Is It Possible?????

  1. #1
    Junior Member
    Join Date
    Jul 2003
    Posts
    14

    Question Is It Possible?????

    Hi guys.....

    I've always wondered if it's possible for a trojan to hide active connections and/or listening port info, when a user types the netstat or netstat -an command?

    I know a firewall and an IDS are the best solution, but I've always wondered if it's possible for a trojan to do something like this.

    Thanks!

  2. #2
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    It might be able to hide listening info, but I don't think it can hide connections. I'm not too sure though, it probably can't hide either of them, although that would make it somewhat easy to find if you could tell it was listening just by netstat. Probably a good thing to do every now and then is a portscan on your comp, because then you can tell if you have anything listening on an unusual port. Hope this helps.

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    If it were set to wait for 5 minutes inactivity before it started, and die when you hit a key or moved the mouse then netstat will not find it because it is inactive?

    If you are monitoring activity....................they have to be active?

    Cheers

    BTW I do have a reputation for paranoia

  4. #4
    Banned
    Join Date
    Dec 2003
    Posts
    5
    I thought that it was possible..
    I know I've caught a Trojan before, I did a thorough check with an Anti Trojan program.
    And it didn't detect anything, but I still had a sneaking suspicion that there was one hiding somewhere.
    So anyhow I did the netstat command in the command prompt, and sure enough there it was..
    I soon disconnected from the net, and killed the little sucker..

    Anyhow I'm not sure if you can detect all Trojans this way, but hey I could be wrong..

    Cheers
    creative

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    If someone put a modified version of netstat on your machine it could 'hide' the open ports and the connections.

    You cannot truly hide the network traffic it'll generate tho. There are ways to prevent easy detection (like using icmp ping packets for communication) but even those can be sniffed once you know what to look for.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    Someone always does that to me: I start reading the post, have a solution, and then someone states it in the last post before I reply. Arhhh well, great minds think alike. Or something like that.

    SirDice came up with the way I would do it, modification of netstat. This would mean that when netstat is typed it only shows ports in a certain, now limited, range, or comes back with some bogus results.

    The bogus results are by far the easiest to create: replace the original netstat with one you have made in C. All the help information can be displayed the same, but when someone tries to see the network statistics it displays a list of made-up results.

    i2c

  7. #7
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    Another very original way is to deal with the OSI model in order to communicate under the layers generally captured by monitors/firewalls/sniffers. Some experimental trojans using this principle have already been published.
    But the probability of being infected by one of these is currently very low.
    Life is boring. Play NetHack... --more--

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Nice idea. But this doesn't do much if you're sniffing with a different, highly secured machine using a network interface that has no IP address (i.e. an IDS).
    Oliver's Law:
    Experience is something you don't get until just after you need it.
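
Added example (not part of any post in this thread): a cross-view check that combines the suggestions above, comparing what `netstat -an` reports as listening with what a TCP connect probe actually finds open. The sample netstat text is constructed and the function names are illustrative; the probe only sees TCP listeners reachable from where it runs.

```python
import re
import socket

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Matches Windows ("LISTENING") and Linux ("LISTEN", with Recv-Q/Send-Q columns) rows.
LISTEN_RE = re.compile(
    r"^\s*TCP\S*\s+(?:\d+\s+\d+\s+)?\S+:(\d+)\s+\S+\s+LISTEN(?:ING)?\s*$", re.I)

def netstat_listening_ports(text):
    """Return the set of TCP ports that the netstat output claims are listening."""
    ports = set()
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def probe_open_ports(host, ports, timeout=0.5):
    """Independent view: ports on host that accept a full TCP connection."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports

def unreported_listeners(netstat_text, probed_open):
    """Ports that answer on the wire but are missing from netstat's listing."""
    return sorted(set(probed_open) - netstat_listening_ports(netstat_text))

if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    seen = probe_open_ports("127.0.0.1", range(1, 1025))
    print("open but not in netstat:", unreported_listeners(out, seen))
```

A probe run on the same machine still depends on that machine's own network stack, so for the trustworthy view described in post #8 run `probe_open_ports` from a separate host and feed it the netstat text collected on the machine under suspicion.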
