Netx - ?

Discussion in 'Port Explorer' started by Q Section, May 11, 2003.

Thread Status:
Not open for further replies.
  1. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Hello Everybody

    PE and netstat both show open ports which on every list we know are reported as "unassigned". Upon every reboot the port numbers change (now they are 1140 & 1173) but everything else remains the same. During this investigation we saw some mention of "netx" and now can not re-find this reference. Netx appears to be related to either a server and/or Java. Can someone render some input please?

    HMSS Q Section
     

  2. Dan Perez

    Dan Perez Guest

    Can this be what you are looking for?

    http://jnlp.sourceforge.net/netx/index.html
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I've never seen explorer.exe in the list, but it seems ok here.
     
  4. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Hello Dan

    Yes we did see that info on that page but we actually have not got a clue what it means since we are not into programming and have not sought any special Java anything of which we are aware.

    Hello Jooske

    So... who would be in the know about this little question in PE? We want to completely nail down every last detail with the same proactive zeal you had (have) when you first started your security education. We do not know if you have seen some other posts of ours regarding TrueLaunch Bar and its plugins, but it uses Explorer to operate and parse the weather from a weather site. We have that set to update weather only once every hour; otherwise it should not be active. Perhaps it (TLB) is not releasing Explorer at all. We will contact the creator (author) about this question and report back. Once again thank you for your wisdom and expertise.

    HMSS Q Section
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Explorer.exe will show up in a couple of cases. Either you have typed a URL in the WINDOWS Explorer address bar and Windows has used that window to load its HTML controls and essentially become an iexplore.exe process.

    Or there could be a DLL loaded into explorer.exe so grab Process Explorer from www.sysinternals.com (we have a better tool coming soon but very hard to work on so much at once)

    With Process Explorer make sure it is set to show DLLs, usually you can click the yellow cog icon to switch to DLL module view.. then show us what you have loaded in explorer.exe

    Just one other thing :) Windows apps select random local ports for a connection, so looking up known apps by selecting "What is port x" could either show every app in existence or just trojans and very common services. When the local port is anywhere from 1025 to 4000 then it's usually going to be ok! This might seem a very general comment, however 99.9% of old trojans will show up red anyway :D
     
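    Gavin's two checks above, which process owns the port (and whether the local port is just a dynamic-range pick that will change each boot) and what DLLs sit inside explorer.exe, can be scripted. The following is an added example, not code from the thread, from Port Explorer or from DiamondCS: it parses a constructed `netstat -ano` snapshot (the XP/2003 format in which `-o` prints the owning PID) together with a hand-built PID-to-modules map of the sort Process Explorer's DLL view shows, and marks what a practitioner should look at next. Assumptions that are not from the thread: the dynamic port range is taken as 1025-4000 as stated in the post (XP's actual default is 1025-5000); every PID, port, path and module name in the sample data is made up; a DLL loaded from outside system32 or the process's own directory is treated as worth a second look, which is a heuristic, not proof of anything.

```python
"""Triage a Windows `netstat -ano` snapshot against per-process DLL lists.
Added example for this thread, not Port Explorer/DiamondCS code; stdlib only."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Dynamic local-port range as stated in the post (assumption; XP's real default
# is 1025-5000). A listener that binds port 0 gets a number from here each boot.
EPHEMERAL_RANGE = (1025, 4000)
KNOWN_SERVICE_PORTS = {135, 139, 445}      # expected on a stock NT/2000/XP box
TRUSTED_DIR = "c:\\windows\\system32\\"

# Constructed `netstat -ano` output (XP/2003 format; -o adds the PID column).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       780
  TCP    0.0.0.0:1140           0.0.0.0:0              LISTENING       1676
  TCP    127.0.0.1:1173         0.0.0.0:0              LISTENING       1676
  TCP    192.168.1.10:1182      203.0.113.5:80         ESTABLISHED     1912
  TCP    0.0.0.0:4433           0.0.0.0:0              LISTENING       1488
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> (image path, loaded modules), as Process Explorer's
# DLL view would show them. Every name and path here is made up.
PROCESSES: Dict[int, Tuple[str, List[str]]] = {
    4: ("System", []),
    780: ("c:\\windows\\system32\\svchost.exe", ["c:\\windows\\system32\\rpcss.dll"]),
    1676: ("c:\\program files\\java\\j2re1.4.1\\bin\\javaw.exe",
           ["c:\\program files\\java\\j2re1.4.1\\bin\\client\\jvm.dll"]),
    1912: ("c:\\windows\\explorer.exe",
           ["c:\\windows\\system32\\shdocvw.dll",
            "c:\\program files\\truelaunchbar\\plugins\\weather.dll"]),
    1488: ("c:\\windows\\system32\\svchost.exe", ["c:\\windows\\temp\\~svc.dll"]),
}

@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    foreign: str
    state: str                      # "" for UDP, which netstat prints without a state
    pid: int

@dataclass
class Finding:
    pid: int
    image: str
    port: int
    kind: str                       # ephemeral-listener / fixed-listener / client
    notes: List[str] = field(default_factory=list)

# One data row: proto, local ip:port, foreign address, optional state, PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text: str) -> List[Socket]:
    socks = []
    for line in text.splitlines():
        m = ROW.match(line)             # banner and column-header lines do not match
        if m:
            proto, ip, port, foreign, state, pid = m.groups()
            socks.append(Socket(proto, ip, int(port), foreign, state or "", int(pid)))
    return socks

def is_ephemeral(port: int) -> bool:
    return EPHEMERAL_RANGE[0] <= port <= EPHEMERAL_RANGE[1]

def foreign_modules(image_path: str, modules: List[str]) -> List[str]:
    """DLLs loaded from outside system32 and outside the image's own directory."""
    own_dir = image_path.lower().rsplit("\\", 1)[0] + "\\"
    return [m for m in modules if not m.lower().startswith((TRUSTED_DIR, own_dir))]

def triage(netstat_text: str, processes: Dict[int, Tuple[str, List[str]]]) -> List[Finding]:
    findings = []
    for s in parse_netstat(netstat_text):
        image, modules = processes.get(s.pid, ("<unknown pid>", []))
        listening = s.proto == "UDP" or s.state == "LISTENING"
        if not listening:
            kind = "client"                 # outbound: a random local port is normal
        elif is_ephemeral(s.local_port):
            kind = "ephemeral-listener"     # bound port 0; number changes every boot
        else:
            kind = "fixed-listener"
        f = Finding(s.pid, image, s.local_port, kind)
        if kind == "ephemeral-listener":
            f.notes.append("dynamic-range port; expect a new number each boot")
        if listening:
            f.notes.append("bound to " + ("loopback only" if s.local_ip == "127.0.0.1" else s.local_ip))
        for mod in foreign_modules(image, modules):
            f.notes.append("module outside system32/own directory: " + mod)
        findings.append(f)
    return findings

def needs_review(f: Finding) -> bool:
    """Unexpected fixed-port listener reachable from the network, or a process
    carrying a DLL from an unusual location (what the DLL-view check is for)."""
    odd_listener = (f.kind == "fixed-listener" and "bound to 0.0.0.0" in f.notes
                    and f.port not in KNOWN_SERVICE_PORTS)
    return odd_listener or any(n.startswith("module outside") for n in f.notes)

if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, PROCESSES):
        print("REVIEW" if needs_review(f) else "ok    ", f.pid, f.port, f.kind, f.image, f.notes)
```

Run against the sample, the two ephemeral listeners owned by javaw.exe are reported as just that (one of them loopback-only), which is the questioner's situation: a number that moves every boot is not by itself a sign of anything. What gets marked for review is explorer.exe carrying a plugin DLL from outside its own directory, and a svchost.exe that both listens on an unexpected fixed port on all interfaces and has a DLL loaded from the temp directory. On a real machine the two inputs come from `netstat -ano` (XP/2003; Windows 2000's netstat has no `-o`) and from Process Explorer's DLL view for the PID in question.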
  6. Dan Perez

    Dan Perez Guest

    HI QSection,

    I am afraid I am not a programmer either but I did a little more searching and found that JNLP is implemented, by default, within Java2 for implementation of certain Java applications. It is a required component for 'Web Start' applets.

    You may want to look at some of the listings of Web Start applications to see what is in common there with your own system usage.

    This link may help,

    http://lopica.sourceforge.net/faq.html#applinks

    Hope this helps
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    http://www.teamcti.com/pview/
    Digging on my system found this nice Process Viewer as well; it looks a lot like this Process Explorer and the Faber Toys, which all have possibilities to dig deeper into which DLLs and other stuff are used by a certain process. It's small and free too and shows the sizes of each element, which I still miss in Faber Toys. In FT I like among others the descriptions about each element, including what a certain DLL is meant to do, e.g.
    Gavin, this PV has a debugger function built in, you might like to look at it. And it has a command-line version shipping with it, easy for scripting and scheduling etc.
    Think Dan might think it worth a look as well!
     
  8. Dan Perez

    Dan Perez Guest

    I hadn't seen that one before, Jooske, but it seems very good.

    Thanks for the tip!
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You're welcome Dan.
    Think all these have their own handy details, and as all are small and free best grab them all.
    I also like from Sysinternals their Real time Registry Viewer, with which I expect that in case there is a nasty with registry keys we can see which it is using and delete the right one if needed.
    In fact, the registry activity from what we see in the Window logging in PE.

    They've lots of those handy tools there, as i guess about every internetter knows.
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    On the process viewer and loaded DLLs tool, we will release it tomorrow! :D

    Windows NT 2000 XP only sorry :eek:
    But it is very useful for trojans that load DLLs into other processes, those trojans are usually NT only too.

    I even manually removed a "rootkit" the other day with nothing but this tool ;) ..just by forcibly killing off DLLs inside many processes until the hidden EXE file showed up, which I killed and deleted. Rootkit gone! :) Not a true low level rootkit, but the files were invisible in Windows Explorer, and it would have been very hard to remove without this tool.

    ..ok, some processes and DLLs didn't cooperate with trying to unload the rootkit's DLLs, but we got there in the end by persevering :D
     
  11. Dan Perez

    Dan Perez Guest

    Sounds very interesting Gavin.

    I can't wait to try it out! :D
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Does it mean win9* users can still be victims, will the dangers not endanger win9* users, or will there be a tool for those users in future, or will we need to check with the monitoring tools mentioned from others even though these might not be able to get to those rootkits and whatever nasties?
    The tools you and I posted all work for all Windows versions; this is why I ask what the big difference technically is which makes them unavailable for the win9* series?
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    There are still DLL injecting and Win9x kernel modifying trojans, but the exact trojans are different. We may develop a Windows 9x tool which works similarly, however this is not a priority, sorry. Windows NT 2000 and XP are targeted by some trojans which only run on those systems, and use DLL injection techniques.

    Windows XP has really sold a lot of copies and is the most used OS now already from a few polls I have seen o_O Can't be sure, but now 2000 and XP occupy a large percentage of machines.

    Hopefully the beta release last night was tested enough to release soon, today or tomorrow :) It should be ok, it is very stable in my testing. Just another reason to somehow get onto Windows 2000 Jooske ! :D

    ..
    Windows 9x doesn't have CreateRemoteThread, which is used to create a new thread in another process. There are hacks which create a very similar function, however these are somewhat buggy and can crash the host process in many cases. It also simply doesn't work sometimes! I find this funny when analysing the trojans that try to do those things on a Win98 machine :)
     
  14. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    hey wait,
    what about some support for our w3.11 users like me :p
     
  15. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    So those of us using 98SE are a little better off regarding those particular trojans. Hmmm - great! Gavin - please also see this: www.google.com/press/zeitgeist.html and look down a little on the right of the page regarding o/s usages. Not to argue or be challenging but we knew that Google has been collecting this statistical information for awhile.
    Thank you for your great work. :)

    HMSS Q Section
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Thanks for that :D

    Windows XP is moving up fast isn't it.. ;) Well.. XP + 2000 + NT still means > 50 % :p
     