Ports are the entry and exit points of network traffic. There are two kinds: hardware ports (physical interfaces) and software ports, the port numbers the OS uses to route traffic to and from applications (e.g., TCP port 25 is associated with SMTP, the protocol mail servers use to route e-mail between them). Many port numbers are, by convention, tied to a particular application or process. Trojans and other backdoors use some of these ports as well: once installed on a target system, a Trojan opens a port and waits for the attacker to connect to it.
To judge whether a system has been compromised, a user needs a basic understanding of the states an active connection can be in and of the ports commonly used by Trojans.
Among the connection states, "listening" is the one that matters here. A port is in the LISTENING state when a process has bound it and is waiting for another system to connect to it. A Trojan that has installed itself persistently re-enters this state every time the system reboots; some use more than one port, one for listening and the other(s) for data transfer, so a listener on an unusual port is often accompanied by an established connection owned by the same process. Common ports used by different Trojans are listed in the table below. Note that the table mixes classic backdoors with entries drawn from more recent threat intelligence: names such as APT 29, FIN7, Lazarus Group and Threat Group-3390 are threat groups rather than individual Trojans, and several of the listed ports (443 for HTTPS, 445 for SMB, 3389 for RDP) are shared with legitimate services, so a match in this table is a lead to investigate, not evidence of compromise on its own.
| Port | Trojan | Port | Trojan |
|---|---|---|---|
| 2 | Death | 5001/50505 | Sockets de Troie |
| 20/22/80/ | Emotet | 5321 | FireHacker |
| 21/3024/ | WinCrash | 5400-02 | Blade Runner / Blade Runner 0.80 Alpha |
| 21 | Blade Runner, Doly Trojan, Fore | 5569 | Robo-Hack |
| 22 | Shaft, SSH RAT, Linux Rabbit | 6267 | GW Girl |
| 23 | Tiny Telnet Server, EliteWrap | 6400 | Thing |
| 25 | Antigen, Email Password Sender, Terminator, WinPC, WinSpy, Haebu Coceda, Shtrilitz Stealth, Kuang2 0.17A-0.30, Jesrto, Lazarus Group, Mis-Type, Night Dragon | 6666 | KilerRat, Houdini RAT |
| 26 | | 6667/12349 | Bionet, Magic Hound |
| 31/456 | Hackers Paradise | 6670-71 | DeepThroat |
| 53 | Denis, Ebury, FIN7, Lazarus Group, RedLeaves, Threat Group-3390, Tropic Trooper | 6969 | GateCrasher, Priority |
| 68 | Mspy | 7000 | Remote Grab |
| 80 | Necurs, NetWire, Ismdoor, Poison Ivy, Executer, CodeRed, APT 18, APT 19, APT 32, BBSRAT, Calisto, Carbanak, Carbon, Comnie, Empire, FIN7, InvisiMole, Lazarus Group, MirageFox, Mis-Type, Misdat, Mivast, MoonWind, Night Dragon, POWERSTATS, RedLeaves, S-Type, Threat Group-3390, UBoatRAT | 7300-08 | NetMonitor |
| 113 | Shiver | 7300/31338/31339 | NetSpy |
| 139 | Nuker, Dragonfly 2.0 | 7597 | Qaz |
| 421 | TCP Wrappers Trojan | 7626 | Gdoor |
| 443 | ADVSTORESHELL, APT 29, APT 3, APT 33, AuditCred, BADCALL, BBSRAT, Bisonal, Briba, Carbanak, Cardinal RAT, Comnie, Derusbi, ELMER, Empire, FELIXROOT, FIN7, FIN8, gh0st RAT, HARDRAIN, Hi-Zor, HOPLIGHT, KEYMARBLE, Lazarus Group, LOWBALL, Mis-Type, Misdat, MoonWind, Naid, Nidiran, Pasam, PlugX, PowerDuke, POWERTON, Proxysvc, RATANKBA, RedLeaves, S-Type, TEMP.Veles, Threat Group-3390, TrickBot, Tropic Trooper, TYPEFRAME, UBoatRAT | 7777 | GodMsg |
| 445 | WannaCry, Petya, Dragonfly 2.0 | 7789 | ICKiller |
| 456 | Hackers Paradise | 8000 | BADCALL, Comnie, Volgmer |
| 555 | Ini-Killer, Phase Zero, Stealth Spy | 8012 | Ptakks |
| 666 | Satanz Backdoor, Ripper | 8080 | Zeus, APT 37, Comnie, EvilGrab, FELIXROOT, FIN7, HTTPBrowser, Lazarus Group, Magic Hound, OceanSalt, S-Type, Shamoon, TYPEFRAME, Volgmer |
| 1001 | Silencer, WebEx | 8443 | FELIXROOT, Nidiran, TYPEFRAME |
| 1011 | Doly Trojan | 8787/54321 | Back Orifice 2000 |
| 1026/ | RSM | 9989 | iNi-Killer |
| 1095-98 | RAT | 10048 | Delf |
| 1170 | Psyber Stream Server, Voice | 10100 | Gift |
| 1177 | njRAT | 10607 | Coma 1.0.9 |
| 1234 | Ultors Trojan | 11000 | Senna Spy |
| 1234/ | Valvoline | 11223 | Progenic Trojan |
| 1243 | SubSeven 1.0-1.8 | 12223 | Hack'99 KeyLogger |
| 1243/6711/6776/27374 | SubSeven | 12345-46 | GabanBus, NetBus |
| 1245 | VooDoo Doll | 12361, 12362 | Whack-a-mole |
| 1777 | Java RAT, Agent.BTZ/ComRat, Adwind RAT | 16969 | Priority |
| 1349 | Back Orifice DLL | 20001 | Millennium |
| 1492 | FTP99CMP | 20034/1120 | NetBus 2.0 Beta |
| 1433 | | 21544 | GirlFriend 1.0, Beta-1.35 |
| 1600 | Shivka-Burka | 22222/ | Prosiak |
| 1604 | DarkComet RAT, Pandora RAT, HellSpy RAT | 22222 | Rux |
| 1807 | SpySender | 23432 | |
| 1863 | XtremeRAT | 23456 | Evil FTP, Ugly FTP |
| 1981 | Shockrave | 25685 | Moon Pie |
| 1999 | BackDoor 1.00-1.03 | 26274 | Delta |
| 2001 | Trojan Cow | 30100-02 | NetSphere 1.27a |
| 2115 | Bugs | 31337-38 | Back Orifice / Back Orifice 1.20 / Deep BO |
| 2140 | The Invasor | 31338 | DeepBO |
| 2140/3150 | DeepThroat | 31339 | NetSpy DK |
| 2155 | Illusion Mailer, Nirvana | 31666 | BOWhack |
| 2801 | Phineas Phucker | 34324 | BigGluck, TN |
| 3129 | Masters Paradise | 40412 | The Spy |
| 3131 | SubSari | 40421-26 | Masters Paradise |
| 3150 | The Invasor | 47262 | Delta |
| 3389 | RDP | 50766 | Fore |
| 3700/9872-9875/10067/10167 | Portal of Doom | 53001 | Remote Windows |
| 4000 | RA | 54321 | SchoolBus .69-1.11 |
| 4567 | File Nail 1 | 61466 | Telecommando |
| 4590 | ICQTrojan | 65000 | Devil |
| 5000 | Bubbel, SpyGate RAT, Punisher RAT | | |
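The check described above (look for LISTENING ports, compare them with the Trojan port table, and then look for the companion data-transfer connection owned by the same process), as an added example that is not part of the original page. It parses the text of `netstat -ano` as printed on Windows. The port subset, the baseline of expected listeners, the embedded netstat sample and all function names are constructed for this illustration; the full table above is the reference to extend from.

```python
"""Triage TCP listeners against the Trojan port table and a host baseline.

Added example, not from the original page. Run `netstat -ano > conns.txt`
and pass the file as the only argument, or run with no argument to use the
constructed sample below.
"""
import sys
from collections import namedtuple

# Small subset of the port table above (constructed; extend from the table).
# 445 is listed for WannaCry/Petya but is also the legitimate SMB port.
KNOWN_TROJAN_PORTS = {
    445: "WannaCry / Petya (also legitimate SMB)",
    1177: "njRAT", 1604: "DarkComet RAT",
    1243: "SubSeven", 6711: "SubSeven", 6776: "SubSeven", 27374: "SubSeven",
    12345: "NetBus", 12346: "NetBus",
    31337: "Back Orifice", 31338: "DeepBO",
}

# Ports this host is expected to listen on (assumed baseline; build yours
# from a known-clean image of the same role).
BASELINE_PORTS = {135, 445}

# Constructed sample of `netstat -ano` output: two Trojan-style listeners plus
# an ESTABLISHED data channel owned by the same PID as the 27374 listener.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:12345        0.0.0.0:0              LISTENING       5588
  TCP    192.168.1.10:49731     52.96.91.2:443         ESTABLISHED     3388
  TCP    192.168.1.10:27374     203.0.113.7:51002      ESTABLISHED     4120
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5355           *:*                                    1492
"""

Conn = namedtuple("Conn", "proto local_addr local_port foreign state pid")


def parse_netstat(text):
    """Parse Windows `netstat -ano` rows into Conn records; skip banner/header lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":                 # TCP rows carry a State column, UDP rows do not
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        addr, port = local.rsplit(":", 1)  # rsplit keeps IPv6 forms like [::]:135 intact
        records.append(Conn(proto, addr, int(port), foreign, state, pid))
    return records


def listening_ports(records):
    """Map each TCP port in the LISTENING state to the set of PIDs bound to it."""
    ports = {}
    for r in records:
        if r.proto == "TCP" and r.state == "LISTENING":
            ports.setdefault(r.local_port, set()).add(r.pid)
    return ports


def match_known_ports(ports, port_map=KNOWN_TROJAN_PORTS):
    """Listeners whose port appears in the Trojan table, as sorted (port, pid, name)."""
    return sorted((port, pid, port_map[port])
                  for port, pids in ports.items() if port in port_map
                  for pid in pids)


def unexpected_listeners(ports, baseline):
    """Listening ports absent from the host baseline, regardless of the table."""
    return sorted(p for p in ports if p not in baseline)


def data_channels(records, suspect_pids):
    """ESTABLISHED TCP connections owned by suspect PIDs: the 'other' port used for data."""
    return [(r.local_port, r.foreign, r.pid) for r in records
            if r.proto == "TCP" and r.state == "ESTABLISHED" and r.pid in suspect_pids]


def triage(text, baseline=BASELINE_PORTS, port_map=KNOWN_TROJAN_PORTS):
    """A table hit on a port outside the baseline is high priority; a table hit on
    an expected port (SMB on 445) is only informational. Each finding carries the
    established connections of the listening PID for follow-up."""
    records = parse_netstat(text)
    ports = listening_ports(records)
    unexpected = set(unexpected_listeners(ports, baseline))
    return [{"port": port, "pid": pid, "name": name,
             "severity": "high" if port in unexpected else "info",
             "established": data_channels(records, {pid})}
            for port, pid, name in match_known_ports(ports, port_map)]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    for f in triage(text):
        print(f"[{f['severity']}] port {f['port']} pid {f['pid']} ({f['name']}) "
              f"established={f['established']}")
```

On the sample this reports 445 as informational (it is in the table but also in the baseline), and 12345 and 27374 as high, with the 27374 finding carrying the established connection to 203.0.113.7 that the same PID owns. The PID is the pivot for the next step (`tasklist /FI "PID eq 4120"` or the process tree in a forensic tool); the port number alone only tells you where to look.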