Trojans and Evading Techniques
Security Disabler Trojan: Security software disabler Trojans are used to stop antivirus software running on the victim's computer. In most cases the Trojan comes as a Remote Administration Tool which turns the victim's computer into a server that can be controlled remotely. Once the Remote Access Trojan is installed on the system, the attacker can connect to that computer and control it.
Beast
Back Orifice
Net Bus
ProRat
GirlFriend
Sub7
Components of Trojans
A Trojan consists of two parts: 1. a client component and 2. a server component. The part that resides on the victim's computer is called the server part of the Trojan, and the part on the attacker's computer is called the client part of the Trojan. For the Trojan to function as a backdoor, the server component has to be installed on the victim's machine.
The server component of the Trojan opens a port on the victim's computer and waits for the attacker to connect and administer the computer. The client component of the Trojan tries to connect to the victim's computer and administer it without the permission of the user.
Wrapper
A wrapper is a program used to combine two or more executables into a single packaged program. The wrapper attaches a harmless executable, like a game, to a Trojan's payload (the executable code that does the real damage) so that the result appears to be a harmless file. Attackers use wrappers to bind the server part of the Trojan behind an image or any other file. Wrappers are also known as binders.
Generally, games or other animated installers are used as wrappers because they entertain the user while the Trojan is being installed. This way, the user does not notice the slower processing that occurs while the Trojan is being installed on the system; the user only sees the legitimate application being installed.
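One way a defender can triage a suspected wrapped file is to look for data appended after the last section of a PE image (the "overlay"), since binders commonly store the carried payload there. The following is an added example, not part of the original slides and not any particular product's detection logic; it uses only the standard library, builds its own constructed, non-executable PE-shaped sample, and treats a non-empty overlay as a signal to investigate rather than as proof of a Trojan (legitimate installers and signed binaries also carry overlays). The function names are chosen here for illustration.

```python
"""
Added example: heuristic overlay check for PE files (stdlib only).
A non-empty overlay is a triage signal, not a verdict.
"""
import struct

SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER is 40 bytes


def pe_overlay_size(data: bytes) -> int:
    """Return how many bytes sit past the end of the last raw section.

    Raises ValueError when the buffer does not look like a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    # e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    sect_table = coff + 20 + opt_size
    end_of_image = sect_table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        off = sect_table + i * SECTION_HEADER_SIZE
        # SizeOfRawData at +16 and PointerToRawData at +20 of each header.
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end_of_image = max(end_of_image, raw_ptr + raw_size)
    return max(0, len(data) - end_of_image)


def overlay_report(data: bytes, threshold: int = 0) -> dict:
    """Summarise the overlay check for a triage queue."""
    size = pe_overlay_size(data)
    return {"overlay_bytes": size, "suspicious": size > threshold}


def build_sample_pe(section_bytes: bytes, overlay: bytes) -> bytes:
    """Construct a minimal PE-shaped buffer with one section (not runnable code).

    This is a constructed sample for demonstrating the check offline.
    """
    dos = bytearray(b"MZ" + b"\0" * 62)
    e_lfanew = 0x40
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0  # the layout check does not need an optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + SECTION_HEADER_SIZE
    section = (
        b".text\0\0\0"
        + struct.pack("<IIII", len(section_bytes), 0x1000, len(section_bytes), raw_ptr)
        + b"\0" * 16
    )
    return bytes(dos) + b"PE\0\0" + coff + section + section_bytes + overlay


if __name__ == "__main__":
    clean = build_sample_pe(b"A" * 16, b"")
    wrapped = build_sample_pe(b"A" * 16, b"payload-bytes-appended-by-a-binder")
    print("clean  :", overlay_report(clean))
    print("wrapped:", overlay_report(wrapped))
```

On a real sample, pair the overlay size with other signals (entropy of the overlay, a second embedded MZ header, a known-good signature check) before escalating; many legitimate binaries carry an overlay of some size.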
Modes of Transmission
TCPView
TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and the state of TCP connections. On Windows NT, 2000, and XP, TCPView also reports the name of the process that owns the endpoint. Active connections appear in green. You can right-click on an entry to check the properties of the owning application. Once you have identified the Trojan application, you can kill the active connection and the running process and then delete the physical application file. This lets you recover from the Trojan attack.
Countermeasures
Most commercial antivirus programs have anti-Trojan capabilities as well as spyware detection and removal functionality. These tools can automatically scan hard drives on startup to detect backdoor and Trojan programs before they can cause damage. Once a system is infected, it is more difficult to clean, but you can do so with commercially available tools. It is important to use commercial applications to clean a system instead of freeware tools, because many freeware removal tools can further infect the system. In addition, port-monitoring tools can identify ports that have been opened or files that have changed.
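The TCPView workflow above (list endpoints with their owning process, spot the one that does not belong) and the port-monitoring countermeasure (report newly opened ports and changed files) can both be scripted. The following is an added example, not from the original slides and not TCPView's or any vendor's code: it parses `netstat -ano` style output into endpoint records with the owning PID, flags listeners that are missing from an administrator-reviewed baseline, shows the other connections of the same PID, and hashes a directory so that added or modified files show up on the next run. The netstat lines and the baseline set are constructed samples, and the function names are chosen here for illustration.

```python
"""
Added example: a small port-and-file baseline monitor (stdlib only).
Constructed sample data; not captured from a real host.
"""
import hashlib
from pathlib import Path

# Constructed sample of `netstat -ano` output in the Windows column layout.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       3188
  TCP    192.0.2.10:49712       198.51.100.7:6666      ESTABLISHED     3188
  UDP    0.0.0.0:5353           *:*                                    1420
"""

# Listening (proto, port) pairs an administrator has reviewed for this host.
BASELINE_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 5353)}


def parse_netstat(text):
    """Turn netstat -ano lines into dicts; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so the PID is simply the last field.
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])
        port = int(local.rsplit(":", 1)[1])  # rsplit also handles [::]:port
        records.append({"proto": proto, "local": local, "port": port,
                        "foreign": foreign, "state": state, "pid": pid})
    return records


def unexpected_listeners(records, baseline):
    """Listening endpoints whose (proto, port) is not in the reviewed baseline."""
    return [r for r in records
            if (r["proto"] == "UDP" or r["state"] == "LISTENING")
            and (r["proto"], r["port"]) not in baseline]


def connections_for_pid(records, pid):
    """Established connections owned by a PID, to see who a listener talks to."""
    return [r for r in records if r["pid"] == pid and r["state"] == "ESTABLISHED"]


def hash_tree(root):
    """SHA-256 of every file under root, keyed by relative path."""
    digests = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def changed_files(baseline, current):
    """Diff two hash_tree snapshots into added, modified and removed paths."""
    added = sorted(set(current) - set(baseline))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(set(baseline) - set(current))
    return {"added": added, "modified": modified, "removed": removed}


if __name__ == "__main__":
    import tempfile

    records = parse_netstat(SAMPLE_NETSTAT)
    for r in unexpected_listeners(records, BASELINE_LISTENERS):
        print(f"unexpected listener {r['proto']} {r['local']} owned by PID {r['pid']}")
        for c in connections_for_pid(records, r["pid"]):
            print(f"  PID {r['pid']} is also connected to {c['foreign']}")

    # Simulate a baseline scan, then a file being replaced and a new one dropped.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "app.exe").write_bytes(b"original build")
        before = hash_tree(d)
        Path(d, "app.exe").write_bytes(b"replaced build")
        Path(d, "dropped.dll").write_bytes(b"new file")
        print(changed_files(before, hash_tree(d)))
```

Feed the script real `netstat -ano` output (or a `Get-NetTCPConnection` export reshaped to the same columns) and keep the baseline under change control; the PID of a flagged listener is what you then look up in Task Manager or TCPView before killing the process and deleting the file, as the slide describes.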