RCT's & RAT's
How do I detect them?
Acid Shivers (modified)
Deep Back Orifice
Deep Throat v2
Hack 'a' Tack
NetBus 2 Pro
Sockets 'de Troie
This is the best method to determine if your system has been compromised, but it requires that you:
A. have a basic understanding of the states of an "active connection", and
B. are familiar with the port numbers commonly used by the trojans.
With regard to the state of an "active connection": there are several states, but really only one that you need to know about.
The "listening" state is when your PC listens on a port number, waiting for another PC to make a connection to it. The listening state is the state that the trojan will be in after your system is rebooted.
NOTE: Some trojans may use more than one port number. This is because one port is used for "listening" and the other/s are used for the transfer of data.
In their default configurations, the following trojans use:
Back Orifice - UDP port 31337 or 31338
Devil - port 65000
How to detect
If, after following the directions outlined further down below, you've determined that your PC is "listening" on any of the above ports, it's a very strong indicator that your PC has been compromised. Click the appropriate link to learn how to remove the trojan involved.
Although Back Orifice and NetBus are commonly found configured to use their default port/s for the connection between the client and server, they have also been found configured to use different port/s.
Regardless of what port/s they may be configured to use, the important thing to know is that if you're a home user (and your PC doesn't participate on a LAN or a SoHo LAN), your PC shouldn't be "listening" on any port (or ports) after it's been rebooted.
Keep in mind that for some PCs that are connected to a LAN or a SoHo LAN, it is common for certain ports (137, 138 and 139) to be listening. Such ports are used for NetBIOS, and sometimes port 135 (RPC) may be used as well.
How to determine what ports are "listening"
Perform the following steps:
Step 1. - Reboot your PC. Do NOT establish a dial-up connection.
Click Start | Shut Down
Step 2. - After you reboot your PC and before doing anything else, open a DOS window.
Click Start | Programs | MS-DOS Prompt
NOTE: If you don't have a shortcut to the MS-DOS Prompt, don't worry. You can click Start | Run
Step 3. - Type "netstat -an >>c:\netstat.txt" (without the quotes)
Step 4. - Close the DOS window.
Step 5. - Open Explorer
Click Start | Programs | Windows Explorer
Step 6. - Change to the C drive and double click on the netstat.txt file. It should open with NOTEPAD.
For reference, the port numbers are shown as ":XXXXX" to the right of the IP address, where "XXXXX" is a 1 to 5 digit number.
Provided below are some examples of what you might find:
The above example is typical of a home user's PC. The system (after a reboot) doesn't show any active connections. If your system looks like this, then congratulations! You have nothing to worry about.
The above example is typical of a PC on a LAN. The system (after a reboot) shows several connections in a listening state, used by NetBIOS. As mentioned above, the ports used by NetBIOS are ports 137 (nbname), 138 (nbdata) and 139 (nbsession).
Again, if your system isn't showing any active connections other than the ones related to using NetBIOS, then congratulations! You have nothing to worry about.
The above example is typical of a home user's PC that's been compromised with the Back Orifice server portion, which has been configured to use port 31337 (the default).
The above example is typical of a PC on a LAN that's been compromised with the Back Orifice server portion, which has been configured to use port 31337 (the default).
The above example is typical of a home user's PC that's been compromised with the Back Orifice server portion that's been configured to use port 4000 instead of the default 31337.
The above example is typical of a PC on a LAN that's been compromised with the Back Orifice server portion that's been configured to use port 4000 instead of the default 31337.
If your system shows any ports in a listening state that you cannot identify or explain, it might be wise to further investigate the possibility that your system has been compromised with one of these trojans using a port other than the default/s.
Some ports that may be found in a listening state include:
FTP, which uses TCP port 21
If you do find your system "listening" on any of these ports, you should know whether it should or shouldn't be. If it shouldn't be, then it's wise to further investigate the possibility that your system has been compromised with one of the trojans using a port other than the default/s.
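As an added example, not from the original page, the following Python script does the same reading of netstat.txt that the steps above ask you to do by eye: it picks out the sockets in a listening state and sorts them into the categories the text describes (NetBIOS/RPC ports that are normal on a LAN, the default ports of the trojans named above, a known service such as FTP on TCP 21, and anything left unexplained). The sample listings are constructed to resemble the Windows "netstat -an" layout; the script assumes that UDP rows, which carry no State column, count as listening, and that Devil's port 65000 may appear on either TCP or UDP, since the page does not state the protocol.

```python
"""Classify the listening ports in a saved 'netstat -an' listing.

Added example, not code from the original page. The sample listings
below are constructed to resemble the Windows netstat -an format; the
exact column layout of your own netstat.txt may differ.
"""
import re

# Ports the page says are normal on a PC that participates on a LAN / SoHo LAN.
NETBIOS_PORTS = {135: "RPC", 137: "nbname", 138: "nbdata", 139: "nbsession"}

# Default ports of the trojans listed on the page.
TROJAN_DEFAULTS = {
    ("UDP", 31337): "Back Orifice",
    ("UDP", 31338): "Back Orifice",
    ("TCP", 65000): "Devil",   # assumption: the page does not state the protocol
    ("UDP", 65000): "Devil",   # assumption: the page does not state the protocol
}

# Legitimate services the page mentions that may also be found listening.
KNOWN_SERVICES = {("TCP", 21): "FTP"}

# Proto, local addr:port, foreign addr, optional State (absent on UDP rows).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d{1,5})\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed samples: a clean home PC, a LAN PC with Back Orifice on its
# default UDP port, and a home PC listening on a port the page calls unexplained.
SAMPLE_HOME_CLEAN = """\
Active Connections

  Proto  Local Address          Foreign Address        State
"""

SAMPLE_LAN_BO = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:137            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:138            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    0.0.0.0:31337          *:*
"""

SAMPLE_HOME_4000 = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:4000           0.0.0.0:0              LISTENING
"""


def listening_sockets(text):
    """Return (proto, port) pairs that are listening in a netstat -an dump.

    TCP rows count only when their State column reads LISTENING. UDP rows
    have no state on Windows, so every bound UDP socket is treated as listening.
    """
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a layout this parser does not know
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append((proto, int(port)))
    return found


def classify(text, on_lan=False):
    """Sort listening sockets into the buckets the page describes."""
    report = {"expected": [], "trojan_default": [], "known_service": [], "unexplained": []}
    for proto, port in listening_sockets(text):
        key = (proto, port)
        if on_lan and port in NETBIOS_PORTS:
            report["expected"].append((proto, port, NETBIOS_PORTS[port]))
        elif key in TROJAN_DEFAULTS:
            report["trojan_default"].append((proto, port, TROJAN_DEFAULTS[key]))
        elif key in KNOWN_SERVICES:
            report["known_service"].append((proto, port, KNOWN_SERVICES[key]))
        else:
            report["unexplained"].append((proto, port, "unknown"))
    return report


def verdict(report):
    """One-word summary: compromised, investigate, verify or clean."""
    if report["trojan_default"]:
        return "compromised"      # a trojan default port is listening
    if report["unexplained"]:
        return "investigate"      # listening on a port you cannot explain
    if report["known_service"]:
        return "verify"           # a real service; confirm it should be running
    return "clean"                # nothing listening beyond what is expected


if __name__ == "__main__":
    for name, text, lan in [("home", SAMPLE_HOME_CLEAN, False),
                            ("lan", SAMPLE_LAN_BO, True),
                            ("home-4000", SAMPLE_HOME_4000, False)]:
        rep = classify(text, on_lan=lan)
        print(name, verdict(rep), rep)
```

To use it on your own file, replace the constructed samples with the contents of c:\netstat.txt and set on_lan=True only if your PC really participates on a LAN; on a stand-alone home PC even the NetBIOS ports land in the unexplained bucket, which matches the page's advice that such a PC should not be listening on anything after a reboot.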
If you're unsure how to read your "netstat.txt" file, feel free to email me a copy. I'd be more than happy to take a look at it and let you know the results.
Copyright Commodon Communications. All rights reserved.