Detecting Trojans and Viruses

A Trojan can be detected in many ways. Port scanning, which can prove very effective if you know what to look for. Because a Trojan is used to allow access through backdoors or covert channels, a port must be opened to allow this communication. A port scan using a tool such as Nmap reveals these ports and allows you to investigate them further.

The following ports are used for classic Trojans:
■ Back Orifice: UDP 31337 or 31338
■ Back Orifice 2000: TCP/UDP 54320/54321
■ Beast: TCP 6666
■ Citrix ICA: TCP/UDP 1494
■ Deep Throat: UDP 2140 and 3150
■ Desktop Control: UDP NA
■ Donald Dick: TCP TCP 23476/23477
■ Loki: Internet Control Message Protocol (ICMP)
■ NetBus: TCP 12345 and 12346
■ Netcat: TCP/UDP (any)Malware
■ NetMeeting Remote: TCP 49608/49609
■ pcAnywhere: TCP 5631/5632/65301
■ Reachout: TCP 43188
■ Remotely Anywhere: TCP 2000/2001
■ Remote: TCP/UDP 135-1139
■ Whack-a-Mole: TCP 12361 and 12362
■ NetBus 2 Pro: TCP 20034
■ GirlFriend: TCP 21544
■ Masters Paradise: TCP 3129, 40421, 40422, 40423, and 40426
■ Timbuktu: TCP/UDP 407
■ VNC: TCP/UDP 5800/5801

See Exercise 1 to learn how to use nestat to detect open ports.

U S I N G N E T S TAT

Exercise 1 : Using Netstat to Detect Open Ports
Another tool that is effective at detecting Trojans is netstat. This tool can list the ports that are open and listening for connections on the system.

To use netstat, follow these steps in Windows:
1. Open a command prompt.
2. At the command line, enter netstat –an (note that the command is case sensitive).
3. Observe the results.

You should see that several ports are open and listening. You may not recognize all the numbers, but that doesn’t mean they are malicious. You may wish to research the open ports (they vary from system to system) to see what each relates to.