Detecting Rats & Keyloggers Using CMD And Task Manager

In this tutorial, I'll be showing you a quick way of finding malicious applications on your PC, such as RATs (remote access trojans) and keyloggers, that phone home over the internet without you knowing it. The idea is simple: list every active network connection together with the process that owns it, then check whether each of those processes is something you recognise and trust.
As stated in the title, we'll be using Task Manager and CMD for the purposes of this tutorial.
Part 1 :- Customizing Task Manager
1. To get started, open up Task Manager by right clicking your Taskbar and selecting Task Manager, or just hit CTRL+SHIFT+ESC to open it directly. (CTRL+ALT+DEL takes you to the security screen first, from which you can also pick Task Manager.)
2. Once that is done, click the "Processes" tab of your Task Manager and click View -> Select Columns -> make sure that "Process Identifier (PID)" is ticked. On Windows 8 and later the "Details" tab shows the PID column by default, so use that tab instead.
Pic :- http://bit.ly/1d0oijj
3. Now click the PID column header so that all the processes are sorted by PID. This step is not necessary, but it makes it much easier to find a process by its ID in the next part.
Pic :- http://bit.ly/HiyQ1A
Part 2 :- Using CMD
Once that's done, we're going to move on to part 2 of our tutorial, which is using CMD to view established connections.
Assuming you know how to open up CMD, I'm just going to rush through step 1.
1. Start -> Run -> CMD
OR
Just type in cmd in the search bar if you're running Windows 7. Right click the result and choose "Run as administrator" if you can; some system processes only reveal their details to an elevated prompt.
2. Once cmd is open, I want you to type in "netstat -ano". The switches mean: -a lists all connections and listening ports, -n shows addresses and ports numerically instead of resolving names (faster, and it avoids tipping off anyone watching DNS), and -o shows the owning process ID (PID) for each connection.
Your result should be something like this:
3. Now what we're interested in are only the connections with the state "ESTABLISHED", i.e. connections that are actually carrying traffic right now. Isolate them and note the PID in the last column, together with the foreign address (the remote IP and port the connection goes to). There will be many connections in the "ESTABLISHED" state; you'll have to repeat the following steps for all of them. Keep in mind that netstat is a snapshot: a RAT or keylogger that only connects out every few minutes may not show up on the first run, so repeat the command a few times over a period where you expect it to phone home.
Pic :- http://bit.ly/1a1ZcvP
This is the fun part. Now go back to Task Manager and look for the name of the process(es) that has the same PID(s) as the one(s) you found with the ESTABLISHED connection(s).
Pic :- http://bit.ly/HgdPFM
In the above case, it's a safe and trusted application known as Dropbox, so I'm good. But in case you find a process which you do not know, or a familiar-looking name that doesn't add up, right click the process and select "Open File Location".
Pay special attention to names that malware likes to borrow. svchost.exe, for example, is a legitimate Windows process that always lives in C:\Windows\System32 and normally does not make outbound connections to random internet addresses. An svchost.exe (or any "system" name) running from a user profile, Temp or Downloads folder is a strong sign of infection. Check the file's Properties -> Digital Signatures tab as well: Microsoft and reputable vendors sign their executables, while most homemade RATs and keyloggers are unsigned.
Now all you have to do is right click the file and scan it using your AV, or check it against an online scanner such as VirusTotal.com. If the file might contain something private, search VirusTotal for the file's SHA-256 hash first; uploading the file itself shares it with the security community and with anyone else who looks up that hash.
Pic :- http://bit.ly/HiztZ8
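The whole procedure above (list ESTABLISHED connections, map each PID to its process, find the file on disk and check its signature and hash) can be automated so you don't have to flip between netstat and Task Manager for every PID. The following PowerShell script is an added example written for this page; it is not part of the original tutorial. It assumes Windows 8 / Server 2012 or later (where the Get-NetTCPConnection cmdlet exists) and is best run from an elevated PowerShell prompt, otherwise the file path of some system processes comes back empty. The svchost.exe-outside-System32 rule and the "unsigned image" rule are the same heuristics described in the text, not a definitive malware check.

```powershell
# Added example, not from the original tutorial.
# Correlate ESTABLISHED TCP connections with their owning processes,
# then flag the suspicious cases the tutorial describes.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.

# 1. Every ESTABLISHED TCP connection, excluding loopback traffic
#    (assumption: a RAT or keylogger phones home to a remote host).
$established = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') }

# 2. For each connection, look up the owning process (the "PID" column of
#    netstat -ano), its image file, the file's Authenticode signature status
#    and its SHA-256 hash (for a VirusTotal hash search instead of an upload).
$report = foreach ($conn in $established) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $path = $proc.Path   # $null when not elevated or the process already exited

    if ($path) {
        $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status
        $sha256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    } else {
        $sigStatus = 'n/a'
        $sha256    = 'n/a'
    }

    [pscustomobject]@{
        PID           = $conn.OwningProcess
        Process       = if ($proc) { $proc.ProcessName } else { '(exited)' }
        Path          = $path
        Signature     = $sigStatus      # Valid, NotSigned, HashMismatch, ...
        SHA256        = $sha256
        RemoteAddress = $conn.RemoteAddress
        RemotePort    = $conn.RemotePort
    }
}

# 3. Full picture, same information as netstat -ano plus Task Manager,
#    sorted so that unsigned images and unknown paths come first.
$report | Sort-Object Signature, Process | Format-Table -AutoSize

# 4. The red flags from the tutorial: an "svchost.exe" that does not live in
#    C:\Windows\System32, or any connected process whose image is unsigned.
$system32 = Join-Path $env:SystemRoot 'System32'
$suspicious = $report | Where-Object {
    ($_.Process -eq 'svchost' -and $_.Path -and $_.Path -notlike "$system32\*") -or
    $_.Signature -eq 'NotSigned'
}

if ($suspicious) {
    Write-Host "Processes worth a closer look (scan the file or search VirusTotal for the SHA256):"
    $suspicious | Format-List PID, Process, Path, Signature, SHA256, RemoteAddress, RemotePort
} else {
    Write-Host "No unsigned or misplaced processes found among ESTABLISHED connections."
}
```

If you'd rather stay in plain CMD, `netstat -anob` (the extra -b switch needs an administrator prompt) prints the executable name under each connection, and `tasklist /FI "PID eq 1234"` shows the process for a single PID without opening Task Manager. Either way, treat a hit from the script as a starting point: a "NotSigned" result on a program you installed yourself is common, while an unsigned binary with a name you don't recognise, sitting in a Temp or AppData folder and holding a connection to an address you can't account for, is the case the tutorial is about.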
It's as easy as that.
Hope you find this useful.