Professional Documents
Culture Documents
Countermeasures
Version 6
Mod le VIII
Module
Trojans and Backdoors
Scenario
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
News
Source: http://www.canada.com/
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
• Trojans
• Overt & Covert Channels
• Types of Trojans and how Trojan works
• Indications of Trojan attack
• Different Trojans used in the wild
• Tools for sending Trojan
• Wrappers
• ICMP Tunneling
• Constructing a Trojan horse using Construction Kit
• Tools for detecting Trojan
• Anti-Trojans
• A idi Trojan
Avoiding T j Infection
I f i
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module Flow
Indications of
Tools to Send Trojan Different Trojans
Trojan Attack
Countermeasures Anti-Trojan
Anti Trojan Tools to detect Trojan
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Introduction
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
What is a Trojan
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Overt and Covert Channels
Keylogger.exe
Chess.exe
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Working of Trojans
Attacker
k Trojaned System
Internet
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Different Types of Trojans
Data-Sending Trojans
Destructive Trojans
Proxy Trojans
FTP Trojans
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
What Do Trojan Creators Look
For
Credit card information
Confidential documents
Financial data (bank account numbers, social security numbers, insurance information, and so on)
Using the victim’s computer for illegal purposes, such as to hack, scan, flood, or infiltrate other machines on
the network or Internet
Hacker
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Different Ways a Trojan Can Get
into a System
Instant Messenger applications
Attachments
Physical access
NetBIOS (FileSharing)
Fake programs
Documents or messages
g p print from the p
printer byy themselves
S
Screensaver settings
tti change
h b
by th
themselves
l
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Indications of a Trojan Attack
(cont d)
(cont’d)
Right and left mouse buttons reverse their functions
Thee taskbar
as ba ddisappears
sappea s
While rebooting the computer, a message flashes that there are other
users still connected
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ports Used by Trojans
Trojan Protocol Ports
Wh k
Whack-a-mole
l TCP 12361 and
d 12362
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
How to Determine which Ports
are “Listening”
Listening
Go to Start Æ Run Æ cmd
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojans
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan: iCmd
iCmd works like tini.exe but accepts multiple connections and you can set a
password
d
At the
h colon
l prompt : type the
h
password jason
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
MoSucker Trojan
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
MoSucker Trojan: Screeenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Proxy Server Trojan
Thousands
h d off machines
hi on the
h
This tool, when infected, starts
Internet are infected with the
a hidden proxy server on the
proxy servers using this
victim’s computer
technique
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Proxy Server Trojan (cont’d)
ATTACKER
TARGET
PROXY
INTERNET
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
SARS Trojan Notification
SARS Trojan notification sends the location of the victim’s IP
address to the attacker
Whenever the victim’s computer connects to the Internet, the
attacker receives the notification
Attacker
Notification types:
yp
• SIN Notication
• Directly notifies the attacker's server
• ICQ Notification
• Notifies the attacker using
g ICQ
Q channels
• PHP Notification
• Sends the data by connecting to PHP server on
the attacker's server
• E-Mail Notification
• Sends the notification through email
Victims infected with Trojans
• Net Send
• Notification is sent through net send command
• CGI Notification
• Sends the data by connecting to PHP server on
the
h attacker's
k ' server
• IRC notification
• Notifies the attacker using IRC channels
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
SARS Trojan Notification
(cont d)
(cont’d)
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Wrappers
Attackers might send a birthday greeting that will install a Trojan as the user watches,
for example, a birthday cake dancing across the screen
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Wrapper Covert Program
This program runs as soon as Windows boots up and, on execution, keeps the
user distracted for a given period of time by running on the desktop
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Wrapping Tools
• Customizable options
• Supports Windows platforms
• Also known as YAB
Pretator Wrapper
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
One Exe Maker / YAB / Pretator
Wrappers
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Packaging Tool: WordPad
5 4
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
RemoteByMail
Victim
Email
Attacker
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tool: Icon Plus
D f d calc.exe
Defaced l using
i Restorator
R t t
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tetris
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
HTTP Trojans
If the attacker has typed something into the master system, this command
is retrieved and executed on the internal system
It llooks
k lik
like an iinternal
t l agentt iis b
browsing
i ththe web
b
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan Attack through Http
Internet
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
HTTP Trojan (HTTP RAT)
Victim
Infect victim’s computer with
server exe and plant HTTP Trojan
server.exe
3
The Trojan sends
Generate server.exe an email to the
attacker with the
l ti off an IP
location
address
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Shttpd Trojan - HTTP Server
SHTTPD is a small HTTP Server that can easily be embedded inside any program
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Reverse Connecting Trojans
Infect
f (Rebecca’s) computer with
server.exe and plant Reverse
Connecting Trojan 1
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tool: BadLuck Destructive
Trojan
The user will not be able to use the operating system after the
machine has been infected by the Trojan
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
ICMP Tunneling
Covert channels are methods in which an attacker can hide the data in a protocol that
is undetectable
Covert channels rely on techniques called tunneling, which allow one protocol to be
carried over another protocol
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
ICMP Backdoor Trojan
Commands d are
sent using
ICMP protocol
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Backdoor.Theef (AVP)
Using this Trojan, the server opens various ports on the victim’s
machine (eg.
(eg ports 69
69, 4700
4700, 13500 and 2800)
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Backdoor.Theef (AVP):
Screenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
T2W (TrojanToWorm)
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Biorante RAT
Features:
Highlighted connection list if webcam is detected
Online Keylogger
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Biorante RAT: Screenshots
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
DownTroj
DownTroj is a Trojan horse with the following
features:
• Remote messagebox
• Remote info
• Remote file browser (+ download, upload, delete, make/del dir)
• Remote shell
• Remote task manager (+ start/kill)
• Remote keylogger
• Remotely reboot or shutdown system
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Turkojan
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan.Satellite-RAT
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Yakoza
Added to Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\Windows
NT\CurrentVersion\Winlogon "Shell"
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
DarkLabel B4
DarkLabel is a firewall bypass reverse connection remote administration tool,
that allows yyou to remotelyy control computers
p that are behind firewalls and
routers
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan.Hav-Rat
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Poison Ivy
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Poison Ivy: Screenshot 1
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Poison Ivy: Screenshot 2
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Rapid Hacker
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
SharK
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Shark: Screenshot 1
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Shark: Screenshot 2
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Shark: Screenshot 3
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
HackerzRat
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
TYO
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
1337 Fun Trojan
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Criminal Rat Beta
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
VicSpy
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Optix PRO
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
ProAgent
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
OD Client
Features :-
• Remote Web Downloader (Main Function)
• Downloads and executes a file from the Internet remotely
Windows XP & Windows Server Rooting (Remote desktop)
• Adds a admin user to the host and allows for remote desktop
connection
i
• Username:- xplorer
• Password:- l3vel69
• Remove Server
• Uninstalls the server from the host
Shutdown Server
• Shutdowns the server but does not uninstall
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
AceRat
Features:
• Shutoff, Log Off Victimes PC
• Full functioning and
g
interactive File Manager
• Send Error Msg's
• System Info
• Change Wallpaper, System
C l
Colors
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Mhacker-PS
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
RubyRAT Public
Features :
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
SINner
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
ConsoleDevil
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
ZombieRat
Features:
• Opens Windows
Program -Msconfig,
Calculator, Paint,
Narrator,
N
NotePade,WordPad,
RegEdit, Clock
• Enables/ Disables
TaskManager and
Hides Shutdown
button
• Kills processes
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
FTP Trojan - TinyFTPD
TinyFTPD is a simple FTP Trojan which supports most of the standard FTPD Commands
Usage:
• Tinyftpd [ControlPort] [BindPort] [UserName] [Password] [HomeDir] [AllowedIP] [Access] [-Hide]
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
VNC Trojan
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
VNC Trojan: Screenshots
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Webcam Trojan
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
DJI RAT
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Skiddie Rat
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Biohazard RAT
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Troya
It is
i a web-based
b b dT Trojan
j
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
ProRat
Activation Key :
• User : mohdjase1
• Key : 66618e869accfc4f96
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Dark Girl
Remote Access
Works as a keylogger
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
DaCryptic
Functions:
• Registry access
• File
il
upload/download
• Keylogger
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Net-Devil
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan: PokerStealer.A
When it runs, activates ssh on the infected machine, then sends the user name
and
d passwordd hash,
h h along
l with
ith the
th IP address
dd off th
the Mac,
M tto a specified
ifi d e-mail
il
address with a subject “Howdy”
After obtaining the password the attacker can take control on the machine and
delete all the necessary files
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
PokerStealer.A: Screenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan:Hovdy.a
It gathers the username, password and IP address from the infected system and
send it to the server
After obtaining g the ppassword the attacker can take control on the machine and
delete all the files from the hard disk
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Hovdy.a: Screenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Classic Trojans
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Classic Trojans Found in the
Wild
Warning
These are classic outdated tools and is presented here for proof of
concept ( You will not be able to find the source code for these tools on
the Internet). It is presented in this module so that you are encouraged to
view the source code of these tools to understand the attack engineering
behind them.
them
Beast NetBus
Phatbot SubSeven
Amitis
Netcat
QAZ
Donald Dick
Back Orifice
Let me rule
Back Oriffice 2000
Tini RECUB
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan: Tini
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tini: Screenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan: NetBus
N tB is
NetBus i a Wi
Win32-based
32 b d T Trojan
j program
Provides a basic TCP/UDP networking subsystem that allows users to interact manually or via
script with network applications
Built-in
il i lloose source-routing
i capability
bili
Cryptcat
yp tool: Netcat with encryption
yp
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Netcat: Screenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Netcat Client/Server
Netcat server
Netcat client
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Netcat Commands
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan: Beast
One off th
O the di
distinct
ti t ffeatures
t off th
the B
Beastt iis
that it is an all-in-one Trojan (client, server,
and server editor are stored in the same
application)
N version
New i h has system
t ti
time managementt
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Hacking Tools
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Hacking Tool: Loki
Loki was written by daemon9 to provide shell access over ICMP, making it much more difficult
to detect than TCP
TCP- or UDP
UDP-based
based backdoors
As far as the network is concerned, a series of ICMP packets are shot back and forth: a ping,
pong response. As far as the attacker is concerned, commands can be typed into the Loki client
and executed on the server
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Atelier Web Remote Commander
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan Horse Construction Kit
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan Detecting Tools
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
How to Detect Trojans
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tool: fPort
fport
p reports
p all open
p TCP/IP
/ fport
p can be used to q
quicklyy
and UDP ports, and maps identify unknown open ports
them to the owning and their associated
application applications
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tool: TCPView
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
CurrPorts Tool
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tool: Process Viewer
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Delete Suspicious Device Drivers
Keeps
p yyour computer
p secure
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Super System Helper Tool
http://ntsecurity.nu/cgi-
http://ntsecurity nu/cgi
bin/download/inzider.exe.pl
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tool: What's Running
It gives the complete information about processes, services, IP connections,
modules,, and drivers,, running
g on your
y computer
p
Copyright © by EC-Council
Screenshot showing list of processes running
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tool: MSConfig
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tool: Registry-What’s Running
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tool: Autoruns
This utility shows you what programs are configured to run during system bootup or login,
and shows the entries in the order Windows processes them. These programs include those in
your startup folder, Run, RunOnce, and other Registry keys
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tool: Hijack This (System
Checker)
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tool: Startup List
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Anti-Trojan
j Software
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Anti-Trojan Software
There are many anti-Trojan software programs available with many vendors
• Trojan Guard
• Trojan Hunter
• ZoneAlarm f Win98&up
Win98&up, 4 4.530
530
• WinPatrol f WinAll, 6.0
• LeakTest, 1.2
• Kerio Personal Firewall, 2.1.5
• Sub-Net
• TAVScan
• SpyBot Search & Destroy
• Anti Trojan
• Cleaner
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
TrojanHunter
TrojanHunter
j is an advanced trojan
j scanner
and toolbox, that searches for and removes
Trojans from your system
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
TrojanHunter: Screenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Comodo BOClean
Comodo BOClean protects your computer against trojans, malware, and other
threats
The program can ask the user what to do, or run in the unattended mode and
automatically shutdowns and removes any suspected Trojan application
Features:
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan Remover: XoftspySE
X ft
Xoftspy d t t and
detects d removes all
ll th
the spyware ttrying
i tto iinstall
t ll on your PC
It scans for more than 42,000 different Spyware and Adware parasites
It g
gets alerts about p
potentiallyy harmful websites
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
XoftspySE: Screenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan Remover: Spyware
Doctor
Spyware Doctor is an adware and spyware removal
utilityy that detects and cleans thousands of p
potential
spyware, adware, trojans, keyloggers, spyware, cookies,
trackware, spybots, and other malware from your PC
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Spyware Doctor: Screenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
SPYWAREfighter
Its continuous p
protection improves
p Internet browsing
g safetyy byy scanning
g
for more than 220.000 known threads
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Screenshot: SPYWAREfighter
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Evading Anti-Virus Techniques
Never use Trojans from the wild (anti-virus can detect these easily)
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Sample Code for Trojan
Client/Server
Trojanclient.java Trojanserver.java
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Evading Anti-Trojan/Anti-Virus Using
Stealth Tools
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Backdoor Countermeasures
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tool: Tripwire
T i i is
Tripwire i a System
S t Integrity
I t it Verifier
V ifi (SIV)
It will periodically scan those files, recalculate the information, and see if any
of the information has changedg and,, if there is a change,
g , an alarm is raised
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tripwire: Screenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
System File Verification
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
MD5sum.exe
If you suspect a file is Trojaned, then compare the MD5 signature with the snapshot checksum
Command: md5sum *
*.*
* > md5sum.txt
md5sum txt
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tool: Microsoft Windows
Defender
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Microsoft Windows Defender:
Screenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
How to Avoid a Trojan Infection
Even if the file comes from a friend, be sure what the file is before
opening it
Do not blindly type commands that others tell you to type; go to web
addresses mentioned by strangers, or run pre-fabricated programs or
scripts
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
How to Avoid a Trojan Infection
(cont d)
(cont’d)
One should not be lulled into a false sense of security just because an anti-virus
anti virus program
is running in the system
Ensure that the corporate perimeter defenses are kept continuously up to date
Filter and scan all content at the perimeter defenses that could contain malicious content
Run local versions of anti-virus, firewall, and intrusion detection software on the
desktop
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
How to Avoid a Trojan Infection
(cont d)
(cont’d)
Rigorously control user permissions within the desktop environment to prevent the
installation
ll off malicious
l applications
l
Manage local workstation file integrity through checksums, auditing, and port scanning
Use multiple
p virus scanners
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
What happened next
As Ron never cared for desktop security he did not have the latest
update of antivirus.
antivirus Neither did he have a Trojan scanner nor a file
integrity checker.
Zechariah had infected Ron’s computer and was ready to do all kinds
of assault which the Infected Trojan supported.
Zechariah can do any of the following:
• R
Run a keylogger
k l on R
Ron’s
’ systems and
d retrieve
i all
ll sensitive
ii
information
• Delete confidential files
• Rename files and change file extensions
• Use Ron’s computer to carry out illegal activities
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Summary
Trojans are malicious pieces of code that carry cracker software to a target
system
t
They are used primarily to gain and retain access on the target system
They often reside deep in the system and make registry changes that allow it to
meet iits purpose as a remote administration
d i i i tooll
Awareness and preventive measures are the best defense against Trojans
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Appendix
pp
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan: Phatbot
Phatbot Trojan allows the attacker to have
control over computers and link them into
P2P networks that can be used to send large
amounts of spam email messages or to flood
websites with data in an attempt to knock
them offline
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan: QAZ
It also has a "backdoor" that will enable a remote user to connect to and
control the victim’s computer using port 7597
• HKLM\software\Microsoft\Windows\Current
• Version\Run
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan: Back Orifice
Encryption (Encrypts the data sent between the BO2K GUI and the server)
BOSOCK (Provides
BOSOCK32 (P id stealth
t lth capabilities
biliti b by using
i ICMP instead
i t d off TCP UDP)
STCPIO (Provides encrypted flow control between the GUI and the server
server, making
the traffic more difficult to detect on the network)
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Trojan: SubSeven
The
h credited
di d author
h off this
hi Trojan
j iis
Mobman
It has variants as
follows:
• SubRoot 1.0
• SubRoot 1.3
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited