6.1 Define a Trojan

Exam Focus: Define a Trojan. Objective includes:

·  Define a Trojan.

·  Identify overt and covert channels.

Trojan horse

A Trojan horse (Trojan) is malicious program code that masquerades as a normal program. When a Trojan horse program is run, its hidden code runs to destroy or scramble data on the hard disk. An example of a Trojan horse is a program that masquerades as a computer logon screen to retrieve user names and password information. The developer of a Trojan horse can use this information later to gain unauthorized access to computers. Trojan horses are normally spread by e-mail attachments. Unlike viruses, Trojan horses do not replicate themselves; they only destroy information on hard disks.

Uses of a Trojan

The following are the uses of a Trojan:

·  It is used to delete or replace an operating system's critical files.

·  It is used to generate fake traffic in order to create DoS attacks.

·  It is used to download spyware, adware, and malicious files.

·  It is used to steal information, such as passwords, security codes, and credit card information, using keyloggers.

·  It is used to disable firewalls and antivirus software.

·  It is used to record screenshots, audio, and video of the victim's PC.

·  It is used to turn the victim's PC into a proxy server for relaying attacks.

·  It uses the victim's PC for spamming and blasting email messages.

·  It uses the victim's PC as part of a botnet in order to perform DDoS attacks.

Types of Trojans

The following are the types of Trojans:

·  VNC Trojan

·  HTTP/HTTPS Trojan

·  ICMP Trojan

·  Command Shell Trojan

·  Data Hiding Trojan

·  Document Trojan

·  Covert Channel Trojan

·  Botnet Trojan

·  Proxy Server Trojan

·  Remote Access Trojan

·  Email Trojan

·  FTP Trojan

·  GUI Trojan

·  SPAM Trojan

·  Credit Card Trojan

·  Defacement Trojan

·  E-banking Trojan

·  Notification Trojan

·  Mobile Trojan

·  MAC OS X Trojan

The following are some important types of Trojans:

1.  Command Shell Trojan: It provides remote control of a command shell on a victim's machine. The Trojan server is installed on the victim's machine and opens a port for the attacker to connect to. The client is installed on the attacker's machine and is used to launch a command shell on the victim's machine. Netcat is a Command Shell Trojan.

2.  Email Trojan: Attackers send email messages to gain remote control of a victim's computer. Attackers can then send commands via email to retrieve files or folders. To hide their identity, attackers use an open-relay SMTP server and fake the email's FROM field. RemoteByMail is an example of an email Trojan.

3.  Botnet Trojan: It creates a network of bots that is controlled via a Command and Control center by infecting a large number of computers across a large geographical area. The botnet is used for launching various attacks on a victim, including denial of service attacks, spamming, click fraud, and the theft of financial information. Illusion Bot and NetBot Attacker are examples of botnet Trojans.

4.  VNC Trojan: It starts a VNC server on the infected system. The attacker uses any VNC viewer with the password "secret" to connect to the victim. Antivirus software will never detect this Trojan, as a VNC program is considered a utility. WinVNC and VNC Stealer are examples of VNC Trojans.

5.  HTTP/HTTPS Trojan: It can bypass any firewall because it operates in the opposite direction to a straight HTTP tunnel. It is executed on the internal host and spawns a child process at a predetermined time. The child program is permitted to access the Internet because, to the firewall, it appears to be a user browsing the web. HTTP RAT is an example of an HTTP Trojan.

6.  Covert Channel Trojan: It presents various exploitation techniques. It generates arbitrary data transfer channels inside the data streams that are authorized by a network access control system. It allows attackers to get an external server shell from within the internal network and vice versa. It sets up a TCP/UDP/HTTP CONNECT|POST channel permitting TCP data streams (SSH, SMTP, POP, etc.) between an external server and a box inside the internal network.

7.  E-banking Trojan: It captures a victim's account information before it is encrypted and forwards it to the attacker's Trojan command and control center.

8.  Notification Trojan: It forwards the victim's IP address to the attacker. The attacker receives the notification whenever the victim's computer connects to the Internet.

9.  Credit Card Trojan: It is used to steal the victim's credit card related data, such as the card number, CVV2, and billing details. It tricks users into visiting fake e-banking websites and entering personal information. It uses email, FTP, IRC, or other methods to transmit the stolen data to remote hackers.

10.  Encryption Trojan: It encrypts data files in the victim's system and renders information unusable.

11.  Remote Access Trojan: It allows attackers to gain full control over computer systems. Remote access Trojans are usually set up as client/server programs, so that an attacker can connect to the infected system and control it remotely. DarkComet RAT and Apocalypse are examples of Remote Access Trojans.

12.  Data Sending Trojan: It is used to capture and redirect data. eBlaster is an example of this type of Trojan. It can capture keystrokes, passwords, or any other type of information and send them back to the attacker via email.

13.  Document Trojan: Attackers embed a Trojan into a Word document, which infects a victim's computer. When the victim opens the document and clicks on the Trojan package, the Trojan is executed.

14.  Destructive Trojan: It is used to destroy files or operating systems. This Trojan formats all local and network drives. The user will not be able to boot the operating system.

15.  DoS Attack Trojan: It is designed to cause a DoS attack.

16.  Proxy Trojan: It is designed to work as a proxy. These programs can help a hacker hide and perform activities from the victim's computer.

17.  FTP Trojan: It is specifically designed to work on port 21. These Trojans allow a hacker to upload, download, or move files on the victim's computer. TinyFTPD is an example of an FTP Trojan.

18.  GUI Trojan: It is a graphical user interface Trojan. MoSucker, Jumper, and Biodox are GUI Trojans.

19.  Security Software Disabler Trojan: It is designed to attack and kill antivirus or software firewalls. The goal of disabling these programs is to make it easier for the hacker to control the system.

Overt and covert channels

An overt channel is the normal and legitimate way in which programs communicate within a computer system or network. Games or any legitimate programs are examples of an overt channel. A covert channel is a mechanism used to send or receive information between two or more machines without the firewalls and IDSs on the network being alerted. The mechanism derives its stealthy nature from sending traffic via ports that most firewalls will permit through. A Trojan is the simplest form of covert channel. By using the covert channel, the Trojan can communicate undetected, and the hacker can send commands to the client component undetected.

HTTP RAT

HTTP RAT is an HTTP Trojan. It has the following functions:

·  It displays ads and records personal data/keystrokes.

·  It downloads unsolicited files and disables programs or the system.

·  It floods the Internet connection and distributes threats.

·  It tracks browsing activities and hijacks the Internet browser.

·  It makes fraudulent claims regarding spyware detection and removal.

Shttpd Trojan

Shttpd is a small HTTP server. It can be embedded inside any program, and it can be wrapped with a genuine program (for example, a game such as chess.exe). When executed, it turns the computer into an invisible web server.

Banking Trojan analysis

A banking Trojan captures the valid Transaction Authentication Number (TAN) entered by a user. It replaces the TAN with a random number that will be rejected by the bank. The intercepted TAN can then be misused together with the user's login details.

On e-banking pages, a Trojan creates fake form fields. The additional fields harvest extra information, such as a card number and date of birth. This information can be used by attackers to impersonate the victim and compromise the account.

A Trojan first analyses POST requests, and then the responses sent to the victim's browser. In this way it compromises scramble pad authentication: as the user enters the Customer Number and Personal Access Code, the Trojan intercepts the scramble pad input.

PhoneSnoop

The PhoneSnoop Trojan remotely activates the microphone of a BlackBerry handheld and listens to sounds near or around it. It can be used to spy on an individual. Take the following steps to use PhoneSnoop:

·  Install PhoneSnoop.

·  Go to Options > Advanced options > Applications to select PhoneSnoop application permissions.

·  Change the permissions for Input Simulation and Phone to Allow.

·  Go to your Downloads or Home Screen and locate the PhoneSnoop icon and start the application.

·  Enter the phone number for which you want to trigger the remote listening and click Activate.

DNSChanger

The DNSChanger Trojan uses social engineering techniques to make users download the program and run its malicious code. The infection involves the following steps:

1.  Users are prompted to download a new codec in order to watch videos.

2.  The user then downloads the codec, which actually installs a fake codec.

3.  The local machine's DNS settings are changed to the attacker's IP address.

4.  A video is played so as not to raise suspicion after the fake codec is installed.

5.  A notification about the victim's machine is sent to the attacker using an HTTP POST message.

Qaz

Qaz is a backdoor Trojan that searches for Notepad.exe, renames it Note.com, and then copies itself to the computer as Notepad.exe. After this, whenever Notepad.exe is executed, the QAZ Trojan executes and calls the original Notepad to avoid being noticed. The payload of the Trojan uses WinSock and awaits a connection at port 7597. Any attacker who finds this port open on the victim's Trojaned computer can connect to it. Qaz also spreads itself to other shared drives on local networks.

How to remove Qaz: Qaz can be manually removed by editing the registry using the following steps:

1.  Run regedit from Start Menu > Run, and go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

2.  Search for any registry key that contains the data value startIE=XXXX\Notepad.exe. When found, highlight the registry entry that loads the file, and press the Delete key.

3.  Reboot the computer, search for the file Note.com, and rename it as Notepad.exe.

What do Trojan creators look for?

Trojan creators look for the following:

·  Credit card information

·  Account data, such as email addresses, passwords, user names, etc.

·  Confidential documents

·  Financial data, such as bank account numbers, social security numbers, insurance information, etc.

·  Calendar information that concerns the whereabouts of a victim

·  Use of the victim's computer for illegal purposes (hacking, scanning, flooding, or infiltrating other machines on the network or Internet)

Indications of a Trojan attack

The following are the indications of a Trojan attack:

·  The CD-ROM drawer opens and closes by itself

·  The computer's browser is redirected to unknown pages

·  Antivirus software is disabled or stops working properly

·  The taskbar disappears

·  Strange chat boxes appear on the victim's computer

·  Windows color settings change

·  The Windows Start button disappears

·  Account passwords are changed, or there is unauthorized access

·  The computer screen flips upside down or is inverted

·  Screensaver settings change automatically

·  The ISP complains to the victim that his/her computer is IP scanning

·  Strange purchase statements appear on credit card bills

·  Wallpaper or background settings change

·  The functions of the right and left mouse buttons are reversed

·  People know too much personal information about the victim

·  The computer monitor turns itself off and on

·  The printer prints documents or messages by itself

·  The mouse pointer disappears or moves by itself

·  The computer shuts down and powers off by itself

·  Ctrl+Alt+Del stops working

Infect systems using a Trojan

Take the following steps to infect systems using a Trojan:

1.  Use a Trojan Horse Construction Kit to create a new Trojan.

2.  Create a dropper. The dropper is the part of a trojanized package that installs the malicious code on the target system.

3.  Use wrapper tools to create a wrapper that installs the Trojan on the victim's computer.

4.  Propagate the Trojan.

5.  Execute the dropper.

6.  Execute the damage routine.

Trojan vectors

A Trojan may infect any system through Trojan vectors. The most common Trojan vectors are as follows:

·  Email attachments

·  Social engineering

·  NetBIOS remote installation

·  Physical access

·  Fake executables

·  Spyware and adware

·  IRC and IM chats

·  Flash applets

·  ActiveX controls, VBScript, and Java scripts

Different ways a Trojan can get into a system

A Trojan can get into a system in the following different ways:

·  Instant Messenger applications

·  IRC (Internet Relay Chat)

·  Attachments

·  Physical Access

·  Browser and email software bugs

·  NetBIOS (File Sharing)

·  Untrusted sites and freeware software

·  Downloaded files, games, and screensavers from Internet sites

·  Fake programs

·  Legitimate "shrink-wrapped" software packaged by a disgruntled employee.

Detecting a Back Orifice Trojan

Whether or not a Back Orifice Trojan is installed on the victim's computer can be determined in the following ways:

·  By entering the netstat command at the Command Prompt. If the following result is displayed, there may be a Back Orifice Trojan on the computer:

C:\WINDOWS>netstat -an | find "UDP"
  UDP    IP_Address:31337    *:*
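The Back Orifice netstat check above and the Qaz registry check from the removal steps, combined into one host-indicator script. This is an added example, not code from the guide; it runs over constructed `netstat -an` and `reg query` output embedded below, and the Run-key value name `startIE` in the sample is an assumption.

```python
"""Checks for two Trojan indicators this guide describes, run over constructed sample text:
Qaz (TCP listener on 7597, Run-key data of the startIE form) and Back Orifice (UDP 31337)."""
import re

TROJAN_PORTS = {7597: "Qaz", 31337: "Back Orifice"}  # port -> Trojan named in the guide

# Constructed sample of `netstat -an` output from a Windows host (not captured from a real system)
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7597           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49700     93.184.216.34:443      ESTABLISHED
  UDP    192.168.1.10:31337     *:*
"""

# Constructed sample of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` output
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    startIE    REG_SZ    startIE=C:\WINDOWS\Notepad.exe
"""

# Qaz autostart data pattern exactly as the guide gives it: startIE=XXXX\Notepad.exe
QAZ_RUN_VALUE = re.compile(r"startIE=.*\\Notepad\.exe", re.IGNORECASE)


def suspicious_listeners(netstat_text):
    """Return (proto, local_address, trojan) for sockets listening on a known Trojan port."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header line or not a socket row
        proto, local = parts[0], parts[1]
        # UDP rows carry no state column; a TCP row only counts if it is LISTENING
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue
        port = int(local.rsplit(":", 1)[1])  # works for IPv4 and [::]-style IPv6 addresses
        if port in TROJAN_PORTS:
            hits.append((proto, local, TROJAN_PORTS[port]))
    return hits


def qaz_run_entries(reg_query_text):
    """Return the names of Run-key values whose data matches the Qaz autostart pattern."""
    return [line.split()[0] for line in reg_query_text.splitlines()
            if QAZ_RUN_VALUE.search(line)]
```

On a live Windows host the same functions can be fed the real output of `netstat -an` and `reg query` captured via subprocess.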