
Catching the spy, or "Where does the computer send mail to..."

It is already hard to find anyone who has not heard the word "Trojan", and there are plenty of other programs that quietly send some information about the user (your passwords, for example) without his knowledge. Below I describe how to find out to whom, and what, such "Trojan horse" programs are sending.

These programs work by giving the attacker access to the files and folders on your hard disk, the ability to run arbitrary applications on your computer, and the ability to take screenshots. A Trojan of this kind consists of two programs: a server and a client. The server is the part that runs on the victim's machine and carries out the client's commands; the client stays with the attacker, who uses it to control the server. Once it gets onto a computer, the program registers itself in autorun and starts invisibly together with the operating system. A Trojan can be downloaded from the Internet together with a harmless-looking program, i.e. glued onto it. Using a Trojan is very simple: you have to get the victim to start the server part (if you are on the same local network you can walk over and start it yourself :) ), then enter the victim's IP address in the client part and click "connect"...

Protection: use up-to-date antivirus software (AVP, DrWeb) and do not run unknown programs, especially ones that arrived by mail and especially programs with a DOS icon (the blue square). A firewall is also an effective means of protection: a personal firewall that asks before letting a new program open an outbound connection will show you the Trojan the moment it tries to reach its SMTP server.

How Trojans Send Your Passwords

Like any other mail program, a Trojan uses the Simple Mail Transfer Protocol (SMTP) to send mail: to send a letter the program connects to an SMTP server and hands the letter over. The interesting part is that this whole exchange can be watched with a sniffer. (A sniffer is a program that captures the traffic passing over the network, or the traffic of the single machine it is installed on, i.e. it lets you see exactly what data your computer sends and receives.) I will use the Network Spy sniffer as the example, but any sniffer for Windows will do. First Net Spy has to be configured so that only the information we need is shown and service packets (ARP, ICMP and the like) are ignored. To do that start the program and open the filter settings: the "Options" menu, then "Manage rules...", and set the rules so that only TCP remains.

When will the Trojan send the passwords? Naturally, while connected to the Internet, and possibly only when a new connection appears and with it new passwords. So we create another dial-up connection with a password we choose ourselves; that is exactly what the "hacker" would receive in the letter from his Trojan :) Open the sniffer and start it (click the green arrow), connect to the Internet using the old connection, and wait until the Trojan's server starts sending our passwords. After about a minute, maybe more, you will see something like this:

That is, NetSpy records everything that is sent to the SMTP server, and now it is easy to see to whom and what was sent :) Each captured packet takes one line: the first column is the time, the second is the IP address of the computer that sent the packet, the third is the destination IP address. If you open the "Action" menu and choose "Resolve IP's" there, the IP addresses are replaced by their usual host names and it becomes clear which SMTP server the program uses to send its mail. Next comes the size, and at the end the protocol; in our case that is SMTP, so it is immediately obvious that mail is being sent (POP3 or IMAP4 would mean mail being fetched from the server, and HTTP is self-explanatory...). Double-clicking any line "decodes" that packet: the upper part shows everything about it (the source and destination MAC and IP addresses, protocol type, TTL, size and so on), the lower part shows the data it carries. Pick the largest packets and look through them (you can move from one packet to the next with the "forward" and "back" arrows in the window that opened); they contain the message header with the recipient's address and the text of the letter itself.

If you want to check how this "works" without waiting for a Trojan, send a letter with any mail program and watch the same exchange in the sniffer.

How the Trojan updates itself

Besides sending passwords, many Trojans have a "self-update" function: the Trojan downloads a file from the Internet and runs it. If it does, the sniffer window shows packets sent over HTTP (port 80). As in the previous case, save everything to a file and search the text, this time for the word "GET"; the address of the requested file follows it.
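The same procedure done in code rather than by eye in the sniffer window: keep only TCP, join what the infected machine sent to the SMTP server, pull the envelope and the letter out of the DATA phase, and for the self-update rebuild the URL from the GET request. This is an added example, not code from the original article and not part of Network Spy; the capture below is a constructed list of packets (the IP addresses, mail addresses and the password are made up), and the stream reassembly simply joins payloads in capture order, which is enough for a small capture but not a substitute for proper TCP reassembly.

```python
import re
from email import message_from_string

# Constructed sample capture (made up for this example, not a real sniffer dump).
# One tuple per packet: (time, source IP, destination IP, protocol, destination port, TCP payload).
# 10.0.0.5 is the infected machine, 192.0.2.25 the SMTP server the Trojan uses,
# 198.51.100.7 the web server it fetches its update from.
PACKETS = [
    ("12:00:01", "10.0.0.5", "10.0.0.1", "ARP", None, b""),
    ("12:00:02", "10.0.0.5", "192.0.2.25", "TCP", 25, b""),  # SYN, no data yet
    ("12:00:02", "192.0.2.25", "10.0.0.5", "TCP", 1037, b"220 mail.example.net ESMTP\r\n"),
    ("12:00:03", "10.0.0.5", "192.0.2.25", "TCP", 25,
     b"HELO victim\r\nMAIL FROM:<victim@example.org>\r\n"),
    ("12:00:03", "192.0.2.25", "10.0.0.5", "TCP", 1037, b"250 OK\r\n250 OK\r\n"),
    ("12:00:04", "10.0.0.5", "192.0.2.25", "TCP", 25,
     b"RCPT TO:<drop@example.com>\r\nDATA\r\n"),
    ("12:00:04", "192.0.2.25", "10.0.0.5", "TCP", 1037,
     b"250 OK\r\n354 End data with <CR><LF>.<CR><LF>\r\n"),
    ("12:00:05", "10.0.0.5", "192.0.2.25", "TCP", 25,
     b"From: victim@example.org\r\nTo: drop@example.com\r\nSubject: passwords\r\n\r\n"
     b"Connection: MyISP  Password: secret123\r\n.\r\nQUIT\r\n"),
    ("12:00:06", "10.0.0.5", "198.51.100.7", "TCP", 80,
     b"GET /update/server.exe HTTP/1.0\r\nHost: files.example.net\r\n\r\n"),
    ("12:00:07", "10.0.0.5", "10.0.0.1", "ICMP", None, b""),
]


def tcp_only(packets):
    """The sniffer's filter rule: drop ARP, ICMP and other service traffic."""
    return [p for p in packets if p[3] == "TCP"]


def client_streams(packets, port):
    """Join, in capture order, the data each client sent to the given TCP port.
    Returns {(client_ip, server_ip): bytes}. A real tool would reorder by sequence number."""
    streams = {}
    for _time, src, dst, _proto, dport, payload in tcp_only(packets):
        if dport == port and payload:
            streams[(src, dst)] = streams.get((src, dst), b"") + payload
    return streams


SMTP_FROM = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.M | re.I)
SMTP_RCPT = re.compile(r"^RCPT TO:\s*<([^>]*)>", re.M | re.I)
# The letter itself sits between the DATA command and the lone "." line.
SMTP_DATA = re.compile(r"^DATA\r?\n(.*?)\r?\n\.\r?\n", re.S | re.M)


def parse_smtp_session(stream):
    """Pull the envelope (who it went to) and the letter out of one client->server SMTP stream."""
    text = stream.decode("latin-1")
    mail_from = SMTP_FROM.search(text)
    data = SMTP_DATA.search(text)
    if not data:
        return None  # connection never reached the DATA phase, nothing was sent
    # RFC 5321 dot-stuffing: a body line that began with "." was sent as "..".
    letter = re.sub(r"^\.\.", ".", data.group(1), flags=re.M).replace("\r\n", "\n")
    msg = message_from_string(letter)
    return {
        "mail_from": mail_from.group(1) if mail_from else None,
        "rcpt_to": SMTP_RCPT.findall(text),
        "to": msg.get("To"),
        "subject": msg.get("Subject"),
        "body": msg.get_payload().strip(),
    }


def smtp_sessions(packets, port=25):
    """Every letter visible in the capture, with the client and SMTP server that carried it."""
    found = []
    for (client, server), stream in client_streams(packets, port).items():
        parsed = parse_smtp_session(stream)
        if parsed:
            parsed["client"], parsed["smtp_server"] = client, server
            found.append(parsed)
    return found


HTTP_GET = re.compile(r"^GET\s+(\S+)\s+HTTP/1\.[01]\r?\n(.*?)(?:\r?\n\r?\n|\Z)", re.S | re.M)


def http_requests(packets, port=80):
    """The 'search for GET' step: rebuild the URL of every file the Trojan asked for."""
    urls = []
    for (_client, server), stream in client_streams(packets, port).items():
        for path, headers in HTTP_GET.findall(stream.decode("latin-1")):
            host = re.search(r"^Host:\s*(\S+)", headers, re.M | re.I)
            urls.append("http://%s%s" % (host.group(1) if host else server, path))
    return urls


if __name__ == "__main__":
    for s in smtp_sessions(PACKETS):
        print("%s sent mail via %s to %s (subject %r):"
              % (s["client"], s["smtp_server"], s["rcpt_to"], s["subject"]))
        print(s["body"])
    for url in http_requests(PACKETS):
        print("self-update fetched from", url)
```

With a real capture you would feed the same tuples from a saved sniffer dump or a pcap. Note that this only works because the Trojan spoke plain SMTP on port 25, as everything did in the dial-up era; a client that uses STARTTLS or SMTPS (port 465) shows the sniffer only encrypted data, and you are left with the destination address and the timing of the connection.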