Full Version: Stealther...
EvilGod
Reading some security news i found this:

CODE

Stealther Trojan hides evidence of processes, files and registry keys to make infection harder to detect


Does anyone know how, and if, it's possible to hide evidence of processes, files and registry keys as this trojan does?
jurk-off
it's possible. this trojan would probably remove the log files or something..??
but i think it is possible
vnet576
did a little searching and i found this trojan for you. Haven't tried it myself yet....

http://www.hostultra.com/~vnet576/stealth.zip

Ok something weird's going on with this host that I uploaded to. I'm getting some weird popups.

so i'm uploading it to a second one...hope this one works better.

http://www.sharemation.com/vnet576/My%20Do...nts/stealth.zip
EvilGod
see this guys

http://www.staticipnotify.com/aphex/downlo...ads/RootKit.zip

CODE

AFX Windows Rootkit 2003
http://www.iamaphex.cjb.net
unremote@knology.net

This software generates a system patch that will hide processes, files, folders,
registry keys and netstat entries from Windows 95/98/ME/NT/2k/XP/2003. Information
is withheld based on 4 lists of mask strings. This enables you to apply wildcards to
hiding functions such as hiding files based on "*.exe" or netstat entries based on
"*TCP*:80*" to hide http traffic.

The included "example.exe" is preconfigured to hide all processes/files and keys matching
"~~*" and all "*TCP*" traffic. The installer copies itself to the system directory and
extracts 2 DLL files from its resources. It saves the files as "iexplore.exe" and
"explorer.exe". The first dll is loaded into "explorer.exe" which then installs hooks
contained in "explorer.dll".

To configure a custom rootkit run "RootKit.exe" and click "Help" and make sure to
compress your installer!


HomePage:
http://iamaphex.cjb.net/


lemme know what ya think
jurk-off
wtf is this kind a link pron????
vnet576
i'm sorry, this host has popups so I uploaded it to a second one.
ComSec
QUOTE (EvilGod @ Aug 14 2003, 10:42 PM)
Reading some security news i found this:

CODE

Stealther Trojan hides evidence of processes, files and registry keys to make infection harder to detect


Does anyone know how, and if, it's possible to hide evidence of processes, files and registry keys as this trojan does?


check this out

QUOTE
This trojan has been found to be widespread among several universities. In these cases, the recent DCOM RPC vulnerability has been exploited to copy a backdoor trojan (detected as BackDoor-TC since the 4255 DAT files), and the patch for the DCOM RPC vulnerability. Exploited systems are patched, the backdoor is installed, and the Stealther trojan conceals both the backdoor and itself.
The Stealther trojan is designed to hide running processes, files, and registry keys. When run, any file name matching CSRS*.EXE will be hidden from the user. Booting an infected system into Safe Mode, or connecting to it via a network share, are two ways to view the stealthed files.

Details of the recent attack are as follows. Compromised systems contain the following files:

%WinDir%\system32\csrsv.exe - Stealther trojan
%WinDir%\system32\csrsu.exe - ExeStealth-packed BackDoor-TC trojan
c:\update.exe - MS03-026 patch


The following registry keys are present:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSRSPX
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSRSWIN1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSPX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSWIN1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\CSRSPX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\CSRSWIN1
The CSRSPX key is responsible for loading the Stealther trojan, to conceal the presence of any file named CSRS*.EXE (in this case the backdoor trojan, as well as the Stealther trojan). Reports have varied in which TCP port the backdoor trojan listens on; the port is likely configured by the hacker(s) responsible for these attacks.

Symptoms
- MS03-026 vulnerable systems mysteriously getting patched
- Unexpected TCP ports left open

Method Of Infection
This trojan is being installed by exploiting vulnerable systems. In at least one case, a Windows task has been scheduled to fetch the trojan files from a remote server.

Removal Instructions
All Windows Users:
Use current engine and DAT files for detection and removal. An active infection requires users to reboot into Safe Mode prior to scanning/removing the trojan.
Manual Removal Instructions:

Restart Windows in Safe Mode.
Delete the registry keys mentioned above.
Delete the files mentioned above.
Restart the computer.
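The quoted write-up says the hiding does not apply when the disk is read over a network share. The following triage script is an added example, not from the thread or the vendor, that uses exactly that cross-view trick: it compares what the suspect host reports about its own System32 with what its C$ share exposes, and checks for the service keys and file names quoted above. It assumes a clean analysis workstation with admin rights, and that WinRM and the Remote Registry service are reachable on the target ($Target is a hypothetical hostname).

```powershell
# Added example (not from the thread): triage a host for the indicators quoted above.
# Run from a CLEAN workstation; the hooked view comes from the host itself via WinRM,
# the unhooked view from the C$ share (assumed reachable with admin rights).
param(
    [Parameter(Mandatory)] [string] $Target   # hostname of the suspect machine (assumption)
)

# Indicators from the quoted write-up; CSRS*.EXE is the mask the trojan hides.
$ServiceNames = 'CSRSPX', 'CSRSWIN1'
$HiddenMask   = 'CSRS*.EXE'
$System32     = 'Windows\System32'   # assumes the default %WinDir% location

# 1. Service keys: read through the remote registry provider, not the file system.
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Target)
foreach ($svc in $ServiceNames) {
    $key = $reg.OpenSubKey("SYSTEM\CurrentControlSet\Services\$svc")
    if ($key) {
        Write-Warning "Service key present: $svc  ImagePath=$($key.GetValue('ImagePath'))"
    }
}

# 2. Cross-view listing: what the host reports about itself vs. what the share shows.
$localView = Invoke-Command -ComputerName $Target -ScriptBlock {
    param($dir)
    Get-ChildItem "$env:SystemDrive\$dir" -File -Force | Select-Object -ExpandProperty Name
} -ArgumentList $System32

$shareView = Get-ChildItem "\\$Target\C$\$System32" -File -Force |
             Select-Object -ExpandProperty Name

# Names present only on the share side ('<=') are being hidden from the host's own view.
$hidden = Compare-Object -ReferenceObject $shareView -DifferenceObject $localView |
          Where-Object SideIndicator -eq '<=' |
          Select-Object -ExpandProperty InputObject

if ($hidden) {
    Write-Warning "Files visible over the share but not to the host itself:"
    $hidden | ForEach-Object { "  $_" }
} else {
    "No cross-view discrepancy in \$System32."
}

# 3. Name-mask check on the unhooked view, plus the dropped patch installer.
$shareView | Where-Object { $_ -like $HiddenMask } |
    ForEach-Object { Write-Warning "Name matches hidden mask ${HiddenMask}: $_" }
if (Test-Path "\\$Target\C$\update.exe") {
    Write-Warning "c:\update.exe present (quoted as the dropped MS03-026 patch)"
}
```

A listing that agrees across both views does not clear the host: a rootkit that also filters SMB-served directory reads, or one that hides only from specific processes, would not show up here, so treat the share view as one more vantage point rather than ground truth.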
