This page has been robot translated, sorry for typos if any. Original content here.

Catch a spy, or "Where does the computer send mail..."

These days it is hard to find anyone who has not heard the word "Trojan", and there is no shortage of other programs that quietly send data about the user, or data belonging to the user, somewhere. Below I describe how to find out to whom, and what (your passwords, for example), programs of the "Trojan horse" kind are secretly sending.

The way these programs work is that the attacker gains access to the files and folders on the hard drive, can run arbitrary applications on your computer, and can take "snapshots" of the screen. A Trojan consists of two programs: a server and a client. The server runs on the victim's machine and executes the client's commands; the client sits with the attacker, who uses it to control the server. Once it reaches the computer, the program writes itself into autorun and starts invisibly together with the operating system. A Trojan can be downloaded from the Internet together with a harmless program, i.e. it is glued onto it. Trojans are very simple: the victim has to be made to run the server part of the program (on a local network you could walk over and run it yourself :) ), then the victim's IP address is entered in the client part and "connect" is clicked.....

Protection: use up-to-date AVP and DrWeb antivirus and do not run unknown programs (especially ones that arrived by mail), nor programs with the DOS icon (the blue square). A firewall is also an effective means of protection.

How Trojans Send Your Passwords

Like other mail programs, Trojans use the Simple Mail Transfer Protocol (SMTP) to send messages. To send a message, the program connects to an SMTP server and hands the message over, and the interesting thing is that this whole process can be watched with a sniffer. (A sniffer is a program that "picks up" the information of interest transmitted over the network, or from a single machine if it is installed there; that is, you can watch what data your computer sends and receives.) I will use the Network Spy sniffer as the example; in general any sniffer for Windows will do. First Net Spy needs to be configured so that only the information we need is displayed and service packet types such as ARP, ICMP and so on are ignored. To do this, run the program and go to the filter settings: the "Options" menu, and in it "Manage rules..."

I.e. only TCP remains.

When will the Trojan send the passwords? Naturally, when a connection to the Internet is made, and possibly only when a new connection appears and with it new passwords. So we create one more dial-up connection, with the password "Anti-" :) (this is what the "hacker" will receive in the letter from his Trojan). Open the sniffer and start it (by clicking the green arrow), connect to the Internet over the old connection and wait for the Trojan server to start sending our passwords; after about a minute, maybe more, you will see something like:

I.e. NetSpy records everything that is passed to the SMTP server, and now, from the information available, it is no longer difficult to find out who was sent what :) Each line shows one packet: the first column gives the time, the second the IP address of the computer that sent the packet, the third the IP address of the destination. If you go to the "Action" menu and choose "Resolve IP's" there, the IP addresses take their usual host-name form and it becomes clear which SMTP server the program uses to send mail. Then comes the size, and at the end the protocol type is shown; in our case it is SMTP, so it is immediately clear that this is mail being sent, whereas POP3 or IMAP4 would be mail being fetched from the server, and HTTP is self-explanatory.... Now, by double-clicking any line, you can "Decode" that packet: information about it (MAC and IP addresses, from where and to where, protocol type, TTL, size, etc.) and, at the bottom, the transmitted data. Pick the largest packets and look at them (you can move from one to the next with the "forward" and "back" arrows in the window that opens with the decoded packet); in them you will find the header of the letter with the recipient's address, as well as the text of the letter.

If you want to check how this "works" without waiting for a Trojan, use any mail program.

How the Trojan is updated

Besides sending passwords, many Trojans have a "self-update" function: the Trojan downloads a file from the Internet and launches it. If that is the case, the sniffer window will also show packets transmitted over the HTTP protocol (port 80). As in the previous case, save everything to a file and again use text search, this time for the word "GET", after which the requested address is given:
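As an added example (not code from the original article or from the Network Spy program), here is a small Python script that does over a constructed packet capture what the two sections above do by hand in the sniffer window: it reassembles the outbound SMTP session, pulls the recipient from the RCPT TO line, checks whether the decoy dial-up password appears in what was sent, and lists outbound HTTP GET requests, flagging executable downloads of the "self-update" kind. The Packet records, IP addresses, host names and the decoy string are all constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:          # one decoded sniffer line: time, addresses, port, payload
    time: str
    src: str
    dst: str
    dport: int
    payload: bytes

LOCAL_IP = "192.0.2.10"   # the monitored machine (constructed address)
DECOY = b"Anti-"          # decoy dial-up password, as in the text above

# Constructed capture, not real traffic: a normal web fetch, an outbound SMTP
# session carrying the decoy, an EXE download, and a POP3 login (ignored here).
CAPTURE = [
    Packet("12:00:01", LOCAL_IP, "198.51.100.5", 80, b"GET /img/logo.gif HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    Packet("12:00:07", LOCAL_IP, "203.0.113.25", 25, b"MAIL FROM:<victim@example.com>\r\nRCPT TO:<drop@example.net>\r\nDATA\r\n"),
    Packet("12:00:08", LOCAL_IP, "203.0.113.25", 25, b"Subject: report\r\n\r\nDialup: isp user: ivan pass: Anti-\r\n.\r\n"),
    Packet("12:00:20", LOCAL_IP, "198.51.100.9", 80, b"GET /update/srv2.exe HTTP/1.0\r\nHost: files.example.org\r\n\r\n"),
    Packet("12:00:21", LOCAL_IP, "198.51.100.7", 110, b"USER ivan\r\nPASS Anti-\r\n"),
]

RCPT_RE = re.compile(rb"RCPT TO:<([^>]+)>", re.I)
GET_RE = re.compile(rb"^GET (\S+) HTTP/1\.[01]\r\nHost: ([^\r\n]+)", re.I)

def smtp_leaks(packets, decoy=DECOY, local_ip=LOCAL_IP):
    """Reassemble outbound SMTP (port 25) traffic per server and report the
    recipients and whether the decoy password appears in what was sent."""
    sessions = {}
    for p in packets:
        if p.src == local_ip and p.dport == 25:
            sessions[p.dst] = sessions.get(p.dst, b"") + p.payload
    return [{"server": srv, "rcpt": [r.decode() for r in RCPT_RE.findall(data)],
             "decoy_seen": decoy in data} for srv, data in sessions.items()]

def http_downloads(packets, local_ip=LOCAL_IP, suspicious=(".exe", ".dll", ".scr")):
    """List outbound HTTP GETs as (time, url, is_executable); an executable
    fetched right after the connection comes up is the "self-update" pattern."""
    hits = []
    for p in packets:
        m = GET_RE.match(p.payload) if p.src == local_ip and p.dport == 80 else None
        if m:
            url = (b"http://" + m.group(2) + m.group(1)).decode()
            hits.append((p.time, url, url.lower().endswith(suspicious)))
    return hits
```

Running `smtp_leaks(CAPTURE)` names the SMTP server and recipient, and `http_downloads(CAPTURE)` lists both GETs with only the .exe flagged; a real capture would be fed in as Packet records exported from the sniffer.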