Saturday, March 4, 2017

What Is a Trojan? The full description.



http://wormholetravel.net/pentest.html

According to Greek mythology, the Greeks won the Trojan War by entering the fortified city of Troy hidden in a huge, hollow wooden horse. The Greeks built the horse for their soldiers to hide in and left it in front of the gates of Troy. The Trojans took it to be a gift from the Greeks, who had apparently withdrawn from the war, and so they transported the horse into their city. At night, the Spartan soldiers broke out of the wooden horse and opened the gates for their soldiers, who eventually destroyed the city of Troy.
Taking a cue from Greek mythology, a computer Trojan is defined as a "malicious, security-breaking program that is disguised as something benign." A computer Trojan horse is used to enter a victim's computer undetected, granting the attacker unrestricted access to the data stored on that computer and causing immense damage to the victim. For example, a user downloads what appears to be a movie or a music file, but when he or she runs it, it unleashes a dangerous program that may erase the unsuspecting user's disk and send his or her credit card numbers and passwords to a stranger. A Trojan can also be wrapped into a legitimate program, meaning that this program may have hidden functionality that the user is unaware of.
In another scenario, a victim's computer may be used, without his or her knowledge, as an intermediary to attack others. Attackers can use the victim's computer to commit illegal denial-of-service attacks such as those that virtually crippled the DALnet IRC network for months on end. (DALnet is an Internet Relay Chat (IRC) network; IRC is a form of instant communication over the Internet.)
Trojan horses run with the same privileges as the victim user. If the victim has the privileges, the Trojan can delete files, transmit information, modify existing files, and install other programs (such as programs that provide unauthorized network access and execute privilege-elevation attacks). The Trojan horse can also attempt to exploit a vulnerability to increase its level of access beyond that of the user running it. If successful, it can operate with increased privileges and may install other malicious code on the victim's machine.
A compromise of any system on a network may affect the other systems on the network. Systems that transmit authentication credentials such as passwords over shared networks in clear text or in a trivially encrypted form are particularly vulnerable. If a system on such a network is compromised, the intruder may be able to record user names and passwords or other sensitive information.
Additionally, a Trojan, depending on the actions it performs, may falsely implicate the remote system as the source of an attack by spoofing and, thereby, cause the remote system to incur liabilities.

Purpose of Trojans
Trojan horses are dangerous malicious programs that affect computer systems without the victim's knowledge. The purposes of a Trojan include:
- Delete or replace the operating system's critical files
- Generate fake traffic to create DoS attacks
- Download spyware, adware, and malicious files
- Record screenshots, and audio and video of the victim's PC
- Steal information such as passwords, security codes, and credit card information using keyloggers
- Disable firewalls and antivirus software
- Create backdoors to gain remote access
- Use a victim's PC as a proxy server for relaying attacks
- Use a victim's PC as part of a botnet to perform DDoS attacks
- Use a victim's PC for spamming and blasting email messages

What Do Trojan Creators Look For?
Trojans are written to steal information from other systems and to exercise control over them. Trojans look for the target's personal information and, if found, return it to the Trojan writer (attacker). They can also allow attackers to take full control over a system.
Trojans are not solely used for destructive purposes; they can also be used for spying on someone's machine and accessing private and/or sensitive information.

Trojans are created for the following reasons:
- To steal sensitive information, such as:
  - Credit card information, which can be used for domain registration, as well as for shopping.
  - Account data such as email passwords, dial-up passwords, and web services passwords. Email addresses also help attackers to spam.
  - Important company projects including presentations and work-related papers could be the targets of these attackers, who may be working for rival companies.
- Attackers can use the target's computers for storing archives of illegal materials, such as child pornography. The target can continue to use their computer, and have no idea about the illegal activities for which their computer is being used.
- Attackers can use the target computer as an FTP server for pirated software.
- Script kiddies may just want to have fun with the target's system. They might plant a Trojan in the system, which then starts acting strangely: the CD tray opens and closes frequently, the mouse functions improperly, etc.
The compromised system might be used for other illegal purposes, and the target would be held responsible for all illegal activities, if the authorities discover them.

Indications of a Trojan Attack
A Trojan is software designed to steal data and demolish your system. It creates a backdoor through which attackers can intrude into your system in stealth mode. If the system is not safeguarded, it is vulnerable to the Trojan and attackers can easily launch their attack on it. Trojans can enter your system using various means such as email attachments, downloads, instant messages, open ports, etc. The following are some of the indications that you may notice on your system when it is attacked by a Trojan:
- CD-ROM drawer opens and closes by itself
- Computer browser is redirected to unknown pages
- Strange chat boxes appear on the target's computer
- Documents or messages are printed from the printer
- Functions of the right and left mouse buttons are reversed
- Abnormal activity by the modem, network adapter, or hard drive
- Account passwords are changed, or unauthorized access occurs
- Strange purchase statements appear in the credit card bills
- The ISP complains to the target that his or her computer is IP scanning
- People know too much personal information about a target
Though Trojans run in stealth mode, they exhibit some characteristics by which you can determine whether a Trojan is present on your computer. The following are typical symptoms of a Trojan horse infection:
- Antivirus software is disabled or does not work properly
- The taskbar disappears
- Windows color settings change
- Computer screen flips upside down or inverts
- Screensaver settings change automatically
- Wallpaper or background settings change
- Windows Start button disappears
- Mouse pointer disappears or moves by itself
- The computer shuts down and powers off by itself
- Ctrl+Alt+Del stops working
- Repeated crashes, or programs open/close unexpectedly
- The computer monitor turns itself off and on

Common Ports Used by Trojans
IP ports play an important role in connecting your computer to the Internet and surfing the web, downloading information and files, running software updates, and sending and receiving emails and messages so that you can connect to the world. Each computer has unique sending and receiving ports for each function.
Users need a basic understanding of what an "active connection" is and of the ports commonly used by Trojans in order to determine whether the system has been compromised.
Connections can be in different states, but the "listening" state is the important one in this context. A port is in the listening state when a program on the system has bound it and is waiting for another system to connect. Trojans return to the listening state when the system is rebooted. Some Trojans use more than one port, as one port may be used for "listening" and the other(s) for data transfer.

How to Infect Systems Using a Trojan
By installing a Trojan, an attacker can remotely control both the hardware and the software of the system. When a Trojan is installed on the system, not only is the data on it exposed to threats; there is also a chance that the attacker can use it to perform attacks on third-party systems. Attackers infect systems with Trojans in many ways:
- Trojans are included in bundled shareware or downloadable software. When a user downloads those files, the Trojan is installed onto the system automatically.
- Users are tricked with various pop-up ads. The ad is programmed by the attacker in such a way that it does not matter whether the user clicks YES or NO; a download starts and the Trojan is installed onto the system automatically.
- Attackers send Trojans as email attachments. When those attachments are opened, the Trojan is installed on the system.
- Users are sometimes tempted to click on different kinds of files such as greeting cards, porn videos, images, etc., whereupon the Trojan is silently installed on the system.

The step-by-step process for infecting machines using a Trojan is as follows:
Step 1. Create a new Trojan packet using a Trojan Horse Construction Kit.
Step 2. Create a dropper, which is the part of a Trojanized packet that installs the malicious code on the target system.
Step 3. Create a wrapper. Using tools such as petite.exe, Graffiti.exe, EliteWrap, etc., a wrapper is created that installs the Trojan on the victim's computer.
Step 4. Propagate the Trojan. Computer virus propagation (spreading) can be done through various methods:
- An automatic execution mechanism: traditionally the virus was spread through floppy disks, and it is now spread through various external devices. Once the computer is booted, the virus automatically spreads over the computer.
- Viruses can also be propagated through email, Internet chats, network sharing, P2P file sharing, network redirecting, or hijacking.
Step 5. Execute the dropper. Attackers use a dropper to disguise their malware. The user is misled into believing that all the files are genuine or known files. Once the dropper is loaded onto the host computer, it helps other malware to load and perform its task.
Step 6. Execute the damage routine. Most computer viruses contain a damage routine that delivers the payload. A payload sometimes just displays some images or messages, whereas other payloads can delete files, reformat hard drives, or cause other damage.

Wrappers
Source: http://www.objs.com
Wrappers are used to bind the Trojan executable with a genuine-looking .EXE application such as a game or an office application. When the user runs the wrapped EXE, it first installs the Trojan in the background and then runs the wrapping application in the foreground. The attacker can compress any (DOS/WIN) binary with tools such as petite.exe; this tool decompresses a compressed EXE file at runtime. This makes it possible for the Trojan to get in virtually undetected, since most antivirus software is not able to detect the signatures in the compressed file.
The attacker can also place several executables inside one executable. These wrappers may also support functions such as running one file in the background while another one is running on the desktop.
Technically speaking, wrappers can be considered another type of software "glueware" used to bind other software components together. A wrapper encapsulates components into a single data source to make it usable in a more convenient fashion than the original unwrapped source.
Users can be tricked into installing Trojan horses by being enticed or frightened. For instance, a Trojan horse might arrive in an email described as a computer game. When the user receives the mail, the description of the game may entice him or her to install it. Although it may, in fact, be a game, it may also be taking other action that is not readily apparent to the user, such as deleting files or mailing sensitive information to the attacker. In another instance, an attacker sends a birthday greeting that installs a Trojan while the user watches, for example, a birthday cake dancing across the screen.

Fake Programs
- Attackers can easily lure a victim into downloading free programs that are suitable for their needs and loaded with features such as an address book, access to check several POP3 accounts, and many other functions that make it seem even better than the currently used email client.
- The victim downloads the program and marks it as TRUSTED, so that the protection software fails to alert him or her about the new software being used. The email and POP3 account passwords are mailed directly to the attacker's mailbox without anyone noticing. Cached passwords and keystrokes can also be mailed. The aim is to gather ample information and send it to the attacker.
- In some cases, an attacker may have complete access to a system, but what the attacker does depends on his or her ideas about how to use the hidden program's functions. While sending email and using port 25 or 110 for POP3, these could be used for connections from the attacker's machine (not at home, of course, but from another hacked machine) to connect and use the hidden functions they implemented in the used email client. The idea here is to offer a program that requires a connection with a server be established.
- Attackers thrive on creativity. Consider the example of a fake Audiogalaxy, which is a site for downloading MP3s. An attacker generates such a site by using 15 GB of space on his system to place a large archive of MP3s there. In addition, some other systems are configured in the same fashion. This is done to fool users into thinking that they are downloading from other people who are spread across the network. The software acts as a backdoor and will infect thousands of naive users on ADSL connections.
- Some fake programs have hidden code but still maintain a professional look. Their websites link to anti-Trojan software, thus fooling users into trusting them. Included in the setup is a readme.txt. This can deceive almost any user, so proper attention needs to be given to any freeware before it is downloaded.

Shrink-Wrapped Software
Legitimate "shrink-wrapped" software packaged by a disgruntled employee can contain Trojans.
Via Attachments
When unaware web users receive an email saying they will get free porn or free Internet access if they run an attached .exe file, they might run it without completely understanding the risk to their machines.
- Example:
- A user has a good friend who is carrying out some research and wants to know about a topic related to his friend's field of research. He sends an email to his friend asking about the topic and waits for a reply. The attacker targeting the user also knows his friend's email address. The attacker will simply code a program to fake the email From: field and make it appear to be the friend's email address, but it will include the TROJANED attachment. The user will check his email, and see that his friend has answered his query in an attachment, and download and run it without thinking that it might be a Trojan. The end result is an infection.
- Trash email with the subject line "Microsoft IE Update" without viewing it.
- Some email clients, such as Outlook Express, have bugs that automatically execute the attached files.

Untrusted Sites and Freeware Software
- A site located at a free web space provider, or one just offering programs for illegal activities, can be considered suspicious. There are many underground sites such as NeuroticKat Software. It is highly risky to download any program or tool located on such a suspicious site, since it can serve as a conduit for a Trojan attack on a victim's computer. No matter what software you use, are you ready to take that risk?
- Many sites are available that have a professional look and contain huge archives. These sites are full of feedback forms and links to other popular sites. Users must take the time to scan such files before downloading them, so that it can be determined whether they are coming from a genuine site or a suspicious one.
- Software such as mIRC, ICQ, PGP, or any other popular software must be downloaded from its original (or official dedicated mirror) site, and not from any other website that may have links to download supposedly the same software.
- Webmasters of well-known security portals, who have vast archives with various "hacking" programs, should be responsible for the files they provide and scan them often with antivirus and anti-Trojan software to guarantee that the site is "free of Trojans and viruses." Suppose an attacker submits a program infected with a Trojan, e.g., a UDP flooder, to the webmaster for the archive; if the webmaster is not alert, the attacker may exploit the webmaster's irresponsibility to infect the site's files with a Trojan.
- Users who deal with any kind of software or web application should scan their systems on a daily basis. If they detect any new file, it should be examined. If any suspicion arises regarding the file, it must be forwarded to software detection labs for further analysis.
- It is easy to infect machines using freeware programs. "Free is not always the best," and hence these programs are hazardous to systems.

NetBIOS (File Sharing)
If port 139 on the system is open, i.e., file sharing is enabled, it can be used by others to access the system, install trojan.exe, and modify system files.
The attacker can also use a DoS attack to shut down the system and force a reboot, so that the Trojan can restart itself immediately. To block file sharing in Windows ME, go to:
Start -> Settings -> Control Panel -> Network -> File and Print Sharing
- Uncheck the boxes there. This will prevent NetBIOS abuse.

How to Deploy a Trojan
A Trojan is the means by which an attacker gains access to the victim's system. To gain control over the victim's machine, an attacker creates a Trojan server and then sends the victim an email containing a link to it. Once the victim clicks on the link, he or she is connected directly to the Trojan server, which sends a Trojan to the victim's system. The Trojan is installed, infecting the victim's machine, and as a result the victim is connected to the attack server unknowingly. Once the victim connects to the attacker's server, the attacker takes complete control over the victim's system and performs any action he or she chooses. If the victim carries out any online transaction or purchase, the attacker can easily steal sensitive information such as credit card details, account information, etc. In addition, attackers can use the victim's machine as the source for launching attacks on other systems.
Computers typically get infected by users clicking on a malicious link or opening an email attachment that installs a Trojan on their computers that serves as a back door to criminals who can then command the computer to send spam email.

Evading Antivirus Techniques
The following are the various techniques used by Trojans, viruses, and worms to evade most antivirus software:
1. Never use Trojans downloaded from the web (antivirus detects these easily).
2. Write your own Trojan and embed it into an application.
3. Change the Trojan's syntax:
   - Convert an EXE to VB script
   - Convert an EXE to a DOC file
   - Convert an EXE to a PPT file
4. Change the checksum.
5. Change the content of the Trojan using a hex editor.
6. Break the Trojan file into multiple pieces.

Command Shell Trojan: Netcat
Using Netcat, an attacker can set up a port or a backdoor that will allow him or her to telnet into a DOS shell. With a simple command such as C:\>nc -L -p 5000 -t -e cmd.exe, the attacker can bind cmd.exe to port 5000. With Netcat, the user can create outbound or inbound connections, TCP or UDP, to or from any port. It provides full DNS forward/reverse checking, with appropriate warnings. Additionally, it provides the ability to use any local source port and any locally configured network source address, and it comes with built-in port-scanning capabilities. It has a built-in loose source-routing capability and can read command-line arguments from standard input. Another feature is the ability to let another program service established connections.
In the simplest usage, "nc host port" creates a TCP connection to the given port on the given target host. The standard input is then sent to the host, and anything that comes back across the connection is sent to the standard output. This continues indefinitely, until the network side of the connection shuts down. This behavior is different from most other applications, which shut everything down and exit after an end-of-file on the standard input. Netcat can also function as a server by listening for inbound connections on arbitrary ports, and then doing the same reading and writing. With minor limitations, Netcat does not really care if it runs in client or server mode; it still moves data back and forth until there is none left. In either mode, shutdown can be forced after a configurable time of inactivity on the network side.
Features:
- Outbound or inbound connections, TCP or UDP, to or from any port
- Full DNS forward/reverse checking, with appropriate warnings
- Ability to use any local source port
- Ability to use any locally configured network source address
- Built-in port-scanning capabilities, with randomizer
- Built-in loose source-routing capability
- Can read command-line arguments from standard input
- Slow-send mode, one line every N seconds
- Hex dump of transmitted and received data
- Optional ability to let another program service established connections
- Optional telnet-options responder, using the command nc -l -p 23 -t -e cmd.exe, where 23 is the telnet port, the -l option is to listen, the -e option is to execute, and the -t option tells Netcat to handle any telnet negotiation the client might expect.
Netcat is a utility for reading from and writing to network connections over the TCP and UDP protocols. Used as a Trojan, it opens a TCP or UDP port on a target system, through which attackers gain access to the system with the help of Telnet.
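The listening-state discussion in the Common Ports section and the Netcat bind-shell example above point to the same defender's check: enumerate the sockets in the listening state, join each one to the process that owns it, and flag those owned by a command interpreter or sitting on a watched port. The script below is an added example written for this page, not code from the original text or from the Netcat project. It parses a constructed sample of Windows netstat -ano output and a constructed PID-to-image map (what tasklist would supply); the watch-list of ports and the set of shell image names are assumptions for the demo.

```python
from collections import namedtuple

# Constructed sample of "netstat -ano" output from a Windows host (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49712     93.184.216.34:443      ESTABLISHED     2044
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       3388
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID -> image name map, as "tasklist" would report it (also not real).
PROCESS_SAMPLE = {812: "svchost.exe", 4: "System", 3120: "nc.exe",
                  2044: "chrome.exe", 3388: "cmd.exe"}

# Ports the text associates with a Netcat shell (23 and 5000); the list itself is an assumption.
WATCHED_PORTS = {23, 5000}
# Image names that should never own a listening socket on a workstation (assumed policy).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "nc.exe", "ncat.exe"}

Listener = namedtuple("Listener", "proto port pid image")


def parse_listeners(netstat_text, processes):
    """Return the listening sockets in netstat output, each joined to its owning image."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header line or blank
        proto, local = fields[0], fields[1]
        if proto == "TCP":
            # TCP rows: Proto Local Foreign State PID; keep only LISTENING sockets.
            if len(fields) != 5 or fields[3] != "LISTENING":
                continue
            pid = int(fields[4])
        else:
            # UDP rows carry no state column; every bound UDP socket can receive data.
            if len(fields) != 4:
                continue
            pid = int(fields[3])
        port = int(local.rsplit(":", 1)[1])
        listeners.append(Listener(proto, port, pid, processes.get(pid, "<unknown>")))
    return listeners


def suspicious_listeners(listeners):
    """Return (listener, reason) pairs for sockets that violate the assumed policy."""
    findings = []
    for lsn in listeners:
        reasons = []
        if lsn.image.lower() in SHELL_IMAGES:
            reasons.append("listening socket owned by a command interpreter")
        if lsn.port in WATCHED_PORTS:
            reasons.append("port on the Trojan watch-list")
        if reasons:
            findings.append((lsn, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for lsn, why in suspicious_listeners(parse_listeners(NETSTAT_SAMPLE, PROCESS_SAMPLE)):
        print(f"{lsn.proto}/{lsn.port} pid={lsn.pid} ({lsn.image}): {why}")
```

On a real host, feed the script the output of netstat -ano and a PID map built from tasklist; the process join is what separates a legitimate service on port 5000 from a shell bound to it, since a port number alone proves nothing.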

Defacement Trojans: Restorator
Source: http://www.bome.com
Restorator is a versatile skin editor for any Win32 program. The tool can modify the user interface of any Windows 32-bit program and thus create User-styled Custom Applications (UCAs). You can view, extract, add, remove, and change images, icons, text, dialogs, sounds, videos, version information, and menus in almost all programs.
Technically speaking, it allows you to edit the resources in many file types, for example .ocx (ActiveX), .scr (Screen Saver), and others. The attacker can distribute modifications in a small, self-executing file. It is a standalone program that redoes the modifications made to a program. Its Grab function allows you to retrieve resources from files on a target's disk.
Restorator is the Bome flagship product for resource editing (resources are application-dependent data that the respective programmer includes in the program). It is a utility for editing Windows resources in applications and their components, e.g., files with .exe, .dll, .res, .re, and .dcr extensions. You can use this for translation/localization, customization, design improvement, and development. This resource editor comes with an intuitive user interface. You can replace logos and can control resource files in the software development process. It can intrude into the target's system and its working programs.

Botnet Trojans
A botnet is a collection of software robots (worms, Trojan horses, and backdoors) that run automatically. The term refers to a collection of compromised machines running programs under a common command and control infrastructure; the botnet's originator (the attacker) can control the group remotely. These are computers (a group of zombie computers) infected by worms or Trojans, taken over surreptitiously by attackers, and brought into networks to send spam, distribute more viruses, or launch denial-of-service attacks. Each such computer has been infected and taken over by an attacker using a virus, Trojan, or other malware.
Botnet owners usually target educational, government, military, and other networks. With the help of botnets, attacks like denial of service, creation or misuse of SMTP mails, click fraud, theft of application serial numbers, login IDs, credit card numbers, etc. are performed.

HTTP/HTTPS Trojans
HTTP/HTTPS Trojans can bypass any firewall, and work in the reverse way of a straight HTTP tunnel. They use web-based interfaces and port 80. These Trojans are executed on the internal host and spawn a child every day at a certain time. The child program appears to the firewall to be a user, so the firewall allows it to access the Internet. However, this child program executes a local shell, connects to the web server that the attacker owns on the Internet through a legitimate-looking HTTP request, and sends it a ready signal. The legitimate-looking answer from the attacker's web server is in reality a series of commands that the child can execute on the machine's local shell. All traffic is converted into a Base64-like structure and given as the value of a CGI string, so the attacker can avoid detection. The following is an example of a connection:

Slave: GET /cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxEdblHe7krj HTTP/1.0
Master replies with: gSmAifbknz

The GET of the internal host (SLAVE) is just the command prompt of the shell; the answer is an encoded "ls" command from the attacker on the external server (MASTER). The SLAVE tries to connect daily at a specified time to the MASTER. If needed, a child is spawned, because if the shell hangs, the attacker can check and fix it the next day. In case the administrator sees connections to the attacker's server and connects to it himself, the administrator just sees a broken web server, because there is a token (password) in the encoded CGI GET request. WWW proxies (e.g., squid, a full-featured web proxy cache) are supported. The program masks its name in the process listing. The master and slave programs are reasonably small, just 260 lines per file. Usage is easy: edit rwwwshell.pl for the correct values, execute "rwwwshell.pl slave" on the SLAVE, and run "rwwwshell.pl" on the MASTER just before the time at which the slave tries to connect.
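The daily, Base64-looking CGI request described above is exactly what a web proxy log can expose. As an added example (not the page's own code, and not part of rwwwshell), the script below runs two checks over a few constructed proxy log lines: it flags GET requests whose whole query string is one long, high-entropy token with no key=value pairs, and it flags client/URL pairs contacted at a steady roughly 24-hour cadence. The log format, the thresholds, and the hostnames are assumptions for the demo; the first opaque token is the one quoted in the text and the other two are made up.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines, "<timestamp> <client> <method> <url>"; not real traffic.
# The first opaque token is the one quoted in the text; the other two are made up.
PROXY_LOG = [
    "2017-03-01T09:00:02 10.0.0.15 GET http://intranet.example/index.html",
    "2017-03-01T09:00:05 10.0.0.15 GET http://www.example.com/search?q=quarterly+report",
    "2017-03-01T23:00:00 10.0.0.15 GET http://attacker-web.example/cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxEdblHe7krj",
    "2017-03-02T23:00:01 10.0.0.15 GET http://attacker-web.example/cgi-bin/order?gSmAifbknzQ3vL9pRtuWxYz1Ab2CdEfGhIjKlMnOpQ",
    "2017-03-03T23:00:00 10.0.0.15 GET http://attacker-web.example/cgi-bin/order?Zq8bV2nM4kL0pXyT7wRe1sDf6gHjUiOaCb3eNm5vKl",
]

# Thresholds are assumptions chosen for this demo, not values from the original text.
MIN_TOKEN_LEN = 24                    # a bare query token this long is unusual for a browser
MIN_ENTROPY = 4.0                     # bits per character; base64-like blobs sit well above this
BEACON_PERIOD = timedelta(hours=24)   # the text describes a daily check-in
BEACON_TOLERANCE = timedelta(minutes=5)


def shannon_entropy(text):
    """Bits per symbol: 0 for a repeated character, near 6 for dense base64."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_log(lines):
    """Yield (timestamp, client, host, path, query) for every GET line."""
    for line in lines:
        ts, client, method, url = line.split(" ", 3)
        if method != "GET":
            continue
        parts = urlsplit(url)
        yield datetime.fromisoformat(ts), client, parts.netloc, parts.path, parts.query


def opaque_queries(lines):
    """Requests whose entire query string is one long, high-entropy token with no key=value."""
    hits = []
    for _, client, host, path, query in parse_log(lines):
        if "=" in query or len(query) < MIN_TOKEN_LEN:
            continue
        entropy = shannon_entropy(query)
        if entropy >= MIN_ENTROPY:
            hits.append((client, host + path, round(entropy, 2)))
    return hits


def beacons(lines):
    """(client, host+path) pairs requested at a steady ~24 h cadence, three or more times."""
    seen = defaultdict(list)
    for ts, client, host, path, _ in parse_log(lines):
        seen[(client, host + path)].append(ts)
    found = []
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if len(gaps) >= 2 and all(abs(g - BEACON_PERIOD) <= BEACON_TOLERANCE for g in gaps):
            found.append(key)
    return found


if __name__ == "__main__":
    for client, url, entropy in opaque_queries(PROXY_LOG):
        print(f"opaque query: {client} -> {url} (entropy {entropy})")
    for client, url in beacons(PROXY_LOG):
        print(f"daily beacon: {client} -> {url}")
```

Neither check is conclusive alone: plenty of legitimate sites pass opaque tokens, and scheduled software updates also beacon. The combination, a bare high-entropy token on a fixed daily schedule to a host nobody else on the network visits, is what merits a look at the internal host.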

ICMP Tunneling
The concept of ICMP tunneling is simple: arbitrary information can be tunneled in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets. ICMP_ECHO traffic can therefore carry a covert channel created by tunneling. Network devices do not filter the contents of ICMP_ECHO traffic; they simply pass, drop, or return the packets, which makes the use of this channel attractive to hackers.
The Trojan packets themselves masquerade as common ICMP_ECHO traffic. The packets can encapsulate (tunnel) any required information.
Covert channels are methods by which an attacker hides data inside a protocol in a way that is not detectable. They rely on techniques called tunneling, which allow one protocol to be carried over another protocol. A covert channel is defined as a vessel through which information can pass, and it is generally not used for information exchanges. Therefore, covert channels cannot be detected by using standard system security methods. Any process or bit of data can be a covert channel. This makes it an attractive mode of transmission for a Trojan, since an attacker can use the covert channel to install a backdoor on the target machine.
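The ICMP covert channel described above is detectable precisely because the stock ping tools send predictable data. The script below is an added example, not code from the original text: it parses raw ICMP echo packets, verifies the RFC 1071 checksum, and reports a packet as anomalous when its payload is neither the 32-byte alphabet pattern that Windows ping sends nor the 56-byte timestamp-plus-incrementing-bytes pattern that iputils ping sends. Both baselines are assumptions modelled on those tools (adjust them to what your hosts actually send), and the sample packets are constructed inline.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

# Baseline payloads, assumed for this demo and modelled on the stock ping tools:
#   Windows ping sends 32 bytes of a repeating alphabet;
#   iputils ping sends 56 bytes where the first 16 hold a timestamp and the rest
#   are the byte offsets themselves (0x10, 0x11, ..., 0x37).
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_TAIL = bytes(range(16, 56))


def icmp_checksum(data):
    """RFC 1071 ones'-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Assemble an ICMP echo/reply packet with a valid checksum (used for the samples)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet):
    """Return (type, ident, seq, payload), or None for anything but a well-formed echo."""
    if len(packet) < 8:
        return None
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        return None
    # Recompute the checksum with the checksum field zeroed and compare.
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != csum:
        return None
    return icmp_type, ident, seq, packet[8:]


def looks_like_stock_ping(payload):
    """True when the payload matches one of the assumed ping baselines exactly."""
    if payload == WINDOWS_PATTERN:
        return True
    return len(payload) == 56 and payload[16:] == LINUX_TAIL


def classify(packet):
    """'baseline' for an ordinary ping, 'anomalous-payload' for anything else."""
    parsed = parse_echo(packet)
    if parsed is None:
        return "malformed"
    _, _, _, payload = parsed
    return "baseline" if looks_like_stock_ping(payload) else "anomalous-payload"


# Constructed sample packets: two ordinary pings and two that carry tunnelled text.
WINDOWS_PING = build_echo(ICMP_ECHO_REQUEST, 1, 1, WINDOWS_PATTERN)
LINUX_PING = build_echo(ICMP_ECHO_REQUEST, 0x1234, 7, bytes(16) + LINUX_TAIL)
TUNNEL_REQUEST = build_echo(ICMP_ECHO_REQUEST, 0x1234, 8, b"id\n".ljust(32, b"\x00"))
TUNNEL_REPLY = build_echo(ICMP_ECHO_REPLY, 0x1234, 8, b"uid=0(root) gid=0(root)\n")

if __name__ == "__main__":
    for name, pkt in [("windows ping", WINDOWS_PING), ("linux ping", LINUX_PING),
                      ("tunnel request", TUNNEL_REQUEST), ("tunnel reply", TUNNEL_REPLY)]:
        print(f"{name}: {classify(pkt)}")
```

Payload entropy is not a useful signal here: the iputils baseline is itself a run of distinct bytes, so a whitelist of the payload shapes your hosts really emit, combined with size and rate limits on echo traffic at the perimeter, is the practical approach.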

Remote Access Trojans
Remote access Trojans provide attackers with full control over the target's system and enable them to remotely access files, private conversations, accounting data, and so on in the target's machine. The remote access Trojan acts as a server, and listens on a port that is not supposed to be available to Internet attackers. Therefore, if the target is behind a firewall on the network, there is less chance that a remote attacker would be able to connect to the Trojan. Attackers on the same network, located behind the firewall, can easily access the Trojan.
Examples include the Back Orifice and NetBus Trojans. Another example, the Bugbear virus that hit the Internet in September 2002, installed a Trojan horse on targets' systems, giving remote attackers access to sensitive data.
This Trojan works like remote desktop access. The attacker gains complete GUI access to the remote system.
The process is as follows:
1. The attacker infects the target's (Rebecca's) computer with server.exe, planting a reverse-connecting Trojan.
2. The Trojan connects to port 80 of the attacker in Russia, establishing a reverse connection.
  
E-banking Trojans
E-banking Trojans are very dangerous and have become a major threat to banking transactions performed online. This Trojan is installed on the victim's computer when he or she opens an email attachment or clicks on an advertisement after logging in to the banking site. The Trojan is preprogrammed with a minimum and a maximum amount to steal, so it does not withdraw all the money from the account. The Trojan then creates screenshots of the bank account statement; the victims are not aware of this type of fraud and think that there is no variation in their bank balance unless they check the balance from other systems or from an ATM. Only when they check the balance there will the differences be noticed.
Here the attacker first creates malicious advertisements and publishes them on genuine websites. When the victim accesses the infected website, it automatically redirects him or her to a website from which an exploit kit is loaded onto the victim's system. The exploit kit thus lets the attacker control what is loaded on the victim's system and is used for installing a Trojan horse. This malware is highly obfuscated and can be detected by only a few antivirus systems. The victim's system is now part of a botnet, and the Trojan easily sends and receives instructions from the command and control server without the victim's knowledge. When the victim accesses his or her bank account from the infected system, all the sensitive information used by the victim in accessing the account, such as login credentials (user name and password), phone number, security number, date of birth, etc., is sent to the command and control server by the Trojan. If the victim accesses the transaction section of the banking website to perform an online transaction, then the data the victim enters on the transaction form is sent to the command and control server instead of to the bank website. The command and control server analyzes and decodes the information and identifies suitable money mule bank accounts. The Trojan then receives instructions from the command and control server to submit the transaction form, as modified by the command and control server, to the bank so that the money is transferred to the mule account. Confirmation from the bank of the successful or failed transfer is also reported by the Trojan to the command and control server.

Banking Trojan Analysis
A banker Trojan is a malicious program that lets an attacker obtain personal information from users and clients of online banking and payment systems.
Banking Trojans rely on three basic techniques:
TAN Grabber: A Transaction Authentication Number (TAN) is a single-use password used to authenticate an online banking transaction. The Trojan specifically targets online banking services that depend on TANs. When the victim enters a TAN, the Trojan captures it and replaces it with a random, incorrect number, which the bank rejects. The Trojan filters the page content so that the substituted number looks correct to the target, who simply sees a failed transaction. The attacker can then use the intercepted, still-unused TAN together with the target's login details.
HTML Injection: This type of Trojan inserts extra fields into the bank's own pages inside the victim's browser, so the page still carries the genuine address and certificate. The extra fields are used by the attacker to collect the target's account details, credit card number, date of birth and so on. Attackers can use this information to impersonate the target and compromise the account.
Form Grabber: This technique captures data from web forms inside the browser, after the user types it but before the browser encrypts it for transmission, so it works across browsers and is not defeated by HTTPS. It is highly effective at collecting the target's IDs, passwords and other sensitive information.
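The flow described above (malicious advertisement, form data diverted to the C2 server, transfer rewritten to a mule account, statement doctored) and the three techniques just listed can be shown together in one small model. The following Python is an added example, not code from this page or from any real Trojan: it is plain string handling over constructed bank pages and requests, hooks nothing, and stands in for the browser hooks a real man-in-the-browser Trojan installs. The page paths, form fields, web-inject configuration, amount range and the two IBANs (the standard documentation examples) are all assumptions.

```python
"""Model of the banking-Trojan data flow: web inject, form/TAN grabbing, transfer
redirection and statement doctoring. Added example; pure string handling over
constructed pages and requests, not code from the page or any real malware."""
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed bank pages (not from a real bank).
LOGIN_PAGE = ('<form action="/login" method="post"><input name="user">'
              '<input name="pass" type="password"><button>Sign in</button></form>')
STATEMENT_PAGE = ('<table><tr><td>Transfer to</td><td>{to}</td><td>-{amt:.2f}</td></tr>'
                  '<tr><td>Balance</td><td colspan="2">{bal:.2f}</td></tr></table>')

# Configuration a real Trojan would fetch from its C2 server; the values are assumptions.
WEB_INJECTS = {"/login": ("<button>", '<input name="card_no"><input name="dob"><button>')}
MULE_ACCOUNT = "DE89370400440532013000"     # mule IBAN (documentation example, assumed)
MIN_TAKE, MAX_TAKE = 50.0, 500.0            # only divert transfers inside this range


def html_inject(path, html, injects=WEB_INJECTS):
    """HTML injection: add fields the bank never asked for before the page is rendered."""
    if path in injects:
        needle, replacement = injects[path]
        return html.replace(needle, replacement, 1)
    return html


def grab_and_spoil_tan(fields):
    """TAN grabber: keep the real one-time TAN and send the bank a wrong one, so the bank
    rejects it and the real TAN stays usable by the attacker. Loops so the fake can never
    accidentally equal the real one."""
    real = fields["tan"]
    fake = real
    while fake == real:
        fake = f"{secrets.randbelow(10**6):06d}"
    return real, {**fields, "tan": fake}


def redirect_transfer(fields, mule=MULE_ACCOUNT, lo=MIN_TAKE, hi=MAX_TAKE):
    """Rewrite the beneficiary of a transfer whose amount is inside the configured range.
    Returns (original_fields or None, fields_to_send)."""
    try:
        amount = float(fields.get("amount", ""))
    except ValueError:
        return None, fields                  # malformed amount: leave the request untouched
    if lo <= amount <= hi and fields.get("beneficiary") not in (None, mule):
        return dict(fields), {**fields, "beneficiary": mule}
    return None, fields


def mask_statement(html, original, mule=MULE_ACCOUNT):
    """Doctor the statement so the victim sees the transfer they intended, not the mule."""
    return html.replace(mule, original["beneficiary"])


class Trojan:
    """Ties the pieces together the way a man-in-the-browser hook pair would."""

    def __init__(self):
        self.grabbed = []      # (path, fields) records destined for the C2 server
        self.hidden = None     # the diverted transfer, needed to doctor later statements

    def on_request(self, path, body):
        """Runs on the plaintext POST body, before the browser encrypts it."""
        fields = {k: v[0] for k, v in parse_qs(body).items()}
        self.grabbed.append((path, dict(fields)))   # form grabber: every field, injected ones too
        if path == "/transfer":
            original, fields = redirect_transfer(fields)
            if original is not None:
                self.hidden = original
        return urlencode(fields)

    def on_response(self, path, html):
        """Runs on the decrypted response, before the browser renders it."""
        html = html_inject(path, html)
        if path == "/statement" and self.hidden:
            html = mask_statement(html, self.hidden)
        return html


def run_scenario():
    """Walk one victim session through the Trojan; report what bank and victim each saw."""
    t = Trojan()
    seen_login = t.on_response("/login", LOGIN_PAGE)
    t.on_request("/login", "user=alice&pass=hunter2&card_no=4111111111111111&dob=1980-01-01")
    sent = t.on_request("/transfer", "beneficiary=GB33BUKB20201555555555&amount=120.00")
    bank_view = parse_qs(sent)["beneficiary"][0]
    victim_view = t.on_response("/statement", STATEMENT_PAGE.format(to=bank_view, amt=120.0, bal=880.0))
    return {"injected": "card_no" in seen_login, "bank_sees": bank_view,
            "victim_sees": "GB33BUKB20201555555555" in victim_view and MULE_ACCOUNT not in victim_view,
            "grabbed_card": t.grabbed[0][1]["card_no"]}


if __name__ == "__main__":
    print(run_scenario())
```

Everything the victim sees passes through the Trojan in both directions, which is why a confirmation shown in the same browser proves nothing. A TAN bound to the transaction details and displayed on a separate device (beneficiary and amount shown on a card reader or phone before approval) defeats both the TAN swap and the beneficiary rewrite, because the victim would see the mule account before approving.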

Credit Card Trojans
Credit card Trojans, once installed on the victim's system, collect details such as credit card numbers and recent billing information. They then present a fake online banking registration form and make the card holder believe it is a genuine request from the bank. Once the user enters the requested information, the attackers collect it and use the card for their own purposes without the victim's knowledge.
Credit card Trojans steal card-related data such as the card number, the CVV2 code and billing details. They trick users into visiting fake e-banking websites and entering personal information there. The Trojan's server component then transmits the stolen data to the remote attackers by e-mail, FTP, IRC or other channels.

Data Hiding Trojans (Encrypted Trojans)
Encryption Trojans encrypt the data on the victim's computer and render it unusable: "Your computer caught our software while browsing illegal porn pages; all your documents, text files and databases in the folder My Documents were encrypted with a complex password." Attackers demand a ransom, or force victims to make purchases from their online drugstores, in return for the password that unlocks the files: "Do not try to search for a program that encrypted your information - it simply does not exist on your hard disk anymore. Pay us the money to unlock the password." The data can be decrypted only by the attacker, who demands money or forces the user to buy from a few websites in exchange for decryption. From the victim's side there is no way to verify that the attacker holds a working key or will hand it over after payment; the only reliable recovery is restoring from backups kept offline, where the Trojan could not reach them.

How to Detect Trojans
Trojans are malicious programs that masquerade as useful or legitimate files, but their actual purpose is to take control of your computer and with it your files and confidential information. To prevent such unauthorized access and protect your files and personal information, use an antivirus product that automatically scans for and detects Trojans on your system; you can also check for installed Trojans manually. The following are the steps for detecting Trojans:
 1.  Scan for suspicious OPEN PORTS
 2.  Scan for suspicious RUNNING PROCESSES
 3.  Scan for suspicious REGISTRY ENTRIES
 4.  Scan for suspicious DEVICE DRIVERS installed on the computer
 5.  Scan for suspicious WINDOWS SERVICES
 6.  Scan for suspicious STARTUP PROGRAMS
 7.  Scan for suspicious FILES and FOLDERS
 8.  Scan for suspicious NETWORK ACTIVITIES
 9.  Scan for suspicious modification to OPERATING SYSTEM FILES
 10. Run a Trojan SCANNER to detect Trojans

Trojan Countermeasures
A Trojan is a malicious program that masquerades as a genuine application. Once activated, a Trojan can erase or replace data on the victim's computer, corrupt files, spread viruses, spy on the system and secretly report what it finds, record keystrokes to steal sensitive information such as credit card numbers, user names and passwords, and open a backdoor on the victim's system for malicious activity later on. To prevent such activities and reduce the risk from Trojans, adopt the following countermeasures:
-    Avoid opening e-mail attachments received from unknown senders
-    Block all unnecessary ports at the host and at the firewall
-    Avoid accepting programs transferred over instant messaging
-    Harden weak default configuration settings
-    Disable unused functionality, including protocols and services
-    Monitor internal network traffic for odd ports or unexpected encrypted traffic
-    Avoid downloading and executing applications from untrusted sources
-    Install patches and security updates for the operating system and applications
-    Scan removable media (USB drives, CDs, floppy disks) with antivirus software before use
-    Restrict permissions within the desktop environment so that users cannot install applications
-    Avoid blindly typing commands or running pre-fabricated programs and scripts you do not understand
-    Manage local workstation file integrity through checksums, auditing and port scanning
-    Run local antivirus, firewall and intrusion detection software on the desktop

Pen Testing for Trojans and Backdoors
Step 1: Scan for open ports
Open ports are the primary entry points for attacks. Therefore, when securing your network through pen testing, you should find the open ports and protect them. Unnecessary open ports can be found by scanning for open ports, using tools such as TCPView and CurrPorts, or the built-in netstat -ano command, which also shows the process ID that owns each port.
Step 2: Scan for running processes
Most Trojans do not need the user to start them; they start automatically and do not notify the user. This kind of Trojan can be detected by scanning the running processes. For this you can use tools such as What's Running, which scans your system and lists all currently active programs, processes, services, modules and network connections, and has a separate view for startup programs.
Step 3: Scan for registry entries
Some Trojans run in the background without any notification to the user. To test for such Trojans, scan the registry entries, in particular the autostart locations such as the Run and RunOnce keys under HKLM and HKCU. This can be done with the help of tools such as JV Power Tools and PC Tools Registry Mechanic.
Step 4: Scan for device drivers installed on the computer
To control the hardware, modern operating systems use device drivers. Attackers take advantage of this by delivering Trojans and backdoors as device-driver files; a malicious driver runs in kernel mode and can hide its files, processes and connections from user-mode tools. Trojans spread through device drivers infect the driver files and other processes. Check that loaded drivers are signed and compare the driver list against a known-good baseline.
Step 5: Scan for Windows services
If any Windows service looks suspicious, check the executable it points to. To scan Windows services, you can use tools such as SrvMan and ServiWin.
Step 6: Scan for startup programs
Some Trojans run automatically when Windows starts. Therefore, scan the startup programs using tools such as Starter, Security AutoRun and Autoruns, check the listed entries and confirm that every program in the list is recognized and has a known function.
Step 7: Scan for files and folders
The easiest way for an attacker to compromise a system is with files that carry a Trojan package. Firewalls, IDSes and other security mechanisms may fail to prevent this kind of attack. Therefore, scan all files and folders for Trojans and backdoors, comparing hashes against known-good values, using tools such as FCIV, TRIPWIRE, SIGVERIF, FastSum and WinMD5.
Step 8: Scan for network activities
Network activity such as the upload of bulk files or unusually high traffic to a particular web address may be a sign of a Trojan. You should scan for such network activity. Tools such as Capsa Network Analyzer can be used for this purpose.
Step 9: Scan for modification to OS files
Check critical OS files for modification or manipulation using tools such as TRIPWIRE, or manually compare hash values if you have a known-good backup copy.
Step 10: Run Trojan Scanner to detect Trojans
Trojan scanners such as Trojan Hunter and Emsisoft Anti-Malware are readily available in the market. You can install and run those Trojan scanners to detect Trojans on your system.
Step 11: Document all the findings
Once you have run all possible tests to find Trojans, document the findings of each test for analysis and check whether there is any sign of a Trojan.
Step 12: Isolate the machine from the network
When you find a Trojan on a machine, isolate the machine from the network immediately, before it is used to attack other systems on the network. Then check whether the antivirus software is up to date.

If the antivirus is not up to date, update it and then run a full scan of the system. If it is already up to date and still finds nothing, use a second antivirus or anti-malware product to clean the Trojan.
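Steps 1, 2, 7 and 9 can be worked offline against captured output, which is how an analyst usually handles a suspect machine once it has been isolated. The following Python is an added example, not code from this page or from any of the tools it names: it parses a constructed netstat -ano listing and a constructed CSV export of Get-CimInstance Win32_Process (both labelled as sample data in the code), flags listeners outside an assumed site baseline, binaries running from user-writable directories and system image names running from the wrong place, and keeps a SHA-256 manifest of a directory tree so that modified or added files stand out. The baseline port set and trusted directories are assumptions to be adapted per site.

```python
"""Offline triage for detection steps 1, 2, 7 and 9 (added example, not from the page).
Input is captured output:  netstat -ano   and   Get-CimInstance Win32_Process |
  Select-Object ProcessId,Name,ExecutablePath | Export-Csv procs.csv -NoTypeInformation"""
import csv
import hashlib
import io
import re
import tempfile
from pathlib import Path

# Constructed sample output; not captured from a real incident.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:49712         203.0.113.7:8443       ESTABLISHED     4120
  UDP    0.0.0.0:5353           *:*                                    1480
"""
PROCESS_SAMPLE = """\
ProcessId,Name,ExecutablePath
4,System,
912,svchost.exe,C:\\Windows\\System32\\svchost.exe
1480,chrome.exe,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
4120,svchost.exe,C:\\Users\\alice\\AppData\\Roaming\\updater\\svchost.exe
"""

EXPECTED_LISTENERS = {135, 139, 445, 3389}      # assumed site baseline; adapt per host role
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_IMAGES = {"svchost.exe": "c:\\windows\\system32\\", "lsass.exe": "c:\\windows\\system32\\",
                 "csrss.exe": "c:\\windows\\system32\\", "explorer.exe": "c:\\windows\\"}
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local_port, remote, state, pid) per socket line; UDP rows have no state."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, int(local.rsplit(":", 1)[1]), remote, state or "", int(pid)))
    return rows


def parse_processes(text):
    """Map PID -> (image name, executable path), lower-cased for comparisons."""
    return {int(r["ProcessId"]): (r["Name"].lower(), r["ExecutablePath"].lower())
            for r in csv.DictReader(io.StringIO(text))}


def triage(netstat_text, process_text, expected=EXPECTED_LISTENERS):
    """Steps 1 and 2: return {pid: [reasons]} for processes that deserve a closer look."""
    findings = {}

    def flag(pid, why):
        findings.setdefault(pid, []).append(why)

    for pid, (name, path) in parse_processes(process_text).items():
        if path and not path.startswith(TRUSTED_DIRS):
            flag(pid, f"image runs from user-writable path {path}")
        if name in SYSTEM_IMAGES and path and not path.startswith(SYSTEM_IMAGES[name]):
            flag(pid, f"{name} outside its home directory (name masquerade)")
    for proto, port, remote, state, pid in parse_netstat(netstat_text):
        if state == "LISTENING" and port not in expected:
            flag(pid, f"unexpected {proto} listener on port {port}")
        elif state == "ESTABLISHED" and pid in findings:
            flag(pid, f"outbound connection to {remote} from a flagged process")
    return findings


def hash_tree(root):
    """Steps 7/9 baseline: {relative path: sha256} for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(baseline, current):
    """Return (added, removed, modified) path sets between two manifests."""
    added, removed = set(current) - set(baseline), set(baseline) - set(current)
    modified = {f for f in baseline.keys() & current.keys() if baseline[f] != current[f]}
    return added, removed, modified


def demo_integrity():
    """Baseline a scratch tree, tamper with it the way a Trojan might, and diff (constructed data)."""
    with tempfile.TemporaryDirectory() as d:
        drivers = Path(d) / "System32" / "drivers"
        drivers.mkdir(parents=True)
        (drivers.parent / "svchost.exe").write_bytes(b"MZ original service host")
        (drivers / "etc_hosts").write_bytes(b"127.0.0.1 localhost\n")
        baseline = hash_tree(d)                         # take this while the host is known-good
        (drivers / "etc_hosts").write_bytes(b"127.0.0.1 localhost\n203.0.113.7 bank.example\n")
        (drivers / "rootkit.sys").write_bytes(b"MZ not a real driver")
        return compare_manifests(baseline, hash_tree(d))


if __name__ == "__main__":
    for pid, reasons in triage(NETSTAT_SAMPLE, PROCESS_SAMPLE).items():
        print(pid, *reasons, sep="\n    ")
    print(demo_integrity())
```

The manifest has to be taken while the host is known-good and stored off the host; a baseline the Trojan can rewrite proves nothing, which is why Tripwire keeps its database signed. A kernel-mode rootkit can also lie to netstat and to process listings, so findings from a live system should be confirmed from a boot of trusted media or from the network side.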
