Trojan Detection



  • What are all of your tips and advice for detecting Trojans in a somewhat fast manner? Trojans can be specifically difficult to detect because they masquerade as legit files. This allows for false negatives when performing manual analysis in a cursory or brief manner. However, Trojans are also a pretty common type of malware.



  • Trojans in that sense are actually not that common. The problem is rather that the term has been diluted, as it is mostly used synonymous with malware without necessarily meaning that specific malware type that comes with a legit programme.

    It is indeed hard to find malicious code in trojanized versions of legit programmes as these are often huge and it is not feasible to look at all of their code.
    It helps a great deal to use binary and code comparison tools and then compare the sample with the actual programme provided by the vendor. If you suspect the vendor to be compromised and provide infectious versions of their product, it may help to compare to previous versions of their product.

    You may also have luck to observe malicious behaviour by executing and monitoring the sample, which will in turn provide clues where to look for the malicious code. But of course it means nothing if the sample behaves well.

    Some trojanized versions just modify or use a different installer for the programme. E.g., there are remote access tool installers that will install the legit programme in a way that is not legit. This is easy to find in the install script or code.

    If you are lucky, you will find the malicious code fast, but excluding maliciousness in a fast way for big applications is not possible.


  • administrators

    Oh yeah malicious code in big applications is rough :( I think it is definitely a weakness but luckily they are so big that they are not often used for major malware campaigns it seems due to the inability to easily transfer them… Except for maybe pirated software.



  • @wunderbar said in Trojan Detection:

    Trojans can be specifically difficult to detect because they masquerade as legit files

    If what you are asking is how do you detect a malicious file that has replaced a legit file, a great way to do that is to build a baseline of file hashes of your known legit files (e.g. use a Powershell commandlet like Get-FileHash run against a fresh install). Save that baseline of known legit file hashes, then when you have a pc you think is infected , compare its file hashes to your baseline and you should be able to detect any files that have been tampered with.



  • Mm, yeh some times we can find hard way to detect but, i think the best way it’s using WireShark, because any trojan or any botnet has a IRC server or C&C then it’s must be connect with them and you looking to any suspicious request in your network then find where any data send or if it encrypted i ask the god to be with you :smiley:


Log in to reply
 

Looks like your connection to Malware Analysis Forums was lost, please wait while we try to reconnect.