RE: Hidden Ports
From: Aditya [ Aditya Lalit Deshmukh ] (aditya.deshmukh_at_online.gateway.technolabs.net)
Date: 02/10/04
- Previous message: Aditya [ Aditya Lalit Deshmukh ]: "RE: firewalls that can ssl ftp?"
- In reply to: Michael Painter: "Re: Hidden Ports"
- Next in thread: H Carvey: "Re: Hidden Ports"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Michael Painter" <tvhawaii@shaka.com>, "Dimitri Bertolami" <Dimitri@staf.pi.be>, <security-basics@securityfocus.com> Date: Tue, 10 Feb 2004 19:04:07 +0530
This is done by the firewalls to prevent authenticated files from being replaced by trojans and connecting to the internet.
There are many firewalls that do this:
zone alarm,
tiny firewall
kerio firewall
sygate firewall
etc.
Doing this basically adds to the system security, so it is good to keep it enabled.
-aditya
> -----Original Message-----
> From: Michael Painter [mailto:tvhawaii@shaka.com]
> Sent: Sunday, February 08, 2004 9:04 AM
> To: Dimitri Bertolami; security-basics@securityfocus.com
> Subject: Re: Hidden Ports
>
>
> ----- Original Message -----
> From: "Dimitri Bertolami" <Dimitri@staf.pi.be>
> To: <security-basics@securityfocus.com>
> Sent: Friday, February 06, 2004 9:50 AM
> Subject: RE: Hidden Ports
>
>
> > guys and gals,
> >
> > I'll explain a bit more about this one ..
> [snip]
> > quote: (david)
> > -------------------------------------------
> > Not necessarily. These tools are often part of a rootkit, which would
> > naturally hide itself. In fact, they usually load as part of the OS
> > kernel, and not as a process.
> > -------------------------------------------
> >
> > http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefender0.21.html
> > (text below taken from the site)
> > Idea
> > ----
> >
> > Main idea of this program was to use API functions WriteProcessMemory
> > and CreateRemoteThread to create a new thread in all running processes.
> > New thread will rewrite some functions in system modules (mostly
> > kernel32.dll)
> > and inject fake code which will check API results and change this result
> > in specific cases.
> > Program must be absolutely hidden for all others. Program installs
> > hidden backdoors and register as hidden system service.
> > --
> > meaning, you really honestly don't see the 500 connections to port 21 on
> > your hidden FTP Server, because according to
> > your "rewritten" kernel there simply aren't any of these services or ports
> > in use, you can consider a rootkit like an Evil
> > MS patch (from hackers) MS patches the correct way, rootkits patch the wrong
> > way. but a patch is a patch and windows won't
> > recognise the patch as "not" being a part of its own architecture once it's
> > installed.
> >
> >
> > any questions, feel free to ask..
> > Cheers,
> > Dimitri
>
>
>
> What do you folks think of ZoneAlarmPro?
> When I look in: Program Control | Components, there are ~1,125
> dlls listed. If I right click on kernel32.dll and select More Info,
> in Overview I get:
> "ZoneAlarm Pro has recorded KERNEL32.DLL in its list of
> components in the Program Control section. The component was recorded
> because either a program using the component requested network
> access, or a program that already had network access attempted to
> load the component. Information about the component is recorded
> whether the user allowed the program access/server rights or denied
> it.
>
> Many programs require network access for normal operation, and
> use components to perform their network access. These are expected
> uses and are not a cause for concern. However, viruses and Trojan
> horse programs can modify or replace components with hacked
> versions that can be used to carry out attacks. If you suspect a
> component is not legitimate, you should not allow it access.
> Because the purpose of component files is often not obvious, you
> should conduct some research if you have any suspicions about a
> component's legitimacy. Detailed information about KERNEL32.DLL
> is available on the Technical Info tab of this article.
>
> Depending on the Access setting for a component, ZoneAlarm Pro
> will either allow a program using that component to access the
> network or act as a server, or will ask you for permission each
> time it is used. If you trust KERNEL32.DLL, you can give it an
> Access setting of Allow, and that will give programs using it
> access/server rights without needing to ask for permission each time.
> If you are not sure about KERNEL32.DLL, you can give it a setting
> of Ask, which will remind you that you need to decide next time it
> is used. If you know there is a problem with KERNEL32.DLL, you
> should either delete it from your system or fix the problem."
>
> And under Details, they say:
>
> "This article presents detailed information on component KERNEL32.DLL.
>
> What is a new or changed component?
>
> A component is a small program or set of functions (also known as
> a Dynamic Link Library or DLL) that larger programs call on to
> perform specific tasks. Some components may be used by several
> different programs simultaneously.
>
> ZoneAlarm Pro considers a component a New Component the first
> time a program using the component makes an attempt to connect to or
> receive connections from the Internet or your local network, or
> the first time a component is loaded by a program that is already
> connected to the network. ZoneAlarm Pro also considers the
> component to be a New Component if the component entry within the
> ZoneAlarm Pro Components List has been removed.
>
> ZoneAlarm Pro considers a component a Changed Component if it has
> been modified since the last time it accessed the Internet or your
> local network. If you have upgraded a component and the upgrade
> replaced the component with a new copy, then ZoneAlarm Pro detects
> the change in the file. Some components are automatically updated
> by programs, and ZoneAlarm Pro detects any change in the component
> file itself, no matter how slight."
>
> And finally:
>
> "ZoneAlarm Pro authenticates your programs and their shared
> components by recording their MD5 signatures the first time the program
> requests network or Internet access, then checking those
> signatures when the program requests access again."
>
> Do any other "Firewalls" do anything like this and if so, what do
> you think of it?
>
> Sorry to be so long-winded but didn't know how many had a chance
> to use ZA.
>
> --Michael
>
>
>
>
>
>
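The thread's own subject, hidden ports, comes down to two things: a Hacker Defender-style hook that filters what the host's own API calls return, and the cross-view check that catches it by comparing the host's answer with what the network sees. The script below is an added example illustrating both; it is not code from this thread or from Hacker Defender, and every address, table row and scanner result in it is constructed.

```python
"""Hidden-port cross-view check (added example; all data below is constructed).

TRUE_TABLE is what an unhooked kernel would report.  hooked_table() models the
rootkit's "check API results and change this result in specific cases": rows
for a chosen port are dropped before the caller sees them.  hidden_ports()
is the detection: ports an outside scanner finds open that the host denies.
"""
import re

# Connection table of a host at 192.168.1.10 as the kernel really holds it (constructed).
TRUE_TABLE = [
    ("TCP", "0.0.0.0:135",       "0.0.0.0:0",          "LISTENING"),
    ("TCP", "0.0.0.0:445",       "0.0.0.0:0",          "LISTENING"),
    ("TCP", "192.168.1.10:21",   "0.0.0.0:0",          "LISTENING"),    # the hidden FTP server
    ("TCP", "192.168.1.10:21",   "10.0.0.7:40111",     "ESTABLISHED"),  # one of its clients
    ("TCP", "192.168.1.10:3389", "192.168.1.50:51822", "ESTABLISHED"),
]

# The rootkit's "specific cases": local ports it strips from every API result.
HIDDEN_PORTS = {21}


def local_port(row):
    """Local port of a (proto, local, remote, state) row."""
    return int(row[1].rsplit(":", 1)[1])


def hooked_table(rows, hidden=HIDDEN_PORTS):
    """What a program on the box gets back once the hook has rewritten the result."""
    return [r for r in rows if local_port(r) not in hidden]


def render_netstat(rows):
    """Print rows in `netstat -an` layout so parse_netstat() works on real output too."""
    lines = ["Proto  Local Address          Foreign Address        State"]
    for proto, local, remote, state in rows:
        lines.append(f"{proto:<6} {local:<22} {remote:<22} {state}")
    return "\n".join(lines)


NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\w+))?\s*$")


def parse_netstat(text):
    """Set of local TCP ports the host admits to, parsed from netstat-style text."""
    ports = set()
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and m.group(1) == "TCP":
            ports.add(int(m.group(3)))
    return ports


def hidden_ports(host_ports, scanner_ports):
    """Ports open on the wire but absent from the host's own view: the rootkit signature."""
    return sorted(scanner_ports - host_ports)


def demo():
    """Host view (through the hook) against an external port sweep (constructed)."""
    scanner_ports = {135, 445, 21, 3389}          # what a scan from another box found open
    host_ports = parse_netstat(render_netstat(hooked_table(TRUE_TABLE)))
    return {
        "host_sees": sorted(host_ports),
        "scanner_sees": sorted(scanner_ports),
        "hidden": hidden_ports(host_ports, scanner_ports),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the diff is that the hook only lies to callers on the compromised machine; it cannot change what answers a SYN from another host. So the scan (or a sniffer on a span port) has to be run from a box the rootkit does not control, and the host-side listing is taken as the suspect, never as the reference.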
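The component authentication ZoneAlarm Pro describes in the quoted text (record a digest the first time a program or DLL is involved in network access, re-digest on the next request, report it as New or Changed) is straightforward to model. The script below is an added example of that logic; it is not ZoneAlarm code, and the file names and contents it uses are constructed. ZoneAlarm records MD5; this version defaults to SHA-256, since MD5 collisions are practical, but takes "md5" if a like-for-like comparison is wanted.

```python
"""ZoneAlarm-style component list (added example; not ZoneAlarm code).

A component is New the first time it is seen (or after its entry was removed),
Changed when its digest differs from the recorded one, and unchanged otherwise,
matching the definitions quoted in the thread.
"""
import hashlib
import json
import tempfile
from pathlib import Path

NEW, CHANGED, UNCHANGED = "new", "changed", "unchanged"


def file_digest(path, algo="sha256"):
    """Hash the component file in chunks (DLLs can be large)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class ComponentList:
    """The 'Components list': absolute path -> digest recorded at first network use."""

    def __init__(self, algo="sha256", records=None):
        self.algo = algo
        self.records = dict(records or {})

    def check(self, path):
        """Called when a program that has, or asks for, network access loads `path`."""
        path = str(Path(path).resolve())
        digest = file_digest(path, self.algo)
        recorded = self.records.get(path)
        if recorded is None:
            self.records[path] = digest      # first sighting: New Component
            return NEW
        if recorded != digest:
            self.records[path] = digest      # after the user decides, the new file is the baseline
            return CHANGED
        return UNCHANGED

    def remove(self, path):
        """Dropping an entry makes the component count as New next time, as the quoted text says."""
        self.records.pop(str(Path(path).resolve()), None)

    def save(self, path):
        Path(path).write_text(json.dumps({"algo": self.algo, "records": self.records}))

    @classmethod
    def load(cls, path):
        data = json.loads(Path(path).read_text())
        return cls(data["algo"], data["records"])


def demo():
    """First use, an unchanged re-use, an on-disk replacement, reload, and entry removal."""
    with tempfile.TemporaryDirectory() as d:
        dll = Path(d) / "KERNEL32.DLL"                      # constructed stand-in, not a real DLL
        dll.write_bytes(b"MZ\x90\x00 original image (constructed)")
        cl = ComponentList()
        first = cl.check(dll)
        second = cl.check(dll)
        dll.write_bytes(b"MZ\x90\x00 replaced image (constructed)")   # trojan swaps the file
        third = cl.check(dll)
        store = Path(d) / "components.json"
        cl.save(store)
        reloaded = ComponentList.load(store)
        fourth = reloaded.check(dll)
        reloaded.remove(dll)
        fifth = reloaded.check(dll)
        return [first, second, third, fourth, fifth]


if __name__ == "__main__":
    print(demo())
```

Two limits worth keeping in mind. A file digest only sees replacement on disk: the Hacker Defender technique quoted earlier rewrites kernel32.dll's code inside each running process with WriteProcessMemory, and the file, and therefore its hash, never changes. And the checker itself runs on the same OS the rootkit hooks, so the API calls it uses to read the file can be lied to in the same way as everything else on the box.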