Scenario
Zechariah works for an Insurance firm. Though being a top performer for his branch, he never got credit from his Manager, Ron. Ron was biased to a particular sect of employees. On Ron's birthday all employees including Zechariah greeted him. Zechariah personally went to greet Ron and asked him to check his email as a birthday surprise was awaiting him! Zechariah had planned something for Ron.
Unaware of Zechariah's evil intention, Ron opens the bday.zip file.
Ron extracts the contents of the file, runs bday.exe and enjoys the flash greeting card.
Zechariah had Ron infect his own computer with a Remote Control Trojan.
What harm can Zechariah do to Ron?
Module Objective
This module will familiarize you with:
• Trojans
• Overt & Covert Channels
• Types of Trojans and how Trojans work
• Indications of Trojan attack
• Different Trojans used in the wild
• Tools for sending Trojans
• Wrappers
• ICMP Tunneling
• Constructing a Trojan horse using a Construction Kit
• Tools for detecting Trojans
• Anti-Trojans
Module Flow
Trojans → Channels → Working of a Trojan → Indications of Trojan Attack → Different Trojans → Tools to Send Trojans → ICMP Tunneling → Trojan Construction Kit → Wrappers → Anti-Trojan Countermeasures → Anti-Trojan Tools to Detect Trojans
Introduction
Malicious users are always on the prowl to sneak into networks and create trouble
Trojan attacks have affected several businesses around the globe
In most cases, it is the absent-minded user who invites trouble by downloading files or being careless about security aspects
This module covers different Trojans, the way they attack, and the tools used to send them across the network
What is a Trojan
A Trojan is a small program that runs hidden on an infected computer
With the help of a Trojan, an attacker gets access to stored passwords on the Trojaned computer and would be able to read personal documents, delete files, display pictures, and/or show messages on the screen
Overt and Covert Channels
Overt Channel: A legitimate communication path within a computer system, or network, for transfer of data
Covert Channel: A channel that transfers information within a computer system, or network, in a way that violates security policy
An overt channel can be exploited to create the presence of a covert channel by carefully choosing components of the overt channel that are idle or not related
The simplest form of covert channel is a Trojan
Working of Trojans
An attacker gets access to the Trojaned system as the system goes online
Different Types of Trojans
Remote Access Trojans
Data-Sending Trojans
Destructive Trojans
What Do Trojan Creators Look For
Credit card information
Account data (email addresses, passwords, user names, and so on)
Confidential documents
Financial data (bank account numbers, social security numbers, insurance information, and so on)
Calendar information concerning the victim's whereabouts
Using the victim's computer for illegal purposes, such as to hack, scan, flood, or infiltrate other machines on the network or Internet
Different Ways a Trojan Can Get into a System
Instant Messenger applications
IRC (Internet Relay Chat)
Attachments
Physical access
Browser and email software bugs
NetBIOS (File Sharing)
Fake programs
Untrusted sites and freeware software
Downloading files, games, and screensavers from Internet sites
Indications of a Trojan Attack
CD-ROM drawer opens and closes by itself
Computer screen flips upside down or inverts
Wallpaper or background settings change by themselves
Documents or messages print from the printer by themselves
Computer browser goes to a strange or unknown web page by itself
Windows color settings change by themselves
Right and left mouse buttons reverse their functions
Mouse pointer disappears
Mouse pointer moves and functions by itself
Windows Start button disappears
Strange chat boxes appear on the victim's computer
People chatting with the victim know too much personal information about him or his computer
The computer shuts down and powers off by itself
The taskbar disappears
The account passwords are changed or unauthorized persons can access legitimate accounts
Strange purchase statements appear in the credit card bills
The computer monitor turns itself off and on
Modem dials and connects to the Internet by itself
Ctrl+Alt+Del stops working
Ports Used by Trojans
Trojan            Protocol   Port(s)
GirlFriend        TCP        21544
Masters Paradise  TCP        3129, 40421, 40422
How to Determine which Ports are "Listening"
Go to Start → Run → cmd
Trojan: iCmd
iCmd works like tini.exe but accepts multiple connections and you can set a password
Window1: Type icmd.exe 54 jason
Window2: Type telnet <IP add> 54
MoSucker Trojan
MoSucker is a Trojan that enables an attacker to get nearly complete control over an infected PC
When this program is executed, get remote access on the infected
Proxy Server Trojan
This tool, when infected, starts a hidden proxy server on the victim's computer
Thousands of machines on the Internet are infected with the
SARS Trojan Notification
SARS Trojan notification sends the location of the victim's IP address to the attacker
Whenever the victim's computer connects to the Internet, the attacker receives the notification
Notification types:
• SIN Notification: Directly notifies the attacker's server
• ICQ Notification: Notifies the attacker using ICQ channels
• Email Notification: Sends the notification through email
[Diagram: victims infected with Trojans notify the attacker]
Wrappers
How does an attacker get a Trojan installed on the victim's computer? Answer: Using wrappers
A wrapper attaches a given EXE application (such as games or office applications) to the Trojan executable
The two programs are wrapped together into a single file. When the user runs the wrapped EXE, it first installs the Trojan in the background and then runs the wrapped application in the foreground
The user only sees the latter application
Example: Chess.exe (90 k) + Trojan.exe (20 k) → wrapped Chess.exe (110 k)
Wrapper Covert Program
Graffiti.exe is an example of a legitimate file that can be used to drop the Trojan into the target system
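Simple binders of the kind described above often leave the bundled payload after the end of the last PE section (the "overlay"), which is one reason a wrapped Chess.exe grows from 90 k to 110 k. The following is an added example written for this page, not a tool from the module: it parses the PE section table and measures the overlay of two constructed minimal PE images. The helper names (overlay_size, build_demo_pe), the placeholder payload and the section layout are assumptions for the demo. A non-zero overlay is only a heuristic: installers and Authenticode-signed binaries legitimately carry overlay data, so treat a hit as a reason to compare the file against a known-good copy, not as proof of wrapping.

```python
import struct

PE32_OPTIONAL_HEADER_SIZE = 0xE0
SECTION_HEADER_SIZE = 40


def overlay_size(image: bytes) -> int:
    """Return the number of bytes lying after the last section's raw data.

    A binder that appends its payload to a host program leaves that payload
    in the overlay. Signed binaries and installers are known exceptions
    (the Authenticode signature and setup archives live there too).
    """
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_offset = struct.unpack_from("<I", image, 0x3C)[0]        # e_lfanew
    if image[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_offset + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_offset + 20)[0]
    table = pe_offset + 24 + opt_size                             # first section header
    end_of_sections = 0
    for i in range(num_sections):
        hdr = table + SECTION_HEADER_SIZE * i
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return max(0, len(image) - end_of_sections)


def build_demo_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image with one .text section (not runnable code)."""
    e_lfanew = 0x40
    dos_header = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, PE32_OPTIONAL_HEADER_SIZE, 0x0102)
    optional = bytes(PE32_OPTIONAL_HEADER_SIZE)                   # zeroed; not needed for the check
    raw_ptr = e_lfanew + 4 + 20 + PE32_OPTIONAL_HEADER_SIZE + SECTION_HEADER_SIZE
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
    # NumberOfLinenumbers, Characteristics
    section = struct.pack(
        "<8sIIIIIIHHI",
        b".text", len(section_data), 0x1000, len(section_data), raw_ptr,
        0, 0, 0, 0, 0x60000020,
    )
    return bytes(dos_header) + b"PE\0\0" + coff + optional + section + section_data + overlay


# Constructed samples: a "clean" host program and the same host with a
# placeholder payload appended the way a simple binder would do it.
CLEAN_HOST = build_demo_pe(b"\x90" * 64)
APPENDED_PAYLOAD = b"PLACEHOLDER-APPENDED-PAYLOAD-" * 4
WRAPPED_HOST = build_demo_pe(b"\x90" * 64, APPENDED_PAYLOAD)


def check_file(path: str, threshold: int = 0) -> dict:
    """Report the overlay size of a file on disk; threshold tunes the verdict."""
    with open(path, "rb") as f:
        size = overlay_size(f.read())
    return {"path": path, "overlay_bytes": size, "flag": size > threshold}


if __name__ == "__main__":
    print("clean host overlay bytes:", overlay_size(CLEAN_HOST))
    print("wrapped host overlay bytes:", overlay_size(WRAPPED_HOST))
```

In practice you would run check_file over the suspect executable and compare the result with the vendor's original; the size difference the module's Chess.exe figure shows is exactly what the overlay measurement exposes.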
Wrapping Tools
One file EXE Maker
• Combines two or more files into a single file
• Compiles the selected list of files into one host file
• You can provide command line arguments
• It decompresses and executes the source program
Yet Another Binder
• Customizable options
• Supports Windows platforms
• Also known as YAB
One Exe Maker / YAB / Pretator Wrappers
Packaging Tool: WordPad
You can insert an OLE object (example: EXE files) into a WordPad document and change the following using the built-in package editor:
RemoteByMail
Remote control a computer by sending email messages
It can retrieve files or folders by sending commands through email
It is an easier and more secure way of accessing files or executing programs
[Diagram: attacker mails "Send me c:\creditcard.txt file"; victim machine asks "Any commands for me?"; "Here is the file attached"; file sent to the attacker]
Tool: Icon Plus
Icon Plus is a conversion program for translating icons between various formats
An attacker can use this kind of application to disguise his malicious code or Trojan so that users are
Defacing Application: Restorator
Restorator is a versatile skin editor for any Win32 program that changes images, icons, text, sounds, videos, dialogs, menus, and other parts of the user interface
User-styled Custom Applications (UCA) can be created by using this software
Restorator has many built-in tools
Powerful find-and-grab functions let the user retrieve resources from all files on their disks
Tetris
Games like Tetris, chess, and solitaire are perfect carriers for Trojans
It is easy to send by email
HTTP Trojans
The attacker must install a simple Trojan program on a machine in the internal network, the Reverse WWW shell server
Reverse WWW shell allows an attacker to access a machine on the internal network from the outside
On a regular basis, usually 60 seconds, the internal server will try to access the external master system to pick up commands
If the attacker has typed something into the master system, this command is retrieved and executed on the internal system
Reverse WWW shell uses standard HTTP protocol
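The fixed 60-second polling described above is the detectable property of a Reverse WWW shell: from the network side it is an internal host that contacts one external site at an almost constant interval. The following is an added example, not from the module, that runs a beacon check over a constructed proxy log excerpt. The log format ("ISO time, client IP, destination host"), the host names and the thresholds (at least four requests, coefficient of variation of the gaps at most 0.1) are assumptions for the demo; real proxies need a field mapping, and genuine software updaters also poll on a schedule, so hits are leads to triage, not verdicts.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt (not from the module): "<ISO time> <client> <destination host>".
# 10.0.0.5 polls one external host every ~60 s; 10.0.0.7 browses at irregular intervals.
SAMPLE_PROXY_LOG = """\
2024-01-10T09:00:00 10.0.0.5 master.example.net
2024-01-10T09:00:12 10.0.0.7 news.example.org
2024-01-10T09:01:00 10.0.0.5 master.example.net
2024-01-10T09:01:35 10.0.0.7 news.example.org
2024-01-10T09:02:00 10.0.0.5 master.example.net
2024-01-10T09:02:50 10.0.0.7 news.example.org
2024-01-10T09:03:01 10.0.0.5 master.example.net
2024-01-10T09:04:00 10.0.0.5 master.example.net
2024-01-10T09:05:20 10.0.0.7 news.example.org
"""


def parse_proxy_log(text: str) -> dict:
    """Group request timestamps by (client, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, dest = line.split()
        events[(client, dest)].append(datetime.fromisoformat(stamp))
    return events


def find_beacons(text: str, min_requests: int = 4, max_cv: float = 0.1) -> list:
    """Flag client/destination pairs whose inter-request gaps are almost constant.

    cv is the coefficient of variation (stdev / mean) of the gaps: a polling
    backdoor produces a cv near 0, human browsing a cv well above 0.1.
    """
    hits = []
    for (client, dest), stamps in parse_proxy_log(text).items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits.append({"client": client, "dest": dest, "requests": len(stamps),
                         "period_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print("possible beacon:", hit)
```

The 10.0.0.7 browsing pattern has gaps of 83, 75 and 150 seconds (cv about 0.33) and is ignored; the 10.0.0.5 pattern has gaps of 60, 60, 61 and 59 seconds (cv about 0.01) and is reported with its 60-second period.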
Trojan Attack through HTTP
[Diagram: the victim clicks a file to download; the Trojan attacks through an HTTP request across the Internet]
HTTP Trojan (HTTP RAT)
Infect victim's computer with
SH TTPD is a sm all H TTP Server that can easily be em bedded in side an y program
C++ Source code is provided
Even though shttpd is NOT a trojan it can easily be wrapped with a chess exe an d turn a Even though shttpd is NOT a trojan, it can easily be wrapped with a chess.exe an d turn a com puter in to an in visible Web Server
shttpd Trojan from http:/ / www.eccoun cil.org/ cehtools/ shttpd.zip id dowm loaded
In fect the Victim com puter with J OUST.EXE
Shttpd should be run n in g in the backgroun d
listen in g on port 443 (SSL)
N ll Fi ll ll
Attacker
Norm ally Firewall allows you through port 443
Con n ect to the victim usin g Web Browser
Reverse Connecting Trojans
1. Infect (Rebecca's) computer with server.exe and plant the Reverse Connecting Trojan
2. The Trojan connects to Port 80 to the Hacker in Russia, establishing a reverse connection
Yuri, the Hacker, has complete control
Nuclear RAT Trojan (Reverse Connecting)
Tool: BadLuck Destructive Trojan
This is a dangerous and destructive tool
When executed, this tool destroys the operating system
The user will not be able to use the operating system after the machine has been infected by the Trojan
ICMP Tunneling
Covert channels are methods in which an attacker can hide the data in a protocol that is undetectable
Covert channels rely on techniques called tunneling, which allow one protocol to be carried over another protocol
ICMP Backdoor Trojan
ICMP Server command: icmpsrv -install
ICMP Client command: icmpsend <victim IP>
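ICMP tunnels of the kind described in the ICMP Tunneling and ICMP Backdoor slides above have to carry their data somewhere, and the only place in an echo packet is the payload. Ordinary ping clients fill that payload with a fixed pattern, so a defender can flag echo packets whose payload is not one of those patterns, is unusually large, or reads as text. The following is an added example written for this page, not a tool from the module: it builds a small constructed capture of ICMP echo packets (with correct RFC 1071 checksums) and classifies each one. The pattern constants are the ones Windows and Linux ping use by default; the size and printable-text thresholds are assumptions, and a real deployment would read packets from a capture file rather than constructing them.

```python
import struct

WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32-byte payload sent by Windows ping
LINUX_PING_PATTERN = bytes(range(0x10, 0x40))              # bytes after the 8-byte timestamp in Linux ping


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1, icmp_type: int = 8) -> bytes:
    """Construct an ICMP echo request (type 8) or reply (type 0) carrying payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def looks_like_standard_ping(payload: bytes) -> bool:
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) == 56 and payload[8:] == LINUX_PING_PATTERN


def classify_icmp(packet: bytes) -> dict:
    """Label one ICMP packet as benign, suspicious, or ignored (not an echo)."""
    icmp_type, _code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    reasons = []
    if icmp_checksum(packet) != 0:            # a valid packet sums to zero including its checksum
        reasons.append("bad checksum")
    if icmp_type not in (0, 8):
        return {"type": icmp_type, "verdict": "ignored", "reasons": reasons}
    if not looks_like_standard_ping(payload):
        reasons.append("payload is not a standard ping pattern")
        printable = sum(32 <= b < 127 for b in payload)
        if payload and printable / len(payload) > 0.9:
            reasons.append("payload is mostly printable text")
    if len(payload) > 64:
        reasons.append("oversized payload (%d bytes)" % len(payload))
    return {"type": icmp_type, "verdict": "suspicious" if reasons else "benign", "reasons": reasons}


# Constructed capture: a Windows ping, a Linux ping reply, a text-carrying echo
# (the kind of traffic a shell-over-ICMP tool produces) and a bulk-sized echo.
SAMPLE_CAPTURE = [
    build_echo(WINDOWS_PING_PAYLOAD),
    build_echo(b"\x00" * 8 + LINUX_PING_PATTERN, icmp_type=0),
    build_echo(b"status: idle, awaiting instructions"),
    build_echo(bytes(range(256)) * 2, seq=2),
]


def suspicious_fraction(packets: list) -> float:
    """Share of echo packets in a capture that were flagged; a quick per-host indicator."""
    verdicts = [classify_icmp(p)["verdict"] for p in packets]
    echo = [v for v in verdicts if v != "ignored"]
    return sum(v == "suspicious" for v in echo) / len(echo) if echo else 0.0


if __name__ == "__main__":
    for packet in SAMPLE_CAPTURE:
        print(classify_icmp(packet))
    print("suspicious fraction:", suspicious_fraction(SAMPLE_CAPTURE))
```

The checksum check matters for forensics as well: tools that stuff data into echo packets usually recompute it correctly, but a packet that fails it was either corrupted or crafted by something that did not bother, and either way deserves a look.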
Backdoor.Theef (AVP)
Using this Trojan, the server opens various ports on the victim's machine (e.g. ports 69, 4700, 13500 and 2800)
Once compromised, the hacker can perform many functions on the victim's machine, rendering it completely vulnerable
A brief list of the functions available:
• File system: upload/download, execute, etc.
• Registry: full editing
• System: force shutdown, disable mouse/keyboard, shutdown firewalls/AV software, set user name etc. (plus lots more)
• Spy: start/stop keylogger, grab logged data
• Machine Info: Email/dialup/user details - options to retrieve or set for all
Backdoor.Theef (AVP): Screenshot
T2W (Trojan To Worm)
Biorante RAT
Features:
Highlighted connection list if webcam is detected
Online Keylogger
Screen Capture - PNG compression
Webcam Capture - PNG compression
Computer information with customizable script
Uses only 1 port
DownTroj
DownTroj is a Trojan horse with the following features:
• Remote messagebox
• Remote info
• Remote file browser (+ download, upload, delete, make/del dir)
• Remote shell
• Remote task manager (+ start/kill)
• Remote keylogger
• Remotely reboot or shutdown system
• Reverse connection (bypasses routers)
Coded in C/C++ and also has:
• More victims at the same time
• Unlimited number of hosts/ports to connect to
• Installing into a location where it is impossible to access with Windows Explorer
Turkojan
Turkojan can get
Trojan.Satellite-RAT
Yakoza
Added to Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
Old data: Explorer.exe
DarkLabel B4
Trojan.Hav-Rat
Hav-Rat uses reverse connection, so there is no need for opening ports on the target/user
Poison Ivy
PI is a reverse connection, forward remote administration tool, written in masm (server) and Delphi (client)
PI does not use any plugins/dlls or any other files besides the server and does not drop any other files on
Rapid Hacker
Rapid Hacker can hack / crack / bypass waiting limit at
SharK
SharK uses the RC4 cipher to encrypt the traffic
Keylogger works with WH_KEYBOARD_LL hooks
Manipulate running processes, windows, and services from the remote console
Interactive process blacklisting, which alerts the attacker if the blacklisted process is found on the victim's machine and prompts the attacker to take action
TYO
OD Client
Features:
• Remote Web Downloader (Main Function)
• Downloads and executes a file from the Internet remotely
Windows XP & Windows Server Rooting (Remote desktop)
• Adds an admin user to the host and allows for remote desktop connection
• Username: xplorer
• Password: l3vel69
Remove Server
• Uninstalls the server from the host
Shutdown Server
AceRat
Features:
• Shutoff, Log Off Victim's PC
• Full functioning and interactive File Manager
• Send Error Msg's
• System Info
• Change Wallpaper, System
RubyRAT Public
Features:
• Get Basic Computer Information
• Execute Command (Sends back output!)
• Terminal Server (Remote Desktop) enabler/disabler
• File Browser with File Upload/Download/Execute/File Info
• List/Kill Processes
ConsoleDevil
ConsoleDevil is a small RAT (Remote Administration Tool) that allows you to take control over a remote computer's Windows console (command prompt) from where you can do almost everything such as pinging servers, browse
ZombieRat
ZombieRat is made in Delphi 2005
Features:
FTP Trojan - TinyFTPD
TinyFTPD is a simple FTP Trojan which supports most of the standard FTPD commands
An IP can login 8 times simultaneously
Usage:
VNC Trojan
VNC Trojan starts a VNC Server daemon in the background when infected
It connects to the victim using any VNC viewer with the password "secret"
Webcam Trojan
Webcam Trojan provides an attacker with the capability
Troya
Troya is a remote Trojan without Client, for controlling another PC from your PC
It is a web-based Trojan
ProRat
Activation Key:
• User: mohdjase1
Dark Girl
Remote Access
DaCryptic
Functions:
• Registry access
• File
Trojan: PokerStealer.A
PokerStealer.A is a Trojan that heavily relies on social engineering
It comes with the filename PokerGame.app as a 65 KB Zip archive; unzipped, it is 180 KB
When it runs, it activates ssh on the infected machine, then sends the user name and password hash, along with the IP address of the Mac, to a specified e-mail address with the subject "Howdy"
It asks for an administrator's password after displaying a dialog saying, "A corrupt preference file has been detected and must be repaired"
Trojan: Hovdy.a
Hovdy.a is an exploit for the recently revealed and unpatched privilege escalation bug in Apple Remote Desktop
It asks for an administrator's password by displaying a dialog saying, "A corrupt preference file has been detected and must be repaired"
It gathers the username, password and IP address from the infected system and sends it to the server
Classic Trojans Found in the Wild
Warning
These are classic outdated tools and are presented here for proof of concept (You will not be able to find the source code for these tools on the Internet). They are presented in this module so that you are encouraged to view the source code of these tools to understand the attack engineering behind them
Back Orifice 2000
Donald Dick
Let me rule
Trojan: Tini
Tini is a tiny Trojan program that is only 3 kb and programmed in assembly language. It takes minimal bandwidth to get on a victim's computer and it takes a small amount of disk space
Tini only listens on port 7777 and runs a command prompt when someone attaches to this port. The port number is fixed and cannot be customized. This makes it easier for a victim system to detect by scanning for port 7777
From a tini client, the attacker can telnet to the tini server at port 7777
Trojan: NetBus
NetBus is a Win32-based Trojan program
Like Back Orifice, NetBus allows a remote user to access and control the victim's machine by way of its Internet link
It was written by a Swedish programmer named Carl-Fredrik Neikter, in March 1998
This virus is also known as Backdoor.Netbus
Trojan: Netcat
Netcat is called the "swiss-army knife" of networking tools
Provides a basic TCP/UDP networking subsystem that allows users to interact manually or via script with network applications
Outbound or inbound connections, TCP or UDP, to or from any ports
Built-in port-scanning capabilities with randomizer
Built-in loose source-routing capability
Netcat Client/Server
[Diagram: the Netcat client connects to the Netcat server; the server pushes a "shell" to the client]
Trojan: Beast
Beast is a powerful Remote Administration Tool (AKA Trojan) built with Delphi 7
One of the distinct features of the Beast is that it is an all-in-one Trojan (client, server, and server editor are stored in the same application)
An important feature of the server is that it uses injecting technology
Hacking Tool: Loki (www.phrack.com)
Loki was written by daemon9 to provide shell access over ICMP, making it much more difficult to detect than TCP- or UDP-based backdoors
Loki Countermeasures
Configure the firewall to block ICMP or limit the allowable IPs for incoming and outgoing echo packets
Blocking ICMP will disable the ping request and may cause an inconvenience to users
Be careful while deciding on security versus convenience
Loki also has the option to run over UDP port 53
Atelier Web Remote Commander
Access to the remote computer desktop
Local files can be uploaded to the remote system
Files can be remotely zipped or unzipped
Trojan Horse Construction Kit
Trojan Horse construction kits help hackers to construct Trojan horses of their choice
The tools in these kits can be dangerous and can backfire if not executed properly
Some of the Trojan kits available in the wild are as follows:
• The Trojan Horse Construction Kit v2.0
How to Detect Trojans
Scan for suspicious open ports using tools such as:
• Netstat
• Fport
• TCPView
Scan for suspicious running processes using:
• Process Viewer
• What's on my computer
• Insider
Scan for suspicious registry entries using the following tools:
• What's running on my computer
• MS Config
Scan for suspicious network activities:
Tool: Netstat
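The first detection step above, scanning for suspicious open ports, is easy to automate against the port table this module gives earlier (GirlFriend, Masters Paradise) and the fixed ports it names for Tini, QAZ and Backdoor.Theef. The following is an added example, not a tool from the module: it parses the Windows `netstat -ano` table (the PID column is optional, so plain `netstat -an` output parses too) and reports listening sockets on those ports together with the owning PID. The netstat excerpt is constructed, and the port table is only what this page lists; a port match is a lead that must be confirmed by mapping the PID to its executable with fport or TCPView, since any program can be bound to any port.

```python
# Port-to-Trojan table compiled from this module's own slides (GirlFriend,
# Masters Paradise, Tini, QAZ, Backdoor.Theef); extend it from a current feed.
KNOWN_TROJAN_PORTS = {
    21544: "GirlFriend",
    3129: "Masters Paradise", 40421: "Masters Paradise", 40422: "Masters Paradise",
    7777: "Tini",
    7597: "QAZ",
    2800: "Backdoor.Theef", 4700: "Backdoor.Theef", 13500: "Backdoor.Theef",
}

# Constructed 'netstat -ano' output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       1532
  TCP    10.0.0.5:49703         203.0.113.10:443       ESTABLISHED     2210
  TCP    10.0.0.5:21544         0.0.0.0:0              LISTENING       1788
  TCP    [::]:135               [::]:0                 LISTENING       900
  UDP    0.0.0.0:500            *:*                                    1104
"""


def parse_netstat(text: str) -> list:
    """Parse the Windows netstat table into dicts; the PID column may be absent."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue                                   # banner, header or blank line
        host, _, port = fields[1].rpartition(":")      # rpartition keeps IPv6 "[::]" intact
        if fields[0] == "TCP":
            state = fields[3] if len(fields) > 3 else ""
            pid = int(fields[4]) if len(fields) > 4 else None
        else:                                          # UDP rows have no State column
            state = ""
            pid = int(fields[3]) if len(fields) > 3 else None
        rows.append({"proto": fields[0], "local_host": host, "local_port": int(port),
                     "foreign": fields[2], "state": state, "pid": pid})
    return rows


def suspicious_listeners(text: str) -> list:
    """Return (port, trojan name, pid) for listening sockets on known Trojan ports."""
    hits = []
    for row in parse_netstat(text):
        if row["proto"] == "TCP" and row["state"] != "LISTENING":
            continue
        name = KNOWN_TROJAN_PORTS.get(row["local_port"])
        if name:
            hits.append((row["local_port"], name, row["pid"]))
    return hits


if __name__ == "__main__":
    for port, name, pid in suspicious_listeners(SAMPLE_NETSTAT):
        print("port %d listening (PID %s): matches %s" % (port, pid, name))
```

On a live Windows host, pipe `netstat -ano` into the parser and follow each hit with `tasklist /fi "PID eq <pid>"` to see the process name before drawing conclusions.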
Tool: fPort
fport reports all open TCP/IP and UDP ports, and maps them to the owning application
fport can be used to quickly identify unknown open ports and their associated
Tool: TCPView
TCPView is a Windows program that will show the detailed listings
CurrPorts Tool
CurrPorts allows you to view a list of ports that are currently in use and the application that is using it
You can close a selected connection and also terminate the process using it, and export all or selected items to an HTML or text report
Tool: Process Viewer
PrcView is a process viewer utility that displays detailed information about processes running under Windows
PrcView comes with a command line version that allows the user to write scripts to check if a process is running, to kill it, and so on
Delete Suspicious Device Drivers
Check for kernel-based device drivers and remove the suspicious "sys" files
Sometimes, the file is locked when the system is running; boot the system in safe mode and delete the file
If still "access denied," then boot the system in console mode and delete them
View the loaded drivers by going to Start → All Programs → Accessories → System Tools
Check for Running Processes: What's on My Computer
It provides additional information about any file, folder, or program running on your computer
Allows search of information on the web
Keeps out viruses and Trojans
Super System Helper Tool
The key features of the tool are as follows:
• It takes complete control over all running processes
• It shows all open ports and processes, and manages start-up applications and Browser Helper Objects (BHO)
• It tweaks and optimizes Windows
• It schedules a computer to shut down at a specified time
This tool does a good job
Inzider - Tracks Processes and Ports
http://ntsecurity.nu/cgi-bin/download/inzider.exe.pl
This is a useful tool that lists processes in the Windows system and the ports each one listens on
Tool: What's Running
Tool: MSConfig
Microsoft System Configuration Utility or MSCONFIG is a tool used to troubleshoot problems with your computer
Check for Trojan startup entries
Tool: Registry - What's Running
Tool: Autoruns
Tool: HijackThis (System Checker)
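The startup-entry check that MSConfig and Autoruns do by hand can be scripted against a registry export, which also lets you diff a host against a clean baseline. The following is an added example written for this page, not a tool from the module: it parses a `.reg` text export (the format `reg export` writes), flags a Winlogon "Shell" value that is anything other than explorer.exe (the Yakoza modification described earlier, where the old data was Explorer.exe), and flags Run-key entries whose executable lives outside the Windows and Program Files directories, which is where the scenario's bday.exe would land. The export text, the PLACEHOLDER_TROJAN.exe name and the trusted-directory list are constructed assumptions; a real audit should also cover RunOnce, the Winlogon "Userinit" value and per-user keys.

```python
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# Directories an autostart executable is normally expected to live in (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed .reg export (not from a real machine): the Shell value has been
# extended the way the Yakoza slide describes, and a Run entry points at a
# Trojan dropped in a user's Temp directory.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, C:\\Users\\Public\\PLACEHOLDER_TROJAN.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
"bday"="C:\\Users\\Ron\\AppData\\Local\\Temp\\bday.exe"
'''


def _unescape(value: str) -> str:
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes \"."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> dict:
    """Map each [key] to a dict of its REG_SZ values (other types kept raw)."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            entries[key][name.strip('"')] = data
    return entries


def executable_of(command: str) -> str:
    """Extract the program path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]


def load_reg_export(path: str) -> str:
    """reg.exe writes .reg files as UTF-16LE with a BOM; fall back to UTF-8."""
    with open(path, "rb") as f:
        data = f.read()
    return data.decode("utf-16") if data.startswith((b"\xff\xfe", b"\xfe\xff")) else data.decode("utf-8")


def audit_autostart(text: str) -> list:
    """Return (location, value) pairs that deviate from the expected autostart state."""
    findings = []
    reg = parse_reg_export(text)
    shell = reg.get(WINLOGON_KEY, {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("Winlogon\\Shell", shell))
    for key in RUN_KEYS:
        for name, command in reg.get(key, {}).items():
            if not executable_of(command).lower().startswith(TRUSTED_DIRS):
                findings.append(("Run\\" + name, command))
    return findings


if __name__ == "__main__":
    for location, value in audit_autostart(SAMPLE_REG_EXPORT):
        print("%s -> %s" % (location, value))
```

The trusted-directory rule is deliberately coarse: it catches the common case of a dropper running from Temp or AppData but will also flag legitimate per-user software, so review each hit rather than deleting it blindly.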
Anti-Trojan Software
There are many anti-Trojan software programs available from many vendors
Below is a list of some of the anti-Trojan software that is available for trial:
• Kerio Personal Firewall, 2.1.5
• Sub-Net
• TAVScan
• SpyBot Search & Destroy
• Anti Trojan
TrojanHunter
TrojanHunter is an advanced trojan scanner and toolbox that searches for and removes Trojans from your system
It uses several proven methods to find a wide variety of Trojans such as file scanning, port scanning, memory scanning, and registry scanning
Comodo BOClean
Comodo BOClean protects your computer against trojans, malware, and other threats
It constantly scans your system in the background and intercepts any recognized trojan activity
The program can ask the user what to do, or run in the unattended mode and automatically shut down and remove any suspected Trojan application
Features:
• Destroys malware and removes registry entries
• Does not require a reboot to remove all traces
• Disconnects the threat without disconnecting you
• Generates optional report and safe copy of evidence
Trojan Remover: XoftspySE
Xoftspy detects and removes all the spyware trying to install on your PC
It scans for more than 42,000 different Spyware and Adware parasites
It finds and removes threats including: Spyware, worms, hijackers, Adware, Malware, keyloggers, hacker tools, PC parasites, Trojan Horses, spy programs, and trackware
Trojan Remover: Spyware Doctor
Spyware Doctor is an adware and spyware removal utility that detects and cleans thousands of potential spyware, adware, trojans, keyloggers, spyware cookies, trackware, spybots, and other malware from your PC
This tool allows you to remove, ignore, or quarantine identified Spyware
It also has an OnGuard system to immunize and protect your system against privacy threats as you work
By performing a fast detection at Windows start-up, you will be alerted with a list of the identified potential
SPYWAREfighter
SPYWAREfighter is a powerful and reliable software that allows you to protect your PC against Spyware, Malware, and other unwanted software
It uses a security technology that protects Windows users from spyware and other potentially unwanted software
It reduces negative effects caused by spyware, including slow PC performance, annoying pop-ups, unwanted changes to Internet settings, and unauthorized use of your private information
Evading Anti-Virus Techniques
Never use Trojans from the wild (anti-virus can detect these easily)
Write your own Trojan and embed it into an application
• Convert an EXE to VB script
• Convert an EXE to a DOC file
• Convert an EXE to a PPT file
Change Trojan's syntax
Change the checksum
Change the content of the Trojan using a hex editor
Sample Code for Trojan Client/Server
Evading Anti-Trojan/Anti-Virus Using Stealth Tools
It is a program that helps to send Trojans or suspicious files that are undetectable to anti-virus software
Its features include adding bytes, bind, changing strings, creating
Backdoor Countermeasures
Most commercial anti-virus products can automatically scan and detect backdoor programs before they can cause damage (for example, before accessing a floppy, running an exe, or downloading mail)
An inexpensive tool called Cleaner (http://www.moosoft.com/cleaner.html) can identify and eradicate 1,000 types of backdoor programs and Trojans
Tool: Tripwire
Tripwire is a System Integrity Verifier (SIV)
It will automatically calculate cryptographic hashes of all key system files or any file that is to be monitored for modifications
It works by creating a baseline "snapshot" of the system
System File Verification
Windows 2000 introduced Windows File Protection (WFP), which protects system files that were installed by the Windows 2000 setup program from being overwritten
The hashes in this file could be compared with the SHA-1 hashes of the current system files to verify their integrity against the factory originals
MD5sum.exe
MD5sum.exe is an MD5 checksum utility
It takes an MD5 digital snapshot of system files
If you suspect a file is Trojaned, then compare the MD5 signature with the snapshot checksum
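The baseline "snapshot" idea behind Tripwire and MD5sum.exe above is small enough to show end to end. The following is an added example written for this page, not the code of either tool: it hashes every file under a directory, stores the result as JSON, and later reports files that were modified, removed or added. The demo runs in a temporary directory with constructed files; the "infection" step renames notepad.exe to note.com and drops a replacement, mirroring what this module later says the QAZ Trojan does. Two practitioner notes: the baseline must be taken on a known-clean system and kept where the Trojan cannot rewrite it (read-only media or another host), and SHA-256 is used by default because MD5 is no longer collision-resistant, though the function accepts "md5" if you need to compare against an old MD5 snapshot.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Hash one file in chunks so large system files are not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, algorithm: str = "sha256") -> dict:
    """Baseline 'snapshot': relative path -> digest for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p, algorithm)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as modified, missing or added relative to the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake system directory, then Trojan a file in it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fake_windows"
        (root / "system32").mkdir(parents=True)
        (root / "system32" / "notepad.exe").write_bytes(b"original notepad bytes")
        (root / "system32" / "kernel32.dll").write_bytes(b"original kernel32 bytes")

        # The baseline must come from a known-clean system and be stored where a
        # Trojan cannot rewrite it; a JSON document on read-only media is enough.
        stored_baseline = json.dumps(snapshot(root))

        # Simulated infection: the real Notepad is renamed and replaced by a
        # wrapped binary (the QAZ Trojan in this module renames Notepad to note.com).
        (root / "system32" / "notepad.exe").rename(root / "system32" / "note.com")
        (root / "system32" / "notepad.exe").write_bytes(b"wrapped notepad + payload")

        return compare(json.loads(stored_baseline), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real host, run snapshot over the directories you care about (the system directory, startup folders, your own application trees), write the JSON somewhere the host cannot modify, and schedule compare against a fresh snapshot; a file that appears in "modified" without a corresponding update is the signal the MD5sum.exe slide describes.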
Tool: Microsoft Windows Defender
Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software
It features Real-Time Protection, a monitoring system that
Microsoft Windows Defender: Screenshot
How to Avoid a Trojan Infection
Do not download blindly from people or sites that you are not 100% sure about
Even if the file comes from a friend, be sure what the file is before opening it
Do not use features in programs that automatically get or preview files
One should not be lulled into a false sense of security just because an anti-virus program is running in the system
Ensure that the corporate perimeter defenses are kept continuously up to date
Filter and scan all content at the perimeter defenses that could contain malicious content
Rigorously control user permissions within the desktop environment to prevent the installation of malicious applications
Manage local workstation file integrity through checksums, auditing, and port scanning
Monitor internal network traffic for odd ports or encrypted traffic
Use multiple virus scanners
What happened next
As Ron never cared for desktop security, he did not have the latest update of antivirus. Neither did he have a Trojan scanner nor a file integrity checker.
Zechariah had infected Ron's computer and was ready to do all kinds of assault which the infected Trojan supported.
Zechariah can do any of the following:
• Run a keylogger on Ron's system and retrieve all sensitive information
• Delete confidential files
• Rename files and change file extensions
Summary
Trojans are malicious pieces of code that carry cracker software to a target system
They are used primarily to gain and retain access on the target system
They often reside deep in the system and make registry changes that allow them to meet their purpose as a remote administration tool
Popular Trojans include Back Orifice, NetBus, SubSeven, and Beast
Trojan: Phatbot
Phatbot Trojan allows the attacker to have control over computers and link them into
It can steal Windows Product Keys, AOL logins and passwords, as well as CD keys of some famous games
Trojan: Amitis
Amitis has more than 400 ready-to-use options
It is the only Trojan that has a live update
The server copies itself to the Windows directory, so, even if the main file is deleted, the victim's computer is still infected
The server automatically sends the requested notification as soon as the victim gets online
Trojan: Senna Spy
Senna Spy Generator 2.0 is a Trojan generator that is able to create Visual Basic source code for a Trojan based on a few options
This Trojan is compiled from generated source code; anything could be changed in it
Source: http://sennaspy.cjb.net/
Trojan: QAZ
QAZ is a companion virus that can spread over the network
It also has a "backdoor" that will enable a remote user to connect to and control the victim's computer using port 7597
It may have originally been sent out by email
It renames Notepad to note.com
It modifies the registry key:
• HKLM\software\Microsoft\Windows\CurrentVersion\Run
Trojan: Back Orifice
Back Orifice (BO) is a remote Administration system that allows a user to control a computer across a TCP/IP connection using a simple console or GUI application
On a local LAN or across the Internet, BO gives its user more control of the remote Windows machine than the person at the keyboard of the remote machine
Back Orifice was created by a group of well-known hackers who call themselves the CULT OF THE DEAD COW
BO is small and entirely self-installing
Trojan: Back Orifice 2000
BO2K has stealth capabilities; it will not show up on the task list and runs completely in the hidden mode
Back Orifice accounts for the highest number of infestations on Microsoft computers
The BO2K server code is only 100 KB. The client program is 500 KB
Once installed on a victim's PC or server machine, BO2K
Back Orifice Plug-ins
BO2K's functionality can be extended using BO plug-ins
BOPeep (Complete remote control snap-in)
Encryption (Encrypts the data sent between the BO2K GUI and the server)
BOSOCK32 (Provides stealth capabilities by using ICMP instead of TCP/UDP)
Trojan: SubSeven
SubSeven is a Win32 Trojan
The credited author of this Trojan is Mobman
Its symptoms include slowing down the victim's computer and a constant stream of error messages
SubSeven is a Trojan virus most commonly spread through file
Trojan: CyberSpy Telnet Trojan
CyberSpy is a telnet Trojan, which means a client terminal is not necessary to get connected
It is written in VB and a little bit of C programming
It supports multiple clients
It has about 47 commands
It has ICQ, email, and IRC bot notification
Trojan: Subroot Telnet Trojan
Subroot Telnet Trojan is a telnet RAT (Remote Administration Tool)
It was written and tested in the Republic of South Africa
It has variants as follows:
Trojan: Let Me Rule! 2.0 BETA 9
It deletes all files in a specific directory
All types of files can be executed at the remote host
The new version has an enhanced registry explorer
Trojan: Donald Dick
Donald Dick is a tool that enables a user to control another computer over a network.
It uses a client server architecture with the server residing on the victim's computer
The attacker uses the client to send commands through TCP or SPX to the victim listening on a pre-defined port
Trojan: RECUB
RECUB (Remote Encrypted Callback Unix Backdoor) is a Windows port for a remote administration tool that can also be used as a backdoor on a Windows system
It bypasses a firewall by opening a new window of IE and then injecting code into it
It uses Netcat for remote shell
It empties all event logs after exiting the shell