INCS 745: Intrusion Detection and Hackers Exploits
Trojan Horse Program
Dr. Lo’ai Tawalbeh
Prepared for Arab Academy for Banking and Financial Sciences (AABFS)
7/26/2016
Eng. Ammar Mahmood
1
Introduction
A Trojan horse is a malicious program that is disguised as, or embedded within, legitimate software. It may look useful or interesting (or at the very least harmless) to an unsuspecting user, but it is actually harmful when executed.
The term is derived from the classical myth of the Trojan War.
Introduction
Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like viruses or worms.
Trojan horse programs depend on actions by the intended victims. As such, even if trojans replicate and distribute themselves, each new victim must run the program. Their virulence is therefore of a different nature: it depends on successful social engineering rather than on flaws in a computer system's security design or configuration.
Introduction
There are two common types of Trojan horses:
- Useful software that has been corrupted by a cracker inserting malicious code that executes while the program is used. Examples include various implementations of weather alerting programs, computer clock setting software, and peer-to-peer file sharing utilities (droppers).
- A standalone program that masquerades as something else, like a game or image file, in order to trick the user into the misdirected complicity that is needed to carry out the program's objectives.
Types of Trojan Horses
Trojan horses are almost always designed to do harmful things, but they could be harmless. They are classified according to how they breach systems and the damage they cause. The seven main types of Trojan horses are:
Types of Trojan Horses
Remote Access Trojans:
- These Trojans allow remote access to the victim's computer. Such a program is called a RAT (Remote Administration Tool); it provides the attacker with total control of the victim's machine.
- Example: the Bugbear virus that hit the Internet in September 2002 installed a Trojan horse on the victims' machines that could give the remote attacker access to sensitive data.
- Trojans traditionally acted as a server and listened on a port that had to be reachable by Internet attackers. Attackers can now also make use of a reverse connection from the backdoored host, so that they can reach the server even when it is behind a firewall.
Types of Trojan Horses
Data Sending Trojans:
- These Trojans spy on the user of a computer and send data back to the hacker: passwords, confidential information such as credit card details, chat logs, address lists, browsing habits, screenshots, keystrokes, etc.
- The Trojan could look for specific information in particular locations, or it could install a key-logger and simply send all recorded keystrokes to the hacker.
- An example of this is the Badtrans.B email virus (released in the wild in December 2001), which could log users' keystrokes.
Types of Trojan Horses
Destructive Trojans:
- The only function of these Trojans is to destroy and delete files. This makes them very simple to use. They can automatically delete all the core system files on your machine.
- A destructive Trojan is similar to a virus, but it has been created purposely to attack you, and therefore it is unlikely to be detected by your antivirus software.
Types of Trojan Horses
Proxy Trojans:
- These Trojans turn the victim's computer into a proxy server, making it available to the whole world or to the attacker alone. It is used for anonymous Telnet, ICQ, IRC, etc. activities.
- This gives the attacker complete anonymity and the opportunity to do everything from YOUR computer, including the possibility of launching attacks from your network.
Types of Trojan Horses
FTP Trojans:
- These Trojans open an FTP server on the victim’s machine that might store and serve illegal software and/or sensitive data, and allow attackers to connect to your machine via FTP.
- A Trojan FTP program is a File Transfer Protocol tool that allows an attacker to download, upload and replace files on the affected machine.
- It is often used to host potentially dangerous or illegal content (warez, child pornography, etc.) on the compromised computer.
Security software disabler Trojans:
- These are special Trojans, designed to stop or kill programs such as anti-virus software and firewalls.
- Example: the Bugbear virus installed a Trojan on the machines of all infected users and was capable of disabling popular antivirus and firewall software.
- They are usually targeted at particular end-user software.
Types of Trojan Horses
Denial-of-service attack (DDoS) Trojans:
- Example: WinTrinoo is a DDoS tool that has recently become very popular; through it, an attacker who has infected many ADSL users can cause major Internet sites to shut down. Early examples of this date back to February 2000, when a number of prominent e-commerce sites such as Amazon, CNN, E*Trade, Yahoo and eBay were attacked.
Trojan Technologies
Rootkit Technology:
- Rootkit technology involves a piece of malware (a rootkit) intercepting system calls and altering them in order to conceal other malware.
- The purpose of rootkits is usually to hide backdoors; rootkits can hide things such as files, registry keys and processes.
- Rootkits also alter system logs in order to hide the activity of an attacker.
- There are two main types of rootkits:
  - Kernel level rootkits normally patch, replace or hook system calls so they can alter them.
  - Application level rootkits work basically the same way, except that they may simply inject themselves into an application or replace the application's binaries with fakes.
Trojan Technologies
Polymorphism
- A polymorphic virus is basically a virus that uses a self-encryption technique in order to try to evade anti-virus programs.
- The polymorphic virus alters or encrypts itself each time it infects a different machine. It also encrypts the algorithm it uses to encrypt itself, meaning that each time it mutates it changes almost completely, or at least it appears that way to an anti-virus program.
- It is very difficult to detect some polymorphic viruses, because you cannot rely on viral signatures since the virus can encrypt itself.
- In order for anti-virus programs to be able to detect polymorphic viruses, they must use decryption simulation techniques.
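The point about signatures and decryption simulation, as an added example that is not part of the lecture: a constructed, harmless "sample" is self-encrypted under different keys, a raw signature scan misses every generation, and a software emulation of its toy XOR decryptor recovers the body so the signature matches again. The `XOR1` stub format and the key range are assumptions of this example.

```python
# Added example, not from the lecture: why a raw signature scan misses a
# self-encrypting (polymorphic) body and how "decryption simulation" recovers
# it. The sample is a constructed, harmless byte string and its "decryptor" is
# a toy one-byte XOR loop carried in a 5-byte header, so it can be emulated
# in software instead of executed.
from typing import Optional

# Constructed plain body and the signature a scanner would normally match on.
PLAIN_BODY = b"CONSTRUCTED-SAMPLE-BODY: drop core.dll and listen on a port"
SIGNATURE = b"drop core.dll and listen"

def mutate(body: bytes, key: int) -> bytes:
    """One 'generation' of the sample: a decryptor stub that carries its key,
    followed by the body XOR-encrypted under that key (key 0 is rejected,
    since it would leave the body in the clear)."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    stub = b"XOR1" + bytes([key])           # toy decryptor header + key
    return stub + bytes(b ^ key for b in body)

def signature_scan(sample: bytes) -> bool:
    """Plain signature matching on raw bytes; this is what polymorphism defeats."""
    return SIGNATURE in sample

def emulate_decryptor(sample: bytes) -> Optional[bytes]:
    """Decryption simulation: recognise the stub, run its XOR loop in software
    rather than executing the sample, and hand the decrypted body back."""
    if len(sample) < 6 or not sample.startswith(b"XOR1"):
        return None
    key = sample[4]
    return bytes(b ^ key for b in sample[5:])

def scan_with_emulation(sample: bytes) -> bool:
    """Signature scan applied to the emulated (decrypted) body."""
    decrypted = emulate_decryptor(sample)
    return decrypted is not None and signature_scan(decrypted)

def demo() -> dict:
    """Two infections of the same sample under different keys: the raw bytes
    share no signature, but emulation finds the same body in both."""
    gen_a, gen_b = mutate(PLAIN_BODY, 0x5A), mutate(PLAIN_BODY, 0xC3)
    return {
        "generations_differ": gen_a != gen_b,
        "raw_scan_hits": signature_scan(gen_a) or signature_scan(gen_b),
        "emulated_scan_hits": scan_with_emulation(gen_a) and scan_with_emulation(gen_b),
    }
```

A real emulator has to interpret the decryptor's actual instructions rather than a known header, which is why the lecture calls this simulation rather than matching.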
Trojan Technologies
Firewall Bypass: there are 3 types
- FWB (Firewall Bypass) works by simply injecting the Trojan into a process as a DLL. Firewall vendors responded by blocking unknown DLLs from injecting themselves into trusted applications.
- FWB+: Trojan coders then found a way around needing a DLL, by making the Trojan inject itself into the process without a DLL. Firewall vendors then responded once again by blocking all the APIs used by Trojan coders to inject their Trojans into known trusted applications.
- FWB#: Firewall Bypass Sharp works by finding the address of the function itself, rather than simply attempting to call the API.
Methods of Infection
The majority of Trojan horse infections occur because the user was tricked into running an infected program/file.
There are 3 main ways to be infected by a Trojan horse:
- Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of trojans and other pests, because it contains numerous bugs, some of which improperly handle data (such as HTML or images) by executing it as a legitimate program. ActiveX objects, and some older versions of Flash or Java, carry similar risks.
- Email: If you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly. The same vulnerabilities exist since Outlook allows email to contain HTML and images. Furthermore, an infected file can be included as an attachment.
- Open ports: Computers running their own servers (HTTP, FTP, or SMTP, for example), allowing Windows file sharing, or running programs that provide file sharing capabilities such as Instant Messengers (AOL's AIM, MSN Messenger, etc.) may have vulnerabilities similar to those described above.
Precautions against Trojan horses
End-user awareness:
- If you receive e-mail from someone that you do not know, or you receive an unknown attachment, never open it right away.
- Make sure your e-mail settings do not open attachments automatically.
- Make sure your computer has an anti-virus program on it and update it regularly.
- Operating systems offer patches to protect their users from certain threats.
- Avoid using peer-to-peer (P2P) sharing networks like Kazaa, Limewire, Ares, or Gnutella, because they are generally unprotected.
Trojan detection
- Detecting known/old Trojans that were not specifically designed to attack you is an easy job, usually done by security software (e.g. antivirus).
- Detecting unknown Trojans can only be done by manually reviewing the executable.
- The process of manually reviewing executables is a tedious and time-intensive job, and can be subject to human error. Therefore it is necessary to tackle this process intelligently and automate part of it.
Removing the Trojan
- Removing Trojan horses can be a difficult task and may require a new installation of the operating system. Sometimes, simply uninstalling the Trojan horse does not solve the problem. The Trojan horse could have made permanent changes or installed backdoors that are unknown to the user.
- However, if the Trojan's signature is known to the security software (e.g. antivirus), it can be removed very easily.
Ex. of Protection SW
GFI (Trojan and executable analyzer tool): An executable scanner intelligently analyses what an executable does and assigns a risk level. It disassembles the executable and detects in real time what the executable might do. It compares these actions to a database of malicious actions and then rates the risk level of the executable. This way, potentially dangerous, unknown or one-off Trojans can be detected.
The Trojan and executable scanner deals with advanced hackers who create their own versions of Trojans, the signatures of which are not known to antivirus software.
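The approach described above (and the automated review called for in the Trojan detection slide), as an added example that is neither the lecture's nor GFI's code: instead of a signature, the analyser pulls the imported API names out of a binary, matches them against a constructed database of actions a Trojan needs (key-logging, process injection, listening port, startup persistence), and rates the combination. The API names are real Win32 functions; the weights, thresholds and sample blobs are assumptions of this example, and the code does no disassembly.

```python
# Added example, not the lecture's or GFI's code: a tiny static "executable
# analyser" that rates risk from the actions an executable's imports enable,
# rather than from a signature. It does not disassemble or run anything.
import re
from typing import Dict, List, Tuple

# Constructed database: Win32 API name -> (action it enables, weight).
# The names are real APIs; the weights are illustrative only.
MALICIOUS_ACTIONS: Dict[str, Tuple[str, int]] = {
    "SetWindowsHookExA":  ("install keyboard hook (key-logging)", 3),
    "GetAsyncKeyState":   ("poll keyboard state (key-logging)", 2),
    "CreateRemoteThread": ("inject code into another process", 4),
    "WriteProcessMemory": ("write into another process's memory", 3),
    "URLDownloadToFileA": ("download a file from the Internet", 2),
    "WinExec":            ("execute a downloaded/dropped file", 2),
    "listen":             ("open a listening port (backdoor)", 3),
    "RegSetValueExA":     ("modify the registry (startup persistence)", 2),
    "TerminateProcess":   ("kill other processes (security software)", 2),
}

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")   # printable runs of 4+ bytes

def extract_strings(blob: bytes) -> List[str]:
    """Pull printable ASCII runs out of a binary, like the 'strings' tool."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]

def analyse(blob: bytes) -> Tuple[int, str, List[str]]:
    """Return (score, risk level, matched actions) for one executable."""
    found = [s for s in set(extract_strings(blob)) if s in MALICIOUS_ACTIONS]
    score = sum(MALICIOUS_ACTIONS[s][1] for s in found)
    actions = sorted(f"{s}: {MALICIOUS_ACTIONS[s][0]}" for s in found)
    # The combination is what matters: one risky import is common in benign
    # software; "hook keys" plus "open a port" plus "inject" is not.
    if score >= 8:
        level = "high"
    elif score >= 4:
        level = "medium"
    elif score > 0:
        level = "low"
    else:
        level = "none"
    return score, level, actions

# Constructed blobs standing in for the import tables of two programs.
BENIGN_BLOB = b"MZ\x90\x00" + b"\x00".join(
    [b"CreateFileA", b"WriteFile", b"MessageBoxA"]) + b"\xff"
SUSPECT_BLOB = b"MZ\x90\x00" + b"\x00".join(
    [b"SetWindowsHookExA", b"listen", b"CreateRemoteThread", b"RegSetValueExA"]) + b"\xff"
```

Running `analyse` on a real file means reading its import table rather than raw strings, which stops a packed or polymorphic sample from hiding the names.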
Example of Trojan SW
SubSeven is a RAT (Remote Administration Tool) for Windows. Executing server.exe on a Windows 9x/NT system will allow full remote access to that system.
It is the most well known Trojan backdoor application (Remote Access Trojan) available to the public.
Example of Trojan SW
SubSeven consists of three main files:
1- SubSeven client (R.A.T)
2- SubSeven server (Trojan Horse)
3- SubSeven server editor
Example of Trojan SW
How does it work?
1- We use the server editor to configure the server; we specify the startup method that will be used on the victim's PC.
2- Then we configure the notification method (ICQ, email or IRC channel) that will be used to learn the IP address the victim gets every time he connects to the Internet.
3- Then we send the server file to the victim after we change the icon and the extension of the server file.
4- After the victim executes the file, the hacker receives the notification, which contains the IP address and port number.
5- The hacker uses the IP and port number to connect with the client tool.
Example of Trojan SW
Functions:
- send messages or questions to the victim
- open the default browser at the specified address
- hide or show the Start button
- take a screen shot of the victim's desktop
- disable keyboard
- chat with the victim
- start/stop the victim's PC speaker
- restart Windows
- open/close the CD-ROM
- set the length of the victim's mouse trails
- set a password for the server
- get all the active windows on the victim's computer
- enable/disable a specified window
- disable the close button on a specified window
- get a list of all the available drives on the victim's computer
- turn monitor on/off
- show/hide the taskbar
- get more information about the victim's computer
- change the server name
- listen for all the pressed keys
- record sound
- get a file's size
- download/upload/execute file
- set wallpaper
- play a file on the victim's computer
- reverse/restore mouse buttons
- set the online notification on/off
- close the server on the victim's computer
Fake Server icon
Bind server with EXE file
Example of Trojan SW
- The Melt option will delete the server after execution; in fact it installs itself to the windows/system folder and then deletes itself.
- The Bind option allows you to join any EXE file to your server, to make sure that the person who runs that server won't notice anything strange about it.
- The same applies to the fake error message option.
Resources
- http://en.wikipedia.org/wiki/Main_Page
- http://www.hackpr.net (sub7 official website)
- GFI, The corporate threat posed by email Trojans (white paper)
- http://www.pestpatrol.com/zks/pestinfo/s/subseven.asp