Trojan Hiding from Task Manager

TL;DR

Yes, a Trojan can hide its activity from Task Manager using various techniques. This guide explains how and what you can do to detect them.

How Trojans Hide From Task Manager

Task Manager shows running processes, but clever malware tries to avoid detection. Here’s how:

1. Process Hollowing

  1. What it is: A legitimate process (like notepad.exe) is started, and its code is then replaced in memory with the Trojan’s malicious code. Task Manager therefore shows the name of the legitimate process, not the Trojan.
  2. Detection: This is tricky! Look for unusual activity from trusted processes – high CPU usage, network connections you don’t expect, or files being written to strange locations. Process monitoring tools (see section 5) are helpful.

2. DLL Injection

  1. What it is: The Trojan injects its code into another running process as a Dynamic Link Library (DLL). Again, Task Manager sees the legitimate process.
  2. Detection: Check loaded modules for each process in Task Manager’s ‘Details’ tab. Look for DLLs that don’t belong or have suspicious names.

3. Rootkit Techniques

  1. What it is: Rootkits modify the operating system to hide files, processes, and network connections. They can intercept Task Manager’s calls and filter out the Trojan’s information.
  2. Detection: Rootkits are very difficult to detect with standard tools. Specialized rootkit scanners (see section 5) are needed.

4. Running as a Service

  1. What it is: The Trojan installs itself as a Windows service, which runs in the background and isn’t always visible in Task Manager’s ‘Applications’ or ‘Processes’ tabs.
  2. Detection: Open services.msc (type this into the Run dialog – press Win+R). Look for services with generic names or descriptions that seem suspicious.
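The module check from section 2 and the service check from section 4 can be scripted. The PowerShell below is an added example, not code from the original post; it assumes an elevated PowerShell 5.1+ session on Windows 10/11 and treats the Windows and Program Files directories as the expected home for legitimate binaries.

```powershell
# Added example, not part of the original post. Lists loaded DLLs (section 2)
# and service binaries (section 4) that sit outside the standard Windows /
# Program Files directories or lack a valid Authenticode signature.
# Assumes an elevated PowerShell 5.1+ session on Windows 10/11; processes
# that refuse access (protected or system processes) are skipped.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedLocation([string]$Path) {
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SignatureStatus([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    if ($sig) { return [string]$sig.Status } else { return 'Unreadable' }
}

# Section 2: modules loaded into each process that look out of place
$suspectModules = foreach ($proc in Get-Process) {
    try { $mods = $proc.Modules } catch { continue }   # access denied, 32/64-bit mismatch
    foreach ($m in $mods) {
        if (-not $m.FileName) { continue }
        $trusted = Test-TrustedLocation $m.FileName
        $status  = Get-SignatureStatus $m.FileName
        if (-not $trusted -or $status -ne 'Valid') {
            [pscustomobject]@{ Process = $proc.ProcessName; PID = $proc.Id
                               Module = $m.FileName; TrustedDir = $trusted; Signature = $status }
        }
    }
}

# Section 4: services whose executable lives outside the usual locations
$suspectServices = foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    # Recover the bare executable path from a quoted or argument-bearing command line
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
           elseif ($svc.PathName -match '^(\S+\.exe)') { $Matches[1] }
           else { $svc.PathName }
    $trusted = Test-TrustedLocation $exe
    $status  = Get-SignatureStatus $exe
    if (-not $trusted -or $status -ne 'Valid') {
        [pscustomobject]@{ Service = $svc.Name; State = $svc.State
                           Binary = $exe; TrustedDir = $trusted; Signature = $status }
    }
}

$suspectModules  | Sort-Object Process, Module | Format-Table -AutoSize
$suspectServices | Sort-Object Service         | Format-Table -AutoSize
```

The output is a triage list, not a verdict: unsigned third-party software will appear too, so compare it against a run taken on a known-clean machine before investigating individual entries.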

5. Tools to Help Detect Hidden Trojans

6. Checking Resource Monitor

  1. What it is: Provides a more detailed view of CPU, memory, disk and network usage than Task Manager.
  2. How to use: Open Resource Monitor (type resmon into the Run dialog). Look for processes with unusual resource activity that don’t match their name or purpose.

7. Network Monitoring

  1. What it is: See what network connections each process is making.
  2. How to use: Use Resource Monitor (Network tab) or a dedicated network monitoring tool like Wireshark to identify suspicious outbound connections.