What Is A Trojan Horse?
A Trojan horse is:
1. An unauthorised program contained within a legitimate program. This unauthorised program performs functions unknown (and probably unwanted) by the user.
2. A legitimate program that has been altered by the placement of unauthorised code within it; this code performs functions unknown (and probably unwanted) by the user.
3. Any program that appears to perform a desirable and necessary function but that (because of unauthorised code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user.
The Trojan Horse got its name from the old mythical story about how the Greeks gave their enemy a huge wooden horse as a gift during the war. The enemy accepted the gift and brought it into their kingdom, and during the night Greek soldiers crept out of the horse and attacked the city, completely overcoming it.
How Do Trojans Work?
Trojans come in two parts, one on the attacker's machine and one on the victim's. The part on the victim's machine usually modifies the Registry,
which means it will start up automatically each time the computer is switched on.
The attacker then connects and uses the trojan to communicate with the victim's PC, usually without the victim knowing.
The trojan hides somewhere in the PC's files and listens for incoming communication.
The attacker needs to know the victim's IP address in order to connect to his/her machine.
(IP, or Internet Protocol, is the language used by computers to communicate across the net.)
Each PC has an "address" allocated by the ISP each time you go online, unless you are on ADSL / Broadband, where you have a fixed one.
"Many trojans have features like mailing the victim's IP, as well as messaging the attacker via ICQ or IRC.
This is used when the victim has a dynamic IP, which means every time you connect to the Internet you get a
different IP (most of the dial-up users have this). ADSL users have static IPs, so the infected IP is always known to the
attacker and this makes it considerably easier to connect to your machine.
"Most of the trojans use Auto-Starting methods so even when you shut down your computer they're able to restart and
again give the attacker access to your machine. New auto-starting methods and other tricks are discovered all the time.
The variety starts from "joining" the trojan into some executable file you use very often like explorer.exe, for example, and
goes to the known methods like modifying the system files or the Windows Registry. System files are located in the Windows
directory and here are short explanations of their abuse by the attackers:
The report then lists file and registry details.
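The Registry "auto-start" trick described above is also where a defender looks first. The following is an added example, not code from the report or its source: it parses a constructed `reg export` dump of the two Run keys (the values normally read at logon) and flags entries whose binary lives outside the usual program directories or hides behind a double extension such as `.txt.exe`. The sample entries, the trusted-directory list and the function names are assumptions made for this illustration.

```python
import re
from typing import Dict, List

# Constructed sample in the format produced by "reg export" for the two
# Run keys that start programs at logon. Every name and path is invented.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\Program Files\\SoundCard\\tray.exe"
"WinUpdate"="C:\\WINDOWS\\TEMP\\screensaver.txt.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Backup"="\"C:\\Users\\victim\\AppData\\Local\\Temp\\svc.exe\" -silent"
"Notes"="C:\\Program Files\\Notes\\notes.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Pull the executable path out of a command line, quoted or not.
EXE_RE = re.compile(r'"?([^"]+?\.(?:exe|scr|com|bat|pif))', re.IGNORECASE)

# Assumed allow-list: directories an autostart binary is expected to live in.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\system32\\")
# Extensions placed before the real one to make an executable look harmless.
DECOY_EXTENSIONS = {"txt", "jpg", "jpeg", "gif", "doc", "pdf", "bmp"}


def unescape_reg(value: str) -> str:
    # .reg files write a backslash as \\ and an embedded quote as \"
    return re.sub(r'\\(.)', r'\1', value)


def suspicious_reasons(path: str) -> List[str]:
    """Return why an autostart binary path looks suspicious (empty list if it does not)."""
    reasons = []
    low = path.lower()
    if not low.startswith(TRUSTED_PREFIXES):
        reasons.append("binary is outside Program Files and System32")
    parts = low.rsplit("\\", 1)[-1].split(".")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        reasons.append("double extension disguises the executable as ." + parts[-2])
    return reasons


def audit_run_keys(reg_text: str) -> List[Dict[str, object]]:
    """Walk a .reg export and report suspicious values under any key ending in \\Run."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if not value_match or current_key is None or not current_key.lower().endswith("\\run"):
            continue
        name = unescape_reg(value_match.group(1))
        command = unescape_reg(value_match.group(2))
        exe_match = EXE_RE.search(command)
        path = exe_match.group(1) if exe_match else command
        reasons = suspicious_reasons(path)
        if reasons:
            findings.append({"key": current_key, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_run_keys(SAMPLE_REG_EXPORT):
        print(f"{finding['key']}\\{finding['name']} -> {finding['path']}")
        for reason in finding["reasons"]:
            print("   ", reason)
```

On the sample, the two Program Files entries pass, while the binary in the Windows TEMP directory is reported twice (untrusted location and a decoy `.txt` extension) and the one in the user's Temp directory once. The allow-list is deliberately narrow; on a real host it is tuned to what that machine legitimately starts, and anything not on it gets looked at.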
What Is The Attacker Looking For?
This section appears further down the report, but it is important to highlight before you read further!
Some of you may think that trojans are used for damages only. Well, they can also be used for spying on someone's machine
and taking a lot of private and sensitive information (industrial espionage). The attacker's interests would include but are not
limited to the following:
Credit Card Information (often used for domain registration, shopping with your credit card)
Any accounting data (E-mail passwords, Dial-Up passwords, WebServices passwords, etc.)
Email Addresses (Might be used for spamming, as explained above)
Work Projects (Steal your presentations and work related papers)
Children's names/pictures, Ages (pedophile attacker?!)
School work (steal your papers and publish them with his/her name on it)
I'll mention again several scenarios about the attacker's mode of thinking:
Once infected, your computer might be used as a Warez Archive. No matter how much or little free disk space you have,
you'll probably have enough for the attacker's needs. He/she won't use all of your bandwidth; there will be some limit for
connections to your computer, so you'll still be able to do your work without knowing that your computer is used as a pirated
software FTP Server and it is known to people worldwide who keep downloading software from YOU.
Kiddie-Porn traders will also use your computer for storing their archives and again turning your machine into a well known place
for traders of nasty and above all illegal pictures. You'll again do your work and have no clue there are illegal activities going in
your computer.
The attacker might just want to have fun with you: open/close the CD tray, play with your mouse, annoy you somehow; that's stupid and useless, but a lot of people do it.
Your computer might be used for other illegal purposes like the attacker's usage of your IP address to hack, scan, flood,
infiltrate other machines on the Internet; so the victims will see your machine is doing it, and this will definitely get you in trouble.
Trojan Variations
There are so many variations out there that it would be hard to list and describe each and every one of them;
many will combine all of the trojan features you will read about below, or have many other functions that are not yet, and probably never will be, known
to the public.
REMOTE ACCESS TROJANS
These are probably the most widely used trojans, just because they give the attacker the power to do more things
on the victim's machine than the victim can ................ The idea of these trojans is to give the attacker COMPLETE access
to someone's machine, and therefore access to files, private conversations, accounting data, etc.
PASSWORD SENDING TROJANS
The purpose of these trojans is to rip all the cached passwords, look for other passwords you enter, and then
send them to a specific mail address without the user noticing anything. Passwords ........ that require a user to enter a login and password are sent
back to the attacker's e-mail address, which in most cases is located at some free web-based e-mail provider.
Most of them do not restart when Windows loads, as the idea is to gather as much information from the victim's machine as possible (passwords, mIRC logs, ICQ conversations) and mail it;
but it depends on the needs of the attacker and the specific situation.
KEYLOGGERS
These trojans are very simple. The only thing they do is log the keystrokes of the victim and then let the
attacker search the log file for passwords or other sensitive data. Most of them have two modes, online and
offline recording. Of course, they can also be configured to send the log file to a specific e-mail address on a daily basis.
DESTRUCTIVE
The only function of these trojans is to destroy and delete files. This makes them very simple and easy to use.
They can automatically delete all your core system files (for example .dll, .ini or .exe files, possibly others) on your machine.
The trojan is activated by the attacker, or sometimes works like a logic bomb and starts on a specific day and at a specific hour.
"DENIAL OF SERVICE" (DoS) ATTACK TROJANS
These trojans are getting very popular these days, .................
The main idea is that if you have 200 ADSL users infected and they start attacking the victim simultaneously, this will generate
a LOT of traffic (more than the victim's bandwidth, in most cases) and the victim's access to the Internet will be shut down.
.......major Internet sites could be shut down as a result.
PROXY/WINGATE TROJANS
An interesting feature implemented in many trojans is turning the victim's computer into a proxy/wingate server
available to the whole world or to the attacker only. It's used ........ to register domains with stolen credit cards and for many
other illegal activities. This gives the attacker complete anonymity and the chance to do everything from YOUR computer, and if he/she gets caught the trace leads back to you.
FTP TROJANS
These trojans are probably the simplest ones and are somewhat outdated, as the only thing they do is open port 21
(the port for FTP transfers) and let EVERYONE, or just the attacker, connect to your machine. Newer versions are password
protected so only the one that infected you can connect to your computer.
SOFTWARE DETECTION KILLERS
There are such functions built into some trojans, but there are also separate programs that will kill ZoneAlarm,
Norton Anti-Virus and many other popular anti-virus/firewall programs that protect your machine.
When they are disabled, the attacker has full access to your machine to perform some illegal activity, use your
computer to attack others, and often disappear. Even though you may notice that these programs are not working or
functioning properly, it will take you some time to remove the trojan, install the new software, configure it and get back online
with a sense of security.
The Future Of Windows Trojans
Windows users will always be targets of malicious attackers because most of them
don't know the real meaning of the word security; they think that some firewall is the only protection they need, yet
have no clue how it works or how to configure it properly. Windows Trojans will be a big security problem in the
future, and I'm sure attackers realise that; many more unique functions will be implemented into their trojans, but they will
mostly be used for the attacker's private purposes.
How Can I Get Infected?
A lot of people out there can't tell the various ways of infection apart, because in their minds the
only way of getting infected is by downloading and running server.exe, and they say they will never do that.
As you'll read here, there are many more ways for malicious attackers to infect your machine and start using it for illegal activities.
Please take all of the topics reviewed here really seriously; read them carefully and remember that prevention is far better
than the cure:
ICQ
IRC
Attachments
Physical Access
Browser And E-mail Software Bugs
Netbios(FileSharing)
VIA ICQ
People don't realise that they can also get infected while talking via ICQ or any other Instant Messenger application.
Receiving files is always risky, no matter from whom and no matter from where.
VIA IRC
So many people LIVE on IRC, and this is another place where you can get yourself infected.
Trust is vital no matter what you're doing. No matter who is sending you files, whether they claim to be a free porn archive,
software for "free internet" or a program for hacking Hotmail, DO NOT accept any of these files. Newbies are often targets of
these fakes, and believe me, many people are still newbies about their security. Users get infected from porn-trade channels
and, of course, warez channels, as they don't think about the risk but about how to get free porn and free programs instead.
Here is one scenario of getting infected while using IRC:
You're talking with someone, a "girl" probably, having a great time, and of course you want to see the person you're talking to.
You ask for a picture, or the "girl" offers you her pictures, and I'm sure you'll definitely want to see them.
The "girl" says that she has just created her first screensaver, using some known free or commercial software to do this,
and offers it to you; and what if "she" mentions that several of the pictures are naked ones?! You have been talking to "her" for a week or so,
you get this screensaver.exe, you run it and, yeah, VERY nice pics, some are naked, she didn't lie to you, so nothing bad or
suspicious has happened. BUT think again about what really has happened!
Most people don't notice in Explorer that the Type of the file is Application even though it carries a .TXT icon. So BEFORE you run something, even if it has a .TXT icon, check its extension and make sure it's really a text file.
VIA ATTACHMENTS
I'm always amazed at how many people have gotten themselves infected by an attachment sent to their mailbox.
Most of these users are new to the Internet and pretty naive. When they receive a mail containing an attachment
that promises free porn, free Internet access etc., they run it without understanding the risks to their machine.
EVEN IF YOU GET ATTACHMENTS FROM PEOPLE YOU KNOW, NEVER OPEN THEM UNLESS YOU KNOW EXACTLY WHAT THEY ARE!
EMAIL THEM BACK AND ASK THEM WHAT IT IS BEFORE OPENING IT! BEWARE OF FILES THEY ARE FORWARDING.
Many people got themselves infected by the famous "Microsoft Internet Explorer Update" sent directly to their mailboxes
by the nonexistent Microsoft Updates Staff. I understand you felt great because Microsoft was paying attention especially to you
and sent you the latest updates, but these "updates" are definitely trojans. Microsoft will NEVER send you updates of their
software via e-mail, no matter that the FROM field shows updates@microsoft.com; as you've noticed in the previous example,
the FROM field can be, and IS, faked. If you ever notice mail in your mailbox with subjects like "Microsoft IE Update" and such,
delete it WITHOUT viewing or reading the e-mail, because some e-mail clients like Outlook Express and others have bugs that
automatically execute the attached file WITHOUT you even touching it. As you can imagine this is an extremely
dangerous problem, and it requires you to always be up to date with the latest version of any software you're using.
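The two rules above (check what a file really is before you run it, and treat attachments as hostile until proven otherwise) can be turned into a mechanical check. The code below is an added example and not part of the original report: it recognises a Windows executable by its MZ/PE header rather than by its icon or extension, flags double extensions such as `.txt.exe`, and runs the same check over every attachment of a constructed MIME message modelled on the "Microsoft IE Update" lure. The message, the fake header bytes and the function names are assumptions made for this illustration; the forged sender address is there only to show that the FROM field is plain text the check must not rely on.

```python
import base64
import email
import struct
from email import policy
from typing import Dict, List

EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
DECOY_EXTENSIONS = {"txt", "jpg", "jpeg", "gif", "doc", "pdf", "bmp"}


def looks_like_pe(data: bytes) -> bool:
    """True when the bytes start with a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def triage_file(name: str, data: bytes) -> List[str]:
    """Return the reasons a file should not be opened blindly; empty list means nothing was flagged."""
    reasons = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"extension .{ext} is executable")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        reasons.append(f"double extension: decoy .{parts[-2]} before .{ext}")
    if looks_like_pe(data):
        reasons.append("content is a Windows PE executable")
        if ext not in EXECUTABLE_EXTENSIONS:
            reasons.append(f"PE content does not match the .{ext or '(none)'} extension")
    return reasons


def fake_pe_header() -> bytes:
    # Constructed: a 0x40-byte DOS header with e_lfanew = 0x40 followed by the
    # PE signature. It is only a header, not a program that could run.
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


def build_sample_message() -> str:
    # Constructed sample modelled on the lure the text describes; the sender is forged.
    attachment_b64 = base64.b64encode(fake_pe_header()).decode()
    return (
        "From: Microsoft Updates Staff <updates@microsoft.com>\r\n"
        "To: victim@example.com\r\n"
        "Subject: Microsoft IE Update\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "Please install the attached update.\r\n"
        "--b1\r\n"
        'Content-Type: application/octet-stream; name="ie_update.txt.exe"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="ie_update.txt.exe"\r\n'
        "\r\n"
        f"{attachment_b64}\r\n"
        "--b1--\r\n"
    )


def triage_message(raw: str) -> Dict[str, List[str]]:
    """Run triage_file over every attachment of a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # message body or multipart container, not an attachment
        payload = part.get_payload(decode=True) or b""
        reasons = triage_file(filename, payload)
        if reasons:
            findings[filename] = reasons
    return findings


if __name__ == "__main__":
    for filename, reasons in triage_message(build_sample_message()).items():
        print(filename)
        for reason in reasons:
            print("   ", reason)
```

The content check matters because Explorer's default "Hide extensions for known file types" setting shows `ie_update.txt.exe` as `ie_update.txt`, which is exactly the icon trick the IRC scenario describes. A renamed executable (`holiday.jpg` whose bytes carry a PE header) is caught by the header check alone, while a genuine text file produces no findings at all.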
PHYSICAL ACCESS
Physical access is vital to your computer's security. Imagine what an attacker can do with physical
access to your machine, not to mention if you're always connected to the Internet and leave the room for several minutes,
long enough to get you infected.
BROWSER AND EMAIL SOFTWARE BUGS
Users do not update their software as often as they should, and a lot of attackers take advantage
of this well-known fact. Imagine you are using an old version of Internet Explorer and you visit a malicious site that
checks for the browser's bugs and automatically infects your machine without you downloading or executing any program. The same scenario
applies when you check your e-mail with Outlook Express or some other software with well-known problems: again you
will be infected without downloading the attachment. Make sure you always have the latest version of your browser
and e-mail software, and reduce these infection vectors to a minimum.
NETBIOS (FILE SHARING)
If port 139 on your machine is open, you're probably sharing files, and this is another way for someone to access
your machine, install trojan.exe and modify some system file so that it runs the next time you restart your PC.
Sometimes the attacker may use a DoS (Denial of Service) attack to shut down your machine and force you to reboot,
so the trojan can restart itself immediately. To block file sharing in Windows ME, go to:
Start->Settings->Control Panel->Network->File And Print Sharing
and uncheck the boxes there. That way you won't have any problems related to NetBIOS abuse.
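Both the FTP trojans (which open port 21) and the NetBIOS exposure on port 139 described above share one symptom: a socket on the machine accepting connections from the outside that the owner never asked for. The following is an added example, not code from the report: it parses constructed `netstat -an` output, keeps only sockets bound for incoming traffic, and reports those reachable from the network that are not on a per-host allow-list, annotated with the two ports the text names. The sample output, the allow-list and the function names are assumptions.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -an` output on a Windows host; every
# address and port here is invented for the example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1040       203.0.113.9:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# The two ports the text discusses.
PORT_NOTES = {21: "FTP (the port FTP trojans open)", 139: "NetBIOS session / file sharing"}

# Assumed per-host allow-list: listeners this particular machine is expected to have.
EXPECTED_LISTENERS: Set[Tuple[str, int]] = {("TCP", 445), ("UDP", 137)}


def parse_listeners(netstat_text: str) -> List[Dict[str, object]]:
    """Return every socket bound for incoming traffic: TCP in LISTENING state, or any UDP socket."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner and column-header lines
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not servers
        addr, port = local.rsplit(":", 1)
        listeners.append({"proto": proto, "addr": addr, "port": int(port)})
    return listeners


def unexpected_listeners(netstat_text: str,
                         expected: Set[Tuple[str, int]] = EXPECTED_LISTENERS) -> List[Dict[str, object]]:
    """Listeners reachable from the network that are not on the allow-list."""
    findings = []
    for sock in parse_listeners(netstat_text):
        if str(sock["addr"]).startswith("127."):
            continue  # loopback-only services cannot be reached from the Internet
        if (sock["proto"], sock["port"]) in expected:
            continue
        sock["note"] = PORT_NOTES.get(int(sock["port"]), "not on this host's allow-list")
        findings.append(sock)
    return findings


if __name__ == "__main__":
    for sock in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"{sock['proto']} {sock['addr']}:{sock['port']}  {sock['note']}")
```

On the sample the FTP port, the NetBIOS port and an unexplained high port are reported, the loopback-only socket is ignored, and the two allow-listed services pass. The allow-list is the important part: a listener is only "unexpected" relative to what the owner knows the machine should serve, so the list is written per host and every entry on it should have a known program behind it.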
FAKE PROGRAMS
Imagine a freeware SimpleMail program that suits your needs very well and is very handy, with features like an address book,
the option to check several POP3 accounts and many other functions that make it even better than your e-mail client; and the best
thing for you is that it's free. You use ZoneAlarm or some similar protection software and mark the program as a TRUSTED
Internet server, so none of your programs will ever bother you about it, and you use it probably every day because
it works very well and no problems ever occur. You're happy, but a lot of things are going on in the background. Every mail you
send and all your passwords for the POP3 accounts are being mailed directly to the attacker's mailbox without you noticing
anything. Cached passwords and your keystrokes could also be mailed; the idea here is to gather as much information as possible
and send it to the attacker. This includes credit card numbers, passwords for various applications and many other things.
Fake programs with hidden functions often have professional-looking web sites, links to various anti-trojan software
mentioned as affiliates, a readme.txt included in the setup and many other things to make you trust the site and fool you into
thinking it's a trusted one. Pay attention to the freeware tools you download; consider them extremely dangerous and a very useful and easy
way for attackers to infect your machine with a Trojan.
UNTRUSTED SITES AND FREEWARE SOFTWARE
A site located at some free web space provider, or one simply offering programs for illegal activities, can be considered
untrusted. As you know, there are thousands of "hacking/security" archives on free web space providers like Xoom,
Tripod, Geocities and many, many others. These sites have archives full of "hacking" programs, scanners, mail-bombers,
flooders and many other tools. Often several, if not all, of these programs have been infected by the guy who created the site. It's highly
risky to download any of the programs and tools located on such untrusted sites; no matter which software you use, are you
ready to take the risk? Some untrusted sites look REALLY professional and have huge archives full of Internet-related
software, a feedback form and links to other popular sites. I think that if you take some time, look deeper and scan all the files you
download, you can decide on your own whether the site you are downloading your software from is a trusted or an untrusted one.
How Are They Detecting My Internet Presence?
People new to the Internet often ask this question, as they can't understand why someone would want to
attack them in particular, since they never did any harm to anyone and never did anything that might get them into trouble.
While reading the previous sections, I hope you understood that sometimes you only need to visit a web site with your unpatched
browser to get yourself infected.
I will explain several scenarios of how attackers may discover your Internet presence:
When you visit a web page, the attacker might have placed a script there that automatically checks your browser for known bugs
and, if any are found, installs a trojan on your machine or notifies the attacker to have a deeper look. Make sure you're always
using the latest version of your browser for maximal protection. Check for security patches and apply them often!
Intelligence With Trojans
Think for a while about how much your life depends on your computer, your ICQ, your chat program and
your e-mail address, and think how vulnerable your life is just because you're infected with a Trojan Horse. They can be, and have been, used for
intelligence for a very long time. Just by reading your e-mails, keeping track of your contacts, reading your private conversations, the web sites you visit,
your ICQ history, your mIRC log files with your private conversations and a log of everything you do online, a psychological profile could be created in several hours
(depending on the skills of the attacker, of course), and your life, mode of thinking, reactions to specific future situations and needs will be revealed to some geek wanting to
recruit and/or manipulate you. This is food for thought and another topic, but just think how a combination of psychology, social engineering and computer security
knowledge makes you a really powerful guy. And remember that people reveal their REAL personalities, wishes, mode of thinking and interests only when they think
nobody is watching them...
How Do I Know I'm Infected?
Sometimes you think it's normal Windows behaviour when 500 MB or so are missing on your HDD,
because some software is using it, or you installed a game you forgot about, and many other reasons but not the real one. Here are some things which are
very suspicious; no matter how much your anti-virus software tells you that you aren't infected, dig a little deeper and see what really happened.
One thing that will help you is to know the main features of the public trojans, so you'll be able to react if you notice such activity on your PC.
- It's normal to visit a web site and have several pop-ups appear along with the one you visited. But when you do nothing at all and suddenly your
browser directs you to some page unknown to you, take that seriously.
- A strange and unknown Windows message box appears on your screen, asking you personal questions.
- Your Windows settings change by themselves: a new screensaver text, the date/time or the sound volume changes by itself, your mouse moves by itself,
the CD-ROM drawer opens and closes.
Please note that most advanced attackers will just spy on you and use your infected machine for some specific reason, and will not perform any of the
above "tricks", so as not to cause any suspicious activity on the target system (as this would probably mean they get detected easily).
Someone who just wants to have fun with you is more likely to perform these actions.