105 pts.
 Signatures of Trojans
How can I verify that there are no trojans on my network? I would like to know where I can find signatures for the latest inceptions of the biggies in the trojan world. I do not trust my anti-virus program and want to manually check MD5s of files that trojans infect.

Software/Hardware used:
Windows XP, Windows 7
ASKED: March 11, 2010  6:25 AM
UPDATED: January 30, 2012  8:21 AM

Answer Wiki:
What you need is an IPS or IDS system. Or you can sniff packets from computers that you think are infected and see if they are generating abnormal traffic out to the internet.

Trojan horses or any other malicious software are usually hidden in some parts of your computer system. This means these files are somewhat hard to locate; the best thing you have to do is to scan your computer system and let your antivirus software do the job of searching and removing potential risks.
Last Wiki Answer Submitted:  January 30, 2012  8:21 am  by  Darkstar911   790 pts.
All Answer Wiki Contributors:  Darkstar911   790 pts.


Discuss This Question:


 

If you don’t trust your anti-virus, I think you should replace it (if that’s an option).

There are free anti-spyware programs you can install in addition to your current antivirus.

I really doubt that you can manually detect more malware than good anti-spyware programs, which are developed by companies dedicated to that specific field, and with many years of research on the topic.

 63,535 pts.

 

Alright, so here is my take: what about malware that breaks antivirus programs or sits dormant waiting for the botnet to issue a command? I know I can netstat -a to check if ports are listening, but I was hoping for MD5s of known trojans to make sure that my antivirus is working (for those trojans that break anti-virus, changing anti-virus programs wouldn't solve the problem). I would also expect an IDS like Snort to catch known signatures, but deploying an IPS wouldn't help after the fact.

Thank you both for very valid answers.

 105 pts.

 

I’ve used AVG and they have been great.

 485 pts.

 

Ok, this is more like what I was looking for:

How to detect the ZeuS Banking Trojan on your computer

Computers infected with this version of ZeuS will have the following files and folders installed. The location depends on whether the victim has Administrator rights. The files will most likely have the HIDDEN attribute set to hide them from casual inspection.

With Administrator rights:

%systemroot%\system32\sdra64.exe (malware)
%systemroot%\system32\lowsec
%systemroot%\system32\lowsec\user.ds (encrypted stolen data file)
%systemroot%\system32\lowsec\user.ds.lll (temporary file for stolen data)
%systemroot%\system32\lowsec\local.ds (encrypted configuration file)

Without Administrator rights:

%appdata%\sdra64.exe
%appdata%\lowsec
%appdata%\lowsec\user.ds
%appdata%\lowsec\user.ds.lll
%appdata%\lowsec\local.ds

ZeuS also makes registry changes to ensure that it starts up with Administrator privileges:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
From:
"Userinit" = "C:\WINDOWS\system32\userinit.exe"
To:
"Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe"

Without Administrator rights:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Add:
"Userinit" = "C:\Documents and Settings\<user>\Application Data\sdra64.exe"

The sdra64.exe program uses process injection to hide its presence in the list of running processes. Upon startup, it will inject code into winlogon.exe (if Administrator rights are available) or explorer.exe (for non-Administrators) and exit. The injected code infects other processes to perform its data theft capabilities.

 105 pts.
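A small checker for the indicators in the write-up above, added here as an example and not taken from the thread or from any ZeuS analysis: the two registry checks take the value strings exactly as read from the keys, the file check takes the two candidate install roots, and `exists` can be swapped out to exercise the logic against constructed data on a non-Windows box. The function names and the root labels are my own.

```python
import hashlib
import ntpath
import os
from typing import Callable, Dict, List

# Relative paths of the ZeuS artefacts listed above. The root each hangs off
# (system32 for Administrator installs, %APPDATA% otherwise) is supplied by
# the caller so both install cases can be checked with the same code.
ZEUS_RELATIVE_PATHS = ("sdra64.exe", ntpath.join("lowsec", "user.ds"),
                       ntpath.join("lowsec", "user.ds.lll"),
                       ntpath.join("lowsec", "local.ds"))


def check_userinit(value: str) -> List[str]:
    """Return every entry of the Winlogon Userinit value other than the
    legitimate userinit.exe; a clean value such as
    'C:\\WINDOWS\\system32\\userinit.exe,' yields []."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and ntpath.basename(entry).lower() != "userinit.exe":
            extras.append(entry)
    return extras


def check_hkcu_run(values: Dict[str, str]) -> List[str]:
    """Flag HKCU Run entries matching the non-Administrator persistence: a
    value named 'Userinit' (Winlogon launches the real userinit.exe, so it
    has no business in a Run key) or any value whose target is sdra64.exe."""
    return [f"{name} = {data}" for name, data in values.items()
            if name.lower() == "userinit"
            or ntpath.basename(data.strip('"')).lower() == "sdra64.exe"]


def find_zeus_files(roots: Dict[str, str],
                    exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Probe each root for the dropped files. `exists` is injectable so the
    logic can be exercised against constructed data off a Windows box."""
    return [ntpath.join(root, rel) for root in roots.values()
            for rel in ZEUS_RELATIVE_PATHS if exists(ntpath.join(root, rel))]


def md5_of(path: str) -> str:
    """MD5 of a hit, for comparison against a hash a vendor has published."""
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()
```

On a live host, pass check_userinit the data returned by winreg.QueryValueEx on the Winlogon key and check_hkcu_run a dict of the HKCU Run values; a hit's MD5 is only useful next to a hash a vendor published for that particular build.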

 

You can also run Nessus; it will provide you a complete picture with solutions.

 10 pts.