Windows Rootkits/API Hooking
From: Harlan Carvey (keydet89@yahoo.com)
Date: 03/13/03
- Previous message: Harlan Carvey: "Re: [unisog] Re: Port 109 Mystery"
Date: Thu, 13 Mar 2003 12:55:08 -0800 (PST)
From: Harlan Carvey <keydet89@yahoo.com>
To: incidents@securityfocus.com
In the past couple of weeks, there have been several Trojans and backdoors that have appeared on Symantec's SecurityResponse site that use API hooking to hide themselves.

I was wondering if anyone has solid proof of a system that was compromised using something along these lines? The recent thread regarding an open port 109 and "winlogon.exe" hasn't shown anything solid to support a "Windows kernel rootkit".

Has anyone seen something like this? For example, has an external port scan shown a TCP port open that did NOT appear in the netstat/fport output? Or has there been some other phantom evidence, and it later turned out that the system was "infected" with API hooking malware?
Thanks,
Carv
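The check the post asks about (an external scan showing a port that the local netstat/fport listing omits) is a cross-view comparison: a user-mode API hook can filter what netstat reports, but it cannot change what a remote scanner observes on the wire. The script below is an added example, not code from the original post or from any of the tools it mentions; it parses a constructed `netstat -an` listing in the Windows format, compares it with a constructed set of ports an external scan reported open, and flags the listeners that appear only in the external view. The hostname, addresses and the port set are assumed sample values.

```python
"""Cross-view check for hidden listeners.

Added example (not from the original post).  A hooked API can make the
local `netstat -an` / fport output omit a listening socket, while an
external scanner still sees the port answer.  Diffing the two views
surfaces ports that are open from outside but invisible locally.
All sample data below is constructed for illustration.
"""
import re
from typing import Dict, Set

# Constructed sample: what `netstat -an` reports on the suspect host.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1032      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed sample: ports an external scan of the same host found open.
# Port 109 is included to mirror the thread the post refers to.
EXTERNAL_SCAN: Dict[str, Set[int]] = {
    "tcp": {135, 139, 445, 109},
}

# One netstat row: proto, local addr:port, foreign addr[:port], optional state.
_NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+?):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$"
)


def parse_netstat(text: str) -> Dict[str, Set[int]]:
    """Return the ports netstat shows as listening, keyed by protocol.

    TCP rows count only in LISTENING state.  UDP rows carry no state, so
    every bound UDP port is treated as listening.
    """
    listening: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue  # header, blank line, or a row in an unexpected format
        proto, _local_addr, port, _foreign, state = m.groups()
        proto = proto.lower()
        if proto == "tcp" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        listening[proto].add(int(port))
    return listening


def hidden_ports(external: Dict[str, Set[int]],
                 local: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """Ports the external scan saw open that the local listing lacks.

    A non-empty result is the 'phantom evidence' worth investigating:
    either the scan hit a different host/NAT, or the local view is lying.
    """
    return {
        proto: external.get(proto, set()) - local.get(proto, set())
        for proto in external
    }


def report(external: Dict[str, Set[int]], netstat_text: str) -> str:
    """Human-readable summary of the cross-view comparison."""
    local = parse_netstat(netstat_text)
    hidden = hidden_ports(external, local)
    lines = []
    for proto in sorted(hidden):
        if hidden[proto]:
            ports = ", ".join(str(p) for p in sorted(hidden[proto]))
            lines.append(f"{proto.upper()} open externally but not in netstat: {ports}")
        else:
            lines.append(f"{proto.upper()}: external and local views agree")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(EXTERNAL_SCAN, NETSTAT_OUTPUT))
```

Feed `parse_netstat` the captured `netstat -an` text from the suspect machine and `hidden_ports` the port set from a scan taken from another host; a port that shows up only in the external set is the discrepancy the post describes. The comparison proves nothing by itself (a NAT or a stale scan produces the same mismatch), but it turns a vague suspicion into a concrete artifact to preserve before touching the box.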