LPTv4 module 34 virus and trojan detection

ECSA/LPT
EC-Council Module XXXIV
Virus and Trojan Detection
Penetration Testing Roadmap

Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Internal Network Penetration Testing
• Router and Switches Penetration Testing
• Firewall Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Social Engineering Penetration Testing
• Application Penetration Testing
Cont'd

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Penetration Testing Roadmap (cont'd)

• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication And Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
End Here
Steps for Detecting Trojans and Viruses

1. Use netstat -a to detect Trojans' connections
2. Check Windows Task Manager
3. Check whether scanning programs are enabled
4. Check whether anti-virus and anti-Trojan programs are working
5. Detection of a boot-sector virus
Step 1: Use netstat -a to Detect Trojans' Connections

Most remote access Trojans use TCP or UDP sockets.
Generally, Trojans use a default port for execution.
A simple netstat -a can reveal Trojan connections.
Go to the command prompt and type netstat -a.
Netstat: Screenshot
Step 2: Check Windows Task Manager

Windows Task Manager provides advanced information about programs and processes running on the computer.
It displays standard information, including applications, processes, networking, and users on the system.
Windows Task Manager: Screenshot
Step 3: Check Whether Scanning Programs are Enabled

Check whether scanning programs are enabled or not.
Use different scanning tools, and check whether they detect the Trojans and viruses on the system.

Step 3.1: Scan for suspicious running processes
Step 3.2: Scan for suspicious registry entries
Step 3.3: Check for suspicious open ports
Step 3.4: Scan for suspicious network activities
Step 3.5: Use the HijackThis tool to scan for spyware
Step 3.1: Perform Scanning for Suspicious Running Processes

Scan the system for suspicious running processes.
Use the following scanning tools:
• Process Viewer
• What's on my computer
Step 3.2: Perform Scanning for Suspicious Registry Entries

The registry shows the different applications on the system.
Check the registry for unknown .exe files.
Use the following scanning tools:
• RegScanner
• MSConfig
Step 3.3: Check for Suspicious Open Ports

Scan for suspicious open ports using tools, such as:
• Netstat
• Fport
• TCPView
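Step 1 and Step 3.3 both come down to reading netstat -a output against what the host is expected to have open. As an added example that is not part of the original module, this Python script parses a constructed Windows netstat -a listing and flags listeners outside an assumed per-host baseline plus established sessions to uncommon remote ports; the sample sockets, the baseline and the "common outbound ports" set are all assumptions.

```python
import re

# Constructed sample of Windows "netstat -a" output (not taken from the original slides).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     203.0.113.7:5555       ESTABLISHED
  TCP    192.168.1.20:49713     203.0.113.9:443        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Assumed per-host baseline: the (protocol, port) pairs this machine is expected to listen on.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 137)}
# Assumed set of outbound ports treated as ordinary; anything else gets a second look.
COMMON_OUTBOUND = {80, 443}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\w+)?\s*$")

def parse_netstat(text):
    """Return (proto, local_port, foreign_addr, foreign_port, state) per socket line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, _laddr, lport, faddr, fport, state = m.groups()
            rows.append((proto, int(lport), faddr, fport, state or ""))
    return rows

def find_suspicious(rows, expected=EXPECTED_LISTENERS):
    """Compare sockets against the baseline. UDP lines carry no state, so an open
    UDP socket counts as a listener. This is a triage heuristic, not a verdict."""
    findings = []
    for proto, lport, faddr, fport, state in rows:
        is_listener = state == "LISTENING" or (proto == "UDP" and fport == "*")
        if is_listener and (proto, lport) not in expected:
            findings.append(f"unexpected {proto} listener on port {lport}")
        elif state == "ESTABLISHED" and int(fport) not in COMMON_OUTBOUND:
            findings.append(f"session to {faddr}:{fport} on an uncommon port")
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print(finding)
```

On a real host, pipe the output of netstat -a (or netstat -ano, which adds the owning process id) into parse_netstat and maintain the baseline per machine role.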
Step 3.4: Check Whether Suspicious Network Activities are Present

Scan the system for suspicious network activities.
Use the following scanning tools:
• Ethereal
• Nessus
• Nmap
Step 3.5: Use HijackThis to Scan for Spyware

HijackThis continuously detects and removes new hijacks.

HijackThis: Screenshot
Step 4: Check Whether Anti-Virus and Anti-Trojan Programs are Working

Scan the system for different viruses, worms, and Trojans.
Check whether anti-virus and anti-Trojan programs are working or not.
Step 5: Detection of a Boot-Sector Virus

Boot-sector viruses are spread to computer systems by booting, or attempting to boot, from an infected floppy disk.
Open MS-DOS and run the CHKDSK command.
If your system is using 640K of memory for the BIOS, CHKDSK will report:
• 655,360 total bytes of memory.
If the system is infected with a boot-sector virus, CHKDSK will report:
• 653,312 total bytes of memory.
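The slide's two figures differ by 2,048 bytes, which is the memory a resident boot-sector virus reserves by lowering the BIOS memory count so DOS never overwrites it. As an added example that is not part of the module, this Python check reads that line out of CHKDSK output and reports the shortfall; the CHKDSK fragments are constructed around the slide's numbers, and the rule that an exactly 1K shortfall may be a BIOS extended data area is a caveat added here.

```python
import re

CONVENTIONAL_MEMORY = 640 * 1024  # 655,360 bytes: what CHKDSK reports on a clean 640K machine

# Constructed CHKDSK output fragments; the "total bytes of memory" figures are the slide's values.
CLEAN_OUTPUT = """
   655,360 total bytes of memory
   598,784 bytes free
"""
INFECTED_OUTPUT = """
   653,312 total bytes of memory
   596,736 bytes free
"""

MEM_RE = re.compile(r"([\d,]+)\s+total bytes of memory")

def total_memory(chkdsk_text):
    """Pull the 'total bytes of memory' figure out of CHKDSK output."""
    m = MEM_RE.search(chkdsk_text)
    if m is None:
        raise ValueError("no 'total bytes of memory' line in CHKDSK output")
    return int(m.group(1).replace(",", ""))

def check_boot_sector(chkdsk_text):
    """Return (bytes missing below 640K, verdict). A resident boot-sector virus
    lowers the BIOS memory count so the block it occupies at the top of
    conventional memory is never handed to DOS. Some BIOSes legitimately keep
    a 1K extended data area there, so that exact shortfall is only a maybe."""
    missing = CONVENTIONAL_MEMORY - total_memory(chkdsk_text)
    if missing <= 0:
        return 0, "full 640K reported: no resident boot-sector virus indicated"
    if missing == 1024:
        return missing, "1K short: possibly a BIOS extended data area, confirm before concluding"
    return missing, f"{missing // 1024}K missing from conventional memory: suspect a boot-sector virus"

if __name__ == "__main__":
    print(check_boot_sector(CLEAN_OUTPUT))
    print(check_boot_sector(INFECTED_OUTPUT))
```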
Spyware Detectors

• Ad-Aware
• Spybot Search & Destroy
• Pest Patrol
• McAfee Anti-Spyware
• Spyware Guard
• SpyCop
• Spyware Terminator
• XoftSpySE
• SPYWAREfighter
Anti-Trojans

• Trojan Guard
• Trojan Hunter
• ZoneAlarm for Win98 & up
• WinPatrol for WinAll
• LeakTest
• Kerio Personal Firewall
• Sub-Net
• TAVScan
• SpyBot Search & Destroy
• Anti Trojan
• Cleaner
• Comodo BOClean
• Trojan Remover: XoftSpySE
• Trojan Remover: Spyware Doctor
Anti-Virus Software

• Panda Antivirus
• AMacro Antivirus
• BitDefender Professional Plus 8
• Cyberscrub Antivirus
• Mdaemon
• AVG Antivirus
• Norton Antivirus
• F-Secure Anti-Virus
• Kaspersky Anti-Virus
• AntiVir Personal Edition
• Bootminder
• McAfee SecurityCenter
• CA Anti-Virus
• avast! Virus Cleaner
Summary

A Trojan horse is a program in which malicious or harmful code is enclosed within harmless programming or data in such a way that it can gain control and cause its chosen form of damage.
A virus is a self-replicating program that produces its own code by attaching copies of itself into other executable codes.
Process Viewer, What's on my computer, and HijackThis are some scanning tools.
Check that automatic updates are turned on.