CEHv6 Module 08 Trojans and Backdoors pdf pdf

Academic year: 2019


Scenario

Zechariah works for an insurance firm. Though being a top performer for his branch, he never got credit from his manager, Ron. Ron was biased towards a particular sect of employees. On Ron's birthday all employees, including Zechariah, greeted him. Zechariah personally went to greet Ron and asked him to check his email, as a birthday surprise was awaiting him! Zechariah had planned something for Ron.

Unaware of Zechariah's evil intention, Ron opens the bday.zip file. Ron extracts the contents of the file, runs bday.exe and enjoys the flash greeting card. Zechariah had Ron infect his own computer with a Remote Control Trojan.

What harm can Zechariah do to Ron?
Module Objective

This module will familiarize you with:

• Trojans
• Overt & Covert Channels
• Types of Trojans and how a Trojan works
• Indications of a Trojan attack
• Different Trojans used in the wild
• Tools for sending Trojans
• Wrappers
• ICMP Tunneling
• Constructing a Trojan horse using a Construction Kit
• Tools for detecting Trojans
• Anti-Trojans

Module Flow

• Trojans
• Overt and Covert Channels
• Working of a Trojan
• Indications of a Trojan Attack
• Different Trojans
• Tools to Send Trojans
• Wrappers
• ICMP Tunneling
• Trojan Construction Kit
• Tools to Detect Trojans
• Anti-Trojan Tools
• Anti-Trojan Countermeasures

Introduction

Malicious users are always on the prowl to sneak into networks and create trouble. Trojan attacks have affected several businesses around the globe. In most cases, it is the absent-minded user who invites trouble by downloading files or being careless about security aspects.

This module covers different Trojans, the way they attack, and the tools used to send them across the network.

What is a Trojan

A Trojan is a small program that runs hidden on an infected computer. With the help of a Trojan, an attacker gets access to stored passwords on the Trojaned computer and would be able to read personal documents, delete files, display pictures, and/or show messages on the screen.

Overt and Covert Channels

Overt Channel: a legitimate communication path within a computer system, or network, for the transfer of data.

Covert Channel: a channel that transfers information within a computer system, or network, in a way that violates the security policy.

An overt channel can be exploited to create the presence of a covert channel by choosing, with care, components of the overt channel that are idle or not related.

The simplest form of covert channel is a Trojan.

Working of Trojans

An attacker gets access to the Trojaned system as soon as the system goes online.

Different Types of Trojans

• Remote Access Trojans
• Data-Sending Trojans
• Destructive Trojans

What Do Trojan Creators Look For

• Credit card information
• Account data (email addresses, passwords, user names, and so on)
• Confidential documents
• Financial data (bank account numbers, social security numbers, insurance information, and so on)
• Calendar information concerning the victim's whereabouts
• Using the victim's computer for illegal purposes, such as to hack, scan, flood, or infiltrate other machines on the network or Internet

Different Ways a Trojan Can Get into a System

• Instant Messenger applications
• IRC (Internet Relay Chat)
• Attachments
• Physical access
• Browser and email software bugs
• NetBIOS (file sharing)
• Fake programs
• Untrusted sites and freeware software
• Downloading files, games, and screen savers from Internet sites

Indications of a Trojan Attack

• CD-ROM drawer opens and closes by itself
• Computer screen flips upside down or inverts
• Wallpaper or background settings change by themselves
• Documents or messages print from the printer by themselves
• Computer browser goes to a strange or unknown web page by itself
• Windows color settings change by themselves
• Right and left mouse buttons reverse their functions
• Mouse pointer disappears
• Mouse pointer moves and functions by itself
• Windows Start button disappears
• Strange chat boxes appear on the victim's computer
• People chatting with the victim know too much personal information about him or his computer
• The computer shuts down and powers off by itself
• The taskbar disappears
• The account passwords are changed or unauthorized persons can access legitimate accounts
• Strange purchase statements appear in the credit card bills
• The computer monitor turns itself off and on
• Modem dials and connects to the Internet by itself
• Ctrl+Alt+Del stops working

Ports Used by Trojans

• GirlFriend: TCP 21544
• Masters Paradise: TCP 3129, 40421, 40422

How to Determine which Ports are "Listening"

Go to Start → Run → cmd

Trojan: iCmd

iCmd works like tini.exe but accepts multiple connections and you can set a password.

Window 1: Type icmd.exe 54 jason
Window 2: Type telnet <IP add> 54

MoSucker Trojan

MoSucker is a Trojan that, when executed, enables an attacker to get remote access to and nearly complete control over an infected PC.

Proxy Server Trojan

This tool, once a machine is infected, starts a hidden proxy server on the victim's computer. Thousands of machines on the Internet are infected with the proxy server Trojan.

SARS Trojan Notification

SARS Trojan notification sends the location of the victim's IP address to the attacker. Whenever the victim's computer connects to the Internet, the attacker receives the notification.

Notification types:

• SIN Notification: directly notifies the attacker's server
• ICQ Notification: notifies the attacker using ICQ channels
• Email: sends the notification through email

Wrappers

How does an attacker get a Trojan installed on the victim's computer? Answer: using wrappers.

A wrapper attaches a given EXE application (such as games or office applications) to the Trojan executable. The two programs are wrapped together into a single file. When the user runs the wrapped EXE, it first installs the Trojan in the background and then runs the wrapped application in the foreground. The user only sees the latter application.

Example: Chess.exe (90 k) + Trojan.exe (20 k) = Chess.exe (110 k)

Wrapper Covert Program

Graffiti.exe is an example of a legitimate file that can be used to drop the Trojan into the target system.

Wrapping Tools

One file EXE Maker
• Combines two or more files into a single file
• Compiles the selected list of files into one host file
• You can provide command line arguments
• It decompresses and executes the source program

Yet Another Binder
• Customizable options
• Supports Windows platforms
• Also known as YAB

One Exe Maker / YAB / Pretator Wrappers

Packaging Tool: WordPad

You can insert an OLE object (for example, EXE files) into a WordPad document and change its properties using the built-in package editor.

RemoteByMail

Remote-control a computer by sending email messages. It can retrieve files or folders by sending commands through email. It is an easier and more secure way of accessing files or executing programs.

Exchange shown in the diagram: "Any commands for me?" / "Send me c:\creditcard.txt file" / "Here is the file attached" / File sent to the attacker.

Tool: Icon Plus

Icon Plus is a conversion program for translating icons between various formats. An attacker can use this kind of application to disguise his malicious code or Trojan.

Defacing Application: Restorator

Restorator is a versatile skin editor for any Win32 program that changes images, icons, text, sounds, videos, dialogs, menus, and other parts of the user interface. User-styled Custom Applications (UCA) can be created by using this software.

Restorator has many built-in tools. Powerful find-and-grab functions let the user retrieve resources from all files on their disks.

Tetris

Games like Tetris, chess, and solitaire are perfect carriers for Trojans. They are easy to send by email.

HTTP Trojans

The attacker must install a simple Trojan program on a machine in the internal network, the Reverse WWW shell server. Reverse WWW shell allows an attacker to access a machine on the internal network from the outside.

On a regular basis, usually every 60 seconds, the internal server will try to access the external master system to pick up commands. If the attacker has typed something into the master system, this command is retrieved and executed on the internal system.

Reverse WWW shell uses the standard HTTP protocol.
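Because the Reverse WWW shell polls its master on a fixed schedule, the proxy log is the place to look for it. This added example (not part of the original module; the log format, thresholds and sample entries are constructed) groups requests per client and destination host and flags pairs whose inter-request gaps are near-constant, such as a 60-second poll.

```python
from datetime import datetime
from statistics import median
from urllib.parse import urlparse

# Constructed proxy log lines: "<ISO time> <client IP> <method> <url>". Not a real capture.
# 10.0.0.5 polls one URL about every 60 s; 10.0.0.8 browses normally.
SAMPLE_LOG = """\
2019-03-01T10:00:00 10.0.0.5 GET http://203.0.113.9/cgi-bin/orderform
2019-03-01T10:00:07 10.0.0.8 GET http://198.51.100.4/news/index.html
2019-03-01T10:00:09 10.0.0.8 GET http://198.51.100.4/news/style.css
2019-03-01T10:01:00 10.0.0.5 GET http://203.0.113.9/cgi-bin/orderform
2019-03-01T10:02:01 10.0.0.5 GET http://203.0.113.9/cgi-bin/orderform
2019-03-01T10:02:40 10.0.0.8 GET http://198.51.100.4/news/story.html
2019-03-01T10:03:00 10.0.0.5 GET http://203.0.113.9/cgi-bin/orderform
2019-03-01T10:03:59 10.0.0.5 GET http://203.0.113.9/cgi-bin/orderform
2019-03-01T10:05:00 10.0.0.5 GET http://203.0.113.9/cgi-bin/orderform
2019-03-01T10:09:12 10.0.0.8 GET http://198.51.100.4/news/story2.html
"""


def parse_log(text):
    """Return a list of (client, destination host, timestamp) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        events.append((client, urlparse(url).hostname, datetime.fromisoformat(ts)))
    return events


def find_beacons(text, min_hits=5, tolerance=0.10):
    """Flag (client, host) pairs whose requests arrive at a near-constant interval.

    A pair is reported when it has at least min_hits requests and every gap
    between consecutive requests lies within +/- tolerance of the median gap.
    Both thresholds are assumptions to tune per environment. Returns a list of
    (client, host, median_gap_seconds)."""
    by_pair = {}
    for client, host, when in parse_log(text):
        by_pair.setdefault((client, host), []).append(when)

    beacons = []
    for (client, host), times in sorted(by_pair.items()):
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= tolerance * med for g in gaps):
            beacons.append((client, host, med))
    return beacons


if __name__ == "__main__":
    for client, host, gap in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: regular polling every ~{gap:.0f}s")
```

Real Reverse WWW shell implementations add jitter; widening the tolerance or checking only the median gap catches more of them at the cost of more false positives from legitimate auto-refreshing pages.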

Trojan Attack through HTTP

Diagram: the victim clicks a file to download; the request travels across the Internet; the Trojan attacks through the HTTP request.

HTTP Trojan (HTTP RAT)

Infect the victim's computer with the HTTP RAT.

Shttpd Trojan - HTTP Server

SHTTPD is a small HTTP server that can easily be embedded inside any program. C++ source code is provided.

Even though shttpd is NOT a Trojan, it can easily be wrapped with a chess.exe and turn a computer into an invisible web server.

Steps shown:
• The shttpd Trojan is downloaded from http://www.eccouncil.org/cehtools/shttpd.zip
• Infect the victim computer with JOUST.EXE
• Shttpd should be running in the background, listening on port 443 (SSL)
• Normally the firewall allows you through port 443
• The attacker connects to the victim using a web browser

Reverse Connecting Trojans

1. Infect (Rebecca's) computer with server.exe and plant the Reverse Connecting Trojan.
2. The Trojan connects on port 80 to Yuri, the hacker, in Russia, establishing a reverse connection.

Yuri, the hacker, has complete control.

Nuclear RAT Trojan (Reverse Connecting)

Tool: BadLuck Destructive Trojan

This is a dangerous and destructive tool. When executed, this tool destroys the operating system. The user will not be able to use the operating system after the machine has been infected by the Trojan.

ICMP Tunneling

Covert channels are methods in which an attacker can hide the data in a protocol that is undetectable. Covert channels rely on techniques called tunneling, which allow one protocol to be carried over another protocol.

ICMP Backdoor Trojan

ICMP Server — Command: icmpsrv -install
ICMP Client — Command: icmpsend <victim IP>

Backdoor.Theef (AVP)

Using this Trojan, the server opens various ports on the victim's machine (e.g. ports 69, 4700, 13500 and 2800). Once compromised, the hacker can perform many functions on the victim's machine, rendering it completely vulnerable.

A brief list of the functions available:

• File system: upload/download, execute, etc.
• Registry: full editing
• System: force shutdown, disable mouse/keyboard, shut down firewalls/AV software, set user name etc. (plus lots more)
• Spy: start/stop keylogger, grab logged data
• Machine info: email/dialup/user details, with options to retrieve or set for all

Backdoor.Theef (AVP): Screenshot

T2W (Trojan To Worm)

Biorante RAT

Features:

• Highlighted connection list if a webcam is detected
• Online keylogger
• Screen capture (PNG compression)
• Webcam capture (PNG compression)
• Computer information with customizable script
• Uses only one port

DownTroj

DownTroj is a Trojan horse with the following features:

• Remote message box
• Remote info
• Remote file browser (+ download, upload, delete, make/del dir)
• Remote shell
• Remote task manager (+ start/kill)
• Remote keylogger
• Remotely reboot or shut down the system
• Reverse connection (bypasses routers)

Coded in C/C++ and also has:

• More victims at the same time
• Unlimited number of hosts/ports to connect to
• Installing into a location that is impossible to access with Windows Explorer

Turkojan

Trojan.Satellite-RAT

Yakoza

Added to Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
Old data: Explorer.exe

DarkLabel B4

Trojan.Hav-Rat

Hav-Rat uses a reverse connection, so there is no need for opening ports on the target/user.

Poison Ivy

PI is a reverse-connection, forward remote administration tool, written in masm (server) and Delphi (client). PI does not use any plugins/DLLs or any other files besides the server and does not drop any other files.

Rapid Hacker

Rapid Hacker can hack / crack / bypass the waiting limit.

SharK

• SharK uses the RC4 cipher to encrypt the traffic
• The keylogger works with WH_KEYBOARD_LL hooks
• Manipulate running processes, windows, and services from the remote console
• Interactive process blacklisting, which alerts the attacker if a blacklisted process is found on the victim's machine and prompts the attacker to take action

TYO

OD Client

Features:

• Remote Web Downloader (main function): downloads and executes a file from the Internet remotely
• Windows XP & Windows Server rooting (Remote Desktop): adds an admin user to the host and allows for a remote desktop connection (Username: xplorer, Password: l3vel69)
• Remove Server: uninstalls the server from the host
• Shutdown Server

AceRat

Features:

• Shut off, log off the victim's PC
• Fully functioning and interactive file manager
• Send error messages
• System info
• Change wallpaper

RubyRAT Public

Features:

• Get basic computer information
• Execute command (sends back output!)
• Terminal Server (Remote Desktop) enabler/disabler
• File browser with file upload/download/execute/file info
• List/kill processes

ConsoleDevil

ConsoleDevil is a small RAT (Remote Administration Tool) that allows you to take control over a remote computer's Windows console (command prompt), from where you can do almost everything, such as pinging servers.

ZombieRat

ZombieRat is made in Delphi 2005.

FTP Trojan - TinyFTPD

TinyFTPD is a simple FTP Trojan which supports most of the standard FTPD commands. An IP can log in 8 times simultaneously.

VNC Trojan

VNC Trojan starts a VNC server daemon in the background when the machine is infected. The attacker connects to the victim using any VNC viewer with the password "secret".

Webcam Trojan

Troya

Troya is a remote Trojan without a client, for controlling another PC from your PC. It is a web-based Trojan.

ProRat

Activation Key:
• User: mohdjase1

Dark Girl

Remote Access

DaCryptic

Functions:
• Registry access
• File

Trojan: PokerStealer.A

PokerStealer.A is a Trojan that heavily relies on social engineering. It comes with the filename PokerGame.app as a 65 KB Zip archive; unzipped, it is 180 KB.

When it runs, it activates ssh on the infected machine, then sends the user name and password hash, along with the IP address of the Mac, to a specified e-mail address with the subject "Howdy".

It asks for an administrator's password after displaying a dialog saying, "A corrupt preference file has been detected and must be repaired".

Trojan: Hovdy.a

Hovdy.a is an exploit for the recently revealed and unpatched privilege escalation bug in Apple Remote Desktop. It asks for an administrator's password by displaying a dialog saying, "A corrupt preference file has been detected and must be repaired".

It gathers the username, password and IP address from the infected system and sends them to the server.

Classic Trojans Found in the Wild

Warning: these are classic, outdated tools and are presented here for proof of concept (you will not be able to find the source code for these tools on the Internet). They are presented in this module so that you are encouraged to view the source code of these tools to understand the attack engineering behind them.

• Back Orifice 2000
• Donald Dick
• Let me rule

Trojan: Tini

Tini is a tiny Trojan program that is only 3 kb and programmed in assembly language. It takes minimal bandwidth to get on a victim's computer and it takes a small amount of disk space.

Tini only listens on port 7777 and runs a command prompt when someone attaches to this port. The port number is fixed and cannot be customized. This makes it easier for a victim system to detect, by scanning for port 7777.

From a tini client, the attacker can telnet to the tini server at port 7777.

Trojan: NetBus

NetBus is a Win32-based Trojan program. Like Back Orifice, NetBus allows a remote user to access and control the victim's machine by way of its Internet link.

It was written by a Swedish programmer named Carl-Fredrik Neikter in March 1998. This virus is also known as Backdoor.Netbus.

Trojan: Netcat

Netcat is called the "Swiss-army knife" of networking tools. It provides a basic TCP/UDP networking subsystem that allows users to interact manually or via script with network applications.

• Outbound or inbound connections, TCP or UDP, to or from any ports
• Built-in port-scanning capabilities with randomizer
• Built-in loose source-routing capability

Netcat Client/Server

The Netcat client connects to the Netcat server; the server pushes a "shell" to the client.

Trojan: Beast

Beast is a powerful Remote Administration Tool (AKA Trojan) built with Delphi 7. One of the distinct features of Beast is that it is an all-in-one Trojan (client, server, and server editor are stored in the same application). An important feature of the server is that it uses injecting technology.

Hacking Tool: Loki (www.phrack.com)

Loki was written by daemon9 to provide shell access over ICMP, making it much more difficult to detect than TCP- or UDP-based backdoors.

Loki Countermeasures

Configure the firewall to block ICMP or limit the allowable IPs for incoming and outgoing echo packets. Blocking ICMP will disable ping requests and may cause an inconvenience to users. Be careful while deciding on security versus convenience.

Loki also has the option to run over UDP port 53.
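Where blocking ICMP outright is too costly, the alternative is to inspect echo payloads, which is what separates a Loki- or icmpsrv-style tunnel (the ICMP Tunneling and ICMP Backdoor slides) from ordinary pings. This added example, not part of the original module, builds ICMP echo packets, verifies the RFC 1071 checksum and flags payloads that are oversized, high-entropy or unlike what standard ping tools send; the thresholds and the "standard ping" patterns are assumptions to tune per environment.

```python
import math
import struct
from collections import Counter

# Assumed thresholds. Ordinary ping payloads are small and low-entropy;
# tunnelled shell output or encrypted data is neither.
MAX_PAYLOAD = 64
MAX_ENTROPY = 5.0                     # bits per byte
# 32-byte payload pattern that Windows ping sends by default
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded if odd length)."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload, ident=0x1234, seq=1, icmp_type=8):
    """Construct an ICMP echo packet (type 8 request, type 0 reply) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_standard_ping(payload):
    """Windows ping repeats the alphabet; Unix ping sends an 8-byte timestamp
    followed by the byte sequence 0x10, 0x11, 0x12, ... (assumed patterns)."""
    if payload and payload == WINDOWS_PING[: len(payload)]:
        return True
    body = payload[8:]
    return len(payload) > 8 and body == bytes((0x10 + i) & 0xFF for i in range(len(body)))


def assess(packet):
    """Return the set of reasons an ICMP packet looks like it may carry tunnelled data.
    An empty set means the packet resembles an ordinary ping."""
    if len(packet) < 8:
        return {"truncated"}
    reasons = set()
    icmp_type = packet[0]
    payload = packet[8:]
    if icmp_checksum(packet) != 0:    # a valid packet sums to zero with its checksum included
        reasons.add("bad_checksum")
    if icmp_type not in (0, 8):
        reasons.add("non_echo_type")
    if looks_like_standard_ping(payload):
        return reasons
    reasons.add("nonstandard_pattern")
    if len(payload) > MAX_PAYLOAD:
        reasons.add("oversized")
    if entropy(payload) > MAX_ENTROPY:
        reasons.add("high_entropy")
    return reasons


# Constructed samples: two ordinary pings and a 96-byte pseudo-random payload
# standing in for tunnelled data (73 is coprime to 256, so all bytes differ).
UNIX_PING = bytes(8) + bytes(range(0x10, 0x40))
TUNNEL_PAYLOAD = bytes((i * 73 + 41) % 256 for i in range(96))

if __name__ == "__main__":
    for name, payload in [("windows", WINDOWS_PING), ("unix", UNIX_PING), ("tunnel", TUNNEL_PAYLOAD)]:
        print(name, sorted(assess(build_echo(payload))))
```

A tunnel that pads its data to look like a normal ping defeats the pattern check, which is why volume and timing (many echo packets to one host) belong in the same detection.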

Atelier Web Remote Commander

• Access to the remote computer desktop
• Local files can be uploaded to the remote system
• Files can be remotely zipped or unzipped

Trojan Horse Construction Kit

Trojan Horse construction kits help hackers to construct Trojan horses of their choice. The tools in these kits can be dangerous and can backfire if not executed properly.

Some of the Trojan kits available in the wild are as follows:

• The Trojan Horse Construction Kit v2.0

How to Detect Trojans

Scan for suspicious open ports using tools such as:
• Netstat
• Fport
• TCPView

Scan for suspicious running processes using:
• Process Viewer
• What's on my computer
• Insider

Scan for suspicious registry entries using the following tools:
• What's running on my computer
• MS Config

Scan for suspicious network activities.
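A scripted version of the port check from the "Ports Used by Trojans" and "How to Detect Trojans" slides, added here and not part of the original module: it parses netstat -an output, lists TCP listeners, compares them against a per-host allowlist and names any listener on a port the slides associate with a Trojan. The netstat sample and the allowlist are constructed.

```python
import re

# Listening ports named on the slides (GirlFriend, Masters Paradise, Tini).
# A real deployment would use a fuller, maintained list.
KNOWN_TROJAN_PORTS = {
    21544: "GirlFriend",
    3129: "Masters Paradise",
    40421: "Masters Paradise",
    40422: "Masters Paradise",
    7777: "Tini",
}

# Constructed baseline of listeners expected on this host (assumption).
EXPECTED_LISTENERS = {135, 445}

# Constructed sample of `netstat -an` output in the Windows layout, not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3129      0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49152     203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Return (proto, local_ip, local_port, state) for each connection line;
    header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, ip, port, _foreign, state = m.groups()
        rows.append((proto, ip, int(port), state or ""))
    return rows


def listening_ports(text):
    """Sorted TCP ports in LISTENING state."""
    return sorted({port for proto, _ip, port, state in parse_netstat(text)
                   if proto == "TCP" and state == "LISTENING"})


def unexpected_listeners(text, expected=EXPECTED_LISTENERS):
    """Listeners not in the host's allowlist; each one needs an owning process identified."""
    return [p for p in listening_ports(text) if p not in expected]


def flag_trojan_ports(text):
    """{port: trojan name} for listeners on a port the slides associate with a Trojan."""
    return {p: KNOWN_TROJAN_PORTS[p] for p in listening_ports(text) if p in KNOWN_TROJAN_PORTS}


if __name__ == "__main__":
    print("unexpected listeners:", unexpected_listeners(SAMPLE_NETSTAT))
    print("known Trojan ports:", flag_trojan_ports(SAMPLE_NETSTAT))
```

A Trojan can be configured to any port, so the allowlist comparison matters more than the name lookup; tools like Fport and TCPView (next slides) then map each unexpected port to its process.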

Tool: Netstat

Tool: fPort

fport reports all open TCP/IP and UDP ports, and maps them to the owning application. fport can be used to quickly identify unknown open ports and their associated applications.

Tool: TCPView

TCPView is a Windows program that will show detailed listings.

CurrPorts Tool

CurrPorts allows you to view a list of ports that are currently in use and the application that is using each one. You can close a selected connection and also terminate the process using it, and export all or selected items to an HTML or text report.

Tool: Process Viewer

PrcView is a process viewer utility that displays detailed information about processes running under Windows. PrcView comes with a command line version that allows the user to write scripts to check whether a process is running, to kill it, and so on.

Delete Suspicious Device Drivers

Check for kernel-based device drivers and remove the suspicious "sys" files. Sometimes the file is locked when the system is running; boot the system in safe mode and delete the file. If still "access denied", then boot the system in console mode and delete them.

View the loaded drivers by going to Start → All Programs → Accessories → System Tools →

Check for Running Processes: What's on My Computer

It provides additional information about any file, folder, or program running on your computer. It allows searching for information on the web. It keeps out viruses and Trojans.

Super System Helper Tool

The key features of the tool are as follows:

• It takes complete control over all running processes
• It shows all open ports and processes, and manages start-up applications and Browser Helper Objects (BHO)
• It tweaks and optimizes Windows
• It schedules a computer to shut down at a specified time

This tool does a good job.

Inzider - Tracks Processes and Ports

http://ntsecurity.nu/cgi-bin/download/inzider.exe.pl

This is a useful tool that lists processes in the Windows system and the ports each one listens on.

Tool: What's Running

Tool: MSConfig

Microsoft System Configuration Utility or MSCONFIG is a tool used to troubleshoot problems with your computer. Check it for Trojan startup entries.

Tool: Registry - What's Running

Tool: Autoruns

Tool: HijackThis (System Checker)

Anti-Trojan Software

There are many anti-Trojan software programs available from many vendors. Below is a list of some of the anti-Trojan software packages that are available for trial:

• Kerio Personal Firewall, 2.1.5
• Sub-Net
• TAVScan
• SpyBot Search & Destroy
• Anti Trojan

TrojanHunter

TrojanHunter is an advanced Trojan scanner and toolbox that searches for and removes Trojans from your system. It uses several proven methods to find a wide variety of Trojans, such as file scanning, port scanning, memory scanning, and registry scanning.

Comodo BOClean

Comodo BOClean protects your computer against Trojans, malware, and other threats. It constantly scans your system in the background and intercepts any recognized Trojan activity. The program can ask the user what to do, or run in unattended mode and automatically shut down and remove any suspected Trojan application.

Features:

• Destroys malware and removes registry entries
• Does not require a reboot to remove all traces
• Disconnects the threat without disconnecting you
• Generates an optional report and a safe copy of evidence

Trojan Remover: XoftspySE

Xoftspy detects and removes all the spyware trying to install on your PC. It scans for more than 42,000 different spyware and adware parasites.

It finds and removes threats including: spyware, worms, hijackers, adware, malware, keyloggers, hacker tools, PC parasites, Trojan horses, spy programs, and trackware.

Trojan Remover: Spyware Doctor

Spyware Doctor is an adware and spyware removal utility that detects and cleans thousands of potential spyware, adware, Trojans, keyloggers, spyware cookies, trackware, spybots, and other malware from your PC.

This tool allows you to remove, ignore, or quarantine identified spyware. It also has an OnGuard system to immunize and protect your system against privacy threats as you work. By performing a fast detection at Windows start-up, you will be alerted with a list of the identified potential threats.

SPYWAREfighter

SPYWAREfighter is a powerful and reliable software package that allows you to protect your PC against spyware, malware, and other unwanted software. It uses a security technology that protects Windows users from spyware and other potentially unwanted software.

It reduces the negative effects caused by spyware, including slow PC performance, annoying pop-ups, unwanted changes to Internet settings, and unauthorized use of your private information.

Evading Anti-Virus Techniques

• Never use Trojans from the wild (anti-virus can detect these easily)
• Write your own Trojan and embed it into an application
• Convert an EXE to VB script
• Convert an EXE to a DOC file
• Convert an EXE to a PPT file
• Change the Trojan's syntax
• Change the checksum
• Change the content of the Trojan using a hex editor

Sample Code for Trojan Client/Server

Evading Anti-Trojan / Anti-Virus Using Stealth Tools

It is a program that helps to send Trojans or suspicious files that are undetectable to anti-virus software. Its features include adding bytes, binding, and changing strings.

Backdoor Countermeasures

Most commercial anti-virus products can automatically scan and detect backdoor programs before they can cause damage (for example, before accessing a floppy, running an exe, or downloading mail).

An inexpensive tool called Cleaner (http://www.moosoft.com/cleaner.html) can identify and eradicate 1,000 types of backdoor programs and Trojans.

Tool: Tripwire

Tripwire is a System Integrity Verifier (SIV). It will automatically calculate cryptographic hashes of all key system files or any file that is to be monitored for modifications. It works by creating a baseline "snapshot" of the system.

System File Verification

Windows 2000 introduced Windows File Protection (WFP), which protects system files that were installed by the Windows 2000 setup program from being overwritten. The hashes in this file could be compared with the SHA-1 hashes of the current system files to verify their integrity against the factory originals.

MD5sum.exe

MD5sum.exe is an MD5 checksum utility. It takes an MD5 digital snapshot of system files. If you suspect a file is Trojaned, then compare the MD5 signature with the snapshot checksum.

Tool: Microsoft Windows Defender

Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It features Real-Time Protection, a monitoring system.

Microsoft Windows Defender: Screenshot

H ow to Avoid a Trojan In fection

Do n ot down load blin dly from people or sites that you are n ot 10 0 % y p p y sure about

Even if the file com es from a frien d, be sure what the file is before open in g it

Do n ot use features in program s that autom atically get or preview files

(149)

H ow to Avoid a Trojan Infection

(cont’d)

(cont d)

On e should n ot be lulled in to a false sen se of security just because an an ti virus program On e should n ot be lulled in to a false sen se of security just because an an ti-virus program is running in the system

Ensure that the corporate perim eter defen ses are kept con tin uously up to date

Filter and scan all conten t at the perim eter defen ses that could con tain m alicious con ten t

(150)

How to Avoid a Trojan Infection (cont’d)

Rigorously control user permissions within the desktop environment to prevent the installation of malicious applications

Manage local workstation file integrity through checksums, auditing, and port scanning

Monitor internal network traffic for odd ports or encrypted traffic

Use multiple virus scanners
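The MD5sum.exe snapshot idea above and the "file integrity through checksums" advice in this list amount to the same check: hash a known-good set of files, store the digests, and compare later. The following is an added example (not the slides' code and not MD5sum.exe itself) that does exactly that over a directory; the file names and contents in demo() are constructed stand-ins, and SHA-256 is used by default with "md5" accepted for parity with the tool.

```python
import hashlib
import json
import os
import tempfile

def hash_file(path, algo="sha256", chunk_size=65536):
    """Hex digest of one file, read in chunks so large binaries fit in memory."""
    h = hashlib.new(algo)  # "md5" matches MD5sum.exe; sha256 is the safer default
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root, algo="sha256"):
    """Map every file below root (path relative to root) to its digest."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = hash_file(full, algo)
    return digests

def compare(baseline, current):
    """Files whose digest changed, files that appeared, files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed scenario: baseline a directory, save it, tamper, re-check."""
    root = tempfile.mkdtemp()
    def write(name, data):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    write("notepad.exe", b"constructed stand-in for the original binary")
    write("calc.exe", b"constructed stand-in for another system file")
    baseline_file = os.path.join(tempfile.mkdtemp(), "baseline.json")
    with open(baseline_file, "w") as f:            # persist the snapshot
        json.dump(snapshot(root), f)
    write("notepad.exe", b"trojaned replacement")  # modified in place
    write("dropped.exe", b"file the Trojan dropped")  # added
    os.remove(os.path.join(root, "calc.exe"))       # removed
    with open(baseline_file) as f:
        return compare(json.load(f), snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Store the baseline off the host (or on read-only media), since a Trojan with write access to the system can just as easily rewrite a baseline kept beside the files it protects.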


What happened next

As Ron never cared for desktop security, he did not have the latest antivirus update. Neither did he have a Trojan scanner nor a file integrity checker.

Zechariah had infected Ron’s computer and was ready to do all kinds of assault which the infected Trojan supported.

Zechariah can do any of the following:

Run a keylogger on Ron’s systems and retrieve all sensitive information

Delete confidential files

Rename files and change file extensions

Summary

Trojans are malicious pieces of code that carry cracker software to a target system

They are used primarily to gain and retain access on the target system

They often reside deep in the system and make registry changes that allow them to meet their purpose as a remote administration tool

Popular Trojans include Back Orifice, NetBus, SubSeven, and Beast

Trojan: Phatbot

Phatbot Trojan allows the attacker to have control over computers and link them into

It can steal Windows Product Keys, AOL logins and passwords, as well as CD keys of some famous games

Trojan: Amitis

Amitis has more than 400 ready-to-use options

It is the only Trojan that has a live update

The server copies itself to the Windows directory, so, even if the main file is deleted, the victim’s computer is still infected

The server automatically sends the requested notification as soon as the victim gets online

Trojan: Senna Spy

Senna Spy Generator 2.0 is a Trojan generator that is able to create Visual Basic source code for a Trojan based on a few options

This Trojan is compiled from generated source code; anything could be changed in it

Source: http://sennaspy.cjb.net/

Trojan: QAZ

QAZ is a companion virus that can spread over the network

It also has a "backdoor" that will enable a remote user to connect to and control the victim’s computer using port 7597

It may have originally been sent out by email

It renames Notepad to note.com

It modifies the registry key:

• HKLM\software\Microsoft\Windows\CurrentVersion\Run
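The three indicators this slide gives (a listener on TCP 7597, Notepad renamed to note.com, a changed Run key) are exactly what a host check should look for. The following is an added example, not the slides' code: it parses constructed netstat -an style output, diffs a constructed set of Run-key values against a baseline, and looks for note.com in a constructed directory listing. The Run-key value name "sysupdate" is hypothetical, and the slide does not say where note.com is placed, so the file check matches on the name only.

```python
import re

# Added example. Indicators are the ones the slide names: TCP port 7597,
# Notepad renamed to note.com, and a modified CurrentVersion\Run key.
QAZ_PORT = 7597
QAZ_FILE = "note.com"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed netstat -an style output: two normal listeners plus the QAZ port.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7597           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1044          10.0.0.9:80            ESTABLISHED
"""
# Constructed Run-key values: the image baseline, and the current state with
# one extra value (hypothetical name "sysupdate") pointing at note.com.
RUN_BASELINE = {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
RUN_CURRENT = dict(RUN_BASELINE, sysupdate=r"C:\WINDOWS\note.com")
# Constructed listing of the Windows directory.
FILES = [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\note.com"]

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.M)

def listening_ports(netstat_text):
    """TCP ports in LISTENING state, parsed from netstat -an output."""
    return {int(p) for p in LISTEN_RE.findall(netstat_text)}

def unexpected_listeners(netstat_text, allowed_ports):
    """Listening ports outside the allowlist, labelled when they match QAZ."""
    label = {QAZ_PORT: "QAZ backdoor port (per the slide)"}
    return {p: label.get(p, "unknown service")
            for p in sorted(listening_ports(netstat_text) - set(allowed_ports))}

def new_run_entries(baseline, current):
    """Run-key values that were added or changed since the baseline."""
    return {n: v for n, v in current.items() if baseline.get(n) != v}

def qaz_indicators(netstat_text, allowed_ports, run_baseline, run_current, files):
    """Every finding as a string; an empty list means no indicator was seen."""
    findings = [f"unexpected listener on TCP {p}: {why}"
                for p, why in unexpected_listeners(netstat_text, allowed_ports).items()]
    findings += [f"new value under {RUN_KEY}: {n} = {v}"
                 for n, v in new_run_entries(run_baseline, run_current).items()]
    if any(f.replace("\\", "/").rsplit("/", 1)[-1].lower() == QAZ_FILE for f in files):
        findings.append(f"{QAZ_FILE} present (renamed Notepad, per the slide)")
    return findings
```

On a real host the same functions would be fed the output of netstat -an, the values read from the Run key, and a listing of the Windows directory.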


Trojan: Back Orifice

Back Orifice (BO) is a remote Administration system that allows a user to control a computer across a TCP/IP connection using a simple console or GUI application

On a local LAN or across the Internet, BO gives its user more control of the remote Windows machine than the person at the keyboard of the remote machine

Back Orifice was created by a group of well-known hackers who call themselves the CULT OF THE DEAD COW

BO is small and entirely self-installing

Trojan: Back Orifice 2000

BO2K has stealth capabilities; it will not show up on the task list and runs completely in the hidden mode

Back Orifice accounts for the highest number of infestations on Microsoft computers

The BO2K server code is only 100 KB. The client program is 500 KB

Once installed on a victim’s PC or server machine, BO2K

Back Orifice Plug-ins

BO2K’s functionality can be extended using BO plug-ins

BOPeep (Complete remote control snap-in)

Encryption (Encrypts the data sent between the BO2K GUI and the server)

BOSOCK32 (Provides stealth capabilities by using ICMP instead of TCP/UDP)

Trojan: SubSeven

SubSeven is a Win32 Trojan

The credited author of this Trojan is Mobman

Its symptoms include slowing down the victim’s computer and a constant stream of error messages

SubSeven is a Trojan virus most commonly spread through file

Trojan: CyberSpy Telnet Trojan

CyberSpy is a telnet Trojan, which means a client terminal is not necessary to get connected

It is written in VB and a little bit of C programming

It supports multiple clients

It has about 47 commands

It has ICQ, email, and IRC bot notification

Trojan: Subroot Telnet Trojan

Subroot Telnet Trojan is a telnet RAT (Remote Administration Tool)

It was written and tested in the Republic of South Africa

It has variants as follows:

Trojan: Let Me Rule! 2.0 BETA 9

It deletes all files in a specific directory

All types of files can be executed at the remote host

The new version has an enhanced registry explorer

Trojan: Donald Dick

Donald Dick is a tool that enables a user to control another computer over a network

It uses a client-server architecture with the server residing on the victim's computer

The attacker uses the client to send commands through TCP or SPX to the victim listening on a pre-defined port

Trojan: RECUB

RECUB (Remote Encrypted Callback Unix Backdoor) is a Windows port for a remote administration tool that can also be used as a backdoor on a Windows system

It bypasses a firewall by opening a new window of IE and then injecting code into it

It uses Netcat for remote shell

It empties all event logs after exiting the shell
