Blog | G5 Cyber Security

Trojan Horses & TCPView: Detection Challenges

TL;DR

A Trojan horse can hide its activity from TCPView and similar tools, especially if it uses non-standard techniques like rootkits, process injection, or user-space network stacks. However, several methods can help you detect them, including looking for suspicious parent processes, unusual file access patterns, and using more advanced monitoring tools.

How Trojans Hide from TCPView

TCPView lists the TCP and UDP endpoints recorded in the Windows networking tables (the same tables netstat reads) and maps each one to its owning process. Anything that keeps an endpoint out of those tables, or out of TCPView's view of them, stays off the screen. The techniques named in the TL;DR work as follows:

    • Rootkits: a kernel or user-mode rootkit that hooks the calls TCPView relies on can strip its own endpoints, or its whole process, from the results before TCPView sees them.
    • Process injection: code injected into a trusted process (a browser, svchost.exe) has its connections listed under that process's name. The listing is accurate but attributes the traffic to something you expect to see on the network.
    • User-space network stacks: traffic sent through raw sockets, a packet-capture driver, or a user-mode TCP/IP implementation never creates an entry in the Windows endpoint tables, so there is nothing for TCPView to list.
    • Timing: a connection that opens and closes between two TCPView refreshes (one second by default) is simply never on screen.

Detecting Hidden Trojans

Here’s a step-by-step guide to detecting Trojans that might be evading TCPView:

1. Examine Parent Processes

  1. Open Task Manager: Press Ctrl+Shift+Esc. If necessary, click ‘More details’, then switch to the ‘Details’ tab to see every process with its PID and user name.
  2. Get the parent relationship: Task Manager does not show which process started which (the grouping on the ‘Processes’ tab is by application window, not by parent). Use Process Explorer from Microsoft Sysinternals (https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer), whose default view is the process tree, or query the ParentProcessId property from PowerShell.
  3. Look for unexpected parents and children: svchost.exe is normally started by services.exe, so a svchost.exe whose parent is explorer.exe, cmd.exe or a process that no longer exists deserves a closer look, as does a svchost.exe that itself spawns cmd.exe, powershell.exe or a program from a user-writable directory. In Process Explorer, right-click the process and choose ‘Properties’ to see its image path, command line and parent; in Task Manager, right-click it on the ‘Processes’ tab and select ‘Go to details’ for the PID.

A legitimate process will usually have a clear parent relationship (e.g., svchost.exe spawned by services.exe). Unexpected parents are a red flag.
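The check described above, scripted: this is an added example, not code from the original post. It reads ParentProcessId from Win32_Process (which Task Manager does not display) and flags the common Windows lineages that do not match. The expected-parent table is an illustrative assumption; extend it for your environment.

```powershell
# Added example, not from the original post: list each process with the process
# that started it and flag lineages that break the usual Windows pattern.
# The expected-parent table is an assumption for illustration; extend it as needed.
$expectedParent = @{
    'svchost.exe'  = 'services.exe'
    'services.exe' = 'wininit.exe'
    'lsass.exe'    = 'wininit.exe'
}

# Win32_Process exposes ParentProcessId and CreationDate, neither of which Task Manager shows.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$findings = foreach ($p in $procs) {
    if (-not $expectedParent.ContainsKey($p.Name)) { continue }
    $parent = $byPid[[int]$p.ParentProcessId]
    # A missing parent means it exited (or is hidden). For the names in the table the
    # real parent is long-lived, so "not running" is itself worth investigating.
    $parentName = if ($parent) { $parent.Name } else { '<not running>' }
    # PIDs are reused: a "parent" that started after its child is a reused PID, not the real parent.
    if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parentName = '<pid reused>' }
    if ($parentName -ne $expectedParent[$p.Name]) {
        [pscustomobject]@{
            PID       = $p.ProcessId
            Process   = $p.Name
            Path      = $p.ExecutablePath
            ParentPID = $p.ParentProcessId
            Parent    = $parentName
            Expected  = $expectedParent[$p.Name]
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No unexpected parents found.' }
```

Run it from an elevated PowerShell so ExecutablePath is populated for system processes. A hit on this list is a lead, not a verdict: confirm the image path (svchost.exe belongs in %SystemRoot%\System32) and the command line before acting on it.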

2. Monitor File System Activity

  1. Use Process Monitor: Download and run Process Monitor from Microsoft Sysinternals (https://learn.microsoft.com/en-us/sysinternals/downloads/processmonitor).
  2. Filter for File Access: Open the filter dialog (Filter menu, or Ctrl+L) and filter on the PID of the suspicious process rather than its name, because a lookalike process can reuse a legitimate name while a PID is unique for as long as the process lives. Restrict the Operation column to file events (CreateFile, WriteFile, SetRenameInformationFile, SetDispositionInformationFile) to see file creations, modifications, renames, and deletions.
  3. Look for Hidden Files: Pay attention to files created in temporary directories (e.g., %TEMP%), user profile folders, ProgramData, or other locations a program of that kind has no reason to write to.

Process Monitor can show you exactly what files a process is accessing, which can reveal malicious activity.
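The same capture driven from the command line, as an added example that is not part of the original post. It runs Process Monitor headlessly for a fixed window, exports the log to CSV, and pulls out file writes, renames and deletions under %TEMP% by the PID you flagged in Task Manager. The tool path, the suspect PID, and the capture locations are assumptions; the command-line switches and the export column names are Process Monitor's defaults.

```powershell
# Added example, not from the original post: drive Process Monitor headlessly
# for a 60 second capture, export it to CSV, and pull out file writes, renames
# and deletions under %TEMP% by one PID.
$procmon    = 'C:\Tools\Procmon64.exe'   # assumption: where you unpacked the Sysinternals download
$suspectPid = 4242                       # assumption: PID noted in Task Manager
$pml        = 'C:\Tools\capture.pml'     # keep the backing file outside %TEMP% so it does not pollute the result
$csv        = 'C:\Tools\capture.csv'

# Start capturing, wait, stop the running instance, then convert the log to CSV.
Start-Process $procmon -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$pml`""
Start-Sleep -Seconds 60
Start-Process $procmon -ArgumentList '/Terminate' -Wait
Start-Process $procmon -ArgumentList '/AcceptEula', '/Quiet', "/OpenLog `"$pml`"", "/SaveAs `"$csv`"" -Wait

# Default export columns: Time of Day, Process Name, PID, Operation, Path, Result, Detail.
# CreateFile also covers plain opens for reading, so keep only those whose Detail
# shows write access or a create disposition.
$writeOps = 'CreateFile', 'WriteFile', 'SetRenameInformationFile', 'SetDispositionInformationFile'
Import-Csv $csv |
    Where-Object {
        [int]$_.PID -eq $suspectPid -and
        $_.Operation -in $writeOps -and
        $_.Path -like "$env:TEMP\*" -and
        ($_.Operation -ne 'CreateFile' -or $_.Detail -match 'Generic Write|Disposition: (Create|OverwriteIf|Supersede)')
    } |
    Select-Object 'Time of Day', 'Process Name', Operation, Path, Result, Detail |
    Format-Table -AutoSize
```

Process Monitor must run elevated, so launch this from an administrator PowerShell. Sixty seconds is a starting point; a Trojan that only touches disk at start-up or on a timer needs a longer window, or a capture that begins at boot (Process Monitor's boot-logging option).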

3. Check Network Connections with Alternatives

  1. Resource Monitor: Open Resource Monitor (type ‘resmon’ in the search bar). Go to the ‘Network’ tab. Its ‘TCP Connections’ list reads the same endpoint tables TCPView does, but the ‘Processes with Network Activity’ list shows bytes sent and received per process, so a process that opens and closes short-lived connections between TCPView refreshes still shows up here as traffic.
  2. netstat command: Run `netstat -ano` in Command Prompt or PowerShell. This lists all active TCP connections, TCP and UDP listening ports, and the process ID (PID) that owns each one. Compare the PIDs against the ‘Details’ tab of Task Manager to identify suspicious processes, and treat a PID that netstat reports but the process list does not show as a red flag in its own right.

    • `-a`: Displays all connections and listening ports.
    • `-n`: Shows addresses and port numbers in numerical form (no reverse DNS lookups, which are slow and tell the outside world what you are looking at).
    • `-o`: Displays the PID associated with each connection.
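The comparison step, scripted: an added example, not code from the original post. It parses the output of `netstat -ano`, attaches the owning process name and image path to each endpoint, and separately lists endpoints owned by a PID that the user-mode process list cannot see. The column positions assume the English netstat layout.

```powershell
# Added example, not from the original post: parse `netstat -ano`, attach the
# owning process to every endpoint, and flag PIDs that netstat reports but the
# process list cannot see. Column positions assume the English netstat layout.
$procByPid = @{}
Get-Process | ForEach-Object { $procByPid[[int]$_.Id] = $_ }

$endpoints = netstat -ano | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    # TCP rows: Proto Local Foreign State PID. UDP rows have no State column.
    if ($f[0] -eq 'TCP' -and $f.Count -ge 5) {
        [pscustomobject]@{ Proto = 'TCP'; Local = $f[1]; Remote = $f[2]; State = $f[3]; PID = [int]$f[4] }
    } elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
        [pscustomobject]@{ Proto = 'UDP'; Local = $f[1]; Remote = $f[2]; State = '';    PID = [int]$f[3] }
    }
}

$report = foreach ($e in $endpoints) {
    $p = $procByPid[$e.PID]
    $owner = if ($p) { $p.ProcessName }
             elseif ($e.PID -eq 0) { '(unowned, e.g. TIME_WAIT)' }
             else { '<PID NOT IN PROCESS LIST>' }
    # Path is $null for processes you are not allowed to open (protected or higher integrity).
    $path = if ($p -and $p.Path) { $p.Path } else { '' }
    [pscustomobject]@{
        Proto = $e.Proto; Local = $e.Local; Remote = $e.Remote; State = $e.State
        PID   = $e.PID;   Owner = $owner;   Path   = $path
    }
}

# Two views worth reading: live sessions grouped by owner, and endpoints whose
# owning PID is invisible to Get-Process (a process hidden from the user-mode list).
$report | Where-Object { $_.State -eq 'ESTABLISHED' } | Sort-Object Owner | Format-Table -AutoSize
$report | Where-Object { $_.Owner -eq '<PID NOT IN PROCESS LIST>' } | Format-Table -AutoSize
```

A PID in the second list can also be a process that exited between the two snapshots, so re-run the script before drawing conclusions; a PID that is missing on every run while its endpoint persists is the interesting case. Run it elevated so that Path is populated for as many owners as possible.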

4. Scan with Anti-Malware Software

  1. Run a Full System Scan: Use a reputable anti-malware program (e.g., Microsoft Defender Antivirus, Malwarebytes) to perform a full system scan. Update the definitions first; a scan with stale signatures only finds what was known when they were built.
  2. Consider Boot-Time Scans: Malware that hooks the running operating system (the rootkit case from the TL;DR) can hide its files from, or interfere with, a scan run inside that system. An offline scan such as Microsoft Defender Offline boots a clean environment and inspects the disk before that code loads, which is why some infections can only be removed that way.

5. Investigate Suspicious Services

  1. Open Services: Type ‘services.msc’ in the search bar and press Enter.
  2. Examine Service Properties: Look for services with unusual names, descriptions, or startup types; an Automatic service with a generic name and no description deserves a look. Open Properties and check the ‘Path to executable’ field: the binary should sit in a location that matches its publisher (%SystemRoot%\System32 for Windows components, Program Files for installed software) and should be digitally signed, while a path into a user profile, %TEMP%, or ProgramData is a red flag. For services hosted in svchost.exe the path shows only svchost.exe itself; the code that actually runs is the DLL named in the service’s ServiceDll registry value under HKLM\SYSTEM\CurrentControlSet\Services.
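The path check above across all services at once, as an added example that is not part of the original post. It pulls the executable out of each service's command line, reports any that live outside the usual Windows and Program Files locations, and verifies the Authenticode signature of each binary. The list of trusted roots is an assumption; adjust it for software you deliberately installed elsewhere.

```powershell
# Added example, not from the original post: list services whose binary lives
# outside the usual locations or whose signature does not verify.
# Trusted roots are an assumption; add directories you install software to.
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_ -ne '\' }   # drop ProgramFiles(x86) on 32-bit hosts where it is unset

function Get-ServiceBinaryPath {
    param([string]$CommandLine)
    # Quoted path: take what is inside the quotes. Unquoted: take up to the first
    # .exe/.sys, which also handles unquoted paths containing spaces.
    if     ($CommandLine -match '^\s*"([^"]+)"')            { return $Matches[1] }
    elseif ($CommandLine -match '^\s*(.+?\.(exe|sys))(\s|$)') { return $Matches[1] }
    else   { return ($CommandLine.Trim() -split '\s+')[0] }
}

$findings = Get-CimInstance Win32_Service | ForEach-Object {
    if (-not $_.PathName) { return }
    $exe = Get-ServiceBinaryPath $_.PathName
    $inTrusted = $false
    foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    # Catalog-signed Windows binaries verify as Valid here; a missing file is its own finding.
    $sig = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'FileMissing' }
    if (-not $inTrusted -or $sig -ne 'Valid') {
        [pscustomobject]@{
            Service   = $_.Name
            StartMode = $_.StartMode
            State     = $_.State
            Path      = $exe
            Signature = $sig
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'All service binaries are in trusted locations and signed.' }
```

Expect some noise from legitimate third-party software installed outside Program Files or shipped unsigned; the point is to shrink the list to what you must look at by hand. Win32_Service covers user-mode services only; kernel drivers are a separate enumeration.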

6. Use Advanced Monitoring Tools

For more sophisticated detection:
