Thread: Trojan detection and removal 2

  1. #1

    Trojan detection and removal 2

    How to tell if you are infected and techniques to get rid of them.

    In the last installment of my Trojan Horse removal and detection series, I didn't think it was going to fare very well. Also, I changed my e-mail and took a day or so to bring me back. Now, on with the good stuff...

    HOW TO KNOW IF YOU MIGHT BE INFECTED:

    There are several ways to tell if you have been infected, but you will need to probe in your box a little further before you know it is a trojan. First, you need to know telltale signs that should trigger a trojan running:

    * Unexplained reboots when there were no hardware problems before.

    * Strange pop-up messages that come out of nowhere and are not in the norm of Windows error messages.

    * Your CDROM mysteriously opens and closes on its own.

    * A chat that does not go away.

    * Files are moved, renamed, deleted or modified without explanation.

    * The mouse moves around the screen.

    * Constant freezes, crashes and strange error messages when there were no previous problems before.

    There are other things trojans do that are not in the list but are not evident until it is too late. That is, unless you get a call from your ISP for terms of use violation(s):

    * Stolen passwords

    * Eavesdropping

    * Stealing private information such as banking information

    * Uploading other servers, files or even virii

    * Using the PC for "man in the middle" attacks <--This can generate calls from your ISP

    * Keylogging <--Is recording everything you type and sending it back to the attacker

    Does this mean the attacker can do whatever I can do as if the person is sitting in front of the PC? Not necessarily. Not all trojans are RATs. You just need to be aware the most common type of trojan is the RAT because of the ease of use and the sadistic fun the attacker has by "owning" computers. Mobman, creator of Sub7, gave detailed information on how he had servers running with people running poorly configured firewalls such as ZoneAlarm, so this stresses the importance of knowing how your firewall works!

    If Anti-virus/trojan found a trojan, then take note of its location and the trojan name, and go to Google to investigate what the program is, how it infects and how to remove it manually. AV might remove it for you, and you may never have to worry about it again; however, it is good to know what it was and how to see if it is removed *completely* by doing the removal checklist manually.

    Before you start investigating, you need to rule out other possibilities. This includes updating drivers, software and anti-virus/trojan. Also, check for faulty hardware by running a tester on your hardware. A nice little shareware program I am using to check for this stuff is called HL info, and you can download a copy from This Site. Once these problems have been looked over and you still have symptoms, it is time to dig further.

    USING NETSTAT TO SEE WHO AND WHAT IS CONNECTED

    Netstat is a great tool for seeing connections. An example of connections might be

    C:\WINDOWS\Desktop>netstat -a

    Active Connections

    Proto Local Address Foreign Address State
    TCP USER:1055 0.0.0.0:0 LISTENING
    TCP USER:1055 205.188.9.36:5190 ESTABLISHED
    TCP USER:1025 0.0.0.0:0 LISTENING
    UDP USER:1032 *:*
    UDP USER:1813 *:*
    UDP USER:1050 *:*

    This indicates all is well, and checking the list of known port numbers tells me it is alright. However, a problem might be

    C:\WINDOWS\Desktop>netstat -a

    Active Connections

    Proto Local Address Foreign Address State
    TCP USER:1055 0.0.0.0:0 LISTENING
    TCP USER:1055 205.188.9.36:5190 ESTABLISHED
    TCP USER:1025 0.0.0.0:0 LISTENING
    UDP USER:1032 *:*
    UDP USER:1813 *:*
    UDP USER:1050 *:*
    UDP USER:27374 0.0.0.0:0 LISTENING

    Shows an unusual process running on a high port number, which usually indicates a RAT. To make sure though, you need to check the list of known trojan ports and yes, 27374 TCP is the Sub7 and some variants (Please note this is only the DEFAULT port).

    Okay, what if you suspect a process is running on that port? Let's use TELNET to log in and see what is returned.

    Telnet> connected. time/date: 08:40.22 - June 14, 2002, Friday, version: M.U.I.E. 2.1

    Shows a definite connection. Now that you know what version the server is (2.1), you can look on how to remove it. Is it always this easy? By all means no. Sometimes, the person who configured the server knows all the ways users will look for suspicious activity, and might make it next to impossible to remove it. However, if you STILL cannot find it, here are some tools I found indispensable in search of problems like these:

    Tambu Tools

    And there, you will find netstat lite, a GUI that shows all connections, and Tambu Registry.

    Remember, if you have a decent firewall, you can configure it to block all further connections from the attacker that is sending commands to the server. We know trojans cannot work on a firewall. Once that is done, you can be on the net and search for answers on Google.

    NEXT: THE AFTERMATH... WHAT TO DO
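    The netstat check above, as an added example that is not part of the original post: a small Python script that parses Windows `netstat -a` output (the post's second sample is used as the input), flags any socket on a known trojan DEFAULT port, and labels established connections by their foreign service port so the unexplained ones stand out. Only 27374 (Sub7) comes from the post; the NetBus and Back Orifice defaults and the AOL IM port are added for illustration.

    ```python
    import re

    # The thread's second netstat example, transcribed as sample input.
    NETSTAT_OUTPUT = """\
    Proto Local Address Foreign Address State
    TCP USER:1055 0.0.0.0:0 LISTENING
    TCP USER:1055 205.188.9.36:5190 ESTABLISHED
    TCP USER:1025 0.0.0.0:0 LISTENING
    UDP USER:1032 *:*
    UDP USER:1813 *:*
    UDP USER:1050 *:*
    UDP USER:27374 0.0.0.0:0 LISTENING
    """

    # Default ports of old RATs. Only 27374 (Sub7) is named in the post; the NetBus and
    # Back Orifice defaults are added for illustration. These are DEFAULT ports only: a
    # server reconfigured to another port is not caught by this table.
    KNOWN_TROJAN_PORTS = {27374: "Sub7", 12345: "NetBus", 31337: "Back Orifice"}
    # Ordinary services the reader would look up in a port list; 5190 is AOL IM (OSCAR).
    KNOWN_SERVICE_PORTS = {5190: "AOL Instant Messenger"}

    # Proto, local host:port, foreign host:port, optional state (UDP lines have none).
    LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")


    def parse_netstat(text):
        """Turn `netstat -a` lines into dicts; banner and header lines are skipped."""
        records = []
        for line in text.splitlines():
            m = LINE_RE.match(line)
            if m:
                proto, _lhost, lport, fhost, fport, state = m.groups()
                records.append({"proto": proto, "state": state, "foreign_host": fhost,
                                "local_port": None if lport == "*" else int(lport),
                                "foreign_port": None if fport == "*" else int(fport)})
        return records


    def triage(records):
        """Flag sockets on a known trojan default port; label established connections
        by their foreign service port so an unexplained one stands out for lookup."""
        findings = []
        for r in records:
            lp, fp = r["local_port"], r["foreign_port"]
            if lp in KNOWN_TROJAN_PORTS:
                findings.append(f"SUSPECT {r['proto']}/{lp}: default port of {KNOWN_TROJAN_PORTS[lp]}")
            elif r["state"] == "ESTABLISHED":
                svc = KNOWN_SERVICE_PORTS.get(fp, "unknown service, look it up")
                findings.append(f"INFO {r['proto']}/{lp} -> {r['foreign_host']}:{fp} ({svc})")
        return findings
    ```

    Run `triage(parse_netstat(NETSTAT_OUTPUT))` on the post's first sample and nothing is flagged; on the second sample the 27374 line is reported as a Sub7 default port, which is the cue to go check the trojan port list as the post describes.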

  2. #2

    Re: Trojan detection and removal 2

    Originally posted here by alittlebitnumb
    We know trojans cannot work on a firewall.
    But there are trojans out there which are able to disable the firewalls and antiviruses !!!

  3. #3
    very nice /me goes off to run a couple scans
    "A weak mind is like a microscope, which magnifies trifling things but cannot receive great ones." — G.K. Chesterton, 19th-century English essayist and poet

  4. #4
    But there are trojans out there which are able to disable the firewalls and antiviruses !!!
    Thanks for clearing that up. Goes to show I haven't kept up with the times.

  5. #5
    Wow, very interesting! You should have another installment for those more advanced virii, as Unleashed stated.

    If I had a nickel every time somebody said "WHAZZUUPPPPP!!!!!", I'd buy out the commercial company and bury it in a huge pile of smoldering ashes.

  6. #6
    *Raising his hand*

    Alright, I have a question about the section of your tutorial that talks about telnetting.

    "Okay, what if you suspect a process is running on that port? Let's use TELNET to log in and see what is returned.

    Telnet> connected. time/date: 08:40.22 - June 14, 2002, Friday, version: M.U.I.E. 2.1

    Shows a definite connection. Now that you know what version the server (2.1) is, now you can look on how to remove it "

    This is the part that I don't understand. In your example where you ran netstat to check what ports are listening, the first example showed normal activity. When you gave your second example, you presented a UDP port much higher that was listening. So we're to assume that this is a sign of a trojan keeping the port open, right? Now, you telnet and find what is returned. Can you please elaborate on this? Are you telnetting directly to that port, and as for the M.U.I.E 2.1, what is this and how do you know it's a server? Are you connecting to the same port that the trojan is located on, therefore using the trojan like a soldier to send a message to the server or system that has the main file? Not sure this is coming out right, so please explain the telnet part in more detail or supply a site where I can read about it.
    thanks
    Gramps the sponge.
    See dick... see dick hack yahoo...see dick go to jail... dont be a dick.
