Skip to main content

EC EHE - Trojan Ports

Ports represent the entry and exit points of data traffic. There are two types of ports: hardware ports and software ports. Ports within the OS are software ports, and they are usually entry and exit points for application traffic (e.g., port 25 is associated with SMTP for e-mail routing between mail servers). Many existing ports are application-specific or process-specific. Various Trojans use some of these ports to infect target systems.

Users need a basic understanding of the state of an "active connection” and ports commonly used by Trojans to determine whether a system has been compromised.

Among the various states, the “listening” state is the important one in this context. The system generates this state when it listens for a port number while waiting to connect to another system. Whenever a system reboots, Trojans move to the listening state; some use more than one port: one for "listening" and the other(s) for data transfer. Common ports used by different Trojans are listed in the table below.

 

Port

Trojan

Port

Trojan

2

Death

5001/50505

Sockets de Troie

20/22/80/
443

Emotet

5321

FireHotcker

21/3024/
4092/5742

WinCrash

5400-02

Blade Runner/Blade Runner 0.80 Alpha

21

Blade Runner, Doly Trojan, Fore,
Invisible FTP, WebEx, WinCrash, DarkFTP

5569

 Robo-Hack

22

Shaft, SSH RAT, Linux Rabbit

6267

GW Girl

23

Tiny Telnet Server, EliteWrap

6400

Thing

25

Antigen, Email Password Sender, Terminator, WinPC, WinSpy, Haebu Coceda, Shtrilitz Stealth, Terminator, Kuang2 0.17A-0.30, Jesrto, Lazarus Group, Mis-Type, Night Dragon

6666

KilerRat, Houdini RAT

26

BadPatch

6667/12349

Bionet, Magic Hound

31/456

Hackers Paradise

6670-71

 DeepThroat

53

Denis, Ebury, FIN7, Lazarus Group, RedLeaves, Threat Group-3390, Tropic Trooper

6969

 GateCrasher, Priority

68

Mspy

7000

 Remote Grab

80

Necurs, NetWire, Ismdoor, Poison Ivy, Executer, Codered, APT 18, APT 19, APT 32, BBSRAT, Calisto, Carbanak, Carbon, Comnie, Empire, FIN7, InvisiMole, Lazarus Group, MirageFox, Mis-Type, Misdat, Mivast, MoonWind, Night Dragon, POWERSTATS, RedLeaves, S-Type, Threat Group-3390, UBoatRAT

7300-08

 NetMonitor

113

Shiver

7300/31338/31339

Net Spy

139

Nuker, Dragonfly 2.0

7597

Qaz

421

TCP Wrappers Trojan

7626

Gdoor

443

ADVSTORESHELL , APT 29, APT 3, APT 33, AuditCred, BADCALL, BBSRAT, Bisonal, Briba, Carbanak, Cardinal RAT, Comnie, Derusbi, ELMER, Empire, FELIXROOT, FIN7, FIN8 , gh0st RAT, HARDRAIN, Hi-Zor, HOPLIGHT, KEYMARBLE, Lazarus Group, LOWBALL, Mis-Type, Misdat, MoonWind, Naid, Nidiran, Pasam, PlugX, PowerDuke, POWERTON, Proxysvc, RATANKBA, RedLeaves, S-Type, TEMP.Veles , Threat Group-3390, TrickBot, Tropic Trooper, TYPEFRAME, UBoatRAT

7777

GodMsg

445

WannaCry, Petya, Dragonfly 2.0

7789

 ICKiller

456

Hackers Paradise

8000

BADCALL, Comnie, Volgmer

555

Ini-Killer, Phase Zero, Stealth Spy

8012

Ptakks

666

Satanz Backdoor, Ripper

8080

Zeus, APT 37, Comnie, EvilGrab, FELIXROOT, FIN7, HTTPBrowser, Lazarus Group, Magic Hound, OceanSalt, S-Type, Shamoon, TYPEFRAME, Volgmer

1001

Silencer, WebEx

8443

FELIXROOT, Nidiran, TYPEFRAME

1011

Doly Trojan

8787/54321

 BackOfrice 2000

1026/
64666

RSM

9989

 iNi-Killer

1095-98

RAT

10048

Delf

1170

Psyber Stream Server, Voice

10100

Gift

1177

njRAT

10607

 Coma 1.0.9

1234

Ultors Trojan

11000

Senna Spy

1234/
12345

Valvo line

11223

 Progenic Trojan

1243

SubSeven 1.0 – 1.8

12223

 Hack´99 KeyLogger

1243/6711/6776/27374

Sub Seven

12345-46

 GabanBus, NetBus

1245

VooDoo Doll

12361, 12362

Whack-a-mole

1777

Java RAT, Agent.BTZ/ComRat, Adwind RAT

16969

Priority

1349

Back Office DLL

20001

Millennium

1492

FTP99CMP

20034/1120

NetBus 2.0, Beta-
NetBus 2.01

1433

Misdat

21544

GirlFriend 1.0, Beta-1.35

1600

Shivka-Burka

22222/
33333

Prosiak

1604

DarkComet RAT, Pandora RAT, HellSpy RAT

22222

Rux

1807

SpySender

23432


Asylum

1863

XtremeRAT

23456

Evil FTP, Ugly FTP

1981

Shockrave

25685

Moon Pie

1999

BackDoor 1.00-1.03

26274

Delta

2001

Trojan Cow

30100-02

NetSphere 1.27a

2115

Bugs

31337-38

Back Orifice/ Back Orifice 1.20 /Deep BO

2140

The Invasor

31338

DeepBO

2140/3150

DeepThroat

31339

NetSpy DK

2155

Illusion Mailer, Nirvana

31666

BOWhack

2801

Phineas Phucker

34324

BigGluck, TN

3129

Masters Paradise

40412

The Spy

3131

SubSari

40421-26

Masters Paradise

3150

The Invasor

47262

Delta

3389

RDP

50766

Fore

3700/9872-9875/10067/10167

Portal of Doom

53001

Remote Windows
Shutdown

4000

RA

54321

SchoolBus .69-1.11 /

4567

File Nail 1

61466

Telecommando

4590

ICQTrojan

65000

Devil

5000

Bubbel, SpyGate RAT, Punisher RAT