Sunday, 5 October 2014

How to secure yourselves from Trojans and RATs


Symptoms of a trojan:


Unusual behaviour of the system is a clear indication of a Trojan attack!
• Programs starting and running without the user initiating them.
• CD-ROM drawers opening or closing on their own.
• Wallpaper, background, or screen saver settings changing by themselves.
• The screen display flipping upside down.
• The browser opening strange or unexpected websites.

All the above actions make it seem like a ghost is controlling your system!
They clearly indicate that you are under Trojan attack!

Concept behind Detecting Trojans:

The first and foremost thing you have to do is check which applications are making network connections to other computers. One of those applications will be the process started by the Trojan's server component.

METHOD 1:


Detecting Trojans using the "netstat" command


An effective method to detect Trojans is to use the "netstat" command.


Step 1: Go to Start > Run and type cmd (to open the command prompt).

Step 2: Go to the C drive and type netstat
It displays all the active connections.


Now type the command netstat -ano
It displays all the TCP and UDP ports currently in use, together with the PID of the process that owns each one.


The Trojan could be one of the ESTABLISHED connections, but not every ESTABLISHED connection is a Trojan.

Step 3: Open Task Manager.

(This can be done by right-clicking on the taskbar and choosing Start Task Manager.)

Step 4: Go to View --> Select Columns, check "Process Identifier" and click OK.



Step 5: Cross-check the PIDs of the ESTABLISHED connections against the PIDs shown in Task Manager to find the name of the program or application that owns each one. For example, PID 5004 is TeamViewer.exe (as shown in the image).


Step 6: Whenever you find a suspicious program, copy its name and paste it into the search box of spywareguide.com.
For example, one of the programs could be Backdoor.Alvgus.a.exe. Copy it and paste it into the search box of spywareguide.com.
Click on the result and it displays the program's properties.
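The cross-check in Steps 2 and 5 can be scripted so that every ESTABLISHED connection is listed next to the name of the process that owns it. This is an added example, not code from the original post: it parses constructed sample text in the format of `netstat -ano` and `tasklist /FO CSV /NH` output, and all PIDs, addresses and process names in the samples are made up (including a PID that no longer exists in the task list, which is reported rather than silently dropped).

```python
import csv
import io

# Constructed sample in the format of `netstat -ano` output (hypothetical PIDs and addresses).
NETSTAT_SAMPLE = """
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.10:49712     203.0.113.5:5938       ESTABLISHED     5004
  TCP    192.168.1.10:49720     198.51.100.7:443       ESTABLISHED     2312
  TCP    192.168.1.10:49731     203.0.113.9:3124       ESTABLISHED     6120
  TCP    192.168.1.10:49740     203.0.113.20:8080      ESTABLISHED     7777
  UDP    0.0.0.0:5353           *:*                                    1784
"""

# Constructed sample in the format of `tasklist /FO CSV /NH` output; PID 7777 is deliberately missing.
TASKLIST_SAMPLE = """\
"TeamViewer.exe","5004","Console","1","40,000 K"
"chrome.exe","2312","Console","1","150,000 K"
"Backdoor.Alvgus.a.exe","6120","Console","1","3,000 K"
"""

def parse_netstat(text):
    """Parse `netstat -ano` output into dicts; UDP rows carry no State column."""
    rows = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # title, column header, blank and malformed lines are skipped
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    reader = csv.reader(io.StringIO(text))
    return {int(row[1]): row[0] for row in reader if len(row) >= 2}

def established_with_names(netstat_text, tasklist_text):
    """Step 5 of the post: ESTABLISHED TCP connections joined to their owning process."""
    names = parse_tasklist(tasklist_text)
    rows = [r for r in parse_netstat(netstat_text) if r["state"] == "ESTABLISHED"]
    for r in rows:
        # A PID with no task-list entry means the process exited between the two commands
        # or is hiding from tasklist; either way it deserves a closer look, not silence.
        r["process"] = names.get(r["pid"], "<PID not in tasklist: exited or hidden>")
    return rows
```

On a real machine, save `netstat -ano` and `tasklist /FO CSV /NH` output to two text files and pass their contents to `established_with_names`; run the two commands back to back so the PIDs line up.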



How To Kill A Program?


Well, you have identified a Trojan. Now you have to kill it. You can kill the process using pskill.
You can download pskill from here.
Store the pskill.exe application on your C drive. Then kill the particular process using the command C:\>pskill 5004 (where 5004 is the PID of the program).

METHOD 2: 


Detecting and removing Trojans using TCPView:


If you find it difficult to do all the above, just go through this method.
TCPView is a Windows program that shows you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and the state of each TCP connection. You can download it from here.
When you start TCPView it enumerates all active TCP and UDP endpoints, resolving all IP addresses to their domain names.
Endpoints that change state from one update to the next are highlighted in yellow;
those that are deleted are shown in red, and new endpoints are shown in green.
You can right-click on active connections and check their properties.

Once you have identified the Trojan application, kill the active connection and the running process, then delete the physical application file.
This will recover your system from the Trojan attack.


How to prevent a Trojan attack?


The key to preventing Trojans and backdoors from being installed on a system is not to install applications downloaded from the Internet or open e-mail attachments from parties you don't know.
Most commercial antivirus programs have anti-Trojan capabilities as well as spyware detection and removal functionality.
These tools can automatically scan hard drives on startup to detect backdoor and Trojan programs before they can cause damage. It's important to use commercial applications to clean a system.
Also use Malwarebytes Anti-Malware to protect your computer from all kinds of viruses and Trojans. You can download it from here.

NOTE: Never ever download Trojans and RATs from third-party websites. Always use Trojans from their official websites only.


Author

AMAN JAIN 
