Trojans & Backdoors

Beginner


What is a Trojan?

A Trojan is a program that pretends to be a legitimate program but is malicious in nature: it infects the system in the background and provides the attacker with access to that system.

Objectives of Trojans:

A Trojan can serve different objectives:

  • Using the Trojaned machine as part of a botnet to stage another attack, such as DDoS.
  • Installing software so that the attacker can upload or download files and data directly from your computer.
  • Modifying or deleting your files.
  • Keystroke logging, so that people can be monitored without their knowledge.
  • Wasting computer storage space.
  • Crashing the computer.

Overt Channel & Covert Channel:

Overt Channel:

An overt channel is a legitimate connection on the network that carries data in a way that follows the security policy.

An overt channel can be used to carry a tunnel (a covert channel) that transmits data over the network without raising any alarm, because the carrier connection itself looks legitimate.

Covert Channel:

A covert channel is a connection that transmits data over the network in a way that violates the security policy.

The simplest forms of covert channel are:

  1. Trojans
  2. Backdoors
  3. HTTP tunnelling to reach restricted data.

Working of Trojans:

An attacker can get access to the system in multiple ways.

  • Direct-connecting Trojans: the Trojan opens a listening port on the victim machine and the attacker connects to it directly. The scenario is not always that easy: if the victim is behind a firewall (or NAT) that blocks inbound connections, a direct-connecting Trojan will not provide any access to the victim computer even though the victim is infected.
  • Reverse-connecting Trojans: here the attacker does not need to connect to the victim. Instead, the Trojan itself initiates and maintains the connection from the victim out to the attacker. This bypasses the firewall when the Trojan uses a protocol and port that is allowed outbound from inside the network, such as HTTP/HTTPS, because the firewall sees an ordinary outbound connection.

Different Types of Trojan

  • Remote Access Trojans: Remote Access Trojans (RATs) provide the attacker with full control of the machine.

  • Destructive Trojans: some Trojans are created with the purpose of disrupting the normal working or booting procedure of the victim machine.

  • Denial-of-Service (DoS) Trojans: some Trojans act as dumb zombies; they wait for the attacker to give commands and are usually used for DDoS attacks.

  • Proxy Trojans: Proxy Trojans provide access to the victim machine in the same way as a Remote Access Trojan does, with the additional functionality that the attacker can use the victim's machine as a proxy server. Attacks are then launched from the victim's address, so the victim, not the attacker, appears in the target's logs.

  • FTP Trojans: FTP Trojans open an FTP service (by default port 21) on the victim machine and allow the attacker to access it with an ordinary FTP client.

  • Security Software Disablers: some Trojans are designed to find and disable the anti-virus and internet security tools on the victim machine, leaving it vulnerable to further attacks and preventing the Trojan itself from being detected.

Target Data Types of Trojans

Trojans are not restricted to the following content, but this is what they typically look for:

  • Login credentials, such as username and password combinations, and information such as credit card details used by the victim.
  • Confidential documents, official documents and personal documents.
  • Data such as bank account numbers, social security numbers, insurance information, etc.
  • Calendar information such as important meetings and other notes concerning the victim's presence or activity.
  • The victim machine itself, which can be used as a staging point for further attacks or other illegal activity, leaving the victim to face the consequences.

Different Modes of Trojan Infection

Trojans can be spread by many means; some of them are listed here:

  • Through Internet Relay Chat (IRC) and instant messengers such as GTalk and Yahoo.
  • Through mail attachments.
  • Through physical access to the system.
  • Through security bugs in browser and email software, which allow attackers to compromise the machine and then install a Trojan for future access.
  • Through shared folders within a domain network.
  • Through untrusted sites and freeware download sites, which distribute Trojans very effectively.

Auto Run Trojan

An 'AUTORUN.INF' file must start with the following line:

    [autorun]

For example, to create a CD or pen drive that automatically runs the program 'server.exe', an AUTORUN.INF file similar to the following is required:

    [autorun]
    open=server.exe
    icon=setup.exe

To create a CD that automatically opens the HTML file 'index.htm':

    [autorun]
    ShellExecute=index.htm
    icon=index.htm

However, since some older versions of Windows do not support 'ShellExecute', a less elegant alternative is:

    [autorun]
    open=command /c start index.htm
    icon=index.htm

Be aware that the use of 'command' and 'start' restricts this to machines running Windows.

So by using the AutoRun feature an attacker can spread a Trojan very easily. Note, however, that this only works where AutoRun is still honoured: Windows 7 and later, and Windows XP/Vista with the 2011 AutoRun update applied, ignore AUTORUN.INF on USB drives and other non-optical removable media and only process it for CD/DVD media, and even there AutoPlay may prompt the user rather than run the program silently.
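The AUTORUN.INF variants above are small INI files, so triaging a mounted drive or disk image for a malicious one is mostly a parsing problem. The following is an added example (not code from the original page) that parses an AUTORUN.INF the way Windows reads it (section and key names are case-insensitive) and reports whether it would launch code. The sample files and the list of "executable" extensions are constructed for the demo.

```python
import configparser

# Constructed samples: the three variants shown above plus a benign one.
SAMPLES = {
    "usb_server": "[autorun]\nopen=server.exe\nicon=setup.exe\n",
    "cd_shellexecute": "[autorun]\nShellExecute=index.htm\nicon=index.htm\n",
    "cd_command": "[autorun]\nopen=command /c start index.htm\nicon=index.htm\n",
    "benign_label": "[autorun]\nlabel=Holiday Photos\nicon=photos.ico\n",
}

# Keys that make the shell run something when AutoRun is honoured.
LAUNCH_KEYS = ("open", "shellexecute")
# Extensions treated as native code for the demo (assumption, not an exhaustive list).
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")
SHELLS = ("command", "command.com", "cmd", "cmd.exe")


def autorun_actions(text: str) -> dict:
    """Return what an AUTORUN.INF would launch: {'launches', 'key', 'icon', 'error'}."""
    result = {"launches": None, "key": None, "icon": None, "error": None}
    # strict=False tolerates duplicate keys; interpolation=None keeps '%' literal.
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        result["error"] = str(exc)
        return result
    for section in cp.sections():
        if section.strip().lower() != "autorun":   # Windows ignores the section's case
            continue
        for key in LAUNCH_KEYS:                     # configparser lower-cases option names
            value = cp.get(section, key, fallback=None)
            if value:
                result["launches"] = value.strip()
                result["key"] = key
                break
        icon = cp.get(section, "icon", fallback=None)
        if icon:
            result["icon"] = icon.strip()
    return result


def triage(text: str) -> str:
    """One-line verdict for an AUTORUN.INF body."""
    action = autorun_actions(text)
    if action["error"]:
        return "unparseable: " + action["error"]
    if action["launches"] is None:
        return "no launch directive"
    target = action["launches"]
    first = target.split()[0].lower()
    # 'open=command /c start ...' and 'open=server.exe' both run native code directly.
    if first in SHELLS or first.endswith(EXECUTABLE_EXT):
        return "runs code: %r via %s" % (target, action["key"])
    # 'ShellExecute=index.htm' hands the file to whatever handler is registered for it.
    return "opens via registered handler: %r via %s" % (target, action["key"])


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print("%-16s %s" % (name, triage(body)))
```

Because Windows treats `[AutoRun]`, `[AUTORUN]` and `OPEN=` the same, the parser normalises case before matching; a scanner that only looked for the lowercase form would miss trivially obfuscated files. Note that `icon=setup.exe` in the first sample is itself a social-engineering detail: the drive shows an installer icon while `server.exe` is what actually runs.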

Symptoms of a Trojan Infection

Common symptoms of a Trojan-infected machine:

  • CD-ROM drawer opens and closes by itself
  • Computer screen flips upside down or inverts
  • Wallpaper or background settings change by themselves
  • Documents or messages print from the printer by themselves
  • Computer browser goes to a strange or unknown web page by itself
  • Windows color settings change by themselves
  • Screensaver settings change by themselves

These are the visible effects that users experience after being infected by older Trojans such as Beast and ProRat, which include such "prank" features. Modern Trojans are usually designed to stay silent, so the absence of these symptoms does not mean a machine is clean.

Ports Used by Trojans

Trojan            Port
----------------  -----
Deepthroat        6670
Netbus            6666
Prorat            5110
Secret agent      11223
Asylum            23456

These are default ports; most Trojans let the attacker choose another one, so a port match is only a weak indicator and a clean port list proves nothing.

Binders and wrappers:

  • A wrapper or binder is an application that combines a Trojan with a non-malicious file, such as an image or any other executable, into a single file.
  • This lowers the victim's suspicion and helps convince the victim to execute the wrapped file.
  • Using a wrapper, two different applications are combined into a single file. When the victim executes that single wrapped file, it first installs the Trojan in the background and then runs the legitimate application.
  • The victim only sees the legitimate application in the foreground.
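A simple wrapper builds the combined file by appending the payload after the carrier executable's last section; the carrier's section table does not describe those extra bytes, so they show up as an "overlay". The following added example (not code from the original page) walks the PE headers with `struct` to measure that overlay and looks for a second `MZ` header inside it. `build_fake_pe` constructs a minimal PE-like buffer for the demo; it is not a loadable binary, and `looks_wrapped`, its 1024-byte threshold and the field layout comments are assumptions made for illustration.

```python
import struct


def pe_overlay_size(data: bytes) -> int:
    """Bytes appended after the last section of a PE image (its 'overlay').

    Returns -1 when the buffer is not a PE image.  A wrapper that glues a
    payload onto a carrier executable usually leaves it here, because the
    carrier's section table knows nothing about the appended bytes.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return -1
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return -1
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    if coff + 20 > len(data):
        return -1
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    sections = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    end_of_sections = 0
    for i in range(num_sections):
        hdr = sections + i * 40
        if hdr + 40 > len(data):
            return -1
        # +16: SizeOfRawData, +20: PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return max(0, len(data) - end_of_sections)


def hidden_pe_in_overlay(data: bytes) -> int:
    """Offset of an 'MZ' header inside the overlay, or -1 if none / no overlay."""
    overlay = pe_overlay_size(data)
    if overlay <= 0:
        return -1
    return data.find(b"MZ", len(data) - overlay)


def looks_wrapped(data: bytes, min_overlay: int = 1024) -> bool:
    """Heuristic (assumed threshold): a sizeable overlay deserves a closer look."""
    return pe_overlay_size(data) >= min_overlay


def build_fake_pe(section: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE-like buffer for the demo (not loadable):
    DOS header -> 'PE\\0\\0' -> COFF header (one section, no optional header)
    -> section header -> section data -> optional overlay."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)       # 64 bytes
    raw_ptr = e_lfanew + 4 + 20 + 40          # section data follows the one header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)          # 20 bytes
    sec_hdr = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", len(section), 0x1000, len(section), raw_ptr)
               + b"\0" * 16)                                             # 40 bytes
    return dos + b"PE\0\0" + coff + sec_hdr + section + overlay


if __name__ == "__main__":
    carrier = build_fake_pe(b"\x90" * 64)                    # "legitimate" application
    payload = build_fake_pe(b"\xCC" * 2048)                  # "trojan" stub
    wrapped = build_fake_pe(b"\x90" * 64, overlay=payload)   # what a binder produces
    print("carrier overlay:", pe_overlay_size(carrier))
    print("wrapped overlay:", pe_overlay_size(wrapped), "hidden MZ at", hidden_pe_in_overlay(wrapped))
```

Treat a positive result as a reason to look closer, not as a verdict: self-extracting installers carry their archive in the overlay, and an Authenticode signature also lives past the last section, so legitimate files have overlays too. What distinguishes a wrapped Trojan is an overlay that itself contains a runnable image, which is what `hidden_pe_in_overlay` checks for.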

How to Detect Trojans?

There are several methods by which we can check for the presence of a Trojan:

  • Scanning the system for suspicious open ports and connections using tools such as netstat and TCPView.
  • Scanning for suspicious running processes using a process viewer.
  • Scanning for suspicious startup and registry entries using tools such as MSConfig.
  • Capturing the network connections being established with Wireshark, saving the packet capture and analysing it to see which IP addresses the machine is connecting to.
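The first detection method above and the port table earlier on the page combine naturally: take the output of `netstat -ano`, pull out the local and remote ports per process, and match them against the known defaults. The following added example (not code from the original page) does that for both Trojan styles described under "Working of Trojans": a LISTENING socket on a known port points at a direct-connecting server, an ESTABLISHED outbound connection to a known port points at a reverse-connecting one. The netstat text is constructed for the demo (the PID 4120 rows are the planted suspect) and the port table is the one from this page.

```python
# Default ports from the table on this page.  Attackers can change them,
# so a match is a lead, not a conviction, and no match proves nothing.
TROJAN_PORTS = {
    6670: "Deepthroat",
    6666: "Netbus",
    5110: "Prorat",
    11223: "Secret agent",
    23456: "Asylum",
}

# Constructed sample of `netstat -ano` output on Windows (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:5110           0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.5:49700      203.0.113.9:6666       ESTABLISHED     4120
  TCP    192.168.1.5:49701      93.184.216.34:443      ESTABLISHED     2276
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1588
"""


def _port(addr: str):
    """Port of 'host:port', '[v6]:port' or '*:*' (None when there is no number)."""
    _host, _sep, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def parse_netstat(text: str) -> list:
    """Turn `netstat -ano` text into dicts; header and blank lines are skipped.
    TCP rows have five columns, UDP rows have no State column and only four."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            (proto, local, remote, pid), state = parts, ""
        else:
            continue
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid),
                     "lport": _port(local), "rport": _port(remote)})
    return rows


def flag_trojan_ports(rows: list) -> list:
    """(pid, reason) for every socket that matches a default Trojan port."""
    findings = []
    for r in rows:
        if r["state"] == "LISTENING" and r["lport"] in TROJAN_PORTS:
            findings.append((r["pid"], "listening on %d (%s default): possible direct-connecting trojan server"
                             % (r["lport"], TROJAN_PORTS[r["lport"]])))
        if r["state"] == "ESTABLISHED" and r["rport"] in TROJAN_PORTS:
            findings.append((r["pid"], "connected out to %s (%s default): possible reverse-connecting trojan"
                             % (r["remote"], TROJAN_PORTS[r["rport"]])))
    return findings


def suspect_pids(text: str) -> list:
    """Sorted, de-duplicated PIDs worth looking up with `tasklist /fi "pid eq N"`."""
    return sorted({pid for pid, _ in flag_trojan_ports(parse_netstat(text))})


if __name__ == "__main__":
    for pid, reason in flag_trojan_ports(parse_netstat(SAMPLE_NETSTAT)):
        print("PID %-6d %s" % (pid, reason))
```

The PID is the pivot: once a process is flagged, `tasklist` (or TCPView, which shows the process name directly) tells you which executable owns the socket, and the process viewer and startup-entry checks from the list above tell you how it got there. Because the port list is weak on its own, a more useful run of the same parser is to ignore `TROJAN_PORTS` entirely and simply review every ESTABLISHED row whose owning process you cannot explain.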

Avoiding Trojan Infection:

  • Do not download blindly from the websites you visit.
  • Do not trust a file just because it comes from a friend. Your friend's system may itself be infected and may infect your system as well, so be sure what the file is before opening it.
  • Disable the AutoPlay and auto-preview options for media that you connect to your computer.
  • Do not type commands that you have received in an email from someone, and do not paste anything into the browser that could be a malicious script and infect your computer further.

ProRat:

[Image: prorat trojan.png]