Re: Hidden Ports

From: Michael Painter (tvhawaii_at_shaka.com)
Date: 02/08/04

    To: "Dimitri Bertolami" <Dimitri@staf.pi.be>, <security-basics@securityfocus.com>
    Date: Sat, 7 Feb 2004 17:34:23 -1000
    
    

    ----- Original Message -----
    From: "Dimitri Bertolami" <Dimitri@staf.pi.be>
    To: <security-basics@securityfocus.com>
    Sent: Friday, February 06, 2004 9:50 AM
    Subject: RE: Hidden Ports

    > Guys and gals,
    >
    > I'll explain a bit more about this one ..
    [snip]
    > quote: (david)
    > -------------------------------------------
    > Not necessarily. These tools are often part of a rootkit, which would
    > naturally hide itself. In fact, they usually load as part of the OS
    > kernel, and not as a process.
    > -------------------------------------------
    > http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefender0.21.html
    > (text below taken from the site)
    > Idea
    > ----
    >
    > Main idea of this program was to use API functions WriteProcessMemory
    > and CreateRemoteThread to create a new thread in all running processes.
    > New thread will rewrite some functions in system modules (mostly
    > kernel32.dll)
    > and inject fake code which will check API results and change this result
    > in specific cases.
    > Program must be absolutely hidden for all others. Program installs
    > hidden backdoors and register as hidden system service.
    > --
    > Meaning, you really honestly don't see the 500 connections to port 21 on
    > your hidden FTP server, because according to
    > your "rewritten" kernel there simply aren't any of these services or ports
    > in use. You can consider a rootkit like an evil
    > MS patch (from hackers). MS patches the correct way, rootkits patch the wrong
    > way. But a patch is a patch and Windows won't
    > recognise the patch as "not" being a part of its own architecture once it's
    > installed.
    >
    >
    > any questions, feel free to ask..
    > Cheers,
    > Dimitri

    What do you folks think of ZoneAlarmPro?
    When I look in Program Control | Components, there are ~1,125 DLLs listed. If I right click on kernel32.dll and select More Info,
    in Overview I get:
    "ZoneAlarm Pro has recorded KERNEL32.DLL in its list of components in the Program Control section. The component was recorded
    because either a program using the component requested network access, or a program that already had network access attempted to
    load the component. Information about the component is recorded whether the user allowed the program access/server rights or denied
    it.

    Many programs require network access for normal operation, and use components to perform their network access. These are expected
    uses and are not a cause for concern. However, viruses and Trojan horse programs can modify or replace components with hacked
    versions that can be used to carry out attacks. If you suspect a component is not legitimate, you should not allow it access.
    Because the purpose of component files is often not obvious, you should conduct some research if you have any suspicions about a
    component's legitimacy. Detailed information about KERNEL32.DLL is available on the Technical Info tab of this article.

    Depending on the Access setting for a component, ZoneAlarm Pro will either allow a program using that component to access the
    network or act as a server, or will ask you for permission each time it is used. If you trust KERNEL32.DLL, you can give it an
    Access setting of Allow, and that will give programs using it access/server rights without needing to ask for permission each time.
    If you are not sure about KERNEL32.DLL, you can give it a setting of Ask, which will remind you that you need to decide next time it
    is used. If you know there is a problem with KERNEL32.DLL, you should either delete it from your system or fix the problem."

    And under Details, they say:

    "This article presents detailed information on component KERNEL32.DLL.

    What is a new or changed component?

    A component is a small program or set of functions (also known as a Dynamic Link Library or DLL) that larger programs call on to
    perform specific tasks. Some components may be used by several different programs simultaneously.

    ZoneAlarm Pro considers a component a New Component the first time a program using the component makes an attempt to connect to or
    receive connections from the Internet or your local network, or the first time a component is loaded by a program that is already
    connected to the network. ZoneAlarm Pro also considers the component to be a New Component if the component entry within the
    ZoneAlarm Pro Components List has been removed.

    ZoneAlarm Pro considers a component a Changed Component if it has been modified since the last time it accessed the Internet or your
    local network. If you have upgraded a component and the upgrade replaced the component with a new copy, then ZoneAlarm Pro detects
    the change in the file. Some components are automatically updated by programs, and ZoneAlarm Pro detects any change in the component
    file itself, no matter how slight."

    And finally:

    "ZoneAlarm Pro authenticates your programs and their shared components by recording their MD5 signatures the first time the program
    requests network or Internet access, then checking those signatures when the program requests access again."

    Do any other "Firewalls" do anything like this and if so, what do you think of it?

    Sorry to be so long-winded, but I didn't know how many had a chance to use ZA.

    --Michael
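Editor's note on the Hacker Defender description quoted above. A user-mode rootkit that patches API results inside every process can remove the hidden FTP listener from the host's own netstat view, but it cannot change what a port scan from a second machine observes. The usual check is a cross-view diff of the two listings. The following is an added example, not code from the original post or from any of the tools it mentions; the netstat and scan outputs are constructed samples, and `hidden_ports` is a hypothetical helper name.

```python
"""Cross-view check for hidden listening ports (added example, constructed input)."""
import re

# Constructed sample: what a hooked `netstat -an` on the victim reports.
# The rootkit has filtered the hidden FTP listener (TCP 21) out of this view.
NETSTAT_LOCAL_VIEW = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
"""

# Constructed sample: an nmap-style scan of the same host run from another machine.
SCAN_REMOTE_VIEW = """\
PORT     STATE  SERVICE
21/tcp   open   ftp
135/tcp  open   msrpc
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
"""

# Proto, local address:port, foreign address, optional state column.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?", re.I)
# "21/tcp   open   ftp" style scan lines; only open ports are of interest.
SCAN_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b", re.I)


def listening_ports_from_netstat(text):
    """Return {(proto, port)} for sockets the local API view reports as listening.
    UDP rows carry no state column, so any bound UDP socket counts as listening."""
    ports = set()
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1).lower(), int(m.group(2)), (m.group(3) or "")
        if proto == "udp" or state.upper() == "LISTENING":
            ports.add((proto, port))
    return ports


def open_ports_from_scan(text):
    """Return {(proto, port)} for ports the external scan found open."""
    ports = set()
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            ports.add((m.group(2).lower(), int(m.group(1))))
    return ports


def hidden_ports(netstat_text, scan_text):
    """Ports reachable from outside but absent from the host's own listing.
    Anything here is either a hooked API view or a filtering mismatch to explain."""
    return sorted(open_ports_from_scan(scan_text) - listening_ports_from_netstat(netstat_text))


if __name__ == "__main__":
    for proto, port in hidden_ports(NETSTAT_LOCAL_VIEW, SCAN_REMOTE_VIEW):
        print(f"hidden listener: {proto}/{port}")
```

The scan must come from a host the rootkit does not control; a scan run on the compromised machine itself goes through the same patched APIs and would agree with the lie. Ports reported as hidden should also be checked against firewall or NAT rules between the two machines, which can produce a discrepancy without any rootkit.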

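Editor's note on the ZoneAlarm Pro component list quoted above (New Component, Changed Component, MD5 signatures recorded at first network access). The following is an added example of that recording-and-comparison logic, not ZoneAlarm code. MD5 is computed because that is what the quoted text says ZoneAlarm records; SHA-256 is stored alongside it because MD5 collisions are practical and a baseline should not rely on MD5 alone. The file `KERNEL32.DLL` below is a constructed stand-in written to a temporary directory, and `ComponentList`, `on_load`, `accept` and `forget` are hypothetical names.

```python
"""Component baseline in the style the quoted ZoneAlarm text describes (added example)."""
import hashlib
import os
import tempfile


def digests_of_bytes(data):
    """(md5, sha256) hex digests of an in-memory byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def file_digests(path):
    """(md5, sha256) hex digests of a file, read in chunks so large DLLs are fine."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def _key(path):
    # Windows paths are case-insensitive; normalise so KERNEL32.DLL == kernel32.dll.
    return os.path.normcase(os.path.abspath(path))


class ComponentList:
    """Maps a component path to the digests recorded the first time it was seen."""

    def __init__(self):
        self.entries = {}

    def on_load(self, path):
        """Classify a component being loaded by a program with network access.
        Returns 'new' (and records it), 'unchanged', or 'changed'.
        A changed component is deliberately NOT re-recorded here: the user
        has to vet it first, otherwise a trojaned copy would self-approve."""
        digests = file_digests(path)
        key = _key(path)
        if key not in self.entries:
            self.entries[key] = digests
            return "new"
        return "unchanged" if self.entries[key] == digests else "changed"

    def accept(self, path):
        """Re-record the current digests after the user has vetted a change."""
        self.entries[_key(path)] = file_digests(path)

    def forget(self, path):
        """Removing the entry makes the component 'new' again on its next load,
        matching the quoted behaviour of a removed Components List entry."""
        self.entries.pop(_key(path), None)


def demo():
    """Walk through first use, a reload, a one-byte modification, vetting and
    entry removal; returns the sequence of classifications."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        dll = os.path.join(d, "KERNEL32.DLL")          # constructed stand-in file
        with open(dll, "wb") as f:
            f.write(b"MZ" + b"\x00" * 1022)             # fake module image
        comps = ComponentList()
        results.append(comps.on_load(dll))              # first use: new
        results.append(comps.on_load(dll))              # same bytes: unchanged
        with open(dll, "r+b") as f:                      # patch a single byte, as a
            f.seek(512)                                  # replaced component would
            f.write(b"\x90")
        results.append(comps.on_load(dll))              # changed
        comps.accept(dll)                                # user vets the new copy
        results.append(comps.on_load(dll))              # unchanged again
        comps.forget(dll)                                # entry removed from the list
        results.append(comps.on_load(dll))              # back to new
    return results


if __name__ == "__main__":
    print(demo())
```

Two limits of this scheme are worth keeping in mind. It is trust-on-first-use: a component that was already replaced before its first recording becomes the trusted baseline. And the hashing runs through the same file APIs a rootkit of the kind described above can hook, so a checker running on the compromised machine can be fed the clean bytes; comparing hashes against a list taken from known-good media, or from another host, avoids that.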

