jvmorris
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

jvmorris to Steve

Re: Analysis of Backstealth technology

Steve,

Nice piece of work! Knew you couldn't resist!

For those like myself who aren't going to play with this baby,
-- How big is BackStealth.exe?
-- How big is BackStealth.dll?

Just for general sizing information.

Understand your comment on BackStealth.dll. Like CRv1, I suppose we ought to be damn glad that it doesn't do anything more than it currently does.

Re FindWindow(), now are you saying you KNOW it only searches for these signature windows or are you assuming that? If the former, then that would answer one of my questions as to whether it even tries to run with ZA/ZAP.

Re AdjustTokenPrivileges(), effectively Win 9X/ME users would consequently have no protection against this call (assuming it works on those OSs). Win NT/2K/XP users would have at least some protection running with a non-Admin account? (Which would be consistent with some recent posts by gwion in the Tiny-Kerio Program.)

As always, much thanks. (Warming up for the summer season, are you?)

Steve
I know your IP address

join:2001-03-10
Tustin, CA
-- How big is BackStealth.exe? 58,368 bytes
-- How big is BackDLL.dll? 55,808 bytes
quote:
Re FindWindow(), now are you saying you KNOW it only searches for these signature windows or are you assuming that?
I'm looking at the disassembled code, not strings in the binary: this is all it looks for. But in general, it's not in concept looking for "firewall processes" as it is "processes known to be trusted". My guess is that it could inject itself into IE with the same ease - most of the time IE is trusted as well, and this hidden worker thread would not likely go through all the security setup imposed by the browser.
quote:
Re AdjustTokenPrivileges(), effectively Win 9X/ME users would consequently have no protection against this call (assuming it works on those OSs)
This is true in any case. On an operating system with no real hardware protection of memory (as you have on the Win 9x/ME), there is next to nothing you can do to keep really mal-intentioned code from behaving badly. It may be a lot of work, but once bad code gets the CPU, you're finished.

Edit: - typos

Steve
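Steve's point is that the tool does not care about "firewall processes" as such, only about processes the user has already marked as trusted, and that it gets in by loading its own DLL into one of them. The cheap defender-side check that follows from that is to look at what a trusted process actually has loaded. The script below is an added example written for this thread, not code from Steve or from BackStealth; it uses only the standard `Get-Process` module list and `Get-AuthenticodeSignature`, and the process name `explorer` is a placeholder for whichever trusted process you want to inspect.

```powershell
# Added example: list DLLs loaded into a named process that were loaded from
# outside the Windows directory and outside the process's own install directory,
# and report whether each carries a valid Authenticode signature.
# $ProcessName is a placeholder; substitute the trusted process you care about.
param(
    [string]$ProcessName = 'explorer'
)

$windowsDir = $env:WINDIR
$cmp = [System.StringComparison]::OrdinalIgnoreCase

$results = foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    # Module enumeration needs read access to the target; skip processes we cannot open.
    try { $modules = $proc.Modules } catch { continue }

    # $proc.Path can be empty for processes we lack rights to; treat it as "no own dir".
    $exeDir = if ($proc.Path) { Split-Path -Parent $proc.Path } else { '' }

    foreach ($m in $modules) {
        $path = $m.FileName
        $fromTrustedDir = $path.StartsWith($windowsDir, $cmp) -or
                          ($exeDir -ne '' -and $path.StartsWith($exeDir, $cmp))
        if ($fromTrustedDir) { continue }

        # Anything loaded from an unexpected location gets its signature checked.
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Process   = $proc.ProcessName
            PID       = $proc.Id
            Module    = $path
            Signature = $sig.Status     # 'Valid', 'NotSigned', 'HashMismatch', ...
        }
    }
}

# Unsigned or tampered modules living outside the expected directories are the
# ones worth a second look in a process the firewall has been told to trust.
$results | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Run it from an elevated prompt so that `$proc.Modules` is readable for services. A hit here is an indicator, not a verdict: a validly signed DLL can still be an unwanted guest, and a thread injected without any DLL on disk will not appear in the module list at all. As Steve notes for Win 9x/ME, where the kernel cannot protect one process's memory from another, a check of this kind has nothing to stand on.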