What is Network Blackjack??

Discussion in 'malware problems & news' started by snapdragin, Jul 31, 2002.

Thread Status:
Not open for further replies.
  1. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    i checked TDS-3's System Analysis--Netstat to see what ports were opening/listening etc., and i've seen this here before but didn't really know what it was since i seem to have quite a few things in Netstat listed as listening. But this time i thought i'd check it out with a google search to see exactly what this Network Blackjack is. It's listening on port TCP 1025 (the other port listed there to the right is 20517)

    when i did a google search with just Network Blackjack the page wouldn't display....but when i reversed the names, a lot of gambling listed sites came up, some....seemed more than just gambling. :doubt:

    i went to the Internet Storm Centre and from what i think i am seeing, and probably not understanding, but this is looking like a trojan to me.......umm...is it?

    my TDS-3, NOD32, Trojan Hunter, AdAware+, Spybot Search&Destroy are all up to date, and i do regular scans, and nothing has alerted to anything suspicious or any suspicious ports.

    my firewall, Sygate Personal Firewall ver 5, doesn't show anything out of the ordinary...but then i am still getting used to reading the different IP's and packets. (i'm on cable and with a D-Link router/firewall....XP-Home, have XP's internal firewall disabled, and on a cable modem)

    i really hope someone can tell me that is not a trojan and i have nothing to worry about. But i'd sure like to know what it is that's listening.....i have never played BlackJack..~l~ and have not played any on-line gambling games on this pc.....or any other pc.

    (oh..did a deep files search of the entire HD and nothing came up even close to anything with that name or close to it)

    any enlightenment would be very much appreciated. :)
     
  2. Port 1025 is often one of the first ports used by the operating system for outbound connections, thus it is likely you will see outbound connections from port 1025. If you run netstat you will see something like:

    [ netstat -vatn
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
    tcp 0 0 1.2.3.4:1025 2.3.4.5:22 ESTABLISHED


    I would think that the reference to Network Blackjack is just the fact it also uses the port... but nothing to do with you.


    what proggie came up with this blackjack thing... TDS?


    This will give you an idea of what you are seeing if you read the page at this link... you will find Network Blackjack there.
    But you have nothing to worry about.

    http://www.glocksoft.com/Reports/PortScanner.htm



    AATools Port scanner detects active ports on the target machine and then it displays some kind of ad-hoc list of port assignments, some of which are registered assignments, some of which are unregistered uses, and some of which are just guesses about whether a port might be used by a Trojan.
    Port Description/Possible Trojan simply shows what trojans and programs are known to commonly use a particular port. For example, a port description on port 25 shows this: SMTP - Simple Mail Transfer Protocol, RATs: Ajan, Antigen, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy. That doesn't mean that you're infected with all of those trojans! It just lets you know which trojans and programs have been known to frequent that port.
     
  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    hi MyNetThingyMan!

    Thank you for your reply!

    yes, i used TDS-3's Netstat.....
    i have quite a few things there showing as listening.....but none of them seem to be anything out of the norm (but then i am still quite the newbie when it comes to anything network-wise....have only had the D-link and XP-Home since March/02 and still trying to figure out what belongs to what and why) ~l~

    i looked a li'l deeper for some information on this and from one of my searches a forum where they were discussing Network BlackJack, someone there posted a link about that port.

    http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/ntwrkstn/reskit/port_ntw.asp

    you'd have to scroll down just about to the bottom of that page before it gives reference to that name.
    -------------------------------
    "Table C.2 Port Assignments for Registered Ports"
    1025/tcp, udp blackjack Network blackjack
    ------------------------------

    i am still not sure what blackjack really is all about...but it looks like it is not a trojan ~whew~ :)
    but i sure wish they'd use another less suspicious name for it! LOL

    *fixed my url
     
  4. "but it looks like it is not a trojan "

    Yes it is.. :) but you do not have it.
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    i have seen a similar description somewhere while i was trying to learn more about the different ports-------and i think i *GULPED* when i saw all those nasties listed......of course....full scan of everything!!

    thank you again for putting my mind at ease.... :D
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    no no.....you WERE putting my mind at ease LOL!
    don't stop now!
     
  7. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    There was a networked blackjack game (also known as 21) that was available and connected on port 1025. I think port 1025 was officially assigned to network blackjack (back in the old days). This game associates with that port. Go to DOS (start-->run---> cmd) and type 'netstat -an', look for anything with port 1025 (or use TDS and Active Ports from http://www.ntutility.com/freeware.html) ;). Now close another program and look again. If after closing all visible programs the port 1025 stays open, hit control-alt-delete once and exit everything but explorer. If that port is still open, you may have a trojan horse running...

    There are several trojan horses (that I can recall right now) using port 1025: NetSpy, Maverick's Matrix, and RemoteStorm...


    Technodrome
     
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    hi Technodrome :)

    i did the netstat -an and it only showed one instance of port 1025:

    Proto Local Address Foreign Address State
    TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING

    (didn't list the other ports there since most refer to my pc)

    i don't have the ctl-alt-del on this XP-Home pc.....but if i go to Task Manager....well....darn, i could be hours there shutting things down and hoping i'm not disconnecting myself. i am using XP-Antispy3, and i manually shut down Creative's iM tuner as soon as i start the pc....but those other svchost.exe's that run with XP, just spin me in circles trying to figure out what they belong to.

    i'll go for anything that looks like it isn't necessary first....then i'll post back, but it may be awhile. LOL!

    thank you! :)
     
  9. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    ctl-alt-del-----> win task manager----->processes---->end process . but i bet you already knew this ;) .


    Technodrome
     
  10. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    This is what TDS-3 showed Port 1025 as;
    The Active Port program showed the svchost.exe's Process ID (PID) as 1000 (that is a great li'l program Technodrome!)
    and after trying each svchost.exe in the TaskManager, i finally found the one that shut down Port 1025. (WOW...it sure is taking a lot of memory)
     

  11. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    but it still didn't tell me what the svchost.exe was exactly and with it using that much memory...i wanted to find out.

    LOL!! THIS was a learning experience!

    i went into the Advanced System Information panel, but the Process ID for each running service wasn't listed (oversight on M$ there because it sure would have made it easier)....so i copied a before and after. These 14 services stopped running when i shut down Port 1025 and the svchost.exe that's listening on it:

    *WZCSVC svchost.exe -k netsvcs Stopped Auto
    *TrkWks svchost.exe -k netsvcs Stopped Auto
    *TermService svchost.exe -k netsvcs Stopped Manual
    *srservice svchost.exe -k netsvcs Stopped Auto
    *ShellHWDetection svchost.exe -k netsvcs Stopped Auto
    *seclogon svchost.exe -k netsvcs Stopped Auto
    *Schedule svchost.exe -k netsvcs Stopped Auto
    *Netman svchost.exe -k netsvcs Stopped Manual
    *lanmanworkstation svchost.exe -k netsvcs Stopped Auto
    *lanmanserver svchost.exe -k netsvcs Stopped Auto
    *Dhcp svchost.exe -k netsvcs Stopped Auto
    *CryptSvc svchost.exe -k netsvcs Stopped Auto
    *Browser svchost.exe -k netsvcs Stopped Auto
    *AudioSrv svchost.exe -k netsvcs Stopped Auto
    -------------

    if i have a trojan...i think i need it! ;)

    i don't, do i....
    but why would all these services have to be listening on a port?
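
Added example, not part of any post in this thread: the port-to-service lookup done by hand above (ending each svchost.exe in turn) can be done without stopping anything by joining `netstat -ano` output to `tasklist /svc` output on the PID. The sample text, addresses, PIDs and the names `proxy.exe`, `chat.exe`, `parse_tasklist` and `listeners` are constructed for this example.

```python
import re
# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1000
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       1432
  TCP    192.168.0.10:1046      203.0.113.7:5190       ESTABLISHED     1560
"""
# Constructed sample of `tasklist /svc` output; long service lists wrap.
TASKLIST = """\
Image Name                     PID Services
========================= ======== ==================================
svchost.exe                   1000 AudioSrv, Browser, CryptSvc, Dhcp,
                                   lanmanserver, lanmanworkstation
proxy.exe                     1432 N/A
chat.exe                      1560 N/A
"""

def parse_tasklist(text):
    """Map PID -> (image name, [services]), joining wrapped service lines."""
    procs, pid = {}, None
    for line in text.splitlines():
        m = re.match(r"(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if m:                                   # first line of a process entry
            pid, svc = int(m.group(2)), m.group(3)
            procs[pid] = (m.group(1), [])
        elif pid is not None and line[:1].isspace():
            svc = line                          # wrapped continuation line
        else:
            continue                            # header or separator row
        names = (s.strip() for s in svc.split(","))
        procs[pid][1].extend(n for n in names if n and n != "N/A")
    return procs

def listeners(netstat_text, tasklist_text):
    """One record per LISTENING TCP socket: port, owning process, hosted services.
    all_interfaces is True for 0.0.0.0 / [::] and False for loopback-only binds."""
    procs = parse_tasklist(tasklist_text)
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or f[3] != "LISTENING":
            continue                            # header, UDP or non-listening row
        addr, port = f[1].rsplit(":", 1)
        image, services = procs.get(int(f[4]), ("unknown", []))
        found.append({"port": int(port), "pid": int(f[4]), "image": image,
                      "services": services, "all_interfaces": addr in ("0.0.0.0", "[::]")})
    return found

if __name__ == "__main__":
    print(*listeners(NETSTAT, TASKLIST), sep="\n")
```

The record for port 1025 names the owning svchost.exe and every service it hosts, which is the information a port-name table such as "Network blackjack" cannot give.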
     
  12. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    LOL!....of course i knew that!! (i, just forgot) :rolleyes:
     
  13. Rickster

    Rickster Guest

    My XP is lean and always has 18 to 20 system32/svchost ports listening. Others, like Proxo, listen on 8080, which if you look up is a port for “proxy [but also] RAT’s: Brown Orifice, RemoteConChubo, RingZero." As Techno said, some ports are named for the Trojans known to use them, or previously assigned services. When you see 0.0.0.0:port# using 0.0.0.0. the service is dormant but only listening, that’s all. One is Port 135 – RPC, Remote Procedure Location Service using 0.0.0.0.: to some unassigned port. Some are loop backs to other system32 services to communicate with each other. Others listen for automatic updates via your security programs, or MS updates.

    You can go nuts trying to figure out everything using svchost that listens, but don't let the "handle" given the port name worry you, it's not always related. Considering what you’re using, you’re well protected. Use TDS Net Stat frequently, but focus on the Established TCP and Remote TCP Connection tabs primarily. When off-line, mine are always blank there, unless my e-mail and AV program are checking for mail – anything else would get my undivided attention. As you saw when you shutdown svchost on 1025 – see all the relevant services that went down with it. It’s safe to leave it be. I bet if you scan each of those ports, they'll show closed or stealthed too.
     
  14. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    You've got no Trojan Horse on your system!

    If you want to know more about those services including svchost.exe go to this site:

    http://www.blackviper.com/


    Technodrome
     
  15. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    :) MyNethingieMan, Technodrome, and Rickster.....thank you very much for your help and guidance!

    MNM---i looked at the Advanced Administrative Tools (especially that Process Monitor) at G-Lock Software...WOW! Even though it's a bit up there in price, given it's an 11 in 1 utilities makes it very tempting just to d/l the trial version and see what it comes up with. Have you tried this program yourself?

    Rickster---yup, you are right! most of the ports that show up in Netstat are with the 0.0.0.0. and just listening (usually only one that shows Established is icq when i have it on).....but you have up to 80 listening all at once?? woooo! mine only shows 3-4 listening. (not as worried now! thanks!) :D

    Technodrome---thank you again for your help, and i feel confident i don't have a trojan on either pc now. The "Active Port" program is really sweet! Do you know if they have an earlier version of that, that would work on Win98se or WinME....or would the one listed for XP there, also work on earlier OS?

    thanks again everyone!
     
  16. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    NP snapdragin! ;)

    Active Ports will only work with nt/2000/xp systems!


    Technodrome
     