Comments on: Signatures of Trojans http://itknowledgeexchange.techtarget.com/itanswers/signatures-of-trojans/ Sun, 19 May 2013 03:14:28 +0000 hourly 1 By: speciallist http://itknowledgeexchange.techtarget.com/itanswers/signatures-of-trojans/#comment-75402 speciallist Wed, 31 Mar 2010 13:32:22 +0000 #comment-75402 You can also run Nessus it will provide you complete picture with solution.

]]> By: andrewgauger http://itknowledgeexchange.techtarget.com/itanswers/signatures-of-trojans/#comment-74986 andrewgauger Thu, 18 Mar 2010 17:30:10 +0000 #comment-74986 Ok, this is more like what I was looking for:

How to detect the ZeuS Banking Trojan on your computer

Computers infected with this version of ZeuS will have the following files and folders installed. The location depends on whether the victim has Administrator rights. The files will most likely have the HIDDEN attribute set to hide them from casual inspection.

With Administrator rights:

%systemroot%system32sdra64.exe (malware)
%systemroot%system32lowsec
%systemroot%system32lowsecuser.ds (encrypted stolen data file) %systemroot%system32lowsecuser.ds.lll (temporary file for stolen data) %systemroot%system32lowseclocal.ds (encrypted configuration file)

Without Administrator rights:

%appdata%sdra64.exe
%appdata%lowsec
%appdata%lowsecuser.ds
%appdata%lowsecuser.ds.lll
%appdata%lowseclocal.ds

ZeuS also makes registry changes to ensure that it starts up with Administrator privileges:

HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogon
From:
“Userinit” = “C:WINDOWSsystem32userinit.exe”
To:
“Userinit” = “C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32sdra64.exe”

Without Administrator rights:

HKCUSoftwareMicrosoftWindowsCurrentVersionRun
Add:
“Userinit” = “C:Documents and Settings<user>Application Datasdra64.exe”

The sdra64.exe program uses process injection to hide its presence in the list of running processes. Upon startup, it will inject code into winlogon.exe (if Administrator rights available) or explorer.exe (for non-Administrators) and exit. The injected code infects other processes to perform its data theft capabilities.

]]> By: thongtarget21 http://itknowledgeexchange.techtarget.com/itanswers/signatures-of-trojans/#comment-74910 thongtarget21 Tue, 16 Mar 2010 20:30:14 +0000 #comment-74910 I’ve used AVG and they have been great.

]]> By: andrewgauger http://itknowledgeexchange.techtarget.com/itanswers/signatures-of-trojans/#comment-74777 andrewgauger Fri, 12 Mar 2010 00:34:44 +0000 #comment-74777 Alright so here is my take– What about malware that breaks antivirus programs or sit dormant waiting for the bot net to issue a command. I know I can netstat -a to check if ports are listening, but I was hoping to for md5s of known trojans to make sure that my antivirus is working (for those trojans that break anti-virus, changing anti-virus programs wouldn’t solve the problem). I would also expect an IDS like Snort to catch known signatures, but deploying an IPS wouldn’t help after the fact.

Thank you both for very valid answers.

]]> By: carlosdl http://itknowledgeexchange.techtarget.com/itanswers/signatures-of-trojans/#comment-74748 carlosdl Thu, 11 Mar 2010 14:55:32 +0000 #comment-74748 If you don’t trust your anti-virus, I think you should replace it (if that’s an option).

There are free anti-spyware programs you can install in addition to your current antivirus.

I really doubt that you can manually detect more malware than good anti-spyware programs, which are developed by companies dedicated to that specific field, and with many years of research on the topic.

]]>