months now.
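    The post notes that Task Manager and friends all rely on the NtQuerySystemInformation
    enumeration, so a rootkit that filters that one call hides from every list-based view.
    The following cross-view check, added here as an example and not part of the original
    post or any tool it mentions, compares that enumeration (via Get-Process) against a
    second view that never uses it: opening each candidate PID with OpenProcess, which goes
    through NtOpenProcess instead. It assumes Windows, an elevated session, and the hypothetical
    helper name Find-HiddenProcess; a hook that also filters handle opening would not be caught.

```powershell
# Added example, not code from the original post. Assumes Windows and an
# elevated PowerShell session so that OpenProcess can reach most PIDs.
Add-Type -Namespace Detect -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

function Find-HiddenProcess {
    param([uint32]$MaxPid = 65536)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $ERROR_INVALID_PARAMETER = 87      # returned when no such process exists

    # View 1: the list Task Manager and Get-Process are built on
    # (NtQuerySystemInformation under the hood), stored as a PID lookup.
    $enumerated = @{}
    Get-Process | ForEach-Object { $enumerated[[uint32]$_.Id] = $true }

    # View 2: probe every candidate PID directly (PIDs are multiples of 4).
    # Opening by PID does not go through the enumeration call, so a process
    # filtered out of view 1 can still show up here.
    $hidden = @()
    for ($candidate = 4; $candidate -lt $MaxPid; $candidate += 4) {
        $h = [Detect.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $candidate)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -ne [IntPtr]::Zero) {
            [void][Detect.Native]::CloseHandle($h)
            $exists = $true
        } else {
            # Access denied (error 5) still proves the PID exists;
            # only ERROR_INVALID_PARAMETER means there is no such process.
            $exists = ($err -ne $ERROR_INVALID_PARAMETER)
        }
        if ($exists -and -not $enumerated.ContainsKey([uint32]$candidate)) {
            $hidden += $candidate
        }
    }
    return $hidden
}

# Any PID printed here is visible to OpenProcess but absent from the
# enumeration; re-run once to rule out a process that started meanwhile.
Find-HiddenProcess
```

    A PID that is created between the two views produces a one-off false positive, so treat only PIDs that persist across two runs as suspicious.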

    This archive was generated by hypermail 2b30 : Mon May 06 2002 - 11:08:42 PDT