ECSA / LPT
EC-Council Module XXXIV
Virus and Trojan Detection

Penetration Testing Roadmap
Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Internal Network Penetration Testing
• Router and Switches Penetration Testing
• Firewall Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Social Engineering Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Application Penetration Testing
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Penetration Testing Roadmap (cont'd)
• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• VPN Penetration Testing
• War Dialing
• Virus and Trojan Detection
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication and Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
End Here

Steps for Detecting Trojans and Viruses
1. Use netstat -a to detect Trojans' connections
2. Check Windows Task Manager
3. Check whether scanning programs are enabled
4. Check whether anti-virus and anti-Trojan programs are working
5. Detect a boot-sector virus

Step 1: Use netstat -a to Detect Trojans' Connections
Most remote access Trojans communicate over TCP or UDP sockets, and a Trojan generally listens on its default port.
A simple netstat -a can therefore reveal a Trojan's listening socket or its outbound connection.
Open a command prompt and type netstat -a.

Netstat: Screenshot

Step 2: Check Windows Task Manager
Windows Task Manager provides detailed information about the programs and processes running on the computer.
It displays standard information on the applications, processes, networking, and users on the system.

Windows Task Manager: Screenshot

Step 3: Check Whether Scanning Programs Are Enabled
Check whether scanning programs are enabled or not.
Use different scanning tools, and check whether they detect the Trojans and viruses on the system.
Step 3.1: Scan for suspicious running processes
Step 3.2: Scan for suspicious registry entries
Step 3.3: Check for suspicious open ports
Step 3.4: Scan for suspicious network activities
Step 3.5: Use the HijackThis tool to scan for spyware

Step 3.1: Perform Scanning for Suspicious Running Processes
Scan the system for suspicious running processes.
Use the following scanning tools:
• Process Viewer
• What's on my computer
[...]...
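Steps 1 to 3.4 above boil down to one question: which process owns each open socket, and is that process and port expected on this host? The script below is an added example, not code from the EC-Council module. It parses the text output of the real Windows commands `netstat -ano` (the module's `netstat -a` plus `-n` and `-o`, so that ports are numeric and PIDs are printed) and `tasklist`, correlates each socket with its owning process (the Task Manager view of Step 2), and flags listeners on the historical default ports of classic remote-access Trojans as well as any socket owned by a process that is not in a baseline. The two sample outputs are constructed, the `patch.exe` process and the baseline set are hypothetical, and the RAT port table is general background knowledge rather than something the module states. One caveat the slides do not mention: netstat and Task Manager run on the possibly compromised host, so a kernel-mode rootkit can hide sockets and processes from both; compare the result with a port scan taken from another machine.

```python
"""Correlate netstat sockets with running processes (Steps 1 to 3.4).

Added example, not part of the EC-Council module. Parses `netstat -ano` and
`tasklist` text output and flags sockets owned by processes outside a baseline
or sitting on a classic RAT default port.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `netstat -ano` output; not captured from a real host.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49712     203.0.113.9:6667       ESTABLISHED     3120
  TCP    192.168.1.20:49720     198.51.100.4:443       ESTABLISHED     2204
  UDP    0.0.0.0:31337          *:*                                    3120
  UDP    0.0.0.0:123            *:*                                    1040
"""

# Constructed sample of `tasklist` output for the same host.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0         24 K
svchost.exe                    896 Services                   0      9,120 K
svchost.exe                   1040 Services                   0      5,004 K
chrome.exe                    2204 Console                    1    180,224 K
patch.exe                     3120 Console                    1      2,048 K
"""

# Default ports of well-known classic remote-access Trojans (historical
# background, not from the module). A port match is a hint, not proof.
KNOWN_RAT_PORTS = {12345: "NetBus", 12346: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}

# Hypothetical process baseline for the sample host; a real one comes from a clean build.
BASELINE_IMAGES = {"System", "svchost.exe", "lsass.exe", "services.exe", "chrome.exe"}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_port: int
    remote: str
    state: str
    pid: int


def port_of(endpoint: str) -> int:
    """'0.0.0.0:135' -> 135, '[::]:135' -> 135, '*:*' -> 0."""
    port = endpoint.rpartition(":")[2]
    return int(port) if port.isdigit() else 0


def parse_netstat(text: str) -> List[Socket]:
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        # TCP rows: proto local foreign state pid; UDP rows have no state column.
        state = parts[3] if len(parts) == 5 else ""
        sockets.append(Socket(parts[0], port_of(parts[1]), parts[2], state, int(parts[-1])))
    return sockets


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist` rows (header and ruler lines do not match)."""
    return {int(m.group(2)): m.group(1)
            for m in re.finditer(r"^(\S+)\s+(\d+)\s", text, re.MULTILINE)}


def triage(sockets: List[Socket], procs: Dict[int, str], baseline=BASELINE_IMAGES) -> List[str]:
    findings = []
    for s in sockets:
        image = procs.get(s.pid, "<unknown>")
        listening = s.proto == "UDP" or s.state == "LISTENING"
        if listening and s.local_port in KNOWN_RAT_PORTS:
            findings.append(f"{image} (PID {s.pid}) listens on {s.proto}/{s.local_port}: "
                            f"default port of {KNOWN_RAT_PORTS[s.local_port]}")
        elif listening and image not in baseline:
            findings.append(f"{image} (PID {s.pid}) listens on {s.proto}/{s.local_port}: not in baseline")
        elif s.state == "ESTABLISHED" and image not in baseline:
            findings.append(f"{image} (PID {s.pid}) connected to {s.remote}: not in baseline")
    return findings


def run_sample() -> List[str]:
    return triage(parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed sample the script reports three findings, all for PID 3120: a TCP listener on NetBus's default port 12345, a UDP listener on Back Orifice's 31337, and an established connection to 203.0.113.9:6667 from a process that is not in the baseline. On a live host, replace the two sample strings with the captured output of the commands and build the baseline from a known-clean image of the same build.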
... detects and removes new hijacks.

HijackThis: Screenshot

Step 4: Check Whether Anti-Virus and Anti-Trojan Programs Are Working
Scan the system for different viruses, worms, and Trojans.
Check whether the anti-virus and anti-Trojan programs are working or not.

Anti-Trojans
• Trojan Guard
• Trojan Hunter
• ZoneAlarm for Win98 and up
• WinPatrol for all Windows versions
• LeakTest
• Kerio Personal Firewall
• Sub-Net
• TAVScan
• SpyBot Search & Destroy
• Anti Trojan Cleaner
• Comodo BOClean
• Trojan Remover: XoftspySE
• Trojan Remover: Spyware Doctor

Anti-Virus Software
• Panda Antivirus
• AMacro Antivirus
• BitDefender Professional Plus 8
• Cyberscrub Antivirus
• Mdaemon AVG Antivirus
• Norton Antivirus
• F-Secure Anti-Virus
• Kaspersky Anti-Virus
• AntiVir Personal Edition
• Bootminder
• McAfee SecurityCenter
• CA Anti-Virus
• avast! Virus Cleaner

Step 5: Detection of a Boot-Sector Virus
Boot-sector viruses spread to computer systems by booting, or attempting to boot, from an infected floppy disk.
Open an MS-DOS prompt and run the CHKDSK command.
On a system whose full 640 KB of conventional memory is available, CHKDSK reports:
• 655,360 total bytes memory
If a boot-sector virus is resident in memory, CHKDSK reports less, for example:
• 653,312 total bytes memory
The 2,048-byte difference is the block the virus has reserved for itself at the top of conventional memory. A reduced figure can also have a legitimate cause (for example a BIOS that reserves an extended BIOS data area), so confirm the finding with a scanner before concluding that the system is infected.

Spyware Detectors
• Ad-Aware
• Spybot Search & Destroy

Summary
• A Trojan horse is a program in which malicious or harmful code is enclosed within harmless programming or data in such a way that it can gain control and cause its chosen form of damage.
• A virus is a self-replicating program that propagates its own code by attaching copies of itself to other executable code.
• Process Viewer, What's on my computer, and HijackThis are some of the scanning tools.
• Check that automatic updates are turned on.
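Step 4 tells the tester to check that the anti-virus and anti-Trojan programs are working, but the module does not say how to check without real malware. The script below is an added example, not code from the EC-Council module: it writes the EICAR standard anti-virus test file, a harmless 68-byte string that every mainstream scanner is expected to detect, waits for the on-access scanner to act, and then reports whether the file was removed, altered or blocked (scanner reacted) or left intact (scanner absent, disabled, or not covering that directory). The file name `eicar.com`, the wait time and the verdict wording are this example's own choices. Two caveats: an on-demand-only scanner will not react until you trigger a manual scan of the directory, and a scanner that only watches downloads or mail will ignore a file written to a temp directory, so write the test file where you actually expect protection.

```python
"""Step 4 check: does the resident anti-virus react to the EICAR test file?

Added example, not part of the EC-Council module. The EICAR string is the
industry-standard, harmless anti-virus test file; a scanner that leaves it
untouched is not working, or is not watching the directory it was written to.
"""
import tempfile
import time
from pathlib import Path
from typing import Dict

# The 68-byte EICAR standard anti-virus test string, assembled from two halves
# so that this source file is not itself flagged when it sits on disk.
EICAR_TEST_STRING = r"X5O!P%@AP[4\PZX54(P^)7CC)7}" + "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes() -> bytes:
    return EICAR_TEST_STRING.encode("ascii")


def verdict(still_present: bool, intact: bool) -> str:
    """Interpret what happened to the test file after the scanner had time to act."""
    if not still_present:
        return "anti-virus reacted: test file removed or quarantined"
    if not intact:
        return "anti-virus reacted: test file altered or access blocked"
    return "no reaction: anti-virus not running, disabled, or not scanning this directory"


def check_av(directory: Path, wait_seconds: float = 5.0) -> Dict[str, object]:
    """Write the EICAR file (name chosen here: eicar.com), wait, then inspect it."""
    path = directory / "eicar.com"
    path.write_bytes(eicar_bytes())
    time.sleep(wait_seconds)  # give the on-access scanner time to quarantine or block
    still_present = path.exists()
    intact = False
    if still_present:
        try:
            intact = path.read_bytes() == eicar_bytes()
        except OSError:  # scanner may deny reads of a detected file
            intact = False
    return {
        "path": str(path),
        "still_present": still_present,
        "intact": intact,
        "verdict": verdict(still_present, intact),
    }


if __name__ == "__main__":
    # A fresh temp directory is used here; point it at the directory you expect to be protected.
    result = check_av(Path(tempfile.mkdtemp()))
    print(result["verdict"])
```

Run it once per host and once per directory class that matters to you (user profile, download folder, a network share); a "no reaction" verdict on a host that is supposed to have real-time protection is itself a finding for the report.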