-
Is It Possible?????
Hi guys.....
I've always wondered if it's possible for a trojan to hide active connections and/or listening port info, when a user types the netstat or netstat -an command?
I know a firewall and an IDS is the best solution, but I've always wondered if it's possible for a trojan to do something like this.
Thanks!
-
It might be able to hide listening info, but I don't think it can hide connections. I'm not too sure though, it probably can't hide either of them, although that would make it somewhat easy to find if you could tell it was listening just by netstat. Probably a good thing to do every now and then is a portscan on your comp, because then you can tell if you have anything listening on an unusual port. Hope this helps.
-
If it were set to wait for 5 minutes of inactivity before it started, and to die when you hit a key or moved the mouse, then netstat would not find it because it is inactive?
If you are monitoring activity... they have to be active?
Cheers
BTW I do have a reputation for paranoia :D
-
I thought that it was possible.
I know I've caught a Trojan before. I did a thorough check with an anti-Trojan program,
and it didn't detect anything, but I still had a sneaking suspicion that there was one hiding somewhere.
So anyhow I did the netstat command in the command prompt, and sure enough, there it was.
I soon disconnected from the net and killed the little sucker.
Anyhow, I'm not sure if you can detect all Trojans this way, but hey, I could be wrong.
Cheers
creative
-
If someone put a modified version of netstat on your machine, it could 'hide' the open ports and the connections.
You cannot truly hide the network traffic it'll generate, though. There are ways to prevent easy detection (like using ICMP ping packets for communication), but even those can be sniffed once you know what to look for.
-
Someone always does that to me: I start reading the post, have a solution, and then someone states it in the last post before I reply. Ah well, great minds think alike. Or something like that :)
SirDice came up with the way I would do it: modification of netstat. This would mean that when netstat is typed it only shows ports in a certain, now limited, range, or comes back with some bogus results.
The bogus results are by far the easiest to create: replace the original netstat with one you have made in C. All the help information can be displayed the same, but when someone tries to see the network statistics it displays a list of made-up results.
i2c
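The two posts above describe a trojaned netstat binary that simply leaves certain ports out of its output. As an added example (not code from SirDice, i2c or anyone else in this thread), the following Python script shows the cross-check a defender would run against that trick on a Linux host: it reads the kernel's own socket table (/proc/net/tcp), which a replaced userland netstat cannot alter, and reports any socket the kernel knows about that `netstat -an` did not print. It also covers the earlier suggestion of port-scanning your own box from outside, by comparing a list of scanned-open ports against what netstat claims is listening. The /proc/net/tcp and netstat samples, including the hidden port 4444, are constructed for this example; the function names are my own.

```python
"""Cross-check netstat's view of TCP sockets against the kernel's /proc/net/tcp.

A trojaned netstat binary can filter what it prints, but it cannot change what
the kernel reports in /proc, so any socket present in /proc/net/tcp and absent
from netstat's output is suspicious.  Caveats: Linux and IPv4 only (/proc/net/tcp6
is not parsed here), and a kernel-level rootkit that hooks /proc itself would
defeat this check too; this catches the modified-netstat case the thread discusses.

All sample inputs below are constructed for this example.
"""

import re

# State codes as used in /proc/net/tcp, mapped to the names netstat prints.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def _decode_addr(hex_addr):
    """Turn '0100007F:0016' (little-endian hex IPv4, hex port) into ('127.0.0.1', 22)."""
    ip_hex, port_hex = hex_addr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(0, 8, 2)]
    ip = ".".join(str(o) for o in reversed(octets))  # /proc stores the address little-endian on x86
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return a set of (local_ip, local_port, state_name) from /proc/net/tcp content."""
    sockets = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, port = _decode_addr(fields[1])           # local_address column
        sockets.add((ip, port, TCP_STATES.get(fields[3], fields[3])))  # st column
    return sockets


# Matches a `netstat -an` IPv4 TCP line: proto, Recv-Q, Send-Q, local, foreign, state.
NETSTAT_LINE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(\S+)")


def parse_netstat(text):
    """Return a set of (local_ip, local_port, state_name) from `netstat -an` output."""
    sockets = set()
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line.strip())
        if m:
            sockets.add((m.group(1), int(m.group(2)), m.group(3)))
    return sockets


def hidden_sockets(proc_text, netstat_text):
    """Sockets the kernel reports that netstat did not print."""
    return parse_proc_net_tcp(proc_text) - parse_netstat(netstat_text)


def unexplained_open_ports(scanned_ports, netstat_text):
    """Ports an external port scan found open that netstat on the host does not show as LISTEN."""
    listening = {port for _, port, state in parse_netstat(netstat_text) if state == "LISTEN"}
    return sorted(set(scanned_ports) - listening)


# Constructed /proc/net/tcp: sshd on 22, a local SMTP listener, a listener on 4444,
# and one established SSH session.  0x115C == 4444.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11112 1 0000000000000000 100 0 0 10 0
   2: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11113 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:0016 1400000A:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 11114 1 0000000000000000 100 0 0 10 0
"""

# Constructed output of a trojaned `netstat -an` that silently drops the 4444 listener.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.10:22            10.0.0.20:50082         ESTABLISHED
"""


if __name__ == "__main__":
    for ip, port, state in sorted(hidden_sockets(SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT)):
        print(f"hidden from netstat: {ip}:{port} {state}")
    # Constructed result of scanning the host from another machine.
    for port in unexplained_open_ports([22, 4444], SAMPLE_NETSTAT):
        print(f"open from outside but not listed by netstat: {port}")
```

On a real host you would replace the samples with `open("/proc/net/tcp").read()` and the captured output of `netstat -an`; the point is that the two views come from different code paths, so a modified userland binary has to lie consistently to both to go unnoticed.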
-
Another very original way is to deal with the OSI model in order to communicate under the layers generally captured by monitors/firewalls/sniffers. Some experimental trojans using this principle have already been published.
But the probability of being infected by one of these is currently very low.
-
Nice idea :D But this doesn't do much if you're sniffing with a different, highly secured machine using a network interface that has no IP address (an IDS, for example).