RE: Scanning for trojans

["Rob Shein" <shoten () starpower net>]

Most trojans are awfully sparse on response information if you don't
authenticate to them properly.  I don't think such a tool exists, and if it
did, I think it would only spot a few of the many possible trojans out
there.  A long shot might be to check out which well-known trojans are
easily reconfigured to use different ports (like BO2K) and do a quick check
for those.  Otherwise, it's entirely possible that the trojan has been
slightly rewritten to make it remotely unidentifiable anyways.

-----Original Message-----
From: Discussion Lists [mailto:discussions () lagraphico com] 
Sent: Monday, April 28, 2003 6:06 PM
To: Eric; pen-test () securityfocus com
Subject: RE: Scanning for trojans


Thanks, but in my case I don't have local access to the machine, so it would
be helpful to find a way to identify it remotely.  I am beginning if such an
animal actually exists?

Thanks

> -----Original Message-----
> From: Eric [mailto:ews () tellurian net]
> Sent: Monday, April 28, 2003 2:26 PM
> To: Discussion Lists; pen-test () securityfocus com
> Subject: Re: Scanning for trojans
>
>
> map the open port back to the executable that launched it.
>
> ...Microsoft specific advice...
> If on Win2K, use fport from foundstone.  If XP, try fport, or
> do netstat 
> -on and map the PID back to the executable.
>
> At 10:19 AM 4/27/2003 -0700, Discussion Lists wrote:
> > Hi all,
> > I have discovered what I believe is a trojan on a port that is a
> > non-standard port for that particular trojan, but I want to 
> narrow down
> > the possibilities of what it could be.  Can anyone suggest a trojan
> > scanner that can detect a trojan by simply scanning for open 
> ports, and
> > connecting?
> >
> > Thanks
> >
> > -------------------------------------------------------------
> ----------
> > ----
> > Attend Black Hat Briefings & Training Europe, May 12-15 in
> Amsterdam, the
> > world's premier event for IT and network security experts.
> The two-day
> > Training features 6 hand-on courses on May 12-13 taught by
> professionals.
> > The two-day Briefings on May 14-15 features 24 top speakers
> with no vendor
> > sales pitches.  Deadline for the best rates is April 25.
> Register today to
> > ensure your place.  http://www.securityfocus.com/BlackHat-pen-test
> > -------------------------------------------------------------
> ---------------

---------------------------------------------------------------------------
Did you know that you have VNC running on your network?
Your hacker does.
Plug your security holes.
Download a free 15-day trial of VAM:
http://www.securityfocus.com/StillSecure-pen-test
----------------------------------------------------------------------------




---------------------------------------------------------------------------
Did you know that you have VNC running on your network?
Your hacker does.
Plug your security holes.
Download a free 15-day trial of VAM:
http://www.securityfocus.com/StillSecure-pen-test
----------------------------------------------------------------------------