Post Thu Apr 13, 2006 12:47 pm

Example 2: Winning Entry #2 - Arun Darlie Koshy

Answer 1)

*Most* Unusual is process smss.exe with PID 1384 with memory usage 1384 k, the normal smss.exe critical systems service takes around 344 K (and we see that its there).

Fishy, we've caught our rogue process ;-).

Answer 2)

We can use the free tool "TCPView" freely availble from Sysinternals.com to determine whether this process is listening on a TCP or UDP port.

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Answer 3)

Nigel could'nt kill this process as the backdoor uses an interesting vulnerability in the design of Windows 2k. The OS is not case sensitive when determining critical system processes :

- winlogon.exe
- csrss.exe
- smss.exe
- services.exe

Since the backdoor has the same name, the OS refuses to terminate it.

Reference
---------

http://www.securityfocus.com/bid/3033

Answer 4)

Nigel can either use the "kill" utility supplied with the Windows 2K Resource kit, or he can choose an even more advanced version from Sysinternals:

http://www.sysinternals.com/ntw2k/freew ... ools.shtml (complete suite)

http://www.sysinternals.com/ntw2k/freeware/pskill.shtml


--- SIGNATURE ---

"The gull sees farthest who flies highest"

GPG/PGP key located at acksyn.infosecwriters.com
CISSP, MCSE, CSTA, Security+ SME