
How do I remove Trojan viruses that have infected my network?

I just joined a new organization and a quick audit of my network revealed two Trojans have infected the network. The details are as follows: 

Port: 1025
Description: network blackjack

Port: 5000
Description: UPnP/filmaker.com/Socket de Troie (Windows Trojan)

How can I remove these two infiltrators and harden my network to prevent future attacks?

It's good to see that you have performed a quick audit of your network. One caveat before anything else: what the audit actually found is two open ports, not two Trojans. A port number tells you which service is registered for it, not what is listening on it, so the real work is identifying the process behind each port. Let's discuss the two open ports you found first.

Port 1025 is registered to network blackjack, but it is used by a number of legitimate services as well: many hosting providers offer SMTP on port 1025 because some ISPs block port 25; Net2phone uses it for VoIP; and on Windows it is commonly the first dynamic port handed out to RPC services, including Active Directory. So check whether any of those services are present on your network before concluding anything. That said, you are right that port 1025 is also a target: there is an RPC exploit that hits that port, and port 1025 regularly appears among the ten most probed ports on the Internet. The decisive check is to identify the process that owns the listening socket on the host (on Windows, netstat -ano shows the owning PID and tasklist maps that PID to an image name). An RPC listener owned by svchost.exe is normal; the same port owned by an unfamiliar executable in a user's profile directory is not.

Port 5000 is used by Windows Universal Plug and Play (UPnP). It's true that it is also used by the Socket de Troie Trojan, but that one is pretty old; I believe it dates back to 1998 or earlier. If you are infected with that Trojan, a current virus scanner should pick it up. Apply the same process check here: if the listener belongs to the UPnP service, you are looking at a Windows feature rather than a Trojan, and the question becomes whether you need it at all. The UPnP service has had remotely exploitable bugs of its own, so if nothing on the network depends on it, disable the service rather than leave the port open.

So back to your original question on how to protect your network. The best method is to combine two complementary principles: defense in depth and least privilege. Defense in depth means that you stack one layer of security on top of another, so that no single control has to be perfect. For example, use a firewall, control access to the servers, patch the servers and desktops regularly, keep the anti-virus software current and set up ACLs on your routers.

Now, on to the principle of least privilege. This rule states that you give users and services only the least amount of privilege needed to do the job. Applied to the network, that means turning off the ports and services that are not needed. You can do this one port at a time, or you can block everything and then turn back on only the minimum set of services that the network and users need to complete their tasks. The second approach is safer: anything you forgot shows up as a complaint you can act on, rather than as an open port nobody knows about.

There are lots of good books and resources on the Web that discuss hardening devices and services. The NSA publishes hardening guidelines that are worth a look.
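The two checks above (identify the process behind each listening port, then compare what is listening against the minimum set you have decided to allow) can be done with a short script. The following Python is an added example, not code from the original answer or from any tool it mentions: it parses Windows `netstat -ano` and `tasklist /fo csv /nh` output, joins listeners to their owning image name, and flags anything that is not on an allowlist or is owned by an unexpected process. The sample output and the allowlist are constructed for illustration; on a real host you would feed it the captured command output and your own allowlist.

```python
"""Triage Windows listening ports: who owns each socket, and is it allowed?"""
import csv
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       800
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       800
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1240
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING       620
  TCP    192.168.1.10:1052      10.0.0.5:80            ESTABLISHED     2212
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       3304
"""

# Constructed sample of `tasklist /fo csv /nh` output: image, PID, session, session#, memory.
TASKLIST_SAMPLE = """
"svchost.exe","800","Services","0","5,000 K"
"System","4","Services","0","200 K"
"svchost.exe","1240","Services","0","4,000 K"
"svchost.exe","620","Services","0","3,000 K"
"iexplore.exe","2212","Console","1","20,000 K"
"update.exe","3304","Console","1","1,000 K"
"""

# Hypothetical least-privilege allowlist: port -> image names permitted to own it.
# Port 1025 is allowed only as an RPC listener (svchost.exe); port 5000 (UPnP)
# is deliberately absent, so it is reported until someone decides it is needed.
ALLOWED_LISTENERS = {
    135: {"svchost.exe"},   # RPC endpoint mapper
    445: {"System"},        # SMB, owned by the kernel (PID 4)
    1025: {"svchost.exe"},  # first RPC dynamic port on Windows
    3389: {"svchost.exe"},  # Remote Desktop
}

# Matches one TCP row: local addr:port, foreign addr, state, PID. IPv6 rows look like [::]:135.
NETSTAT_ROW = re.compile(r"TCP\s+(\S+):(\d+)\s+\S+\s+(\w+)\s+(\d+)$")


@dataclass(frozen=True)
class Listener:
    port: int
    bind_addr: str
    pid: int
    image: str


@dataclass(frozen=True)
class Finding:
    listener: Listener
    reason: str


def parse_netstat(text):
    """Return (bind_addr, port, pid) for every TCP socket in LISTENING state."""
    listeners = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line.strip())
        if m and m.group(3) == "LISTENING":
            listeners.append((m.group(1), int(m.group(2)), int(m.group(4))))
    return listeners


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` rows."""
    pid_to_image = {}
    for row in csv.reader(text.strip().splitlines()):
        if len(row) >= 2 and row[1].isdigit():
            pid_to_image[int(row[1])] = row[0]
    return pid_to_image


def triage(netstat_text, tasklist_text, allowlist):
    """Join listeners to owning processes and flag anything outside the allowlist."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for addr, port, pid in parse_netstat(netstat_text):
        lst = Listener(port, addr, pid, images.get(pid, "<unknown>"))
        expected = allowlist.get(port)
        if expected is None:
            findings.append(Finding(lst, "port not in allowlist: disable the service or add it deliberately"))
        elif lst.image not in expected:
            findings.append(Finding(lst, f"unexpected owner; expected one of {sorted(expected)}"))
    return sorted(findings, key=lambda f: f.listener.port)


if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE, ALLOWED_LISTENERS):
        l = f.listener
        print(f"port {l.port:<6} pid {l.pid:<6} {l.image:<14} {f.reason}")
```

On the constructed sample this reports port 5000 (svchost.exe, the UPnP service, absent from the allowlist) and port 31337 (update.exe, an image nobody vouched for), while port 1025 passes because it is owned by svchost.exe as an RPC port should be. The allowlist is the least-privilege decision made explicit: every entry is a port someone chose to keep, and everything else is a finding.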

This was last published in September 2005
