-
May 18th, 2003, 12:44 PM
#1
Junior Member
Trojans without listening ports
A few years back I wanted to run all ports on my Windows box in full stealth mode and still have a FULL range of access options from the internet. I wrote a program that every few minutes parsed ZoneAlarm logs for a pair of specified connection attempts within a specified time frame. If found, a small server would open that I could start and stop processes for access to various other servers. I was planning to develop an application to do this directly without ZoneAlarm but it hit me, an open port need not acknowledge its presence to any kind of query (duh). So I accomplished the same thing on a standard (stealth open) port.
The question then becomes how would you trace such a trojan when about any windows component even your device drivers can be full stealth servers.
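The log-parsing trick in post #1 is, from the defender's side, also the detection signature: a source that hits two specific closed ports within a short window is exactly what a threat hunter should look for in the firewall log. The script below is an added example, not the poster's program; it parses constructed sample lines in a ZoneAlarm-style FWIN format (the layout is an assumption, adjust the regex for your firewall) and reports any source address that hits `first_port` and then `second_port` within `window_seconds`.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a ZoneAlarm-style "FWIN" layout (assumed format:
# event,date,time zone,src:port,dst:port,protocol). Lines are chronological.
SAMPLE_LOG = """\
FWIN,2003/05/18,12:40:01 -5:00 GMT,203.0.113.7:4021,192.168.1.10:1433,TCP (flags:S)
FWIN,2003/05/18,12:40:03 -5:00 GMT,203.0.113.7:4022,192.168.1.10:8081,TCP (flags:S)
FWIN,2003/05/18,12:41:30 -5:00 GMT,198.51.100.9:3300,192.168.1.10:135,TCP (flags:S)
FWIN,2003/05/18,12:50:00 -5:00 GMT,198.51.100.9:3301,192.168.1.10:1433,TCP (flags:S)
FWIN,2003/05/18,12:58:00 -5:00 GMT,198.51.100.9:3302,192.168.1.10:8081,TCP (flags:S)
"""

LINE_RE = re.compile(
    r"^FWIN,(?P<date>\d{4}/\d{2}/\d{2}),(?P<time>\d{2}:\d{2}:\d{2})[^,]*,"
    r"(?P<src>[\d.]+):\d+,(?P<dst>[\d.]+):(?P<dport>\d+),(?P<proto>\w+)"
)


def parse_log(text):
    """Yield (timestamp, source_ip, destination_port) for each blocked inbound line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not blocked inbound events
        ts = datetime.strptime(m["date"] + " " + m["time"], "%Y/%m/%d %H:%M:%S")
        yield ts, m["src"], int(m["dport"])


def find_knock_pairs(text, first_port, second_port, window_seconds):
    """Return (src, first_hit_time, second_hit_time) for every source that hit
    first_port and then second_port within window_seconds (log assumed chronological)."""
    hits = []
    last_first = {}  # src -> timestamp of its most recent hit on first_port
    for ts, src, dport in parse_log(text):
        if dport == first_port:
            last_first[src] = ts
        elif dport == second_port and src in last_first:
            delta = ts - last_first[src]
            if timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                hits.append((src, last_first[src], ts))
    return hits


if __name__ == "__main__":
    # Hunt for the constructed knock pair 1433 -> 8081 within one minute.
    for src, t1, t2 in find_knock_pairs(SAMPLE_LOG, 1433, 8081, 60):
        print("possible knock sequence from %s: %s then %s" % (src, t1, t2))
```

With the one-minute window only 203.0.113.7 is reported; 198.51.100.9 hits the same pair eight minutes apart and is ignored, which is the tuning trade-off: the wider the window, the more ordinary scanner noise is flagged.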
-
May 18th, 2003, 12:55 PM
#2
Ports may not show up in netstat but when you perform a portscan on your own computer it has to show up.
Use nmap to scan your own computer.
nmap uses different techniques on your ports like syn scanning or rst scanning.
I hope that helps.
-
May 18th, 2003, 01:12 PM
#3
Junior Member
If the server ever accepted a connection of any kind it would show up but the one I wrote does not accept any connections nor respond in any way. It simply reads the packet and drops it. Yes netstat sees a listening port locally but nmap sees nothing locally or remotely. It acts just like any other stealth mode port to a scan.
-
May 18th, 2003, 01:28 PM
#4
If it does not accept connections it would not be a trojan I guess.
I am sorry if I misunderstood your question.
-
May 18th, 2003, 01:44 PM
#5
Junior Member
It does not have to accept a connection in order to perform an action on the local computer based on the attempted connection(s). What I am using is different than the concept trojan that I spoke of. The concept trojan would not show up with netstat, Nmap, or anything else. Of course you could have the trojan use any other application on the machine to make the connection and do all the dirty work.
-
May 18th, 2003, 02:20 PM
#6
Sorry for the off-topic here, my example is based on a *nix trojan.
There is a trojan for unix/linux which is very hard to detect. As far as I'm aware, there's only one tool to find that specific trojan. It's a very rare trojan, actually it's a lot more than a simple trojan. It does not sit and listen on a port like other trojans, it does not show up on any process listing nor on any netstat or nmap, it only shows up with its antidote. This trojan is called KIS (kernel intrusion system) made by 0ptyx. It's by far the most advanced trojan tool I have ever seen. It actually sits inside the kernel itself. Even IDS cannot pick up the setup of this trojan. On the other hand, normal users have nothing to fear, since the trojan KIS is used very rarely and its target is mainly very high security boxes. I have never heard of this trojan infecting a home user, or even a small private company.
Cheers.
Ubuntu-: Means in African : "Im too dumb to use Slackware"
-
May 18th, 2003, 02:54 PM
#7
The program you are referring to is actually a rootkit and there are more.
Rootkits come from the unix/linux world but are becoming more and more targeted for Windows. For some (?) reason *nix is a better target I guess.
It depends on Loadable Kernel Modules like 'adore'.
It modifies system calls like ps etc.
You could also try t0rnkit.
-
May 18th, 2003, 02:58 PM
#8
Yip, you are right. Sorry for calling it a trojan. I'm not very keen on using them
Thx for correcting me there noodle.
Cheers.
Ubuntu-: Means in African : "Im too dumb to use Slackware"
-
May 18th, 2003, 04:08 PM
#9
A covert remote-control program (which may or may not technically be a trojan) can work without opening "ports" in at least two ways:
1. Hijack existing network traffic, for example, direct your web browser to do its network IO for it, or send and receive messages using your mail program. The latter was described in a security journal I read a few years back.
2. Use network protocols which don't use ports, for example ICMP. I wrote a small proof-of-concept for Windows that uses ICMP messages (no, not pings), and it worked under NT4 (I used a Linux box to generate the packets though).
Neither of these would show up.
To avoid trojans, don't run untrusted binaries.
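Post #9's second point, a channel over ICMP messages that are not pings, is detectable precisely because such traffic looks nothing like the echo, unreachable and time-exceeded messages a host normally receives. The parser below is an added example and not the poster's proof-of-concept: it decodes a raw ICMP message (the bytes after the IP header), verifies the RFC 1071 checksum, and returns a list of reasons the message deserves a second look. The set of "expected" types and the 64-byte payload threshold are assumptions chosen for the example; the sample messages are constructed with the included `build_icmp` helper.

```python
import struct

# ICMP types (RFC 792) that an endpoint commonly receives. Anything else arriving
# unsolicited is unusual for a workstation; this list is an assumption for the example.
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
EXPECTED_TYPES = {ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED}
MAX_NORMAL_PAYLOAD = 64  # assumed threshold; typical ping payloads are 32 to 56 bytes

HEADER = "!BBHI"  # type, code, checksum, rest-of-header (8 bytes)


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data = data + b"\x00"  # pad odd-length data for 16-bit summation
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # fold carries back in
    return (~total) & 0xFFFF


def build_icmp(msg_type, code, payload, rest=0):
    """Construct an ICMP message with a correct checksum (used only to build samples)."""
    header = struct.pack(HEADER, msg_type, code, 0, rest)
    csum = icmp_checksum(header + payload)
    return struct.pack(HEADER, msg_type, code, csum, rest) + payload


def inspect_icmp(msg):
    """Return the list of reasons this raw ICMP message looks anomalous (empty = normal)."""
    if len(msg) < 8:
        return ["truncated ICMP header"]
    msg_type, code, csum, rest = struct.unpack(HEADER, msg[:8])
    payload = msg[8:]
    reasons = []
    # For a valid message the checksum over the message including its checksum
    # field folds to 0xFFFF, so the complement is 0.
    if icmp_checksum(msg) != 0:
        reasons.append("bad checksum")
    if msg_type not in EXPECTED_TYPES:
        reasons.append("unusual type %d" % msg_type)
    if len(payload) > MAX_NORMAL_PAYLOAD:
        reasons.append("oversized payload (%d bytes)" % len(payload))
    return reasons


if __name__ == "__main__":
    # Constructed samples: a Windows-style echo request, an unassigned type, a fat reply.
    samples = {
        "ping": build_icmp(ECHO_REQUEST, 0, b"abcdefghijklmnopqrstuvwabcdefghi", rest=0x00010001),
        "odd type": build_icmp(37, 0, b"\x00" * 16),
        "big reply": build_icmp(ECHO_REPLY, 0, b"A" * 200),
    }
    for name, raw in samples.items():
        print("%-10s -> %s" % (name, inspect_icmp(raw) or "looks normal"))
```

On a real sensor the same three checks would run over the ICMP portion of captured packets; the type check alone separates the covert channel the poster describes from everyday ping and traceroute traffic, and the size check catches data smuggled inside otherwise legitimate echo messages.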
-
May 18th, 2003, 08:02 PM
#10
Junior Member