How to figure out if someone installed a homemade trojan?

Phuncz

2[H]4U
Joined
Apr 12, 2009
Messages
2,630
So it's like this: a friend sends me a file to test out, he is a programmer. When I executed it (it's an exe and dll) he tells me it sends small screenshots of my screen to his computer at small intervals, he wants to check how well it works over the internet. He says it's for a remote desktop program he is working with. Paranoid as I am I deleted the file and checked various things to make sure it is not covertly installed to keep sending stuff. But I'm no programmer myself, I don't know how to find something like that. I checked various standard places but if he used a cryptic dll-name through DLL-host, I'm not going to find it myself.

Are there any tips to look for to find out if something in the background is keylogging and screencapping? Next to the standard stuff like checking Task Manager of course :)
 
The only thing that comes up is a disconnected (it's off atm.) network drive, it doesn't mention anything else. Would this show a direct IP connection for instance? The program required that I input his home IP to connect to it. He said he put his machine in DMZ mode so the router wouldn't block it.
 
Yes, "net use" is just network drives and stuff. Try "netstat -a" instead. A good software firewall will also show you this same connection list.
 
My advice is a little skew, but beat your friend and don't ever open programs for him again. What he did was illegal and downright wrong, he should have notified you and received your consent before he asked you to open these files.

If he's a good programmer, you may never find it, it may also never even exist. Alternatively you can just reformat and re-install to play the safe route. You can use netstat or any session monitor, but without knowing of when the uploads are submitted, you may sit for hours or days staring at your screen to wait for a new session.
 
OK netstat -a gave a lot of entries, only one that seemed to go to a real IP address, in a neighbouring country on port 49642. I also checked the Windows 7 firewall which doesn't seem to point out something.

What I found odd was that no permission was asked when I executed the program. So if I understand it correctly, in Windows 7 or Vista it means that nothing can be installed to the Windows or Program Files folders and no startup changes can be made, right ?
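The triage the thread describes, sifting a long `netstat -a` listing for the one established session to a public address and finding which process owns it, can be scripted. The block below is an added example, not something posted in this thread: it parses the Windows `netstat -ano` output format (the `-o` column gives the owning PID, which `netstat -a` alone does not), drops loopback, RFC 1918 and link-local endpoints, and reports the remaining established TCP sessions with their PID so they can be looked up with `tasklist`. The sample listing, its addresses and PIDs are constructed for the example (203.0.113.0/24 is a documentation range, not a real host).

```python
import ipaddress
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `netstat -ano` output in the Windows format.
# Addresses and PIDs are made up; 203.0.113.0/24 is a documentation range.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       832
  TCP    127.0.0.1:5354         127.0.0.1:49200        ESTABLISHED     1100
  TCP    192.168.1.10:49642     203.0.113.45:8080      ESTABLISHED     4120
  TCP    192.168.1.10:49700     192.168.1.20:445       ESTABLISHED     4
  TCP    [::1]:49300            [::1]:49301            ESTABLISHED     1100
  UDP    0.0.0.0:500            *:*                                    900
"""

# Address ranges that cannot be the "real IP in another country" the thread
# is looking for: private LAN space and IPv6 unique-local addresses.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass
class Conn:
    proto: str
    local: str
    remote_ip: object          # ipaddress.IPv4Address / IPv6Address, or None for '*'
    remote_port: Optional[int]
    state: str
    pid: int


def split_endpoint(ep: str) -> Tuple[object, Optional[int]]:
    """Split 'ip:port' or '[ipv6]:port' into (ip, port); '*:*' yields (None, None)."""
    host, _, port = ep.rpartition(":")
    host = host.strip("[]")
    if host in ("", "*") or port == "*":
        return None, None
    return ipaddress.ip_address(host), int(port)


def parse_netstat(text: str) -> List[Conn]:
    """Parse Windows `netstat -ano` output; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP":
            proto, local, foreign, state, pid = fields[:5]
        else:
            proto, local, foreign, pid = fields[:4]   # UDP rows have no state column
            state = ""
        rip, rport = split_endpoint(foreign)
        conns.append(Conn(proto, local, rip, rport, state, int(pid)))
    return conns


def is_external(ip) -> bool:
    """True only for addresses that could be a remote machine on the internet."""
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def suspicious_connections(text: str) -> List[Tuple[str, int, int]]:
    """(remote_ip, remote_port, pid) for established TCP sessions to external addresses."""
    return [(str(c.remote_ip), c.remote_port, c.pid)
            for c in parse_netstat(text)
            if c.proto == "TCP" and c.state == "ESTABLISHED"
            and c.remote_ip is not None and is_external(c.remote_ip)]


if __name__ == "__main__":
    # On Windows run the real command; elsewhere fall back to the constructed sample.
    if sys.platform == "win32":
        text = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_NETSTAT
    for ip, port, pid in suspicious_connections(text):
        print(f'established to {ip}:{port} from PID {pid}  '
              f'-> check with: tasklist /FI "PID eq {pid}"')
```

One run is only a snapshot, which is the limitation Ockie points out above: a program that uploads at intervals may hold no session between uploads, so the script is worth repeating a few times (or leaving in a loop) rather than trusting a single clean listing.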
 
If it did not ask for you to install the software I'm thinking it probably did not install anything. Most simple programs don't need to install anything.

I agree with Ockie on both counts though. Both that you may never find anything and that your friend is a douche bag. Throw a water balloon at your friend's computer and then "ask" him if he's willing to test out your new waterproofing technology.

In all seriousness, netstat is your friend. I would also download and install HijackThis, though you can really fuck stuff up if you don't know what you're doing and you just start deleting stuff. If you're really paranoid, format.
 