
Where can I find a regularly updated, downloadable list of TCP & UDP ports that are known to be commonly used by malware, trojans, etc.?

This is for import into an IT asset management system to help identify devices that might be in need of attention, security-wise.

Zek
  • Anything that isn't serious, enterprise-grade scanning such as Retina, Nessus, etc., is just a waste of time. – Ryan Ries Feb 03 '14 at 18:22
  • `ports that are known to be used by malware, trojans, etc.?` - ALL of them. – Zoredache Feb 03 '14 at 18:31
  • Identifying what ports are listening on all your devices and which ones might be suspicious is only the first step, from which you can launch Nessus scans, etc. against specific devices and ports of interest. There is a lot more data that I have not shared here; my question is simply about a downloadable list of TCP & UDP ports that are known to be used by malware, etc. – Zek Feb 03 '14 at 18:37

2 Answers


Such a list is not useful, as malware uses any and all IP ports for what they do. There are some specific bits of malware that use custom ports, which is a big part of why good security posture includes setting default-deny firewall rules for outbound connections. In response to this particular security posture, malware authors are putting things over HTTP, which is generally allowed outside of firewalled networks.

Such a list will only be useful for identifying a small subset of potentially infected computers.

sysadmin1138
  • I am aware that malware can use any and all ports, both outbound and inbound (and egress filters are of course a must). And of course it is difficult to detect malware using outbound port 80, etc., but there are a ton of more easily detected malware, worms, etc. out there that are using more unique ports. I am not saying that this list takes the place of other security measures - it is just another layer of security. – Zek Feb 03 '14 at 18:47

It would be much easier to match listening ports against known services. Anything else would be suspect. With few exceptions, services run on well-known ports. Others can usually be assigned fixed ports. In any given organization, the number of active services (ports) is usually much fewer than that which would be found in the services file. It should be possible to generate a list of services that are used in the organization.

There are many ports that are used by both malware and legitimate software. A fair number of the lesser known ports I use show up as malware ports when I research them.

Scanning servers for listening ports (both externally and internally) and matching against expected services could be more effective.

BillThor
  • Yes, that sounds like a better approach! Especially since I know the type of device for each IP, I should be able to identify unusual ports based on device/server type. – Zek Feb 04 '14 at 03:03
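As an added example of the approach in this answer (not code from the answer or from any tool named in the thread), the script below takes a scan of listening sockets, looks up each host's device type in the asset inventory, and reports every port that is not in the expected-service baseline for that type. The baseline, the asset types and the scan output are all constructed for illustration; a host whose type is missing from the baseline has every listening port flagged, so unknown devices surface for review rather than being silently skipped.

```python
"""Flag listening ports that are not expected for a host's device type.

Added example; the baseline, asset inventory and scan lines below are
constructed sample data, not real hosts or a real organisation's services.
"""
from collections import defaultdict

# Hypothetical baseline: the services each device type is expected to listen on.
# In practice this is generated from the organisation's own service inventory.
EXPECTED_PORTS = {
    "web-server": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "file-server": {("tcp", 22), ("tcp", 139), ("tcp", 445)},
    "workstation": {("tcp", 22)},
}

# Constructed asset inventory: device type per IP, as exported from an
# IT asset management system.
ASSET_TYPES = {
    "10.0.0.10": "web-server",
    "10.0.0.20": "file-server",
    "10.0.0.30": "workstation",
    "10.0.0.40": "unknown",  # no baseline for this type -> every port is flagged
}

# Constructed scan output, one listening socket per line: "host proto port".
SCAN_OUTPUT = """\
# host      proto port
10.0.0.10 tcp 22
10.0.0.10 tcp 80
10.0.0.10 tcp 443
10.0.0.10 tcp 2222
10.0.0.20 tcp 445
10.0.0.20 udp 137
10.0.0.30 tcp 22
10.0.0.30 tcp 6667
10.0.0.40 tcp 8080
"""


def parse_scan(text):
    """Parse 'host proto port' lines into {host: {(proto, port), ...}}.

    Blank lines and '#' comments are skipped; anything else malformed raises,
    because a silently dropped line would hide a listening service.
    """
    listening = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'host proto port', got {line!r}")
        host, proto, port_text = parts
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"line {lineno}: unknown protocol {proto!r}")
        port = int(port_text)
        if not 0 < port <= 65535:
            raise ValueError(f"line {lineno}: port {port} out of range")
        listening[host].add((proto, port))
    return dict(listening)


def find_unexpected(listening, asset_types, expected):
    """Return {host: sorted [(proto, port), ...]} for ports outside the baseline.

    A host whose device type has no baseline entry gets an empty baseline,
    so all of its listening ports are reported for review.
    """
    findings = {}
    for host, ports in sorted(listening.items()):
        device_type = asset_types.get(host, "unknown")
        baseline = expected.get(device_type, set())
        extra = ports - baseline
        if extra:
            findings[host] = sorted(extra)
    return findings


def main():
    listening = parse_scan(SCAN_OUTPUT)
    for host, ports in find_unexpected(listening, ASSET_TYPES, EXPECTED_PORTS).items():
        device_type = ASSET_TYPES.get(host, "unknown")
        shown = ", ".join(f"{proto}/{port}" for proto, port in ports)
        print(f"{host} ({device_type}): unexpected listening ports {shown}")


if __name__ == "__main__":
    main()
```

Running the script on the constructed data reports one extra port on each of the first three hosts and the single port on the untyped host. Feeding it real data is a matter of replacing `SCAN_OUTPUT` with the output of whatever port scanner or `ss`/`netstat` collection is already in use, reduced to the three-column form the parser expects.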