Log in | Back to darenet.org

Detecting and Removing Trojan Horses

(Resources)
(Resources)
Line 42: Line 42:
* [[Recovering From a System Compromise]]
* [[Recovering From a System Compromise]]
-
[[Category:Expolits Prevention]]
+
[[Category:Exploits Prevention]]

Revision as of 06:54, 26 October 2007

In This Guide:

Detection - How to find a Trojan

By their very nature trojan horses are difficult to find. Unlike viruses they won't corrupt files or delete things you might notice, they do their best to stay out of sight and avoid detection. That said, they are pieces of software and no software can run on any computer without leaving some trace of it's existance. Below I'll cover three basic tools that will uncover the presence of the majority of trojan horses. None of these costs any money, in fact two of them are already installed on every windows computer!

The Task List

You may be familiar with the Task List that appears if you press CTRL+ALT+DEL within windows. This is supposed to be a list of all the programs running on your computer at the second you pressed those keys - it's not. For reasons best known to themselves Microsoft hid a great many processes from display in the task list, possibly to avoid confusing novice users. In doing this, they gave trojan writers the perfect tool to hide their own creations from your view as well.

Less well known is the System Information Utility (msinfo32.exe) that hides in the C:\program files\common\microsoft shared\msinfo folder on your disk. This tool can uncover almost every process that's running on any windows system, even those that are 'hidden' from the task list. Better yet, on windows 98 & ME the same tool provides an easy way to selectivly disable any suspect processes at the next reboot. To use this when hunting for trojans, look down the task listings for running tasks & services for any which you don't recognise. Check the paths and filenames. Check the file properties and run the executable or .dll through your virus scanner. If you find nothing but still aren't sure, use the Startup Programs editor in the tools menu to disable the process then reboot your machine (make a backup of your system files first!). If nothing complains, leave the process disabled for now and carry on looking at the others. Eventually you'll have only those processes you really need running on your machine which will have the benefit of not only killing off any trojans but also making your PC seem more responsive and generally quicker to start up.

Netstat

All trojans need to communicate. If they don't do that they are useless for their intended purpose. This is the second major weakness of most trojan horses, their communication leaves a trail you can follow.

The Netstat command lists all the open connections to and from your PC. To use it, open a DOS box and enter the command netstat -an this will list all the open connections to and from your PC, along with the IP address of the machines on either side. If you see a connection you don't recognise, you need to investigate it further and track down the process that's using it. For this you need the third tool in the armoury, TCPView.

TCPView

TCPView is a free utility by Sysinternals which not only lists the IP addresses communicating with your computer, it tells you what program is using that connection. Armed with this information you can locate whatever program is sending data out of your machine and deal with it. I recommend renaming the offending file then rebooting - that way if you make a mistake you can put it right easily.

Removing a Trojan Horse

Trojans often modify the startup files of your computer, add or change lines in the system registry and even overwrite system files to make sure they are run every time you boot up. For that reason, removing them by hand takes time, patience and an understanding of what you are doing. It's fraught with dangers, including trashing your registry or loosing the ability to run programs so it's definatly not for everyone - even those who know exactly what they are doing often prefer to use automated tools when removing a trojan horse.

Each trojan has it's own specific removal routine, see the Cleaners & Fixes pages for details on those. They do however all conform to the same basic patterns :

  • They usually insert a line in the run, run once or run services keys in the system registry. This is the principal startup method of most trojans including Back Orifice & Sub7. Removing the line from the registry and rebooting usually stops the trojan loading.
  • Some alter Win.ini, system.ini or plae themselves in the 'Startup' folder. Again, removing the offending line usually stops the trojan running.
  • Some alter or replace system files. These need careful handling and are best left to experts or automated tools.
  • One in particular can modify a certain setting in the registry, causing it to be executed before ANY program you run. removing this line stops you running ANYTHING! Again, this is best left to experts or automated tools to deal with.

The steps involved in removing a trojan are simple :

  • Identify the trojan horse file on your hard disk.
  • Find out how it is being started and take the necessary action to prevent it being restarted after a reboot.
  • Reboot your machine and delete the trojan horse.
  • See the Recovering from a System Compromise page for more in-depth help on what else you may need to do.

Resources