A Must To Read Article On Trojans :
Trojans , types of Trojan , know Trojans , Everything you want to know about Trojans
Trojan horses present more difficulties in definition than at first appears. Whereas viruses are defined primarily by their ability to replicate, Trojans are primarily defined by their payload, or, to use a less emotive term, their function. Replication is an absolute value. Either a program replicates, or it doesn't. Damage and intent, however, are not absolutes, at least in terms of program function.
In computing terms, the term Trojan horse is most often applied to an apparently attractive program concealing in some way an unpleasant surprise. Trojans work similar to the client-server model.
Trojans come in two parts, a Client part and a Server part. The attacker deploys the Client to connect to the Server, which runs on the remote machine when the remote user (unknowingly) executes the Trojan on the machine. The typical protocol used by most Trojans is the TCP/IP protocol, but some functions of the Trojans may make use of the UDP protocol as well. When the Server is activated on the remote computer, it will usually try to remain in a stealth mode, or hidden on the computer. This is configurable.
It is usual for Trojans to also modify the registry and/or use some other auto starting method. Many Trojans have configurable features like mailing the victim's IP, for example Pro Rat trojan, as well as messaging the attacker via ICQ or IRC. Also there are websites with ActiveX servers imbedded in them were any one using Internet explorer goes on the site and the attachment installs its self with out any warning.
This is relevant when the remote machine is on a network with dynamically assigned IP address or when the remote machine uses a dial-up connection to connect to the Internet. DSL users on the other hand, have static IPs so the infected IP is always known to the attacker.
Most of the Trojans use auto-starting methods so that the servers are restarted every time the remote machine reboots / starts. This is also notified to the attacker. As these features are being countered, new auto-starting methods are evolving. The start up method ranges from associating the Trojan with some common executable files such as explorer.exe to the known methods like modifying the system files or the Windows Registry.
Some of the popular system files targeted by Trojans are Auto start Folder, Win.ini, System.ini, Wininit.ini, Winstart.bat, Autoexec.bat Config.sys. Could also be used as an auto-starting method for Trojans Explorer Startup.
Registry is often used in various auto-starting methods.
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun]
" Info"="c:directoryTrojan.exe"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce]
" Info"="c:directoryTrojan.exe"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices]
" Info"="c:directoryTrojan.exe"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce]
" Info="c: directoryTrojan.exe"
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
" Info"="c:directoryTrojan.exe"
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce]
" Info"="c:directoryTrojan.exe"
Registry Shell Open methods
[HKEY_CLASSES_ROOTexefileshellopencommand]
[HKEY_LOCAL_MACHINESOFTWAREClassesexefileshellopencommand]
A key with the value "%1 %*" should be placed there and if there is some executable file placed there, it will be executed each time a binary file is opened. It is used like this: trojan.exe "%1 %*"; this would restart the Trojan.
ICQ Net Detect Method
" [HKEY_CURRENT_USERSoftwareMirabilisICQAgentApps]
This key includes all the files that will be executed if ICQ detects Internet connection. This feature of ICQ is frequently abused by attackers as well.
ActiveX Component method
" [HKEY_LOCAL_MACHINESoftwareMicrosoftActiveSetupInstalledComponentsKeyName] StubPath=C: directoryTrojan.exe
These are the most common Auto-Starting methods using Windows system files, and the Windows registry.
The main Transmission of trojans are known to be by ICQ, IRC Attachments, Physical Access Browser And E-mail, Software Bugs with binded trojans, NetBIOS, Fake Programs, Un-trusted Sites, Freeware Software and most common of all is P2P File sharing! Yes that's Kaaza, Bear Share, Limewire and list goes on. Visit stop [bad] ware to learn about many free ware wich are bad and may carry spyware or even trojans!
So how do you go about finding and removing Trojans? Download and lean how to use TCPView. TCPView is a Windows program that will show detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses and state of TCP connections. On Windows NT, 2000 and XP TCPView also reports the name of the process that owns the endpoint. Best way to check for Trojans is close any open browsers let pc go in state of rest and open TCP view, once you see a connection established when youÒre not using anything and there is no signatures of the process than it might be a trojan. Another method is to view your Process. Simply hit [ALT] [CTRL] [DELETE] and it will list all of your running Process. Look for anything that you know might be suspicious or a trojan.
If you don't have a copy of Ad-Aware that you should go to there website and get one which helps remove many trojans and spyware. www.lavasoft.de/software/adaware/ . Sometimes you may run into trojan (trojans server.exe) that wont allow you to delet it and gives you errors like write protected or its in-use. You will need to run "Unlocker" and remove it that way. What are some other stealth ways Trojans can get on your pc and be remote controlled? The method is called ICMP Tunneling. ICMP tunneling is a method of using ICMP echo-request and echo-reply as a carrier of any payload an attacker may wish to use, in an attempt to stealthily access, or control a compromised system. This method makes it harder to find running server like TCP or UDP. The Internet Control Message Protocol is an adjunct to the IP layer. It is a connectionless protocol used to convey error messages and other information to unicast addresses . ICMP packets are encapsulated inside of IP datagram. The first 4-bytes of the header are same for every ICMP message, with the remainder of the header differing for different ICMP message types. There are 15 different types of ICMP messages.
Covert Channels are methods in which an attacker can hide the data in a protocol that is undetectable. Covert Channels rely on techniques called tunneling, which allows one protocol to be carried over another protocol.
A covert channel is a vessel in which information can pass, but this vessel is not ordinarily used for information exchange. Therefore, as a matter of consequence, covert channels are impossible to detect and deter using a system's normal (read: unmodified) security policy. In theory, almost any process or bit of data can be a covert channel. In practice, it is usually quite difficult to elicit meaningful data from most covert channels in a timely fashion. This makes it an attractive mode of transmission for a Trojan.
The attacker can use the covert channel and install the backdoor on the target machine. The concept of ICMP Tunneling is simple: arbitrary information tunneling in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets.
This exploits the covert channel that exists inside of ICMP_ECHO traffic. This channel exists because network devices do not filter the contents of ICMP_ECHO traffic. They simply pass them, drop them, or return them. The Trojan packets themselves are masqueraded as common ICMP_ECHO traffic. We can encapsulate (tunnel) any information we want. So what are come counter measure to protect your self from this attack? Configure your firewall to block ICMP incoming and outgoing echo packets. Blocking ICMP will disable ping request and may cause inconvenience to users. Most new firewall have this option. Last thing I want to stress is make sure your not with out a firewall or Anti-Virus and allways updating them.
[Types of Trojans]
Privacy-Invasive Trojans
Privacy-invasive Trojans generally perform some function that reveals to the programmer vital and privileged information about a system or otherwise compromises that system. Passwords are, for obvious reasons, a very common target.
They can also (or instead) conceal some function that either reveals to the programmer vital and privileged information about a system or compromises that system.
Some anti-virus companies have differentiated between PC-specific privacy-invasive Trojans and destructive Trojans by restricting the use of the term Trojan to destructive programs. They use the term password stealers for the most common privacy-invasive programs. In the latter half of the 1990s, password-stealing programs aimed specifically at AOL users seemed to become very common (some estimates at the number of such programs rose to many hundreds). Some anti-virus software uses an APS identifier for such programs, probably standing for AOL Password Stealer. However, AOL is not and never was the only vulnerable service. In their paper Where There's Smoke, There's Mirrors, Sarah Gordon and David Chess describe running user simulations on AOL over a seven-month period. While attempts were made to gain their dummy users'screen passwords, these attempts generally used direct social engineering techniques by correspondents masquerading as AOL staff, rather than indirectly with password stealing programs.
[Back Door Trojans]
Trojans have, from time to time, been planted in legitimate applications. Ken Thompson describes in Reflections on Trusting Trust a number of interesting (not entirely hypothetical) scenarios, the most famous being the Trojanized compiler scenario. In this case, production software offers the means of privileged access to anyone knowing of the back door or trapdoor described.
Back doors and trapdoors offering unauthorized access (and maybe modification) are not the only instances of unauthorized code introduced into legitimate programs, however. Many Mac owners who bought a certain brand of third-party keyboard with a Trojan hardcoded into ROM chip found that the text "Welcome Datacomp" was inserted into their documents at apparently random intervals. PC motherboards with a Trojanized BIOS were characterized by "Happy Birthday" played through the system loudspeaker at boot-up, apparently on the programmer's birthday.
[Remote Access Tools (RATs)]
Though few anti-virus vendors would claim to detect all known Trojans, most do detect at least some on the platforms for which they have products, especially those Trojans that do direct damage. Remote Access Tools (RATs) such as Netbus and Back Orifice, however, straddle a line between legitimate systems administration (similar to that carried out by programs such as PC Anywhere) and covert unauthorized access. When the system owner is persuaded to run the installation program, a server program is installed that can be accessed from a client program on a remote machine without the knowledge of the user. The server is used to manipulate the victim machine.
Functionally, there might be no difference between a RAT and a "legitimate" tool. The difference lies not in the functionality, but in the facilitation of the covert availability of that functionality to unauthorized individuals. As with sniffers and network scanners, it's not what the program does so much as the reason it's being used. Yet if RAT software is willingly installed, opening the system to an attack the user does not expect, does that make it a Trojan? Using Microsoft Word also makes the user vulnerable to attacks he might not have anticipated. It was, for instance, literally years before some computer users realized that using versions of Word and other Microsoft Office applications supporting macro languages made them vulnerable to macro viruses and Trojans. Does that make Bill Gates a Trojan author? No, because the functionality in this case is too generalized to be described as a back door. However, a RAT broadcasting its presence to a hacker, who probes a characteristic range of port numbers, can certainly be described as a back door Trojan. It promotes the intentions of the author and subverts the expectations of the victim.
This is a serious issue—not least in that the "Bad Guys" frequently allude to the shortcomings of legitimate software (especially Microsoft's) as if unforeseen bugs in Office justified their own premeditated activities.
Nonetheless, some RAT authors have exploited this ambivalence by producing "Professional" versions of such software and charging for them. This allows the authors to complain of the anti-capitalist, anti-competitive behavior of security vendors who detect their program as a Trojan (or, all too often and inaccurately, a virus). It works, too. Several anti-virus vendors have dropped detection of the Professional version of Netbus, despite the murkiness of its antecedents and its continuing potential for misuse. Others have gone out of their way to distinguish between standard Netbus Pro installations and Trojanized installations.
[Droppers]
A dropper is a program that is not itself a virus, but is intended to install a virus. Curiously, given the popular association of Trojans and viruses, droppers are a comparatively rare entry point for viruses in the wild (see the preceding chapter on viruses). In the PC world, dropper programs are most commonly associated with transporting boot sector viruses across networks, and can be used for that purpose by both pro- and anti-virus researchers. They can be used as a covert means of introducing a virus onto a system, if the victim can be persuaded by social engineering techniques to run the dropper program.
Droppers have been used surprisingly frequently in the Mac world, though. The MacMag virus was introduced via a HyperCard stack called New Apple Products. The Tetracycle game was implicated in the original spread of MBDF. ExtensionConflict is supposed to identify conflicts between extensions (now there's a surprise), but installs the SevenDust virus. Both SevenDust and MBDF are still being reported in the field. Back in the PC world, the Red Team alert muddied the waters by attaching a virus dropper alleged to be a fix for a virus that didn't and couldn't possibly exist.
[Jokes]
Joke programs are almost as old as computing. One venerable example is the PDP Cookie program, which popped up and asked the victim for a cookie. PC and Mac users have both long been delighted or irritated by such programs. Confusion has arisen due to the habit of anti-virus software of alerting (using the word virus) not only on viruses and Trojans, but on joke programs such as CokeGift. This widely distributed program offers the victim their CD tray as a holder for their fizzy drink (or possibly white powder for nasal ingestion or carboniferous fossil fuel). Cute for some, irritating for others, but not exactly life-threatening. However, the practice of alerting on joke programs might have arisen in response to supposed joke programs that threaten to format disks, or claim to have done so, but make no such actual attempt. Indeed, there have been instances when, what one vendor has reported as a Trojan, another vendor reported as a joke.
[Bombs]
Logic bombs are malicious programs that execute their payload when a preprogrammed condition is met. When the trigger condition is a time or date, the term time bomb may be used. A time-out is a logic bomb sometimes used to enforce contract terms. Characteristically, the program stops running unless some action is taken to indicate (for instance) that the license fee has been paid, or the contractor who wrote the code has been paid. It's not unknown for a contractor to introduce some more drastic time bomb to be triggered if a dispute over payment arises.
The use of the word bomb does suggest a destructive payload, but this need not, in fact, be the case. Mail bombs and subscription bombs, which don't really belong in a chapter on Trojans, are DoS (Denial-of-Service) attacks intended to inconvenience the victim by battering his or her mailbox with a barrage of mail. Often this is done by subscribing the victim to large numbers of mailing lists. Email Trojans certainly exist, although email is more commonly an infection vector for viruses and worms.
The term ANSI bomb usually refers to a mail message or other text file that takes advantage of an enhancement to the MS-DOS ANSI.SYS driver. This allows keys to be redefined with an escape sequence, in this case, to echo some potentially destructive command to the console. Such programs were at one time quite frequently reported on Fidonet. However, nowadays few systems run programs that require ANSI terminal emulation, and ANSI.SYS is not normally installed in Windows 9x or later.
There are alternatives to ANSI.SYS that don't support keyboard redefinition, or allow it to be turned off.
[Rootkits]
A rootkit is an example of a set of trojanized system programs that an intruder who manages to root-compromise a system might be able to substitute for the commands'standard equivalents. Examples include modified versions of system utilities such as top and ps, allowing illegitimate processes to run unnoticed; daemons modified to compromise log entries or hide connections; utilities gimmicked to enable escalation to root privileges or to hide rootkit component files or other backdoor functionality (secret passwords to allow privileged access, for instance). Associated programs include packet sniffers and utmp/wtmp editors (used to doctor log files).
Rootkits exist for a number of flavors of UNIX, and are appearing in NT versions. However, one-off Trojanized versions of login (that is, versions not included in a suite of programs such as a rootkit) have been used, for instance, to harvest passwords since Pontius programmed in PILOT.
You can find information on rootkits in the FAQ at http://staff.washington.edu/dittrich/misc/faqs/lrk4.faq.
Sarah Gordon's paper Publication of Vulnerabilities and Tool (Proceedings of the Twelfth World Conference on Computer Security, Audit and Control, 1995) includes a technical analysis of some rootkit components.
[DDoS Agents]
DDoS (Distributed Denial-of-Service) tools like Stacheldraht, TFN2K, and Trinoo are Trojans designed with a very specific purpose. They are intended to bring down Internet servers by remotely coordinating packet-flooding attacks from multiple machines. Typically, the intruder controls a number of master machines. These, in turn, control daemons on remote machines. Covertly installed, their presence is often concealed by the installation of rootkits. Daemons can be installed on many hundreds of remote machines, all directing flooding attacks at the victim system.
Detailed analysis of DDoS attacks and counter-attacks is beyond the scope of this chapter. However, the installation and presence of a DDoS attack tool can be detected by the same means as other malware. That is, recognition of a specific search string (Known Something Detection), heuristic scanning, and change detection. Virus scanners usually detect known DDoS tools. Network traffic can be monitored for characteristics such as IP packets with spoofed source addresses. Intrusion detection systems can be configured to scan for patterns characteristic of communications between master software and daemon software.
[Worms]
In principle, this should probably be the longest subsection in this chapter. Many system administrators now apply the term Trojan to what the author of Chapter 17, "Viruses and Worms," described as worms. While I regard this usage as misleading, it is defensible, common, and can't be ignored.
It's defensible because, as discussed in Chapter 17, most present-day worms are reliant on social engineering to persuade the recipient to execute the malicious code. In other words, they conform to one of the definitions we've previously examined suggesting that Trojans are programs that purport to do one (desirable) thing while actually doing some other (less desirable) thing.
The usage is misleading because it defies the definition of Trojans as non-replicative malware. In the virus business, most people hold the view that viruses and worms replicate. Some believe that the class worm is a subset of the class virus, and many regard Trojans as non-replicative. These distinctions are not just academic. To fight malicious code effectively, we need to understand how it works, and distinctions are particularly important when we come to examine a multipartite threats such as MTX or LoveLetter. Modern mail-borne malware might include components which can be described as parasitic (a file virus), a worm (a network virus that doesn't infect other files by direct attachment), and/or a classic Trojan.
[Trojan Security]
Trojans frequently masquerade as games, joke programs, screensavers, and other programs frequently exchanged by email, especially when strict system policies or security policies are not enforced. If software contains a privacy-invasive Trojan or a destructive Trojan with a delayed payload (a time bomb or other form of logic bomb, for example), the Trojan might be distributed by a victim who is not yet aware that the program is malicious.
Compiled binaries are not the only places you'll find Trojans. Batch files and other shell scripts, Perl programs, and perhaps even code written in JavaScript, VBScript, or Tcl can carry a Trojan. Scripting languages have been described as unsuitable for the creation of Trojans if the code remains humanly readable.
This increases the victim's chances of discovering the offending code. In real life, though, victims often seem quite happy to run unchecked code, even when it's humanly readable.
The LoveLetter virus was executed by countless recipients, even though the cleartext code clearly included a subroutine whose very name indicated that it was intended to infect files. Nesting a Trojan within such code is, however, more feasible if the file is part of a much larger package—for example, if the entire package extracts to many subdirectories.
In such cases, the complexity of the package can reduce the likelihood that a human being, using normal methods of investigation, would uncover the Trojan, especially if it's an easily overlooked short sequence like DELTREE C:\ or rm -rf. Trojans don't usually announce their intent. Worse still, many Trojans masquerade as legitimate, known utilities that you'd expect to find running on the system.
Thus, you cannot rely on detecting a Trojan by listing current processes. In detecting a Trojan by eye, much depends on the user's experience. Users who know little about their operating systems are less likely to venture deep into directory structures, looking for suspicious files. More proficient users are unlikely to have time to examine the complex system structures of modern operating systems, especially on server-class machines. Even experienced programmers can have difficulty identifying a Trojan, even when the code is available for their examination. Identification of malicious code by reverse-engineering can be more difficult and time-consuming by orders of magnitude.
New Trojans are difficult to detect using heuristic detection. (Unless you use the somewhat sweeping heuristic that a change in a file detected automatically is likely to indicate a Trojan substituted for a legitimate file.) There is no absolute test for code to determine whether it is (or is not) a Trojan because author intent and user expectations are not generally susceptible to automated analysis.
In most cases, Trojans are found in binaries, which remain largely in non-human-readable form. However, the fact that the code is largely static does make Trojans at least as susceptible to "known-something" detection as viruses. In other words, when a known malicious program is identified, it can be detected by software updated with an appropriate search string. Remember that, by most definitions, replication is not a characteristic of the Trojan breed. Trojans spread through the action of being copied by an attacker or a victim socially engineered into carrying out the attacker's wishes, not by self-copying.
Thus it is not usually feasible for an attacker to utilize techniques such as polymorphism to reduce the chance of detection. Since the copying of the program is not a function of the program itself, the program has no means of evolving into a nonidentical copy (a morph) of itself.
Nevertheless, undetected Trojans can lead to total system compromise. A Trojan can be in place for weeks or even months before it's discovered. In that time, a cracker with root privileges could alter the entire system to suit his or her needs. Even when the Trojan is discovered, many hidden loopholes might be left behind when it is removed.
More commonly, the process described as object reconciliation is known as change detection, integrity checking, or integrity management. However, these terms are not strictly synonymous.
Change detection simply describes any technique that alerts the user to the fact that an object has been changed in some respect.
Integrity checking has the same core meaning, but is often taken to imply a more sophisticated approach, not only to detecting change in spite of attempts to conceal it, but to ensuring that the reporting software itself is not subverted.
Integrity management is a more general term. It can include not only the detection of unauthorized changes, but other methods of maintaining system integrity. Such methods can include some or all of the following, in no particular order:
- Maintaining trusted backups
- Blocking unknown intrusions at entry
- Maintenance of strict access control
- Careful application of manufacturer patches to block newly discovered loopholes
- A finely engineered change-management system, using only signed (trusted) code.
A simple method of testing file integrity, is based on reports of changes in file state information. Different file integrity tests vary in sophistication. For example, you can crudely test a file's integrity using any of the following indexes:
- Date last modified
- File creation date
- File size
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment