Banner 468 X 60

CEHv6 Module 08 Trojans and Backdoors

CEHv6 Module 08 Trojans and Backdoors

The Trojan Horse got its name from the old mythical story about how the Greeks gave their enemy a huge wooden horse as a gift during the war.

The enemy accepted this gift and they brought it into their kingdom, and during the night, Greek soldiers crept out of the horse and attacked the city, completely overcoming it.
A Trojan horse is an unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown by the user. A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown by the user.
Working:

Trojans come in two parts, a Client part and a Server part. When the victim runs the server on its machine, the attacker will then use the Client to connect to the Server and start using the Trojan. TCP/IP protocol is the usual protocol type used for communications, but some functions of the Trojans use the UDP protocol as well. When the Server is being run on the victim's computer, it will (usually) try to hide somewhere on the computer, start listening on some port(s) for incoming connections from the attacker, modify the registry and/or use some other auto starting method.
It's necessary for the attacker to know the victim's IP address to connect to his/her machine. Many Trojans have features like mailing the victim's IP, as well as messaging the attacker via ICQ or IRC. This is used when the victim has dynamic IP which means every time you connect to the Internet you get a different IP (most of the dial-up users have this).

Most of the Trojans use Auto-Starting methods so even when you shut down your computer they're able to restart and again give the attacker access to your machine. New auto-starting methods and other tricks are discovered all the time. The variety starts from "joining" the Trojan into some executable file you use very often like explorer.exe, for example, and goes to the known methods like modifying the system files or the Windows Registry. System files are located in the Windows directory and here are short explanations of their abuse by the attackers:

- Auto start Folder - The Auto start folder is located in C:\Windows\Start Menu\Programs\startup and as its name suggests automatically starts everything placed there.

- Win.ini - Windows system file using load=Trojan.exe and run=Trojan.exe to execute the Trojan

- System.ini - Using Shell=Explorer.exe trojan.exe results in execution of every file after Explorer.exe

- Wininit.ini - Setup-Programs use it mostly; once run, it's being auto-deleted, which is very handy for Trojans to restart

- Winstart.bat - Acting as a normal bat file Trojan is added as @trojan.exe to hide its execution from the user

- Autoexec.bat - It's a DOS auto-starting file and it's used as auto-starting method like this -> c:\Trojan.exe

- Config.sys - Could also be used as an auto-starting method for Trojans

- Explorer Startup - Is an auto-starting method for Windows95, 98, ME and if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.
Registry is often used in various auto-starting methods.


A key with the value "%1 %*" should be placed there and if there is some executable file placed there, it will be executed each time you open a binary file. It's used like this: trojan.exe "%1 %*"; this would restart the Trojan.

- ICQ Net Detect Method

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key includes all the files that will be executed if ICQ detects Internet connection. As you can understand, this feature of ICQ is very handy but it's frequently abused by attackers as well.
- ActiveX Component
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
StubPath=C:\directory\Trojan.exe

These are the most common Auto-Starting methods using Windows system files, and the Windows registry.
Trojans Variations

1.Remote Access Trojans
These are probably the most publicly used Trojans, just because they give the attackers the power to do more things on the victim's machine than the victim itself, while standing in front of the machine. Most of these Trojans are often a combination of the other variations you'll read below. The idea of these Trojans is to give the attacker a COMPLETE access to someone's machine, and therefore access to files, private conversations, accounting data, etc.

2. Password Sending Trojans
The purpose of these Trojans is to rip all the cached passwords and also look for other passwords you're entering then send them to a specific mail address, without the user noticing anything. Passwords for ICQ, IRC, and FTP, HTTP or any other application that require a user to enter a login password are being sent back to the attacker's e-mail address, which in most cases is located at some free web based e-mail provider. Most of them do not restart when Windows is loaded, as the idea is to gather as much info about the victim's machine as passwords, marc logs, ICQ conversations and mail them; but it depends on the needs of the attacker and the specific situation.

3. Keyloggers
These Trojans are to log the keystrokes of the victim and then let the attacker search for passwords or other sensitive data in the log file. Most of them come with two functions like online and offline recording. Of course they could be configured to
send the log file to a specific e-mail address on a daily basis.

4. Destructive
The only function of these Trojans is to destroy and delete files. This makes them very simple and easy to use. They can automatically delete all your core system files (for example: .dell, .in or .exe files, possibly others) on your machine. The Trojan is being activated by the attacker or sometimes works like A logic bomb and starts on a specific day and at specific hour.

5.Denial Of Service (DoS) Attack Trojans
These Trojans are getting very popular these days, giving the attacker power to start DDoS if having enough victims of course. The main idea is that if you have 200 ADSL users infected and start attacking the victim simultaneously, this will generate a LOT of traffic (more then the victim's bandwidth, in most cases) and its the access to the Internet will be shut down. WinTrinoo is a DDoS tool that has become really popular recently, and if the attacker has infected many ADSL users, major Internet sites could be shut down as a result, as we've seen it happen in the past few months.
Another variation of a DoS trojan is the mail-bomb trojan, whose main aim is to infect as many machines as possible and simultaneously attack specific e-mail address/addresses with random subjects and contents which cannot be filtered.

6.Proxy/Wingate Trojans
Interesting feature implemented in many trojans is turning the victim's computer into a proxy/wingate server available to the whole world or to the attacker only. It's used for anonymous Telnet, ICQ, IRC, etc., and also to register domains with stolen credit cards and for many other illegal activities. This gives the attacker complete anonymity and the chance to do everything from YOUR computer and if he/she gets caught the trace leads back to you.

7.FTP Trojans
These trojans are probably the most simple ones and are kind of outdated as the only thing they do is to open port 21(the port for FTP transfers) and let EVERYONE connect to your machine or just the attacker. Newer versions are password protected so only the one that infected you may connect to your computer.

8.Software Detection Killers
There are such functionalities built into some trojans, but there are also separate programs that will kill ZoneAlarm, Norton Anti-Virus and many other (popular anti-virus/firewall) programs, that protect your machine. When they are disabled, the attacker will have full access to your machine, to perform some illegal activity, use your computer to attack others and often disappear. Even though you may notice that these programs are not working or functioning properly, it will take you some time to remove the trojan, install the new software, configure it and get back online with some sense of security.
How Can I Get Infected

Following are ways to get infected with Trojans:

1 ICQ
2 IRC
3 Attachments
4 Physical Access
5 Browser And E-mail Software Bugs
6 Netbios(FileSharing)

Trojan Programs: Trojans can be classified as :

1.Backdoors
2.General Trojans
3.PSW Trojans
4.Trojan Clickers
5.Trojan Downloaders
6.Trojan Droppers
7.Trojan Proxies
8.Trojan Spies
9.Trojan Notifiers
10.ArcBombs

Backdoors

Today backdoors are the most dangerous type of Trojans and the most widespread. These Trojans are remote administration utilities that open infected machines to external control via a LAN or the Internet. They function in the same way as legal remote administration programs used by system administrators. This makes them difficult to detect.The only difference between a legal administration tool and a backdoor is that backdoors are installed and launched without the knowledge or consent of the user of the victim machine. Once the backdoor is launched, it monitors the local system without the user's knowledge; often the backdoor will not be visible in the log of active programs.
Once a remote administration utilitiy has been successfully installed and launched, the victim machine is wide open.

Backdoor functions can include:

1.Sending/ receiving files
2.Launching/ deleting files
3.Executing files
4.Displaying notification
5.Deleting data
6.Rebooting the machine

In other words, backdoors are used by virus writers to detect and download confidential information, execute malicious code, destroy data, include the machine in bot networks and so forth. In short, backdoors combine the functionality of most other types of Trojans in one package.
Backdoors have one especially dangerous sub-class: variants that can propagate like worms. The only difference is that worms are programmed to propagate constantly, whereas these 'mobile' backdoors spread only after a specific command from the 'master'.

General Trojans

This loose category includes a variety of Trojans that damage victim machines or threaten data integrity, or impair the functioning of the victim machine.
Multi-purpose Trojans are also included in this group, as some virus writers create multi-functional Trojans rather than Trojan packs.

PSW Trojans

This family of Trojans steals passwords, normally system passwords from victim machines. They search for system files, which contain confidential information such as passwords and Internet access telephone numbers and then send this information to an email address coded into the body of the Trojan. It will then be retrieved by the 'master' or user of the illegal program.
Some PSW Trojans steal other types of information such as:
System details (memory, disk space, operating system details)
Local email client
IP-address
Registration details
Passwords for on-line games
Trojan-AOL are PSW Trojans that steal passwords for aol (American Online) They are contained in a sub-groups because they are so numerous.

Trojan Clickers

This family of Trojans redirects victim machines to specified websites or other Internet resources. Clickers either send the necessary commands to the browser or replace system files where standard Internet urls are stored (e.g. the 'hosts' file in MS Windows).
Clickers are used:
1.To raise the hit-count of a specific site for advertising purposes
2.To organize a DoS attack on a specified server or site
3.To lead the victim to an infected resource where the machine will be attacked by other malware (viruses or Trojans)

Trojan Downloaders

This family of Trojans downloads and installs new malware or adware on the victim machine. The downloader then either launches the new malware or registers it to enable autorun according to the local operating system requirements. All of this is done without the knowledge or consent of the user.
The names and locations of malware to be downloaded are either coded into the Trojan or downloaded from a specified website or other Internet location.

Trojan Droppers

These Trojans are used to install other malware on victim machines without the knowledge of the user. Droppers install their payload either without displaying any notification, or displaying a false message about an error in an archived file or in the operating system. The new malware is dropped to a specified location on a local disk and then launched.

DOWNLOAD LINK: CEHv6 Module 08 Trojans and Backdoors

0 comments: