Is there a standard for Trojan/Rootkit to phone home?


eyes-open
October 25th, 2005, 01:55 AM
I assume that regardless of what type of Trojan/Rootkit etc. may have snuck onto your machine - at some point it will want/need to open a port and reach out to someone?

So if you believed there was an outside possibility that you may be infected, how long would you expect to have to watch/log port activity (with netstat, Port Explorer etc.) before being reasonably sure that there is nothing that wants to call out?

P.S. I don't personally think I have such an issue at the moment - I just don't remember reading anything about the frequency/patterns with which such intruders try to get back out to the net.

Would you expect suspicious activity within, for example, a week of watching logs, or is there no reliable standard? Or is there a degree of built-in dormancy that means some malware will remain inactive for long periods of time (a month or more) before becoming active and trying to call out?

trillion
October 26th, 2005, 12:13 AM
I'm not a super expert in this area, but from what I understand not all rootkits and trojans will just open a port, or try to call home in such a visible way. Often rootkits can remain completely hidden from any port monitoring through various techniques. So even if a rootkit (some rootkits, not all) was connecting out from your computer you wouldn't be able to tell, even when using a port monitor.

Also some trojans hijack other programs, through DLL injection techniques etc., and can even wait till you use that program, and then send the stolen data along with the program you're running (e.g. Internet Explorer) out to the internet, so you would think a legitimate program was accessing the net, but in reality the trojan was also sending out data along with it.

Finding trojans and rootkits seems to be getting more and more difficult, so make sure you have a good updated anti-virus and maybe good anti-trojan too. It wouldn't hurt to have something like Process Guard or Antihook either to block rootkits and trojans in the first place. Of course there are many other things that can be done to stop malware too, just look around the forum for other ideas.

eyes-open
October 26th, 2005, 01:15 PM
Thanks for the reply trillion.

I had assumed that either a port that was identifiable as malignant would appear in the listening ports lists, or at least, should a port be masquerading as a legitimate service, the remote port/address would present as being inappropriate.

Either way I figured a decent port log should have been able to pick it up.

Looks like I'll have to do more homework :)

Rmus
October 26th, 2005, 06:39 PM
Trillion mentions some of the ways trojans can connect out. Several ways to prevent:

1) secure the firewall and browser (or by process blocker) to stop injection techniques from bypassing those safeguards. Not so easy, as Thermite and CopyCat are successful in most cases.

2) configure the firewall to alert to unauthorized outbound connections.

In the trojans I've been able to test, I've noticed that most have a built-in SMTP email engine, or are coded to establish an outbound connection by hijacking another application, or by using itself as a dropper, which usually copies itself to the system with another filename.

Different ways of disabling firewalls have appeared in various articles - not all are successful. I've yet to be able to test a program that can do this.

EDIT: for comments about rootkits, see Posts #6 and #7 below.

I've posted a few tests in other threads - here are some that show how the firewall alerts to an unauthorized outbound attempt, beginning with the recent dfk-threat-simulator test (the firewall results given here).

My interest in these tests is to assume the trojan/worm does get installed and to see if the firewall is successful in preventing the trojan/worm from calling out. If so, then the damage is contained within the system and does not contaminate anyone else.

http://www.rsjones.net/dfk_fw

http://www.rsjones.net/Bagle

http://www.rsjones.net/Codec

http://www.rsjones.net/DriveBySite

http://www.rsjones.net/SoberQ


regards,

-rich
________________
~~Be ALERT!!! ~~

Rmus
October 26th, 2005, 09:17 PM
-{ Quote: "... and can even wait till you use that program, and then send the stolen data along with the program your running (e.g. Internet Explorer) out to the internet, " }-

Can you cite a source for this? Are you aware of any trojans that can do this?

thanks,

-rich
________________
~~Be ALERT!!! ~~

Notok
October 27th, 2005, 01:55 AM
From Gavin (at DiamondCS) in a recent email exchange:

-{ Quote: "Rootkits dont need to evade firewalls. They can pass straight through them by modifying things at the kernel level. This is why we are so adamant that rootkit scanners are NOT good enough. They can lead to a false sense of security. Rootkits do already exist which are not detected by any of these scanners.

Hacker Defender for instance, piggybacks on any port already open. It doesn't need a port, all open ports become backdoors. It checks incoming data for a special packet signature, and if contained then it knows the data is meant for IT. It then removes the data and the packet never arrives at the service it was "intended" for. Noone is the wiser because the driver removes the data before it passes up the chain to a higher level to be processed." }-

Rmus
October 27th, 2005, 04:15 AM
-{ Quote: "From Gavin (at DiamondCS) in a recent email exchange:

...Hacker Defender for instance, piggybacks on any port already open. It doesn't need a port, all open ports become backdoors." }-

Thanks for that quote.

I had forgotten about Hxdef, but remember now reading that all doesn't always work as planned, and certain conditions sometimes have to be met. From the FAQ:

-------------------------------------
4)
Q: How is that I can't connect to backdoor on ports 135/TCP, 137/TCP, 138/TCP,
139/TCP or 445/TCP when target box has them open?

A: As mentioned in 5. Backdoor section of this readme backdoor need server
with incomming buffer larger or equal to 256 bits. And also system ports may
not work. If you have a problem with find open port that works you can simply
run netcat and listen on your own port. You should add this netcat port to
Hidden Ports in inifile then.
--------------------------------------

Having said that, though, I note that Windows rootkits are often described as a type of trojan. See

http://diamondcs.com.au/processguard/index.php?page=attack-rootkits

"Rootkits are a special class of trojan."

But it's becoming evident that rootkits need to be considered in a separate class by themselves, since their evolution is in a direction away from the traditional trojan, and ways of dealing with traditional trojans will no longer be applicable as rootkits evolve further.

So, I will edit my comments in the above posts to refer to traditional trojans, where the outbound connection can be stopped by the firewall.

I still would like to know what Trillion was specifically referring to per my question in Post #5.

Finally, in the tests I ran, I had to permit the trojan to install.
In the real world, of course, no one would ever let that happen, right?!
http://www.rsjones.net/guard1.jpg

-rich
________________
~~Be ALERT!!! ~~

controler
October 27th, 2005, 07:58 AM
I am sure by now you people have viewed the video Microsoft did on rootkits.

If not, it is nicely done. Hacker Defender is the rootkit mostly talked about. The version he used was the free version for demo purposes. Yes, I know the video is almost 8 meg download but I think it is worth it. Talks about both usermode and kernel mode kits. HD sets up its own port as a listening one you don't see.

I think we have talked about changing file names in the past. Anti-keylogger was one of the first to change its exe name randomly on boot. This was to try to fool anti-anything software from searching for a set name. I talked about it and got a lot of grief from posters here about that technique. Now we are seeing more and more programmers doing this same exact thing. RootkitRevealer for instance does it.

Here is the video: http://www.microsoft.com/technet/community/columns/sectip/st1005.mspx

and here is another link thrown in just for fun:
http://www.governmentsecurity.org/

controler

deviladvocate
October 27th, 2005, 10:43 AM
Changing file name is considered innovative? LOL.. I thought the first thing you do with rootkits is to customise the name of the files.. same for keyloggers.

-{ Quote: "But it's becoming evident that rootkits need to be considered in a separate class by themselves, since their evolution is in a direction away from the traditional trojan, and ways of dealing with traditional trojans will no longer be applicable as rootkits evolve further" }-

We can always depend on Rmus to come up with a deep insightful comment.

eyes-open
October 27th, 2005, 12:44 PM
It's all good.

I'll check out that video controler cheers.

At this point just clarify one thing for me could you ?

If it is a genuine Trojan/Rootkit (by that I mean one that secretly gains access to your information/services and then attempts to covertly communicate with the originators client). In order to share your information, does it not still have to use a remote address that is potentially identifiable as rogue ?

While we're posting links - here's one from bleepingcomputer titled How Malware hides and is installed as a Service http://www.bleepingcomputer.com/tutorials/tutorial83.html#list

controler
October 27th, 2005, 07:08 PM
Why yes, changing names confuses the rootkit. Why? Because the rootkit is looking for a string with a certain name. Duh?

Now for da firewall. Well ok ready? If it is a kernel rootkit it sits between your firewall and Windows and delivers all OK info to the software firewall.
Note I said software AD? LOL

controler

iceni60
October 27th, 2005, 11:01 PM
you can use Ethereal to see your network activity. a rootkit can't hide that can it?

ch0pper
October 27th, 2005, 11:54 PM
-{ Quote: "you can use Ethereal to see your network activity. a rootkit can't hide that can it?" }-

Yes it can.

deviladvocate
October 28th, 2005, 03:03 PM
-{ Quote: "Why yes chaning names con fuses the rootkit. Why? because the rootkit is looking for a string with a certian name. Duh?

Note I said software AD? LOL

controler" }-

Indeed, old hat.

illukka
October 28th, 2005, 03:26 PM
But if the infected machine is connected through another comp running Ethereal, hxdef traffic is visible,
while Ethereal on the infected computer cannot see anything.
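The cross-view check illukka describes, written out as an added example (not code from anyone in this thread): the host's own `netstat -an` view is compared against what a sniffer on an upstream machine saw, and any wire flow the host never admitted to is reported. Both inputs are constructed sample data, and the flow-summary format, the `hidden_flows` function and the `HOST_IP` constant are assumptions made for this example.

```python
import re
from typing import NamedTuple


class Socket(NamedTuple):
    """One endpoint pair as seen from the monitored host's side."""
    proto: str
    local_ip: str
    local_port: str
    remote_ip: str    # '*' for a listening / unbound socket
    remote_port: str


HOST_IP = "192.168.1.10"  # constructed: address of the suspect host

# Constructed sample in the shape of `netstat -an` taken ON the suspect host.
# A kernel-level hook would have filtered its own sockets out of this view.
HOST_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      64.233.161.99:80       ESTABLISHED
  UDP    192.168.1.10:137       *:*
"""

# Constructed sample of flows an upstream sniffer exported, in an assumed
# "PROTO src:port -> dst:port" format. The last line is not in the host view.
WIRE_FLOWS = """\
TCP 192.168.1.10:1042 -> 64.233.161.99:80
TCP 10.0.0.5:3111 -> 192.168.1.10:139
UDP 192.168.1.10:137 -> 192.168.1.255:137
TCP 192.168.1.10:2112 -> 10.0.0.5:4444
"""

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)")
FLOW_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)")


def parse_netstat(text):
    """Sockets the host admits to; listeners/unbound sockets get '*' remotes."""
    socks = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header or blank line
        proto, lip, lport, rip, rport = m.groups()
        if rip in ("0.0.0.0", "*") or rport in ("0", "*"):
            rip, rport = "*", "*"
        socks.add(Socket(proto, lip, lport, rip, rport))
    return socks


def parse_flows(text, host_ip):
    """Wire flows re-oriented so the suspect host is always the local side."""
    flows = set()
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        proto, sip, sport, dip, dport = m.groups()
        if sip == host_ip:
            flows.add(Socket(proto, sip, sport, dip, dport))
        elif dip == host_ip:
            flows.add(Socket(proto, dip, dport, sip, sport))
    return flows


def hidden_flows(host_sockets, wire_flows):
    """Flows seen on the wire that the host's table cannot account for.
    An exact 4-tuple match explains a flow; so does a visible listener or
    unbound socket on the same local port (a transient inbound connection
    may simply have closed between the two snapshots)."""
    hidden = []
    for f in sorted(wire_flows):
        listener = Socket(f.proto, f.local_ip, f.local_port, "*", "*")
        if f not in host_sockets and listener not in host_sockets:
            hidden.append(f)
    return hidden
```

Run `hidden_flows(parse_netstat(HOST_NETSTAT), parse_flows(WIRE_FLOWS, HOST_IP))` to get the single unexplained flow from port 2112; the inbound connection to the visible 139 listener and the UDP 137 traffic are accounted for by the host view.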

controler
October 28th, 2005, 04:58 PM
I think I have heard of some using VMWare and a honeypot in that way, to view the data on the honeypotted machine.

So then DA, why do so many still think they are safe with a software firewall?

con

iceni60
October 28th, 2005, 08:45 PM
-{ Quote: "Yes it can." }-
LOL i suppose that makes sense, serves me right for not thinking. i think the trick is to not install a rootkit in the first place ;D

nadirah
October 29th, 2005, 08:27 AM
Yeah, Processguard is another program that is good at stopping rootkits. ;)
Since rootkits attack the operating system's kernel, a security program that protects the kernel from all the rootkits out there is a very good thing. It's so difficult to detect and destroy rootkits AFTER they attack the computer, so prevent the rootkit from ever installing in the first place to avoid all the trouble.

A simple-looking diagram to show it all (EXAMPLE):
Rootkit ----> PROCESSGUARD (THE ROOTKIT IS BLOCKED BY PROCESSGUARD THUS STOPPING IT FROM ATTACKING THE KERNEL.)

talltim
October 29th, 2005, 01:38 PM
-{ Quote: "Yeah, Processguard is another program that is good at stopping rootkits. ;)
Since rootkits attack the operating system's kernel, a security program that protects the kernel from all the rootkits out there is a very good thing. Its so difficult to detect and destroy rootkits AFTER they attack the computer, so prevent the rootkit from ever installing in the first place to avoid all the trouble.

A simple-looking diagram to show it all (EXAMPLE):
Rootkit ----> PROCESSGUARD (THE ROOTKIT IS BLOCKED BY PROCESSGUARD THUS STOPPING IT FROM ATTACKING THE KERNEL.)" }-

So will AntiHook and that's a freebie. :)

deviladvocate
October 29th, 2005, 01:41 PM
-{ Quote: "I think I have heard of some using VMWare and a honeypot in that way, to veiw the data on the honeypoted machine.

So then DA, why do so many still think they are safe witha software firewall?

con" }-

Because they are not as knowledgeable as you?
Of course the same people think PG can protect them from rootkits. lol.

Chris12923
October 29th, 2005, 01:57 PM
-{ Quote: "Of course the same people think PG can protect them from rootkits. lol." }-
Very true.

Thanks,

Chris

eyes-open
October 29th, 2005, 02:52 PM
Can you be more specific - at which point(s) and why will PG fail to prevent the initial installation of a rootkit?

Assuming basics of Global Protection & services protection are in place.

Thanks :)

Chris12923
October 29th, 2005, 03:16 PM
-{ Quote: "Can you be more specific - at which point(s) and why will PG fail to prevent the initial installation of a rootkit ?

Assuming basics of Global Protection & services protection are in place." }-


In my opinion what can and will happen is that the user will be tricked into thinking the software is legit and allow the alert that PG displays for blocking Driver\Service installations. Of course if you never allow these then you should be fine. I'll use a program that alerts anytime an executable file is run as demonstration.

You download game.exe and try to run it (thinking it is the game you want).
Your program alerts you that an executable game.exe is trying to run.
You, thinking this has to be allowed to install the game, click OK.
Game.exe turned out to be virus.exe in simple terms and now you're infected.

So yes, ProcessGuard does the job it says if you never allow driver/service installs. But if you do not investigate further and just allow the driver install since you think the program needs it to run, you could become infected. And since you have PG and think you can never get a rootkit, you probably don't use a rootkit detector, so you will be infected and probably never have a clue.

This is with any software though. There is no absolute in any situation. ProcessGuard is a good product, don't get me wrong (I am a registered user). But it is not the end all. I'm sure you have seen in this and many other forums that the best defense is a layered defense.

P.S. Mods please feel free to split this topic since we are now talking about PG. Thanks :)

I hope this answered your question,

Chris

Bubba
October 29th, 2005, 03:43 PM
It's all good Chris and as long as We come back to....Is there a standard for Trojan/Rootkit to phone home....every once and awhile we'll be fine :lurking:

eyes-open
October 29th, 2005, 03:47 PM
Chris cheers for replying.

I agree absolutely with the layered defence. I have a decent enough set-up, but I couldn't possibly expect my mum to deal with it on her machine. Luckily her online activity is quite conservative, as is her software installation. For me it's a sort of hobby and learning process, so it isn't a hassle - it's part of the game.

Also I agree you can have as many layers as possible, ain't no good if the user gives out a free pass.

I'm still unclear about how an illegitimate program, even using a false name, can send packets to a cracker's client without there being a record of a remote address somewhere.

Sorry for being thick, it's just one of those things I haven't quite got straight yet. I get how it can receive/hijack incoming packets meant for it. I get that the malignant process can appear benign and be easily missed unless you follow through and do a deeper check.

At this point I have still to watch the video that Controler pointed me towards, although I now have it downloaded. So if it's in there I'll hopefully get a better grip.

Cheers :)

Edit: Bubba snuck in before I'd finished lol

controler
October 29th, 2005, 04:48 PM
eyes-open

The video does explain it in very easy to understand terms. The author shows the difference between usermode and kernel mode kits, which in turn shows how those two modes interact with Windows. He also goes into BIOS rootkits (video cards etc.) briefly.

After you watch the video, come back and let us know what you think.

controler

u_b_pwn3d
October 29th, 2005, 07:20 PM
You know what would be funny......if you got a rootkit from downloading and watching that video about how to stop rootkits. ;D

butt if
October 29th, 2005, 07:29 PM
yea but Microsoft would never do that would they?

Can the next generation Vista stop rootkits?

u_b_pwn3d
October 29th, 2005, 07:45 PM
-{ Quote: "yea but Microsoft would never do that would they?

Can the next generation Vista stop rootkits?" }-

I was just joking around.....I don't think M$ would ever purposefully infect anyone with a rootkit....but then again who knows if they haven't already....after all they did have some secret meetings with US Homeland security not too long ago.

Maybe M$ is now just a front operation for the men in black. Or better still maybe M$ is now run by the MIB, who is run by the shadow government, run by aliens for outer space...... who are really on a mission to take over the world....make slaves of everyone..... and mate with earth women. ;D ;D ;D

nick s
October 29th, 2005, 08:12 PM
Hi eyes-open,

One thing to keep in mind is that, even if you are able to somehow identify the remote address, it will very likely be a proxy in a chain of proxies used to hide the cracker. If you suspect a rootkit infection, your time would be better spent pulling out the HD, slaving it to a clean machine, and doing some forensics on it. If you find a rootkit and its accessories, salvage what's important to you from the HD, and then format it.

Nick

eyes-open
October 30th, 2005, 03:27 PM
@ controler > Excellent video - first thing it does is crucial, gets the terminology right. Just this one act makes rootkits more definable and therefore easier to deal with as a technology.

It certainly doesn't present any magic bullets - but that's ok too. Yet again it presents the responses that many of us are already familiar with. Layered/in-depth protection, secure passwords, patched systems etc - the basics. You don't have to be a whizzkid - just diligent.

The sections on proprietary Rootkit detectors, and also going the way of making your own comparative file lists using, for example, a portable OS such as a LiveCD, are also very accessible. It doesn't go into great depth - just enough to add to the overview that helps demystify the whole subject.

Here is the link again - for those that want to get the video:-
http://www.microsoft.com/technet/community/columns/sectip/st1005.mspx

@ nick s

Hi nick, I totally agree. The reason I was interested in accessing the port information wasn't to track a cracker. It was more about trying to identify patterns of illegitimate port activity that may or may not have been able to confirm the presence of malicious software stealthed by a rootkit. Specifically I wondered, if you can't detect a positive infection, whether, if you waited and watched long enough, the absence of a call that wasn't explainable would be sufficient to reassure. That's why I wondered if there was a standard that would indicate the length of such a time scale. I see now how netstat can be compromised and that at least from within the OS this activity would remain invisible (assuming it could retain stability).

The irony being that I have discovered that the Rootkit .ini file may indeed reference a pattern of behaviour - unfortunately the same file initiates hiding the very activity that would identify the pattern (at least from the compromised OS). It's actually very tidy.

Well, for me this has been a really useful thread. Many thanks everyone for all your help 8)

nick s
October 31st, 2005, 12:00 AM
-{ Quote: "...The irony being that I have discovered that the Rootkit .ini file may indeed reference a pattern of behaviour - unfortunately the same file initiates hiding the very activity that would identify the pattern (at least from the compromised OS), It's actually very tidy." }-

Unfortunately, the external .ini file, which could be seen in Safe Mode, is probably a thing of the past. Although, ATM, you have to pay for that feature. The latest free version of Hacker Defender runs in Safe Mode and hides its external .ini there as well.

Regarding identifiable-patterns-of-behavior, I would assume that the cracker knows that the trick to not getting caught is not to have any.

Nick