INCS 745: Intrusion Detection and Hackers Exploits
Trojan Horse Program
By: Eng. Ammar Mahmood
Supervised By: Dr. Lo'ai Tawalbeh
New York Institute of Technology (NYIT) - Jordan's Campus
11/2/2006




Introduction

A Trojan horse is a malicious program that is disguised as, or embedded within, legitimate software. It may look useful or interesting (or at the very least harmless) to an unsuspecting user, but is actually harmful when executed. The term is derived from the classical myth of the Trojan War.


Introduction

Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like viruses or worms. Trojan horse programs depend on actions by the intended victims. As such, even if trojans replicate and distribute themselves, each new victim must run the program/trojan. Their virulence is therefore of a different nature: it depends on successful implementation of social engineering concepts rather than on flaws in a computer system's security design or configuration.


Introduction

There are two common types of Trojan horses:

The first is useful software that has been corrupted by a cracker inserting malicious code that executes while the program is used. Examples include various implementations of weather alerting programs, computer clock setting software, and peer-to-peer file sharing utilities (droppers).


Introduction

The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into the misdirected complicity that is needed to carry out the program's objectives.


Types of Trojan Horses

Trojan horses are almost always designed to do various harmful things, but could be harmless. They are classified based on how they breach systems and the damage they cause. The seven main types of Trojan horses are:


Types of Trojan Horses

Remote Access Trojans: these allow remote access to the victim's computer. Such a program is called a RAT (Remote Administration Tool); it provides the attacker with total control of the victim's machine. Example: the Bugbear virus that hit the Internet in September 2002 installed a Trojan horse on the victims' machines that could give the remote attacker access to sensitive data. Trojans acted as a server and listened on a port that had to be reachable by Internet attackers. Attackers can now also make use of a reverse connection from the backdoored host, so that they can reach the server even when it is behind a firewall.


Types of Trojan Horses

Data Sending Trojans: these spy on the user of a computer and send data back to the hacker, such as passwords, confidential information such as credit card details, chat logs, address lists, browsing habits, screenshots, keystrokes, etc. The Trojan could look for specific information in particular locations, or it could install a key-logger and simply send all recorded keystrokes to the hacker. An example of this is the Badtrans.B email virus (released in the wild in December 2001), which could log users' keystrokes.


Types of Trojan Horses

Destructive Trojans: the only function of these Trojans is to destroy and delete files. This makes them very simple to use. They can automatically delete all the core system files on your machine. This is similar to a virus, but a destructive Trojan has been created purposely to attack you, and is therefore unlikely to be detected by your anti-virus software.


Types of Trojan Horses

Proxy Trojans: these Trojans turn the victim's computer into a proxy server, making it available to the whole world or to the attacker alone. It is used for anonymous Telnet, ICQ, IRC, etc. activities. This gives the attacker complete anonymity and the opportunity to do everything from YOUR computer, including the possibility of launching attacks from your network.


Types of Trojan Horses

FTP Trojans: these Trojans open an FTP server on the victim's machine that might store and serve illegal software and/or sensitive data, and allow attackers to connect to your machine via FTP. A Trojan FTP program is a File Transfer Protocol tool that allows an attacker to download, upload and replace files on the affected machine. It is often used to host potentially dangerous or illegal content (warez, child porn, etc.) on the compromised computer.

Security software disabler Trojans: these are special Trojans designed to stop/kill programs such as anti-virus software and firewalls. Example: the Bugbear virus installed a Trojan on the machines of all infected users and was capable of disabling popular anti-virus and firewall software. They are usually targeted at particular end-user software.


Types of Trojan Horses

Denial-of-service (DDoS) Trojans. Example: WinTrinoo is a DDoS tool that has recently become very popular; through it, an attacker who has infected many ADSL users can cause major Internet sites to shut down. Early examples of this date back to February 2000, when a number of prominent e-commerce sites such as Amazon, CNN, E*Trade, Yahoo and eBay were attacked.


Trojan Technologies

Rootkit Technology: rootkit technology involves a piece of malware (a rootkit) intercepting system calls and altering them in order to conceal other malware. The purpose of rootkits is usually to hide backdoors; rootkits can hide things such as files, registry keys and processes. Rootkits also alter system logs in order to hide the activity of an attacker. There are two main types of rootkits:

Kernel level rootkits normally patch, replace or hook system calls so they can alter them. Application level rootkits work basically the same way, except they may simply inject themselves into an application or replace binaries of the application with fakes.


Trojan Technologies

Polymorphism: a polymorphic virus is basically a virus that uses a self-encryption technique in order to try to evade anti-virus programs. The polymorphic virus alters or encrypts itself each time it infects a different machine. It also encrypts the algorithm it uses to encrypt itself, meaning that each time it mutates it changes almost completely, or at least it appears that way to an anti-virus program. It is very difficult to detect some polymorphic viruses, because you cannot rely on viral signatures since the virus can encrypt itself. In order for anti-virus programs to be able to detect polymorphic viruses, they must use decryption simulation techniques.


Trojan Technologies

Firewall Bypass: there are three types.

FWB (Firewall Bypass) works by simply injecting the Trojan into a process as a DLL. Firewall vendors responded by blocking unknown DLLs from injecting themselves into trusted applications. FWB+: Trojan coders then found a way around needing a DLL, by making the Trojan inject itself into the process without a DLL. Firewall vendors then responded once again by blocking all the APIs used by Trojan coders to inject their Trojans into known trusted applications. FWB#: Firewall Bypass Sharp works by finding the address of the function, rather than simply attempting to call the API.


Methods of Infection

The majority of Trojan horse infections occur because the user was tricked into running an infected program/file. There are three main ways to be infected by a Trojan horse:


Methods of Infection

Websites: you can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of trojans and other pests, because it contains numerous bugs that improperly handle data (such as HTML or images) by executing it as a legitimate program. The same applies to ActiveX objects and some older versions of Flash or Java.


Methods of Infection

Email: if you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly. The same vulnerabilities exist since Outlook allows email to contain HTML and images. Furthermore, an infected file can be included as an attachment.


Methods of Infection

Open ports: computers running their own servers (HTTP, FTP, or SMTP, for example), allowing Windows file sharing, or running programs that provide file sharing capabilities such as Instant Messengers (AOL's AIM, MSN Messenger, etc.) may have vulnerabilities similar to those described above.


Precautions against Trojan horses

End-user awareness: if you receive e-mail from someone that you do not know, or you receive an unknown attachment, never open it right away.
Make sure that your settings are such that attachments do not open automatically.
Make sure your computer has an anti-virus program on it and update it regularly.
Keep up with operating system patches; they protect users from certain threats.
Avoid using peer-to-peer (P2P) sharing networks like Kazaa, Limewire, Ares, or Gnutella, because they are generally unprotected.
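As an added illustration of the e-mail precautions above (this is not code from the original slides): a gateway-side check that flags an attachment by its extension, by a double extension of the kind the SubSeven section later describes (icon and extension changed on the server file), and by its actual bytes rather than its name. The sample message is constructed here with the standard library; no real mail is involved.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly on double-click (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
# Harmless-looking extensions an attacker places in front of the real one.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "mp3"}


def check_filename(name):
    """Reasons the attachment's *name* looks suspicious (empty list if none)."""
    reasons = []
    parts = name.lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + ext)
        if len(parts) > 2 and parts[-2] in DECOY_EXTS:
            reasons.append("double extension: ." + parts[-2] + " in front of ." + ext)
    return reasons


def check_payload(data):
    """Reasons the attachment's *bytes* look suspicious: a renamed PE still starts with MZ."""
    return ["DOS/PE header (MZ) in attachment body"] if data[:2] == b"MZ" else []


def scan_message(raw):
    """Parse one RFC 822 message; return {attachment name: [reasons]} for every attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        findings[name] = check_filename(name) + check_payload(data)
    return findings


def build_sample():
    """Constructed test mail (not a real capture): one renamed EXE plus one real text file."""
    m = EmailMessage()
    m["From"] = "someone.unknown@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Look at this picture!"
    m.set_content("see attached")
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60  # only a DOS stub header, not a working program
    m.add_attachment(fake_exe, maintype="image", subtype="jpeg", filename="holiday_photo.jpg.exe")
    m.add_attachment(b"just some notes\n", maintype="text", subtype="plain", filename="notes.txt")
    return m.as_string()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(name, "->", "; ".join(reasons) or "no findings")
```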


Trojan detection

Detecting known/old Trojans that were not specifically designed to attack you is an easy job, usually done by security software (e.g. antivirus). Detecting unknown Trojans can only be done by manually reviewing the executable. The process of manually reviewing executables is a tedious and time-intensive job, and can be subject to human error. Therefore it is necessary to tackle this process intelligently and automate part of it.


Removing the Trojan

Removing Trojan horses can be a difficult task and may require a new installation of the operating system. Sometimes, simply uninstalling the Trojan horse does not solve the problem. The Trojan horse could have made permanent changes or installed backdoors that are unknown to the user. However, when the Trojan's signature is known to the security software (e.g. antivirus), it can be removed very easily.


Ex. of Protection SW

GFI (Trojan and executable analyzer tool): an executable scanner intelligently analyses what an executable does and assigns a risk level. It disassembles the executable and detects in real time what the executable might do. It compares these actions to a database of malicious actions and then rates the risk level of the executable. This way, potentially dangerous, unknown or one-off Trojans can be detected. The Trojan and executable scanner deals with advanced hackers who create their own versions of Trojans, the signatures of which are not known to anti-virus software.
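As an added example of the automated review the two slides above call for (this is not the GFI product's code nor the slides' own), a static heuristic: it reads a binary's Win32 import names, maps required-API combinations onto the behaviours from the "Types of Trojan Horses" and "Trojan Technologies" sections, and assigns a risk level. The rule sets, thresholds and sample import tables are this example's own constructions; `imports_from_pe` is an optional helper that needs the third-party `pefile` package.

```python
# Win32 import names that, taken together, indicate one behaviour from the Trojan taxonomy
# above. Every name in a rule must be imported for the rule to fire. The rules and the
# level thresholds are constructed for this example, not taken from any product.
RULES = {
    "remote access: listening backdoor": {"WSAStartup", "bind", "listen", "accept", "CreateProcess"},
    "remote access: reverse connection": {"WSAStartup", "connect", "CreateProcess"},
    "data sending: keylogger": {"SetWindowsHookEx", "connect", "send"},
    "firewall bypass: code injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                                        "CreateRemoteThread"},
    "security software disabler": {"CreateToolhelp32Snapshot", "Process32Next", "OpenProcess",
                                   "TerminateProcess"},
    "destructive: mass file deletion": {"FindFirstFile", "FindNextFile", "DeleteFile"},
    "persistence: registry autorun": {"RegOpenKeyEx", "RegSetValueEx"},
}
LEVELS = ((3, "high"), (2, "medium"), (1, "low"), (0, "clean"))


def normalize(name):
    """Fold the ANSI/Unicode variants (DeleteFileA / DeleteFileW) onto one base name."""
    if len(name) > 2 and name[-1] in "AW" and (name[-2].islower() or name[-2].isdigit()):
        return name[:-1]
    return name


def rate(imports):
    """Return (risk level, matched behaviours) for an iterable of imported function names."""
    present = {normalize(n) for n in imports}
    hits = [behaviour for behaviour, needed in RULES.items() if needed <= present]
    level = next(label for count, label in LEVELS if len(hits) >= count)
    return level, hits


def imports_from_pe(path):
    """Pull import names out of a real PE file. Assumption: 'pip install pefile' is available."""
    import pefile
    pe = pefile.PE(path)
    names = []
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        for imp in entry.imports:
            if imp.name:
                names.append(imp.name.decode())
    return names


# Constructed import tables (not taken from any real binary).
RAT_LIKE = ["WSAStartup", "socket", "bind", "listen", "accept", "connect", "send", "recv",
            "CreateProcessA", "SetWindowsHookExA", "RegOpenKeyExA", "RegSetValueExA",
            "DeleteFileA", "GetTickCount", "ExitProcess"]
EDITOR_LIKE = ["CreateFileW", "ReadFile", "WriteFile", "MessageBoxW", "ExitProcess"]

if __name__ == "__main__":
    for label, imports in (("rat-like", RAT_LIKE), ("editor-like", EDITOR_LIKE)):
        level, hits = rate(imports)
        print(label, level, hits)
```

A behaviour match is evidence to review, not proof: a legitimate remote-administration or backup tool imports many of the same functions, which is why the slides pair such tools with manual review.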



Example of Trojan SW

SubSeven is a RAT (Remote Administration Tool) for Windows. Executing server.exe on a Windows 9x/NTx system will allow full remote access to that system. It is the most well known Trojan backdoor application (Remote Access Trojan) available to the public.


Example of Trojan SW

SubSeven consists of three main files:

1- SubSeven client (R.A.T)
2- SubSeven server (Trojan Horse)
3- SubSeven server editor


Example of Trojan SW

How does it work?

1- We use the server editor to configure the server; we specify the startup method that will be used on the victim PC.

2- Then we configure the notification method (ICQ, email or IRC channel) that will be used to learn the IP address the victim uses every time he connects to the internet.

3- Then we send the server file to the victim after we change the icon and the extension of the server file.

4- After the victim executes the file, the hacker receives the notification, which contains the IP address and port number.

5- The hacker uses the IP and port number to connect with the client tool.


Example of Trojan SW

Functions:

send messages or questions to the victim
open the default browser at the specified address
hide or show the Start button
take a screen shot of the victim's desktop
disable keyboard
chat with the victim
start/stop the victim's PC speaker
restart Windows
open/close the CD-ROM
set the length of the victim's mouse trails
set a password for the server
get all the active windows on the victim's computer
enable/disable a specified window
disable the close button on a specified window
get a list of all the available drives on the victim's computer
turn monitor on/off
show/hide the taskbar
get more information about the victim's computer
change the server name
listen for all the pressed keys
record sound
get the file's size
download/upload/execute file
set wallpaper
play file on the victim's computer
reverse/restore mouse buttons
set the online notification on/off
close the server on the victim's computer


Fake Server icon


Bind server with EXE file


Example of Trojan SW

The Melt option will delete the server after execution; in fact it installs itself into the windows/system folder and then deletes itself. The Bind option allows you to join any EXE file to your server, to make sure that the person who runs that server won't find anything strange about it. The same applies to the fake error message option.


Resources

http://en.wikipedia.org/wiki/Main_Page
http://www.hackpr.net (sub7 official website)
GFI: The corporate threat posed by email Trojans (white paper)
http://www.pestpatrol.com/zks/pestinfo/s/subseven.asp