Trojans, Backdoors, and Sniffers
http://kingofdkingz99.blogspot.com/2011/10/trojans-backdoors-and-sniffers.html
Trojan horses are continually in the security news. They have been around us since computing started, and virus writers continue to add more and more lethal
varieties.
Trojans are malicious pieces of code used to install hacking software on a
target system and aid the hacker in gaining and retaining access to that system.
Trojans and their counterparts (backdoors and sniffers) are important pieces of
the hacker’s toolkit.
For example, a Trojan can install a backdoor program that allows a hacker to
connect to a computer without going through the normal authentication
process. Loading a backdoor program on a target computer lets the hacker come
and go at will. For this and other reasons, it’s imperative to be able to identify
Trojans and their behaviors and properly protect your own computing base.
Trojans and Backdoors
A Trojan is a program that performs functions unwanted by the target. The three accepted definitions of a Trojan horse are:
■■ An unauthorized program contained within a legitimate program that
performs functions unknown and unwanted by the user
■■ A legitimate program that has been altered by the placement of unauthorized
code within it and that performs functions unknown and unwanted by the user.
■■ Any program that appears to perform a desirable and necessary function
but that, because of hidden and unauthorized code, performs functions
unknown and unwanted by the user
The operative phrase here is performs functions unknown and unwanted by the
user. Trojans can be transmitted to the computer in several ways, through email
attachments, freeware, physical installation, ICQ/IRC chat, phony programs, or
infected websites. When the user signs on and goes online, the Trojan is activated,
and the attacker gets access to the system. Unlike a worm, a Trojan
doesn’t typically self-replicate. The exact type of attack depends on the type
of Trojan.
A backdoor in a computer system secures remote access to the system for an
attacker and allows the attacker to bypass normal authentication; backdoors
attempt to remain hidden from casual inspection. The backdoor may take the
form of an installed Trojan or be a result of a code modification to a legitimate
program.
Trojans often reside deep in the system and make Registry changes that
allow them to spawn a connection on the Slave’s computer that communicates
out of the target’s network into a designated hacker server. Since the
offending traffic is outbound, this type of attack is often not noticed right
away. Most organizations employ more protection on incoming data than on
outgoing data.
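The paragraph above makes the defender's point: a Trojan's traffic is outbound, and outbound traffic gets the least scrutiny. The Python script below is an added example (it is not from the original post or from the book it excerpts) of what can be done with the egress logs most organizations already keep. It parses a few constructed firewall log lines in a simple "ALLOW OUT key=value" shape (not any real product's format), groups connections by source host, destination and port, and reports groups that connect at near-constant intervals, the check-in pattern of a Trojan calling home. The addresses, the port and the thresholds are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress log lines (not a real firewall's format). One workstation talks to
# the same external host and high port every five minutes; the other traffic is ordinary.
SAMPLE_LOG = """\
2011-10-03T09:00:00 ALLOW OUT src=10.1.5.23 dst=203.0.113.7 proto=tcp dport=31337
2011-10-03T09:00:12 ALLOW OUT src=10.1.5.23 dst=198.51.100.10 proto=tcp dport=443
2011-10-03T09:05:00 ALLOW OUT src=10.1.5.23 dst=203.0.113.7 proto=tcp dport=31337
2011-10-03T09:07:41 ALLOW OUT src=10.1.5.40 dst=198.51.100.10 proto=tcp dport=443
2011-10-03T09:10:01 ALLOW OUT src=10.1.5.23 dst=203.0.113.7 proto=tcp dport=31337
2011-10-03T09:15:00 ALLOW OUT src=10.1.5.23 dst=203.0.113.7 proto=tcp dport=31337
2011-10-03T09:16:30 ALLOW OUT src=10.1.5.40 dst=198.51.100.10 proto=tcp dport=443
2011-10-03T09:20:00 ALLOW OUT src=10.1.5.23 dst=203.0.113.7 proto=tcp dport=31337
2011-10-03T09:31:12 ALLOW OUT src=10.1.5.40 dst=198.51.100.10 proto=tcp dport=443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+ALLOW\s+OUT\s+(?P<kv>.*)$")


def parse_egress_log(text):
    """Return (timestamp, src, dst, dport) tuples for every outbound allow line."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in another shape are skipped rather than fatal
        fields = dict(part.split("=", 1) for part in m.group("kv").split() if "=" in part)
        if "dport" not in fields:
            continue
        flows.append((datetime.fromisoformat(m.group("ts")),
                      fields["src"], fields["dst"], int(fields["dport"])))
    return flows


def find_beacons(flows, min_hits=4, max_jitter=0.2):
    """Report (src, dst, dport) groups that connect at near-constant intervals.

    The coefficient of variation of the gaps between connections is 0 for a
    perfectly regular timer; interactive traffic is far noisier. The thresholds
    are starting points for tuning against a real baseline, not fixed truths.
    """
    groups = defaultdict(list)
    for ts, src, dst, dport in flows:
        groups[(src, dst, dport)].append(ts)
    beacons = []
    for (src, dst, dport), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "dport": dport, "hits": len(stamps),
                            "period_s": round(mean), "jitter": round(jitter, 3),
                            "high_port": dport > 1023})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_egress_log(SAMPLE_LOG)):
        print(f"{b['src']} -> {b['dst']}:{b['dport']} every ~{b['period_s']}s "
              f"({b['hits']} hits, jitter {b['jitter']})")
```

Regular intervals are also produced by legitimate software (update checks, monitoring agents, time sync), so the output is a triage list to compare against a known-good baseline of destinations, not a verdict; a Trojan that randomizes its check-in period will need a looser jitter threshold or a longer observation window than this sample shows.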
Trojan Types
There are several types of Trojans; each behaves differently and produces differing results from the others. Depending upon the type of Trojan, an attacker
can use them to stage various types of exploits.
Trojans can be:
■■ Remote access Trojans (RATs)
■■ Keystroke loggers or password sending Trojans
■■ Software detection killers
■■ Purely destructive or service denying Trojans
■■ FTP Trojans
Some Trojans are programmed to open specific ports to allow access for
exploitation. When a Trojan is installed on a system, it often opens a high numbered
port. The open port can be scanned and located, enabling an
attacker to compromise the system.
Remote Access Trojans (RATs)
A program that surreptitiously allows access to a computer’s resources (files,
network connections, configuration information, and so on) via a network
connection is sometimes referred to as a remote access Trojan (RAT). Remote
access functionality is often included in legitimate software design.
For example, software that allows remote administration of workstations on
a company network or that allows helpdesk staff to take over a machine
remotely to demonstrate how a user can achieve some desired result is genuinely
a useful tool. Such a tool is designed into a system and installed and
used with the knowledge and support of the system administrator and the
other support staff.
RATs generally consist of two parts: a client component and a server component.
For the Trojan to function as a backdoor, the server component has to
be installed on the Slave’s machine. This may be accomplished by disguising
the program in such a way as to entice victims into running it. It could masquerade
as another program altogether (such as a game or a patch), or it could
be packaged with a hacked, legitimate program that installs the Trojan when
the host program is executed.
After the server file has been installed on a Slave’s machine, often accompanied
by changes to the Registry to ensure that the Trojan is reactivated
whenever the machine is restarted, the program opens a port so that the
hacker can connect. The hacker can then utilize the Trojan via this connection
to issue commands to the Slave’s computer. Some RATs even provide a message
system that notifies the hacker every time a Slave logs on to the Internet.
Most RATs and backdoor Trojans use common, specific ports. The original's table "Common Remote Access Port Numbers" lists some of these ports; the table itself is not reproduced on this page.
Trojan Attack Vectors
A Trojan may infect a system through various attack vectors, such as email attachments,
downloaded worms, or direct installation by hackers. Trojans usually
spoof their origin so that their attacks can’t be traced to the actual perpetrator.
A Trojan employs an attack vector to install its payload on the target’s computer
systems. The most common attack vectors are:
■■ Email and attachments (the #1 method)
■■ Deception and social engineering
■■ Web bugs and drive-by downloads
■■ NetBIOS remote plants
■■ Physical access
■■ Attacks that exploit Windows and Internet Explorer vulnerabilities
■■ Fake executables and freeware
■■ Web pages that install spyware and adware
Instant messaging, Internet Relay Chat (IRC), and P2P file-sharing networks
provide routes of attack. These Internet services rely on trusted communications
between computers, making these services handy vectors for hostile
exploits.
Combined attack vectors are often used so that if the message doesn’t carry
the malware, the attachment does. Email attachments are still the most common
way to attack a PC, but the email messages themselves are now used as
attack vectors, with the malware embedded in the email message. This means
that just reading or previewing the message can launch an attack.
Email message attacks rely on malicious code embedded in messages in
HTML format. Evil HTML messages in conjunction with trusting email clients
can easily infiltrate computers, installing Trojan horses and opening backdoors
for further invasion. One nasty trick adopted from spammers is to place an
“opt-out” link at the bottom of spam. When the link is clicked, a Trojan is
installed on the PC.
A good example of an email Trojan horse is Sepuc. Victims normally have no
idea that they’re being spied on. The email has no subject line and no visible
text in the body of the message. If the user opens the message, a small amount
of malicious code hidden in the email attempts to exploit a known vulnerability
in Internet Explorer to force a download from a remote machine. If it succeeds,
this file downloads several other pieces of code and eventually installs
a Trojan capable of harvesting data from the PC and sending it to a remote
machine.
Deception is a common vector for Trojans. Deception is aimed at a gullible
user as the vulnerable entry point. Most deception schemes require the unwitting
cooperation of the computer’s operator to succeed. This section illustrates
some of the common forms of attacks by deception.
Counterfeit websites use deception as the attack vector. They are intended
to look genuine but are used to plant malware. Often, they’re used in conjunction
with spam and pop-up pages to install spyware, adware, hijackers,
dialers, Trojans, or other malware. It can all happen as quickly as the page
loads or when a link is clicked.
COMMON TROJAN VECTORS FOR MALICIOUS CODE
HTML email and web pages can deliver malicious code in a variety of ways.
Here are the various means:
ActiveX controls. Browser security settings that prevent running unsigned
or unverified ActiveX controls can be overridden by launching HTML files
from a local disk or changing system Registry entries.
VBScript and Java scripts. Rogue scripts can automatically send data to
a web server without the owner’s knowledge or use the computer for
distributed denial-of-service attack.
Iframes. An iframe embedded in an email message can be used to run
some VB script; this script can access the local file system to read or
delete files.
Images. Embedded images can be dangerous and cause the execution of
unwanted code. Web bugs can also create privacy issues.
Flash applets. There aren’t many incidents reported in the wild, but some
bugs could be used to execute arbitrary code.
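The sidebar above lists the HTML features that carry malicious code in email (ActiveX via object tags, scripts, iframes, images used as web bugs, Flash), and the earlier paragraphs note that merely previewing such a message can trigger them. As an added example (mine, not the post's or the book's), the Python script below parses a constructed HTML message with the standard library's `html.parser` and reports each such feature, which is what a mail gateway or client needs to know in order to strip active content before anything is rendered in a preview pane. The message body, the `example.invalid` addresses and the quarantine rule are constructed for the example.

```python
from html.parser import HTMLParser

# Constructed HTML message body (not a real sample). It mixes a harmless link with an
# iframe, a remote 1x1 image (web bug) and an inline event handler on an image.
SAMPLE_MAIL = """\
<html><body>
<p>Happy birthday! Click <a href="http://example.invalid/card">here</a> to see your card.</p>
<img src="http://example.invalid/t.gif" width="1" height="1">
<iframe src="http://example.invalid/load" width="0" height="0"></iframe>
<img src="cid:cake.gif" onerror="window.open('http://example.invalid/x')">
<p><a href="http://example.invalid/optout">opt-out</a></p>
</body></html>
"""

ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "applet"}
QUARANTINE_KINDS = {"active content", "inline event handler", "script URL", "auto-redirect"}


class MailHtmlAuditor(HTMLParser):
    """Collect (tag, kind, detail) findings for content a mail client should never run."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag in ACTIVE_TAGS:  # script, iframe, ActiveX or Flash via object/embed, applet
            self.findings.append((tag, "active content",
                                  attrs.get("src") or attrs.get("data") or attrs.get("classid", "")))
        for name, value in attrs.items():
            if name.startswith("on"):  # onload=, onerror=, onmouseover=, ...
                self.findings.append((tag, "inline event handler", f"{name}={value}"))
            if value.strip().lower().startswith(("javascript:", "vbscript:")):
                self.findings.append((tag, "script URL", f"{name}={value}"))
        if tag == "img":
            src = attrs.get("src", "")
            tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
            if tiny and src.lower().startswith(("http://", "https://")):
                self.findings.append((tag, "tracking pixel (web bug)", src))
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append((tag, "auto-redirect", attrs.get("content", "")))


def audit_html_mail(html):
    """Parse one HTML message body and return the auditor's findings in document order."""
    auditor = MailHtmlAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def should_quarantine(findings):
    """True when anything executable is present; a lone web bug is a privacy issue, not malware."""
    return any(kind in QUARANTINE_KINDS for _, kind, _ in findings)


if __name__ == "__main__":
    results = audit_html_mail(SAMPLE_MAIL)
    for tag, kind, detail in results:
        print(f"<{tag}> {kind}: {detail}")
    print("quarantine:", should_quarantine(results))
```

A lenient parser such as `html.parser` sees roughly what a forgiving mail client renders, which is the point: the auditor must classify the message the way the client would interpret it. The safest client-side policy remains rendering mail as plain text, or as HTML with remote content and scripting disabled, so that the findings above become a report rather than an incident.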
Wrappers
It’s getting harder and harder to infect a PC with a Trojan, as effective anti-malware
software and devices shorten the time between a zero-day outbreak and
the remedy. One common and effective way for an attacker to get their Trojan
installed on the Slave’s computer is by using a wrapper.
A wrapper is a program used to combine two or more executables into a single
packaged program. The wrapper attaches a harmless executable, like a
game, to a Trojan’s payload, the executable code that does the real damage, so
that it appears to be a harmless file.
When the user runs the wrapped executable, it first runs the game or animation
and then installs the wrapped Trojan in the background, although the
user sees only the animation. For example, a common wrapped Trojan sends
an animated birthday greeting that installs BO2K while the user watches a
dancing birthday cake. The figure referenced here (not reproduced on this page) shows the wrapper concept.
Two often-used wrappers are eLiTeWrap (http://homepage.ntlworld.com/chawmp/elitewrap) and Silk Rope (http://packetstormsecurity.org/trojans/bo/index3.html).
ELiTeWrap is the granddaddy of wrappers. It’s an advanced executable
wrapper for Windows and can be used for archiving or secretly installing and
running programs. With eLiTeWrap, the hacker can create a setup program that
extracts files to a specified directory and executes programs and batch files.
Silk Rope is a wrapper program with an easy-to-use GUI. It binds the BO installer
with a program of the attacker’s choosing, saving the result as a single file. The
Silk Rope icon is a generic single-file-install icon (an opening box with a window
in the background) that the hacker can change with an icon utility such as
Microangelo or IconPlus.
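The wrapper section above describes a single file that carries a harmless program plus a hidden second executable. From the defender's side, the useful observation is that such a file frequently carries more bytes than its own headers account for: data appended after the last section of a PE file (the "overlay") is where binders, self-extractors and installers alike keep their cargo. The Python script below is an added example, not code from the original post or the book it excerpts, that measures the overlay of a PE file from its section table and checks whether the overlay itself contains something with a PE signature. Because no real binary is available offline, it also builds a minimal, deliberately non-runnable PE32 header as a test fixture; the section contents and the "STUB" bytes are constructed for the example.

```python
import struct


def build_sample_pe(section_bytes, overlay=b""):
    """Construct a minimal, non-runnable PE32 image to exercise the detector.

    This is a test fixture, not a real program: only the header fields the
    detector reads are meaningful, everything else is zero-filled.
    """
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    size_of_optional = 224                                              # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    pointer_to_raw = 0x200
    size_of_raw = (len(section_bytes) + 0x1FF) & ~0x1FF                # 512-byte file alignment
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_bytes), 0x1000,
                          size_of_raw, pointer_to_raw, 0, 0, 0, 0, 0x60000020)
    headers = dos_header + b"PE\0\0" + coff + optional + section
    headers += b"\0" * (pointer_to_raw - len(headers))
    body = section_bytes + b"\0" * (size_of_raw - len(section_bytes))
    return headers + body + overlay


def _contains_pe(blob):
    """True if some 'MZ' in blob has an e_lfanew that lands on a 'PE\\0\\0' signature."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew, = struct.unpack_from("<I", blob, pos + 0x3C)
            if blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                return True
        pos = blob.find(b"MZ", pos + 1)
    return False


def overlay_info(data):
    """Measure the bytes that follow the last section of a PE file (the overlay)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    number_of_sections, = struct.unpack_from("<H", data, coff + 2)
    size_of_optional, = struct.unpack_from("<H", data, coff + 16)
    section_table = coff + 20 + size_of_optional
    end_of_image = section_table + 40 * number_of_sections  # at least the headers
    for i in range(number_of_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte entry
        size_of_raw, pointer_to_raw = struct.unpack_from("<II", data, section_table + 40 * i + 16)
        end_of_image = max(end_of_image, pointer_to_raw + size_of_raw)
    overlay = data[end_of_image:]
    return {
        "image_size": end_of_image,
        "overlay_size": len(overlay),
        "overlay_offset": end_of_image if overlay else None,
        "embedded_pe": _contains_pe(overlay),
    }


if __name__ == "__main__":
    inner = build_sample_pe(b"\xC3" * 8)                       # stands in for a hidden second program
    wrapped = build_sample_pe(b"\x90" * 16, overlay=b"STUB" + inner)
    print(overlay_info(build_sample_pe(b"\x90" * 16)))
    print(overlay_info(wrapped))
```

An overlay is a triage signal, not a verdict: Authenticode signatures, installer archives and self-extracting packages all live past the last section of legitimate files. The practical follow-up is to compare the file's hash against the vendor's published one, verify its signature, and, where the overlay holds a second executable, analyse that one on its own.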
Some other wrapper or file-masking tools include:
■■ Saran Wrap
■■ PE Bundle
■■ Teflon Oil Patch (TOVB4)
■■ AFX File Lace
■■ Exe2vbs