[Security] Trojans and Protection

[Reply] [View by Thread] [Help]
[Back To Article Discussion Forum]

View and vote on the article here: Trojans and Protection

Trojans and Protection

Category

Security

Summary

Body

Trojans & Protection Originally written for CyberArmy by an unknown author, edited for CAU Knowledge Bank by Inzomniak. This text is about Windows based trojans and is addressed (mostly) to the general public. In this tutorial you will find out what are computer trojans, how they work, how to detect and remove them and prevent future infestation. I hope that after reading this you'll realize that trojans are dangerous and still represent a big security problem. Trojans & Protection Table of Contents 1. Introduction 2. What is a trojan horse? 3. History 4. RAT's and what they can do 5. Some trojans and their known ports 6. A list of ports assigned on your computer 7. Features in RAT''s - SubSeven - Back Orifice - Netbus - Deep Throat 8. Scanning for trojans 9. Getting rid of the Trojan 10. Future protection 11. Understanding the attacker 12. Backdoors in Trojans 1. Introduction This text is about Windows based trojans and is addressed (mostly) to the general public. In this tutorial you will find out what are computer trojans, how they work, how to detect and remove them and prevent future infestation. I hope that after reading this you'll realize that trojans are dangerous and still represent a big security problem. 2. What is a trojan horse? A trojan horse is an unauthorised program contained within a legitimate program. This program performs unknown and probably unwanted functions to the user. Basically this file gives the hacker (if you can call him that) full access to your computer. This program opens a port, keeps it open and lets him connect to your computer through your IP with the client file. Think of a Trojan as a program that allows somebody else to do what you can do to your computer and more (and even faster than you). Also a Trojan retrieves all the information you typed in since you turned on your computer and all the stored information on your computer is in his hands. 3. History In the 12th century B.C., Greece declared war on the city of Troy. The dispute erupted when the prince of Troy abducted the queen of Sparta and declared that he wanted to make her his wife, which made the Greeks and especially the queen of Sparta quite furious.The Greeks gave chase and engaged Troy in a 10-year war, but unfortunately for them, all of their efforts went down the drain. Troy was simply too well fortified. In a last effort, the Greek army pretended to be retreating, leaving behind a huge wooden horse. The people of Troy saw the horse, and, thinking it was some kind of a present from the Greeks, pulled the horse into their city, without knowing that the finest soldiers of Greece were sitting inside it, since the horse was hollow. Under the cover of night, the soldiers snuck out and opened the gates of the city, and later, together with the rest of the army, killed the entire army of Troy. 4. RAT's and what they can do Nowadays the most popular trojans are RAT's (Remote Administration Trojans). These trojans contain: - The Server File (by executing this file you get infected) - The Client File (this file is used by the hacker to connect to another computer) - Other files (DLL's, etc) The server file (usually called server.exe) is the most dangerous file. Never execute this file unless you really want to get infected, or you are testing a Trojan on yourself. RAT's let you have access to your victim's hard drive, and also perform many functions on his computer (opens and closes his CD-ROM drive, shut down his computer, turn off the monitor, play sounds, reverse mouse buttons, delete, copy, edit, download, and run files etc), which will scare off most computer users. Files can be uploaded from his computer to yours and then executed (other trojans, viruses, password stealing programs). Modern RAT's are very simple to use. Just fool someone into running the server file and get his IP and you have FULL control over his/her computer (some trojans are limited by their functions, but more functions also mean larger server files. Some trojans are merely meant for the attacker to use them to upload another Trojan to his target's computer and run it).The size of a Trojan is variable. It is from about 50k (only with open port & connect functions) up to a few Megs (multiple functions). A Trojan can be binded to another file, so when you run that program both are executed (the trojan which runs in the background and the main program). And you won't even think it is a Trojan, nothing looks suspicious. Other trojans display a message such as an error telling you, for example, that the file can't be opened. Actually, the file is opened, the Trojan is installed and this error message is displayed by a function in the Trojan. 5.Some trojans and their known ports The Thing - 6400 NetBus 1.x - 12345 NetBus 1.x (avoiding Netbuster) - 12346 NetBus Pro - 20034 BackOriffice - 31337 SubSeven - 1243 NetSphere - 30100 Deep Throat - 6670 Master Paradise - 31 Silencer - 1001 Millennium - 20000 Devil 1.03 - 65000 NetMonitor - 7306 Streaming Audio Trojan - 1170 Socket23 - 5000 Socket25 - 30303 Gatecrasher - 6969 Telecommando - 61466 Gjamer - 12076 IcqTrojen - 4950 Priotrity - 16969 Voodoo - 1245 Wincrash - 5742 Wincrash2 - 2583 Netspy - 1033 ShockRave - 1981 Stealth Spy - 555 Pass Ripper - 2023 Attack FTP - 666 GirlFriend - 21554 Fore - 50766 DeltaSource (DarkStar) - 6883 Tiny Telnet Server - 34324 Kuang - 30999 SennaSpyTrojans - 11000 Backdoor - 1999 WebEx - 1001 UglyFtp - 23456 TrojanCow - 2001 TheSpy - 40412 Striker - 2565 Silencer - 1001 RoboHack - 5569 RemoteWindowsShutdown - 53001 Prosiak 0.47 - 22222 ProgenicTrojan - 11223 PortalOfDoom - 9872 InIkiller - 9989 IcqTrojan - 4950 BladeRunner - 5400 Wingate (Socks-Proxy) - 1080 SubSeven - 27374 Satan's Backdoor - 666 Shivka-Burka - 1600 SpySender - 1807 Doly Trojan - 1011 Psyber Stream Server - 1170 Ultors Trojan - 1234 FTP99CMP - 1492 VooDoo Doll - 1245 Trojan Cow - 2001 Bugs - 2115 Deep Throat - 2140 The Invasor - 2140 Phineas Phucker - 2801 Wincrash 3 - 4092 Sockets de Troie - 5000 Sockets de Troie 1.x - 5001 Firehotcker - 5321 Blade Runner 1.x - 5401 Blade Runner 2.x - 5402 DeepThroat - 6771 GateCrasher - 6969 Priority - 6969 Remote Grab - 7000 NetMonitor 1.x - 7301 NetMonitor 2.x - 7306 NetMonitor 3.x - 7307 NetMonitor 4.x - 7308 ICKiller - 7789 Portal of Doom 1.x - 9873 Portal of Doom 2.x - 9874 Portal of Doom 3.x - 9875 Portal of Doom 4.x - 10067 Portal of Doom 5.x - 10167 iNi-Killer - 9989 Senna Spy - 11000 Progenic Trojan - 11223 Hack?99 KeyLogger - 12223 GabanBus - 1245 Whack-a-mole - 12361 Whack-a-mole 1.x - 12362 Priority - 16969 Millennium - 20001 Prosiak - 22222 Prosiak - 33333 Evil FTP - 23456 Ugly FTP - 23456 Delta - 26274 Back Orifice - 31338 DeepBO - 31338 NetSpy DK - 31339 BOWhack - 31666 BigGluck - 34324 The Spy - 40412 Masters Paradise 1.x - 40422 Masters Paradise 2.x - 40423 Masters Paradise 3.x - 40426 Sockets de Troie - 50505 Fore - 50766 Remote Windows Shutdown - 53001 Devil - 65000 Streaming Audio Trojan - 1170 A complete list can be found in the Trojan removal utility The Cleaner available at www.moosoft.com. 6. A list of ports assigned on your computer This list shows you the ports assigned on your computer for various tasks (any other open ports are suspected to be opened by trojans): 0 ip IP 1 icmp ICMP 3 ggp GGP 6 tcp TCP 7 echo tcp 7 echo udp 8 egp EGP 9 discard tcp 9 discard udp 11 systat tcp 12 pup PUP 13 daytime tcp 13 daytime udp 15 netstat tcp 17 udp UDP 17 qotd tcp 17 qotd udp 19 chargen tcp 19 chargen udp 20 hmp HMP 20 ftp-data tcp 21 ftp tcp 22 xns-idp XNS-IDP 23 telnet tcp 25 smtp tcp 27 rdp RDP 37 time tcp 37 time udp 39 rlp udp 42 name tcp 42 name udp 43 whois tcp 53 domain tcp 53 domain udp 57 mtp tcp 66 rvd RVD 67 bootp udp 69 tftp udp 77 rje tcp 79 finger tcp 87 link tcp 95 supdup tcp 101 hostnames tcp 102 iso-tsap tcp 103 dictionary tcp 104 x400-snd tcp 105 csnet-ns tcp 109 pop tcp 110 pop3 tcp 111 portmap tcp 111 portmap udp 113 auth tcp 115 sftp tcp 117 path tcp 119 nntp tcp 123 ntp udp 137 nbname udp 138 nbdatagram udp 139 nbsession tcp 144 NeWS tcp 153 sgmp udp 158 tcprepo tcp 161 snmp udp 162 snmp-trap udp 170 print-srv tcp 175 vmnet tcp 315 load udp 400 vmnet0 tcp 500 sytek udp 512 exec tcp 512 biff udp 513 login tcp 513 who udp 514 shell tcp 514 syslog udp 515 printer tcp 517 talk udp 518 ntalk udp 520 efs tcp 520 route udp 525 timed udp 526 tempo tcp 530 courier tcp 531 conference tcp 531 rvd-control udp 532 netnews tcp 533 netwall udp 540 uucp tcp 543 klogin tcp 544 kshell tcp 550 new-rwho udp 556 remotefs tcp 560 rmonitor udp 561 monitor udp 600 garcon tcp 601 maitrd tcp 602 busboy tcp 700 acctmaster udp 701 acctslave udp 702 acct udp 703 acctlogin udp 704 acctprinter udp 705 acctinfo udp 706 acctslave2 udp 707 acctdisk udp 750 kerberos tcp 750 kerberos udp 751 kerberos_master tcp 751 kerberos_master udp 752 passwd_server udp 753 userreg_server udp 754 krb_prop tcp 888 erlogin tcp 7. Features in RAT's This chapter discusses features in the most common RAT's used nowadays. SubSeven This is the most used Trojan in the world. It has a friendly interface and does not require advanced knowledge of anything, just basic knowledge of Windows. Well, Sub7 is an all in one Trojan because it is a password Trojan (it can steal passwords), destructive Trojan (has access to your Hard Disk like you do and more), joke and fun Trojan (can open CD-ROMs, print files, chat with victim, turn off monitor, etc), keylogger (logs all keystrokes). Features: - PC info (retrieve pc info) - Home info (retrieve home info-many people don't have this the function usually returns not found at all categories) - Change server port - Change server password - Update server (from URL or local file) - Remove password (this is a way to remove the trojan if you are connected to the server) - Close server - Restart server - Remote and local scanners (scans a wide range of IP's for Sub7 servers on a specified port) - Keylogger (log all keys) - Send keys - Disable keys - Enable keys - Open logged keys - Msg manager - The Matrix - Spy manager - ICQ takeover - FTP server - Find files - Dial-up passwords - AOL instant messenger password - ICQ passwords - Other passwords - Registry editor - Network browser - Process manager (see all processes running on the victim's computer and you can also disable them, kill processes) - App redirect (you are able to redirect console applications input and output to an edit box) - Port redirect (redirect data on a specified TCP-port to another host and port) - Netstat (see all open ports) - File manager (complete control over his Hard Disk including local hard disk browsing, edit, run, copy, delete, upload, download files, create folders play wav files, rename files, set wallpaper) - Window manager - Text to speech - Clipboard manager - Print manager - Fun manager (screen capture, webcam capture, flip screen, open browser, change resolution, change windows colours, play tic-tac-toe with victim, restart computer, hide/show mouse, reverse/restore mouse buttons, control mouse, change volume settings, record microphone, set time and date, hide/show desktop icons, open/close CD-ROM, hide/show start button, hide/show clock, start/stop speaker, hide/show taskbar, turn on/off monitor, enable/disable Ctrl Alt Del, Num Lock, Caps Lock, Scroll Lock) - Plugins (here you can see what plugins are installed with the server; you can install more plugins by uploading them on his computer) BackOriffice This was the first RAT. It is harder to use. It doesn't have a friendly interface (for a newbie). It hides itself pretty well. Name: Back Orifice Alias: BO Author: Sir Dystic [cDc] Origin: United States Release Date: 30th July 1998 Version: 1.20 Size: 124'928 Bytes plus config data record Type: Trojan Horse Dangerous: Very Vulnerable Systems: Windows 95/98 Customisable: Fully, incl. Plugins Droppers: Available Comment: Extremely powerful Description: Since its release on DEFCON VI by Cult of the Dead Cow (cDc), it has spread extraordinarily fast around the globe. Well, Sir Dystic did a great job. It is configurable for many special purposes by using plugins. The many options make it no easy toy for hacker kids however. One must know a lot to use this one right. Back Orifice hides itself from the task list when active. Upon infection, it installs itself in the Registry as server, therefore launched by Windows upon system boot. It copies itself into the <WindowsRootDir>\system directory, and then deletes the installer. The standard installer has an invisible icon. You need to have Windows 95 or 98 to get infected. BO won't install itself on a NT system. For infection it is needed that you run the executable on your system. It is *not* possible to get infected by just browsing the web or reading E-Mails. Theoretically. However, there are bugs in many Internet software packages, including Microsoft Internet Explorer, Microsoft Outlook Express and Netscape Communicator. Some bugs may allow someone to run arbitrary code on your machine without the need for your help. But these bugs are *very* difficult to exploit, and this can only be done by a true hacker. Those attacking you with Back Orifice however usually are only kids playing super hacker, so you needn't get worried about those security bugs too much. But to be on the safe side please install the updates, service packs and bugfixes for the Internet software and for your Windows, available at www.microsoft.com and www.netscape.com Back Orifice is fully configurable. The standard port is 31337, name is " .exe" and it uses no password. But this can all be configured. BO always places an entry in the RunServices section in the Registry. BO uses the UDP protocol for communication, which means that it is not locatable by a common port scan. It only responds to packets encrypted using the password it was configured to by the attacker. It has also the option to run plugins. These plugins can be written by anyone, and therefore is a BO server not limited to its standard functionality, but can easily be extended with other functions, known examples include sending a mail upon infection, and connecting to an IRC server and tell all the chatters there that the computer is infected. BO lends full control over the infected machine, including: application launch and control, directory and file mgmt, net connection and share mgmt, compression and decompression, HTTP server, keyboard log, screen capture, webcam capture, play sounds, ping, plugin mgmt, process mgmt, port redirection mgmt, Registry mgmt, resolve host, display dialog boxes, system information including cached passwords, lockup, reboot, TCP file send and receive. There is the possibility to misconfigure BO so it will not copy itself to the system directory but stay where it is and run from there. The Registry entry in this case is not valid, which makes it harder to locate BO leaves a file called windll.dll in the system directory. This dll is used for hooking the keyboard. Droppers are available, enabling anyone to package BO into another program, infecting the target upon execution of that program. The most powerful of these droppers, SilkRope 2.x, even encrypts BO; so it wont be located with a common file scan. NetBus This program is a remote administration and spy tool. Furthermore it is shareware. That means you have to pay for the Trojan. NetBus Pro has many features for remote administration like: - File manager (complete control of the remote file system including exploring, download, upload, run, delete, etc.) - Registry manager (control the registry) - Application redirect (you are able to redirect console applications input and output to an edit box in NetBus Pro) - Capture screen - Key logging (log all keys) - Webcam capture - Network browsing - Message manager (chat with user) - Plugin manager (run and stop installed NetBus server plugins on the user's system) - Open cd - Shut down computer - Play sounds - Show images - Swap mouse - Disable keys - Record audio (microphone needed on user's computer) - Port redirect (redirect data on a specified TCP-port to another host and port) - Key click (generate a sound every time a key is pressed on the keyboard) - Go to URL (goes to a specified URL within the default web browser) - Send text (send keystrokes to the focused window on the system) NetBus has fewer features than SubSeven and it is easy to use. Deep Throat Deep Throat v3.0 is similar to SubSeven but also with less functions. It has a friendly interface and it is easy to use. Features: - Sys info (retrieve info about user) - FTP server (enable a ftp server on the host) - Capture screen - Retrieve passwords - Reboot (reboots the host's computer) - Send text (send a message to the user) - Show picture - Create directory - Set wallpaper - Delete file - Play sound - Run program - Netget (download something from the web) - Find files - Turn off/on monitor - Open/close CD-ROM - Hide/show taskbar, start button, systray, clock, desktop - Reverse mouse - Freeze mouse - Enable/disable Ctrl-Alt-Del - Dialog box and chat box (send a message to the victim or chat with him/her) - Scanner (scan a range of IP's for DT3 servers) - Keylogger (logs all keys) - Send to URL (opens the default browser and sends it to the specified URL) - Change FTP port (change ftp port for ftp server) - Server status (what type of server it is) - Hang up modem (disconnect him/her) - Drive info - Process list (list of processes running on the host) - Bind executables (binds the server to another file) - Update - Reg add (edit registry) 8. Scanning for trojans If you reached this section you must be thinking all right I know how trojans work, how do I know if I am infected? Simple. Use a port scanner. You may choose a local port scanner or an IP port scanner, try: Nitros Anti Spy Software 2001 http://www.internet-monitoring-software.com/antispy/ - 95/98/ME Necrosoft NScan http://www.nscan.org Trojan Hunter v1.5 www.come.to/soul4blade - scan IP's for trojans Xnetstat http://www.freshsw.com/xns/standard/ - monitor connections on ports NetScanTools http://www.netscantools.com/ - various scanning utilities Active Ports 1.3 http://www.ntutility.com - for Windows NT, XP, 2K Some trojans have features such as scanning for their servers (Sub7, Deep Throat). You just enter the IP class you want to scan eg. From 193.172.231.1 to 193.172.255.255 (255 is the max value). You can find your IP in some of these port scanners and other programs above (like NetScanTools), or by downloading this program ITrace32 from www.ipswitch.com. Some antiviruses have now the check ports option. This is another way to scan for trojans but only on localhost (that's you). In chapter 5 copy the part with the trojans names and ports and paste (replace) it to another file called trojans.txt in the Trojan Hunter directory. Active Ports - Easy to use tool for Windows NT/2000/XP that enables you to monitor all open TCP/IP and UDP ports on the local computer. Active Ports maps ports to the owning application so you can watch which process has opened which port. It also displays a local and remote IP address for each connection and allows you to terminate the owning process. Another download site: http://www.protect-me.com/freeware.html Nitros Anti Spy Software 2001 - Nitrous Anti Spy has the ability to tell you every dynamic link library, system task, and thread process currently active on your machine, showing the file location of the active program. Along with this, it has the ability to stop the current process. Nitros Anti Spy Software also comes along with a port scanner and a firewall. These utilities locate open ports on your machine, as well as monitor other commonly used ports. NAS has a database of ports used by hackers and the common Trojan spy programs out there. Nitrous Anti Spy also can show you what files load on start-up, as well as a built in registry editor. 9. Getting rid of the Trojan Found a suspicious open port? Good, or better yet not good. This can be a Trojan. Check the lists, if you want to identify it yourself. Maybe it is the IRC port (from 6660-6669). You can get rid of it automatically by installing and running an antivirus or a Trojan removal utility. You can install Anti Viral Toolkit Pro from http://www.kaspersky.com, Norton AntiVirus from http://www.symantec.com/nav, and RAV from http://www.rav.ro, Anti Virus eXpert from http://www.avx.ro/, or a Trojan removal utility like The Cleaner from www.moosoft.com. Download their trial offers and if you like these programs, buy them (if you got money!). Now if you don't want an antivirus you can identify and get rid of the Trojan by using other programs. Go back to chapter 8 (if you didn't do the scan). If you did the scan, you probably found the Trojan and you know which it is. Now the only way to remove the Trojan is to connect to your own machine (find out your IP with ITrace32, for example) with the client program from the Trojan. In the server options you may find the remove server button. Click that. When it is done you're free of the Trojan. I am writing this part because I have seen a lot of people infested by themselves. They just downloaded the Trojan and executed both the client and the server file. And then they left it (or maybe they deleted it). But they were still infested. For all of you who got infested this way you can remove the Trojan easily. Bad aspects: 1. Some clients don't have this option (remove server). 2. Your machine may have a password (if you don't know the password you can't get rid of the trojan). This is a sign that you have been infested by somebody else (just install an antivirus and scan your Hard Disk). 10. Future Protection If you don't want to have any problems with trojans do the following: Download and install one or more firewalls. a) VisNetic Firewall - http://www.ccsoftware.ca/VisNetic/download.cfm VisNetic Firewall is in place of ConSeal Firewall. In addition to all of the features present in ConSeal (fine-grained rules control, separate rule sets for each device, password protection, etc.), VisNetic Firewall also adds these exciting features: - Stateful inspection of packets - Full support for Windows 2000 and XP - Time-sensitive rules - Email notification of rule hits - Ability to automatically email the log file - Intuitive Windows Explorer style interface - Real-time Activity Viewer b) BlackICE Defender - http://www.networkice.com/ BlackICE Defender delivers bullet-proof intrusion detection and personal firewall protection to your PC. It scans your DSL, cable, or dial-up Internet connection looking for hacker activity, much like antivirus programs scan your hard disk looking for viruses. BlackICE will not slow down your PC or your Internet experience. c) Sygate Personal Firewall Pro - http://www.sygate.com/ - 95/98/ME/NT/2000/XP Sygate Personal Firewall PRO, ICSA certified and built on Sygate's unique and proven technology, is the first personal firewall software that provides a multi-layered shield of network, content, application, and operating system security. Sygate Personal Firewall PRO is the ultimate desktop security solution trusted by professionals and relied upon by millions of users. d) Zone Alarm - www.zonelabs.com ZoneAlarm is designed to protect your DSL or cable-connected PC from hackers. This program includes four interlocking security services: a firewall, an Application Control, an Internet Lock, and Zones. The firewall controls the door to your computer and allows only traffic that you understand and initiate. The Application Control allows you to decide which applications can and cannot use the Internet. The Internet Lock blocks Internet traffic while your computer is unattended or while you are not using the Internet, and it can be activated automatically with your computer's screensaver or after a set period of inactivity. Zones monitor all activity on your computer and alert you when a new application attempts to access the Internet. e) LockDown2000 - http://www.lockdown2000.com/ Scan your Hard Disk daily (if you are paranoid) or at least weekly with an antivirus and The Cleaner (This program is specialised in detecting and removing trojans, and is sometimes better than an antivirus). Also scan with Trojan Hunter. Be careful what programs you download from the Internet. You should scan these programs before executing them. Be careful with friends (or presumed friends). Let's say you and your friend are playing a split screen game on your computer. After a while he (rarely a girl does this but it is not excluded) asks you for some water, juice, soda, etc. You go to the kitchen. Meanwhile he puts a diskette in your floppy and runs the server file. Your computer is infected. Now you have two choices: a) Never bring a friend over. b) Download Secret Folders (http://sihs.bizland.com) and configure it. When you leave your computer use the NO ACCESS feature. c) Download Rearguard (http://www.greyware.com/software/grr/) for the registry. It will help you if any programs decides do add/modify/delete something from the registry (for example: a trojan trying to install itself). The least expected Trojan is within a binded file. A binded file is an application composed of two or more programs so when you execute the binded file you execute two programs, for example, one is WinAmp and the other is a trojan. You only see the WinAmp window and you think it is perfectly ok. You can say that the binded file was made just for you by somebody you know or somebody you don't. This can happen by downloading files not from their official sites. So be careful! Never execute mail attachments. Always scan them first. Even after you scan them and there's nothing wrong with them AND the file is from somebody you know, still be careful (I wouldn't execute the file if I were you!). Also tricks like this file meandmyfriends.jpg.exe WITH the JPEG icon, now this is surely a Trojan. Download Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network, available at Sam's publishing (sams.net) and read it. On IRC with the DCC function. Scan received files. Always know that the file can have any icon and any name but must be an .exe file. Scan .com and .bat files. View .bat files. Install Linux. It is more secure than Windows. It's free. 11. Understanding the attacker Trojans can acquire some information on you and the attacker is looking on your HD for: credit card information, accounts, passwords, data bases, mail accounts, personal info (home address, e-mail address, pictures with you and your family/friends, letters, telephone number, your C.V.), company and work information, school work and any services he can access. Why is he/she doing this)? Reasons (if the attacker doesn't know you): fun; needs credit cards, dial-up accounts and others; boredom; 12. Backdoors in trojans Some trojans infest your computer even if you run the client file. The programmer was hoping to catch a larger number of victims (the ones that use the trojan to connect to others and the ones infested by them). Also some programmers don't do that. But they add a special feature to the server so he can access any infested computer without knowing the password for the server. Could be a universal password for all servers, sort of: if (password==his_password) connect(); else if(password==universal_password) connect(); else disconnect(); So if you infested somebody and you think only you know the password to the server, think again. The creator of the Trojan could also have access to that computer.

This article was imported from the CyberArmy University site. (original author: )

There are no replies to this post yet.

Guest:
Subject:
Message:	On 2007-04-29 10:02:30, System wrote >View and vote on the article here: [url=/library/article?id=233]Trojans and Protection[/url]<br/><br/><hr width="90%"/><center><h3>Trojans and Protection</h3></center><table width="100%"><tr><td valign="top">[b]Category[/b]</td><td width="100%"><center><table border="1" cellpadding="3" cellspacing="0" style="border-collapse: collapse" bordercolor="#000000" width="95%" bgcolor="#364C7D"><tr><td width="100%">Security</td></tr></table></center></td></tr><tr><td valign="top">[b]Summary[/b]</td><td width="100%"><center><table border="1" cellpadding="3" cellspacing="0" style="border-collapse: collapse" bordercolor="#000000" width="95%" bgcolor="#364C7D"><tr><td width="100%"></td></tr></table></center></td></tr><tr><td valign="top">[b]Body[/b]</td><td width="100%"><center><table border="1" cellpadding="3" cellspacing="0" style="border-collapse: collapse" bordercolor="#000000" width="95%" bgcolor="#364C7D"><tr><td width="100%"> [b]Trojans & Protection[/b] Originally written for CyberArmy by an unknown author, edited for CAU Knowledge Bank by Inzomniak. This text is about Windows based trojans and is addressed (mostly) to the general public. In this tutorial you will find out what are computer trojans, how they work, how to detect and remove them and prevent future infestation. I hope that after reading this you'll realize that trojans are dangerous and still represent a big security problem. [b]Trojans & Protection[/b] [b]Table of Contents[/b] 1. Introduction 2. What is a trojan horse? 3. History 4. RAT's and what they can do 5. Some trojans and their known ports 6. A list of ports assigned on your computer 7. Features in RAT''s - SubSeven - Back Orifice - Netbus - Deep Throat 8. Scanning for trojans 9. Getting rid of the Trojan 10. Future protection 11. Understanding the attacker 12. Backdoors in Trojans [b]1. Introduction[/b] This text is about Windows based trojans and is addressed (mostly) to the general public. In this tutorial you will find out what are computer trojans, how they work, how to detect and remove them and prevent future infestation. I hope that after reading this you'll realize that trojans are dangerous and still represent a big security problem. [b]2. What is a trojan horse?[/b] A trojan horse is an unauthorised program contained within a legitimate program. This program performs unknown and probably unwanted functions to the user. Basically this file gives the hacker (if you can call him that) full access to your computer. This program opens a port, keeps it open and lets him connect to your computer through your IP with the client file. Think of a Trojan as a program that allows somebody else to do what you can do to your computer and more (and even faster than you). Also a Trojan retrieves all the information you typed in since you turned on your computer and all the stored information on your computer is in his hands. [b]3. History[/b] In the 12th century B.C., Greece declared war on the city of Troy. The dispute erupted when the prince of Troy abducted the queen of Sparta and declared that he wanted to make her his wife, which made the Greeks and especially the queen of Sparta quite furious.The Greeks gave chase and engaged Troy in a 10-year war, but unfortunately for them, all of their efforts went down the drain. Troy was simply too well fortified. In a last effort, the Greek army pretended to be retreating, leaving behind a huge wooden horse. The people of Troy saw the horse, and, thinking it was some kind of a present from the Greeks, pulled the horse into their city, without knowing that the finest soldiers of Greece were sitting inside it, since the horse was hollow. Under the cover of night, the soldiers snuck out and opened the gates of the city, and later, together with the rest of the army, killed the entire army of Troy. [b]4. RAT's and what they can do[/b] Nowadays the most popular trojans are RAT's (Remote Administration Trojans). These trojans contain: - The Server File (by executing this file you get infected) - The Client File (this file is used by the hacker to connect to another computer) - Other files (DLL's, etc) The server file (usually called server.exe) is the most dangerous file. Never execute this file unless you really want to get infected, or you are testing a Trojan on yourself. RAT's let you have access to your victim's hard drive, and also perform many functions on his computer (opens and closes his CD-ROM drive, shut down his computer, turn off the monitor, play sounds, reverse mouse buttons, delete, copy, edit, download, and run files etc), which will scare off most computer users. Files can be uploaded from his computer to yours and then executed (other trojans, viruses, password stealing programs). Modern RAT's are very simple to use. Just fool someone into running the server file and get his IP and you have FULL control over his/her computer (some trojans are limited by their functions, but more functions also mean larger server files. Some trojans are merely meant for the attacker to use them to upload another Trojan to his target's computer and run it).The size of a Trojan is variable. It is from about 50k (only with open port & connect functions) up to a few Megs (multiple functions). A Trojan can be binded to another file, so when you run that program both are executed (the trojan which runs in the background and the main program). And you won't even think it is a Trojan, nothing looks suspicious. Other trojans display a message such as an error telling you, for example, that the file can't be opened. Actually, the file is opened, the Trojan is installed and this error message is displayed by a function in the Trojan. [b]5.Some trojans and their known ports[/b] The Thing - 6400 NetBus 1.x - 12345 NetBus 1.x (avoiding Netbuster) - 12346 NetBus Pro - 20034 BackOriffice - 31337 SubSeven - 1243 NetSphere - 30100 Deep Throat - 6670 Master Paradise - 31 Silencer - 1001 Millennium - 20000 Devil 1.03 - 65000 NetMonitor - 7306 Streaming Audio Trojan - 1170 Socket23 - 5000 Socket25 - 30303 Gatecrasher - 6969 Telecommando - 61466 Gjamer - 12076 IcqTrojen - 4950 Priotrity - 16969 Voodoo - 1245 Wincrash - 5742 Wincrash2 - 2583 Netspy - 1033 ShockRave - 1981 Stealth Spy - 555 Pass Ripper - 2023 Attack FTP - 666 GirlFriend - 21554 Fore - 50766 DeltaSource (DarkStar) - 6883 Tiny Telnet Server - 34324 Kuang - 30999 SennaSpyTrojans - 11000 Backdoor - 1999 WebEx - 1001 UglyFtp - 23456 TrojanCow - 2001 TheSpy - 40412 Striker - 2565 Silencer - 1001 RoboHack - 5569 RemoteWindowsShutdown - 53001 Prosiak 0.47 - 22222 ProgenicTrojan - 11223 PortalOfDoom - 9872 InIkiller - 9989 IcqTrojan - 4950 BladeRunner - 5400 Wingate (Socks-Proxy) - 1080 SubSeven - 27374 Satan's Backdoor - 666 Shivka-Burka - 1600 SpySender - 1807 Doly Trojan - 1011 Psyber Stream Server - 1170 Ultors Trojan - 1234 FTP99CMP - 1492 VooDoo Doll - 1245 Trojan Cow - 2001 Bugs - 2115 Deep Throat - 2140 The Invasor - 2140 Phineas Phucker - 2801 Wincrash 3 - 4092 Sockets de Troie - 5000 Sockets de Troie 1.x - 5001 Firehotcker - 5321 Blade Runner 1.x - 5401 Blade Runner 2.x - 5402 DeepThroat - 6771 GateCrasher - 6969 Priority - 6969 Remote Grab - 7000 NetMonitor 1.x - 7301 NetMonitor 2.x - 7306 NetMonitor 3.x - 7307 NetMonitor 4.x - 7308 ICKiller - 7789 Portal of Doom 1.x - 9873 Portal of Doom 2.x - 9874 Portal of Doom 3.x - 9875 Portal of Doom 4.x - 10067 Portal of Doom 5.x - 10167 iNi-Killer - 9989 Senna Spy - 11000 Progenic Trojan - 11223 Hack?99 KeyLogger - 12223 GabanBus - 1245 Whack-a-mole - 12361 Whack-a-mole 1.x - 12362 Priority - 16969 Millennium - 20001 Prosiak - 22222 Prosiak - 33333 Evil FTP - 23456 Ugly FTP - 23456 Delta - 26274 Back Orifice - 31338 DeepBO - 31338 NetSpy DK - 31339 BOWhack - 31666 BigGluck - 34324 The Spy - 40412 Masters Paradise 1.x - 40422 Masters Paradise 2.x - 40423 Masters Paradise 3.x - 40426 Sockets de Troie - 50505 Fore - 50766 Remote Windows Shutdown - 53001 Devil - 65000 Streaming Audio Trojan - 1170 A complete list can be found in the Trojan removal utility The Cleaner available at www.moosoft.com. [b]6. A list of ports assigned on your computer[/b] This list shows you the ports assigned on your computer for various tasks (any other open ports are suspected to be opened by trojans): 0 ip IP 1 icmp ICMP 3 ggp GGP 6 tcp TCP 7 echo tcp 7 echo udp 8 egp EGP 9 discard tcp 9 discard udp 11 systat tcp 12 pup PUP 13 daytime tcp 13 daytime udp 15 netstat tcp 17 udp UDP 17 qotd tcp 17 qotd udp 19 chargen tcp 19 chargen udp 20 hmp HMP 20 ftp-data tcp 21 ftp tcp 22 xns-idp XNS-IDP 23 telnet tcp 25 smtp tcp 27 rdp RDP 37 time tcp 37 time udp 39 rlp udp 42 name tcp 42 name udp 43 whois tcp 53 domain tcp 53 domain udp 57 mtp tcp 66 rvd RVD 67 bootp udp 69 tftp udp 77 rje tcp 79 finger tcp 87 link tcp 95 supdup tcp 101 hostnames tcp 102 iso-tsap tcp 103 dictionary tcp 104 x400-snd tcp 105 csnet-ns tcp 109 pop tcp 110 pop3 tcp 111 portmap tcp 111 portmap udp 113 auth tcp 115 sftp tcp 117 path tcp 119 nntp tcp 123 ntp udp 137 nbname udp 138 nbdatagram udp 139 nbsession tcp 144 NeWS tcp 153 sgmp udp 158 tcprepo tcp 161 snmp udp 162 snmp-trap udp 170 print-srv tcp 175 vmnet tcp 315 load udp 400 vmnet0 tcp 500 sytek udp 512 exec tcp 512 biff udp 513 login tcp 513 who udp 514 shell tcp 514 syslog udp 515 printer tcp 517 talk udp 518 ntalk udp 520 efs tcp 520 route udp 525 timed udp 526 tempo tcp 530 courier tcp 531 conference tcp 531 rvd-control udp 532 netnews tcp 533 netwall udp 540 uucp tcp 543 klogin tcp 544 kshell tcp 550 new-rwho udp 556 remotefs tcp 560 rmonitor udp 561 monitor udp 600 garcon tcp 601 maitrd tcp 602 busboy tcp 700 acctmaster udp 701 acctslave udp 702 acct udp 703 acctlogin udp 704 acctprinter udp 705 acctinfo udp 706 acctslave2 udp 707 acctdisk udp 750 kerberos tcp 750 kerberos udp 751 kerberos_master tcp 751 kerberos_master udp 752 passwd_server udp 753 userreg_server udp 754 krb_prop tcp 888 erlogin tcp [b]7. Features in RAT's[/b] This chapter discusses features in the most common RAT's used nowadays. [b]SubSeven[/b] This is the most used Trojan in the world. It has a friendly interface and does not require advanced knowledge of anything, just basic knowledge of Windows. Well, Sub7 is an all in one Trojan because it is a password Trojan (it can steal passwords), destructive Trojan (has access to your Hard Disk like you do and more), joke and fun Trojan (can open CD-ROMs, print files, chat with victim, turn off monitor, etc), keylogger (logs all keystrokes). Features: - PC info (retrieve pc info) - Home info (retrieve home info-many people don't have this the function usually returns not found at all categories) - Change server port - Change server password - Update server (from URL or local file) - Remove password (this is a way to remove the trojan if you are connected to the server) - Close server - Restart server - Remote and local scanners (scans a wide range of IP's for Sub7 servers on a specified port) - Keylogger (log all keys) - Send keys - Disable keys - Enable keys - Open logged keys - Msg manager - The Matrix - Spy manager - ICQ takeover - FTP server - Find files - Dial-up passwords - AOL instant messenger password - ICQ passwords - Other passwords - Registry editor - Network browser - Process manager (see all processes running on the victim's computer and you can also disable them, kill processes) - App redirect (you are able to redirect console applications input and output to an edit box) - Port redirect (redirect data on a specified TCP-port to another host and port) - Netstat (see all open ports) - File manager (complete control over his Hard Disk including local hard disk browsing, edit, run, copy, delete, upload, download files, create folders play wav files, rename files, set wallpaper) - Window manager - Text to speech - Clipboard manager - Print manager - Fun manager (screen capture, webcam capture, flip screen, open browser, change resolution, change windows colours, play tic-tac-toe with victim, restart computer, hide/show mouse, reverse/restore mouse buttons, control mouse, change volume settings, record microphone, set time and date, hide/show desktop icons, open/close CD-ROM, hide/show start button, hide/show clock, start/stop speaker, hide/show taskbar, turn on/off monitor, enable/disable Ctrl Alt Del, Num Lock, Caps Lock, Scroll Lock) - Plugins (here you can see what plugins are installed with the server; you can install more plugins by uploading them on his computer) [b]BackOriffice[/b] This was the first RAT. It is harder to use. It doesn't have a friendly interface (for a newbie). It hides itself pretty well. Name: Back Orifice Alias: BO Author: Sir Dystic [cDc] Origin: United States Release Date: 30th July 1998 Version: 1.20 Size: 124'928 Bytes plus config data record Type: Trojan Horse Dangerous: Very Vulnerable Systems: Windows 95/98 Customisable: Fully, incl. Plugins Droppers: Available Comment: Extremely powerful Description: Since its release on DEFCON VI by Cult of the Dead Cow (cDc), it has spread extraordinarily fast around the globe. Well, Sir Dystic did a great job. It is configurable for many special purposes by using plugins. The many options make it no easy toy for hacker kids however. One must know a lot to use this one right. Back Orifice hides itself from the task list when active. Upon infection, it installs itself in the Registry as server, therefore launched by Windows upon system boot. It copies itself into the <WindowsRootDir>\system directory, and then deletes the installer. The standard installer has an invisible icon. You need to have Windows 95 or 98 to get infected. BO won't install itself on a NT system. For infection it is needed that you run the executable on your system. It is not possible to get infected by just browsing the web or reading E-Mails. Theoretically. However, there are bugs in many Internet software packages, including Microsoft Internet Explorer, Microsoft Outlook Express and Netscape Communicator. Some bugs may allow someone to run arbitrary code on your machine without the need for your help. But these bugs are very difficult to exploit, and this can only be done by a true hacker. Those attacking you with Back Orifice however usually are only kids playing super hacker, so you needn't get worried about those security bugs too much. But to be on the safe side please install the updates, service packs and bugfixes for the Internet software and for your Windows, available at www.microsoft.com and www.netscape.com Back Orifice is fully configurable. The standard port is 31337, name is " .exe" and it uses no password. But this can all be configured. BO always places an entry in the RunServices section in the Registry. BO uses the UDP protocol for communication, which means that it is not locatable by a common port scan. It only responds to packets encrypted using the password it was configured to by the attacker. It has also the option to run plugins. These plugins can be written by anyone, and therefore is a BO server not limited to its standard functionality, but can easily be extended with other functions, known examples include sending a mail upon infection, and connecting to an IRC server and tell all the chatters there that the computer is infected. BO lends full control over the infected machine, including: application launch and control, directory and file mgmt, net connection and share mgmt, compression and decompression, HTTP server, keyboard log, screen capture, webcam capture, play sounds, ping, plugin mgmt, process mgmt, port redirection mgmt, Registry mgmt, resolve host, display dialog boxes, system information including cached passwords, lockup, reboot, TCP file send and receive. There is the possibility to misconfigure BO so it will not copy itself to the system directory but stay where it is and run from there. The Registry entry in this case is not valid, which makes it harder to locate BO leaves a file called windll.dll in the system directory. This dll is used for hooking the keyboard. Droppers are available, enabling anyone to package BO into another program, infecting the target upon execution of that program. The most powerful of these droppers, SilkRope 2.x, even encrypts BO; so it wont be located with a common file scan. [b]NetBus[/b] This program is a remote administration and spy tool. Furthermore it is shareware. That means you have to pay for the Trojan. NetBus Pro has many features for remote administration like: - File manager (complete control of the remote file system including exploring, download, upload, run, delete, etc.) - Registry manager (control the registry) - Application redirect (you are able to redirect console applications input and output to an edit box in NetBus Pro) - Capture screen - Key logging (log all keys) - Webcam capture - Network browsing - Message manager (chat with user) - Plugin manager (run and stop installed NetBus server plugins on the user's system) - Open cd - Shut down computer - Play sounds - Show images - Swap mouse - Disable keys - Record audio (microphone needed on user's computer) - Port redirect (redirect data on a specified TCP-port to another host and port) - Key click (generate a sound every time a key is pressed on the keyboard) - Go to URL (goes to a specified URL within the default web browser) - Send text (send keystrokes to the focused window on the system) NetBus has fewer features than SubSeven and it is easy to use. [b]Deep Throat[/b] Deep Throat v3.0 is similar to SubSeven but also with less functions. It has a friendly interface and it is easy to use. Features: - Sys info (retrieve info about user) - FTP server (enable a ftp server on the host) - Capture screen - Retrieve passwords - Reboot (reboots the host's computer) - Send text (send a message to the user) - Show picture - Create directory - Set wallpaper - Delete file - Play sound - Run program - Netget (download something from the web) - Find files - Turn off/on monitor - Open/close CD-ROM - Hide/show taskbar, start button, systray, clock, desktop - Reverse mouse - Freeze mouse - Enable/disable Ctrl-Alt-Del - Dialog box and chat box (send a message to the victim or chat with him/her) - Scanner (scan a range of IP's for DT3 servers) - Keylogger (logs all keys) - Send to URL (opens the default browser and sends it to the specified URL) - Change FTP port (change ftp port for ftp server) - Server status (what type of server it is) - Hang up modem (disconnect him/her) - Drive info - Process list (list of processes running on the host) - Bind executables (binds the server to another file) - Update - Reg add (edit registry) [b]8. Scanning for trojans[/b] If you reached this section you must be thinking all right I know how trojans work, how do I know if I am infected? Simple. Use a port scanner. You may choose a local port scanner or an IP port scanner, try: Nitros Anti Spy Software 2001 http://www.internet-monitoring-software.com/antispy/ - 95/98/ME Necrosoft NScan http://www.nscan.org Trojan Hunter v1.5 www.come.to/soul4blade - scan IP's for trojans Xnetstat http://www.freshsw.com/xns/standard/ - monitor connections on ports NetScanTools http://www.netscantools.com/ - various scanning utilities Active Ports 1.3 http://www.ntutility.com - for Windows NT, XP, 2K Some trojans have features such as scanning for their servers (Sub7, Deep Throat). You just enter the IP class you want to scan eg. From 193.172.231.1 to 193.172.255.255 (255 is the max value). You can find your IP in some of these port scanners and other programs above (like NetScanTools), or by downloading this program ITrace32 from www.ipswitch.com. Some antiviruses have now the check ports option. This is another way to scan for trojans but only on localhost (that's you). In chapter 5 copy the part with the trojans names and ports and paste (replace) it to another file called trojans.txt in the Trojan Hunter directory. Active Ports - Easy to use tool for Windows NT/2000/XP that enables you to monitor all open TCP/IP and UDP ports on the local computer. Active Ports maps ports to the owning application so you can watch which process has opened which port. It also displays a local and remote IP address for each connection and allows you to terminate the owning process. Another download site: http://www.protect-me.com/freeware.html Nitros Anti Spy Software 2001 - Nitrous Anti Spy has the ability to tell you every dynamic link library, system task, and thread process currently active on your machine, showing the file location of the active program. Along with this, it has the ability to stop the current process. Nitros Anti Spy Software also comes along with a port scanner and a firewall. These utilities locate open ports on your machine, as well as monitor other commonly used ports. NAS has a database of ports used by hackers and the common Trojan spy programs out there. Nitrous Anti Spy also can show you what files load on start-up, as well as a built in registry editor. [b]9. Getting rid of the Trojan[/b] Found a suspicious open port? Good, or better yet not good. This can be a Trojan. Check the lists, if you want to identify it yourself. Maybe it is the IRC port (from 6660-6669). You can get rid of it automatically by installing and running an antivirus or a Trojan removal utility. You can install Anti Viral Toolkit Pro from http://www.kaspersky.com, Norton AntiVirus from http://www.symantec.com/nav, and RAV from http://www.rav.ro, Anti Virus eXpert from http://www.avx.ro/, or a Trojan removal utility like The Cleaner from www.moosoft.com. Download their trial offers and if you like these programs, buy them (if you got money!). Now if you don't want an antivirus you can identify and get rid of the Trojan by using other programs. Go back to chapter 8 (if you didn't do the scan). If you did the scan, you probably found the Trojan and you know which it is. Now the only way to remove the Trojan is to connect to your own machine (find out your IP with ITrace32, for example) with the client program from the Trojan. In the server options you may find the remove server button. Click that. When it is done you're free of the Trojan. I am writing this part because I have seen a lot of people infested by themselves. They just downloaded the Trojan and executed both the client and the server file. And then they left it (or maybe they deleted it). But they were still infested. For all of you who got infested this way you can remove the Trojan easily. Bad aspects: 1. Some clients don't have this option (remove server). 2. Your machine may have a password (if you don't know the password you can't get rid of the trojan). This is a sign that you have been infested by somebody else (just install an antivirus and scan your Hard Disk). [b]10. Future Protection[/b] If you don't want to have any problems with trojans do the following: Download and install one or more firewalls. a) VisNetic Firewall - http://www.ccsoftware.ca/VisNetic/download.cfm VisNetic Firewall is in place of ConSeal Firewall. In addition to all of the features present in ConSeal (fine-grained rules control, separate rule sets for each device, password protection, etc.), VisNetic Firewall also adds these exciting features: - Stateful inspection of packets - Full support for Windows 2000 and XP - Time-sensitive rules - Email notification of rule hits - Ability to automatically email the log file - Intuitive Windows Explorer style interface - Real-time Activity Viewer b) BlackICE Defender - http://www.networkice.com/ BlackICE Defender delivers bullet-proof intrusion detection and personal firewall protection to your PC. It scans your DSL, cable, or dial-up Internet connection looking for hacker activity, much like antivirus programs scan your hard disk looking for viruses. BlackICE will not slow down your PC or your Internet experience. c) Sygate Personal Firewall Pro - http://www.sygate.com/ - 95/98/ME/NT/2000/XP Sygate Personal Firewall PRO, ICSA certified and built on Sygate's unique and proven technology, is the first personal firewall software that provides a multi-layered shield of network, content, application, and operating system security. Sygate Personal Firewall PRO is the ultimate desktop security solution trusted by professionals and relied upon by millions of users. d) Zone Alarm - www.zonelabs.com ZoneAlarm is designed to protect your DSL or cable-connected PC from hackers. This program includes four interlocking security services: a firewall, an Application Control, an Internet Lock, and Zones. The firewall controls the door to your computer and allows only traffic that you understand and initiate. The Application Control allows you to decide which applications can and cannot use the Internet. The Internet Lock blocks Internet traffic while your computer is unattended or while you are not using the Internet, and it can be activated automatically with your computer's screensaver or after a set period of inactivity. Zones monitor all activity on your computer and alert you when a new application attempts to access the Internet. e) LockDown2000 - http://www.lockdown2000.com/ Scan your Hard Disk daily (if you are paranoid) or at least weekly with an antivirus and The Cleaner (This program is specialised in detecting and removing trojans, and is sometimes better than an antivirus). Also scan with Trojan Hunter. Be careful what programs you download from the Internet. You should scan these programs before executing them. Be careful with friends (or presumed friends). Let's say you and your friend are playing a split screen game on your computer. After a while he (rarely a girl does this but it is not excluded) asks you for some water, juice, soda, etc. You go to the kitchen. Meanwhile he puts a diskette in your floppy and runs the server file. Your computer is infected. Now you have two choices: a) Never bring a friend over. b) Download Secret Folders (http://sihs.bizland.com) and configure it. When you leave your computer use the NO ACCESS feature. c) Download Rearguard (http://www.greyware.com/software/grr/) for the registry. It will help you if any programs decides do add/modify/delete something from the registry (for example: a trojan trying to install itself). The least expected Trojan is within a binded file. A binded file is an application composed of two or more programs so when you execute the binded file you execute two programs, for example, one is WinAmp and the other is a trojan. You only see the WinAmp window and you think it is perfectly ok. You can say that the binded file was made just for you by somebody you know or somebody you don't. This can happen by downloading files not from their official sites. So be careful! Never execute mail attachments. Always scan them first. Even after you scan them and there's nothing wrong with them AND the file is from somebody you know, still be careful (I wouldn't execute the file if I were you!). Also tricks like this file meandmyfriends.jpg.exe WITH the JPEG icon, now this is surely a Trojan. Download Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network, available at Sam's publishing (sams.net) and read it. On IRC with the DCC function. Scan received files. Always know that the file can have any icon and any name but must be an .exe file. Scan .com and .bat files. View .bat files. Install Linux. It is more secure than Windows. It's free. [b]11. Understanding the attacker[/b] Trojans can acquire some information on you and the attacker is looking on your HD for: credit card information, accounts, passwords, data bases, mail accounts, personal info (home address, e-mail address, pictures with you and your family/friends, letters, telephone number, your C.V.), company and work information, school work and any services he can access. Why is he/she doing this)? Reasons (if the attacker doesn't know you): fun; needs credit cards, dial-up accounts and others; boredom; [b]12. Backdoors in trojans[/b] Some trojans infest your computer even if you run the client file. The programmer was hoping to catch a larger number of victims (the ones that use the trojan to connect to others and the ones infested by them). Also some programmers don't do that. But they add a special feature to the server so he can access any infested computer without knowing the password for the server. Could be a universal password for all servers, sort of: if (password==his_password) connect(); else if(password==universal_password) connect(); else disconnect(); So if you infested somebody and you think only you know the password to the server, think again. The creator of the Trojan could also have access to that computer. </td></tr></table></center></td></tr></table><br/><br/>This article was imported from the CyberArmy University site. <small>(original author: )</small>
Signature:
Optional Image Link:
http://

CyberArmy::Forum v0.6
Generated In 0.00895 seconds