Tools | Inzider allows the user to see the applications running on the system along with the listening ports they are using. Inzider is not infallible: it is possible for an application that holds a listening port open to hide from Inzider's probes. Still, Inzider provides a quick health check that may help in identifying some of the less advanced Trojans floating around. |
Inzider makes no registry or INI file changes, which, together with its size (under 100K), makes it easily portable. Inzider can sometimes find running applications that netstat misses. The "PID" shown is the Process ID that the system uses to distinguish the running program from the others running at the same time. Inzider can also verify which program is holding a listening port open.
Unfortunately Inzider is not 100% effective. It runs on Win95, Win98 and NT-based systems, but on Windows NT/2000/XP it is still unable to check processes started as services. While Inzider is useful for taking a first look at the system's health, some additional checks are in order to ensure that the system is secure.
Tools | Senna Spy Trojan generator is a program billed as a world first, in that it can build a customized Trojan for the user in a matter of minutes. The Trojan is controlled over telnet, so the controlling side can be any operating system with a telnet client. The default port this Trojan opens is port 11000, but this is configurable. Another feature of this Trojan is the ability to access the infected computer's file system with an FTP client such as CuteFTP or WS_FTP; this aspect of Senna Spy is pretty scary because it gives the hacker the power to download and upload any file of choice. The tool comes with its own generator and uses VBScript. |
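The check that Inzider and the Senna Spy description above both point at is the same one: list every listening socket, map it to the process that owns it, and ask whether that listener is expected. As an added example (not Inzider's code and not part of the original page), the Python below performs that check over the output of the Windows commands `netstat -ano` and `tasklist`. The sample output, the allow-list `EXPECTED_LISTENERS` and the function names are constructed for this example; the only page-supplied value is Senna Spy's default port 11000, which is used to label a matching listener.

```python
"""Listening-port inventory check, added as an illustration of what Inzider does.

It parses `netstat -ano` (the -o column is the owning PID) and `tasklist`,
maps every LISTENING socket to its process and reports listeners that are
not in an administrator's allow-list.  All sample output is constructed.
"""
import re

# Constructed sample of `netstat -ano` output (Windows format).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:11000          0.0.0.0:0              LISTENING       1744
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       2020
  TCP    192.168.1.10:1054      192.168.1.20:80        ESTABLISHED     1208
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of `tasklist` output.  PID 2020 is deliberately absent,
# modelling the page's point that a process can hide from the probe.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         28 K
svchost.exe                    892 Console                    0      3,812 K
iexplore.exe                  1208 Console                    0     14,220 K
server.exe                    1744 Console                    0      1,104 K
"""

# Hypothetical allow-list: (protocol, port, image name) an admin expects here.
EXPECTED_LISTENERS = {
    ("TCP", 135, "svchost.exe"),
    ("TCP", 445, "System"),
    ("UDP", 137, "System"),
}

# Ports the page associates with a known Trojan (Senna Spy's default).
SUSPECT_PORTS = {11000: "Senna Spy default control port"}


def parse_tasklist(text):
    """Return {pid: image_name} from `tasklist` output."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids


def parse_netstat(text):
    """Return [(proto, local_port, pid)] for LISTENING TCP sockets and all
    UDP sockets (UDP rows carry no State column in netstat output)."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])   # works for [::]:135 as well
        if proto == "TCP":
            if parts[3] != "LISTENING":
                continue
            pid = int(parts[4])
        else:
            pid = int(parts[-1])
        listeners.append((proto, port, pid))
    return listeners


def audit(netstat_text, tasklist_text, expected=EXPECTED_LISTENERS):
    """Map each listener to its process and return the unexpected ones."""
    names = parse_tasklist(tasklist_text)
    findings = []
    for proto, port, pid in parse_netstat(netstat_text):
        name = names.get(pid, "<unknown pid>")
        if (proto, port, name) in expected:
            continue
        if pid not in names:
            reason = "owning PID has no tasklist entry (hidden process or race)"
        else:
            reason = SUSPECT_PORTS.get(port, "listener not in allow-list")
        findings.append({"proto": proto, "port": port, "pid": pid,
                         "process": name, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{f['proto']}/{f['port']} pid={f['pid']} {f['process']}: {f['reason']}")
```

On a real host the two text blocks would come from the live command output; note that `netstat -o` (the PID column) exists only from Windows XP onward, so on the Win9x/NT/2000 systems the page lists this mapping is exactly what a tool like Inzider had to supply. The check inherits netstat's blind spots, which is the page's own caveat: a listener netstat does not report will not appear here either.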
Tools | The Hard Drive Killer Pro series of programs offers the ability to fully and permanently destroy all data on any given DOS or Win3.x/9x/NT/2000 based system. Once run, it goes about destroying every hard drive in the computer. The person only needs to run it for a few seconds; even if they exit the program before it has finished with their hard drive, it will continue from where it left off when the machine restarts. So there is no escape. |
The program, once executed, starts eating up the hard drive and/or infects it and reboots the machine within a few seconds. After the reboot, all hard drives attached to the system are formatted (in an unrecoverable manner) within only 1 to 2 seconds, regardless of the size of the hard drive.
HDKP 4.0's EXE edition is the same as its .bat edition: the EXE is a compressed wrapper that, when executed, extracts the BAT file and runs it. Hard Drive Killer Pro 5.0 is also due to be released in DOS (exe) and DOS (bat) versions; these editions should be noticeably smaller in size.
Hard Drive Killer Pro (and some of its previous versions) totally eliminates the data on the hard drive and kills the FAT (that is, the File Allocation Table; we are not talking about fat cells) of the computer it is used on.
Windows File Protection detects attempts by other programs to replace or move a protected system file. Windows File Protection checks the file's digital signature to determine if the new file is the correct Microsoft version. If the file is not the correct version, Windows File Protection either replaces the file from the backup stored in the Dllcache folder or from the Windows 2000 CD. If Windows File Protection cannot locate the appropriate file, it prompts you for the location. Windows File Protection also writes an event to the event log, noting the file replacement attempt.
File Signature Verification checks which system files are digitally signed and displays its findings. To start File Signature Verification, click Start, click Run, and then type sigverif.
System File Checker (sfc.exe) is a command line utility that scans and verifies the versions of all protected system files after you restart your computer. If System File Checker discovers that a protected file has been overwritten, it retrieves the correct version of the file from the %systemroot%\system32\dllcache folder, and then replaces the incorrect file.
Syntax:
sfc [/scannow] [/scanonce] [/scanboot] [/cancel] [/quiet] [/enable] [/purgecache] [/cachesize=x]
Countermeasure | Originally released in 1992 by Gene Kim and Dr. Eugene Spafford (of the COAST Laboratory at Purdue University), Tripwire for Servers is one of the first examples of a general file integrity assessment tool. Written for the UNIX environment, and now available for Windows NT/2000, it gives system administrators the ability to monitor file systems for added, deleted, and modified files. Tripwire software works by creating a baseline "snapshot" of the system. |
It stores the snapshot in a database, and then verifies the system's integrity by checking its current state against the baseline. By comparing the current system to a snapshot of how the system should look, Tripwire software quickly and accurately identifies any added, changed, or deleted files. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc.
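Windows File Protection, System File Checker and Tripwire all rest on the same idea: record what the protected files should look like, then compare the live system against that record. The Python below is an added example (not Tripwire's, Microsoft's or the page's own code) of the baseline-and-compare cycle the Tripwire passage describes: a snapshot of every file's SHA-256 digest, size and modification time is saved as a JSON database, and a later snapshot is classified into added, changed and deleted files. The directory layout, file names and contents in `demo()`, and the function names themselves, are constructed for the example.

```python
"""Minimal file-integrity baseline in the style the Tripwire text describes.

snapshot() records the attributes the page lists as "should not change"
(binary signature as SHA-256, size, mtime); compare() reports added,
deleted and changed files against a stored baseline.  Added example only.
"""
import hashlib
import json
import os
import shutil
import tempfile


def _digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: {"sha256", "size", "mtime"}} for files under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": _digest(full),
                             "size": st.st_size,
                             "mtime": st.st_mtime}
    return baseline


def save_baseline(baseline, db_path):
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh snapshot.

    "changed" is decided by digest and size; the recorded mtime is kept for
    reporting only, because a timestamp is trivially set back by an intruder
    while the digest is not.
    """
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p]["sha256"] != current[p]["sha256"]
                     or baseline[p]["size"] != current[p]["size"])
    return {"added": added, "deleted": deleted, "changed": changed}


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed tree, baseline it, tamper with it, re-check."""
    root = tempfile.mkdtemp(prefix="integrity-root-")
    dbdir = tempfile.mkdtemp(prefix="integrity-db-")   # keep the DB off the tree
    try:
        sysdir = os.path.join(root, "system32")
        os.makedirs(sysdir)
        _write(os.path.join(sysdir, "protected.dll"), b"original protected file")
        _write(os.path.join(sysdir, "kernel.dll"), b"stable file")
        _write(os.path.join(root, "readme.txt"), b"to be deleted")
        db = os.path.join(dbdir, "baseline.json")
        save_baseline(snapshot(root), db)

        # Constructed tampering: overwrite a protected file, drop a new DLL
        # into the system directory, delete a file.
        _write(os.path.join(sysdir, "protected.dll"), b"patched by intruder")
        _write(os.path.join(sysdir, "server.dll"), b"dropped dll")
        os.remove(os.path.join(root, "readme.txt"))

        return compare(load_baseline(db), snapshot(root))
    finally:
        shutil.rmtree(root)
        shutil.rmtree(dbdir)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points the page's tools handle that this sketch leaves to the operator: the baseline database must itself be protected (Tripwire signs it; WFP relies on Microsoft's signatures and the dllcache copy), because a baseline the intruder can rewrite proves nothing; and the "added" category is what catches a new DLL dropped into the system directory, which is exactly the kind of change the Beast description further down this page involves.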
An important feature of the Beast server is its use of injection. On its first run the server injects itself into the memory of winlogon.exe (systray.exe on 9x systems). From winlogon.exe it is then injected into explorer.exe or Internet Explorer, according to the options chosen when the server was built.
The main benefit of this arrangement is that the code in winlogon.exe monitors the other injected applications: if Internet Explorer is closed, for example, winlogon.exe starts it again and injects the DLL. When the server is injected into explorer.exe it is not visible in any Task Manager. When it is injected into Internet Explorer it runs under the System account on NT and is visible in Task Manager, but firewalls can be bypassed more easily this way. Being visible in Task Manager is not a big problem, because if the IE process is closed it is automatically run again.
The same procedure applies when the injection is into explorer.exe. Server stability is close to 100% (explorer.exe cannot be crashed by closing the client during a file transfer or other operation). The server DLL resides in the windows/system directory and writes a few registry entries, so on the NT platform the victim must have the appropriate privileges; if the victim is a restricted user, the server will not run on NT (2000, XP).
The only way to get rid of Beast is to boot into Safe Mode: whenever the injected process (IE or explorer.exe) is closed, winlogon.exe injects the server again; all the server loaders are locked by winlogon.exe and so cannot be deleted; and the registry settings are rewritten every few seconds. The easiest way to uninstall the server is to connect from the client and click the Kill Server button.