INCS 745: Intrusion Detection and Hackers Exploits Trojan Horse Program Dr. Lo’ai Tawalbeh Prepared for Arab Academy for Banking and Financial Sciences (AABFS) 7/26/2016 Eng. Ammar Mahmood 1 Introduction Trojan horse is a malicious program that is disguised as or embedded within legitimate software. They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed. The term is derived from the classical myth of the Trojan War. 7/26/2016 Eng. Ammar Mahmood 2 Introduction Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like viruses or worms. Trojan horse programs depend on actions by the intended victims. As such, if trojans replicate and even distribute themselves, each new victim must run the program/trojan. Therefore their virulence is of a different nature, depending on successful implementation of social engineering concepts rather than flaws in a computer system's security design or configuration. 7/26/2016 Eng. Ammar Mahmood 3 Introduction There are two common types of Trojan horses: useful software that has been corrupted by a cracker inserting malicious code that executes while the program is used. Examples include various implementations of weather alerting programs, computer clock setting software, and peer to peer file sharing utilities (Droppers). 7/26/2016 Eng. Ammar Mahmood 4 Introduction The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives. 7/26/2016 Eng. Ammar Mahmood 5 Types of Trojan Horses Trojan horses are almost always designed to do various harmful things, but could be harmless. They are broken down in classification based on how they breach systems and the damage they cause. The seven main types of Trojan horses are: 7/26/2016 Eng. Ammar Mahmood 6 Types of Trojan Horses Remote Access Trojans: 7/26/2016 allowing remote access to the victim's computer. This is called a RAT (Remote Administration Tool). they provide the attacker with total control of the victim's machine. Example:The Bugbear virus that hit the Internet in September 2002, for instance, installed a Trojan horse on the victims' machines that could give the remote attacker access to sensitive data. Trojans acted as a server and listened on a port that had to be available to Internet attackers. Attackers can now also make use of a reverse connection to reach the backdoored host so that they can reach the server even when it is behind a firewall. Eng. Ammar Mahmood 7 Types of Trojan Horses Data Sending Trojans: 7/26/2016 spying on the user of a computer and send data back to the hacker with information such as passwords, confidential information such as credit card details, chat logs, address lists, browsing habits to other people, take a screenshot, keystrokes…etc. The Trojan could look for specific information in particular locations or it could install a key-logger and simply send all recorded keystrokes to the hacker. An example of this is the Badtrans.B email virus (released in the wild in December 2001) that could log users' keystrokes. Eng. Ammar Mahmood 8 Types of Trojan Horses Destructive Trojans: The only function of these Trojans is to destroy and delete files. This makes them very simple to use. They can automatically delete all the core system files on your machine. it is similar to a virus, but the destructive Trojan has been created purposely to attack you, and therefore is unlikely to be detected by your antivirus software. 7/26/2016 Eng. Ammar Mahmood 9 Types of Trojan Horses Proxy Trojans: These Trojans turn the victim's computer into a proxy server, making it available to the whole world or to the attacker alone. It is used for anonymous Telnet, ICQ, IRC, etc., activities. This gives the attacker complete anonymity and the opportunity to do everything from YOUR computer, including the possibility to launch attacks from your network. 7/26/2016 Eng. Ammar Mahmood 10 Types of Trojan Horses FTP Trojans: These Trojans open an FTP server on the victim’s machine that might store and serve illegal software and/or sensitive data, and allow attackers to connect to your machine via FTP. A Trojan FTP program is a File Transmission Protocol tool that allows an attacker to download, upload and replace files on the affected machine. often used to host potentially dangerous or illegal content (warez, child porn, etc.) on the compromised computer. security software disabler Trojans: These are special Trojans, designed to stop/kill programs such as anti-virus software, firewalls. Example: Bugbear virus installed a Trojan on the machines of all infected users and was capable of disabling popular antivirus and firewalls software. Usually targeted to particular end-user software. 7/26/2016 Eng. Ammar Mahmood 11 Types of Trojan Horses denial-of-service 7/26/2016 attack (DDoS) Trojans. Example: WinTrinoo is a DDoS tool that has recently become very popular; through it, an attacker who has infected many ADSL users can cause major Internet sites to shut down; early examples of this date back to February 2000, when a number of prominent e-commerce sites such as Amazon, CNN, E*Trade, Yahoo and eBay were attacked. Eng. Ammar Mahmood 12 Trojan Technologies Rootkit Technology: Rootkit technology involves a piece of malware (a Rootkit) intercepting system calls and altering them in order to conceal other malware. The purpose of rootkits is usually to hide backdoors, rootkits can hide things such as files, registry keys and processes. Rootkits also alter system logs in order to hide the activity of an attacker. There are two main types of Rootkits 7/26/2016 Kernel level rootkits normally patch, replace or hook system calls so they can alter them. Application level rootkits work basically the same, except they may simply inject themselves into an application or replace binaries of the application with fakes. Eng. Ammar Mahmood 13 Trojan Technologies Polymorphism 7/26/2016 A Polymorphic virus is basically a virus that uses a self encryption technique in order to try and evade Anti-Virus programs. The Polymorphic virus will alter or encrypt itself each time it infects a different machine. It also encrypt the algorithm they use to encrypt themselves, meaning each time they mutate they change almost completely, or at least it would appear that way to an Anti-Virus program. it is very difficult to detect some Polymorphic viruses,because you cannot rely on viral signatures since the virus can encrypt itself. In order for Anti-Virus programs to be able to detect Polymorphic viruses, they must use decryption simulation techniques. Eng. Ammar Mahmood 14 Trojan Technologies Firewall Bypass: There are 3 types FWB (Firewall Bypass) works by simply injecting the Trojan into a process as a DLL. Firewall vendors responded by blocking unknown DLL’s from injecting themselves into trusted applications. FWB+: Trojans coders then found away around having a DLL, by making the Trojan inject itself into the process with out need for a DLL. Firewall vendors then responded once again by blocking all the API used by Trojan coders to inject their Trojans into known trusted applications. FWB #:Firewall Bypass Sharp works by finding the address of the function, rather than just simply attempting to call the API. 7/26/2016 Eng. Ammar Mahmood 15 Methods of Infection The majority of Trojan horse infections occur because the user was tricked into running an infected program/file. There are 3 main way to infected by Trojan horse: 7/26/2016 Eng. Ammar Mahmood 16 Methods of Infection Websites :You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of trojans and other pests, because it contains numerous bugs. improperly handle data (such as HTML or images) by executing it as a legitimate program. ActiveX objects, and some older versions of Flash or Java 7/26/2016 Eng. Ammar Mahmood 17 Methods of Infection Email: If you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly. The same vulnerabilities exist since Outlook allows email to contain HTML and images. Furthermore, an infected file can be included as an attachment. 7/26/2016 Eng. Ammar Mahmood 18 Methods of Infection Open ports: Computers running their own servers (HTTP, FTP, or SMTP, for example), allowing Windows file sharing, or running programs that provide file sharing capabilities such as Instant Messengers (AOL's AIM, MSN Messenger, etc.) may have vulnerabilities similar to those described above 7/26/2016 Eng. Ammar Mahmood 19 Precautions against Trojan horses end-user awareness: 7/26/2016 If you receive e-mail from someone that you do not know or you receive an unknown attachment, never open it right away. make sure that you have the settings so that attachments do not open automatically. Make sure your computer has an anti-virus program on it and update it regularly Operating systems offer patches to protect their users from certain threats Avoid using peer-to-peer or P2P sharing networks like Kazaa , Limewire, Ares, or Gnutella because they are generally unprotected Eng. Ammar Mahmood 20 Trojan detection Detecting known/old Trojans that do not specifically designed to attack you is easy job done by security SW (e.g. antivirus) usually. Detecting unknown Trojans can only be done by manually reviewing the executable. The process of manually reviewing executables is a tedious and time-intensive job, and can be subject to human error. Therefore it is necessary to tackle this process intelligently and automate part of it. 7/26/2016 Eng. Ammar Mahmood 21 Removing the Trojan Removing Trojan horses can be a difficult task and may require a new installation of the operating system. Sometimes, simply uninstalling the Trojan horse does not solve the problem. The Trojan horse could have made permanent changes or installed backdoors that are unknown to the user. However most of its signature (of the Trojan) none by the security SW (e.g. antivirus) it can be removed very easy. 7/26/2016 Eng. Ammar Mahmood 22 Ex. Of Protection SW GFI (Trojan and executable analyzer tool): An executable scanner intelligently analyses what an executable does and assigns a risk level. It disassembles the executable and detects in real time what the executable might do. It compares these actions to a database of malicious actions and then rates the risk level of the executable. This way, potentially dangerous, unknown or one-off Trojans can be detected. The Trojan and executable scanner deals with advanced hackers who create their own versions of Trojans, the signatures of which are not known by antivirus software. 7/26/2016 Eng. Ammar Mahmood 23 Ex. Of Protection SW 7/26/2016 Eng. Ammar Mahmood 24 Example of Trojan SW SubSeven is a RAT (Remote Administration Tool) For Windows. Executing server.exe on Windows 9x/NTx system will allow full remote access on that system. It is the most well known Trojan backdoor application available (Remote Access Trojans) to the public. 7/26/2016 Eng. Ammar Mahmood 25 Example of Trojan SW Subseven consists of three main files: 1- Subseven client (R.A.T) 2- Subseven server (Trojan Horse) 3- Subseven server editor 7/26/2016 Eng. Ammar Mahmood 26 Example of Trojan SW How dose it work? 1- We use server editor to configure the server , we specify the startup method that will be used on the victim PC. 2- Then we configure the notification method ICQ, email or IRC channel. That will be used to know the IP address that the victim will use every time he connect to the internet. 3- Then we send the sever file to the victim after we change the icon and the extension of the server file. 4- After executing the file by the victim , the hacker receives the notification which contains the ip address and port number. 5- The hacker use the ip and port number to connect by the client tool. 7/26/2016 Eng. Ammar Mahmood 27 Example of Trojan SW Functions: 7/26/2016 send messages or questions to the victim open the default browser at the specified address hide or show the Start button take a screen shot of the victim's desktop disable keyboard chat with the victim start/stop the victim's PC Speaker restart windows open/close the CD-ROM set the length of the victim's mouse trails set a password for the server get all the active windows on the victim's computer enable/disable a specified window disable the close button on a specified window get a list of all the available drives on the victim's computer Eng. Ammar Mahmood turn monitor on/off show/hide the taskbar get more information about the victim's computer change the server name listen for all the pressed keys record sound get the file's size download/upload/execute file set wallpaper play file on the victim's computer reverse/restore mouse buttons set the online notification on/off close the server on the victim's computer 28 7/26/2016 Eng. Ammar Mahmood 29 Fake Server icon 7/26/2016 Eng. Ammar Mahmood 30 Bind server with EXE file 7/26/2016 Eng. Ammar Mahmood 31 Example of Trojan SW Melt option will delete the server after execution, in fact it will install itself to windows/system folder then it will delete itself. Bind option allows you to join any EXE file to your server to make sure that the person who runs that server won't feel strange about it. Same thing for fake error msg. 7/26/2016 Eng. Ammar Mahmood 32 7/26/2016 Eng. Ammar Mahmood 33 Resources http://en.wikipedia.org/wiki/Main_Page http://www.hackpr.net (sub7 official website) GFI\ The corporate threat posed by email Trojans (white paper) http://www.pestpatrol.com/zks/pestinfo/s/su bseven.asp 7/26/2016 Eng. Ammar Mahmood 34