Module 6

SECURITY NEWS, November 29, 2010, 3:52 PM ET

Security researchers have discovered a dangerous piece of ransomware attacking computers around the world. Experts at the security firm Kaspersky Lab noted in a blog post today (Nov. 29) that they have been notified of computers infected by ransomware. A type of malware, ransomware holds a computer system — or its data — hostage against its user, and then demands a type of ransom — wiring payment to the hacker or urging the user to buy a fake removal tool, for example — for its return. Kaspersky Lab said that, "unlike the previous variants," the new ransomware "doesn't delete files after encryption. Instead it overwrites data in the files, which makes it impossible to use data-recovery software such as PhotoRec, which we suggested during the last attack."
Source: http://www.securitynewsdaily.com

Module Objectives
- What is a Trojan?
- Overt and Covert Channels
- Purpose of Trojans
- Indications of a Trojan Attack
- Common Ports used by Trojans
- How to Infect Systems Using a Trojan?
- How to Deploy a Trojan?
- Types of Trojans
- How to Detect Trojans?
- Evading Anti-Virus Techniques
- Trojan and Backdoor Countermeasures
- Anti-Trojan Software
- Penetration Testing

Module Flow: Trojan Concepts, Trojan Infection, Types of Trojans, Trojan Detection, Countermeasures, Anti-Trojan Software, Penetration Testing

What is a Trojan?
- A Trojan is a program in which the malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on your hard disk.
- With the help of a Trojan, an attacker gets access to the stored passwords in the Trojaned computer and would be able to read personal documents, delete files and display pictures, and/or show messages on the screen.
(Diagram: the attacker sends commands to machines infected with the Trojan and they answer. "Send me credit card details" / "Here is my credit card number and expiry date"; "Send me Facebook account information" / "Here is my Facebook login and profile"; "Send me e-banking login info" / "Here is my bank ATM and PIN code".)

Overt and Covert Channels
- Overt channel: a legitimate communication path within a computer system, or network, for the transfer of data. Examples of overt channels include games or any legitimate programs.
- Covert channel: a channel that transfers information within a computer system, or network, in a way that violates the security policy. The simplest form of covert channel is a Trojan.

Purpose of Trojans
(Slide text largely lost in extraction; the recoverable points are capturing information with keyloggers and recording audio and video.)

What Do Trojan Creators Look For?
- Credit card information
- Account data (email addresses, passwords, user names, etc.)
- Confidential documents
- Financial data (bank account numbers, social security numbers, insurance information, etc.)
- Calendar information concerning the victim's whereabouts
- Using the victim's computer for illegal purposes, such as to hack, scan, flood, or infiltrate other machines on the network or Internet

Indications of a Trojan Attack
- CD-ROM drawer opens and closes by itself
- Strange chat boxes appear on the victim's computer
- Computer screen flips upside down or inverts
- Wallpaper or background settings change
- Documents or messages are printed from the printer by themselves
- Computer browser is redirected to unknown pages
- Windows color settings change
- Screensaver settings change automatically
- Functions of the right and left mouse buttons are reversed
- Mouse pointer disappears or moves by itself
- Anti-virus is disabled or does not work properly
- The taskbar disappears
- The account passwords are changed
- Windows Start button disappears
- The ISP complains to the victim that his/her computer is IP scanning
- Strange purchase statements appear in the credit card bills
- People know too much personal information about the victim
- The computer monitor turns itself off and on
- The computer shuts down and powers off by itself
- Ctrl+Alt+Del stops working

Common Ports used by Trojans
(The port table did not survive extraction. Trojan names still legible in it: Sockets des Troie, Senna Spy FTP server, DMsetup, TCP Wrappers trojan, Hidden Port, Fatal Connections, Agent 40421, ProMail trojan, Hackers Paradise, Doly Trojan, Scarab, Illusion Mailer, Nirvana.)

Module Flow: Trojan Concepts, Trojan Infection, Types of Trojans, Trojan Detection, Countermeasures, Anti-Trojan Software, Penetration Testing

How to Infect Systems Using a Trojan?
1. Create a new Trojan packet using a Trojan Horse Construction Kit.
2. Create a dropper, which is a part in a trojanized packet that installs the malicious code on the target system.
   Example of a dropper:
   Malicious code: HKLM\Software\Mic....\run\Iexploror.exe; client address: client.attacker.com; dropzone: dropzone.attacker.com
   Wrapper: file name: my_name.jpg; wrapper data: graphic file
3. Create a wrapper using tools to install the Trojan on the victim's computer.
(Diagram: attacker, dropper and wrapper combined into the Trojan packet, delivered to the victim's system, Trojan code execution.)

Wrappers
- A wrapper binds a Trojan executable with an innocent-looking EXE application such as a game or an office application.
- Example on the slide: Chess.exe (file size 90K) and Trojan.exe are bound by the wrapping application into a single file.
- Attackers might send a birthday greeting that will install a Trojan as the user watches, for example, a birthday cake dancing across the screen.

Wrapper Covert Programs: Kriptomatik, Advance File Joiner (other tool names on the slide did not survive extraction)

Different Ways a Trojan can Get into a System
- Legitimate "shrink-wrapped" software packaged by a disgruntled employee
- Fake programs
- Downloading files, games, and screensavers from Internet sites
- IRC (Internet Relay Chat)
- Attachments
- Untrusted sites and freeware software
- Physical access
- Browser and email software bugs
- NetBIOS (file sharing)

How a Trojan Infection Happens (diagram)
Computers typically get infected by clicking (rest of the sentence lost in extraction). The attacker sends an email to the victim containing a link; the victim's machine immediately connects to the Trojan server (Russia, in the slide's example) and the Trojan is installed, infecting the machine; the attacker can then command the computer to send spam email.

Evading Anti-Virus Techniques
- Break the Trojan file into multiple pieces and zip them
- ALWAYS write your own Trojan and embed it into an application
- Never use Trojans downloaded from the web (anti-virus can detect these easily)
- Change the content of the Trojan using a hex editor and also change the checksum and encrypt the file
- Change the Trojan's syntax: convert an EXE to VB script, to a DOC file, to a PPT file, or to a PDF file

Module Flow: Trojan Concepts, Trojan Infection, Types of Trojans, Trojan Detection, Countermeasures, Anti-Trojan Software, Penetration Testing

Types of Trojans
(Overview slide garbled in extraction.)

Command Shell Trojans
- A command shell Trojan gives remote control of a command shell on a victim's machine.
- The Trojan server is installed on the victim's machine, which opens a port for the attacker to connect. The client is installed on the attacker's machine and is used to launch a command shell on the victim's machine.
- Netcat example from the slide: the Netcat server on the victim runs "C:\> nc -L -p <port> -t -e cmd.exe"; the Netcat client on the attacker's machine connects with "C:\> nc <victim address> <port>" (port and address are not legible on the slide).

Command Shell Trojan: Netcat (help text)
  connect to somewhere:  nc [-options] hostname port[s] [ports] ...
  listen for inbound:    nc -l -p port [options] [hostname] [port]
  -w secs: timeout for connects and final net reads
  port numbers can be individual or ranges: m-n [inclusive]
  (In the server command above, -L re-listens after the connection closes, -p sets the local port, -t answers TELNET negotiation and -e names the program to execute after connect.)

GUI Trojans: MoSucker; Jumper and Biodox

Document Trojans
- Example on the slide: a fake FedEx shipment notification ("RE: FedEx Shipment Airway Bill Number ...", an unpaid customs duty on an Apple iMac, a link to a "package tracking website") is embedded into a Word document. The Trojan is executed as the victim opens the document and clicks on the Trojan package, infecting the victim's system.

E-mail Trojans
- The attacker gains remote control of a victim computer by sending email messages.
- Attackers can then retrieve files or folders by sending commands through email.
- The attacker uses an open relay SMTP server and fakes the email's FROM field to hide the origin.
- Example: RemoteByMail

Defacement Trojans
- Example tool: Restorator (the slide shows the original calc.exe beside a defaced copy whose window reads "You Are Hacked!!!!!").

Botnet Trojans
- Botnet Trojans infect a large number of computers across a large geographical area to create a network of bots that is controlled through a Command and Control (C&C) center.
- A botnet is used to launch various attacks on a victim including denial-of-service attacks, spamming, click fraud, and the theft of financial information.
(Diagram: botnet C&C server, bots, company website.)
- Examples: Illusion Bot (builder screenshot with IRC and WEB administration settings, a bindshell port, registry persistence and XP SP2 firewall bypass options) and NetBot Attacker

Proxy Server Trojans
- A Trojan proxy is usually a standalone application that allows remote attackers to use the victim's computer as a proxy to connect to the Internet.
- A proxy server Trojan, when infected, starts a hidden proxy server on the victim's computer.
- Thousands of machines on the Internet are infected with proxy servers using this technique.
(Diagram: attacker, victim (proxied), Internet, target company.)
- Example: W3bPrOxy Tr0j4n, a proxy server Trojan which supports multiple connections from many clients and sends reports to the Trojan owner by mail.

FTP Trojans
- FTP Trojans install an FTP server on the victim's machine, which opens FTP ports.
- An attacker can then connect to the victim's machine using the FTP port to download any files that exist on the victim's computer (diagram: "Send me the c:\creditcard.txt file"; FTP server installed in the background).
- Example: TinyFTPD

VNC Trojans
- A VNC Trojan starts a VNC server daemon in the infected system.
- The attacker connects to the victim using any VNC viewer with the password "secret".
- Since the VNC program is considered a utility, this Trojan will never be detected by anti-virus.
- Examples: WinVNC, VNC Stealer

HTTP/HTTPS Trojans
- (Description largely lost in extraction.) The Trojan is executed on the internal host and carries its traffic to the Internet over HTTP/HTTPS, which firewalls normally allow.

HTTP Trojan: HTTP RAT
- Slide diagram: infect the victim's computer with server.exe and plant the HTTP Trojan; connect to the victim's IP address with a browser.
- Displays ads, records personal data/keystrokes
- Downloads unsolicited files, disables programs/system
- Floods the Internet connection, and distributes threats
- Tracks browsing activities and hijacks the Internet browser
- Makes fraudulent claims about spyware detection and removal

Shttpd Trojan - HTTPS (SSL)
- SHTTPD is a small HTTP server that can be embedded inside any program.
- It can be wrapped with a genuine program (a game such as chess.exe); when executed it will turn a computer into an invisible web server.
- Normally the firewall allows encrypted traffic through port 443.
- Diagram: infect the victim's computer with JOUST.EXE; Shttpd runs in the background listening on port 443 (SSL); connect to the victim using a web browser at http://10.0.0.5:443.

ICMP Tunneling
- (Slide text partly lost.) ICMP Trojans rely on techniques called tunneling, which allow one protocol to be carried inside another; here the payload travels in ICMP echo-request and echo-reply packets.
- Example: an ICMP Trojan with a client that issues commands to the infected host (tool name not legible on the slide).

Remote Access Trojans
- This Trojan works like remote desktop access: the hacker gains complete GUI access to the remote system.
- 1. Infect Rebecca's computer with server.exe and plant the reverse connecting Trojan. 2. The Trojan connects to port 80 on the attacker's machine in Russia, establishing a reverse connection. 3. Jason, the attacker, has complete control over Rebecca's machine.
- Examples: DarkComet RAT, Apocalypse

Covert Channel Trojan: CCTT
1. The Covert Channel Tunneling Tool (CCTT) Trojan presents various exploitation techniques, creating arbitrary data transfer channels in the data streams authorized by a network access control system.
2. It enables attackers to get an external server shell from within the internal network and vice-versa.
3. It sets a TCP/UDP/HTTP CONNECT | POST channel allowing TCP data streams (SSH, SMTP, POP, etc.) between an external server and a box from within the internal network.

E-banking Trojans (slide title partly garbled)
(Recoverable points: the Trojan steals victims' credit card related data such as card no., CVV2 and billing details; it directs users to fake e-banking websites where they enter personal information; the stolen data is sent encoded to the attacker through TCP/UDP, IRC, or other methods.)

Data Hiding Trojans (Encrypted Trojans)
- An encryption Trojan encrypts data files in the victim's system and renders the information unusable.
- Attackers demand a ransom or force victims to make purchases from their online drug stores in return for the password to unlock the files.
- Ransom note shown on the slide: "Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents were encrypted with complex password." "Do not try to search for a program that encrypted your information — it simply does not exist in your hard disk anymore." "Pay us the money to unlock the password."

BlackBerry Trojan: PhoneSnoop
- The Trojan remotely activates the microphone of a BlackBerry handheld and listens to sounds near or around it. It can be used to spy on an individual.
- Slide steps: install PhoneSnoop (PhoneSnoop.jad); go to Options > Advanced Options > Applications, select PhoneSnoop and change the permissions for Input Simulation and Phone to Allow; go to Downloads or the Home Screen, locate the PhoneSnoop icon and start the application; enter the phone number that you want to trigger the remote listening and click Activate.

MAC OS X Trojan
- This Trojan uses social engineering: users are prompted to download a new codec to watch videos. The user then downloads the codec, which actually installs the Trojan.
- After the fake codec is installed, a video is played so as not to raise suspicion.
- The local machine's DNS settings are changed to the attacker's IP address.
- A notification is sent to the attacker about the victim's machine.
- Hackers take complete control of the victim's MAC OS X computer.
- Example: Mac OS X Trojan Hell Raiser

Module Flow: Trojan Concepts, Trojan Infection, Types of Trojans, Trojan Detection, Countermeasures, Anti-Trojan Software, Penetration Testing

How to Detect Trojans?

Scanning for Suspicious Ports
- Look for connections established to unknown or suspicious IP addresses (the slide shows a netstat listing of local and foreign addresses with their connection state).
Port Monitoring Tools: IceSword, CurrPorts and TCPView

Scanning for Suspicious Processes
- Trojans camouflage themselves as genuine Windows services or hide their processes to avoid detection.
- Trojans inject code into other Windows processes such as explorer.exe to spawn a non-visible iexplore.exe or firefox.exe process.
- Trojans can also use rootkit methods to hide their processes.
- Use process monitoring tools to detect hidden Trojans and backdoors.

Process Monitoring Tools: What's Running; PrcView; HijackThis; Winsonar; HiddenFinder; Autoruns (http://technet.microsoft.com); KillProcess; Security Task Manager; Yet Another (remote) Process Monitor (http://yaprocmon.sourceforge.net)

Scanning for Suspicious Registry Entries
- Windows automatically executes instructions in the Run, RunServices, RunOnce, RunServicesOnce and HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %* sections of the registry.
- Trojans insert instructions at these sections of the registry to perform malicious activities.
- Scanning registry values for suspicious entries may indicate the Trojan infection (the slide shows the NetBus Trojan registry entry as an example).

Registry Entry Monitoring Tools: Registry Watcher; SysAnalyzer; Regshot; Registry Shower; Tiny Watcher; Active Registry Monitor

Scanning for Suspicious Device Drivers
- (Slide text largely lost in extraction; the surviving advice is to verify the installed drivers against the publisher's original site.)

Device Driver Monitoring Tools: DriverView; Driver Detective; Unknown Device Identifier; Driver Reviver; DriverMax; Double Driver; DriverGuide Toolkit; DriverScanner

Scanning for Suspicious Windows Services
- Trojans spawn Windows services that pose as genuine ones in order to avoid detection (slide text partly lost in extraction).

Windows Services Monitoring Tools: Windows Service Manager (SrvMan); Windows Service Manager Tray; Netwrix Service Monitor; Service Manager Plus; AnVir Task Manager; Vista Services Optimizer; Process Hacker (http://processhacker.sourceforge.net)

Scanning for Suspicious Startup Programs
- Check the startup folders: the user's folder under AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup and the all-users folder under ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (the slide's paths are partly garbled).
- Check the startup program entries in the registry (keys on the next slide).
- Check the Windows services that are started automatically: go to Run, type services.msc, and sort by Startup Type.
- Check the device drivers that are automatically loaded (the slide's path under C:\Windows is garbled in extraction).

Windows Startup Registry Entries
- Windows Startup, Explorer Startup and IE Startup settings under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\... and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\... (subkeys not legible)
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
- Further HKLM and HKCU entries on the slide are not legible.

Startup Programs Monitoring Tools: Starter; Security AutoRun; Absolute Startup manager; ActiveStartup; StartEd Lite; Startup Tracker; Startup Inspector; Autoruns (http://technet.microsoft.com); Manage PC Startup; Program Starter

Scanning for Suspicious Files and Folders
- FCIV: a command line utility that computes MD5 or SHA1 cryptographic hashes for files.
- TRIPWIRE: an enterprise class system integrity verifier that scans and reports critical system files for changes.
- SIGVERIF: checks the integrity of critical files that have been digitally signed by Microsoft.

Files and Folder Integrity Checkers: FastSum and WinMD5; Advanced CheckSum Verifier (ACSV); AFICK (Another File Integrity Checker, http://afick.sourceforge.net); Sentinel; Xintegrity Professional

Scanning for Suspicious Network Activities
- Trojans connect back to handlers and send confidential information to attackers.
- Use network scanners and packet sniffers to monitor network traffic going to malicious remote addresses.
- Run tools such as Capsa to monitor network traffic and look for suspicious activities sent over the Web.

Detecting Trojans and Worms with Capsa Network Analyzer
- Capsa is an intuitive network analyzer, which provides detailed information to help check for Trojan and worm activity on the network (sentence truncated in extraction).
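The hash-based integrity check this slide describes (FCIV and TRIPWIRE style: hash every file, keep the hashes, recompute and compare), which the pen-testing steps later in the module also rely on, as an added example written for this page and not a tool from the course. It builds a SHA-256 baseline of a directory tree, stores it outside the tree, and reports modified, added and removed files; all paths and file contents are constructed, and the scenario shows why a hash is needed, since the tampered binary keeps its size and timestamp.

```python
"""Added example for this slide: a minimal file and folder integrity checker
that follows the FCIV/Tripwire approach (hash every file, keep the hashes,
later recompute and compare). Written for this page, not a tool from the
course; every path and file content below is constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"  # FCIV offers MD5 and SHA-1; SHA-256 is the stronger choice today
CHUNK = 1 << 16


def file_digest(path: Path) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file below root (relative POSIX path) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def save_baseline(baseline: dict[str, str], out: Path) -> None:
    """Persist the baseline; keep it off the monitored tree and write-protected."""
    out.write_text(json.dumps({"algo": HASH_ALGO, "files": baseline}, indent=1))


def load_baseline(src: Path) -> dict[str, str]:
    data = json.loads(src.read_text())
    if data.get("algo") != HASH_ALGO:
        raise ValueError("baseline was built with a different hash algorithm")
    return data["files"]


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Recompute digests and report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate a Trojan that
    overwrites a system binary in place (same size, original timestamp put back)
    and drops a new file into a startup folder."""
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as store:
        root, store_dir = Path(tree), Path(store)
        (root / "system32").mkdir()
        target = root / "system32" / "svchost.exe"  # constructed name, not a real system file
        target.write_bytes(b"ORIGINAL BINARY")
        (root / "notes.txt").write_text("quarterly report\n")
        before = target.stat()
        save_baseline(build_baseline(root), store_dir / "baseline.json")

        # Tampering that a size or timestamp comparison would miss
        target.write_bytes(b"TROJANED BINARY")  # same length as the original
        os.utime(target, (before.st_atime, before.st_mtime))  # restore the old mtime
        (root / "startup").mkdir()
        (root / "startup" / "update.exe").write_bytes(b"dropper")  # constructed

        after = target.stat()
        report = verify(root, load_baseline(store_dir / "baseline.json"))
        report["size_and_mtime_unchanged"] = (
            after.st_size == before.st_size and int(after.st_mtime) == int(before.st_mtime)
        )
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice the baseline is taken from a known-clean image and stored read-only off the host, since a Trojan with write access to the tree could otherwise rewrite the baseline along with the files.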
Module Flow: Trojan Concepts, Trojan Infection, Types of Trojans, Trojan Detection, Countermeasures, Anti-Trojan Software, Penetration Testing

Trojan Countermeasures
- Avoid downloading and executing applications from untrusted sources
- Avoid opening email attachments received from unknown senders
- Install patches and security updates for the operating systems and applications
- Scan CDs and floppy disks with antivirus software before using them
- Avoid accepting programs transferred by instant messaging
- Block all unnecessary ports at the host and firewall
- Harden weak, default configuration settings
- Disable unused functionality including protocols and services
- Avoid typing commands blindly and implementing pre-fabricated programs or scripts
- Manage local workstation file integrity through checksums, auditing, and port scanning
- Run local versions of anti-virus, firewall, and intrusion detection software on the desktop
- Restrict permissions within the desktop environment to prevent the installation of malicious applications

Backdoor Countermeasures
- Most commercial anti-virus products can automatically scan and detect backdoor programs before they can cause damage
- Educate users not to install applications downloaded from untrusted Internet sites and email attachments
- Use anti-virus tools such as Windows Defender, McAfee, and Norton to detect and eliminate backdoors

Trojan Horse Construction Kit
- Trojan horse construction kits help attackers to construct Trojan horses of their choice
- The tools in these kits can be dangerous and can backfire if not executed properly
(Diagram: construct Trojan, then Trojan execution.)

Module Flow: Trojan Concepts, Trojan Infection, Types of Trojans, Trojan Detection, Countermeasures, Anti-Trojan Software, Penetration Testing

Anti-Trojan Software: TrojanHunter (http://www.misec.net)
- Sample scan report on the slide: Registry scan: no suspicious entries found. Inifile scan: no suspicious entries found. Port scan: no suspicious open ports found. Memory scan: no trojans found in memory. File scan (autostarted files, running executables): no trojan files found.
- A second product slide follows; its name is not legible in extraction.

Anti-Trojan Software: Trojan Guarder; Anti Hacker; Anti-Trojan Shield (ATS); XoftSpySE; Spyware Doctor; SPYWAREfighter (http://www.spamfighter.com); Comodo BOClean (http://www.comodo.com); Anti Trojan Elite

Module Flow: Trojan Concepts, Trojan Infection, Types of Trojans, Trojan Detection, Countermeasures, Anti-Trojan Software, Penetration Testing

Pen Testing for Trojans and Backdoors
1. Scan the system for open ports, running processes, registry entries, device drivers and services. Use tools such as IceSword, CurrPorts and TCPView (ports); What's Running and HijackThis (processes); JV Power Tools and Regshot (registry); DriverView and Driver Detective (drivers); SrvMan and ServiWin (services).
2. If any suspicious port, process, registry entry, device driver or service is discovered, check the associated executable files.
3. Collect more information about these from the publisher's websites, if available, and the Internet.
4. Check if the open ports are known to be opened by Trojans in the wild.
5. Check the startup programs and determine if all the programs in the list can be recognized with known functionalities. Use tools such as Starter, Security AutoRun and Autoruns.
6. Check the data files for modification or manipulation by opening several files and comparing the hash value of these files with a pre-computed hash. Use tools such as FCIV, TRIPWIRE and SIGVERIF.
7. Check for upload of bulk files or unusually high traffic going to a particular web address. Use tools such as Capsa Network Analyzer.
8. Check the critical OS files for modification or manipulation using tools such as TRIPWIRE, or by manually comparing hash values if you have a backup copy. Use tools such as FCIV and TRIPWIRE.
9. Run an updated Trojan scanner from a reputed vendor to identify Trojans in the wild. Use tools such as Trojan Hunter and Spyware Doctor.
10. Document all your findings in the previous steps; it helps in determining the next action if Trojans are identified in the systems.
11. If Trojans are identified, isolate the infected system from the network immediately to prevent further infection.
12. Sanitize the complete system for Trojans using an updated anti-virus (the flowchart first asks whether an updated anti-virus is running).

Module Summary
- Trojans are used primarily to gain and retain access on the target system
- They often reside deep in the system and make registry changes that allow them to meet their purpose as a remote administration tool
- Popular Trojans include MoSucker, RemoteByMail, Illusion Bot, HTTP RAT, and Zeus
- Awareness and preventive measures are the best defenses against Trojans

Quote: "Never trust anything that can think for itself if you can't see where it keeps its brain." - J.K. Rowling, An Author
