Trojans and Evading Techniques

Trojans and Evading Techniques

The module will include the understanding the concept of Trojan, Danger created by Trojans, how they can come to your computer, how do they destroy you. How many types of Trojans are there, how Trojans are attached behind other applications and finally the most important, Detection of Trojan on your computer and their prevention to safeguard your system and your data.

Knowing The Trojans

A Trojan is a malicious program misguided as some very important application. Trojans comes on the backs of other programs and are installed on a system without the Users knowledge. Trojans are malicious pieces of code used to install hacking software on a target system and aid the Hacker in gaining and retaining access to that system. Trojans and their counterparts are important pieces of the Hackers toolkit.

Knowing The Trojans

Trojans is a program that appears to perform a desirable and necessary function but that, because of hidden and unauthorized code, performs functions unknown and unwanted by the user. These downloads are fake programs which seems to be a legitimate application, it may be a software like monitoring program, system virus scanners, registry cleaners, computer system optimizers, or they may be applications like songs, pictures, screen savers, videos, etc.

Knowing The Trojans

You just need to execute that software or application, you will find the application running or you might get an error, but once executed the Trojan will install itself in the system automatically. Once installed on a system, the program then has system-level access on the target system, where it can be destructive and insidious. They can cause data theft and loss, and system crashes or slowdowns; they can also be used as launching points for other attacks

Knowing The Trojans

Many Trojans are used to manipulate files on the victim computer, manage processes, remotely run commands, intercept keystrokes, watch screen images, and restart or shut down infected hosts.

Different Types of Trojans

1. Remote Administration Trojans: There are Remote Access Trojans which are used to control the Victims computer remotely. Data Stealing Trojans: Then there are Data Sending Trojans which compromised the data in the Victims computer, then find the data on the computer and send it to the attacker automatically.

2.

3.

Security Disabler Trojan: There are Security software disablers Trojans which are used to stop antivirus software running in the Victims computer. In most of the cases the Trojan comes as a Remote Administration Tools which turns the Victims computer into a server which can controlled remotely. Once the Remote Access Trojan is installed in the system, the attacker can connect to that computer and can control it.

Some Famous Trojans

Beast

Some Famous Trojans

Back Orifice

Some Famous Trojans

Net Bus

Some Famous Trojans

ProRat

Some Famous Trojans

GirlFriend

Some Famous Trojans

Sub7

Components of Trojans
Trojan consists of two parts: 1. A Client component 2. A Server component. One which resides on the Victims computer is called the server part of the Trojan and the one which is on the attackers computer is called the client part of the Trojan. For the Trojan to function as a backdoor, the server component has to be installed on the Victims machine

Components of Trojans

Components of Trojans
1. Server component of the Trojan opens a port in the Victims computer and invites the Attacker to connect and administrate the computer. Client component of the Trojan tries to connect the Victim computer and administrate the computer without the permission of the User.

2.

Wrapper
A Wrapper is a program used to combine two or more executables into a single packaged program. The wrapper attaches a harmless executable, like a game, to a Trojans payload, the executable code that does the real damage, so that it appears to be a harmless file. Hackers use Wrappers to bind the Server part of the Software behind any image or any other file. Wrappers are also known as Binders.

Wrapper
Generally, games or other animated installations are used as wrappers because they entertain the user while the Trojan in being installed. This way, the user doesnt notice the slower processing that occurs while the Trojan is being installed on the systemthe user only sees the legitimate application being installed.

Modes of Transmission

Reverse Connection In Trojans

Reverse-connecting Trojans let an attacker access a machine on the internal network from the outside. The Hacker can install a simple Trojan program on a system on the internal network. On a regular basis (usually every 60 seconds), the internal server tries to access the external master system to pick up commands. If the attacker has typed something into the master system, this command is retrieved and executed on the internal system. Reverse WWW shell uses standard HTTP. Its dangerous because its difficult to detectit looks like a client is browsing the Web from the internal network

Detection And Removal of Trojans

Unusual system behavior is usually an indication of a Trojan attack. Actions such as Programs starting and running without the Users initiation CD-ROM drawers Opening or Closing Wallpaper, background, or screen saver settings changing by themselves Screen display flipping upside down Browser program opening strange or unexpected websites All above are indications of a Trojan attack. Any action that is suspicious or not initiated by the user can be an indication of a Trojan attack. One thing which you can do is to check the applications which are making network connections with other computers. One of those applications will be a process started by the Server Trojan.

TCPView
TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows NT, 2000, and XP, TCPView also reports the name of the process that owns the endpoint. Active connections will appear in Green Color. You can always Right Click on the check the properties of the application. Once you have got hold of the Trojan application, you can Kill the active connection and the running process and then delete the physical application file. This will make you recover from the attack of Trojan.

TCPView

Countermeasures
Most commercial antivirus programs have Anti-Trojan capabilities as well as spyware detection and removal functionality. These tools can automatically scan hard drives on startup to detect backdoor and Trojan programs before they can cause damage. Once a system is infected, its more difficult to clean, but you can do so with commercially available tools. Its important to use commercial applications to clean a system instead of freeware tools, because many freeware removal tools can further infect the system. In addition, portmonitoring tools can identify ports that have been opened or files that have changed.

Trojan Evading Technique

The key to preventing Trojans and backdoors from being installed on a system is to not to install applications downloaded from the Internet or open Email attachments from parties you dont know. Many systems administrators dont give users the system permissions necessary to install programs on their system for the very same reason.