RE: Hidden Ports

From: Aditya [ Aditya Lalit Deshmukh ] (
Date: 02/10/04

  • Next message: bob martin: "Website password policies"
    To: "Michael Painter" <>, "Dimitri Bertolami" <>, <>
    Date: Tue, 10 Feb 2004 19:04:07 +0530

    This is done by the firewalls to prevent authenticated files from being replaced by trojans and connecting to the internet.

    There are many firewalls that do this:
    Zone Alarm,
    Tiny Firewall,
    Kerio Firewall,
    Sygate Firewall.

    Doing this basically adds to the system security, so it is good to keep it enabled.


    > -----Original Message-----
    > From: Michael Painter []
    > Sent: Sunday, February 08, 2004 9:04 AM
    > To: Dimitri Bertolami;
    > Subject: Re: Hidden Ports
    > ----- Original Message -----
    > From: "Dimitri Bertolami" <>
    > To: <>
    > Sent: Friday, February 06, 2004 9:50 AM
    > Subject: RE: Hidden Ports
    > > guys and gals,
    > >
    > > I'll explain a bit more about this one ..
    > [snip]
    > > quote: (david)
    > > -------------------------------------------
    > > Not necessarily. These tools are often part of a rootkit, which would
    > > naturally hide itself. In fact, they usually load as part of the OS
    > > kernel, and not as a process.
    > > -------------------------------------------
    > >
    > r0.21.html
    > > (text below taken from the site)
    > > Idea
    > > ----
    > >
    > > Main idea of this program was to use API functions WriteProcessMemory
    > > and CreateRemoteThread to create a new thread in all running processes.
    > > New thread will rewrite some functions in system modules (mostly
    > > kernel32.dll) and inject fake code which will check API results and
    > > change this result in specific cases.
    > > Program must be absolutely hidden for all others. Program installs
    > > hidden backdoors and registers as hidden system service.
    > > --
    > > meaning, you really honestly don't see the 500 connections to port 21 on
    > > your hidden FTP Server, because according to your "rewritten" kernel there
    > > simply aren't any of these services or ports in use. You can consider a
    > > rootkit like an Evil MS patch (from hackers): MS patches the correct way,
    > > rootkits patch the wrong way. But a patch is a patch and windows won't
    > > recognise the patch as "not" being a part of its own architecture once it's
    > > installed.
    > >
    > >
    > > any questions, feel free to ask..
    > > Cheers,
    > > Dimitri
    > What do you folks think of ZoneAlarm Pro?
    > When I look in Program Control | Components, there are ~1,125
    > dlls listed. If I right click on kernel32.dll and select More Info,
    > in Overview I get:
    > "ZoneAlarm Pro has recorded KERNEL32.DLL in its list of
    > components in the Program Control section. The component was recorded
    > because either a program using the component requested network
    > access, or a program that already had network access attempted to
    > load the component. Information about the component is recorded
    > whether the user allowed the program access/server rights or denied
    > it.
    > Many programs require network access for normal operation, and
    > use components to perform their network access. These are expected
    > uses and are not a cause for concern. However, viruses and Trojan
    > horse programs can modify or replace components with hacked
    > versions that can be used to carry out attacks. If you suspect a
    > component is not legitimate, you should not allow it access.
    > Because the purpose of component files is often not obvious, you
    > should conduct some research if you have any suspicions about a
    > component's legitimacy. Detailed information about KERNEL32.DLL
    > is available on the Technical Info tab of this article.
    > Depending on the Access setting for a component, ZoneAlarm Pro
    > will either allow a program using that component to access the
    > network or act as a server, or will ask you for permission each
    > time it is used. If you trust KERNEL32.DLL, you can give it an
    > Access setting of Allow, and that will give programs using it
    > access/server rights without needing to ask for permission each time.
    > If you are not sure about KERNEL32.DLL, you can give it a setting
    > of Ask, which will remind you that you need to decide next time it
    > is used. If you know there is a problem with KERNEL32.DLL, you
    > should either delete it from your system or fix the problem."
    > And under Details, they say:
    > "This article presents detailed information on component KERNEL32.DLL.
    > What is a new or changed component?
    > A component is a small program or set of functions (also known as
    > a Dynamic Link Library or DLL) that larger programs call on to
    > perform specific tasks. Some components may be used by several
    > different programs simultaneously.
    > ZoneAlarm Pro considers a component a New Component the first
    > time a program using the component makes an attempt to connect to or
    > receive connections from the Internet or your local network, or
    > the first time a component is loaded by a program that is already
    > connected to the network. ZoneAlarm Pro also considers the
    > component to be a New Component if the component entry within the
    > ZoneAlarm Pro Components List has been removed.
    > ZoneAlarm Pro considers a component a Changed Component if it has
    > been modified since the last time it accessed the Internet or your
    > local network. If you have upgraded a component and the upgrade
    > replaced the component with a new copy, then ZoneAlarm Pro detects
    > the change in the file. Some components are automatically updated
    > by programs, and ZoneAlarm Pro detects any change in the component
    > file itself, no matter how slight."
    > And finally:
    > "ZoneAlarm Pro authenticates your programs and their shared
    > components by recording their MD5 signatures the first time the program
    > requests network or Internet access, then checking those
    > signatures when the program requests access again."
    > Do any other "Firewalls" do anything like this and if so, what do
    > you think of it?
    > Sorry to be so long-winded but didn't know how many had a chance
    > to use ZA.
    > --Michael
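    The two mechanisms in this thread check different things, and the gap between them is worth seeing in code. ZoneAlarm Pro, by its own description, records an MD5 of each component on disk and re-checks it on the next network request, which catches a DLL that a trojan has replaced. The rootkit readme Dimitri quotes does something else: it uses WriteProcessMemory to rewrite functions in the copy of kernel32.dll already mapped into each process. The file on disk is never touched, so its MD5 never changes and the "Changed Component" check has nothing to report. The check that does see that kind of hook is to compare the loaded code of each exported function against the same bytes in the on-disk image. The script below is an added example written for this page, not code from ZoneAlarm, from the rootkit, or from anyone in the thread. The DLL image, export offsets, hook target and "trojaned" copy are all constructed stand-ins so it runs offline on any platform; SHA-256 stands in for the MD5 ZoneAlarm used, since MD5 collisions have been practical for years. Neither check helps against a kernel-mode rootkit that lies to the tool doing the checking, which is the case david raised earlier in the thread.

```python
"""Component hashing (what ZoneAlarm Pro does) versus an in-memory API hook
(what the rootkit readme quoted above does).

Constructed, platform-independent stand-ins are used for the DLL image, its
export offsets and the patched copies, so this runs offline without Windows.
"""
import hashlib
import struct


def fingerprint(image: bytes) -> str:
    """Hash a component image. ZoneAlarm recorded MD5; SHA-256 is used here
    because MD5 collisions have been practical for years."""
    return hashlib.sha256(image).hexdigest()


def record_baseline(components: dict) -> dict:
    """First network request by a program: record a fingerprint per component."""
    return {name: fingerprint(image) for name, image in components.items()}


def changed_components(baseline: dict, current: dict) -> list:
    """Re-hash the components a program now loads and return the names that are
    new (not in the list) or changed (hash differs), the way ZoneAlarm's
    "New Component" / "Changed Component" states work."""
    return sorted(name for name, image in current.items()
                  if baseline.get(name) != fingerprint(image))


def find_inline_hooks(disk_image: bytes, mem_image: bytes, exports: dict,
                      prologue_len: int = 8) -> dict:
    """Compare the first bytes of every exported function as loaded in memory
    with the same bytes in the on-disk image and describe each mismatch.

    Offsets are taken to be identical on disk and in memory (true for the
    constructed image below; a real PE needs RVA-to-file-offset mapping and
    relocation handling before the comparison is meaningful)."""
    hooks = {}
    for name, off in exports.items():
        disk = disk_image[off:off + prologue_len]
        mem = mem_image[off:off + prologue_len]
        if disk == mem:
            continue
        if mem[0] == 0xE9 and len(mem) >= 5:            # JMP rel32 at function entry
            (rel,) = struct.unpack_from('<i', mem, 1)
            hooks[name] = 'JMP rel32 to offset %#x' % (off + 5 + rel)
        elif mem[0] == 0x68 and len(mem) >= 6 and mem[5] == 0xC3:  # PUSH imm32 ; RET
            (target,) = struct.unpack_from('<I', mem, 1)
            hooks[name] = 'PUSH/RET to %#x' % target
        else:
            hooks[name] = 'prologue bytes differ: ' + mem.hex()
    return hooks


# Constructed sample images. Both exported functions start with the usual
# hot-patchable prologue  mov edi,edi ; push ebp ; mov ebp,esp  (8B FF 55 8B EC).
PROLOGUE = bytes.fromhex('8bff558bec')
EXPORTS = {'CreateFileW': 0x10, 'FindNextFileW': 0x40}   # offsets are invented
CAVE = 0xC0                                               # where the hook jumps to


def build_samples():
    clean = bytearray(b'\xcc' * 0x100)                    # int3 padding
    for off in EXPORTS.values():
        clean[off:off + 5] = PROLOGUE

    # Rootkit behaviour from the thread: the file on disk is untouched, but the
    # copy mapped into the process has CreateFileW's entry overwritten with a
    # JMP to injected code at CAVE.
    hooked = bytearray(clean)
    hooked[0x10:0x15] = b'\xe9' + struct.pack('<i', CAVE - (0x10 + 5))
    hooked[CAVE:CAVE + 3] = b'\x90\x90\xc3'               # stand-in for the hook body

    # Trojan behaviour ZoneAlarm's text warns about: the DLL on disk is replaced.
    trojaned = bytearray(clean)
    trojaned[0x80:0x84] = b'EVIL'
    return bytes(clean), bytes(hooked), bytes(trojaned)


def demo():
    clean, hooked, trojaned = build_samples()
    baseline = record_baseline({'KERNEL32.DLL': clean})
    return {
        # on-disk file unchanged while memory is hooked: hashing sees nothing
        'hash_check_vs_memory_hook': changed_components(baseline, {'KERNEL32.DLL': clean}),
        # file replaced on disk: hashing catches it
        'hash_check_vs_replaced_dll': changed_components(baseline, {'KERNEL32.DLL': trojaned}),
        # disk-vs-memory comparison catches the hook the hash missed
        'cross_view_vs_memory_hook': find_inline_hooks(clean, hooked, EXPORTS),
        'cross_view_clean': find_inline_hooks(clean, clean, EXPORTS),
    }


if __name__ == '__main__':
    for check, result in demo().items():
        print(f'{check}: {result}')
```

    Running it shows the hash check returning an empty list for the hooked case and naming KERNEL32.DLL only for the replaced file, while the disk-versus-memory comparison reports the JMP planted at CreateFileW. On a real Windows box the same comparison means reading the module from the target process (ReadProcessMemory), mapping the file, and walking the export table; the part that does not change is the principle that a hash of the file authenticates the file, not the code a process is actually executing.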
