Thanks for the links...now, has anyone ever seen them in use? BTW...Hoglund's rootkit is a good link, but it's out of context...the context of the thread was about modifications to the binaries themselves, not the kernel.

--- Joris De Donder <l0tat_private> wrote:
>
> HC> Remember...the Linux/*nix architectures are different
> HC> from that of NT/2K...and XP. I'm not saying that this
> HC> can't be done...I'm simply asking if anyone can show,
> HC> with proof, that this *has* been done? And it doesn't
> HC> have to be just netstat.exe...it can be any other
> HC> native tool. And binding the .exe file using
> HC> SaranWrap or EliteWrap doesn't count, as the basic
> HC> functionality still exists and all network connects
> HC> (netstat) will still be shown...
>
> * Fake netstat.exe (4/23/02):
> http://kcom.org/tfiles/pafiledb.php?action=category&id=9
>
> * Another fake netstat.exe (Apr 24 17:18:22 2001):
> http://packetstormsecurity.org/UNIX/penetration/rootkits/Netstat.zip
>
> * "A Rootkit for netstat under win2k, By ThreaT":
> http://www.madchat.org/coding/nethide.txt
>
> * Netstatp with source code:
> http://packetstormsecurity.org/NT/IDS/netstatp.zip
> [Could be used to build a netstat.exe clone]
>
> * ReactOS:
> http://www.reactos.com/
> "ReactOS is an Open Source effort to develop a quality
> operating system that is compatible with Windows NT
> applications and drivers."
> [Source code could be used to build a trojan cmd.exe,...]
>
> * NTRootkit:
> http://www.rootkit.com (seems to be down)
> http://www.phrack.com/show.php?p=55&a=5
> http://www.megasecurity.org/Tools/Nt_rootkit_all.html
> "The NTRootKit project provides a framework for trojaning
> the NT kernel and applications, in much the same manner as
> rootkits for Linux and the various flavors of Unix."
>
> "New features:
> Embedded TCP/IP stack (stateless)
> [...snip...]
> NOTE: THIS MEANS THAT ROOTKIT DOES NOT SHOW UP IN NETSTAT
> Indeed, why would it? It's not using the NT stack."
>
> Regards,
> Joris De Donder

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
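The practical check that follows from this exchange is the same for a trojaned netstat.exe and for a rootkit with its own TCP/IP stack: never trust the host's own listing alone, but diff it against an independent view of the same host's sockets (an IP-helper based lister such as netstatp for the trojaned-binary case; a capture taken from a span port or another host for the embedded-stack case, since no host-side API will see those packets). The script below is an added example written for this page, not code from the thread or from any of the tools it links. The `netstat -an` text and the independent connection list are constructed samples; the "hidden" 10.0.0.5:4444 session is made up to show what the diff reports.

```python
"""Cross-check a host's netstat listing against an independent view.

Added example for this thread; all input data is constructed, not real.
"""
import re

# Constructed sample: what a (possibly trojaned) netstat.exe printed on the
# host 192.168.1.20.  A session to 10.0.0.5:4444 is deliberately absent.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1031      192.168.1.10:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed sample: connections observed for the same host from a vantage
# point the suspect binary cannot influence (a capture on a span port, or an
# iphlpapi-based lister), as (proto, local, foreign) tuples.
INDEPENDENT_VIEW = [
    ("TCP", "192.168.1.20:1031", "192.168.1.10:80"),
    ("TCP", "192.168.1.20:1054", "10.0.0.5:4444"),   # the hidden session
]

# One netstat row: proto, local endpoint, foreign endpoint, optional state.
# Header and blank lines do not match and are skipped.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return the set of (proto, local, foreign) tuples netstat reported."""
    rows = set()
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, _state = m.groups()
        rows.add((proto, local, foreign))
    return rows


def find_hidden(netstat_text, independent):
    """Connections present in the independent view but missing from netstat.

    A non-empty result means the host's netstat is lying (trojaned binary or
    a stack the host tools never see) or the views were taken too far apart;
    either way the entries deserve a look.
    """
    reported = parse_netstat(netstat_text)
    return sorted(set(independent) - reported)


if __name__ == "__main__":
    for row in find_hidden(NETSTAT_OUTPUT, INDEPENDENT_VIEW):
        print("not reported by netstat:", row)
```

Take the two views as close together in time as you can; a short-lived connection that closed between them shows up as a false positive, so treat a single unexplained entry as a lead, not a verdict. Entries that netstat reports but the independent view lacks are usually just listeners or idle sockets that generated no traffic during the capture, which is why the diff runs in one direction only.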
This archive was generated by hypermail 2b30 : Fri May 31 2002 - 09:01:05 PDT