How can I tell if someone is hacking my Windows PC?

  • Does your mouse cursor move without your consent?
  • DVD tray spontaneously open?
  • Have you noticed aberrant behavior such as slow performance and obscure error messages that don’t resemble anything you’ve ever seen before?

If so, it’s possible that you have a Remote Access Trojan (RAT) living on your computer that is clandestinely providing remote access to a hacker.

RATs aren’t just for squalid homes and subway tracks anymore; in fact, they have recently reared their ugly heads in the news.  Blackshades is a notorious RAT but there are many others.

Most RATs provide a veritable buffet of tools for voracious hackers to snoop around your system.  For example, it’s not uncommon for RATs to come replete with:

  • Keyloggers
  • Webcam Hijackers
  • Registry Modifiers
  • Password Stealers

In my experience, downloading pirated software from peer-to-peer file sharing applications such as BitTorrent or from underground software distribution forums is the most common way to get infected.  The aloof victim thinks he’s downloading the full season of Game of Thrones, not realizing there’s a RAT lurking in the .RAR file.

Once the Trojan is executed, it opens a TCP port on the client machine, which allows the attacker to furtively send commands to the victim’s computer.

Finding RATs

The easiest way to make sure you’re not infected is to open a command prompt and use a tool named Netstat (the abridged form of Network Statistics) to see all the active and listening ports on your system.

In Windows 8, you can open a command prompt with Administrator rights (Windows Key + x + a) and type:

netstat -ab

[Screenshot: output of netstat -ab]

The a after the dash tells Netstat to reveal all the current connections and listening ports on your computer.  The b option displays the binary; in other words, the actual executable name that created the connection.

The netstat output above probably looks disorganized but there are actually four columns:

  • Protocol
  • Local Address
  • Foreign Address
  • State

Amid the melee of connections you want to zero in on any IP addresses which seem suspicious.  Netstat with the b option can take several minutes to complete, but when it finishes you want to pay close attention to the Local and Foreign Address columns.

How can you distinguish the unsavory connections from the good guys?

Looking for culprits

In my netstat results you’ll see an application name in brackets.  For example, I’ve placed my cursor on [googledrivesync.exe], but there are others present here including [spoolsv.exe] and [Dropbox.exe].

If you see a process with a generic name like [process.exe], your ears should perk up.  It doesn’t mean you have a Trojan, but it should give you pause.

Throw the process name in Google and see what results come back. If it seems deleterious, axe it with a good antivirus program, change your passwords and monitor your credit card statements.

Incidentally, you should definitely request a free credit report especially if you suspect the attacker made fraudulent charges against your card.  I also suggest filing a complaint and immediately notifying your card issuer.

Important Ports

In addition to the process name, zero in on the Local and Foreign addresses.  The local address is the IP address and port of the computer you executed the netstat command from; it’s your address, thus it’s aptly called local.

Conversely, the Foreign Address is the IP address and port of the computer connected to you.  Most of the IP address and port combos you see here, known as sockets, are innocuous; however, if you’re infected with a RAT, the TCP or UDP ports will tell you for sure.

Each IPv4 address is a collection of four decimal numbers separated by dots.  After the last number there’s a colon and then another number.  The number following the colon is the port.

[Screenshot: netstat output with the cursor on googledrivesync.exe]

In the screenshot above, you can see the local IP address following [googledrivesync.exe] is 10.255.77.167.  The port is a little harder to see since my cursor is occluding part of it, so I’ll just tell you that it’s 51025.

In the world of networking, ports are integral for communication.  Without ports, it would be impossible to run multiple applications on a single computer. Ports allow one computer to have many networked programs such as Skype, Dropbox and Chrome all on a single network connection.  The bad guys don’t connect using well-known or registered ports; on the contrary, they use non-standard ports that are known for being malicious.

So I would compare the port number against a list of malicious ports.  If nothing comes back, toss it in Google and see what you can find.
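The review described above, reading netstat -ab output, attaching the bracketed process name to the connection rows it follows, splitting each address into IP and port, and comparing ports and names against a watchlist, can be scripted.  The Python below is an added example written for this page and is not code from the original post.  The netstat text it parses is constructed, the port and name watchlists are placeholders you would replace with your own, and the local-network ranges are the standard RFC 1918, loopback and link-local blocks.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of "netstat -ab" output for this example, not a real capture.
# Process names sit in brackets on the line *after* the connection(s) they own;
# a service name such as RpcSs may appear on its own line in between.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    10.255.77.167:51025    198.51.100.10:443      ESTABLISHED
 [googledrivesync.exe]
  TCP    10.255.77.167:51030    203.0.113.45:6667      ESTABLISHED
 [process.exe]
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
 [process.exe]
  UDP    0.0.0.0:5355           *:*
 [svchost.exe]
"""

# Illustrative watchlists only (placeholders); substitute your own lists in practice.
PORT_WATCHLIST = {4444, 6667}
GENERIC_PROCESS_NAMES = {"process.exe"}

# Addresses that belong to your own machine or LAN rather than the Internet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: Optional[int]
    foreign_ip: str
    foreign_port: Optional[int]
    state: str
    process: str = "?"          # filled in from the following [name.exe] line
    flags: List[str] = field(default_factory=list)


def split_endpoint(text: str):
    """'10.255.77.167:51025' -> ('10.255.77.167', 51025); '*:*' -> ('*', None)."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(output: str) -> List[Socket]:
    """Turn the four netstat columns plus the bracketed owner into Socket records."""
    sockets, pending = [], []
    for raw in output.splitlines():
        line = raw.strip()
        owner = re.match(r"^\[(.+)\]$", line)
        if owner:                       # attribute the process to the rows above it
            for sock in pending:
                sock.process = owner.group(1)
            pending = []
            continue
        if line.startswith("Can not obtain ownership information"):
            pending = []                # netstat could not name the owner; leave "?"
            continue
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP"):
            lip, lport = split_endpoint(parts[1])
            fip, fport = split_endpoint(parts[2])
            state = parts[3] if len(parts) > 3 else ""   # UDP rows have no state
            sock = Socket(parts[0], lip, lport, fip, fport, state)
            sockets.append(sock)
            pending.append(sock)
    return sockets


def port_range(port: int) -> str:
    """IANA ranges: well-known 0-1023, registered 1024-49151, dynamic 49152-65535."""
    if port < 1024:
        return "well-known"
    return "registered" if port < 49152 else "dynamic"


def is_local_address(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                  # '*' or a hostname: not an Internet peer
        return True
    return any(ip in net for net in LOCAL_NETS)


def review(sockets: List[Socket]) -> List[Socket]:
    """Attach review flags; returns the sockets that earned at least one."""
    for s in sockets:
        if s.process.lower() in GENERIC_PROCESS_NAMES or s.process == "?":
            s.flags.append("generic-process-name")
        if s.local_port in PORT_WATCHLIST or s.foreign_port in PORT_WATCHLIST:
            s.flags.append("watchlisted-port")
        if s.state == "ESTABLISHED" and not is_local_address(s.foreign_ip):
            s.flags.append("external-connection")
        if s.state == "LISTENING" and s.local_port is not None \
                and port_range(s.local_port) != "well-known":
            s.flags.append("listening-high-port")
    return [s for s in sockets if s.flags]


if __name__ == "__main__":
    for s in review(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{s.proto} {s.local_ip}:{s.local_port} -> {s.foreign_ip}:{s.foreign_port} "
              f"{s.state} [{s.process}] flags={', '.join(s.flags)}")
```

On a real machine you would pipe the saved output of netstat -ab into parse_netstat instead of the sample string.  The flags are prompts for the manual steps the article describes (look the name up, verify the owner, scan with antivirus), not verdicts: a legitimate sync client shows up as an external connection too, and a port number on its own never proves anything, since malware is free to talk on 80 or 443 like everything else.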

Ultimately, the best way to avoid rats is to keep your house clean.  In the same way, you should keep your PC clean by running regular virus scans and refusing to install software from questionable sources.

The terror of Trojans

Being infected with RATs is an unnerving experience.

I know it first hand because about two decades ago, I was a victim of the infamous SubSeven exploit. I was still in high school and deep into the underground scene.  Someone tricked me into downloading something enticing (probably the picture of a hot girl) but for the first week or so my computer showed zero signs of infection.

Initially, there were no anomalies; however, as the days moved forward I noticed little things that seemed insignificant but were still alarming.

For example, new text randomly inserted itself into documents and icons moved to different places.  These were the nascent indications of a Trojan but I still was completely clueless and ignored it.

I didn’t get freaked out until I got a weird pop-up telling me the password of my AOL Instant Messenger account.  That’s when I panicked and scoured the internet amassing all the knowledge I could about how to eradicate the Trojan.

I eventually removed the Malware, but the experience left an indelible mark.  Pay attention to what you download.

The Bottom Line

Remote Access Trojans are so appealing because they’re so easy to use.

You don’t need to be a programmer to own someone’s computer.  With a little guile and some patience you can trick people into downloading tools that give you carte blanche access to their systems.

We need to think like hackers when we defend our computers.

Stay alert, because there are covert circles of unscrupulous hackers just waiting to see a new victim pop into their administration consoles.  Don’t let that PC be you.

Netstat is one way to check for threats, but the best offense is a healthy dose of common sense.

Have you ever been infected with a RAT?  Have any stories to share?  Let me know in the comments!


Connect with Vonnie on Twitter


  • Bryan Ayres Ryder

    First time I’d heard of RATs and ‘my bad’, I haven’t been doing my due diligence to keep my sensitive information safe. But what is more, I believe the government has tabs on my sheet, and while I don’t mind it I also don’t like it. The gov will do what it does and I can’t change that. So now I’m certain I don’t know which way is up or down as far as my electronic data is concerned, but my next scariest potential leak may be coming from my cell phone. What do you think?

  • Michaelle Beasley

    I’m being attacked!!!! Someone keeps hacking BOTH my computers. They have gone in and turned all my ports off, they can turn my webcam on, and then today my backup computer crashed while I was on it. Before it crashed completely, I got a really weird message. First in a window that popped up, second in the blue screen of death, and finally on a black screen before it crashed. It stated “-You are not-above or equal to anyone-you are no one-” Typed exactly like that. It popped up several times before the computer completely died. I’ve run antivirus, scanned all documents, checked all folders, and still cannot find anything. They completely wiped everything. It won’t even turn on now. Just beeps, and does not boot up. This is the third time it’s happened in a month. And it’s honestly starting to scare me….. I honestly don’t need this. I’m a single mom of two, one of which is special needs. I have to use my computers for her homeschooling. Please help, I’ve tried everything!!!

    • DerickB

      The one thing I have learned is to always cover all my cams in the house unless I am actively using them. I myself have never been hacked like that (that I know of), but for safety and peace of mind my mics get disconnected when not in use and my cams are all covered. I hope you have got your issue resolved by now : )

  • Jeff Jefferson

    My disc tray keeps opening and closing, do you think it’s APT?