The TROJON HORSE

What is a Trojan ?
"A Trojan Horse, or Trojan, is a term used to describe malware that appears, to the user, to
perform a desirable function but, in fact, facilitates unauthorized access to the user's computer
system". - Wikipedia

"A Trojan horse is an apparently useful program containing hidden functions that can exploit the
privileges of the user [running the program], with a resulting security threat.". - CERT Advisory

Types of Trojan :-
The different types of Trojan Horses are as follows-

1) Remote Access Trojans :- Abbreviated as RATs, a Remote Access Trojans are

potentially the most damaging, designed to provide the attacker with complete
control of the victim's system.

2) Data Sending Trojans :- A type of a Trojan horse that is designed to provide

the attacker with sensitive data such as passwords, credit card information, log files, e-mail address
or IM contact lists. They could install a keylogger and send all recorded keystrokes back to the
attacker.

3) Destructive Trojans :- Once this Trojan is installed on your computer, it will begin to
systematically or completely randomly delete information from your computer. This can include
files, folders, registry entries, and important system files, which likely to cause the failure of your
operating system.

4) Proxy Trojans :- A type of Trojan horse designed to use the victim's computer as a proxy
server. This gives the attacker the opportunity to conduct illegal activities, or even to use your
system to launch malicious attacks against other networks.

5) FTP Trojans :- A type of Trojan horse designed to open port 21 (FTP) and acts like an FTP
server. Once installed, the attacker not only could download/upload files/programs to victim's
computer but also install futher malware on your computer.

6) Security Software Disabler Trojan :- A type of Trojan horse designed stop or kill security
programs such as an antivirus program or firewall without the user knowing. This Trojan type is
normally combined with another type of Trojan as a payload.

7) DoS Attack Trojans :- These trojans are used by the attacker to launch a DoS/DDoS attack
against some website or network or any individual. In this case they are well known as "Zombies".

How Trojan Works ?

Trojans typically consist of two parts, a client part and a server part. When a victim (unknowingly)
runs a Trojan server on his machine, the attacker then uses the client part of that Trojan to connect
to the server module and start using the Trojan. The protocol usually used for communications is
TCP, but some Trojans' functions use other protocols, such as UDP, as well. When a Trojan server
runs on a victim’s computer, it (usually) tries to hide somewhere on the computer; it then starts
listening for incoming connections from the attacker on one or more ports, and attempts to modify
the registry and/or use some other auto-starting method.

It is necessary for the attacker to know the victim’s IP address to connect to his/her machine.
Many Trojans include the ability to mail the victim’s IP and/or message the attacker via ICQ or
IRC. This system is used when the victim has a dynamic IP, that is, every time he connects to the
Internet, he is assigned a different IP (most dial-up users have this). ADSL users have static IPs,
meaning that in this case, the infected IP is always known to the attacker; this makes it
considerably easier for an attacker to connect to your machine.

Most Trojans use an auto-starting method that allows them to restart and grant an attacker
access to your machine even when you shut down your computer.

How Trojan Horses Are Installed ?

Infection from Trojans is alarmingly simple. Following are very common ways to become infected
that most computer users perform on a very regular basis.

 Software Downloads
 Websites containing executable content (ActiveX control)
 Email Attachments
 Application Exploits (Flaws in a web applications)
 Social Engineering Attacks

The Removal :-
Antivirus software is designed to detect and delete Trojan horses ideally preventing them from
ever being install

1) NetBus :-
  Latest Version: NetBus 2.10 Pro
 Developer: Carl-Fredrik Neikter
 Default Port: 20034 (variable)
 Language: Delphi
 Operating System: Windows 95/98, NT4 or
later
 Type: Remote Access
 Download: NB2ProBeta.zip

2) Back Orifice XP :-
  Latest Version: BOXP Beta 7
 Developer: Javier Aroche
 Default Port: 15380
 Language: Microsoft Visual C++ 6.0
 Operating System: Windows 95/98/ME/NT/2000/XP
 Type: Remote Access
 Download: boxp_beta7_bin.zip

3) SubSeven / Sub7 :-
  Latest Version: SubSeven 2.2
 Developer: Mobman
 Default Port: 1080, 1369, 5873, 27374
(variable)
 Language: Delphi
 Operating System: Windows
95/98/ME/NT/2000
 Type: Remote Access, Keylogger, Eavesdropper, Sniffer, Proxy server, FTP server
 Download: Subseven.2.2.zip

4) Beast :-
 Latest Version: Beast 2.07
 Developer: Tataye
 Default Port: 6666
 Language: Delphi
 Operating System: Windows
95/98/ME/NT/2000/XP
 Type: Remote Access,
Keylogger
 Download:
Beast_2.07.rar