This page has been robot translated, sorry for typos if any. Original content here.

We catch the spy or "Where the computer sends mail ..."

Nowadays it is hard to find a person who has not heard the word "trojan", and indeed there are many other programs that quietly send information about the user out from his computer. Below I will describe how to find out to whom, and what (for example, your passwords), programs like the "Trojan horse" quietly send.

The principle of operation of these programs is that an attacker gains access to the files and folders on the hard drive, can launch various applications on your computer and "take pictures" of the screen. A trojan consists of two programs: a server and a client. The server is the program that runs on the victim's machine and executes the client's commands; the attacker has the client, with which he controls the server. Once it gets onto the computer, the program registers itself in autorun and starts invisibly together with the operating system. A trojan can be downloaded from the Internet together with a harmless program, i.e. it is glued to it. Trojans are used very simply: you need to make the victim launch the server program (if you are on the same local network, you can walk up and run it yourself :) ), then enter the victim's IP address in the client part and click connect .....

Protection: use fresh antivirus software (AVP, DrWeb) and do not run unknown programs (especially those that arrived by mail), as well as programs with a DOS icon (the blue square). Another effective security measure is a firewall.

How trojans send your passwords

Like other e-mail programs, trojans use the Simple Mail Transfer Protocol (SMTP): in order to send a letter, the program connects to an SMTP server and hands the letter over to it. The most interesting thing is that this whole process can be tracked with a sniffer. (A sniffer is a program that "catches" the information transmitted on the network, or from a single machine if it is installed on it, i.e. you can monitor what data your computer sends and receives.) I will use the Network Spy sniffer as an example; in general any Windows sniffer will do. First you need to configure Net Spy so that only the information we need is displayed and service packets such as ARP, ICMP ... are ignored. For this, run the program and go to the filter settings: menu "Options", then "Manage rules ...".

I.e. only TCP remains.

When will the trojan send the passwords? Naturally, when connecting to the Internet; possibly only when a new connection appears, and new passwords along with it. So we create one more dial-up connection with the password "Anti-password" :) this is what the "hacker" will receive in the letter from his trojan :). Open the sniffer and start it (by clicking the green arrow), connect to the Internet via the old connection, and wait for the trojan server to start sending our passwords; after about a minute, maybe more, you will see something like the following:

I.e. NetSpy records everything that is transferred to the SMTP server, and now it is no longer difficult to find out, from the information available, to whom and what was sent. :) Each line displays one packet: the first column shows the time, the second the IP address of the computer that sent the packet, and the third the destination IP address. If you go to the "Action" menu and select "Resolve IP's" there, the IP addresses take their usual form and it becomes clear which SMTP server the program uses to send mail. Then comes the size, and the protocol type is indicated at the end; in our case it is SMTP, i.e. it is immediately clear that this is mail being sent, whereas POP3 or IMAP4, for example, would be letters being fetched from the server, and HTTP is obvious ....

Now, by double-clicking on any line, you can "decode" that packet: the upper part shows information about it (MAC and IP addresses, from where and to where it is going, protocol type, TTL, size, etc.) and the lower part the transmitted data. Select the largest packets and look through them (you can move from one packet to the next with the "forward" and "back" arrows in the window with the decoded packet); in them you can find the header of the letter with the recipient's address, as well as the text of the letter.

If you want to check how this "works" without waiting for a trojan, use any e-mail program.

How the trojan is updated

In addition to sending passwords, many trojans have a "self-update" function: they download a file from the Internet and run it. If that is the case, packets transmitted over the HTTP protocol (port 80) will also appear in the sniffer window. As in the previous case, you need to save everything to a file and then again use text search; this time we need to look for the word "GET", after which the requested address is indicated:
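As an added example (my own code, not the author's and not part of Network Spy), the following Python script replays offline the procedure from this section and the previous one: it drops everything that is not TCP, joins the payload of each connection as if stepping through the decoded packets, then pulls the recipient address and the text of the letter out of an SMTP session and the requested address out of an HTTP "GET". The capture it works on, its IP addresses and host names are constructed placeholders, not real hosts.

```python
"""Added example, not part of the original article: an offline replay of the
sniffer procedure described in the text, on a constructed packet list.

Steps mirrored from the article:
  1. keep only TCP packets (the Net Spy rule that hides ARP, ICMP and the like);
  2. group packets by connection and join their payloads, like stepping through
     the decoded packets one after another;
  3. for SMTP (port 25) pull out the recipient address and the message text;
  4. for HTTP (port 80) look for "GET" and report the requested address.
"""
import re
from collections import defaultdict

# Constructed sample capture (placeholder addresses, not real hosts). Each entry
# is one client-side packet roughly as a sniffer would list it: time, source IP,
# destination IP, protocol and destination port, plus the transmitted data.
SAMPLE_CAPTURE = [
    {"time": "12:00:01", "src": "192.168.0.10", "dst": "192.168.0.1",
     "proto": "arp", "dport": None, "payload": b""},
    {"time": "12:00:01", "src": "192.168.0.10", "dst": "192.168.0.1",
     "proto": "icmp", "dport": None, "payload": b""},
    {"time": "12:00:02", "src": "192.168.0.10", "dst": "203.0.113.25",
     "proto": "tcp", "dport": 25,
     "payload": b"HELO victim-pc\r\nMAIL FROM:<victim@example.invalid>\r\n"},
    {"time": "12:00:02", "src": "192.168.0.10", "dst": "203.0.113.25",
     "proto": "tcp", "dport": 25,
     "payload": b"RCPT TO:<collector@example.invalid>\r\nDATA\r\n"},
    {"time": "12:00:03", "src": "192.168.0.10", "dst": "203.0.113.25",
     "proto": "tcp", "dport": 25,
     "payload": (b"From: victim@example.invalid\r\nTo: collector@example.invalid\r\n"
                 b"Subject: passwords\r\n\r\n"
                 b"Connection: My Provider\r\nLogin: victim\r\nPassword: Anti-password\r\n"
                 b".\r\nQUIT\r\n")},
    {"time": "12:00:10", "src": "192.168.0.10", "dst": "203.0.113.80",
     "proto": "tcp", "dport": 80,
     "payload": b"GET /files/update.exe HTTP/1.0\r\nHost: update.example.invalid\r\n\r\n"},
]


def only_tcp(packets):
    """Step 1: the filter rule from the article; everything that is not TCP is dropped."""
    return [p for p in packets if p["proto"] == "tcp"]


def reassemble_flows(packets):
    """Step 2: join the payloads of each client->server connection in capture order.
    Only the outgoing direction is kept, because that is the direction data leaks in."""
    flows = defaultdict(bytearray)
    for p in packets:
        flows[(p["src"], p["dst"], p["dport"])] += p["payload"]
    return {key: bytes(data) for key, data in flows.items()}


def parse_smtp(payload):
    """Step 3: recipient(s) from RCPT TO, headers and body from the DATA section."""
    text = payload.decode("latin-1")
    recipients = re.findall(r"RCPT TO:\s*<([^>]+)>", text, re.I)
    headers, body = {}, ""
    match = re.search(r"\r\nDATA\r\n(.*?)\r\n\.\r\n", text, re.S)
    if match:
        header_block, _, body = match.group(1).partition("\r\n\r\n")
        for line in header_block.split("\r\n"):
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip()] = value.strip()
    return {"recipients": recipients, "headers": headers, "body": body}


def parse_http(payload):
    """Step 4: every GET request, combined with its Host header into a full address."""
    text = payload.decode("latin-1")
    pattern = r"^GET (\S+) HTTP/\d\.\d\r\n((?:[^\r\n]+\r\n)*)\r\n"
    requests = []
    for match in re.finditer(pattern, text, re.M):
        host = re.search(r"^Host:\s*(\S+)", match.group(2), re.M | re.I)
        prefix = "http://" + host.group(1) if host else ""
        requests.append(prefix + match.group(1))
    return requests


def analyze(packets):
    """Run the whole procedure and return one record per TCP connection."""
    report = []
    for (src, dst, dport), data in reassemble_flows(only_tcp(packets)).items():
        record = {"src": src, "dst": dst, "dport": dport}
        if dport == 25:
            record.update(kind="SMTP", **parse_smtp(data))
        elif dport == 80:
            record.update(kind="HTTP", requests=parse_http(data))
        else:
            record.update(kind="OTHER", size=len(data))
        report.append(record)
    return report


if __name__ == "__main__":
    for record in analyze(SAMPLE_CAPTURE):
        print(record)
```

Running the script prints one record per connection: for the SMTP flow the recipient from RCPT TO together with the letter's headers and text, and for the HTTP flow the address the "GET" asked for. Classifying by destination port is the same shortcut the sniffer takes when it labels a line "smtp" or "HTTP", so a program talking on an unusual port would show up only as "OTHER" and still has to be read by hand.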