Tag Archives: tcpview

TCPView & AutoRuns vs Undetectable Backdoor

Filed under Downloads, Misc, Personal, Security News
Tagged as , , ,

We’re going to useTCPView to check active network traffic and AutoRuns to check and see what’s loading with Windows.

The user is complaining of system slowness. Upon looking at the workstation I noticed AVG Free Edition, Spybot Search and Destroy installed and Windows Firewall enabled. Pretty standard novice user protection plan. Almost a given this system is infected.

I close Firefox and all open applications. Open TCPView and right off the bat I see outbound traffic to *.CO.UK using Firefox to make the remote connection. This is common in backdoors to use reverse connection methods. Once you execute the backdoor, it binds to a common process (IE, Firefox) and then reverse connects to the attacker. The reason for binding to a common process such as Internet Explorer or Firefox, is the fact that most novice users create rules for their software firewall and select “always allow” for common processes. This way the user isn’t bothered every time they open Firefox with “Do You want to allow firefox.exe access…” This is perfect for the backdoor, you’ve allowed unrestricted access outbound through firefox. Strike 1 for this novice user.


Port 95? Firefox should only be allowed access on port 80 and 443 (HTTP / HTTPS) Now that I know the user is infected, I need to find out what the file is called, where it lives, and why AVG’s superior detection is showing a clean system. I load AutoRuns and check for the suspicious Logon items. Bingo Bango! I see scchost.exe (not to be confused with svchost.exe, which is actually legit in most cases) loading upon reboot and it’s stored safely from novice users in the system32 folder. Now, 100% sure that is the backdoor, I would like AVG to agree, so I attempt to update AVG and check the file, No! AVG insists the file is clean. OK, to the USB drive for MalwareBytes. Sure enough a nice password stealer has been detected. Strike 2 for trusting AVG (signature based detection).


MalwareBytes detected and removed the password stealer, I then put in the KAV rescue disk to scan the system and everything came back clean. In the end, I convinced the user to let me perform a clean install and even teach this user how to properly use Firefox (w/NoScript). Reminding the user that the software firewall is only as good as the user and that the AntiVirus program is only as good as its definitions.

TCPView provided you with the information needed to see you have unauthorized access to a server in the UK. AutoRuns was able to show us the malicious file loading with Windows. The actual detection and removal is up to you and your utilities, however TCPView and AutoRuns gave you the heads up. On the flip side, the backdoor successfully executed and called home on the system. Being that it’s a password stealer, the information it was programmed to gather completed successfully.

I call this one a DRAW. Why? because a backdoor is designed to go unnoticed and AVG let it do just that, but with a few basic programs you can see that your system is not preforming normally. Also, after detecting the backdoor, I installed it on a virtual machine and after about 18 hours of leaving it alone, it downloaded a new executable and maintained a connection to the client. This shows that we caught it early enough on the users computer to detect and remove it before it phoned home for the latest instructions.