RCT's & RAT's
The "Trojan horse" applications discussed within this website are remote administration "hacker" utilities that allow a user to control another user's computer across the Internet using the "client/server" approach. While it may be hard to believe, Trojan horse applications can provide as much control over a remote PC system as the person sitting at its keyboard has, if not more.
Where the topic involves trojans such as Back Orifice or NetBus, would you like to take a guess at which PC is acting as the "server"?
"IP Address" (Internet Protocol Address)
The above is a small selection from a possible 65,535 (64K) port numbers!
Which PC's can be affected?
Depending on the trojan involved, they're designed to affect Windows 95/98 PC's, Windows NT PC's, or both.
How do the trojans work?
To establish the connection to another user's computer, the hacker running the "client" portion connects to the IP address of a known PC that has the "server" portion installed upon it.
If the hacker running the "client" portion doesn't know the IP address of the user's PC which has been compromised by the "server" portion, the hacker usually initiates a series of connections to a large range of IP addresses on the Internet (known as "scanning"), looking for any PC that responds back to the attempt. If a PC responds back, it responds with its IP address. Then all the hacker has to do is establish a connection to that IP address.
Keep in mind that 99% of the time, the hacker doesn't have a specific target (or victim) to begin with, so any PC that answers back to their attempted connections satisfies their goal of hacking into another's PC.
Because the "server" portion is configured to use (or "listen" on) a particular port number, it's the client who attempts a connection to that specific port number to initiate the connection between computers.
NOTE: Some trojans may use more than one port number. This is because one port is used for "listening" and the others are used for the transfer of data.
In their default configurations, the following trojans use:
Back Orifice - UDP port 31337 or 31338
Devil - port 65000
Detecting the trojans can be difficult because once they're installed, they typically don't show in either the task list or close-program list, and are rerun every time the computer is started by means of an entry in a branch of the Registry.
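Because the "server" portion has to listen on a port, a check that does not depend on the task list is to look at the PC's own listening sockets. The following is an added example, not part of the original page: it parses `netstat -an` output and flags listeners on the default ports listed above. The sample output is constructed, and since the page gives no protocol for Devil's port 65000, matching it on both TCP and UDP is an assumption.

```python
import re

# Default ports as listed on this page. The page gives no protocol for
# Devil's port 65000, so it is matched on TCP and UDP (assumption).
DEFAULT_PORTS = {
    ("UDP", 31337): "Back Orifice",
    ("UDP", 31338): "Back Orifice",
    ("TCP", 65000): "Devil",
    ("UDP", 65000): "Devil",
}

# One row of `netstat -an`: proto, local addr:port, foreign addr, [state]
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def suspicious_listeners(netstat_output):
    """Return (trojan, proto, local_addr, port) for each listener on a default port."""
    hits = []
    for line in netstat_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or blank line
        proto, addr, port, _foreign, state = m.groups()
        # Only the local side matters. TCP rows must be LISTENING; UDP rows
        # have no state column, so a bound UDP socket counts as listening.
        if proto == "TCP" and state != "LISTENING":
            continue
        name = DEFAULT_PORTS.get((proto, int(port)))
        if name:
            hits.append((name, proto, addr, int(port)))
    return hits

# Constructed sample output (not captured from a real machine).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:65000          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:65000      ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

if __name__ == "__main__":
    for name, proto, addr, port in suspicious_listeners(SAMPLE):
        print(f"{name}: {proto} listener on {addr}:{port}")
```

A clean result only rules out the default configurations; a "server" portion set to listen on a different port will not match.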
How did my system become compromised?
"Have you downloaded and run any programs lately?"
Simply executing the "server" portion of either trojan installs the software. To ease distribution, the "server" portions can be attached ("piggy-backed") to any other Windows executable, which will run normally after installing the server portion.
There have been several reports of ICQ users being compromised via the ability to send files to/from one another. I strongly suggest that you read ICQ's latest End User Agreement, which discusses this topic.
The best defense to prevent your PC from becoming compromised by these or any other trojans is to not download files from unknown sources!
Final words of advice
Acquire an antivirus software product.
Acquire a firewall application for your PC.
The benefit of using a firewall is that even if your system were to become compromised, the design of the firewall's rules would prevent the connections from being allowed through it.
FWIW, I personally use VisNetic Firewall for my home PC and find that it does exactly what it's supposed to (e.g. prevent those on the 'net from being able to establish unwanted connections to my PC when I'm online).
Copyright Commodon Communications. All rights reserved.