
Thread: Can a trojan bypass netstat?

  1. #1
    Senior Member
    Join Date
    Oct 2004
    Posts
    118

    Can a trojan bypass netstat?

    Hi, I'm using Windows XP SP2 with NAV 2005, Sygate Personal Pro and Microsoft Anti-Spyware beta. I make regular checks for both viruses and spyware. Recently, my computer started acting a bit strange. It shuts down all by itself when I'm watching a movie or something, the songs I'm playing in Winamp change, and windows minimize and maximize by themselves. Whenever such a thing happens, I immediately check using "netstat -a", but it doesn't show any foreign address connected. Is it possible for a trojan sitting on my computer to not show up in netstat? The data sent and received don't show anything strange. Is there any way to know for sure whether there's a trojan on my computer or not? It's not very severe, but still, it's very irritating to think that someone is watching what you're doing all the time.
    Never trouble another for what you can do for yourself.
    -Thomas Jefferson


  2. #2
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    "with NAV 2005, sygate personal pro and microsoft anti-spyware beta."
    Have you also got the Microsoft firewall running?

    Does this behaviour happen if you are off the net, and running saved stuff?

    Update your NAV and run it in safe mode.
    Go to the Trend Micro PC-cillin site and run the "HouseCall" online scanner.

    Check your scheduled tasks, auto updates etc and turn them off.

    My gut feel at this stage is that NAV 2005 is conflicting with something.

    Let me know how you get on

  3. #3
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    If you think that someone is connected to your computer, try to disconnect from the internet and do what you usually do....

    Best test of whether you are being monitored by someone.....
    // too far away outside of limit

  4. #4
    Yes a trojan can bypass netstat, usually with a little help.

    In addition to the excellent advice of nihil, I would recommend a utility that has the same functionality as netstat but is external to the OS. I use Fport from Foundstone. You can find it on their web site. It is free, and you can compare the results to netstat and look for anomalies.

    Also is there any other device on your network where you could see the connection? Like a router or NAT device? Might look there as well if you have one.
    "If you take a starving dog in off the street and make him prosperous he will not bite you, this is the principal difference between a dog and a man" - Mark Twain

  5. #5
    I have a CD with OS utilities like NETSTAT from a clean system that I take around to machines I think have been compromised. See if you can get that file off a known clean system, put it on some sort of read-only media (CD or write-protected floppy) and run it on your suspect system. You'll want to use the '-ao' parameter on XP and '-an' on W2K.

    You could also try OpenPorts located here http://www.diamondcs.com.au/openports/ it's FREE.

    It does sound like you may have a 'critter' on your box. Thoughts...

    - Did you try safe mode and scan with AV scanner?
    - How about safe mode with networking and visit one of the online virus scanners such as on Symantec's site http://security.symantec.com/default...d=ie&venid=sym.
    - You could also download and run the Trojan Defense Suite (TDS3) located at that same website as OpenPorts - they have a free 30 day eval http://tds.diamondcs.com.au/

    If NONE of those detect anything you might want to try the Rootkit Revealer from SysInternals. It's a little advanced and will take some research of the findings but will detect many rootkits. http://www.sysinternals.com/ntw2k/fr...itreveal.shtml

    Good luck, let us know what you find.
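
    The cross-check that posts #4 and #5 describe (netstat on the suspect host versus an independent enumeration such as Fport, a clean netstat binary from read-only media, or a router's connection table) can be scripted so that the comparison is mechanical rather than eyeballed. The following is an added example, not code from the thread or from any of the tools named above; both input samples are constructed by hand, and the line format of the "external" view is an assumption (you would normalise whatever your second source produces into it).

```python
"""Cross-view socket check (added example; not code from the thread).

A rootkit that hooks netstat can only filter what netstat itself shows. If
the same host state is enumerated a second, independent way - Fport or a
clean netstat run from read-only media for listeners, the router's or
upstream firewall's connection table for active connections - anything that
appears there but not in the local netstat output is worth investigating.
Both inputs below are constructed samples, not real captures.
"""

# Output of `netstat -ao` as run on the suspect XP host (constructed sample).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1037      192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Independent view, normalised by hand into an assumed line format
# (constructed sample):
#   <proto> listen <port>             e.g. from Fport run off a clean CD
#   <proto> conn <local> <remote>     e.g. from the router's connection table
EXTERNAL_SAMPLE = """\
TCP listen 135
TCP listen 445
TCP listen 31337
UDP listen 445
TCP conn 192.168.1.10:1037 192.168.1.20:445
TCP conn 192.168.1.10:1055 10.9.8.7:6667
"""


def _port(addr: str) -> int:
    """'0.0.0.0:135' -> 135; rsplit also copes with '[::]:135'."""
    return int(addr.rsplit(":", 1)[1])


def parse_netstat(text: str) -> set:
    """Turn `netstat -a[n][o]` output into a set of comparable keys.

    Listeners become ('listen', proto, port); everything else becomes
    ('conn', proto, local, remote). UDP lines have no State column and the
    PID column is absent with -an on W2K, so both are treated as optional.
    """
    keys = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we do not understand
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" and len(parts) > 3 else ""
        if proto == "UDP" or state == "LISTENING":
            keys.add(("listen", proto, _port(local)))
        else:
            keys.add(("conn", proto, local, remote))
    return keys


def parse_external(text: str) -> set:
    """Parse the hand-normalised independent view into the same key format."""
    keys = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[1] == "listen":
            keys.add(("listen", parts[0], int(parts[2])))
        elif parts[1] == "conn":
            keys.add(("conn", parts[0], parts[2], parts[3]))
    return keys


def hidden_from_netstat(netstat_text: str, external_text: str) -> list:
    """Sockets the independent view sees but the host's own netstat does not."""
    return sorted(parse_external(external_text) - parse_netstat(netstat_text))


if __name__ == "__main__":
    for key in hidden_from_netstat(NETSTAT_SAMPLE, EXTERNAL_SAMPLE):
        print("NOT IN NETSTAT:", " ".join(str(k) for k in key))
```

    On the constructed samples this reports a listener on TCP 31337 and an outbound connection to 10.9.8.7:6667 that the host's netstat never showed. The comparison is one-directional on purpose: entries netstat shows but the external view lacks are usually just timing (short-lived connections), whereas entries the external view has and netstat lacks are exactly the hidden-socket case the thread is asking about.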

  6. #6
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    Some of these things are quite good at hiding

    There are some useful tools on Karen Kenworthy's site:

    http://www.karenware.com/powertools/powertools.asp

    You might want to try Windows Watcher? If you have a nasty one it may not be stealthed against that.

    Fellow tool freaks, you might like to browse the site as well. Karen writes some useful stuff. Sorry, I should have mentioned the site ages ago.

    Cheers

  7. #7
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Great stuff posted before. Could be software conflicts, trojans, you bet!

    But don't forget the possibility of this being heat related or a voltage issue. You mentioned that this happens during high resource demands (movies, etc) = higher temps and higher voltage demands. Generally computers are not supposed to just shut down unless we pull the plug or instruct them to. Whether that instruction comes from the keyboard or from set parameters (such as max CPU/board temps, min/max voltages), something is making it or telling it to shut down. I'd check your PC health in the setup to see what the CPU and board temps are (also the shutdown temp setting, and compare the two) and check the voltages. Then go to your CPU's and main board's manufacturer and compare the temps/voltages with their standards.

    You must have good airflow in and out of the box and the power supply must supply the required voltages.


    Can a trojan bypass netstat?
    Most assuredly! One goal of the deviant is to try to hide by altering logs, detection processes etc. Coding filters to alter netstat’s output has already been accomplished and for those that can’t write their own, they are readily available at the L4m3rz $i7es.

    Looks like we have just about all the possibilities covered now. Let us know.

    cheers
    Connection refused, try again later.

  8. #8
    Senior Member
    Join Date
    Oct 2004
    Posts
    118
    Hi !

    @Nihil:

    I've got the latest updates for all of them and I run regular scans of my system. Spyware scans are done every night at 2am. There is one thing I forgot to mention. I'm on a college campus with all the computers in the campus connected through a LAN. We keep sharing stuff among ourselves using WASTE and sometimes even through Lanshares. That's why I keep my computer switched on all the time. I will try the PC-cillin HouseCall and let you know what happens. I don't think it's a NAV conflict because this is a fairly new WinXP installation (about a month old). This kind of strange behaviour started just a couple of days ago. It doesn't happen all the time, just now and then. Once, I just left the room for a minute and when I got back, somehow the "standby, turn off, restart" window was showing on the screen. I am not running Windows Firewall. I've even changed the settings in Sygate to ask me for each and every program that needs to use the network. I'll try out the tools you suggested and post back.

    @gump:

    Can't check the connection because, as I said, I'm on a LAN and the main server is far, far away. I'll check out that utility you suggested.

    @rico:

    I haven't scanned in safe mode. But if NAV doesn't detect it in normal mode, there isn't much point in scanning again in safe mode, right? It says '0 viruses found'. Safe mode is only for removing the viruses/trojans that were detected but which are staying memory resident, right?

    @relyt:

    I don't think it's voltage fluctuation, because this computer is 6 months old and I haven't had a problem before. The CPU and M/B are well ventilated. That's because I always keep the side panel open. Sometimes, it's easier to take your hard disk to someone else's computer and copy the stuff you want.
    Never trouble another for what you can do for yourself.
    -Thomas Jefferson


  9. #9
    Originally posted here by alamuru420123
    @rico:
    I haven't scanned in safe mode. But if NAV doesn't detect it in normal mode, there isn't much point in scanning again in safe mode right? It says '0 viruses found' . Safe mode is only for removing the viruses/trojans detected but which are staying memory resident right?
    The idea behind booting in Safe Mode is to load as few of the drivers and services as possible, because one of them could be the malware. There are some stealth tactics used by malware writers that can be avoided by booting into Safe Mode, so they become visible.

    All in all it's really just another step in a long list of system checks that should be done.

    One more tip to add to the Rootkit Revealer tip: rename the EXE to a different name. Rootkit makers have responded to the tool by watching for the execution of the executable file. Some rootkits even compare the MD5, so you gotta edit the exe file. I did just that, changing a couple of text characters where there was a text line - for example 'This program cannot be run in DOS mode' in the beginning - and that changes the MD5. But this is all getting advanced.
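
    The edit described in the post above works because the text in the DOS stub is never executed when the file runs under Windows, so changing a character there alters the file's MD5 without changing the Win32 program; what must not be touched is the MZ header (in particular the e_lfanew pointer at offset 0x3C) and anything from the PE signature onward. The following is an added example, not code from the thread, that performs that edit only after checking the target bytes lie wholly inside the stub. The PE image it operates on is a constructed minimal stand-in built in the code, not the real Rootkit Revealer binary.

```python
"""Patch a detection tool's DOS stub so its MD5 changes (added example).

Layout assumed (standard PE): 0x40-byte IMAGE_DOS_HEADER starting with 'MZ',
e_lfanew (uint32 at 0x3C) giving the offset of the 'PE\\0\\0' signature, and
the DOS stub sitting between the two. The stub only runs under real DOS, so
an equal-length edit inside it leaves the Windows program untouched.
"""
import hashlib
import struct

DOS_HEADER_SIZE = 0x40
PE_SIGNATURE = b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """Constructed MZ/PE-shaped buffer for the demo; not a runnable executable."""
    stub_msg = b"This program cannot be run in DOS mode.\r\r\n$"
    dos_header = bytearray(DOS_HEADER_SIZE)
    dos_header[0:2] = b"MZ"
    stub = stub_msg.ljust(0x40, b"\x00")          # toy stub: exactly 0x40 bytes
    e_lfanew = DOS_HEADER_SIZE + len(stub)
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    # Minimal COFF header after the signature: Machine = 0x014c (i386), rest zero.
    pe = PE_SIGNATURE + b"\x4c\x01" + b"\x00" * 18
    return bytes(dos_header) + stub + pe + b"\x00" * 64


def dos_stub_range(image: bytes) -> tuple:
    """Return (start, end) of the DOS stub, validating the MZ/PE layout first."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew + 4 > len(image):
        raise ValueError("e_lfanew outside the file")
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    return DOS_HEADER_SIZE, e_lfanew


def patch_dos_stub(image: bytes, old: bytes, new: bytes) -> bytes:
    """Replace `old` with the equal-length `new`, but only inside the DOS stub."""
    if len(old) != len(new):
        raise ValueError("replacement must keep file size and all offsets")
    start, end = dos_stub_range(image)
    idx = image.find(old, start, end)      # match must end at or before `end`
    if idx < 0:
        raise ValueError("pattern not found wholly inside the DOS stub")
    patched = image[:idx] + new + image[idx + len(old):]
    # Header and everything from the PE signature onward are byte-identical.
    assert patched[:start] == image[:start] and patched[end:] == image[end:]
    return patched


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    original = build_fake_pe()
    patched = patch_dos_stub(original, b"DOS mode", b"DOS m0de")
    print("before:", md5hex(original))
    print("after: ", md5hex(patched))
```

    Two caveats for anyone doing this to a real tool: if the executable carries an Authenticode signature, any byte change invalidates it, so the patched copy will no longer verify; and a rootkit is not limited to the file name and MD5 described in the post, so a patched copy defeats only that particular lookup, not fingerprinting of the tool's behaviour.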

  10. #10
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066
    How about safe mode with networking and visit one of the online virus scanners such as on Symantec's site http://security.symantec.com/defaul...e&venid=sym.
    I think I brought up an idea a long time ago: whether or not you could run those online scans in safe mode. I can't remember who exactly tested it, either nihil or Tiger Shark, one of those two, but whoever it was said they couldn't get it to work...

    Correct me if I'm wrong ...
    I am the uber duck!!1
