Saturday, May 31, 2008

Trojans

Trojan Attacks:

A Trojan is a malicious program that, when installed on a system, can be used for nefarious purposes by an attacker. Tools that allow remote administration of, or access to, a vulnerable system (RATs) are called Trojans. That means after a system has been infected with a Trojan, an attacker can control nearly all the hardware & software on the system remotely. Today, Trojans are highly sophisticated & provide attackers with many different features for remote control. Once a Trojan has been introduced to a system, not only does all the data become vulnerable to threat, but there is a good chance that the compromised system can be used to set up an attack on some third-party system.


Most Trojans consist of two parts & their operation is fairly simple to follow. Using them involves very little technical skill. The two parts are:



  • The Server Part :

    This part of the Trojan opens up a preset port on the target computer, which listens for any connections to be initiated by the attackers. Obviously, it has to be installed on the victim’s computer through trickery or disguise.
  • The Client Part :

    This part gives the attacker complete control over the target system. It is installed on the attacker’s system to connect to the server part of the Trojan, which has been installed on the victim’s system.

Trojans are very hazardous tools that enable an attacker to cause great damage to the target system. Some of the most common malicious attacks that can be carried out by the use of Trojans are:

  1. Trojans are most often used for stealing sensitive intellectual property (IP) data from the target corporations & playing pranks on hapless individuals. By installing a Trojan on a system, the attackers are able to access, delete, upload or download files from it. IP theft is not only very expensive but it also can be used to damage the good name of a corporation. Because installation of a Trojan gives access to nearly all hardware & software on the system, it becomes open to all kinds of pranks, some of which are:

    - Increase or decrease the volume when you are listening to music.
    - Moving the mouse towards the right when you are trying to move it to the left.
    - When you type ABC, the attacker may type XYZ.
    - Open and close your DVD drive tray at intervals.
  2. Many Trojans have built-in logging capabilities. Today, there are innumerable Trojans available that also work as key loggers that record all the keystrokes made by the victim on the infected system. This means that key loggers record all the keys (in a predefined log file) that have been pressed on the target system. Such Trojans are useful for the following operations:

    - Accessing the contents of confidential emails & documents.
    - Recording passwords, credit card numbers, account IDs, etc.
    - Pilfering software programming code.
    - Finding out vital information regarding tender price & future business plans.

    Almost all Trojans have key logging facilities that can also record the name of the window where the particular data was typed. It is possible for an attacker to configure a Trojan so that it will automatically & secretly email the log file to a preset email address at regular intervals. It is even possible to configure an autodestruct feature into a Trojan, which will automatically get destroyed at a predefined date & time, leaving little evidence behind.
  3. Nearly all Trojans can be used for malicious purposes. An attacker can easily run malicious commands on an infected system & delete important files or even re-format the entire HDD. Thus, a Trojan can be used instead of viruses or worms.
  4. An attacker can program Trojans in such a way that they use the resources of the target system & network to carry out attacks on predefined victim systems. This means the attacker can put in a Trojan that has been programmed to attack the target system at a pre-fixed time & date. The attack is so planned that the victim believes that his own system or network has carried out the attack, which can involve many legal implications for the corporation.


A Trojan attack can be executed by following these simple steps:

  1. The most difficult part of executing a Trojan attack is installing the server part of the Trojan on the victim system. Some of the more common ways to do this are:

    - Email: Sending the Trojan server file as an attachment to email addressed to the victim. The problem with this method is that most often, the victim may not open the infected attachment.
    - Autorun CD-ROMs: Burn the Trojan onto a CD-ROM and then use the Autorun facility of the CD to automatically execute the Trojan the moment the CD is inserted into the tray.
    - Instant Messengers: It is also possible to send the Trojan server part disguised as a normal file over IRC or Instant Messenger. Attackers generally rename the Trojan so that it looks like a normal, legitimate file.
    - Physical Access: Physical access to the victim system gives an opportunity to the attacker to install the Trojan server part manually.
    - EXE Binders: These binders are tools that allow users to bind two .EXE files together into one file, in such a way that there is no effect on the working of either of the two files. So, the attacker binds or conceals the Trojan server part inside a legitimate .EXE file. The container file is usually chosen to be irresistible to the victim, such as greeting cards, small games, etc.
  2. The server part of the Trojan, once installed on the victim’s system, subsequently binds itself to a specific port on the victim system & listens for connections. Every Trojan listens for connections at a predefined specific port number, which is different for each Trojan.

    For example, the Netbus Trojan listens for connections on the preset port 12345.
  3. Next, it is necessary for the attacker to locate the IP address of the target system on which the server part of the Trojan has been installed. This step enables the attacker to connect to the infected system & control it remotely.
  4. Then, the attacker uses the client part of the Trojan tool, which is installed on his system to connect to the server part of the Trojan installed on the victim system. The attacker connects to the preset port number that the Trojan uses. After establishing the connection, the victim’s system lies open to the attacker to inflict any kind of damage.
  5. Most often, after the Trojan has been installed in the target system, the attackers will install a backdoor on it to ensure easy access whenever they want to enter.

Detection Of Trojans:

  1. Suspicious Open Ports: By using the netstat -n command.
  2. Monitoring Outgoing Traffic: What is more dangerous is that a Trojan covertly emails the logged passwords or recorded sensitive data to the attacker’s preset email address. Hence, by blocking all malicious outgoing emails, it is possible to guard against Trojans. The systems administrator should look out for illegal activity around the external mail servers, i.e. SMTP or Port 25. (Telnet Feature)
  3. Detection Tools: Lockdown 2000, Preview, etc…
  4. Start-up Files: In Registry or start-up folder.
  5. System Files: The two system files, i.e. win.ini & system.ini, have sections where all programs that are referenced get executed.
  6. Batch Files: These two batch files, autoexec.bat & winstart.bat, also get executed every time Windows boots and can, therefore, contain either malicious commands or references to malicious programs.
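
The first two checks in the list above can be scripted. The following is an added example, not part of the original post: it parses a constructed sample in Windows `netstat -an` layout (the -a switch is what includes listening sockets) and flags the NetBus port named above plus outbound SMTP sessions from hosts that are not mail servers. The function names, the sample addresses and the `mail_hosts` parameter are assumptions made for illustration.

```python
# Added example: flag netstat rows matching detection items 1 and 2 above.
import re

# Port -> name watchlist. Only NetBus/12345 comes from the page; extend locally.
WATCHLIST = {12345: "NetBus"}
SMTP_PORT = 25

# Constructed sample in `netstat -an` layout (documentation address ranges).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1047        198.51.100.7:80        ESTABLISHED
  TCP    192.0.2.10:1052        203.0.113.25:25        ESTABLISHED
  TCP    192.0.2.10:12345       203.0.113.99:4021      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def split_endpoint(endpoint):
    """Return (host, port) for 'a.b.c.d:port' or '[v6]:port'; port is None for '*'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def findings(netstat_text, watchlist=WATCHLIST, mail_hosts=()):
    """Return a list of (reason, local, remote) for each row worth investigating."""
    out = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and blank lines
        _proto, local, remote, state = m.groups()
        lhost, lport = split_endpoint(local)
        _rhost, rport = split_endpoint(remote)
        if lport in watchlist and state == "LISTENING":
            out.append((f"listening on {watchlist[lport]} default port", local, remote))
        elif lport in watchlist and state == "ESTABLISHED":
            out.append((f"session on {watchlist[lport]} default port", local, remote))
        elif rport == SMTP_PORT and state == "ESTABLISHED" and lhost not in mail_hosts:
            out.append(("outbound SMTP from a non-mail host", local, remote))
    return out

if __name__ == "__main__":
    for reason, local, remote in findings(SAMPLE):
        print(f"{reason}: {local} -> {remote}")
```

A port match is only a lead: legitimate software can use the same port number, and a Trojan can be configured to listen elsewhere, so each hit should be tied back to the owning process before acting on it.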

Counter-measures:

After a Trojan has been detected, the system administrator needs to remove it from the system. This can be done in the following manner:

  • There are many Trojan removal tools that can be downloaded & used to remove the most common Trojans. One should not only remove the Trojan, but also all the references to the Trojans from the start-up files.
  • Never accept or execute any file sent over email, chat, IRC, etc. However harmless or tempting the received file may seem, do not execute it. Also, do not experiment too much with Trojans because it is possible that the client part of the Trojan, installed on your system could turn out to be the server part, thus leaving your system open to attackers.
  • Because EXE binders allow an attacker to join two EXE files, the harmful Trojan file may be embedded inside a normal harmless .EXE file. This Trojan cannot be detected & only increases the file size by a certain number of bytes. Therefore, be careful & download software from the internet from the original developer’s website. Do not accept any .EXE files irrespective of whom you got them from.
  • A more effective countermeasure against Trojan activity is installing a firewall on your system to monitor & log all port traffic. This enables you to detect & trace Trojan-exploiting attempts. In addition, no matter how tempting, you should never execute any file sent to you over email, chat, IRC, & the like. Always download software from the Internet only from the original developer’s website.
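
Removing the start-up references mentioned above means knowing where they are. The following is an added example, not part of the original post: it audits the text of win.ini, system.ini, autoexec.bat and winstart.bat and lists every entry that would launch something at boot. The key names (load= and run= under [windows], shell= under [boot]) are the standard legacy Windows auto-start entries and are not stated on the page; the sample file contents and greeting.exe are constructed.

```python
# Added example: list what the legacy Windows start-up files would launch.
import re

# (file, section, key) -> values treated as normal (lower-case).
AUTOSTART_KEYS = {
    ("win.ini", "windows", "load"): {""},
    ("win.ini", "windows", "run"): {""},
    ("system.ini", "boot", "shell"): {"explorer.exe"},
}
BATCH_FILES = ("autoexec.bat", "winstart.bat")

def ini_values(text):
    """Map (section, key) -> value, lower-casing names; ';' lines are comments."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            values[(section, key.strip().lower())] = value.strip()
    return values

def audit(files):
    """files: {name: text}. Return [(file, location, command)] needing review."""
    review = []
    for (fname, section, key), normal in AUTOSTART_KEYS.items():
        value = ini_values(files.get(fname, "")).get((section, key), "")
        if value.lower() not in normal:
            review.append((fname, f"[{section}] {key}=", value))
    for fname in BATCH_FILES:
        for n, raw in enumerate(files.get(fname, "").splitlines(), 1):
            line = raw.strip()
            # Skip blank lines, REM and :: comments, and "echo off".
            if line and not re.match(r"(?i)^(@?rem\b|::|@?echo\s+off\b)", line):
                review.append((fname, f"line {n}", line))
    return review

# Constructed sample files; greeting.exe and its path are made-up names.
SAMPLE_FILES = {
    "win.ini": "[windows]\nload=\nrun=C:\\WINDOWS\\greeting.exe\n",
    "system.ini": "[boot]\nshell=Explorer.exe C:\\WINDOWS\\greeting.exe\n",
    "autoexec.bat": "@echo off\nREM constructed\nC:\\WINDOWS\\greeting.exe /nomsg\n",
    "winstart.bat": "",
}

if __name__ == "__main__":
    for fname, where, command in audit(SAMPLE_FILES):
        print(f"{fname} {where} {command}")
```

The batch-file part reports every command rather than judging it, since anything in those two files runs at boot; the reviewer decides which lines belong there.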
