abouttrojans.txt

Posted Aug 31, 2004
Authored by Klemster, indiasec | Site indiasec.com

White paper discussing Windows trojans. Written for newbie home PC users.

tags | trojan
systems | windows
SHA-256 | 33f7db9373b30ae302e7ee598301369005f836114516b5f2ed62e23b3a46a86a

All About Trojans
-----------------

By klemster (klemster@weed5.org)
http://www.weed5.org/

First Written On: 17th November, 2001. 9:48 PM
Last Modified On: 18th November, 2001. 1:27 PM

This article was originally written for another website, inactive
since about 2001.

====================================================================
Contents
--------

Introduction

01. What is a Trojan Horse?
02. What are the different types of trojans?
03. What does a RAT trojan do?
04. How does a RAT trojan work?
05. How do I get infected?
a. IRC
b. ICQ/Instant Messengers
c. E-Mail
d. Floppies/CDs
06. How do I know if I'm infected?
>> Port Scanners
07. Info On Some Trojans
08. How does the attacker get my IP Address?
09. How do I protect/disinfect myself?
a. Firewalls
b. Antivirus
10. Keyloggers
11. Password Retrievers
12. FTP Trojans
13. Binders
14. Why do people do all this?
>> Securing your documents (PGP)
15. Does this mean I shouldn't trust any friends?

Disclaimer

====================================================================
INTRODUCTION

This article explains trojans in brief and tells PC users how to
protect themselves from such attackers. Most of these attackers
have only a little more knowledge than the victim himself, i.e.
they know how to handle trojans.
The trojan legacy started in an ancient myth, according to which,
during the war, the Greeks presented a wooden horse to their enemy,
and during the night Greek soldiers jumped out of the wooden horse
and defeated the enemy. It was restarted in the computing world
when CDC (Cult of the Dead Cow) made Back Orifice, which is the
most famous trojan ever, and its port 31337 is one of the most
popular numbers.
Read the Disclaimer at the end of the text.

====================================================================
01. What is a Trojan Horse?

A trojan horse is a program that works against a user, more or
less like a virus, and is mostly contained in programs that look
legitimate but have a very dark side. These trojans work in the
"background", i.e. invisible to you. They do things that can render
you almost powerless. All trojans have a specific purpose for which
attackers use them. Most of them are RATs (Remote Administration
Tools). These programs are used by attackers to attack less
knowledgeable people. Having most trojans on your computer is
harmless; opening them causes the problem.

====================================================================
02. What are the different types of trojans?

a. Remote Administration Tools(RAT)
b. Keyloggers
c. Password Retrievers
d. FTP Trojans

These trojans are explained later in this article.

====================================================================
03. What does a RAT Trojan do?

A RAT trojan runs a server on your computer that enables the
attacker to connect to your computer and execute various functions.
Even if you have some idea about these trojans, you most probably
won't know that you're infected. This is because newer trojans are
being developed every day that are better and more effective than
the older ones. Powerful trojans give the attacker more control of
your computer than you yourself have, sitting in front of it! Others
just allow some easy fun functions, and still others have common
functions like downloading/uploading. The trojan also restarts
every time you switch on your computer.
As for what a trojan can do: at worst, it can destroy your computer!

====================================================================
04. How does a RAT trojan work?

A RAT trojan is mostly contained in bigger programs. So, when
you run the program, you automatically trigger the trojan. This
trojan runs a server on a particular port, which enables the
attacker to connect to that port on your computer with utmost ease
and do God Knows What! He now has access to all your system
resources, if he's using a powerful trojan, and can do almost
anything. There is nothing you can do to stop him if you don't know
which program is the trojan and don't have any clue about what it is.
The trojan then copies itself to a location on your computer
where there is almost a 100% chance that you won't see it, and even
if you do see it, you won't realise that it is a trojan. Then the
trojan makes a registry entry or changes the win.ini file, to enable
itself to restart every time you switch on your computer.

====================================================================
05. How do I get infected?

a. IRC
---
The most common way to get infected with a trojan is through
IRC. Almost all the files that others want to send to you on IRC
are viruses or trojans!

b. ICQ/Instant Messengers
----------------------
(Many people don't use ICQ nowadays, but prefer MSN or Yahoo
Messenger. If so, ignore the things about ICQ.)
ICQ is another easy way to get a trojan. There were a million
exploits in ICQ; most have now been rectified, but not all.
A friend with whom you are chatting on ICQ will send you a file,
which is the trojan. Before, there was a hole by which an attacker
could send an exe/vbs file that appeared to be an image file or
document file. The trick is that the filename is too long to be
displayed in full, so if he has renamed the file as
"abc.jpg .exe" then you'll be able to see only abc.jpg. Now that
hole's been rectified and you will see "abc.jp........exe"
instead. You'll then execute the .exe file that he's sent you,
and just then you might receive a message from him, and he'll
distract you.

c. E-Mail
------
Nowadays, spam has become very common. You will most probably
find your inbox cluttered with dirty junk if you use hotmail.
Many e-mails contain attachments and some services have the
same problem as ICQ had, i.e. displaying even abc.jpg.exe as
abc.jpg. Therefore, there is a high possibility of spam
attachments containing trojans and viruses.

d. Floppies/CDs
------------
You can also be infected from infected floppies/CDs. When you
use an infected one and run the infected program, or if the
autorun.inf starts the trojan, you are infected.

Almost all the time, the attacker tricks you into forgetting about
the program that he just gave you, and he is successful in his
attempt. Most of the time you are so busy doing other things that
you'll forget about the program that didn't run properly. This
program is the trojan that has managed to fool you!
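As an added example (not part of the original paper), here is a small Python check for the filename trick described under ICQ and E-Mail above: it collapses the run of spaces that pushes the real ".exe" out of view, and classifies the name using the executable extensions (vbs, exe, scr, com) that section 15 warns about. The sample filenames are constructed.

```python
import re

# Extensions section 15 of the paper names as able to carry viruses and trojans.
EXECUTABLE_EXTENSIONS = {"exe", "vbs", "scr", "com"}


def classify_attachment(filename):
    """Classify a received filename the way a cautious mail or IM client should.

    Returns a dict with the extension a user would *see* if the name were cut
    off at its first extension, the extension that actually runs, and a verdict:
      "safe"       - not an executable type
      "executable" - plainly an executable (e.g. "setup.exe")
      "disguised"  - executable hidden behind a padded or double extension
    """
    # Collapse the run of spaces used to hide ".exe" ("abc.jpg      .exe").
    collapsed = re.sub(r"\s+", "", filename)
    parts = collapsed.split(".")
    true_ext = parts[-1].lower() if len(parts) > 1 else ""
    shown_ext = parts[1].lower() if len(parts) > 2 else true_ext
    if true_ext not in EXECUTABLE_EXTENSIONS:
        verdict = "safe"
    elif len(parts) > 2 or re.search(r"\s", filename):
        # Either a double extension (abc.jpg.exe) or whitespace padding.
        verdict = "disguised"
    else:
        verdict = "executable"
    return {"shown_ext": shown_ext, "true_ext": true_ext, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample names; the padded one is the ICQ trick from the paper.
    for name in ("holiday.jpg", "setup.exe", "abc.jpg.exe",
                 "abc.jpg                              .exe"):
        print(repr(name), "->", classify_attachment(name))
```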

====================================================================
06. How do I know if I'm infected?

"I've received a file from a friend and double-clicked on it.
But it seems it doesn't work, as when I clicked on it nothing
happened!" - BOOM, you're infected! Quick, use an antivirus/firewall!
A port scanner scans the ports of a specified range on a particular
IP and tells you which ones are open.
Another simple and quick way to detect if you're infected is
by using netstat. Type "netstat -an" in your command prompt and
check the results. If "xx.xx.xx.xx:tttt" (xx.xx.xx.xx = your IP;
tttt = trojan port) is in state LISTENING, then you're infected.
Below is some info on some trojans. You'll know that you're
infected if you find the port listening or connected using netstat.

====================================================================
07. Info On Some Trojans

The complete list can be found at
http://www.weed5.org/papers/klemster/backdoor-list.txt

01. Netbus 1.x
Port(s) used: 12345, 12346, 12361, 12362
Forms: Whackamole(game), the real trojan.

02. Netbus Pro 2.1
Port(s) used: 20034

03. Back Orifice(BO)
Port(s) used: 31337, 6001.

04. Sub Seven
Port(s) used: 1243
Forms: The real trojan. Can be compiled in different forms(1.7+)

05. Deep Throat
Port(s) used: 6670

06. Senna Spy
Port(s) used: 11000

07. Ugly FTP / Evil FTP / WhackJob
Port(s) used: 23456

08. Netraider
Port(s) used: 57341

09. Ugly FTP
Port(s) used: 23456

10. Doly Trojan
Port(s) used: 1011

11. Blade Runner
Port(s) used: 5401, 5402
Forms: The real trojan.

12. ICQ Trojan
Port(s) used: 4950

13. Trojan Cow
Port(s) used: 2001

14. Shockrave
Port(s) used: 1981

15. ICQKiller
Port(s) used: 7789

16. Silencer
Port(s) used: 1001

17. Stealth Spy
Port(s) used: 555

18. Devil 1.03
Port(s) used: 65000

19. Striker
Port(s) used: 2565
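As an added example (not from the original paper), here is a Python script that applies the netstat check from section 06 against the port table in section 07: it parses constructed Windows "netstat -an" output and flags local TCP ports in LISTENING or ESTABLISHED state that match a known trojan port. The table is transcribed from this page; a match is only a hint, since a legitimate service could happen to use the same port.

```python
import re

# Port-to-trojan table transcribed from section 07 of this paper.
TROJAN_PORTS = {
    12345: "Netbus 1.x", 12346: "Netbus 1.x", 12361: "Netbus 1.x",
    12362: "Netbus 1.x", 20034: "Netbus Pro 2.1", 31337: "Back Orifice",
    6001: "Back Orifice", 1243: "Sub Seven", 6670: "Deep Throat",
    11000: "Senna Spy", 23456: "Ugly FTP / Evil FTP / WhackJob",
    57341: "Netraider", 1011: "Doly Trojan", 5401: "Blade Runner",
    5402: "Blade Runner", 4950: "ICQ Trojan", 2001: "Trojan Cow",
    1981: "Shockrave", 7789: "ICQKiller", 1001: "Silencer",
    555: "Stealth Spy", 65000: "Devil 1.03", 2565: "Striker",
}

# One socket line of Windows "netstat -an": proto, local, foreign, state (TCP only).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Yield (proto, local_port, state) per socket line; headers are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, _, lport, _, _, state = m.groups()
            yield proto, int(lport), state or ""


def suspicious_sockets(text):
    """Return [(port, state, name)] for local TCP ports found in the table.
    Section 06: a trojan port that is listening or connected is the tell."""
    hits = []
    for proto, port, state in parse_netstat(text):
        if proto == "TCP" and port in TROJAN_PORTS and state in ("LISTENING", "ESTABLISHED"):
            hits.append((port, state, TROJAN_PORTS[port]))
    return hits


# Constructed sample output; the 12345 and 31337 lines are the planted "infected" case.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       64.4.13.100:1863       ESTABLISHED
  TCP    192.168.1.5:31337      10.0.0.9:4444          ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""

if __name__ == "__main__":
    for port, state, name in suspicious_sockets(SAMPLE):
        print(f"local port {port} is {state}: matches {name}")
```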

====================================================================
08. How does the attacker get my IP Address?

If you use IRC, then you yourself will know how to get the IP
address of a person. There are various tools by which attackers can
get your IP address if you use ICQ or AIM.
But newer trojans nowadays have various features to notify the
attacker about your online presence. Some come with ICQ
notification, some mail your IP address and the date and time to
the attacker's e-mail address, and some upload your information to
an internet website. All of these functions are triggered the moment
you go online. By this, an attacker can easily get your IP address.

====================================================================
09. How do I protect/disinfect myself?

a. Firewalls
---------
The best way to do this is to get a firewall. Firewalls give you
all the protection you need against attackers. They monitor all
the ports of the computer. Some good firewalls are Zone Alarm,
by Zone Labs (http://www.zonelabs.com) and Lockdown 2000
(http://www.lockdown2000.com). They give more control to you
than to programs.

b. Antivirus
---------
All the popular trojans can be detected by an antivirus. So, I
recommend you get antivirus software. BO was supposedly the
world's first, and was a nightmare some 3-4 years ago, after it
was released at defcon 8. Now Netbus is gaining popularity. 90%
of the trojans nowadays are Netbus. Almost all AVs can detect
Netbus and Back Orifice. A good antivirus is Norton Antivirus
(www.symantec.com). It can detect even low-profile and
"unheard of" trojans. This is the simplest method.
Do the netstat check every time you connect to the internet.

====================================================================
10. Keyloggers

Keyloggers are trojans which are mostly not detected by AVs
and are very dangerous. They save everything you type, anywhere on
your computer, to a file, usually in a location which is very
difficult to find. This file can be viewed by the attacker if he's
got access to your computer, or if he's planted the keylogger
using a RAT trojan. A keylogger is used mostly to get your mail
passwords, as you will most likely check your e-mail and have to
type the password, which will be logged to the file.

====================================================================
11. Password Retrievers

Password Retrievers search your computer and registry for
passwords, usually Internet and ICQ passwords. After finishing
the scan, they mail them to the e-mail address of the attacker. This
is really simple for the attacker, and there is nothing for him to do.

====================================================================
12. FTP Trojans

FTP or File Transfer Protocol is the universally accepted
protocol for client-server file exchange. An FTP trojan opens up
the default FTP port (21) and runs an FTP server on it, enabling
anyone knowing FTP or having an FTP client to connect and upload
and download files.

====================================================================
13. Binders

Binders are used a lot by attackers. These binders can attach many
files and executables together into one executable. Using binders,
attackers attach a game or some other legitimate program and a
trojan. When you execute the game file, the trojan is also run.
Bound exes can fool victims without arousing any suspicion.
This makes it even more important for one to get an
AV or a firewall.

====================================================================
14. Why do people do all this?

They want to show off to you. Many times, people attack the
victims for some kind of information, like passwords etc., that
they want from your computer, or they just want to scare you. Most
of the time, they just break into your computer and show off to you.
Therefore, most of the time they don't cause any harm to your
computer, but your passwords and important documents - that's a
different story!

Securing your documents
-----------------------
To secure your documents and important information, you have
to use encryption software that will make the data unreadable by
anyone, even you. To read it, you have to decrypt it using the key
provided at encryption time. The best encryption software in
the world is PGP (Pretty Good Privacy), written by Phil Zimmermann.

====================================================================
15. Does this mean I shouldn't trust any friends?

Not at all! You can trust them, but always be cautious. But, to
save yourself, you should be paranoid! Also, please note: "Do not
accept any files from strangers or on IRC". Any vbs, exe, scr and
com files can contain viruses and trojans.

====================================================================
DISCLAIMER

There is no guarantee on the accurateness of this text and
this is subject to change anytime. This text is meant only for
educational purposes. Following or reading this text is entirely at
the choice and risk of the user. I will not be responsible for any
damages caused because of reading this directly or indirectly, or
abuse/misinterpretation of this paper.

====================================================================

klemster | klemster@weed5.org
Copyright 2002 Weed5 Security Group
http://www.weed5.org/