CEH

(Jeff_L) #1

Malware 197


■ NetMeeting Remote: TCP 49608/49609


■ pcAnywhere: TCP 5631/5632/65301


■ Reachout: TCP 43188


■ Remotely Anywhere: TCP 2000/2001


■ Remote: TCP/UDP 135-1139


■ Whack-a-Mole: TCP 12361 and 12362


■ NetBus 2 Pro: TCP 20034


■ GirlFriend: TCP 21544


■ Masters Paradise: TCP 3129, 40421, 40422, 40423, and 40426


■ Timbuktu: TCP/UDP 407


■ VNC: TCP/UDP 5800/5801


See Exercise 8.2 to learn how to use netstat to detect open ports.

USING NETSTAT


Exercise 8.2: Using Netstat to Detect Open Ports


Another tool that is effective at detecting Trojans is netstat. This tool can list the ports that
are open and listening for connections on the system.


To use netstat, follow these steps in Windows:



  1. Open a command prompt.

  2. At the command line, enter netstat -an (note that the command is case sensitive).

  3. Observe the results.


You should see that several ports are open and listening. You may not recognize all the
numbers, but that doesn’t mean they are malicious. You may wish to research the open
ports (they vary from system to system) to see what each relates to.


Note that although the ports here refer to some classic examples of Trojans, there are
many new ones. We cannot list them all, because they are ever evolving and the ports
change.

See Exercise 8.3 to learn about TCPView.


USING TCPVIEW


Exercise 8.3: Using TCPView to Track Port Usage


Netstat is a powerful tool, but one of its shortcomings is the fact that it is not real-time. If
you wish to track port usage in real time, you can use tools like TCPView.


If you do not already have TCPView, you can download it from http://www.microsoft.com.
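
The check from Exercise 8.2 can be scripted. The following Python is an added example, not part of the original post or the book it quotes: it parses netstat -an output and flags listeners on the ports in the list above. The sample output is constructed, and the names LISTED, LOOKUP, listeners and flag_listed are made up for this example.

```python
# Added example. LISTED copies the list above; "Remote: TCP/UDP 135-1139" is omitted.
LISTED = [
    ("NetMeeting Remote", "TCP", (49608, 49609)),
    ("pcAnywhere", "TCP", (5631, 5632, 65301)),
    ("Reachout", "TCP", (43188,)),
    ("Remotely Anywhere", "TCP", (2000, 2001)),
    ("Whack-a-Mole", "TCP", (12361, 12362)),
    ("NetBus 2 Pro", "TCP", (20034,)),
    ("GirlFriend", "TCP", (21544,)),
    ("Masters Paradise", "TCP", (3129, 40421, 40422, 40423, 40426)),
    ("Timbuktu", "TCP/UDP", (407,)),
    ("VNC", "TCP/UDP", (5800, 5801)),
]
LOOKUP = {(proto, port): name for name, protos, ports in LISTED
          for proto in protos.split("/") for port in ports}

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:20034          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49712     203.0.113.5:5631       ESTABLISHED
  TCP    [::]:12361             [::]:0                 LISTENING
  UDP    0.0.0.0:407            *:*
  UDP    0.0.0.0:20034          *:*
"""

def listeners(text):
    """Yield (proto, address, port) for TCP LISTENING rows and bound UDP rows."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue  # with -an the state is the last column; skip non-listeners
        addr, _, port = local.rpartition(":")  # also handles [::]:port
        if port.isdigit():
            yield proto, addr, int(port)

def flag_listed(text):
    """Return listeners whose protocol and port appear in LISTED."""
    return [(p, a, n, LOOKUP[(p, n)]) for p, a, n in listeners(text)
            if (p, n) in LOOKUP]

if __name__ == "__main__":
    for proto, addr, port, name in flag_listed(SAMPLE):
        print(f"{proto} {addr}:{port} matches listed port for {name}")
```

A match is only a starting point for research, the same as an unrecognized port: pcAnywhere, Timbuktu and VNC are also legitimate remote-access products.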
