Tweet
Trojans and viruses can sometimes be detected if you know what you are looking for. Because this kind of malicious software is used to allow access through backdoors or covert channels, a TCP or UDP port must be listening to allow communication. In effect, the malicious software might be detectable using a simple port scan. One other way of discovering backdoors is using the netstat command that allow the owner of the system to see what ports are in a listening or connected state on the local system.
The following ports are used for common trojans
Of course, above list is not a complete list as new software is being developed continuously and existing backdoors might change listening ports.
Some of these tools were meant for administrative purposes and might not be considered to be malicious but a hacker might use them as such.
A wide variety of tools exists that can be used to take control of a target system and leave behind a backdoor.
Some examples are listed below...
let me rule
A remote access trojan authored entirely in Delphi. It uses TCP port 26097 by default.
RECUB
Remote Encrypted Callback Unix Backdoor (RECUB) uses RC4 encryption, code injection, and encrypted ICMP communication requests. It demonstrates a key trait of trojan software in that it is very small in size. It is less than 6KB.
Phatbot
Capable of stealing personal information such as e-mail addresses, credit card numbers, and software licensing codes. It uses a P2P network to return this information to the attacker.
It also has the capability to disable many antivirus and software-based firewalls, leaving the victim open to further attacks.
amitis
This software opens TCP port 27551 to give the attacking party complete control over the target system.
Zombam.B
This software allows an attacker to use a web browser to infect a computer. It uses port 80 by default and is created with a trojan-generation tool known as HTTPRat.
Zombam.B will attempt to terminate various antivirus and firewall processes.
Beast
Beast uses a technique known as Data Definition Language (DDL) injection to inject itself into an existing process, effectively hiding itself from process viewers.
Hard-disk killer
This is a trojan written to destroy a local hard drive. When the software is being executed, it attacks the local hard drive by wiping it in just a few seconds.
The following ports are used for common trojans
- Back Orifice: UDP 31337 or 31338
- Back Orifice 2000 (BO2K): TCP/UDP 54320/54321
- Beask: TCP 6666
- Citrix ICA: TCP/UDP 1494
- Deep Throat: UDP 2140 and 3150
- Desktop Control: UDP
- Donald Dick: TCP 23476/23477
- Loki: Internet Control Message Protocol (ICMP)
- NetBus: TCP 12345 and 12346
- Netcat: Any TCP or UDP port
- NetMeeting Remote: TCP 49608/49609
- pcAnywhere: TCP 5631/5632/65301
- Reachout: TCP 43188
- Remotely Anywhere: TCP 2000/2001
- Remote: TCP/UDP 135-1139
- Whack-a-Mole: TCP 12361 and 12362
- NetBus 2 Pro: TCP 20034
- GirlFriend: TCP 21544
- Masters Paradise: TCP 3129, 40421, 40422, 40423, and 40426
- Timbuktu: TCP/UDP 407
- VNC: TCP/UDP 5800/5801
- RDP: TCP 3389
Of course, above list is not a complete list as new software is being developed continuously and existing backdoors might change listening ports.
Some of these tools were meant for administrative purposes and might not be considered to be malicious but a hacker might use them as such.
A wide variety of tools exists that can be used to take control of a target system and leave behind a backdoor.
Some examples are listed below...
let me rule
A remote access trojan authored entirely in Delphi. It uses TCP port 26097 by default.
RECUB
Remote Encrypted Callback Unix Backdoor (RECUB) uses RC4 encryption, code injection, and encrypted ICMP communication requests. It demonstrates a key trait of trojan software in that it is very small in size. It is less than 6KB.
Phatbot
Capable of stealing personal information such as e-mail addresses, credit card numbers, and software licensing codes. It uses a P2P network to return this information to the attacker.
It also has the capability to disable many antivirus and software-based firewalls, leaving the victim open to further attacks.
amitis
This software opens TCP port 27551 to give the attacking party complete control over the target system.
Zombam.B
This software allows an attacker to use a web browser to infect a computer. It uses port 80 by default and is created with a trojan-generation tool known as HTTPRat.
Zombam.B will attempt to terminate various antivirus and firewall processes.
Beast
Beast uses a technique known as Data Definition Language (DDL) injection to inject itself into an existing process, effectively hiding itself from process viewers.
Hard-disk killer
This is a trojan written to destroy a local hard drive. When the software is being executed, it attacks the local hard drive by wiping it in just a few seconds.
Comment