Title: Example 2: Winning Entry #2 - Arun Darlie Koshy
Post by: don on April 13, 2006, 12:47:05 PM
*Most* Unusual is process smss.exe with PID 1384 with memory usage 1384 k, the normal smss.exe critical systems service takes around 344 K (and we see that its there).
Fishy, we've caught our rogue process ;-).
We can use the free tool "TCPView" freely availble from Sysinternals.com to determine whether this process is listening on a TCP or UDP port.
Nigel could'nt kill this process as the backdoor uses an interesting vulnerability in the design of Windows 2k. The OS is not case sensitive when determining critical system processes :
Since the backdoor has the same name, the OS refuses to terminate it.
Nigel can either use the "kill" utility supplied with the Windows 2K Resource kit, or he can choose an even more advanced version from Sysinternals:
http://www.sysinternals.com/ntw2k/freeware/pstools.shtml (complete suite)
--- SIGNATURE ---
"The gull sees farthest who flies highest"
GPG/PGP key located at acksyn.infosecwriters.com