Spinal Hack Winner 2

By Arun Darlie Koshy

Answer 1)

*Most* unusual is the process smss.exe with PID 1384
and memory usage 1384 K; the normal smss.exe
critical system service takes around 344 K (and
we see that it's there too).

Fishy, we've caught our rogue process ;-).

Answer 2)

We can use the free tool "TCPView", available
from Sysinternals.com, to determine whether this
process is listening on a TCP or UDP port.

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Answer 3)

Nigel couldn't kill this process because the backdoor
uses an interesting vulnerability in the design
of Windows 2K.

The OS is not case sensitive when determining
critical system processes:

- winlogon.exe
- csrss.exe
- smss.exe
- services.exe

Since the backdoor has the same name, the OS
refuses to terminate it.

reference
---------

http://www.securityfocus.com/bid/3033

Answer 4)

Nigel can either use the "kill" utility supplied
with the Windows 2K Resource Kit, or he can
choose an even more advanced version from
Sysinternals:

http://www.sysinternals.com/ntw2k/freeware/pstools.shtml (complete suite)

http://www.sysinternals.com/ntw2k/freeware/pskill.shtml
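The checks behind Answers 1 to 3, gathered into one script as an added example (this is not part of the original answer, nor a Sysinternals tool): it lists every process whose name collides with one of the critical system process names above, reports where it runs from and how much memory it uses, and, as TCPView would, whether it owns a listening TCP socket. It assumes a current Windows host with the NetTCPIP module, run from an elevated PowerShell session so that ExecutablePath and socket ownership are visible.

```powershell
# Added example, not from the original page. Critical-process names are the
# ones listed in Answer 3. Assumes: current Windows, NetTCPIP module present,
# elevated session (otherwise ExecutablePath is empty for system processes).

$CriticalNames = @('winlogon.exe', 'csrss.exe', 'smss.exe', 'services.exe')
$System32      = Join-Path $env:SystemRoot 'System32'

function Get-CriticalNameCollision {
    $procs = Get-CimInstance -ClassName Win32_Process
    foreach ($p in $procs) {
        # -contains is case-insensitive, which matches the OS behaviour the
        # answer describes: "SMSS.EXE" and "smss.exe" are the same name to it.
        if ($CriticalNames -notcontains $p.Name) { continue }

        # WMI reports the real smss.exe as \SystemRoot\System32\smss.exe;
        # rewrite that prefix so the location check below is meaningful.
        $path = $p.ExecutablePath
        if ($path -and $path.StartsWith('\SystemRoot', 'OrdinalIgnoreCase')) {
            $path = $env:SystemRoot + $path.Substring('\SystemRoot'.Length)
        }

        $verdict = if (-not $path) {
            'UNKNOWN (no path visible; run elevated)'
        } elseif ($path.StartsWith($System32, 'OrdinalIgnoreCase')) {
            'expected location'
        } else {
            'SUSPECT: outside System32'
        }

        # Answer 2's question without TCPView: does this PID own a listener?
        $listen = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Listen `
                      -ErrorAction SilentlyContinue |
                  ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }

        [pscustomobject]@{
            Name      = $p.Name
            PID       = $p.ProcessId
            ParentPID = $p.ParentProcessId
            WorkingKB = [int]($p.WorkingSetSize / 1KB)   # compare, as Answer 1 does
            Path      = $path
            Listening = ($listen -join ', ')
            Verdict   = $verdict
        }
    }
}

Get-CriticalNameCollision | Sort-Object Name, PID | Format-Table -AutoSize
```

Several legitimate csrss.exe and winlogon.exe instances exist on a multi-session host, so the path and listener columns, not the duplicate name alone, are what single out the impostor.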


--- SIGNATURE ---

"The gull sees farthest who flies highest"

GPG/PGP key located at acksyn.infosecwriters.com


©Copyright 2004, Ed Skoudis