RE: Hidden Ports

From: Aditya [ Aditya Lalit Deshmukh ] (aditya.deshmukh_at_online.gateway.technolabs.net)
Date: 02/10/04

    To: "Michael Painter" <tvhawaii@shaka.com>, "Dimitri Bertolami" <Dimitri@staf.pi.be>, <security-basics@securityfocus.com>
    Date: Tue, 10 Feb 2004 19:04:07 +0530
    
    

    This is done by the firewall to prevent authenticated files from being replaced by trojans and connecting to the Internet.

    There are many firewalls that do this:
    ZoneAlarm,
    Tiny Firewall,
    Kerio Firewall,
    Sygate Firewall,
    etc.

    Doing this basically adds to the system security, so it is good to keep it enabled.

    -aditya

    > -----Original Message-----
    > From: Michael Painter [mailto:tvhawaii@shaka.com]
    > Sent: Sunday, February 08, 2004 9:04 AM
    > To: Dimitri Bertolami; security-basics@securityfocus.com
    > Subject: Re: Hidden Ports
    >
    >
    > ----- Original Message -----
    > From: "Dimitri Bertolami" <Dimitri@staf.pi.be>
    > To: <security-basics@securityfocus.com>
    > Sent: Friday, February 06, 2004 9:50 AM
    > Subject: RE: Hidden Ports
    >
    >
    > > guys and gals,
    > >
    > > I'll explain a bit more about this one ..
    > [snip]
    > > quote: (david)
    > > -------------------------------------------
    > > Not necessarily. These tools are often part of a rootkit, which would
    > > naturally hide itself. In fact, they usually load as part of the OS
    > > kernel, and not as a process.
    > > -------------------------------------------
    > >
    > http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefender0.21.html
    > > (text below taken from the site)
    > > Idea
    > > ----
    > >
    > > Main idea of this program was to use API functions WriteProcessMemory
    > > and CreateRemoteThread to create a new thread in all running processes.
    > > New thread will rewrite some functions in system modules (mostly
    > > kernel32.dll)
    > > and inject fake code which will check API results and change this result
    > > in specific cases.
    > > Program must be absolutely hidden for all others. Program installs
    > > hidden backdoors and register as hidden system service.
    > > --
    > > meaning, you really honestly don't see the 500 connections to port 21 on
    > > your hidden FTP Server, because according to your "rewritten" kernel there
    > > simply aren't any of these services or ports in use. you can consider a
    > > rootkit like an Evil MS patch (from hackers). MS patches the correct way,
    > > rootkits patch the wrong way. but a patch is a patch and windows won't
    > > recognise the patch as "not" being a part of its own architecture once it's
    > > installed.
    > >
    > >
    > > any questions, feel free to ask..
    > > Cheers,
    > > Dimitri
    >
    >
    >
    > What do you folks think of ZoneAlarmPro?
    > When I look in Program Control | Components, there are ~1,125
    > dlls listed. If I right click on kernel32.dll and select More Info,
    > in Overview I get:
    > "ZoneAlarm Pro has recorded KERNEL32.DLL in its list of
    > components in the Program Control section. The component was recorded
    > because either a program using the component requested network
    > access, or a program that already had network access attempted to
    > load the component. Information about the component is recorded
    > whether the user allowed the program access/server rights or denied
    > it.
    >
    > Many programs require network access for normal operation, and
    > use components to perform their network access. These are expected
    > uses and are not a cause for concern. However, viruses and Trojan
    > horse programs can modify or replace components with hacked
    > versions that can be used to carry out attacks. If you suspect a
    > component is not legitimate, you should not allow it access.
    > Because the purpose of component files is often not obvious, you
    > should conduct some research if you have any suspicions about a
    > component's legitimacy. Detailed information about KERNEL32.DLL
    > is available on the Technical Info tab of this article.
    >
    > Depending on the Access setting for a component, ZoneAlarm Pro
    > will either allow a program using that component to access the
    > network or act as a server, or will ask you for permission each
    > time it is used. If you trust KERNEL32.DLL, you can give it an
    > Access setting of Allow, and that will give programs using it
    > access/server rights without needing to ask for permission each time.
    > If you are not sure about KERNEL32.DLL, you can give it a setting
    > of Ask, which will remind you that you need to decide next time it
    > is used. If you know there is a problem with KERNEL32.DLL, you
    > should either delete it from your system or fix the problem."
    >
    > And under Details, they say:
    >
    > "This article presents detailed information on component KERNEL32.DLL.
    >
    > What is a new or changed component?
    >
    > A component is a small program or set of functions (also known as
    > a Dynamic Link Library or DLL) that larger programs call on to
    > perform specific tasks. Some components may be used by several
    > different programs simultaneously.
    >
    > ZoneAlarm Pro considers a component a New Component the first
    > time a program using the component makes an attempt to connect to or
    > receive connections from the Internet or your local network, or
    > the first time a component is loaded by a program that is already
    > connected to the network. ZoneAlarm Pro also considers the
    > component to be a New Component if the component entry within the
    > ZoneAlarm Pro Components List has been removed.
    >
    > ZoneAlarm Pro considers a component a Changed Component if it has
    > been modified since the last time it accessed the Internet or your
    > local network. If you have upgraded a component and the upgrade
    > replaced the component with a new copy, then ZoneAlarm Pro detects
    > the change in the file. Some components are automatically updated
    > by programs, and ZoneAlarm Pro detects any change in the component
    > file itself, no matter how slight."
    >
    > And finally:
    >
    > "ZoneAlarm Pro authenticates your programs and their shared
    > components by recording their MD5 signatures the first time the program
    > requests network or Internet access, then checking those
    > signatures when the program requests access again."
    >
    > Do any other "Firewalls" do anything like this and if so, what do
    > you think of it?
    >
    > Sorry to be so long-winded but didn't know how many had a chance
    > to use ZA.
    >
    > --Michael
    >
    >
    >
    >
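
    The component-authentication behaviour Michael quotes above (record a fingerprint on first sighting, flag "Changed" when the on-disk bytes differ, treat a removed entry as "New" again) can be modelled in a few dozen lines. The following is an added example written for this archive page, not ZoneAlarm's code; the file names KERNEL32.DLL and WSOCK32.DLL are stand-in temp files with constructed contents, and the ComponentRegistry class and run_demo function are invented here for illustration. It also shows the trust-on-first-use weakness: a file replaced before the firewall first sees it is simply recorded as the baseline.

```python
import hashlib
import os
import tempfile


class ComponentRegistry:
    """Trust-on-first-use fingerprint store for executables and DLLs.

    Mirrors the behaviour quoted from ZoneAlarm Pro: a component is
    recorded the first time it is seen, reported as changed when its
    on-disk bytes no longer match, and treated as new again if its entry
    is removed.  MD5 is kept only because that is what the quoted text
    describes; SHA-256 is stored alongside it because MD5 collisions have
    been practical for years and MD5 alone should not be relied on.
    """

    def __init__(self):
        self.records = {}  # path -> (md5_hex, sha256_hex)

    @staticmethod
    def fingerprint(path):
        md5, sha = hashlib.md5(), hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                md5.update(chunk)
                sha.update(chunk)
        return md5.hexdigest(), sha.hexdigest()

    def check(self, path):
        """Classify a component as 'new', 'changed' or 'known'.

        A new component is recorded immediately: whatever is on disk at
        that moment becomes the trusted baseline.
        """
        fp = self.fingerprint(path)
        known = self.records.get(path)
        if known is None:
            self.records[path] = fp
            return "new"
        return "known" if known == fp else "changed"

    def approve(self, path):
        """Re-record after the user accepts a legitimate upgrade."""
        self.records[path] = self.fingerprint(path)

    def forget(self, path):
        """Drop the entry; the next sighting is reported as 'new' again."""
        self.records.pop(path, None)


def run_demo():
    """Walk a hypothetical KERNEL32.DLL stand-in through each state.

    All file contents are constructed for the demo (hypothetical, not real
    Windows binaries).  Returns a dict of verdicts keyed by scenario.
    """
    results = {}
    reg = ComponentRegistry()
    with tempfile.TemporaryDirectory() as tmp:
        dll = os.path.join(tmp, "KERNEL32.DLL")  # stand-in, not the real file
        with open(dll, "wb") as fh:
            fh.write(b"MZ vendor build 5.1.2600\x00")

        results["first_sighting"] = reg.check(dll)   # recorded as trusted
        results["unchanged"] = reg.check(dll)        # same bytes -> known

        # A trojan replaces the file in place (same path, different bytes).
        with open(dll, "wb") as fh:
            fh.write(b"MZ trojaned build\x00")
        results["after_replacement"] = reg.check(dll)

        # User decides the change was a real upgrade and accepts it.
        reg.approve(dll)
        results["after_approve"] = reg.check(dll)

        # Entry deleted from the component list -> reported as new again.
        reg.forget(dll)
        results["after_forget"] = reg.check(dll)

        # The limitation: a file already replaced *before* the firewall
        # first sees it is recorded as the baseline and trusted from then on.
        bad = os.path.join(tmp, "WSOCK32.DLL")  # stand-in, constructed bytes
        with open(bad, "wb") as fh:
            fh.write(b"MZ trojaned before baseline\x00")
        results["preinfected_first_sighting"] = reg.check(bad)
        results["preinfected_second_sighting"] = reg.check(bad)
    return results


if __name__ == "__main__":
    for scenario, verdict in run_demo().items():
        print(f"{scenario:30s} {verdict}")
```

    Note the second limitation, which is the one Dimitri's Hacker Defender quote points at: that rootkit rewrites kernel32.dll functions in memory via WriteProcessMemory, so the on-disk file never changes and a check like this one keeps reporting it as "known".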


