CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [50]

to clean, but you can do so with commercially available tools.

It's important to use commercial applications to clean a system instead of freeware tools, because many freeware removal tools can further infect the system. In addition, port-monitoring tools can identify ports that have been opened or files that have changed.

Understand Trojan-Evading Techniques

The key to preventing Trojans and backdoors from being installed on a system is to educate users not to install applications downloaded from the Internet or open e-mail attachments from parties they don't know. Many systems administrators don't give users the system permissions necessary to install programs on their system for that very reason.

Port-Monitoring and Trojan-Detection Tools

Fport reports all open TCP/IP and UDP ports and maps them to the owning application. You can use fport to quickly identify unknown open ports and their associated applications.

TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses and state of TCP connections. When TCPView runs, it enumerates all active TCP and UDP endpoints, resolving all IP addresses to their domain-name versions.

PrcView is a process viewer utility that displays detailed information about processes running under Windows. PrcView comes with a command-line version you can use to write scripts that check whether a process is running and, if so, kill it.

Inzider is a useful tool that lists processes in the Windows system and the ports on which each one listens. Inzider may pick up some Trojans. For instance, BackOrifice injects itself into other processes, so it isn't visible in the Task Manager as a separate process, but it does have an open port that it listens on.

Tripwire verifies system integrity. It automatically calculates cryptographic hashes of all key system files or any file that is to be monitored for modifications. The Tripwire software works by creating a baseline snapshot of the system. It periodically scans those files, recalculates the information, and sees whether any of the information has changed. If there is a change, an alarm is raised.
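An added illustration of the baseline-then-rescan approach described above (example code written for this page, not Tripwire's own); the monitored extensions and the tampering scenario are constructed assumptions:

```python
import hashlib
import tempfile
from pathlib import Path

# Default set of monitored file types; mirrors the protected types named later in the text (assumption).
MONITORED = (".sys", ".dll", ".ocx", ".ttf", ".exe")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries never load fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=MONITORED) -> dict:
    """Baseline snapshot: relative POSIX path -> SHA-256 for every monitored file under root."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def check_integrity(root: Path, baseline: dict) -> dict:
    """Rescan and report files whose hash changed, plus unexpected additions and removals."""
    current = build_baseline(root)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate a Trojan replacing a system file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "system32").mkdir()
        (root / "system32" / "kernel.dll").write_bytes(b"original kernel code")
        (root / "system32" / "svc.exe").write_bytes(b"original service")
        (root / "readme.txt").write_bytes(b"not a monitored type")
        baseline = build_baseline(root)  # in practice, store this on read-only media
        (root / "system32" / "kernel.dll").write_bytes(b"trojanized kernel code")  # tampered
        (root / "system32" / "dropped.exe").write_bytes(b"new binary")            # added
        (root / "system32" / "svc.exe").unlink()                                  # removed
        return check_integrity(root, baseline)
```

Any non-empty list in the report is the "alarm"; the unmonitored readme.txt never appears because the baseline filter ignores it.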

Dsniff is a collection of tools used for network auditing and penetration testing. Dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and WebSpy passively monitor a network for interesting data such as passwords, e-mail, and file transfers. Arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker due to layer 2 switching. Sshmitm and webmitm implement active man-in-the-middle attacks against redirected Secure Shell (SSH) and HTTP over SSL (HTTPS) sessions by exploiting weak bindings in ad hoc Public Key Infrastructure (PKI). These tools will be discussed in further detail in Chapter 6, "Sniffers."

System File Verification (Subobjective to Trojan Countermeasures)

Windows 2003 includes a feature called Windows File Protection (WFP) that prevents the replacement of protected files. WFP checks the file integrity when an attempt is made to overwrite a SYS, DLL, OCX, TTF, or EXE file. This ensures that only Microsoft-verified files are used to replace system files.

Another tool called sigverif checks to see what files Microsoft has digitally signed on a system. To run sigverif, perform the following steps:

1. Click the Start button.

2. Click Run.

3. Type sigverif, and click Start. The results will be displayed.

System File Checker is another command-line-based tool used to check whether a Trojan program has replaced files. If System File Checker detects that a file has been overwritten, it retrieves a known good file from the Windows\system32\dllcache folder and overwrites the unverified file. The command to run the System File Checker is sfc /scannow.

Viruses and Worms

Viruses and worms can be used to infect a system and modify a system to allow a hacker to gain access. Many viruses and worms carry Trojans and backdoors. In this way a virus or worm is a carrier and allows malicious code such as Trojans and
