RE: hidden tasks

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 09/24/03

    Date: Wed, 24 Sep 2003 03:49:23 -0700 (PDT)
    To: security-basics@securityfocus.com
    
    

    Roland,

    > Thanks a lot for your answers, Harlan, Eric, Roger
    > and Jim.

    Glad I could help.
     
    > Regarding the second question the answer is often too
    > easy: Check the task manager, look into the registry for
    > the autorun hives....(check the answers for "Hard Drive
    > keeps filling up")

    I used to teach an IR course for Windows
    systems...checking the Task Manager is not necessarily
    that good of a response. Also, there really aren't
    any "autorun hives"...rather there are keys that will
    autorun programs. Sorry to be a stickler for
    terminology, but it's important to be clear and
    correct, particularly when dealing with an incident.
     
    > I think a good programmer can mask his program as if it
    > would be a MS program. So you see it in a real task
    > manager (the NT task manager does not show all tasks)
    > but you think it is a normal MS program.

    It doesn't take a "good programmer". Anyone can do
    this. There are worms and backdoors that hide as
    'svchost.exe', and from the Task Manager, one cannot
    tell the difference between the one in the correct
    location (ie, %WINDIR%\system32) and one in another
    location.

    > About the autorun: Even when all autostartup places in
    > the registry are empty, we still have a lot of tasks
    > running. So would it not be possible that a process is
    > started like these system processes without having an
    > entry in the autostart places in the registry?

    Again, terminology is important. What are you
    referring to? Are you talking about services keys?

    > How difficult is it to replace the kernel with a kernel
    > that is doing the same but additionally also collects
    > all typing and sends it to the internet one time a month.

    Replace the kernel? Maybe patch, but replace? I
    would think that such a thing would be exceedingly
    difficult, and if it were possible, it would likely be
    perpetrated by someone with loftier goals in mind than
    attacking your site (no offense).

    > Or a Kernel driver or user driver.

    This is what a rootkit does.

    > The problem with images or MD5 hash checker or Black
    > Ice Defender or Windows File Protection (WFP) is that
    > you have to update them after each system update. This
    > is too difficult for the normal user. There are also
    > workarounds for e.g. WFP: The WFP runs on the system
    > itself so a user with control over the system can easily
    > make his own update of the WFP...

    I think you need to take a closer look at WFP. Yes,
    it can be modified to include other files under its
    protection, but again...rather than making assumptions
    about the service, take a look on the MS site. It's
    very easy to find info on WFP.

    To be very honest, my impression of this exchange is
    that you're very, very paranoid. While a small amount
    of paranoia is healthy, you're not balancing it with
    knowledge. Yes, a lot of what you describe *could*
    happen, but many of the things you're thinking about
    are not likely to happen. Some of what you describe
    (ie, replacing the kernel) are a bit more difficult
    than you may suspect.

    Hope this helps in some way,

    Harlan
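The two checks Harlan describes above, looking at where a process actually runs from rather than at its name in Task Manager, and enumerating the registry keys that autorun programs (including services), written out as a PowerShell script. This is an added example for this archived post, not code from the thread or from any product; it assumes an elevated prompt on a Windows build where `Get-CimInstance` is available, and the list of commonly imitated process names is an assumption chosen for illustration.

```powershell
# Added example; not code from the original thread and not any product's tooling.
# Part 1 answers "which process named svchost.exe is the one in %WINDIR%\System32?"
# by reading each process's on-disk image path instead of trusting the name shown
# in Task Manager. Part 2 lists the registry Run/RunOnce keys and service image
# paths, i.e. the "keys that will autorun programs" and the services keys.
# Run from an elevated prompt; without it the image path of SYSTEM-owned processes
# is not readable and such processes are reported with verdict 'unknown'.

$system32 = Join-Path $env:WINDIR 'System32'

# Names that are commonly imitated. The list is an illustrative assumption, not a
# complete catalogue; adjust it to the build you are examining.
$watchNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'services.exe',
                'winlogon.exe', 'explorer.exe')

function Get-SuspectProcess {
    Get-CimInstance Win32_Process | ForEach-Object {
        $name = $_.Name
        if ($watchNames -notcontains $name) { return }
        $path = $_.ExecutablePath
        # explorer.exe legitimately lives in %WINDIR%; the rest live in %WINDIR%\System32.
        $expectedDir = if ($name -ieq 'explorer.exe') { $env:WINDIR } else { $system32 }
        if (-not $path) {
            $verdict = 'unknown (path not readable)'
        } elseif ((Split-Path $path -Parent) -ieq $expectedDir) {
            $verdict = 'expected location'
        } else {
            $verdict = 'UNEXPECTED LOCATION'
        }
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Name      = $name
            Path      = $path
            Verdict   = $verdict
        }
    }
}

function Get-AutorunEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; those are not registry values.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    # Services start with no Run entry at all; their image path is exposed as PathName.
    Get-CimInstance Win32_Service | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
    }
}

Get-SuspectProcess | Format-Table -AutoSize

# Crude triage filter: show only autorun commands that do not point into System32.
# A System32 path is not proof of legitimacy; it just shortens the list to read first.
Get-AutorunEntries |
    Where-Object { $_.Command -and $_.Command -notmatch '\\System32\\' } |
    Format-Table -AutoSize -Wrap
```

The first table is the direct counter to the svchost.exe point: two processes with identical names get different verdicts purely on the directory they execute from. The second list is what "empty autostart places" should be checked against; on a normal machine most entries are services, which is why a system with empty Run keys still has many tasks running.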
