Trojan T9000 records your video, audio, chats, Microsoft Office files, and more.  Meanwhile, it’s undetectable to traditional anti-malware products, including: Norton, McAfee, Bitdefender, and Kaspersky.

How does T9000 avoid detection by all traditional antivirus and firewalls? What can be done to stop sophisticated trojans like T9000?

If you follow this story from beginning to end, you will discover a very surprising method to finally stop even the most sophisticated trojans once and for all.

How T9000 Sneaks Past Antivirus & Firewalls

The installer for the T9000 trojan comes attached to common document files (called RTF files).  When the document is opened, the trojan undergoes a sophisticated five-stage installation.  Here’s an excerpt of the first three steps to demonstrate how tricky this trojan is:

Stage 1: The installer scans the computer, looking for any one of 24 security products (including Norton, McAfee, Bitdefender, and Kaspersky).  The installer changes its behavior based on the security system installed, so that it can sneak the trojan inside.

Stage 2: The installer then uses a legitimate Windows program (igfxtray.exe) to load a small part of the trojan.  This small part determines the PC’s configuration; so that it can decide how to sneak the rest of the trojan onto the computer.

Stage 3: This stage depends on the security products identified in stage one, and the PC configuration identified in stage two.  For example:

If the PC is Windows 8 and the security is DoctorWeb then a specific registry key is set.

If the PC is Windows 8 and the security is not Kingsoft, Tencent, or DoctorWeb then two different registry keys are set.

And so on, and so on.

As stated above, the full five-stage installation involves even more sophisticated PC configuration and security checks; and once the trojan passes through all five stages, it’s fully loaded and running regardless of the antivirus and firewalls you are using.

T9000 Records Everything

Once running, the trojan splits itself into five separate processes.  Each process records a different part of your activity:

Process 1: This process takes a screenshot of your entire desktop. Then stores the screenshot with a simple encryption algorithm.

Process 2: This process waits until you are running specific applications (such as Notepad), and it will take a screen shot every 20 seconds for as long as you are using one of the targeted applications.

Process 3: This process specifically targets Skype; and it records all video, audio, and chat messages.

Process 4: This process looks on all your disk drives for every Microsoft document, Excel spreadsheet, and Powerpoint presentation.  It makes an encrypted copy of every one of these files and stores them in a directory (in order to send them all back to the hacker).

Process 5: This process makes a log of every file you create, copy, move, and delete.  The log file is encrypted, and stored in a directory (in order to send it back to the hacker).

T9000 basically records everything you do on your computer, and packs all this information up into an encrypted directory.  Meanwhile, all of this is happening regardless of the antivirus and firewalls you are using.

Hacker Deterrent vs T9000

Now that the trojan has a record of your entire digital life, it needs to transfer it into the hacker’s hands.  Here’s how T9000 does this: The trojan masquerades as being a very popular Windows process (explorer.exe), and it periodically delivers its recordings to the hacker by establishing an outbound connection to IP Address 198.55.120.143.

A traditional firewall merely concludes that explorer.exe (a reputable program) wants to access the internet; therefore the firewall allows it.  However, for those of you familiar with Hacker Deterrent, you will immediately realize that this attempted transfer is the trojan’s Achilles Heel.

Hacker Deterrent only allows traffic to the manufacturers of hardware/software you own.  For example:

  • Hacker Deterrent only allows Microsoft Word to talk to Microsoft.
  • Hacker Deterrent only allows Adobe Reader to talk to Adobe.
  • Hacker Deterrent only allows Techsmith’s Camtasia to talk to Techsmith.
  • And so on, and so on.

So how does such this novel approach deal with sophisticated trojans such as T9000?  Surprisingly effective:

  • Trojan T9000 needs to communicate with IP Address 198.55.120.143.
  • Since IP address 198.55.120.143 doesn’t belong to any of software/hardware manufacturers on the victim’s computer, Hacker Deterrent blocks it.

Despite all the sophisticated maneuvering to bypass antivirus and firewalls; despite all the encrypted recordings made by five separate processes; despite cloaking itself as a popular Windows program (explorer.exe); all of this comes to naught via Hacker Deterrent’s elegant method.

Only Hacker Deterrent offers the patented dynamic whitelisting security technology.  This is the technology you need for spyware such as Trojan T9000.  This is the technology you need to keep your digital life secure in an online world.  For more information on how Hacker Deterrent’s unique method stops other sophisticated trojans, see “Key to it All”.