Trojans and Back Doors

6.1 Define a Trojan
Exam Focus: Define a Trojan. Objective includes:
• Define a Trojan.
• Identify overt and covert channels.
Trojan horse
A Trojan horse (Trojan) is malicious program code that masquerades as a normal program. When
a Trojan horse program is run, its hidden code runs to destroy or scramble data on the hard disk.
An example of a Trojan horse is a program that masquerades as the computer's logon screen in
order to capture user names and passwords. The developer of the Trojan horse can use this
information later to gain unauthorized access to computers. Trojan horses are normally spread
by e-mail attachments. Unlike viruses, Trojan horses do not replicate themselves; they only
destroy information on hard disks.
Uses of a Trojan
The following are the uses of a Trojan:
• It is used to delete or replace an operating system's critical files.
• It is used to generate fake traffic in order to create DoS attacks.
• It is used to download spyware, adware, and malicious files.
• It is used to steal information, such as passwords, security codes, and credit card
  information, using keyloggers.
• It is used to disable firewalls and antivirus software.
• It is used to record screenshots, audio, and video of the victim's PC.
• It is used to turn the victim's PC into a proxy server for relaying attacks.
• It uses the victim's PC for spamming and blasting email messages.
• It uses the victim's PC as part of a botnet in order to perform DDoS attacks.
Types of Trojans
The following are the types of Trojans:
• VNC Trojan
• HTTP/HTTPS Trojan
• ICMP Trojan
• Command Shell Trojan
• Data Hiding Trojan
• Document Trojan
• Covert Channel Trojan
• Botnet Trojan
• Proxy Server Trojan
• Remote Access Trojan
• Email Trojan
• FTP Trojan
• GUI Trojan
• SPAM Trojan
• Credit Card Trojan
• Defacement Trojan
• E-banking Trojan
• Notification Trojan
• Mobile Trojan
• MAC OS X Trojan
The following are some important types of Trojans:
1. Command Shell Trojan: It provides remote control of a command shell on a victim's
machine. The Trojan server is installed on the victim's machine and opens a port for the
attacker to connect to. The client is installed on the attacker's machine and is used to
launch a command shell on the victim's machine. Netcat is a Command Shell Trojan.
2. Email Trojan: Attackers send email messages to gain remote control of a victim's
computer. Attackers can then send commands via email to retrieve files or folders. In
order to hide their identity, attackers use an open-relay SMTP server and fake the email's
FROM field. RemoteByMail is an example of an email Trojan.
3. Botnet Trojan: It creates a network of bots that is controlled via a Command and
Control center by infecting a large number of computers across a large geographical area.
A botnet is used for launching various attacks on a victim, including denial of service
attacks, spamming, click fraud, and the theft of financial information. Illusion Bot and
NetBot Attacker are examples of botnet Trojans.
4. VNC Trojan: It starts a VNC server on the infected system. The attacker uses any VNC
viewer with the password "secret" to connect to the victim. Anti-virus will never detect
this Trojan, as the VNC program is considered a utility. WinVNC and VNC Stealer are
examples of VNC Trojans.
5. HTTP/HTTPS Trojan: It can bypass any firewall and operates in the opposite manner to
a straight HTTP tunnel. It is executed on the internal host and spawns a child process at a
predetermined time. The child is permitted to access the Internet because it appears to the
firewall to be a user. HTTP RAT is an example of an HTTP Trojan.
6. Covert Channel Trojan: It presents various exploitation techniques. It generates
arbitrary data transfer channels inside the data streams that are authorized by a network
access control system. It allows attackers to get an external server shell from within the
internal network and vice versa. It sets up a TCP/UDP/HTTP CONNECT | POST channel
permitting TCP data streams (SSH, SMTP, POP, etc.) between an external server and a
box within the internal network.
7. E-banking Trojan: It captures a victim's account information before it is encrypted and
forwards it to the attacker's Trojan command and control center.
8. Notification Trojan: It forwards the victim's IP address to the attacker. The attacker
receives the notification whenever the victim's computer connects to the Internet.
9. Credit Card Trojan: It is used to steal the victim's credit card related data, such as the
card number, CVV2, and billing details. It tricks users into visiting fake e-banking websites
and entering personal information. It uses email, FTP, IRC, or other methods to transmit
the stolen data to remote hackers.
10. Encryption Trojan: It encrypts data files on the victim's system and renders the
information unusable.
11. Remote Access Trojan: It allows attackers to gain full control over computer systems.
Remote access Trojans are usually set up as client/server programs, so that an attacker
can connect to the infected system and control it remotely. DarkComet RAT and
Apocalypse are examples of Remote Access Trojans.
12. Data Sending Trojan: It is used to capture and redirect data. eBlaster is an example of
this type of Trojan. It can capture keystrokes, passwords, or any other type of information
and send them back to the attacker via email.
13. Document Trojan: Attackers embed a Trojan into a Word document, which infects the
victim's computer: when the victim opens the document and clicks on the Trojan package,
the Trojan is executed.
14. Destructive Trojan: It is used to destroy files or operating systems. This Trojan formats
all local and network drives, after which the user will not be able to boot the operating
system.
15. DoS Attack Trojan: It is designed to cause a DoS attack.
16. Proxy Trojan: It is designed to work as a proxy. These programs help a hacker hide
and perform activities from the victim's computer.
17. FTP Trojan: It is specifically designed to work on port 21. These Trojans allow a hacker
to upload, download, or move files on the victim's computer. TinyFTPD is an example of
an FTP Trojan.
18. GUI Trojan: It is a Trojan with a graphical user interface. MoSucker, Jumper, and Biodox
are GUI Trojans.
19. Security Software Disabler Trojan: It is designed to attack and kill antivirus or
software firewalls. The goal of disabling these programs is to make it easier for the
hacker to control the system.
Overt and covert channels
An overt channel is the normal and legitimate way in which programs communicate within a
computer system or network. Games or any legitimate programs are examples of an overt
channel. A covert channel is a mechanism used to send or receive information between two or
more machines without alerting any firewalls and IDSs on the network. The mechanism derives
its stealthy nature from sending traffic via ports that most firewalls will permit through. A Trojan
is the simplest form of covert channel. By using the covert channel, the Trojan can communicate
undetected, and the hacker can send commands to the client component undetected.
HTTP RAT
HTTP RAT is an HTTP Trojan. It has the following functions:
• It displays ads and records personal data/keystrokes.
• It downloads unsolicited files and disables programs/the system.
• It floods the Internet connection and distributes threats.
• It tracks browsing activities and hijacks the Internet browser.
• It makes fraudulent claims regarding spyware detection and removal.
Shttpd Trojan
Shttpd is a small HTTP server that can be embedded inside any program. It can be wrapped with a
genuine program (for example, a game such as chess.exe) and turns the computer into an invisible
web server when executed.
Banking Trojan analysis
The Trojan captures the valid Transaction Authentication Number (TAN) entered by a user and
replaces it with a random number that will be rejected by the bank. The intercepted TAN can
then be misused together with the user's login details.
On e-banking pages, a Trojan creates fake form fields. The additional fields harvest extra
information, such as a card number and date of birth, which attackers can use to impersonate
the victim and compromise the account.
A Trojan first analyses POST requests, and then the responses to the victim's browser. It
compromises scramble pad authentication: as the user enters the Customer Number and Personal
Access Code, the Trojan intercepts the scramble pad input.
PhoneSnoop
The PhoneSnoop Trojan remotely activates the microphone of a BlackBerry handheld and listens
to sounds near or around it. It can be used to spy on an individual. Take the following steps to
use PhoneSnoop:
• Install PhoneSnoop.
• Go to Options > Advanced options > Applications to select PhoneSnoop application
  permissions.
• Change the permissions for Input Simulation and Phone to Allow.
• Go to your Downloads or Home Screen, locate the PhoneSnoop icon, and start the
  application.
• Enter the phone number for which you want to trigger the remote listening and click
  Activate.
DNSChanger
The DNSChanger Trojan makes users download the program and run malicious code by using
social engineering techniques. It involves the following steps:
1. Users are prompted to download a new codec in order to watch videos.
2. The user then downloads the codec. This actually installs a fake codec.
3. The local machine's DNS settings are changed to the attacker's IP address.
4. A video is played so as not to raise suspicion after the fake codec is installed.
5. A notification is sent to the attacker regarding the victim's machine using an HTTP POST
message.
Qaz
Qaz is a backdoor Trojan that searches for Notepad.exe, renames it Note.com, and then copies
itself to the computer as Notepad.exe. After this, whenever Notepad.exe is executed, the QAZ
Trojan executes and calls the original Notepad to avoid being noticed. The payload of the Trojan
uses WinSock and awaits a connection on port 7597. Any attacker who finds this port open on the
victim's Trojaned computer can connect to it. Qaz also spreads itself to other shared drives on
local networks.
How to remove Qaz: Qaz can be removed manually by editing the registry using the following
steps:
1. Run regedit from Start Menu > Run, and go to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
2. Search for any registry value that contains the data startIE=XXXX\Notepad.exe. When
found, highlight the entry that loads the file, and press the Delete key.
3. Reboot the computer, search for the file Note.com, and rename it Notepad.exe.
What do Trojan creators look for?
Trojan creators look for the following:
• Credit card information
• Account data, such as email addresses, passwords, user names, etc.
• Confidential documents
• Financial data, such as bank account numbers, social security numbers, insurance
  information, etc.
• Calendar information that concerns the whereabouts of a victim
• Using the victim's computer for illegal uses (hacking, scanning, flooding, or infiltrating
  other machines on the network or Internet)
Indications of a Trojan attack
The following are the indications of a Trojan attack:
• The CD-ROM drawer opens and closes by itself.
• The browser is redirected to unknown pages.
• Anti-virus is disabled or works improperly.
• The taskbar disappears.
• Strange chat boxes appear on the victim's computer.
• Windows color settings change.
• The Windows Start button disappears.
• Account passwords change, or there is unauthorized access.
• The computer screen flips upside down or is inverted.
• The screensaver's settings change automatically.
• The ISP complains to the victim that his/her computer is IP scanning.
• Strange purchase statements appear in the credit card bills.
• Wallpaper or background settings change.
• The functions of the right and left mouse buttons are reversed.
• People know too much personal information about the victim.
• The computer monitor turns itself off and on.
• The printer prints documents or messages by itself.
• The mouse pointer disappears or moves by itself.
• The computer shuts down and powers off by itself.
• Ctrl+Alt+Del stops working.
Infect systems using a Trojan
Take the following steps to infect systems using a Trojan:
1. Use a Trojan Horse Construction Kit to create a new Trojan.
2. Create a dropper. The dropper is the part of a trojanized package that installs the malicious
code on the target system.
3. Use tools to install the Trojan on the victim's computer in order to create a wrapper.
4. Propagate the Trojan.
5. Execute the dropper.
6. Execute the damage routine.
Trojan vectors
A Trojan may infect any system through Trojan vectors. The most common Trojan vectors are as
follows:
• Email attachments
• Social engineering
• NetBIOS remote installation
• Physical access
• Fake executables
• Spyware and adware
• IRC and IM chats
• Flash applets
• ActiveX controls, VBScript, and JavaScript
Different ways a Trojan can get into a system
A Trojan can get into a system in the following different ways:
• Instant Messenger applications
• IRC (Internet Relay Chat)
• Attachments
• Physical access
• Browser and email software bugs
• NetBIOS (file sharing)
• Untrusted sites and freeware software
• Downloaded files, games, and screensavers from Internet sites
• Fake programs
• Legitimate "shrink-wrapped" software packaged by a disgruntled employee
Detecting a Back Orifice Trojan
Whether or not a Back Orifice Trojan has been installed on the victim's computer can be
determined in the following ways:
• By entering the netstat command in the Command Prompt. If the following result is
  displayed, there may be a Back Orifice Trojan on the computer:
  C:\WINDOWS>netstat -an | find "UDP"
  UDP    IP_Address:31337    *:*
• By inspecting the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  If there is any file that may not have been intentionally installed and the length of this
  file is approximately 124,928 bytes, it most probably is a Back Orifice Trojan. (By default,
  there is a 'default' key in the 'Name' field having ".exe" value in the corresponding 'Data'
  field.)
Deploy a Trojan
Take the following steps to deploy a Trojan:
1. Attackers send an email to a victim. The email contains a link to the Trojan server.
2. The victim immediately connects to the Trojan server by clicking the link.
Countermeasures of a Trojan
The following are the countermeasures of a Trojan:
• Downloading and executing applications from untrusted sources should be avoided.
• Opening email attachments received from unknown senders should be avoided.
• Patches and security updates should be installed for the operating systems and
  applications.
• CDs and floppy disks should be scanned with antivirus software.
• Accepting programs transferred by instant messaging should be avoided.
• All unnecessary ports at the host and firewall should be blocked.
• Weak, default configuration settings should be hardened.
• Unused functionality, including protocols and services, should be disabled.
• Commands should not be typed blindly, and pre-fabricated programs or scripts should
  not be run.
• The internal network traffic should be monitored for odd ports or encrypted traffic.
• Local workstation file integrity should be managed via checksums, auditing, and port
  scanning.
• Local versions of anti-virus, firewall, and intrusion detection software should be run on
  the desktop.
• Permissions should be restricted within the desktop environment so that the installation
  of malicious applications can be prevented.
Educate users about Trojans
Network administrators should educate users about Trojans and backdoors, so that they do
not install applications downloaded from the Internet or open email attachments from parties
they do not know. Another possible solution is to apply the least privilege rule: many system
administrators do not give users the system permissions needed to install programs on
their systems. Proper use of Internet technologies should be included in regular employee
security awareness training.
Countermeasures of backdoor
The following are countermeasures of backdoor:
• Before backdoor programs cause any damage, they should be automatically scanned and
  detected by most commercial anti-virus products.
• Users should be educated not to install applications downloaded from untrusted Internet
  sites or email attachments.
• Backdoors should be detected and eliminated using anti-virus tools, such as Windows
  Defender, McAfee, and Norton.
6.2 Identify the ports used by a Trojan
Exam Focus: Identify the ports used by a Trojan. Objective includes:
• Common ports used by Trojans
Common ports used by Trojans
The following ports are used by Trojans:
Port                Name
1 (UDP)             Sockets des Troie
2                   Death
20                  Senna Spy FTP server
22                  Shaft
30                  Agent 40421
50                  DRAT
58                  DMSetup
99                  Hidden Port, NCX
110                 ProMail Trojan
119                 Happy99
133                 Farnaz
421                 TCP Wrappers Trojan
455-456             Fatal Connections / Hackers Paradise
667                 SniperNet
669                 DP Trojan
692                 GayOL
1010-12, 1015-16    Doly Trojan
1050                MiniCommand
1080-81             WinHole
1095, 1097-98       Rat
1255                Scarab
1807                SpySender
2115                Bugs
2155                Illusion Mailer Nirvana
2330-2338           Contact
Fport
Fport is a tool that is used to identify unknown open ports and their associated applications. It
reports all open TCP/IP ports and maps them to the owning application. It not only shows
the open ports and their status but also maps them to the running processes with their PID,
process name, and path. Fport supports the following five switches:
Switch    Description
/?        Shows help.
/a        Sorts the result by application.
/p        Sorts the result by port.
/i        Sorts the result by PID.
/ap       Sorts the result by the application's path.
6.3 Identify listening ports using netstat
Exam Focus: Identify listening ports using netstat. Objective includes:
• NETSTAT command
• Listening open ports using NETSTAT
NETSTAT command
The NETSTAT command is used to display protocol-related statistics and the state of current
TCP/IP connections. It is used to get information regarding the open connections on a computer,
incoming and outgoing data, and the ports of remote computers to which the computer is
connected. The netstat command reads the kernel routing tables in memory to get all this
networking information. The following parameters are used with the NETSTAT command:
• -a: Displays all active connections and the TCP and UDP ports on which the computer is
  listening.
• -b: Displays the name of the binary program involved in creating each connection or
  listening port.
• -e: Displays Ethernet statistics, such as the number of bytes and packets sent and
  received. This parameter can be combined with -s.
• -f: Displays fully qualified domain names (FQDNs) for foreign addresses.
• -g: Displays multicast group membership information for both IPv4 and IPv6.
• -i: Displays network interfaces and their statistics.
• -n: Displays active TCP connections; however, addresses and port numbers are
  expressed numerically and no attempt is made to determine names.
• -m: Displays the STREAMS statistics.
• -o: Displays active TCP connections and includes the process ID (PID) for each
  connection. This parameter can be combined with -a, -n, and -p.
• -p Protocol (Windows and BSD): Shows connections for the protocol specified by
  Protocol. If this parameter is used with -s to display statistics by protocol, Protocol can be
  tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.
• -p (Linux): Shows which processes are using which sockets (similar to -b under
  Windows); you must be root to do this.
• -P Protocol (Solaris): Shows connections for the protocol specified by Protocol.
• -r: Displays the contents of the IP routing table.
• -s: Displays statistics by protocol. By default, statistics are shown for the TCP, UDP,
  ICMP, and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are
  shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p
  parameter can be used to specify a set of protocols.
• -t (Linux): Displays only TCP connections.
• -v: When used in conjunction with -b, displays the sequence of components involved in
  creating the connection or listening port for all executables.
Listening open ports using NETSTAT
The NETSTAT command is used to show the ports that are open or in use. Open Command
Prompt and type:
C:\WINDOWS>netstat -an |find /i "listening"
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1084           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2094           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
A network administrator can redirect the list to a text file, if he wants to, by adding
>c:\openports.txt to the command:
netstat -an |find /i "listening" > c:\openports.txt
A network administrator can also change "listening" to "established" to see which ports his
computer actually communicates over. Open the Command Prompt and type:
C:\WINDOWS>netstat -an |find /i "established"
  TCP    192.168.0.100:1084     192.168.0.200:1026     ESTABLISHED
  TCP    192.168.0.100:2094     192.168.0.200:1166     ESTABLISHED
  TCP    192.168.0.100:2305     209.211.250.3:80       ESTABLISHED
  TCP    192.168.0.100:2316     212.179.112.230:80     ESTABLISHED
  TCP    192.168.0.100:2340     209.211.250.3:110      ESTABLISHED
A network administrator can add -o (netstat -ao) to get the owning process ID associated
with each connection:
C:\WINDOWS>netstat -ao |find /i "listening"
  TCP    pro1:epmap             pro1.dpetri.net:0      LISTENING       860
  TCP    pro1:microsoft-ds      pro1.dpetri.net:0      LISTENING       4
  TCP    pro1:1025              pro1.dpetri.net:0      LISTENING       908
  TCP    pro1:1084              pro1.dpetri.net:0      LISTENING       596
  TCP    pro1:2094              pro1.dpetri.net:0      LISTENING       596
  TCP    pro1:3389              pro1.dpetri.net:0      LISTENING       908
  TCP    pro1:5000              pro1.dpetri.net:0      LISTENING       1068
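The manual checks in sections 6.2 and 6.3 (list the listening ports with netstat, compare them against the Trojan port table, and look for the Back Orifice listener on UDP 31337 from section 6.1) can be automated. The Python script below is an added example written for this guide; it is not code from netstat, Fport or any other tool named on the page. It parses the text of netstat -an / netstat -ano output (the sample is constructed from the listings above, with a TCP 1807 row and a UDP 31337 row planted so that something is found), expands the table's abbreviated ranges such as "1010-12", and reports every listening socket whose port is in the table.

```python
"""Cross-check Windows netstat output against the Trojan port table.

Added example for this study guide; it is not code from netstat, Fport or any
other tool named on the page.  The port table is the one given in section 6.2
plus the Back Orifice check (UDP 31337) from section 6.1.  SAMPLE_NETSTAT is
constructed from the netstat output shown above, with two planted rows."""

import re
from typing import Dict, List, Optional, Set, Tuple

# Port specs exactly as the guide writes them: single ports, ranges with an
# abbreviated upper bound ("1010-12" means 1010-1012) and comma-separated groups.
TROJAN_PORT_TABLE: Dict[str, str] = {
    "1 (UDP)": "Sockets des Troie", "2": "Death", "20": "Senna Spy FTP server",
    "22": "Shaft", "30": "Agent 40421", "50": "DRAT", "58": "DMSetup",
    "99": "Hidden Port, NCX", "110": "ProMail Trojan", "119": "Happy99",
    "133": "Farnaz", "421": "TCP Wrappers Trojan",
    "455-456": "Fatal Connections / Hackers Paradise", "667": "SniperNet",
    "669": "DP Trojan", "692": "GayOL", "1010-12, 1015-16": "Doly Trojan",
    "1050": "MiniCommand", "1080-81": "WinHole", "1095, 1097-98": "Rat",
    "1255": "Scarab", "1807": "SpySender", "2115": "Bugs",
    "2155": "Illusion Mailer Nirvana", "2330 - 2338": "Contact",
    "31337 (UDP)": "Back Orifice",   # from the section 6.1 netstat check
}


def expand_ports(spec: str) -> Set[int]:
    """'1010-12, 1015-16' -> {1010, 1011, 1012, 1015, 1016}."""
    ports: Set[int] = set()
    for part in re.sub(r"\(.*?\)", "", spec).split(","):   # drop "(UDP)" notes
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_s, hi_s = (p.strip() for p in part.split("-", 1))
            if len(hi_s) < len(lo_s):                       # "1010-12": keep the "10" prefix
                hi_s = lo_s[: len(lo_s) - len(hi_s)] + hi_s
            ports.update(range(int(lo_s), int(hi_s) + 1))
        else:
            ports.add(int(part))
    return ports


def build_lookup(table: Dict[str, str]) -> Dict[Tuple[str, int], str]:
    """(protocol, port) -> Trojan name; entries without a protocol note match both."""
    lookup: Dict[Tuple[str, int], str] = {}
    for spec, name in table.items():
        protos = ("UDP",) if "(UDP)" in spec else ("TCP", "UDP")
        for port in expand_ports(spec):
            for proto in protos:
                lookup[(proto, port)] = name
    return lookup


def parse_netstat(text: str) -> List[dict]:
    """Parse rows of 'netstat -an' / 'netstat -ano' output; skip headers and prompts."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue
        proto, local, foreign = fields[0].upper(), fields[1], fields[2]
        rest = fields[3:]
        state = rest[0] if rest and not rest[0].isdigit() else ""   # UDP rows have no state
        pid = int(rest[-1]) if rest and rest[-1].isdigit() else None
        port_s = local.rsplit(":", 1)[1]                # also works for [::]:135
        port: Optional[int] = int(port_s) if port_s.isdigit() else None   # names appear without -n
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "port": port, "state": state, "pid": pid})
    return rows


def find_suspicious_ports(netstat_text: str, table: Dict[str, str] = TROJAN_PORT_TABLE) -> List[dict]:
    """Return listening sockets (TCP LISTENING or any UDP) whose port is in the table."""
    lookup = build_lookup(table)
    hits = []
    for row in parse_netstat(netstat_text):
        if row["port"] is None or (row["proto"] == "TCP" and row["state"] != "LISTENING"):
            continue
        name = lookup.get((row["proto"], row["port"]))
        if name:
            hits.append({**row, "trojan": name})
    return hits


# Constructed sample: the page's output plus two planted rows (TCP 1807, UDP 31337).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       860
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:1807           0.0.0.0:0              LISTENING       2212
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       908
  TCP    192.168.0.100:2305     209.211.250.3:80       ESTABLISHED     1068
  UDP    0.0.0.0:31337          *:*                                    2212
"""

if __name__ == "__main__":
    for hit in find_suspicious_ports(SAMPLE_NETSTAT):
        print(f"{hit['proto']} {hit['local']} pid={hit['pid']} -> {hit['trojan']}")
```

A hit is a lead, not a verdict: several table ports (22, 110, 119) are also SSH, POP3 and NNTP, so each hit should be resolved to its owning process with the PID column from netstat -o, or with Fport, before anything is removed.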
6.4 Understand "wrapping", reverse shell Trojan, and ICMP tunneling
Exam Focus: Understand "wrapping", reverse shell Trojan, and ICMP tunneling. Objective
includes:
• Understand "wrapping".
• Understand Reverse Shell Trojan.
• Understand ICMP tunneling.
Wrapper
A wrapper is a program that is used to combine a harmful executable file with a harmless
executable file. For example, if an attacker wants to send a Trojan to a victim, the attacker uses
a wrapper to combine the harmful executable file (the Trojan) with a harmless executable file,
such as a game or any other software. The resulting single file contains both the harmful and
the harmless files, and the attacker sends this infected file to the victim. Saran Wrap, Exe2vbs,
and TOVB4 are some good examples of wrapper tools. The process of wrapping is shown below:
[Figure: the wrapping process]
Kriptomatik and Advance File Joiner are covert wrapper programs.
Reverse Shell Trojan
A reverse shell Trojan is a malicious tool that is used to access a machine on the internal network
from outside. A simple Trojan program, such as the reverse WWW shell server, can be installed
by the hacker on a system on the internal network.
The internal server tries to access the external master system to pick up commands on a regular
basis (usually every 60 seconds). If the attacker has typed a command into the master system, it
is retrieved and executed on the victim's internal system. The reverse WWW shell server uses
standard HTTP. Since the HTTP protocol is assumed to be clean, a reverse shell Trojan becomes
hard to detect.
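The one property that distinguishes the reverse WWW shell from ordinary browsing is its clockwork polling: the same client contacts the same host at a nearly fixed interval. The script below is an added example for this guide, not code from the original text or from any tool it names; it reads a constructed proxy log (format "<ISO time> <client> <method> <host>", invented for the example) and flags client/host pairs whose inter-arrival times are nearly constant.

```python
"""Spot fixed-interval beaconing of the kind a reverse WWW shell produces.

Added example for this study guide, not code from the original text or from
any tool it names.  The log format ("<ISO time> <client> <method> <host>") and
the lines in SAMPLE_LOG are constructed for the example; the 60-second polling
interval is the one the text gives for the reverse WWW shell."""

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed log: one host polled every ~60 s, plus irregular normal browsing.
SAMPLE_LOG = """\
2024-05-01T09:00:00 192.168.0.100 GET updates.example-master.test
2024-05-01T09:00:03 192.168.0.100 GET www.example.com
2024-05-01T09:00:21 192.168.0.100 GET www.example.com
2024-05-01T09:01:00 192.168.0.100 GET updates.example-master.test
2024-05-01T09:02:00 192.168.0.100 GET updates.example-master.test
2024-05-01T09:02:09 192.168.0.100 GET cdn.example.net
2024-05-01T09:03:00 192.168.0.100 GET updates.example-master.test
2024-05-01T09:03:30 192.168.0.100 GET www.example.com
2024-05-01T09:04:01 192.168.0.100 GET updates.example-master.test
2024-05-01T09:05:00 192.168.0.100 GET updates.example-master.test
2024-05-01T09:05:10 192.168.0.100 GET www.example.com
2024-05-01T09:06:00 192.168.0.100 GET updates.example-master.test
"""

Event = Tuple[datetime, str, str]   # (timestamp, client, host)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into (timestamp, client, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host = line.split()
        events.append((datetime.fromisoformat(ts), client, host))
    return events


def beacon_candidates(events: List[Event], min_hits: int = 5, max_cv: float = 0.1) -> List[dict]:
    """Group by (client, host); flag pairs with >= min_hits contacts whose
    inter-arrival times are nearly constant (coefficient of variation <= max_cv)."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)
    found = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")   # spread relative to the mean
        if cv <= max_cv:
            found.append({"client": client, "host": host, "hits": len(stamps),
                          "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return found


if __name__ == "__main__":
    for c in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{c['client']} -> {c['host']}: {c['hits']} hits every ~{c['interval_s']}s (cv={c['cv']})")
```

The thresholds (min_hits and max_cv) are assumptions to tune per environment: a Trojan that adds random jitter to its polling interval widens the coefficient of variation, so a looser max_cv traded against more false positives from legitimate pollers (software updaters, mail clients) is the usual compromise.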
ICMP tunneling
In ICMP tunneling, an attacker establishes a covert connection between two remote computers (a
client and a proxy), using ICMP echo request and reply packets. ICMP tunneling works by
injecting arbitrary data into an echo packet sent to a remote computer. The remote computer
replies in the same manner, injecting an answer into another ICMP packet and sending it back.
The client performs all communication using ICMP echo request packets, while the proxy uses
echo reply packets. The traffic therefore looks like ordinary ICMP echo (ping) exchanges, but the
packets actually carry the Trojan's communications.
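Because the tunnel has to carry its data in the echo payload, the payload is where a defender looks: an ordinary ping carries a small, fixed, low-entropy pattern, whereas tunnelled data is larger and closer to random. The script below is an added example for this guide, not code from the original text or from any tool it names. It builds ICMP echo packets in memory only (nothing is sent), parses them, verifies the RFC 1071 checksum, and flags payloads that exceed an assumed size or entropy threshold; the Windows ping payload constant is the well-known 32-byte pattern, and both sample payloads are constructed.

```python
"""Flag ICMP echo packets whose payload does not look like an ordinary ping.

Added example for this study guide; it is not code from the original text or
any tool it names.  Packets are built in memory only (no sockets), so the
script runs offline.  The thresholds and the two sample payloads are constructed."""

import math
import struct
from collections import Counter

# Fixed 32-byte text that Windows ping sends (assumed-benign pattern).  Other
# ping utilities use their own small patterns, which stay under the thresholds below.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, request: bool = True) -> bytes:
    """Build an ICMP echo request (type 8) or reply (type 0) with a valid checksum."""
    icmp_type = 8 if request else 0
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for empty data, up to 8 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_echo(packet: bytes, max_payload: int = 64, max_entropy: float = 6.5) -> dict:
    """Parse one ICMP packet and report why (if at all) it looks like a tunnel."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    reasons = []
    if icmp_checksum(packet) != 0:        # a valid packet sums to zero with its checksum included
        reasons.append("bad checksum")
    if icmp_type in (0, 8) and payload != WINDOWS_PING_PAYLOAD:
        if len(payload) > max_payload:
            reasons.append(f"payload {len(payload)} bytes > {max_payload}")
        ent = shannon_entropy(payload)
        if ent > max_entropy:
            reasons.append(f"payload entropy {ent:.2f} bits/byte > {max_entropy}")
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload_len": len(payload), "entropy": round(shannon_entropy(payload), 2),
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: a normal Windows ping and a 200-byte high-entropy payload
# standing in for tunnelled data (a byte permutation, so the result is deterministic).
NORMAL_ECHO = build_echo(0x1234, 1, WINDOWS_PING_PAYLOAD)
TUNNEL_ECHO = build_echo(0x1234, 2, bytes((i * 73 + 41) % 256 for i in range(200)))

if __name__ == "__main__":
    for pkt in (NORMAL_ECHO, TUNNEL_ECHO):
        print(assess_echo(pkt))
```

On a real sensor the same two functions would be applied to the ICMP portion of captured packets; the size and entropy thresholds are starting points, and a tunnel that sends small text fragments will only show up through the volume and regularity of echo traffic rather than through any single packet.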
6.5 Understand Windows start up monitoring tools, and the Trojan horse constructing kit
Exam Focus: Understand Windows start up monitoring tools, and the Trojan horse constructing
kit. Objective includes:
• Learn Windows start up monitoring tools.
• Understand the Trojan horse constructing kit.
Start up monitoring tools
There are various start up monitoring tools that are used to monitor the programs running at start
up. One of the most used start up monitoring tools is Windows File Protection (WFP). It prevents
the replacement of protected system files and checks the file integrity when any Trojan tries to
overwrite a SYS, DLL, OCX, TTF, or EXE file. This tool ensures that only Microsoft-verified
files are used to replace system files.
Another tool, sigverif, checks to see what files Microsoft has digitally signed on a system. A
system administrator can also use the System File Checker or sfc /scannow.
Trojan horse constructing kit
Trojan horse constructing kits are tools that enable hackers to create their own Trojans. These
toolkits help hackers create customized Trojans. These tools can be dangerous and can backfire
if not executed properly. The newly created Trojans cannot be detected by anti-virus or
Trojan-scanning tools because they don't match any known signatures.
Some of the Trojan kits available in the wild are Senna Spy Generator, the Trojan Horse
Construction Kit v2.0, Progenic Mail Trojan Construction Kit, and Pandora's Box.
6.6 Learn Trojan detection and evading techniques
Exam Focus: Learn Trojan detection and evading techniques. Objective includes:
• Trojan detection.
• Pen testing for Trojans and backdoors.
Steps for Trojan detection
A network administrator can take the following steps to detect Trojans:
• Scan for suspicious open ports
• Scan for suspicious running processes
• Scan for suspicious registry entries
• Scan for suspicious device drivers
• Scan for suspicious Windows services
• Scan for suspicious startup programs
• Scan for suspicious files and folders
• Scan for suspicious network activities
• Scan for suspicious modifications to OS files
• Run a Trojan scanner
Scanning for suspicious ports
One of the most important ways to detect a Trojan is to scan for unexpected open ports on the
victim's machine, which Trojans use to connect back to their handlers. There are many tools
that scan ports and processes, such as the following:
• IceSword: It is a process monitoring tool that displays hidden processes and resources
  that Windows Explorer would never show. It can be used to check what processes are
  running.
• CurrPorts: It is network monitoring software that displays the list of all currently open
  TCP/IP and UDP ports. The CurrPorts tool shows information about the process that
  opened the port, including the process name, the full path of the process, version
  information of the process (product name, file description, and so on), the time that the
  process was created, and the user that created it.
• TCPView: It is a port monitoring tool that shows detailed listings of all TCP and UDP
  endpoints on the system. It includes information about the local and remote addresses
  and the state of TCP connections. On newer versions of Windows, TCPView also reports
  the name of the process that owns the endpoint.
Scanning of the suspicious processes
Trojans mask themselves as genuine Windows services or hide their processes in order to avoid
detection. Trojans can hide their processes by using a rootkit. To spawn a non-visible
iexplore.exe or firefox.exe process, Trojans inject code into other Windows processes such as
explorer.exe. Hidden Trojans and backdoors can be detected using process monitoring tools. A
Trojan can infect Windows processes, so it is important to scan all suspicious processes at
startup. For this, a network administrator can use the following tools:
What's Running: What's Running is a process monitoring tool that gives an inside look into
your Windows 2000/XP/2003 system. It inspects all processes and finds all the relevant details,
such as performance and resource usage data. It also gives information about the DLLs loaded,
the services running within the process, and the IP connections each process has. It also
manages all the startup programs.
Other tools: There are a few other tools to monitor processes, such as PrcView, HijackThis,
Winsonar, HiddenFinder, Autoruns, KillProcess, Security Task Manager, and Yet Another
(remote) Process Monitor.
Scanning of the suspicious registry entries
A Trojan infection can be indicated by scanning registry values for suspicious entries.
Windows automatically executes instructions in the Run, RunServices, RunOnce, RunServicesOnce,
and HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %* sections of the registry.
Trojans insert instructions in these sections of the registry so that they may perform
malicious activities at startup or whenever an executable is launched.
The tools that can be used for registry monitoring are Registry Fix, SysAnalyzer, Registry
Shower, Tiny Watcher, All-Seeing Eyes, Regshot, Active Registry Monitor, etc.
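A simple way to review the autostart keys without a third-party tool is to export them with reg export and audit the text. The script below is an added example for this guide; it is not code from the original text or from any registry tool it names. It parses a constructed .reg export (a real export is UTF-16 and would be read with encoding='utf-16') and flags Run/RunOnce/RunServices values by three assumed heuristics: the Qaz indicator from section 6.1 (the startIE marker, taken here as the value name), a command that launches a utility not normally autostarted (notepad.exe, cmd.exe, wscript.exe, cscript.exe, mshta.exe), and an executable under a user-writable location such as AppData or Temp.

```python
"""Audit autostart registry values from an exported .reg file.

Added example for this study guide; it is not code from the original text or
from any registry tool it names.  SAMPLE_REG is a constructed export; the
heuristics (AUTOSTART_KEYS, ODD_AUTOSTART_EXES, USER_WRITABLE_MARKERS and the
'startIE' Qaz marker) are assumptions chosen for this example."""

import re
from typing import Dict, List

AUTOSTART_KEYS = {"run", "runonce", "runservices", "runservicesonce"}
ODD_AUTOSTART_EXES = {"notepad.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\users\\public\\", "\\downloads\\")

# Constructed export of HKLM ...\CurrentVersion\Run and ...\RunServices.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"startIE"="C:\\WINDOWS\\Notepad.exe"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe\" /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"NetworkSvc"="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"
'''

VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash before a quote or backslash is dropped."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text: str) -> List[Dict[str, str]]:
    """Return {'key', 'name', 'data'} for every named string value in the export.
    Default values (@=...) and binary/hex values are not needed here and are skipped."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if key and m:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):      # REG_SZ
                data = unescape(data[1:-1])
                entries.append({"key": key, "name": unescape(m.group("name")), "data": data})
    return entries


def executable_name(command: str) -> str:
    """First token of a command line (quoted or not), reduced to its lower-case file name."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    first = (m.group(1) or m.group(2)) if m else command
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_run_entries(reg_text: str) -> List[Dict[str, object]]:
    """Apply the heuristics to every value under an autostart key."""
    findings = []
    for e in parse_reg_export(reg_text):
        if e["key"].rsplit("\\", 1)[-1].lower() not in AUTOSTART_KEYS:
            continue
        exe = executable_name(e["data"])
        reasons = []
        if e["name"].lower() == "startie":
            reasons.append("value name matches the Qaz marker 'startIE'")
        if exe in ODD_AUTOSTART_EXES:
            reasons.append(f"{exe} is not a normal autostart program")
        if any(marker in e["data"].lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("executable lives under a user-writable location")
        if reasons:
            findings.append({**e, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_entries(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} -> {f['data']}: {'; '.join(f['reasons'])}")
```

The same parser can be pointed at an export of the per-user keys under HKEY_CURRENT_USER and at a baseline export taken when the machine was known clean, so that the review reduces to the values that changed.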
Scanning of the suspicious device drivers
Trojans can be installed along with device drivers if the drivers are installed from an untrusted
source. These drivers are then used as a shield to avoid detection. Suspicious device drivers
should be scanned and verified to be genuine and downloaded from the publisher's original site.
There are various device driver tools, such as DriverView, Driver Detective, Driver Magician,
Driver Reviver, DriverGuide toolkit, DriverMax, DriverScanner, Double Driver, etc.
Scanning of the suspicious files and folders
Trojans normally modify the system's files and folders. You can use the following tools to detect
system changes:
• FCIV (File Checksum Integrity Verifier): It is a tool that computes and verifies
  cryptographic hash values of files. It computes MD5 or SHA-1 hash values.
• Tripwire: It is a tool that automatically calculates the cryptographic hashes of all system
  files and any other file that a network administrator requires to be monitored for
  modifications. To see whether the files have been modified or not, Tripwire periodically
  scans all monitored files and recalculates the hashes. If changes are detected, Tripwire
  raises an alarm.
• System Integrity Verifiers (SIV): They detect Trojan versions of system binaries by
  monitoring system files. Tripwire is an example of an SIV. System Integrity Verifiers are
  used for the following purposes:
  o Monitoring and detecting changes made by an attacker in crucial system files
  o Issuing alerts corresponding to the changes in the crucial system files
  o Detecting changes to components such as the Windows registry and the cron
    configuration
  o Monitoring unauthorized root/administrator level access
There are various file and folder integrity checkers, such as FastSum, WinMD5, MD5
Checksum Verifier, Fsum Frontend, Advanced CheckSum Verifier (ACSV), Verisys, SysInspect,
AFICK (Another File Integrity Checker), Sentinel, and Xintegrity Professional.
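What FCIV, Tripwire and the other integrity checkers above have in common is a baseline of file hashes that is later recomputed and diffed. The script below is an added example for this guide, not code from FCIV, Tripwire or any other tool on the page; it snapshots SHA-256 digests of every file under a directory, stores them as JSON, and reports added, removed and modified files. Its demo() runs in a temporary directory it creates itself and replays the Qaz swap from section 6.1 (the original Notepad.exe renamed to Note.com and replaced) with constructed stand-in files.

```python
"""Baseline-and-compare file integrity check in the spirit of FCIV and Tripwire.

Added example for this study guide; it is not code from FCIV, Tripwire or any
other tool named on the page.  It hashes every file under a directory with
SHA-256, stores the result as a JSON baseline, and later reports files that
were added, removed or modified.  demo() exercises it in a temporary directory
it creates itself, simulating the Qaz-style swap described in section 6.1."""

import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(snap: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a baseline, tamper with the tree the way a Trojan would, and diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        system = Path(tmp) / "system32"                # stand-in for a monitored folder
        system.mkdir()
        (system / "notepad.exe").write_bytes(b"constructed stand-in for the real notepad")
        (system / "calc.exe").write_bytes(b"constructed stand-in for calc")
        baseline_file = Path(tmp) / "baseline.json"    # kept outside the monitored tree
        save_baseline(snapshot(system), baseline_file)

        # Simulated Qaz infection: the original is renamed to Note.com and the
        # Trojan takes the name Notepad.exe; calc.exe is deleted to show a removal.
        (system / "notepad.exe").rename(system / "note.com")
        (system / "notepad.exe").write_bytes(b"constructed stand-in for the Trojan")
        (system / "calc.exe").unlink()

        return compare(load_baseline(baseline_file), snapshot(system))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is only as trustworthy as its storage: it must be written when the system is known clean and kept where a Trojan with write access to the monitored tree cannot re-baseline it (read-only media or a separate host), and the comparison should be run from a trusted copy of the checker rather than from the possibly infected system's own binaries.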
Scanning for suspicious Windows Services
Trojans generate Windows services that permit attackers to remotely control the victim machine
and pass malicious instructions. To avoid detection, Trojans rename their processes to appear
like a genuine Windows service. Trojans use rootkit techniques in order to manipulate the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry keys to hide their
processes. There are various Windows services monitoring tools, such as SrvMan, Smart Utility,
ServiWin, Netwrix Service Monitor, Windows Service Manager Tray, Service Manager Plus,
AnVir Task Manager, Vista Services Optimizer, and Process Hacker.
Scanning for suspicious start up programs
The following actions should be taken to scan for suspicious start up programs:
• Check the startup folders at the following locations:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\(User-name)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
• To check which Windows services are started automatically, perform the following steps:
Go to Run > Type services.msc > Sort by Startup Type
• Check start up program entries in the registry.
• Check for device drivers that are installed automatically in the following folder:
C:\Windows\System32\drivers
There are various start up programs monitoring tools, such as Starter, Security AutoRun,
Absolute Startup manager, Startup Inspector, ActiveStartup, Autoruns, StartEd Lite, Manage PC
Startup, Startup Tracker, and Program Starter.
Scanning for suspicious network activities
Trojans connect to handlers and forward confidential information to attackers. Network traffic
going to malicious network addresses should be monitored by using network scanners and packet
sniffers. Tools such as Capsa are used to monitor network traffic and search for suspicious
activities sent over the web.
Emsisoft scanner
Emsisoft scanner provides protection against viruses, Trojans, spyware, adware, worms, bots,
keyloggers, and rootkits. It includes both antivirus and antimalware scanners. It also guards
against new infections through components such as a file guard, a behavior blocker, and surf protection.
Evade anti-virus techniques
The following actions should be taken to evade anti-virus techniques:
• The Trojan file should be broken into multiple pieces and zipped as a single file.
• Users should always write their own Trojan and embed it into an application.
• Trojans should never be downloaded from the web.
• The content of the Trojan should be changed using a hex editor. The checksum should
also be changed and the file should be encrypted.
• The Trojan's syntax should be changed in the following ways:
o Convert an EXE to VB script.
o Convert an EXE to a DOC file.
o Convert an EXE to a PPT file.
o Convert an EXE to a PDF file.
Anti-Trojan software
The following are Anti-Trojan software:
• TrojanHunter
• Emsisoft Anti-Malware
• Trojan Guarder
• Anti Hacker
• Anti-Trojan Shield (ATS)
• XopySpySE
• Spyware Doctor
• SPYWAREfighter
• Comodo BOClean
• Anti Trojan Elite
TrojanHunter
TrojanHunter is an Anti-Trojan software with file, memory, and registry scanning. Its high-speed
file scan engine can detect modified Trojans. It performs memory scanning to detect any
modified variant of a particular build of a Trojan.
Pen testing for Trojans and backdoors
Take the following steps for pen testing for Trojans and backdoors:
1. Scan the system for the following:
o Open ports
o Running processes
o Registry entries
o Device drivers
o Services
2. Check the associated executable files if any suspicious port, process, registry entry,
device driver, or service is discovered.
3. Collect more information regarding these from the publisher's websites if present, and the
Internet.
4. Verify if the open ports are known to be opened by Trojans in the wild.
5. Check the startup program and find if all the programs in the list can be recognized with
known functionalities.
6. Open several data files and compare hash value of these files with a pre-computed hash
in order to check the data files for modification or manipulation.
7. Check for suspicious network activities, such as upload of bulk files or unusually high
traffic going to a specific web address.
8. Check for critical OS modification or manipulation using tools such as Tripwire. If
you have a backup copy, manually compare hash values.
9. Run an updated Trojan scanner from a reputed vendor in order to identify Trojans in
the wild.
10. Document all your findings in previous steps. It is useful in determining the next action if
Trojans are present in the system.
11. Isolate infected systems from the network immediately in order to prevent further
infection.
12. Use an updated anti-virus to sanitize the complete system for Trojans.
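Steps 1, 2, 4 and 7 above start from the NETSTAT listing; the parser and triage below are an added example written for this page, not a tool the chapter names. The `netstat -ano` output is constructed, and the set of expected listening ports is something the tester supplies per host.

```python
import re
from ipaddress import ip_address, ip_network

# Added example, not from the page: triage of `netstat -ano` output for steps 1,
# 2 and 4 of the procedure above. The sample output below is constructed.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.10:49712     203.0.113.7:6667       ESTABLISHED     4120
  UDP    0.0.0.0:5355           *:*                                    1536
"""

# proto, local addr:port, foreign addr, optional state (UDP rows have none), PID
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_netstat(text):
    """Turn netstat -ano rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, laddr, lport, faddr, state, pid = m.groups()
            rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                         "faddr": faddr, "state": state or "", "pid": int(pid)})
    return rows

def is_internal(host):
    """True for RFC 1918 addresses; brackets around IPv6 literals are stripped."""
    try:
        ip = ip_address(host.strip("[]"))
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)

def triage(rows, expected_listeners):
    """Flag unexpected listeners, then established connections owned by the same PID."""
    findings, suspect = [], set()
    for r in rows:
        if r["state"] == "LISTENING" and r["lport"] not in expected_listeners:
            findings.append(f"unexpected listener {r['proto']}/{r['lport']} pid={r['pid']}")
            suspect.add(r["pid"])
    for r in rows:
        if r["state"] == "ESTABLISHED" and r["pid"] in suspect:
            host = r["faddr"].rsplit(":", 1)[0]
            scope = "internal" if is_internal(host) else "external"
            findings.append(f"pid={r['pid']} talks to {scope} host {r['faddr']}")
    return findings
```

Each flagged PID is the input to step 2: look up its executable (for example in Process Hacker or Task Manager) before deciding whether the port is legitimate.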
Chapter Summary
In this chapter, we learned about Trojans, the uses of a Trojan, types of Trojans, things looked
for by Trojan creators, countermeasures against Trojans, and Trojan detection and evasion
techniques. In this chapter, we discussed common ports used by Trojans and identified listening
open ports using NETSTAT. This chapter also focused on "wrapping", reverse shell Trojans,
ICMP tunneling, Windows start up monitoring tools, and the Trojan horse construction kit.
Glossary
Covert channel
A covert channel is a mechanism that is used to send or receive information between two or
more machines without alerting any firewalls or IDSs on the network.
EtherPeek
Packet sniffer/network traffic monitoring tool
Fpipe
Source port forwarder and redirector tool
ICMP tunneling
In ICMP tunneling, an attacker establishes a covert connection between two remote computers (a
client and proxy), using ICMP echo requests and reply packets.
Macof
Tool to flood the local network with random MAC addresses
NETSTAT
The NETSTAT command displays protocol-related statistics and the state of current TCP/IP
connections. It is used to get information about the open connections on a computer, incoming
and outgoing data, as well as the ports of remote computers to which the computer is connected.
Overt channel
An overt channel is the normal and legitimate way in which programs communicate within a
computer system or network.
QAZ
Backdoor Trojan
Reverse shell Trojan
Reverse shell Trojan is a malicious tool that is used to access a machine on the internal network
from outside.
Trojan
A Trojan is a program in which the malicious or harmful code is included inside apparently
harmless programming or data in such a manner that it can get control and cause damage.
urlsnarf
Web traffic monitoring tool
Wrapper
A wrapper is a program that is used to combine a harmful executable file with a harmless
executable file.
Zeus
Zeus is a banking Trojan horse program. It steals data from infected computers through web
browsers and protected storage.