port explorer

Discussion in 'Port Explorer' started by Bethrezen, May 24, 2003.

Thread Status:
Not open for further replies.
  1. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    hi all

    i decided to take a lil look see at the evaluation version of port explorer coz it looked cool but I'm just wondering if there is a way to determine if a red process is actually a trojan infected service or not because there are a few red ones msn messenger kazaa lite icq msn explorer and spy blocker i don't think these are trojan infected but i just wanna make sure coz if they are then ill need to get an AT

    a quick reply would be appreciated thanks
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hey,

    The use of a good Anti-Trojan would lend some extra assurance but using, some of the Port Explorer features and some deduction, there are a few things you can do...

    1. Look at the destination IP and if it is not 127.0.0.1, 0.0.0.0 or your local IP address right click on that line and do a resolve on that IP and see if the destination lends some credibility to the safety of the process.

    2. If the destination ip is 127.0.0.1 or your local IP (in case you are unaware, the 127 address is called a loopback address and more or less means your local system) note the remote port and look in the rest of the process list for a process that is using that as a local port. If that second process has a destination IP other than 0.0.0.0, 127.0.0.1, or your local IP then do the same resolve function as in step 1. [Basically if you see the stuff encountered in this step, you have found a process that provides upper or lower level (in terms of the OSI layers) support for a process. This is typically found in Proxy Server applications.]

    3. Use the very handy 'SocketSpy' utility. [Right-click on process, Go to Socket submenu and select "enable spying". Give the process enough time to generate traffic and then go to Utilities -> Socket Spy, select the "Packet Data" button and look at the Packet Payload of the packets captured. In general, the lower the number seen in the Process's Sent and Received columns the less you need to worry about the process but this is not a sure indicator so I would be very free in the use of Socket Spy.

    4. Another warning sign would be if the socket is listening and here again you will want to follow the above steps.

    Hope this helps,

    Dan
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    ...oh,

    and another good thing to do if you feel that the service is trojanized is to use the recently released freeware "Advanced Process Manipulation" tool from DiamondCS

    http://www.diamondcs.com.au/index.php?page=apm

    This will list all processes and allow you to see which modules are loaded for each as well as enable you to do quite a few things with regard to the Process/Modules. If you feel there is some module that may not belong (such as keylogger.dll) you can unload the dll or use a hex-viewer or strings utility to view the contents of the suspect module
     
  4. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Hi Bethrezen,
    Port Explorer will show you many things on your computer, some NON TROJAN programs will show up as red in Port Explorer, but a lot of these would be a false alarm.

    First thing you should do is see if you recognize the process (the filename) that is red. If you don't recognize it (like its not a program you've installed or something) then you can try right clicking on the SYSTEM tray to see if the program has any systray icons. If a program has a SYSTRAY icon, right clicking on it and bringing up a menu should make the program appear in Port Explorer normally (ie Not red).

    If you can't find a systray icon associated with that process then you should start getting concerned. Look at what the process's sockets are doing, where its connected, packet sniff on it, etc. Usually the best thing to do is to go into the folder where the program is running from and see what else is in there. The trojan detection in Port Explorer is really useful as long as you understand a bit about your system.

    -Jason-
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi Bethrezen,

    Just right click on your tray icons and look at Port Explorer update the status of them from red to black :) MSN does this, notice when you right click this creates a visible window with options on it..

    If there is nothing on screen then Port Explorer will show it red. You should be able to easily determine which programs are running as tray icons - anything else very well might be a trojan and should be given further attention. As always just email support@diamondcs.com.au if you are unsure, attach a saved log of the PE screen if you wish :)
     
Thread Status:
Not open for further replies.