Signatures of Trojans

105 pts.
Tags:
malware
Malware removal
Trojan Horse
Trojans
Viruses
How can I verify that there are no trojans on my network?  I would like to know where I can find signatures for the latest inceptions of the biggies in the trojan world.  I do not trust my anti-virus program and want to manually check md5s of files that trojans infect.  

Software/Hardware used:
Windows XP, Windows 7

Answer Wiki

What you need is an IPS or IDS system. Or you can sniff packets from computers that you think are infected and see if they are generating abnormal traffic out to the internet.

===
Trojan horses or any other malicious software are usually hidden in some parts of your computer system. This means these files are somewhat hard to locate; the best thing you can do is to scan your computer system and let your antivirus software do the job of searching for and removing potential risks.

Discuss This Question: 5  Replies

  • carlosdl
    If you don't trust your anti-virus, I think you should replace it (if that's an option). There are free anti-spyware programs you can install in addition to your current antivirus. I really doubt that you can manually detect more malware than good anti-spyware programs, which are developed by companies dedicated to that specific field, and with many years of research on the topic.
    69,240 points
  • AndrewGauger
    Alright, so here is my take: what about malware that breaks antivirus programs or sits dormant waiting for the botnet to issue a command? I know I can netstat -a to check if ports are listening, but I was hoping for md5s of known trojans to make sure that my antivirus is working (for those trojans that break anti-virus, changing anti-virus programs wouldn't solve the problem). I would also expect an IDS like Snort to catch known signatures, but deploying an IPS wouldn't help after the fact. Thank you both for very valid answers.
    105 points
  • thongtarget21
    I've used AVG and they have been great.
    485 points
  • AndrewGauger
    Ok, this is more like what I was looking for: How to detect the ZeuS Banking Trojan on your computer
    Computers infected with this version of ZeuS will have the following files and folders installed. The location depends on whether the victim has Administrator rights. The files will most likely have the HIDDEN attribute set to hide them from casual inspection.
    With Administrator rights:
      %systemroot%\system32\sdra64.exe (malware)
      %systemroot%\system32\lowsec
      %systemroot%\system32\lowsec\user.ds (encrypted stolen data file)
      %systemroot%\system32\lowsec\user.ds.lll (temporary file for stolen data)
      %systemroot%\system32\lowsec\local.ds (encrypted configuration file)
    Without Administrator rights:
      %appdata%\sdra64.exe
      %appdata%\lowsec
      %appdata%\lowsec\user.ds
      %appdata%\lowsec\user.ds.lll
      %appdata%\lowsec\local.ds
    ZeuS also makes registry changes to ensure that it starts up with Administrator privileges:
      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
      From: "Userinit" = "C:\WINDOWS\system32\userinit.exe"
      To:   "Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe"
    Without Administrator rights:
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Add: "Userinit" = "C:\Documents and Settings\<user>\Application Data\sdra64.exe"
    The sdra64.exe program uses process injection to hide its presence in the list of running processes. Upon startup, it will inject code into winlogon.exe (if Administrator rights available) or explorer.exe (for non-Administrators) and exit. The injected code infects other processes to perform its data theft capabilities.
    105 points
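The asker wanted to hash files that trojans drop and check them by hand, and the post above lists the ZeuS drop paths, the HIDDEN attribute, and the Winlogon Userinit change. The script below is an added example written for this thread, not code from the original post or from any vendor: it looks for the listed ZeuS files under %systemroot%\system32 and %appdata%, records each file's MD5 and hidden flag, and parses the Userinit value so that any entry other than the legitimate userinit.exe is flagged. The KNOWN_BAD_MD5 set is an assumed placeholder (the thread gives no hashes; in practice it is filled from a vendor or IOC feed), and the demo function builds a constructed sample tree so the logic can be exercised on any OS.

```python
"""Added example: host check for the ZeuS indicators listed in the thread (not the original post's code)."""
import hashlib
import os
import stat
import tempfile

# Drop files named in the thread, relative to %systemroot%\system32 (admin) or %appdata% (non-admin).
ZEUS_RELATIVE_PATHS = [
    "sdra64.exe",
    os.path.join("lowsec", "user.ds"),
    os.path.join("lowsec", "user.ds.lll"),
    os.path.join("lowsec", "local.ds"),
]

# The only entry a clean Winlogon Userinit value should contain (compared case-insensitively).
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"

# ASSUMPTION: placeholder; the thread gives no hashes, so populate this from a vendor/IOC feed.
KNOWN_BAD_MD5 = set()


def md5_of_file(path, chunk=65536):
    """Hash a file in chunks so large files do not have to be read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_userinit(value, legit=LEGIT_USERINIT):
    """Return every Userinit entry other than the legitimate userinit.exe.

    A clean value is 'C:\\WINDOWS\\system32\\userinit.exe,'; ZeuS appends
    ',C:\\WINDOWS\\system32\\sdra64.exe', so anything extra is reported.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and entry.lower() != legit:
            extras.append(entry)
    return extras


def is_hidden(path):
    """True if the Windows HIDDEN attribute is set; False on non-Windows, where the field is absent."""
    try:
        attrs = os.stat(path).st_file_attributes
    except AttributeError:
        return False
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_ioc_files(base_dirs):
    """Look for the ZeuS drop files under each base directory and describe every hit."""
    hits = []
    for base in base_dirs:
        for rel in ZEUS_RELATIVE_PATHS:
            p = os.path.join(base, rel)
            if os.path.isfile(p):
                digest = md5_of_file(p)
                hits.append({"path": p, "md5": digest, "hidden": is_hidden(p),
                             "known_bad": digest in KNOWN_BAD_MD5})
    return hits


def windows_base_dirs():
    """The two locations the thread names; empty when the variables are not set (non-Windows)."""
    dirs = []
    if os.environ.get("SystemRoot"):
        dirs.append(os.path.join(os.environ["SystemRoot"], "system32"))
    if os.environ.get("APPDATA"):
        dirs.append(os.environ["APPDATA"])
    return dirs


def read_userinit_extras():
    """Read the Winlogon Userinit value on Windows and return the unexpected entries."""
    try:
        import winreg
    except ImportError:  # not Windows
        return []
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon")
    value, _ = winreg.QueryValueEx(key, "Userinit")
    return parse_userinit(value)


def demo_on_constructed_tree():
    """Constructed sample: a fake %appdata% holding a harmless 'sdra64.exe' so the scan has a hit."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "sdra64.exe"), "wb") as f:
        f.write(b"constructed sample file, not malware\n")
    return find_ioc_files([base])


if __name__ == "__main__":
    for hit in find_ioc_files(windows_base_dirs()) + demo_on_constructed_tree():
        print(hit)
    for extra in read_userinit_extras():
        print("Unexpected Userinit entry:", extra)
```

A hit on any of these paths is only a lead, not a verdict: the file's MD5 tells you which sample it is only if it matches a hash you trust, while the Userinit parser catches the persistence change regardless of how the dropped binary was renamed or repacked, which is why the registry check is the more durable of the two.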
  • Speciallist
    You can also run Nessus; it will provide you a complete picture with solutions.
    10 points