Backtrace Keyloggers and RAT's

Now all keyloggers and RATs are sending data to the hacker in regular intervals (usually every 5 to 10 minutes) by using one of the two methods below:

1. Using the Emails: where hacker configures his email ID and password while creating
the server. Keylogger records the key strokes in a temp file and sends it to the hacker in form of emails. But this has a limit as most free email servers like Gmail or Yahoo or Hotmail has limit of 500 composed and received mails. So most hackers use the second method.
2. FTP server: While creating the keylogger server, hackers configure their FTP server, where they receive the logs of key strokes in the form of text file(usally labeled on the basis of current system time stamp). Hackers keylogger server uploads the files to FTP server after every few minutes interval.

If we monitor all data packages we can easily scan for one of these and then we'll have the hackers email info or FTP info. What can we do with this, you might ask; highly skilled hackers obviously won't allow this as they create a completely seperate email or FTP site which leaves no traces of them, but novice skilled hackers (there's plenty of those) will just use their own email or leaving behind information about them. An example could be that you find the name of the person from the email you backtraced - this ain't his primary email, so there's nothing valuable. From there you can look up his name on Google, you'll probably find his real email on some site; then simply try to login to it using the password from the fake email (most novice skilled hackers will have the same password).

Wireshark is a very famous network scanning hack tool which is used by hackers or network forensic experts to monitor the packet flow of their network cards like Ethernet or WLAN. It records each and every packet coming and going out of your system's Network card. Packets is just a bunch of data.

Whenever you feel anything suspicious in your system like your system is compromised or you are infected follow the steps below prior to removing the keylogger or RAT from your system.

Steps to reverse engeneering the email or FTP servers password:

1. First of all download and install Wireshark. You can easily get this simply by Googling it.
Note: While Wireshark is getting installed, ensure that it installs the Winpcap with it otherwise it won't work properly.

2. Now go to the "Capture"-button in the top menu of the Wireshark and select the interface (means your network card which can be Ethernet or WLAN).

3. It will now start capturing the packets through that Network card. What you have to do is just keep capturing the records for atleast 30 minutes for getting the best results. After x time, stop capturing the packets.

4. Now you need to filter your results, for this go to the filter box and type FTP and SMTP one by one. Note: if you get records for FTP then hacker has used FTP server and if you didn't get FTP that means the hacker has used SMTP, so give SMTP in Filter box.

5. As you scroll down you will find the “FTP username” and “Password” for victims ftp account in case FTP server is used. And if hacker has used SMTP then you will find "email address" and its "password" that hacker has used to create the server.