Indicators of a Trojan infection can include excessive traffic. Lisa Bock evaluates evidence of the Exploiter Trojan in a packet capture in Wireshark to see suspicious port usage.
- [Narrator] A Trojan can perform simple annoyances, steal data, or destroy all objects in its path. Trojans are good at concealing their existence. You may not know that a Trojan is in your system. However, let's take a look in Wireshark at a suspicious capture. I've opened up Wireshark, and you see that the capture's called Unusual Traffic. Now, I asked the client what his complaint was, and basically it was that he had a lot of traffic for a small network.
Generally, when I look at a packet capture, I ask what the chief complaint is, and to tell me a little bit about the network. Once it's in Wireshark, what I've done is increase the font so you can see it a little bit better, and then I'll go into View. I'll take off the packet bytes, so you have a little bit more landscape. Then I'll go to View, and change the time display format. Wireshark will default to Seconds Since Beginning of Capture, but I want to set it to Seconds Since Previously Captured Packet.
That will give me an idea of any delays or latency issues. I don't really see anything that jumps out at me, but when I do take a look, one of the things I'm going to do is look at the smoking gun. That is, go to Statistics, and Conversations. What I'm going to look at are the ports. When I go into this, we can see that there's Ethernet, there's UDP, IP version four, and IP version six.
We'll go into TCP, and in this tab here you can see that there are a couple of things I can do. I can sort, for example, by Bytes. I can sort, and see the top talkers. Let's go over here to Port, and then I can take a little look at the port numbers. Once I look at those ports, I will go through them and identify some things that I might feel are of concern. One of the things is that there are gaming ports that have been used. That isn't unusual, but let's close this.
What I did identify is that packet 1408 is using port 1703. Let's go to that, and I go to packet 1408. I'm at packet 1408. There is your Destination Port: 1703. Not really sure what that's going to be used for, and why is it using 1703? What is port 1703 used for? There are other indicators that there's something wrong with this capture, but I'm just going to show you that if I go to this website, SpeedGuide, port 1703.
I do see that it is associated with Trojan Exploiter. Running some more tests, they were able to determine that there was an infection, and we're really not sure if it was only Exploiter, or whether there was anything else. What I did was, once you get this information, go back in here, and we can add a little comment. First of all, I can right click and mark the packet, so we know that it is one of interest. Then I'll go into Statistics, and then go into the Capture File Properties, and here I can put some comments.
I put in the comments that the client complained and said he has lots of traffic. We see gaming ports all over the place. Packet 1408 is using port 1703, which is associated with the Exploiter Trojan. The client scanned it, and found an infection. We save the comments, and close it. That way it can be sent to the client, so they can take a look at it. As you can see, it's not easy to find a Trojan, but there are indications that there might be one on your system.
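The triage the narrator walks through (switch the time column to seconds since the previous packet, open Statistics > Conversations, sort by bytes, then check the ports in use against a known-association list) can be scripted over an exported packet list. The following is an added example, not code from the course or from Wireshark; the packet lines are constructed, the IP addresses are documentation ranges, and the only port association used is the one the video cites (1703 to Exploiter, from SpeedGuide).

```python
from collections import defaultdict

# Constructed sample, not the capture from the video: one outbound TCP packet per line,
# formatted as frame,time_since_start_s,src_ip,dst_ip,dst_port,frame_bytes
SAMPLE_PACKETS = """\
1405,10.000,192.0.2.10,198.51.100.20,443,1200
1406,10.004,192.0.2.10,198.51.100.20,443,60
1407,10.900,192.0.2.10,192.0.2.1,53,80
1408,11.250,192.0.2.10,203.0.113.77,1703,512
1409,11.251,192.0.2.10,203.0.113.77,1703,1460
1410,11.260,192.0.2.10,203.0.113.77,1703,1460
"""

# Port association taken from the video (SpeedGuide lookup of port 1703).
PORT_WATCHLIST = {1703: "Exploiter Trojan"}


def parse_packets(text):
    """Parse the lines and compute the 'Seconds Since Previously Captured Packet'
    delta that the video switches the Wireshark time display to."""
    packets, previous = [], None
    for line in text.strip().splitlines():
        frame, t, src, dst, dport, size = line.split(",")
        t = float(t)
        delta = 0.0 if previous is None else round(t - previous, 3)
        packets.append({"frame": int(frame), "delta": delta, "src": src,
                        "dst": dst, "dport": int(dport), "bytes": int(size)})
        previous = t
    return packets


def slowest_gap(packets):
    """Largest inter-packet delay, the latency check the new time column enables."""
    return max(packets, key=lambda p: p["delta"])


def conversations(packets):
    """Aggregate like Statistics > Conversations (TCP tab), largest byte count first
    so the top talkers come out on top. Keyed by (src, dst, destination port)."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = (p["src"], p["dst"], p["dport"])
        totals[key]["packets"] += 1
        totals[key]["bytes"] += p["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


def flag_packets(packets, watchlist):
    """Frames whose destination port has a known association, for marking and commenting."""
    return [(p["frame"], p["dport"], watchlist[p["dport"]])
            for p in packets if p["dport"] in watchlist]
```

A port match is a lead to confirm with a host scan, as the video does, not proof of infection on its own.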
Join cybersecurity expert Lisa Bock in this course as she explains how to identify vulnerabilities in your system, and how to then take countermeasures to prevent unwanted access. Lisa explains how hackers can use a Trojan to penetrate a network and lists the methods and tools that they use. She follows up by sharing how you can perform ethical hacking of your own system to detect areas of susceptibility, so you can address the flaws and defend against attacks. She also discusses rootkits, SSDP amplification attacks, ICMP, and more.
Note: Learning about ethical hacking for Trojans and backdoors is part of the Malware competency from the Certified Ethical Hacker (CEH) body of knowledge.
- Identifying and removing Trojans
- Defending against Trojans
- Blended threats
- SSDP amplification attack
- Disguising FTP, HTTP, and ping
- Using ICMP
- Detecting, removing, and avoiding rootkits