Who is this tut for? This is for all those people who *keep* posting the same old threads.

We have all read the other tuts about Trojans etc. and know what they are; here I attempt to dispel some myths.

Myth 1: Virus checkers will protect you

This is untrue.

Virus checkers mostly work by comparing programs against signatures in their databases. They are very stupid in this respect (I'm not knocking them per se). This works very well against viruses, as each virus exists in huge numbers, and the copies are all the same. This does not work against trojans.

Clearly a backdoor program (not necessarily a trojan) can be hand-crafted on a per-installation basis, therefore there will not be another one in existence that is the same. No virus scanner can have it in its database, because it has never been seen before.

Virus checkers have signatures of well known binary-distributed backdoor "blackhat" programs in their databases. This mostly prevents kiddies. It will do nothing against an adversary who rolls their own, or compiles a modified version of a source-code distributed one.

Some experiments showed that changing compiler options or using a different compiler was entirely sufficient to mask even well-known backdoors from any virus checker.

Some use "heuristics", which are extremely unreliable, as they create a lot of false positives. Also, you don't *know* exactly what a given backdoor is going to do.

Myth 2: firewalls will protect you

So you think firewalls will protect you? No.

There are two types of firewall: network and application. The former are common in companies and filter packets on a rule basis or by stateful inspection. They won't help, because a backdoor program can disguise its malicious traffic as normal traffic.

Application firewalls won't help either. These are common on desktops, and often used by home users. However, a backdoor can easily get around them, by masquerading as a normal application and creating an innocent type of traffic.

Myth 3: backdoors listen on "ports"

This is untrue too. It is entirely unnecessary for a piece of mal-ware to listen on a "port", whatever that means.

Complete remote control can be obtained without the need to listen on any ports, or show up on "netstat".

They can simply make innocent-looking connections in an outward direction from time to time, looking for commands.

They can operate by sending and receiving covert emails through your email program.

They can use the port-less ICMP or raw sockets.
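The outward polling described above does leave one trace: connections that recur at a near-constant interval. As an added example (not part of the original post), the script below runs over a constructed outbound connection log and flags host pairs whose gaps are almost clockwork; the log format, hosts and thresholds are all assumptions.

```python
"""Beacon detection over outbound connection logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host polls 198.51.100.7 every ~10 minutes with slight
# jitter (the backdoor), interleaved with irregular browsing to 203.0.113.9.
SAMPLE_LOG = """\
2003-05-01T09:00:00 10.0.0.5 -> 198.51.100.7:80
2003-05-01T09:01:12 10.0.0.5 -> 203.0.113.9:443
2003-05-01T09:10:03 10.0.0.5 -> 198.51.100.7:80
2003-05-01T09:14:40 10.0.0.5 -> 203.0.113.9:443
2003-05-01T09:19:58 10.0.0.5 -> 198.51.100.7:80
2003-05-01T09:30:01 10.0.0.5 -> 198.51.100.7:80
2003-05-01T09:33:09 10.0.0.5 -> 203.0.113.9:443
2003-05-01T09:40:02 10.0.0.5 -> 198.51.100.7:80
2003-05-01T10:02:47 10.0.0.5 -> 203.0.113.9:443
"""

def parse_log(text):
    """Return {(src, dst): [timestamps]} from assumed 'TIME SRC -> DST:PORT' lines."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, src, _, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns

def gap_stats(times):
    """Mean inter-connection gap and its coefficient of variation (~0 = regular)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None  # too few connections to judge regularity
    avg = mean(gaps)
    return avg, pstdev(gaps) / avg

def find_beacons(text, max_cv=0.1, min_hits=4):
    """Flag (src, dst) pairs whose outbound connections recur at a steady interval."""
    flagged = {}
    for pair, times in parse_log(text).items():
        times.sort()
        stats = gap_stats(times)
        if stats is None or len(times) < min_hits:
            continue
        avg, cv = stats
        if cv <= max_cv:
            flagged[pair] = {"interval_s": round(avg, 1), "cv": round(cv, 3)}
    return flagged
```

Normal browsing produces gaps that vary widely, so it is not flagged; a poller with a fixed sleep shows up even though it never listens on a port or appears in netstat as a listener.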

Conclusions

1. No amount of off-the-shelf security products will protect you against every back-door or trojan.
2. The recipes for detecting them (netstat, looking at the registry, process listing) often cited on AO can be fooled fairly easily.
3. The ONLY WAY of preventing backdoors from taking over your computer is to engage in safe computing practices. There are no other measures which are effective. So DON'T open that attachment, don't download that crack and don't install that suspect program.