Trojans and TCP view


dos

Hi,
my question is how to know that a trojan is communicating with its owner?
I'm using TCPView. Which files are present on an infected PC and are they
visible through TCPView?
Can a trojan use legitimate files like firefox.exe and send data through
different ports? Please give me an example of a typical trojan connection.

Thanks.
 

Volodymyr Shcherbyna

Traffic depends on the trojan. Usually malware masquerades as an HTTP client and uses
built-in OS capabilities (WinInet, WinHTTP) to communicate with web servers.
Each case requires investigation. So you'd better take some time and
investigate the overall traffic on the machine.

--
V.
This posting is provided "AS IS" with no warranties, and confers no
rights.
"dos" <dos@discussions.microsoft.com> wrote in message
news:D159745A-270F-4042-A0D1-1A7A7E32966E@microsoft.com...
> Hi,
> my question is how to know that a trojan is communicating with its owner?
> I'm using TCPView. Which files are present on an infected PC and are they
> visible through TCPView?
> Can a trojan use legitimate files like firefox.exe and send data through
> different ports? Please give me an example of a typical trojan connection.
>
> Thanks.
 

David H. Lipman

From: "dos" <dos@discussions.microsoft.com>

| Hi,
| my question is how to know that a trojan is communicating with its owner?
| I'm using TCPView. Which files are present on an infected PC and are they
| visible through TCPView?
| Can a trojan use legitimate files like firefox.exe and send data through
| different ports? Please give me an example of a typical trojan connection.
|
| Thanks.

TCPView helps but not completely.

Individual files by themselves may show communication "home" or to peers. However, some
malware can hook directly into the OS such that a particular EXE file will not be indicated;
it will appear that the OS is communicating with the malicious third-party web sites.


Trojans can use legit files by patching the legit files with malicious code. Additionally,
malware often uses the EXE name of legit files such as firefox.exe; however, what is important
is the Fully Qualified Name (FQN) and path to the EXE file.

For example:
c:\windows\system32\svchost.exe is legit
C:\Program Files\Common Files\System\svchost.exe is NOT legit !


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 

Volodymyr Shcherbyna

In addition, TCPView does not show connections made in the context of the
'System' process. It means that a malware driver is able to create a pool
thread item and execute it in the context of System, using the TDI interface for
communication. This, for sure, will not be depicted in TCPView.

As a more advanced tool, I suggest using Wireshark.

--
V
This posting is provided "AS IS" with no warranties, and confers no
rights.
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:e5loOwtXIHA.4476@TK2MSFTNGP06.phx.gbl...
> From: "dos" <dos@discussions.microsoft.com>
>
> | Hi,
> | my question is how to know that a trojan is communicating with its
> owner?
> | I'm using TCPView. Which files are present on an infected PC and are they
> | visible through TCPView?
> | Can a trojan use legitimate files like firefox.exe and send data through
> | different ports? Please give me an example of a typical trojan connection.
> |
> | Thanks.
>
> TCPView helps but not completely.
>
> Individual files by themselves may show communication "home" or to peers.
> However, some
> malware can hook directly into the OS such that a particular EXE file will
> not be indicated;
> it will appear that the OS is communicating with the malicious third-party web
> sites.
>
>
> Trojans can use legit files by patching the legit files with malicious
> code. Additionally,
> malware often uses the EXE name of legit files such as firefox.exe; however,
> what is important
> is the Fully Qualified Name (FQN) and path to the EXE file.
>
> For example:
> c:\windows\system32\svchost.exe is legit
> C:\Program Files\Common Files\System\svchost.exe is NOT legit !
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 

Ron H

Hi David, after reading your answer to this post I went to Task Manager
and found five (5) svchost.exe services running: 3 Network Services
and 2 System. Now, after seeing your answer and checking
Process Library and finding out this svchost.exe could be used by a
trojan, how can I find out the paths of these services in Task Manager
like in your example? Thanks, Ron (Defender)

"David H. Lipman" wrote:

> From: "dos" <dos@discussions.microsoft.com>
>
> | Hi,
> | my question is how to know that a trojan is communicating with its owner?
> | I'm using TCPView. Which files are present on an infected PC and are they
> | visible through TCPView?
> | Can a trojan use legitimate files like firefox.exe and send data through
> | different ports? Please give me an example of a typical trojan connection.
> |
> | Thanks.
>
> TCPView helps but not completely.
>
> Individual files by themselves may show communication "home" or to peers. However, some
> malware can hook directly into the OS such that a particular EXE file will not be indicated;
> it will appear that the OS is communicating with the malicious third-party web sites.
>
>
> Trojans can use legit files by patching the legit files with malicious code. Additionally,
> malware often uses the EXE name of legit files such as firefox.exe; however, what is important
> is the Fully Qualified Name (FQN) and path to the EXE file.
>
> For example:
> c:\windows\system32\svchost.exe is legit
> C:\Program Files\Common Files\System\svchost.exe is NOT legit !
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
>
 

Volodymyr Shcherbyna

You can download a more advanced tool which shows the path for processes
here: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Regarding the svchost.exe problem, read about the Task Manager limitation in Windows
XP:
http://msmvps.com/blogs/v_scherbina...-case-of-task-manager-that-does-not-kill.aspx

--
V
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Ron H" <RonH@discussions.microsoft.com> wrote in message
news:D4174670-F7C8-4A4D-8592-80169E13321E@microsoft.com...
> Hi David, after reading your answer to this post I went to Task Manager
> and found five (5) svchost.exe services running: 3 Network Services
> and 2 System. Now, after seeing your answer and checking
> Process Library and finding out this svchost.exe could be used by a
> trojan, how can I find out the paths of these services in Task Manager
> like in your example? Thanks, Ron (Defender)
>
> "David H. Lipman" wrote:
>
>> From: "dos" <dos@discussions.microsoft.com>
>>
>> | Hi,
>> | my question is how to know that a trojan is communicating with its
>> owner?
>> | I'm using TCPView. Which files are present on an infected PC and are they
>> | visible through TCPView?
>> | Can a trojan use legitimate files like firefox.exe and send data
>> through
>> | different ports? Please give me an example of a typical trojan
>> connection.
>> |
>> | Thanks.
>>
>> TCPView helps but not completely.
>>
>> Individual files by themselves may show communication "home" or to peers.
>> However, some
>> malware can hook directly into the OS such that a particular EXE file
>> will not be indicated;
>> it will appear that the OS is communicating with the malicious third-party web
>> sites.
>>
>>
>> Trojans can use legit files by patching the legit files with malicious
>> code. Additionally,
>> malware often uses the EXE name of legit files such as firefox.exe;
>> however, what is important
>> is the Fully Qualified Name (FQN) and path to the EXE file.
>>
>> For example:
>> c:\windows\system32\svchost.exe is legit
>> C:\Program Files\Common Files\System\svchost.exe is NOT legit !
>>
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>>
>>
>>
 

Ron H

Volodymyr, thank you for that link. I think this is something I should
have been using for a while now. Ron

"dos" wrote:

> Hi,
> my question is how to know that a trojan is communicating with its owner?
> I'm using TCPView. Which files are present on an infected PC and are they
> visible through TCPView?
> Can a trojan use legitimate files like firefox.exe and send data through
> different ports? Please give me an example of a typical trojan connection.
>
> Thanks.
 

David H. Lipman

From: "Ron H" <RonH@discussions.microsoft.com>

| Hi David, after reading your answer to this post I went to Task Manager
| and found five (5) svchost.exe services running: 3 Network Services
| and 2 System. Now, after seeing your answer and checking
| Process Library and finding out this svchost.exe could be used by a
| trojan, how can I find out the paths of these services in Task Manager
| like in your example? Thanks, Ron (Defender)
|

It is common to have multiple SVCHOST.EXE processes running. Each load specifcommunication
capabilities of the OS.

Like I said, it is not the name of the file that is important, it is the Fully Qualified
Name and Path to that file.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
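A scripted way to apply Dave's rule (judge the Fully Qualified Name and path, not the file name) and to answer Ron's question about where each svchost.exe lives, as an added example that is not from this thread or from any of the posters. It lists every svchost.exe process with its full path, compares that path with the expected %SystemRoot%\System32 location, checks the file's Authenticode signature (which also flags a correctly located file that has been patched with foreign code), and then shows the TCP endpoints each process owns, the same per-process view TCPView gives. It assumes Windows 8 / Server 2012 or later with PowerShell 3+ (for Get-NetTCPConnection) and an elevated session; the function names Get-SvchostReport and Get-ProcessTcp are my own.

```powershell
# Added example, not from the thread. Requires PowerShell 3+ on Windows 8 /
# Server 2012 or later (Get-NetTCPConnection) and an elevated session so that
# the Path of every svchost.exe process is readable.

$ExpectedSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-SvchostReport {
    # One object per svchost.exe process: PID, full path, signature status, verdict.
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $_.Path   # $null when the process could not be opened
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'N/A' }

        # Path comparison is case-insensitive by default in PowerShell.
        $verdict = if (-not $path) {
            'UNKNOWN (could not read path; run elevated)'
        } elseif ($path -ne $ExpectedSvchost) {
            'SUSPICIOUS: not the System32 svchost.exe'
        } elseif ($sig -ne 'Valid') {
            'SUSPICIOUS: expected path but signature status is ' + $sig
        } else {
            'OK'
        }

        [pscustomobject]@{
            PID       = $_.Id
            Path      = $path
            Signature = $sig
            Verdict   = $verdict
        }
    }
}

function Get-ProcessTcp {
    # TCP endpoints owned by one PID, as TCPView shows them per process.
    param([Parameter(Mandatory)][int]$ProcessId)
    Get-NetTCPConnection -OwningProcess $ProcessId -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
}

$report = Get-SvchostReport
$report | Format-Table -AutoSize

foreach ($entry in $report) {
    Write-Host ("`nTCP connections owned by PID {0} [{1}]" -f $entry.PID, $entry.Verdict)
    Get-ProcessTcp -ProcessId $entry.PID | Format-Table -AutoSize
}
```

Multiple entries with the System32 path and a Valid signature are the normal picture Dave describes. Note Volodymyr's caveat still applies: traffic sent by a kernel driver in the context of the System process (PID 4) is attributed to no user-mode image, so neither TCPView nor this script will tie it to a file, and a capture from Wireshark is the way to see it at all.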
 

Ron H

David, I haven't installed the program Volodymyr told me about yet
but knowing that the process runs multiple times has put me a little
more at ease. Thanks Ron


"dos" wrote:

> Hi,
> my question is how to know that a trojan is communicating with its owner?
> I'm using TCPView. Which files are present on an infected PC and are they
> visible through TCPView?
> Can a trojan use legitimate files like firefox.exe and send data through
> different ports? Please give me an example of a typical trojan connection.
>
> Thanks.
 
