
Assistance requested


SephStorm

Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Sun Jan 09, 2011 8:13 pm

Assistance requested

Hi All,

I have a PC set up for pentesting, and I am still building it, finding programs etc. Two issues: 1. I am fairly certain I am getting good downloads from the official sites, except in one notable case where the Windows binary is no longer maintained, and of course now I have something listening: I can see in netstat a connection to 220.90.198.65 port 1064, supposedly the JSTEL service. I have blocked the connection at the Windows Firewall and redirected it to localhost through the hosts file, but I am not sure if this really is malicious, or a side effect of a legit program.

So I could use any advice on determining the nature of this connection.

2. Because I am downloading applications that will be detected by my A/V, how can I distinguish between a hacking tool and malware?
sectestanalysis.blogspot.com/

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Sun Jan 09, 2011 8:48 pm

Re: Assistance requested

The most reliable way of determining what the port is doing is to capture traffic on that port. If you think you've been rootkitted, set up a Snort box...
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+

Data_Raid

Full Member

Posts: 165

Joined: Fri Nov 09, 2007 5:55 am

Post Mon Jan 10, 2011 4:34 pm

Re: Assistance requested

That IP Address traces back to Korea:
http://whatismyipaddress.com/ip/220.90.198.65

Some additional info which might or might not be applicable (taken from http://www.pczone.com.tw/vbb3/archive/t-108256.html):

> download.microsoft.com
Server: query.ttn.net
Address: 202.145.138.1

Non-authoritative answer:
Name: a767.ms.akamai.net
Addresses: 220.90.198.90, 220.90.198.65, 220.90.198.83
Aliases: download.microsoft.com, download.microsoft.com.nsatc.net
download.microsoft.com.d4p.net, download.microsoft.com.georedirector.akadns.net

As ziggy_567 mentioned, capturing traffic and viewing the captured packets might give you an idea what connections are being created and the relative destination address.  You could also use TCPView from Sysinternals to gather more information about the connections on your computer: http://technet.microsoft.com/en-us/sysi ... s/bb897437
Using TCPView, you can highlight the connection and view properties of that process (if possible) which might give you more information on what application created the connection.

Regarding setting up a lab, what I like to do is not install any A/V on the attacking/testing machine. I also make sure that this machine is isolated from the rest of my machines, and I also ensure that this machine never connects to the internet once I'm done setting it up.
Last edited by Data_Raid on Mon Jan 10, 2011 4:42 pm, edited 1 time in total.
All men by nature desire knowledge.

Aristotle

SephStorm

Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Mon Jan 10, 2011 10:20 pm

Re: Assistance requested

Yeah, Sam Spade told me a little about it ;) I am in Korea, which made me think the traffic was legit; all of those servers do appear to be legitimately tied to MS. I wonder if some MS program is phoning home?...
sectestanalysis.blogspot.com/

Third_Eye

Newbie

Posts: 5

Joined: Wed Apr 13, 2011 9:16 am

Post Wed Apr 13, 2011 9:32 am

Help Me

I'll create a small trojan file but I cannot send it in email to another party, because Yahoo identified it as a virus. I used Obsidium and Poison Ivy to create an undetectable trojan file but I cannot win it.

Please help me to do this. This is for my education.

thank you
MCP,MCTS,MCITP,CIW,CCNA

WCNA

Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Wed Apr 13, 2011 1:08 pm

Re: Assistance requested

Open a command prompt and type "netstat -nao" (without the quotes). That'll give you the process IDs. You can then kill the process ID of the offending program. You can also use Process Hacker, a freeware program that'll give more info, but you have to know what you're doing with handles, etc. You could also install Sandboxie and Buster, start Buster, load the program in Sandboxie and then watch what the program is doing with Buster.

There's bunches of other ways as well but those are the easiest for beginners. If you want to dig even deeper, try some of the tools listed in the Malware Cookbook (hint: look through the index on the Amazon page to see all the different tools).

Almost forgot- GMER and IceSword are good Windows tools you could try as well.
Last edited by WCNA on Wed Apr 13, 2011 1:30 pm, edited 1 time in total.
ISC2 Associate, WCNA, CWNA, OSCP, Network+
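Data_Raid's post above suggests matching the foreign address against DNS answers (the download.microsoft.com lookup that lists 220.90.198.65 among Akamai's addresses) and checking which process owns the connection, and WCNA's post says to start from "netstat -nao" to get the PID. The script below is an added example, not code from any poster or tool in this thread: it parses a constructed "netstat -nao" listing, drops listeners and loopback traffic, and annotates each real remote peer with its PID, a hypothetical PID-to-image table (on a real machine you would take that from tasklist, Task Manager or TCPView) and any name you already have DNS evidence for. A peer with no DNS evidence is the one to capture traffic for, as ziggy_567 advised.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of "netstat -nao" output (not captured from the poster's
# machine). The 220.90.198.65:1064 line mirrors the connection described in the
# thread; the PIDs, the local address and the other addresses are made up.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:5354         127.0.0.1:49152        ESTABLISHED     1344
  TCP    192.168.1.20:49200     220.90.198.65:1064     ESTABLISHED     2980
  TCP    192.168.1.20:49211     203.0.113.7:443        ESTABLISHED     2980
  UDP    0.0.0.0:500            *:*                                    684
"""

# DNS evidence, built from the nslookup answer for download.microsoft.com quoted
# in the thread. On a real host, fill this from your own resolver's output.
KNOWN_RESOLUTIONS: Dict[str, str] = {
    "220.90.198.90": "a767.ms.akamai.net (download.microsoft.com)",
    "220.90.198.65": "a767.ms.akamai.net (download.microsoft.com)",
    "220.90.198.83": "a767.ms.akamai.net (download.microsoft.com)",
}

# Hypothetical PID -> image name table. netstat only prints the PID; the image
# name comes from "tasklist", Task Manager or TCPView on the real machine.
PID_TO_IMAGE: Dict[int, str] = {
    812: "svchost.exe",
    1344: "mDNSResponder.exe",
    2980: "unknown_tool.exe",
    684: "lsass.exe",
}


class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP, which has no state column
    pid: int


# Proto, local, foreign, optional state, PID. The state column is absent on UDP rows.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> List[Conn]:
    """Turn raw 'netstat -nao' text into Conn records, skipping header lines."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def split_addr(addr: str):
    """Split 'host:port' (or '[v6]:port') into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def is_local(host: str) -> bool:
    """Wildcards and loopback are not remote peers worth chasing."""
    return host in ("0.0.0.0", "*", "::", "::1") or host.startswith("127.")


def triage(text: str,
           known: Dict[str, str] = KNOWN_RESOLUTIONS,
           pid_map: Dict[int, str] = PID_TO_IMAGE) -> List[dict]:
    """List real remote peers with owning PID and any DNS name we have evidence for."""
    rows = []
    for c in parse_netstat(text):
        rhost, rport = split_addr(c.remote)
        if c.state == "LISTENING" or is_local(rhost):
            continue
        rows.append({
            "pid": c.pid,
            "image": pid_map.get(c.pid, "?"),
            "remote": f"{rhost}:{rport}",
            "state": c.state,
            # None means the IP is not in our DNS evidence: it needs a packet
            # capture or a whois lookup before it can be called legitimate.
            "resolves_to": known.get(rhost),
        })
    return rows


if __name__ == "__main__":
    for row in triage(NETSTAT_SAMPLE):
        print(row)
```

Run against the sample, the 220.90.198.65:1064 row comes back tagged with the Akamai name from the quoted nslookup answer, while the 203.0.113.7:443 row (a constructed address) has no evidence and would be the one to capture. Both rows share PID 2980, which is the detail to feed into TCPView or Process Hacker next: the same image owning an expected CDN connection and an unexplained one is exactly the situation the original question describes.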

Third_Eye

Newbie

Posts: 5

Joined: Wed Apr 13, 2011 9:16 am

Post Thu Apr 14, 2011 6:14 am

Help me to create this trojan undetectable file

I want to create an undetectable trojan. I'll create a trojan file but it is detected like a virus; how can I set this trojan undetectable? I tried to use Poison Ivy, Obsidium setup and more. How can I make this trojan file an undetectable virus?

Please help me. Sorry about my poor English, sorry.

thank you

MCP,MCTS,MCITP,CIW,CCNA

SephStorm

Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Thu Apr 14, 2011 5:55 pm

Re: Assistance requested

@Third eye,

No malware stays undetectable. Once a signature is made for the malware, then it can be detected and removed.

FYI, you may want to check the yahoo mail terms of service. I'm pretty sure that intentionally uploading malware is a violation.
sectestanalysis.blogspot.com/

Third_Eye

Newbie

Posts: 5

Joined: Wed Apr 13, 2011 9:16 am

Post Mon Apr 18, 2011 9:23 am

Re: Assistance requested

:::::  SephStorm

You are right. But how can I create this undetectable trojan? I used Obsidium also but it is not working. Please help me to resolve this problem.

thanking you

MCP,MCTS,MCITP,CIW,CCNA
