Port 3505: CCM Communications — A Forgotten Registration and a Backdoor

What Port 3505 Is

Port 3505 sits in the registered ports range (1024–49151), the middle tier of the port numbering system. IANA assigned it the service name ccmcomm for "CCM Communications." What CCM Communications actually was or who requested the registration is largely lost to time — the registration exists in the IANA database with almost no supporting documentation, no associated RFC, and no software that publicly claims to use it.¹

This is more common than it sounds. The registered ports range contains thousands of assignments made over decades by organizations that have since changed, dissolved, or simply moved on. The registration remains; the software it named often doesn't.

The AutoSpY Trojan

The more documented history of port 3505 involves malware. The AutoSpY trojan (also catalogued as Backdoor.AntiSpy and Backdoor.AutoSpySimovits) used TCP port 3505 as its command-and-control channel. First observed in the early 2000s, AutoSpY was a remote access trojan — the kind of software that, once installed on a victim's machine, let an attacker control it remotely. The trojan would listen on port 3505, waiting for instructions from whoever planted it.²

AutoSpY is old. Modern antivirus tools catch it without effort. But its association with this port is why security platforms like Juniper's IPS still flag unexpected traffic on 3505 as a potential threat.³

This is a pattern throughout the port space: a legitimate service gets an assignment, doesn't achieve wide adoption, and then a piece of malware moves in — knowing that less-used ports attract less scrutiny.

What You'll Find Here Today

Almost certainly nothing, or something completely application-specific. Port 3505 has no active, widely-deployed service claiming it. Any modern software using this port is doing so by convention or convenience, not by following a standard.

How to Check What's Using It

If you see port 3505 open on a system and want to know why:

Linux / macOS:

# Show what process is listening on port 3505
ss -tlnp | grep 3505

# Or with lsof
sudo lsof -i :3505

Windows:

netstat -ano | findstr :3505

The process ID in the output can then be matched against Task Manager or tasklist to identify the owning application.

Why Unassigned and Lightly-Used Ports Matter

The registered port range exists to prevent collisions — two different applications claiming the same port number and confusing routers, firewalls, and administrators trying to make sense of their network traffic. When a registration goes dormant, it creates a kind of no-man's-land: the port isn't free, but nothing legitimate is using it. Malware and ad-hoc applications fill the vacuum.

Port 3505 is a small case study in how the port registry ages. Registrations were made. Software came and went. The number remained, carrying just enough history to make it worth a second look if you find it open.