Re[2]: Compromised Win2000 machine.

From: Joris De Donder (l0tat_private)
Date: Fri May 31 2002 - 06:55:17 PDT


    HC> Remember...the Linux/*nix architectures are different
    HC> from that of NT/2K...and XP.  I'm not saying that this
    HC> can't be done...I'm simply asking if anyone can show,
    HC> with proof, that this *has* been done?  And it doesn't
    HC> have to be just can be any other
    HC> native tool.  And binding the .exe file using
    HC> SaranWrap or EliteWrap doesn't count, as the basic
    HC> functionality still exists and all network connects
    HC> (netstat) will still be shown...
    * Fake netstat.exe (4/23/02):
    * Another fake netstat.exe (Apr 24 17:18:22 2001):
    * "A Rootkit for netstat under win2k, By ThreaT":
    * Netstatp with source code:
      [Could be used to build a netstat.exe clone]
    * ReactOS:
     "ReactOS is an Open Source effort to develop a quality
     operating system that is compatible with Windows NT
     applications and drivers."
      [Source code could be used to build a trojan cmd.exe,...]
    * NTRootkit: (seems to be down)
     "The NTRootKit project provides a framework for trojaning
     the NT kernel and applications, in much the same manner as
     rootkits for Linux and the various flavors of Unix."
     "New features:
     Embedded TCP/IP stack (stateless)
     Indeed, why would it?  It's not using the NT stack."
    Joris De Donder
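The two checks implied by the links above (compare the system's netstat.exe against an independently built clone, and compare the host's own socket list against what is seen on the wire, which is the only thing that catches a rootkit with its own TCP/IP stack) as a worked example. This is added here and is not code from the post or from any of the linked projects; the netstat output and the flow log below are constructed samples, and the "2002-05-30 ... TCP a:b -> c:d" log format is an assumed format for whatever sniffer or firewall sits in front of the box.

```python
"""Cross-check a possibly trojaned netstat listing against two independent views:
a trusted socket enumeration (e.g. a tool built from source on a clean box) and
a network-side flow log. Sample data below is constructed, not captured."""
import re
from typing import List, Set, Tuple

# (proto, local endpoint, remote endpoint) as printed by "netstat -an" on NT/2K
Socket = Tuple[str, str, str]
# (proto, source endpoint, destination endpoint) as recorded by a network observer
Flow = Tuple[str, str, str]

# Matches "  TCP    1.2.3.4:80   0.0.0.0:0   LISTENING" and "  UDP   0.0.0.0:445  *:*"
_NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+\S+)?\s*$", re.IGNORECASE)
# Assumed flow-log format (hypothetical): "<date> <time> TCP src:port -> dst:port"
_FLOW_LINE = re.compile(r"(TCP|UDP)\s+(\S+)\s+->\s+(\S+)")

# Constructed: what the (suspect) on-box netstat.exe prints.
SUSPECT_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1041      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed: what an independently built clone (netstatp-style) prints on the same box.
# The trojaned netstat above filters out the listener on 31337.
TRUSTED_NETSTAT = SUSPECT_NETSTAT.replace(
    "  UDP    0.0.0.0:445",
    "  TCP    192.168.1.10:31337     0.0.0.0:0              LISTENING\n  UDP    0.0.0.0:445",
)

# Constructed: flows seen by a sniffer/firewall on the segment. The 4444 flow has no
# socket in either listing, i.e. it is served below the stack the host tools query.
NETWORK_LOG = """
2002-05-30 23:14:07 TCP 172.16.4.9:2044 -> 192.168.1.10:31337
2002-05-30 23:14:09 TCP 192.168.1.10:1041 -> 10.0.0.5:80
2002-05-30 23:15:30 TCP 172.16.4.9:2050 -> 192.168.1.10:4444
"""


def parse_netstat(text: str) -> Set[Socket]:
    """Parse 'netstat -an' output into a set of sockets; header and blank lines are skipped."""
    sockets: Set[Socket] = set()
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if m:
            sockets.add((m.group(1).upper(), m.group(2), m.group(3)))
    return sockets


def hidden_sockets(suspect_text: str, trusted_text: str) -> Set[Socket]:
    """Sockets the trusted enumeration shows but the suspect netstat.exe omits."""
    return parse_netstat(trusted_text) - parse_netstat(suspect_text)


def parse_flow_log(text: str) -> List[Flow]:
    """Parse the assumed flow-log format into (proto, src, dst) tuples, in file order."""
    return [(m.group(1).upper(), m.group(2), m.group(3))
            for m in (_FLOW_LINE.search(l) for l in text.splitlines()) if m]


def _split(endpoint: str) -> Tuple[str, str]:
    """'1.2.3.4:80' -> ('1.2.3.4', '80'); rsplit keeps this IPv4-only but safe."""
    addr, port = endpoint.rsplit(":", 1)
    return addr, port


def local_ports(sockets: Set[Socket], host_ip: str) -> Set[Tuple[str, str]]:
    """(proto, port) pairs the host admits to owning: bound to host_ip or to the wildcard."""
    owned = set()
    for proto, local, _remote in sockets:
        addr, port = _split(local)
        if addr in (host_ip, "0.0.0.0"):
            owned.add((proto, port))
    return owned


def unaccounted_flows(flows: List[Flow], sockets: Set[Socket], host_ip: str) -> List[Flow]:
    """Flows seen on the wire whose host-side port has no socket in the host's own listing.
    A hit here means hiding below whatever API the listing tool used (or a separate stack)."""
    known = local_ports(sockets, host_ip)
    hits = []
    for proto, src, dst in flows:
        for endpoint in (src, dst):
            addr, port = _split(endpoint)
            if addr == host_ip and (proto, port) not in known:
                hits.append((proto, src, dst))
                break
    return hits


if __name__ == "__main__":
    host = "192.168.1.10"
    print("hidden by netstat.exe:", hidden_sockets(SUSPECT_NETSTAT, TRUSTED_NETSTAT))
    flows = parse_flow_log(NETWORK_LOG)
    print("on the wire, unknown even to the trusted tool:",
          unaccounted_flows(flows, parse_netstat(TRUSTED_NETSTAT), host))
```

The first comparison only proves the on-box netstat.exe lies relative to another user-mode tool; if both query the same kernel interface and that interface is hooked, both are blind, which is why the second comparison takes its ground truth from outside the host.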
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Fri May 31 2002 - 09:32:32 PDT