
Detecting Trojan and Worm with Capsa Network Analyzer

Trojans and worms are two major threats to network security. Do you know what exactly a Trojan horse is? According to Wikipedia, Trojan horses are designed to allow a hacker remote access to a target computer system. Once a Trojan horse has been installed on a target computer system, it is possible for a hacker to access it remotely and perform various operations.

Almost all Trojans and worms need network access, because they have to send data out to the hacker; only once the useful data have been sent to the attacker has the Trojan accomplished its mission. So it is a good approach to start from traffic analysis and protocol analysis. We are going to detect Trojan horses and worms with the help of a network analyzer, Colasoft Capsa. Capsa is an easy-to-use and intuitive network analyzer, which provides enough information to help check whether there is any Trojan activity in our network. In this article I'm going to show you how to spot a Trojan or worm.

Five solutions to find traces of a Trojan or worm on a LAN:

Solution 1: The Summary Tab

[Screenshot 1: Summary tab]
Concentrate on the TCP packet summary. We should be alerted when the TCP SYN Sent number is much larger than the TCP SYN ACK Sent number; generally the ratio of these two numbers is approximately 1:1. Trojans and worms always send a large number of TCP SYN packets into the network and try to establish connections with other machines. Once a connection is established, they try to penetrate the target machine.

Solution 2: IP Endpoint Tab

[Screenshot 2: IP Endpoint tab]
We can reorder the rows by clicking the column headers Packet Sent, Packet Received or IP Conversation. Pay attention to the nodes with large statistics. They might, however, simply be BitTorrent downloads; but Trojans and worms definitely send out a large amount of packets.
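The two checks above, the SYN versus SYN-ACK ratio from Solution 1 and the top-sender ranking from Solution 2, can be reproduced outside the GUI over exported packet records. The following is an added example written for this article, not Colasoft's code; the packet list is constructed, and the thresholds (20 SYNs minimum, at most 25% answered) are assumptions chosen for the sample, not Capsa settings.

```python
from collections import defaultdict

# Constructed packet summary: one (src, dst, tcp_flags) tuple per packet.
# 10.0.0.5 behaves like a scanning worm (40 SYNs out, 2 SYN-ACKs back);
# 10.0.0.7 is a normal client whose single SYN is answered.
SAMPLE_PACKETS = (
    [("10.0.0.7", "93.184.216.34", "SYN"),
     ("93.184.216.34", "10.0.0.7", "SYN-ACK"),
     ("10.0.0.7", "93.184.216.34", "ACK")]
    + [("10.0.0.5", f"10.0.1.{i}", "SYN") for i in range(1, 41)]
    + [("10.0.1.3", "10.0.0.5", "SYN-ACK"),
       ("10.0.1.9", "10.0.0.5", "SYN-ACK")]
)


def syn_stats(packets):
    """Per host: (SYNs it sent, SYN-ACKs it received in reply)."""
    sent = defaultdict(int)
    acked = defaultdict(int)
    for src, dst, flags in packets:
        if flags == "SYN":
            sent[src] += 1
        elif flags == "SYN-ACK":
            # A SYN-ACK travels back to the host that sent the SYN.
            acked[dst] += 1
    return {host: (sent[host], acked[host]) for host in sent}


def suspicious_syn_senders(packets, min_syns=20, max_answer_ratio=0.25):
    """Hosts whose SYN-ACK/SYN ratio is far below the ~1:1 of normal clients.

    The thresholds are assumptions for this example, not Capsa settings.
    """
    flagged = []
    for host, (syns, synacks) in syn_stats(packets).items():
        if syns >= min_syns and synacks / syns <= max_answer_ratio:
            flagged.append((host, syns, synacks))
    return flagged


def top_senders(packets, n=3):
    """Rank hosts by packets sent, as the IP Endpoint tab does when sorted."""
    counts = defaultdict(int)
    for src, _dst, _flags in packets:
        counts[src] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for host, syns, synacks in suspicious_syn_senders(SAMPLE_PACKETS):
        print(f"{host}: {syns} SYN sent, only {synacks} SYN-ACK received")
    print("top senders:", top_senders(SAMPLE_PACKETS))
```

The ratio check and the sender ranking are kept separate on purpose: a BitTorrent client also tops the sender list, but its SYNs are mostly answered, so only a host that scores on both is worth pulling up in the Node Explorer first.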

Solution 3: The Log Tab

[Screenshot 3: Log tab]
Focus on the DNS Log. We can make a list of the target websites of Trojan horses by searching Google; for example, websites like *****.3322.org. Furthermore, we can save the DNS log and analyze it using filters on the Trojans' keywords.

Solution 4: Using Filters

[Screenshot 4: Filter settings]
Build filter rules with the patterns of some known Trojans and worms. As soon as they send a packet out, we will see those Trojans' and worms' activities. This method has the drawback that it does nothing against a new, unknown Trojan or worm.
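Solutions 3 and 4 are the same idea applied to the saved DNS log: a list of known Trojan domains turned into a filter. The following added example (written for this article, not Colasoft's code) does that over a constructed DNS log. The only suffix taken from the article is 3322.org; badhost.invalid is a constructed placeholder for whatever else a search turns up, and the four-column log layout is an assumption, since Capsa's exported DNS log has its own columns.

```python
import re

# Constructed DNS log: "date time client query" per line. Assumption: Capsa's
# exported DNS log has different columns; adapt parse_dns_log() to them.
SAMPLE_DNS_LOG = """\
2010-05-04 10:01:12 10.0.0.7 www.example.com
2010-05-04 10:01:15 10.0.0.5 abc123.3322.org
2010-05-04 10:01:16 10.0.0.5 update.example.com
2010-05-04 10:02:03 10.0.0.9 c2.badhost.invalid
2010-05-04 10:02:40 10.0.0.5 unknown-c2.example.net
"""

# Watch list: the 3322.org suffix is the one named in the article; badhost.invalid
# is a constructed placeholder standing in for other domains a search turns up.
WATCH_SUFFIXES = ["3322.org", "badhost.invalid"]


def parse_dns_log(text):
    """Yield (timestamp, client, query) per well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        date, time, client, query = parts
        yield f"{date} {time}", client, query.rstrip(".").lower()


def compile_filter(suffixes):
    """One regex matching a query that is, or sits under, any watched domain.

    The (?:^|\\.) prefix stops 'not3322.org' from matching '3322.org'.
    """
    alts = "|".join(re.escape(s.lower()) for s in suffixes)
    return re.compile(rf"(?:^|\.)(?:{alts})$")


def filter_dns_log(text, suffixes):
    """Return the log entries whose query matches the Trojan-domain filter."""
    pattern = compile_filter(suffixes)
    return [entry for entry in parse_dns_log(text) if pattern.search(entry[2])]


if __name__ == "__main__":
    for ts, client, query in filter_dns_log(SAMPLE_DNS_LOG, WATCH_SUFFIXES):
        print(f"{ts} {client} -> {query}")
```

The last sample line, unknown-c2.example.net, is never reported because it is on no list; that is exactly the drawback described above, so a keyword filter is a first pass to be combined with the SYN ratio and conversation checks rather than a complete answer.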

Solution 5: The TCP Conversation Tab & UDP Conversation Tab

[Screenshot 5: TCP Conversation tab]
[Screenshot 6: UDP Conversation tab]
When Trojan or worm activities are found in our network, we can locate the machine's IP address in the Node Explorer and then check its TCP Conversations or UDP Conversations. In the TCP Conversation tab, we can read the reconstructed data of the communication in the Data Flow sub-tab (the UDP Conversation tab has a Data sub-tab instead). Attention has to be paid if the conversation is sending out your system information.

Above are the featured tabs of the Capsa network analyzer that we often use to detect network problems or bottlenecks. Moreover, we can spend some time studying which ports Trojans and worms like to use, such as Executor:80 and Ultors Trojan:1234. Then, when we troubleshoot the network and make the analysis, we should pay attention to nodes sending or receiving packets to and from these ports as well.
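Solution 5 and the port list above come together when reviewing a suspect machine's conversations: check the remote port against the known Trojan ports, and read the reconstructed data flow for your own system information. The following is an added example for this article, not Colasoft's code. The conversation records, the hostname and user name used as markers, and the severity scheme are all constructed; the two ports and their names are the ones quoted in the text.

```python
# Constructed conversation records as (local_host, remote_host, remote_port,
# reconstructed_data), the fields read off the TCP/UDP Conversation tabs.
SAMPLE_CONVERSATIONS = [
    ("10.0.0.7", "93.184.216.34", 443, "<TLS handshake bytes>"),
    ("10.0.0.7", "93.184.216.34", 80,
     "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.5", "198.51.100.23", 1234,
     "HOST=WORKSTATION-01;USER=jdoe;OS=Windows;IP=10.0.0.5\n"),
]

# Port list from the article (Executor:80, Ultors Trojan:1234). Port 80 is also
# ordinary HTTP, so a port hit alone is a weak signal and is labelled as such.
TROJAN_PORTS = {80: "Executor", 1234: "Ultors Trojan"}
COMMON_SERVICE_PORTS = {80, 443, 53}

# System identifiers of the monitored machine (constructed). A conversation
# carrying these in its data flow is sending your system information out.
SYSTEM_MARKERS = ["WORKSTATION-01", "jdoe"]


def review_conversation(conv, trojan_ports=TROJAN_PORTS, markers=SYSTEM_MARKERS):
    """Return (severity, reasons) for one conversation; severity None if clean."""
    local, remote, port, data = conv
    reasons = []
    weak_port_hit = False
    if port in trojan_ports:
        weak_port_hit = port in COMMON_SERVICE_PORTS
        note = " (shared with a common service, weak on its own)" if weak_port_hit else ""
        reasons.append(f"remote port {port} is used by {trojan_ports[port]}{note}")
    leaked = [m for m in markers if m in data]
    if leaked:
        reasons.append("data flow contains system information: " + ", ".join(leaked))
    if not reasons:
        return None, []
    if leaked:
        severity = "high"      # system information leaving the host
    elif weak_port_hit:
        severity = "low"       # port shared with normal traffic, nothing else
    else:
        severity = "medium"    # unusual port with no leak seen yet
    return severity, reasons


def review_conversations(conversations):
    """Findings for all conversations that raised at least one reason."""
    findings = []
    for conv in conversations:
        severity, reasons = review_conversation(conv)
        if severity:
            findings.append((conv[0], conv[1], conv[2], severity, reasons))
    return findings


if __name__ == "__main__":
    for local, remote, port, severity, reasons in review_conversations(SAMPLE_CONVERSATIONS):
        print(f"[{severity}] {local} -> {remote}:{port}")
        for r in reasons:
            print("   ", r)
```

Run against the sample, the plain HTTP request on port 80 is reported only as a low-severity port match, while the port 1234 conversation that carries the hostname and user name is the one to act on; ranking this way keeps the port list useful without drowning the analyst in every web request the LAN makes.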

  1. May 4th, 2010 at 04:29 | #1

    great post as usual!

  2. May 4th, 2010 at 23:44 | #2

    What a great resource!

  3. May 15th, 2010 at 20:46 | #3

    Keep posting stuff like this, I really like it.

  4. June 7th, 2010 at 01:57 | #4

    Great information! I’ve been looking for something like this for a while now. Thanks!

  5. June 10th, 2010 at 01:12 | #5

    My cousin recommended this blog and she was totally right keep up the fantastic work!

  6. July 2nd, 2010 at 18:17 | #6

    Great information! I’ve been looking for something like this for a while now. Thanks!

  7. April 24th, 2011 at 20:35 | #7

    I’m one of many Chicago IT consultants. I really like your blog and the way you break down information. Good resource. Thanks.

  8. June 5th, 2011 at 04:36 | #8

    We’ve seen a recent increase in the number of trojans and virus attacks on our computers. Anything we can do to protect ourselves is worth looking at – thx.

  9. August 12th, 2011 at 03:21 | #9

    Shame that these technologies are needed at all, but with the number of unscrupulous people out there trying to hack computers and infect networks, then keep up the good work.
