jvmorris (I Am The Man Who Was Not There), Premium, MVM
reply to Steve
Re: Analysis of Backstealth technology
Nice piece of work! Knew you couldn't resist!
For those like myself who aren't going to play with this baby,
-- How big is BackStealth.exe?
-- How big is BackStealth.dll?
Just for general sizing information.
Understand your comment on BackStealth.dll. Like CRv1, I suppose we ought to be damn glad that it doesn't do anything more than it currently does.
Re FindWindow(), now are you saying you KNOW it only searches for these signature windows or are you assuming that? If the former, then that would answer one of my questions as to whether it even tries to run with ZA/ZAP.
Re AdjustTokenPrivileges(), effectively Win 9X/ME users would consequently have no protection against this call (assuming it works on those OSs). Win NT/2K/XP users would have at least some protection running with a non-Admin account? (Which would be consistent with some recent posts by gwion in the Tiny-Kerio Program.)
As always, much thanks. (Warming up for the summer season, are you? )
Regards, Joseph V. Morris
Steve (I know your IP address), Consultant
Yorba Linda, CA
-- How big is BackStealth.exe? 58,368 bytes
-- How big is BackDLL.dll? 55,808 bytes
quote: Re FindWindow(), now are you saying you KNOW it only searches for these signature windows or are you assuming that?
I'm looking at the disassembled code, not strings in the binary: this is all it looks for. But in general, it's not in concept looking for "firewall processes" as it is "processes known to be trusted". My guess is that it could inject itself into IE with the same ease - most of the time IE is trusted as well, and this hidden worker thread would not likely go through all the security setup imposed by the browser.
quote: Re AdjustTokenPrivileges(), effectively Win 9X/ME users would consequently have no protection against this call (assuming it works on those OSs)
This is true in any case. On an operating system with no real hardware protection of memory (as you have on the Win 9x/ME), there is next to nothing you can do to keep really mal-intentioned code from behaving badly. It may be a lot of work, but once bad code gets the CPU, you're finished.
Edit: - typos
Stephen J. Friedl Security Consultant Tustin, California USA »www.unixwiz.net
[text was edited by author 2002-05-02 14:44:07]
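Two defender-side checks that follow from Steve's two answers above, as an added example; this is not code from the thread or from BackStealth, and it was not posted by either participant. It assumes Windows PowerShell 5.1 or later on an NT-family system (it does nothing useful on 9x/ME, which is the point of the second answer). The first function answers "does this account's token even hold SeDebugPrivilege for AdjustTokenPrivileges() to enable?"; the second lists modules loaded into a set of processes you consider trusted (your firewall's own processes, IE) whose file lives outside the Windows and Program Files trees, which is what a dropped worker DLL inside a trusted process would look like. The process name `firewall_placeholder` is a placeholder, not a name from the thread; substitute your own firewall's process names.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+.
# Placeholder process names below are NOT from the thread; substitute your own.

# 1. Is this account an Administrator, and does its token already hold
#    SeDebugPrivilege? AdjustTokenPrivileges() can only enable a privilege the
#    token holds; a plain user account on NT/2K/XP normally does not hold it,
#    which is the "some protection" a non-Admin account gives.
function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-DebugPrivilege {
    # 'whoami /priv' prints one privilege per line, name in the first column.
    $privs = whoami /priv 2>$null
    if (-not $privs) { return $false }
    return [bool]($privs | Select-String -Pattern '^SeDebugPrivilege\s' -Quiet)
}

# 2. Which modules in the trusted processes were loaded from somewhere other
#    than the OS or Program Files trees? A legitimately installed add-on can
#    show up here too, so treat hits as triage leads, not proof of injection.
function Get-UnexpectedModules {
    param(
        [string[]] $TrustedProcessNames,
        [string[]] $ExpectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    $procs = Get-Process | Where-Object { $TrustedProcessNames -contains $_.ProcessName }
    foreach ($proc in $procs) {
        # Reading .Modules can fail with access denied on protected processes.
        $mods = try { $proc.Modules } catch { @() }
        foreach ($m in $mods) {
            $inside = $false
            foreach ($root in $ExpectedRoots) {
                if ($root -and $m.FileName.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inside = $true; break
                }
            }
            if (-not $inside) {
                [pscustomobject]@{ Process = $proc.ProcessName; PID = $proc.Id; Module = $m.FileName }
            }
        }
    }
}

# Usage: run once as the account you want to assess.
"Running as admin: $(Test-IsAdmin); SeDebugPrivilege held: $(Test-DebugPrivilege)"
Get-UnexpectedModules -TrustedProcessNames @('firewall_placeholder', 'iexplore') |
    Format-Table -AutoSize
```

Run the same check from a non-Admin account and from an Administrator account and compare: the first line should flip, which is the concrete difference Joseph asked about. The module listing is only as good as the trust roots you pass in; if your firewall is installed somewhere other than Program Files, add that directory to `-ExpectedRoots` so its own DLLs are not reported.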