A little more detail:
In order for computers connected to the internet to be able to communicate with each other, the transmission standard "TCP/IP" was designed. TCP/IP is a software protocol for formatting and transferring data within a network, such as the internet. One of the main advantages of TCP/IP is that it is not dependent on the computer's operating system, so transmissions between different operating systems are possible.
Each computer on the internet has an IP address (IP = Internet Protocol), which is similar in principle to a telephone number. However, unlike telephone numbers, IP addresses are restricted in their numerical range. An IP address has the format "###.###.###.###": four blocks of numbers separated by dots, where each block can only contain a value from 0 to 255. The IP address of the Emsisoft webserver, for example, is "80.237.191.14". Enter this into your web browser to see this in action.
By knowing the IP address in use, a program is therefore able to send data to another computer. But an essential factor has been left out: how does the receiving computer know which program should handle the data it receives? For this reason there is a system of port numbers, also known simply as ports. With each transmission of data, the data packet must contain the receiver's IP address and also the port number of the program responsible for handling it.
Imagine ports as a direct-dial extension in a phone system. You can reach, for example, a company under a specific telephone number (0123-45678). If you want to call a specific person in that company, you dial the main number plus the extension (0123-45678-90). If the extension does not exist, you simply won't get a connection. The same thing occurs if you try to connect to a computer on a port where no service is listening.
When you open the Emsisoft website with your browser, the data is always transmitted via port 80 (80.237.191.14:80). A complete data transfer always contains the IP address plus the required port number. This applies both to outgoing data (requests to the webserver) and to incoming data (data transmitted back from the website itself).
Port numbers can be any number from 0 to 65535. This range is split into three main categories:
- 0 to 1023 are "well-known ports", meaning they are reserved for special services like FTP (21), SMTP (25), HTTP (80), POP3 (110), etc.
- 1024 to 49151 are "registered ports", meaning they are registered for specific services.
- 49152 to 65535 are "dynamic and/or private ports", meaning that anyone can use these as required.
Port numbers are managed by the IANA (Internet Assigned Numbers Authority). The problem is that there is no control mechanism that can prevent a trojan from using port 80. If a trojan does use this port, a novice user could assume the program is a webserver, and may simply ignore the port.
Trojans are nothing more than programs that use a port to transmit data to an attacker. They hold a port open, e.g. port 31337. The attacker connects to the trojan and sends requests to perform a certain task, for example to take a screenshot. The trojan takes the screenshot and sends the image via the port to the attacker. On newer trojans, the port number is freely configurable, which makes identifying the trojan by its port number difficult.
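To tie together the address format described above, the three IANA port ranges, and the point that a port number such as 80 or 31337 does not by itself identify the program listening on it, here is an added example (not code from the original article or from Emsisoft) that parses and validates "ip:port" strings and classifies the port. The sample endpoints and the 192.0.2.x addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Well-known services named in the article (port -> conventional service).
WELL_KNOWN = {21: "FTP", 25: "SMTP", 80: "HTTP", 110: "POP3"}


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


def parse_endpoint(text: str) -> Endpoint:
    """Parse 'a.b.c.d:port', enforcing the ranges the article gives:
    four dotted blocks of 0..255 and a port number of 0..65535."""
    m = re.fullmatch(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}):(\d{1,5})", text.strip())
    if not m:
        raise ValueError(f"not an ip:port string: {text!r}")
    octets = [int(x) for x in m.groups()[:4]]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range 0-255 in {text!r}")
    port = int(m.group(5))
    if port > 65535:
        raise ValueError(f"port out of range 0-65535 in {text!r}")
    return Endpoint(".".join(str(o) for o in octets), port)


def port_category(port: int) -> str:
    """IANA range categories exactly as the article lists them."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic/private"
    raise ValueError(f"port {port} outside 0-65535")


def describe(text: str) -> str:
    """State what the port number alone does, and does not, tell you."""
    ep = parse_endpoint(text)
    cat = port_category(ep.port)
    service = WELL_KNOWN.get(ep.port)
    if service:
        # A well-known number is only a convention; any program may bind it.
        return f"{ep.ip}:{ep.port} {cat} port, conventionally {service}; verify which program is listening"
    return f"{ep.ip}:{ep.port} {cat} port, no well-known service; identify the program holding it open"


# Constructed sample endpoints, not real observations.
SAMPLES = ["80.237.191.14:80", "192.0.2.10:31337", "192.0.2.10:50000"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(describe(s))
```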
But how can a port be closed? The quick answer: close the program holding the port open. There are also more advanced methods for preventing communication over specific ports. Read more about this in the next article:
Have a Great (Malware-Free) Day!