NMCSP 2008 Batch-I

Module VI Trojans and Backdoors

It is Valentines Day, but Jack is totally shattered from inside. Reason: Jill just rejected his proposal. Jack reacted calmly to the situation saying he would not mind provided they could still remain friends, as before, to which Jill agreed. Something was going on in the back of his mind. He wanted to teach Jill a lesson. Jack and Jill are studying in the Computer department in the University campus. All the students have individual PCs inside their dorm rooms.

One day Jack sends an e-mail with an attachment, which looked like a word document, to Jill. Unsuspectingly Jill clicks the attachment and found that there was nothing in it. Bingo! Jill¶s system is infected by a remote access trojan, but she is unaware of it. Jack has total control over Jill¶s system. Guess what Jack can do to Jill?
‡ Steal her passwords. ‡ Use her system for attacking other systems in the University Campus ‡ Delete all of her confidential files. ‡ And much more

Module Objectives
Effects on Business. Trojan definition and how How to determine what

ports are ³listening´.
Different Trojans found in

they work. Types of Trojans.
What Trojan creators look

the wild.
Wrappers. Tools used

Different ways

for hacking.

a Trojan can get into a system. attack.

ICMP Tunneling. Anti-Trojans. How to avoid a Trojan

Indications of a Trojan Some famous


Trojans and ports used by them.

Module Flow
Introduction to Trojans Overt & Covert Channels Types and working of Trojan

Tools to send Trojans

Different Trojans

Indications of a Trojan attack

ICMP Tunneling

Trojan Construction Kit



Malicious users

are always on the prowl, trying to sneak into the network and wreak havoc. around the globe have been affected by trojan attacks.

Several businesses Most of the times

it is the absent-minded user who invites trouble by downloading files or being least bothered of the security aspects. This module covers different trojans, the way they attack and the tools used to send them across the network.

Effect on Business
³They (hackers) don't care what kind of business you are, they just want to use your computer," says Assistant U.S. Attorney Floyd Short in Seattle, head of the Western Washington Cyber Task Force, a coalition of federal, state and local criminal justice agencies. If the data is altered or stolen, a company may risk losing the trust and credibility of their customers. There is a continued increase in malware that installs open proxies on systems, especially targeting broadband users. Businesses most at risk, experts say, are those handling online financial transactions.

What is a Trojan?
A trojan is With

a small program that runs hidden on an infected computer. the help of a trojan an attacker gets access to stored passwords in the trojaned computer and would be able to read personal documents, delete files, display pictures, and/or show messages on the screen.

Overt and Covert channels
Overt Channel a legitimate communication path within a computer system, or network, for transfer of data. An overt channel can be exploited to create the presence of a covert channel by choosing components of the overt channels with care that are idle or not related.
It is

Covert Channel
It is

a channel which transfers information within a computer system, or network, in a way that violates security policy. The simplest form of covert channel is a trojan.

Working of Trojans
Trojaned System Internet


Attacker gets access to the trojaned system as the system goes online. By way of the access provided by the trojan, the attacker can stage attacks of different types.

Different types of Trojan
Remote Access


Data-sending Trojans Destructive Trojans Denial of service (DoS) attack Proxy Trojans FTP Trojans Security software



What Trojan creators look for?
Credit card information, e-mail Accounting data (passwords, Confidential documents Financial data (bank


user names, etc.)

account numbers, Social Security numbers, insurance information, etc.) Calendar information concerning victim¶s whereabouts

the victims¶ computer for illegal purposes, such as to hack, scan, flood, or infiltrate other machines on the network or Internet.

Different ways a a Trojan can get into a system.
ICQ IRC Attachments Physical Access Browser and

e-mail Software NetBIOS (File Sharing) Fake Programs Untrusted Sites and Freeware Software Downloading files, games, and screen-savers from an Internet site. Legitimate "shrink-wrapped" software packaged by a disgruntled employee

Indications of a Trojan attack.
CD-ROM drawer

opens and closes by itself. Computer screen flips upside down or inverts. Wall paper or background settings change by themselves. Documents or messages print from the printer by themselves. Computer browser goes to a strange or unknown web page by itself. Windows color settings change by themselves. Screen saver settings change by themselves.

Indications of a Trojan attack (contd.)
Right and left

mouse buttons reverse their disappears.

Mouse pointer Mouse moves by itself. Windows Start button disappears. Strange chat boxes appear on the victim¶s

computer and the victim is forced to chat with a stranger.
The ISP complains to

the victim that their computer is IP scanning.

Indications of a Trojan attack (contd.)
People chatting with

the victim know too much

personal information about him or his computer.
Computer shuts

down and powers off by itself.

Task bar disappears. The account passwords

are changed or unauthorized

persons can access legitimate accounts.
Strange purchase

statements in credit card bills.

Indications of a Trojan attack (contd.)
The computer Modem dials, Ctrl + Alt

monitor turns itself off and on. and connects, to the Internet by itself.

+ Del stops working. the computer a message flashes that

While rebooting

there are other users still connected.

Some famous Trojans and ports used by them.
Trojans Back Orifice Deep Throat NetBus Whack-a-mole NetBus 2 Pro GirlFriend Masters Paradise Protocol UDP UDP TCP TCP TCP TCP TCP Ports 31337 or 31338 2140 and 3150 12345 and 12346 12361 and 12362 20034 21544 3129, 40421, 40422, 40423 and 40426

How to determine which ports are "listening"
Reboot the PC Go to start

Run cmd Type "netstat ±an and press enter.
Exit command

shell. Open Explorer.
Change to the C

drive and double click on the netstat.txt file. Look under the "Local Address" column.

Different Trojans found in the wild
Beast Phatbot Amitis QAZ Back Orifice Back Orifice 2000 Tini NetBus SubSeven Netcat Donald Dick Let me rule RECUB

Trojan: Beast 2.06
Beast is a powerful Remote

Administration Tool (AKA trojan) built with Delphi 7.
One of

the distinct features of the Beast is that it is an all-in-one trojan (client, server and server editor are stored in the same application). the server is that it uses injecting technology. management. Source: http://www.areyoufearless.com

An important feature of

New version has system time

Trojan: Phatbot
This Trojan allows the attacker to control computers and link them into P2P networks that can then be used to send large amounts of spam e-mail messages, or flood Web sites with data, in an attempt to knock them offline. It can steal Windows Product Keys, AOL login names and passwords as well as the CD key of some famous games. It tries to disable antivirus and firewall software.

Trojan :Amitis
It has more than 400 ready to use options.

the only Trojan with a live update feature. copies itself to the windows directory so even if the main file is deleted the victim is still infected. automatically sends the requested notification as soon as the victim goes online.
The server The Server

It is

Source: http://www.immortal-hackers.com

Trojan : Senna Spy
Senna Spy Generator 2.0

is a trojan generator. Senna Spy Generator is able to create Visual Basic source code for a trojan based on the selection of a few options. generated source code, anything could be changed in it.

This trojan is compiled from

Source: http://sennaspy.cjb.net/

Trojan :QAZ
It is a companion virus that can spread over the network. It also has a "backdoor" that will enable a remote user to connect to and control the computer using port 7597. It may have originally been sent out by e-mail. It renames notepad to note.com Modifies the registry key:


Trojan :Back Orifice
Back Orifice (BO) is a remote

administration system which allows a user to control a computer across a TCP/IP connection using a simple console or GUI application. On a local LAN or across the internet, BO gives its user more control of the remote Windows machine than the person at the keyboard of the remote machine. Back Orifice was created by a group of well known hackers who call themselves the CULT OF THE DEAD COW. BO is small, and entirely self installing. Source: http://www.cultdeadcow.com/

Trojan :Back Orifice 2000
BO2K has stealth capabilities, it will not show up on the task list and runs completely in hidden mode.

Back Orifice accounts for highest number of infestations on Microsoft computers. The BO2K server code is only 100KB. The client program is 500KB. Once installed on a victim PC, or server machine, BO2K gives the attacker complete control of the system

Back Orifice Plug-ins

BO2K functionality can be extended using BO plug-ins. BOPeep (Complete remote control snap in). Encryption (Encrypts the data sent between the BO2K GUI and the server).

BOSOCK32 (Provides stealth capabilities by using ICMP instead of TCP UDP).

STCPIO (Provides encrypted flow control between the GUI and the server, making the traffic more difficult to detect on the network).


Soon after BO appeared, a category of cleaners emerged, claiming to be able to detect and remove BO.

BOSniffer turned out to be one such Trojan that in reality installed Back Orifice under the pretext of detecting and removing it.

Moreover, it would announce itself on the IRC channel #BO_OWNED with a random username.

Trojan :Tini

It is a very tiny trojan program which is only 3 kb and programmed in assembly language. It takes minimal bandwidth to get on victim's computer and takes small disk space. Tini only listens on port 7777 and runs a command prompt when someone attaches to this port. The port number is fixed and cannot be customized. This makes it easier for a victim system to detect by scanning for port 7777. From a tini client the attacker can telnet to tini server at port 7777. Source: http://ntsecurity.nu/toolbox/tini

Trojan :NetBus
NetBus is a Win32 based

Trojan program
Like Back Orifice, NetBus

allows a remote user to access and control the victim¶s machine by way of its Internet link. NetBus was written by a Swedish programmer, CarlFredrik Neikter in March 1998.
This virus

is also known as Backdoor.Netbus. Source: http://www.jcw.cc/netbus-download.html

Trojan :SubSeven
SubSeven is a Win32

The credited author Its symptoms

of this trojan is Mobman. include a slowing down the computer, and a constant stream of error messages. most commonly spread through file attachments in e-mail messages, and the ICQ program. Source: www.subseven.ws/

SubSeven is a trojan virus

Trojan :Netcat

Outbound or inbound connections, TCP

or UDP, to, or from,

any port. Ability to use any local source port. Ability to use any locally-configured network source address. Built-in port-scanning capabilities, with randomizer Built-in loose source-routing capability.

Trojan :CyberSpy Telnet Trojan
CyberSpy is a telnet trojan (a client terminal is not necessary to get connected). It is written in VB with a small amount of C. It supports multiple clients. It has about 47 commands. It has ICQ, e-mail and IRC bot notification. Other things like fake error/port/pw/etc. can be configured with the editor.

Trojan :Subroot Telnet Trojan
It is a

telnet remote administration tool.

It was

written and tested in the republic of South Africa. It has variants
‡ SubRoot 1.0 ‡ SubRoot 1.3

Trojan :Let Me Rule! 2.0 BETA 9
Written in Delphi Released in January 2004 A

remote access Trojan

It has

DOS prompt which allows an attacker control the victim¶s command.com. all files in a specific directory. types of files can be executed at the remote host. version has an enhanced registry explorer.

It deletes All

The new

Trojan :Donald Dick
Donald Dick is a tool that enables a user to control another computer over a network. It uses a client-server architecture with the server residing on the victim's computer.

The attacker uses the client to send command through TCP or SPX to the victim listening on a pre-defined port. Donald Dick uses default port either 23476 or 23477.

Trojan : RECUB
RECUB (Remote Encrypted Callback Unix Backdoor) is a windows port for a remote administration tool which can be also used as a backdoor for a windows system. It bypasses firewalls by opening a new IE window and then injecting code into it. It uses Netcat for a remote shell. It empties all event logs after exiting the shell.

Source: http://www.hirosh.net

Tool: Graffiti.exe
Graffiti.exe is

an example of a legitimate file that can be used to drop the Trojan into the target system. This program runs as soon as windows boots up and on execution keep the user distracted for a given period of time by running on the desktop.

Tool: eLiTeWrap

eLiTeWrap is an advanced EXE wrapper for Windows 95/98/2K/NT used for SFX archiving and secretly installing and running programs.

With eLiTeWrap one can create a setup program that would extract files to a directory and execute programs or batch files to display help, copy files, etc.

Source: http://homepage.ntlworld.com/chawmp/elitewrap/

Tool: IconPlus
IconPlus is a conversion program for translating icons

between various formats.
This kind of application can be used by an attacker to

disguise his malicious code or trojan so that users are tricked into executing it.

Tool: Restorator
It is a versatile skin editor for

any Win32 program: changes images, icons, text, sounds, videos, dialogs, menus, and other parts of the user interface. Using this one can create one¶s own User-styled Custom Applications (UCA). Restorator has many built-in tools. Powerful find and grab functions lets the user retrieve resources from all files on their disks.

Tool: Whack-A-Mole
Popular delivery vehicle

for NetBus/BO servers is a game called Whack-A-Mole which is a single executable called whackamole.exe.

installs the NetBus/BO server and starts the program at every reboot.

Tool: Firekiller 2000

FireKiller 2000 will kill (if executed) any resistant protection software. For instance, if Norton Anti-virus is in auto scan mode in the taskbar, and ATGuard Firewall activated, this program will KILL both on execution, and makes the installations of both UNUSABLE on the hard drive; which would require reinstallation to restore. It works with all major protection software like ATGuard, Conseal, Norton Anti-Virus, McAfee Antivirus, etc. Tip: Use it with an exe binder to bind it to a trojan before binding this new file (trojan and firekiller 2000) to some other dropper.

How does an attacker A wrapper The two

get BO2K or any trojan installed on the victim's computer? Answer: Using Wrappers. attaches a given EXE application (such as a game or orifice application) to the BO2K executable. programs are wrapped together into a single file. When the user runs the wrapped EXE, it first installs BO2K and then runs the wrapped application.
The user

only sees the latter application.

One can send a birthday greeting which will install BO2K as the user watches a birthday cake dancing across the screen.

Packaging Tool: WordPad
Open WordPad. Using the

mouse, drag and drop Notepad.exe into the WordPad window. On double-click the embedded icon, Notepad will open. Now, right-click on the Notepad icon within the WordPad and copy it to the desktop.

icon that appears is very similar to the default text icon. We can change the icon by using the properties box.

Tool: Hard Disk Killer (HDKP4.0)

The Hard Drive Killer Pro series of programs offers the ability to fully and permanently destroy all data on any given Dos or Win3.x/9x/NT/2000 based system. In other words 90% of the PCs worldwide. The program, once executed, will start eating up the hard drive, and/or infect, and reboot the hard drive within a few seconds. After rebooting, all hard drives attached to the system would be formatted (in an unrecoverable manner) within only 1 to 2 seconds, regardless of the size of the hard drive.

ICMP Tunneling
Covert Channels are

methods in which an attacker can hide data

in a protocol that is undetectable.
Covert Channels rely on techniques called

tunneling, which allow

one protocol to be carried over another protocol.
ICMP tunneling is a method of

using ICMP echo-request and

echo-reply as a carrier of any payload an attacker may wish to use, in an attempt to stealthily access, or control a compromised system.

Hacking Tool: Loki
Loki was written by

daemon9 to provide shell access over ICMP making it much more difficult to detect than TCP or UDP based backdoors. As far as the network is concerned, a series of ICMP packets are shot back and forth: Ping, Pong-response. As far as the attacker is concerned, commands can be typed into the Loki client and executed on the server.

Loki Countermeasures

Configure firewall to block ICMP incoming and outgoing echo packets.

Blocking ICMP will disable ping requests and may cause inconvenience to users.

It is recommended to be careful while deciding on security vs. convenience.

Loki also has the option to run over UDP port 53 (DNS queries and responses).

Reverse WWW Shell - Covert channels using HTTP

Reverse WWW shell allows an attacker to access a machine on the internal network from the outside. The attacker must install a simple trojan program on a machine in the internal network, the Reverse WWW shell server. On a regular basis, usually 60 seconds, the internal server will try to access the external master system to pick up commands. If the attacker has typed something into the master system, this command is retrieved and executed on the internal system. Reverse WWW shell uses standard http protocol. It looks like an internal agent is browsing the web.

Tool: fPort

fport reports all open TCP/IP and UDP ports and maps them to the owning application.

fport can be used to quickly identify unknown open ports and their associated applications.

Tool: TCPView

TCPView is a Windows program that will show detailed listings of all TCP and UDP endpoints on the system, including the local, and remote, addresses and state of TCP connections.

When TCPView is run, it will enumerate all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions.

Tool: Tripwire

It is a System Integrity Verifier (SIV). Tripwire will automatically calculate cryptographic hashes of all key system files or any file that is to be monitored for modifications.

Tripwire software works by creating a baseline ³snapshot´ of the system.

It will periodically scan those files, recalculate the information, and see if any of the information has changed. If there is a change an alarm is raised.

Process Viewer

PrcView is a process viewer utility that displays detailed information about processes running under Windows.

PrcView comes with a command line version that allows the user to write scripts to check if a process is running, kill it, etc. The Process Tree shows the process hierarchy for all running processes.

Inzider - Tracks Processes and Ports

This is a very useful tool that lists processes in the Windows system and the ports each one listens on.

Inzider may pick up older trojans. For instance, under Windows NT/2K, BO2K injects itself into other processes, so it is not visible in the Task Manager as a separate process, but it does have an open port that it is ³listening´ on.

System File Verification
Windows 2000 introduced

Windows File Protection (WFP) which protects system files that were installed by Windows 2000 setup program from being overwritten.
The hashes in this file could be

compared with the SHA-1 hashes of the current system files to verify their integrity against the 'factory originalsµ
sigVerif.exe utility can perform

this verification process.

Trojan horse construction kit
Such kits help hackers to construct Trojan horses of their choice. These tools can be dangerous and can backfire if not executed properly. Some of the Trojan kits available in the wild are as follows:

‡ The Trojan Horse Construction Kit v2.0 ‡ Progenic Mail Trojan Construction Kit - PMT ‡ Pandora¶s Box

There are many anti-trojan packages available, from multiple vendors. Below is a list of anti-trojan software that is available on a trial basis:

‡ ‡ ‡ ‡ ‡ ‡ ‡

Trojan Guard Trojan Hunter ZoneAlarm-f-Win98&up, 4.530 WinPatrol-f-WinAll, 6.0 LeakTest 1.2 Kerio Personal Firewall, 2.1.5 Sub-Net

Evading Anti-trojan/Anti-virus using Stealth Tools v2.0
a program which helps to send trojans, or suspicious files, undetectable from antivirus software. Its features include adding bytes, bind, changing strings, create VBS, scramble/pack files, split/join files.
It is

Source: http://www.areyoufearless.com

Backdoor Countermeasures

Most commercial antivirus products can automatically scan and detect backdoor programs before they can cause damage (e.g. before accessing a floppy, running an exe or downloading e-mail). An inexpensive tool called Cleaner (http://www.moosoft.com/cleanet.html) can identify and eradicate 1000 types of backdoor programs and trojans. Educate users not to install applications downloaded from the internet and e-mail attachments.

How to avoid a Trojan infection?
Do not download blindly from people, or sites, if it is not 100% safe. Even if the file comes from a friend, be sure what the file is before opening it. Do not use features in programs that automatically get, or preview, files. Do not blindly type commands when told to type them, or go to web addresses mentioned by strangers, or run pre-fabricated programs or scripts.

How to avoid a Trojan infection?
Do not be lulled into a false sense of security just because an antivirus program is running in the system. Ensure that the corporate perimeter defenses are kept continuously up-to-date. Filter and scan all content that could contain malicious content at the perimeter defenses. Run local versions of antivirus, firewall, and intrusion detection software at the desktop.

How to avoid a Trojan infection?
Rigorously control user permissions within the desktop environment to prevent the installation of malicious applications. Manage local workstation file integrity through checksums, auditing and port scanning. Monitor internal network traffic for unusual open ports or encrypted traffic. Use multiple virus scanners. Install software to identifying, and remove, Ad-ware/Malware/Spyware .


Trojans are malicious pieces of code that carry cracker software to a target system. Trojans are used primarily to gain, and retain, access on the target system. Trojans often reside deep in the system and make registry changes that allow it to meet its purpose as a remote administration tool. Popular trojans include Back Orifice, NetBus, SubSeven, Beast, etc. Awareness and preventive measures are the best defense against trojans.

Sign up to vote on this title
UsefulNot useful