Re: Intrusion Question

From: winged (winged_at_nofollow.com)
Date: 02/16/05

Date: 16 Feb 2005 00:16:58 EST

Michael J. Pelletier wrote:
> Mark St Laurent wrote:
>
>
>>Is it possible for someone to be remote controlling a machine, i.e. moving
>>mouse opening programs etc. without showing an active connection in the
>>output of netstat -a. I saw this happen today but think being the user had
>>wireless keyboard and mouse attached to his PC that he might be getting
>>crossed with another wireless keyboard mouse at an adjacent machine. No
>>intruder was listed and if I VNC into same machine it shows connection
>>established at port 5900 for example. RDP and VNC (3383 & 5900 only are
>>excepted but confined to local subnet) otherwise full XPSP2 firewall
>>features enabled.
>>
>>I have never posted to this group before, if not on topic please redirect
>>me to correct group.
>
>
> First, if it were a hack, it is possible to install a hacked version of
> netstat (or any binary) that was programmed not to list a specific IP, etc.
> I am not saying that this is your situation but, yes it is possible. This
> user has a wireless keyboard and mouse? If so, try putting him back on the
> regular keyboard and mouse. See if it happens then.
>
> The only thing that bothers me is, if it were some kind of "cross talk" (two
> wireless keyboards and mice interfering with each other) I would think that
> the movement would be erratic. Was the mouse movement erratic?
>
> Michael
>
It is also possible to hide communications and programs in alternate
data streams.

I would consider setting up a sniffer after I went back to wired
configuration.

Yes it is possible to hide communications from netstat using several
programmatic methods. A number of remote control Trojans are very capable
of hiding the communications from the local machine and very difficult
to detect using standard IDS tools, as the attacker may be using a known
encrypted port (such as 443) for communications. It is fairly easy to
"hide" the communication from netstat. This is easiest to do by adding
a winsock modification to the local system, but can be accomplished via
an ActiveX control or service or other imagined choices. You can also
hide services so that the task manager pane does not display the running
process. Sometimes administrators or security folks must do this as
well, however ideally they would not go into control mode. Back Orifice
for example does this better than some well known
remote administration tools.

I would run a number of tools to try to track remote controller
activities; the sniffer will show what the system is communicating
with and will make the communication much easier to identify. I would
then rebuild the system once the proper enforcement entity gave direction to
do so.

Winged
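The cross-view check the thread is circling around, as an added example that is not part of any post above: take a `netstat -an` snapshot on the suspect host and, at the same moment, a capture from a sniffer on a separate wired machine, then report flows the wire shows but the host does not. Both inputs here are constructed samples, and the capture rows use a simplified one-line-per-packet summary of my own rather than real tcpdump output.

```python
import re

# Windows "netstat -an" row: Proto, Local Address, Foreign Address, optional State
_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")
# Constructed sniffer summary row (not real tcpdump syntax): "<proto> <src>:<port> > <dst>:<port>"
_CAPTURE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s*>\s*(\S+):(\d+)$")
# Constructed "netstat -an" snapshot from the suspect XP box (192.168.1.10).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:5900      192.168.1.20:1045      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
# Constructed: what a sniffer on a separate wired host saw at the same moment.
SAMPLE_CAPTURE = [
    "TCP 192.168.1.20:1045 > 192.168.1.10:5900",  # the admin's own VNC session
    "TCP 192.168.1.10:1054 > 203.0.113.5:443",    # outbound on 443 the host does not report
    "TCP 203.0.113.5:443 > 192.168.1.10:1054",
]

def parse_netstat(text):
    """Flows (proto, local_ip, local_port, remote_ip, remote_port) the host admits to."""
    flows = set()
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        # Listeners and wildcard sockets are not connections, so skip them.
        if state == "LISTENING" or rport == "*" or rip in ("0.0.0.0", "*"):
            continue
        flows.add((proto, lip, int(lport), rip, int(rport)))
    return flows

def parse_capture(lines, host_ip):
    """Rewrite each packet record from the host's perspective so it compares with netstat."""
    flows = set()
    for line in lines:
        m = _CAPTURE_RE.match(line.strip())
        if not m:
            continue
        proto, src, sport, dst, dport = m.groups()
        if src == host_ip:
            flows.add((proto, src, int(sport), dst, int(dport)))
        elif dst == host_ip:
            flows.add((proto, dst, int(dport), src, int(sport)))
    return flows

def hidden_flows(netstat_text, capture_lines, host_ip):
    """Flows on the wire the host denies: candidates for a hooked netstat or winsock.
    A flow that ended between the two snapshots lands here too, so repeat the check."""
    return parse_capture(capture_lines, host_ip) - parse_netstat(netstat_text)
```

The 443 flow to 203.0.113.5 is the kind of result to chase with the sniffer's full capture; an empty difference on repeated runs does not prove the host is clean, only that nothing was talking at those moments.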