Originally written for CyberArmy by an unknown author, edited for CAU Knowledge Bank by Inzomniak.
Trojans & Protection
Table of Contents
1. Introduction
2. What is a trojan horse?
3. History
4. RAT's and what they can do
5. Some Trojans and their known ports
6. A list of ports assigned on your computer
7. Features in RAT's
- SubSeven
- Back Orifice
- Netbus
- Deep Throat
8. Scanning for Trojans
9. Getting rid of the Trojan
10. Future protection
11. Understanding the attacker
12. Backdoors in Trojans
1. Introduction
This text is about Windows based Trojans and is addressed (mostly) to the general public. In this
tutorial you will find out what are computer Trojans, how they work, how to detect and remove
them and prevent future infestation. I hope that after reading this you'll realize that Trojans are
dangerous and still represent a big security problem.
2. What is a trojan horse?
A trojan horse is an unauthorised program hidden inside a legitimate program. It performs
functions unknown to, and probably unwanted by, the user. Basically this file gives the
hacker (if you can call him that) full access to your computer: the program opens a port, keeps
it open and lets him connect to your computer through your IP with the client file.
Think of a Trojan as a program that allows somebody else to do what you can do to your
computer and more (and even faster than you). Also a Trojan retrieves all the information you
typed in since you turned on your computer and all the stored information on your computer is in
his hands.
3. History
In the 12th century B.C., Greece declared war on the city of Troy. The dispute erupted when the
prince of Troy abducted the queen of Sparta and declared that he wanted to make her his wife,
which made the Greeks and especially the queen of Sparta quite furious. The Greeks gave chase
and engaged Troy in a 10-year war, but unfortunately for them, all of their efforts went down
the drain. Troy was simply too well fortified. In a last effort, the Greek army pretended to be
retreating, leaving behind a huge wooden horse. The people of Troy saw the horse, and, thinking it
was some kind of a present from the Greeks, pulled the horse into their city, without knowing
that the finest soldiers of Greece were sitting inside it, since the horse was hollow.
Under the cover of night, the soldiers snuck out and opened the gates of the city, and later,
together with the rest of the army, killed the entire army of Troy.
4. RAT's and what they can do
Nowadays the most popular Trojans are RAT's (Remote Administration Trojans).
These Trojans contain:
- The Server File (by executing this file you get infected)
- The Client File (this file is used by the hacker to connect to another computer)
- Other files (DLL's, etc)
The server file (usually called server.exe) is the most dangerous file. Never execute this file
unless you really want to get infected, or you are testing a Trojan on yourself. RAT's let you have
access to your victim's hard drive, and also perform many functions on his computer (opens and
closes his CD-ROM drive, shut down his computer, turn off the monitor, play sounds, reverse
mouse buttons, delete, copy, edit, download, and run files etc), which will scare off most
computer users. Files can be uploaded from his computer to yours and then executed (other
Trojans, viruses, password stealing programs).
Modern RAT's are very simple to use. Just fool someone into running the server file and get his IP
and you have FULL control over his/her computer (some Trojans are limited by their functions,
but more functions also mean larger server files. Some Trojans are merely meant for the
attacker to use them to upload another Trojan to his target's computer and run it). The size of a
Trojan is variable. It is from about 50k (only with open port & connect functions) up to a few
Megs (multiple functions). A Trojan can be bound to another file, so when you run that program
both are executed (the trojan which runs in the background and the main program). And you won't
even think it is a Trojan, nothing looks suspicious.
Other Trojans display a message such as an error telling you, for example, that the file can't be
opened. Actually, the file is opened, the Trojan is installed and this error message is displayed by
a function in the Trojan.
5. Some Trojans and their known ports
The Thing - 6400
NetBus 1.x - 12345
NetBus 1.x (avoiding Netbuster) - 12346
NetBus Pro - 20034
Back Orifice - 31337
SubSeven - 1243
NetSphere - 30100
Deep Throat - 6670
Master Paradise - 31
Silencer - 1001
Millennium - 20000
Devil 1.03 - 65000
NetMonitor - 7306
Streaming Audio Trojan - 1170
Socket23 - 5000
Socket25 - 30303
Gatecrasher - 6969
Telecommando - 61466
Gjamer - 12076
IcqTrojen - 4950
Priority - 16969
Voodoo - 1245
Wincrash - 5742
Wincrash2 - 2583
Netspy - 1033
ShockRave - 1981
Stealth Spy - 555
Pass Ripper - 2023
Attack FTP - 666
GirlFriend - 21554
Fore - 50766
DeltaSource (DarkStar) - 6883
Tiny Telnet Server - 34324
Kuang - 30999
SennaSpyTrojans - 11000
Backdoor - 1999
WebEx - 1001
UglyFtp - 23456
TrojanCow - 2001
TheSpy - 40412
Striker - 2565
Silencer - 1001
RoboHack - 5569
RemoteWindowsShutdown - 53001
Prosiak 0.47 - 22222
ProgenicTrojan - 11223
PortalOfDoom - 9872
InIkiller - 9989
IcqTrojan - 4950
BladeRunner - 5400
Wingate (Socks-Proxy) - 1080
SubSeven - 27374
Satan's Backdoor - 666
Shivka-Burka - 1600
SpySender - 1807
Doly Trojan - 1011
Psyber Stream Server - 1170
Ultors Trojan - 1234
FTP99CMP - 1492
VooDoo Doll - 1245
Trojan Cow - 2001
Bugs - 2115
Deep Throat - 2140
The Invasor - 2140
Phineas Phucker - 2801
Wincrash 3 - 4092
Sockets de Troie - 5000
Sockets de Troie 1.x - 5001
Firehotcker - 5321
Blade Runner 1.x - 5401
Blade Runner 2.x - 5402
DeepThroat - 6771
GateCrasher - 6969
Priority - 6969
Remote Grab - 7000
NetMonitor 1.x - 7301
NetMonitor 2.x - 7306
NetMonitor 3.x - 7307
NetMonitor 4.x - 7308
ICKiller - 7789
Portal of Doom 1.x - 9873
Portal of Doom 2.x - 9874
Portal of Doom 3.x - 9875
Portal of Doom 4.x - 10067
Portal of Doom 5.x - 10167
iNi-Killer - 9989
Senna Spy - 11000
Progenic Trojan - 11223
Hack'99 KeyLogger - 12223
GabanBus - 1245
Whack-a-mole - 12361
Whack-a-mole 1.x - 12362
Priority - 16969
Millennium - 20001
Prosiak - 22222
Prosiak - 33333
Evil FTP - 23456
Ugly FTP - 23456
Delta - 26274
Back Orifice - 31338
DeepBO - 31338
NetSpy DK - 31339
BOWhack - 31666
BigGluck - 34324
The Spy - 40412
Masters Paradise 1.x - 40422
Masters Paradise 2.x - 40423
Masters Paradise 3.x - 40426
Sockets de Troie - 50505
Fore - 50766
Remote Windows Shutdown - 53001
Devil - 65000
Streaming Audio Trojan - 1170
A complete list can be found in the Trojan removal utility The Cleaner available at www.moosoft.com.
6. A list of ports assigned on your computer
This list shows you the ports assigned on your computer to standard services (any other open port
is suspect and may have been opened by a Trojan):
0 ip IP
1 icmp ICMP
3 ggp GGP
6 tcp TCP
7 echo tcp
7 echo udp
8 egp EGP
9 discard tcp
9 discard udp
11 systat tcp
12 pup PUP
13 daytime tcp
13 daytime udp
15 netstat tcp
17 udp UDP
17 qotd tcp
17 qotd udp
19 chargen tcp
19 chargen udp
20 hmp HMP
20 ftp-data tcp
21 ftp tcp
22 xns-idp XNS-IDP
23 telnet tcp
25 smtp tcp
27 rdp RDP
37 time tcp
37 time udp
39 rlp udp
42 name tcp
42 name udp
43 whois tcp
53 domain tcp
53 domain udp
57 mtp tcp
66 rvd RVD
67 bootp udp
69 tftp udp
77 rje tcp
79 finger tcp
87 link tcp
95 supdup tcp
101 hostnames tcp
102 iso-tsap tcp
103 dictionary tcp
104 x400-snd tcp
105 csnet-ns tcp
109 pop tcp
110 pop3 tcp
111 portmap tcp
111 portmap udp
113 auth tcp
115 sftp tcp
117 path tcp
119 nntp tcp
123 ntp udp
137 nbname udp
138 nbdatagram udp
139 nbsession tcp
144 NeWS tcp
153 sgmp udp
158 tcprepo tcp
161 snmp udp
162 snmp-trap udp
170 print-srv tcp
175 vmnet tcp
315 load udp
400 vmnet0 tcp
500 sytek udp
512 exec tcp
512 biff udp
513 login tcp
513 who udp
514 shell tcp
514 syslog udp
515 printer tcp
517 talk udp
518 ntalk udp
520 efs tcp
520 route udp
525 timed udp
526 tempo tcp
530 courier tcp
531 conference tcp
531 rvd-control udp
532 netnews tcp
533 netwall udp
540 uucp tcp
543 klogin tcp
544 kshell tcp
550 new-rwho udp
556 remotefs tcp
560 rmonitor udp
561 monitor udp
600 garcon tcp
601 maitrd tcp
602 busboy tcp
700 acctmaster udp
701 acctslave udp
702 acct udp
703 acctlogin udp
704 acctprinter udp
705 acctinfo udp
706 acctslave2 udp
707 acctdisk udp
750 kerberos tcp
750 kerberos udp
751 kerberos_master tcp
751 kerberos_master udp
752 passwd_server udp
753 userreg_server udp
754 krb_prop tcp
888 erlogin tcp
7. Features in RAT's
This chapter discusses features in the most common RAT's used nowadays.
SubSeven
This is the most used Trojan in the world. It has a friendly interface and does not require
advanced knowledge of anything, just basic knowledge of Windows. Well, Sub7 is an all in one
Trojan because it is a password Trojan (it can steal passwords), destructive Trojan (has access
to your Hard Disk like you do and more), joke and fun Trojan (can open CD-ROMs, print files, chat
with victim, turn off monitor, etc), keylogger (logs all keystrokes).
Features:
- PC info (retrieve pc info)
- Home info (retrieve home info; many people never fill this in, so the function usually returns
"not found" for all categories)
- Change server port
- Change server password
- Update server (from URL or local file)
- Remove password (this is a way to remove the trojan if you are connected to the server)
- Close server
- Restart server
- Remote and local scanners (scans a wide range of IP's for Sub7 servers on a specified port)
- Keylogger (log all keys)
- Send keys
- Disable keys
- Enable keys
- Open logged keys
- Msg manager
- The Matrix
- Spy manager
- ICQ takeover
- FTP server
- Find files
- Dial-up passwords
- AOL instant messenger password
- ICQ passwords
- Other passwords
- Registry editor
- Network browser
- Process manager (see all processes running on the victim's computer and you can also disable
them, kill processes)
- App redirect (you are able to redirect console applications input and output to an edit box)
- Port redirect (redirect data on a specified TCP-port to another host and port)
- Netstat (see all open ports)
- File manager (complete control over his Hard Disk including local hard disk browsing, edit, run,
copy, delete, upload, download files, create folders, play wav files, rename files, set wallpaper)
- Window manager
- Text to speech
- Clipboard manager
- Print manager
- Fun manager (screen capture, webcam capture, flip screen, open browser, change resolution,
change windows colours, play tic-tac-toe with victim, restart computer, hide/show mouse,
reverse/restore mouse buttons, control mouse, change volume settings, record microphone,
set time and date, hide/show desktop icons, open/close CD-ROM, hide/show start button,
hide/show clock, start/stop speaker, hide/show taskbar, turn on/off monitor, enable/disable
Ctrl Alt Del, Num Lock, Caps Lock, Scroll Lock)
- Plugins (here you can see what plugins are installed with the server; you can install more plugins
by uploading them on his computer)
Back Orifice
This was the first RAT. It is harder to use. It doesn't have a friendly interface (for a newbie). It
hides itself pretty well.
Name: Back Orifice
Alias: BO
Author: Sir Dystic [cDc]
Origin: United States
Release Date: 30th July 1998
Version: 1.20
Size: 124'928 Bytes plus config data record
Type: Trojan Horse
Dangerous: Very
Vulnerable Systems: Windows 95/98
Customisable: Fully, incl. Plugins
Droppers: Available
Comment: Extremely powerful
Description:
Since its release on DEFCON VI by Cult of the Dead Cow (cDc), it has spread extraordinarily fast
around the globe. Well, Sir Dystic did a great job. It is configurable for many special purposes by
using plugins. The many options make it no easy toy for hacker kids however. One must know a
lot to use this one right.
Back Orifice hides itself from the task list when active. Upon infection, it installs itself in the
Registry as server, therefore launched by Windows upon system boot. It copies itself into the
<WindowsRootDir>\system directory, and then deletes the installer.
The standard installer has an invisible icon. You need to have Windows 95 or 98 to get infected.
BO won't install itself on a NT system. For infection it is needed that you run the executable on
your system. It is *not* possible to get infected by just browsing the web or reading E-Mails.
Theoretically. However, there are bugs in many Internet software packages, including Microsoft
Internet Explorer, Microsoft Outlook Express and Netscape Communicator. Some bugs may allow
someone to run arbitrary code on your machine without the need for your help. But these bugs
are *very* difficult to exploit, and this can only be done by a true hacker.
Those attacking you with Back Orifice however usually are only kids playing super hacker, so you
needn't get worried about those security bugs too much. But to be on the safe side please install
the updates, service packs and bugfixes for the Internet software and for your Windows,
available at www.microsoft.com and www.netscape.com. Back Orifice is fully configurable. The
standard port is 31337, the file name is " .exe" and it uses no password. But all of this can be configured.
BO always places an entry in the RunServices section in the Registry. BO uses the UDP protocol
for communication, which means that it is not locatable by a common port scan. It only responds
to packets encrypted using the password it was configured to by the attacker. It has also the
option to run plugins. These plugins can be written by anyone, so a BO server is not limited to
its standard functionality but can easily be extended with other functions; known examples
include sending a mail upon infection, and connecting to an IRC server and telling all the
chatters there that the computer is infected. BO gives full control over the infected machine,
including: application launch and control, directory and file mgmt, net connection and share mgmt,
compression and decompression, HTTP server, keyboard log, screen capture, webcam capture,
play sounds, ping, plugin mgmt, process mgmt, port redirection mgmt, Registry mgmt, resolve
host, display dialog boxes, system information including cached passwords, lockup, reboot, TCP
file send and receive.
There is the possibility to misconfigure BO so it will not copy itself to the system directory but
stay where it is and run from there. The Registry entry in this case is not valid, which makes it
harder to locate. BO leaves a file called windll.dll in the system directory. This DLL is used for
hooking the keyboard.
Droppers are available, enabling anyone to package BO into another program, infecting the target
upon execution of that program. The most powerful of these droppers, SilkRope 2.x, even
encrypts BO, so it won't be located with a common file scan.
NetBus
This program is a remote administration and spy tool. Furthermore it is shareware. That means
you have to pay for the Trojan. NetBus Pro has many features for remote administration like:
- File manager (complete control of the remote file system including exploring, download, upload, run, delete, etc.)
- Registry manager (control the registry)
- Application redirect (you are able to redirect console applications input and output to an edit box in NetBus Pro)
- Capture screen
- Key logging (log all keys)
- Webcam capture
- Network browsing
- Message manager (chat with user)
- Plugin manager (run and stop installed NetBus server plugins on the user's system)
- Open cd
- Shut down computer
- Play sounds
- Show images
- Swap mouse
- Disable keys
- Record audio (microphone needed on user's computer)
- Port redirect (redirect data on a specified TCP-port to another host and port)
- Key click (generate a sound every time a key is pressed on the keyboard)
- Go to URL (goes to a specified URL within the default web browser)
- Send text (send keystrokes to the focused window on the system)
NetBus has fewer features than SubSeven and it is easy to use.
Deep Throat
Deep Throat v3.0 is similar to SubSeven but also with less functions. It has a friendly interface
and it is easy to use.
Features:
- Sys info (retrieve info about user)
- FTP server (enable a ftp server on the host)
- Capture screen
- Retrieve passwords
- Reboot (reboots the host's computer)
- Send text (send a message to the user)
- Show picture
- Create directory
- Set wallpaper
- Delete file
- Play sound
- Run program
- Netget (download something from the web)
- Find files
- Turn off/on monitor
- Open/close CD-ROM
- Hide/show taskbar, start button, systray, clock, desktop
- Reverse mouse
- Freeze mouse
- Enable/disable Ctrl-Alt-Del
- Dialog box and chat box (send a message to the victim or chat with him/her)
- Scanner (scan a range of IP's for DT3 servers)
- Keylogger (logs all keys)
- Send to URL (opens the default browser and sends it to the specified URL)
- Change FTP port (change ftp port for ftp server)
- Server status (what type of server it is)
- Hang up modem (disconnect him/her)
- Drive info
- Process list (list of processes running on the host)
- Bind executables (binds the server to another file)
- Update
- Reg add (edit registry)
8. Scanning for Trojans
If you reached this section you must be thinking: all right, I know how Trojans work, but how do I
know if I am infected? Simple. Use a port scanner. You may choose a local port scanner or an IP
port scanner; try:
Nitros Anti Spy Software 2001 http://www.internet-monitoring-software.com/antispy/ - 95/98/ME
Necrosoft NScan http://www.nscan.org
Trojan Hunter v1.5 www.come.to/soul4blade - scan IP's for Trojans
Xnetstat http://www.freshsw.com/xns/standard/ - monitor connections on ports
NetScanTools http://www.netscantools.com/ - various scanning utilities
Active Ports 1.3 http://www.ntutility.com - for Windows NT, XP, 2K
Some Trojans have features such as scanning for their servers (Sub7, Deep Throat). You just enter
the IP class you want to scan, e.g. from 193.172.231.1 to 193.172.255.255 (255 is the max value).
You can find your IP in some of the port scanners and other programs above (like NetScanTools),
or by downloading the program ITrace32 from www.ipswitch.com. Some antivirus programs now
have a check-ports option. This is another way to scan for Trojans, but only on localhost (that's you).
In chapter 5 copy the part with the Trojans names and ports and paste (replace) it to another file
called Trojans.txt in the Trojan Hunter directory.
Active Ports - Easy to use tool for Windows NT/2000/XP that enables you to monitor all open
TCP/IP and UDP ports on the local computer. Active Ports maps ports to the owning application so
you can watch which process has opened which port. It also displays a local and remote IP address
for each connection and allows you to terminate the owning process.
Another download site:
http://www.protect-me.com/freeware.html
Nitros Anti Spy Software 2001 - Nitrous Anti Spy has the ability to tell you every dynamic link
library, system task, and thread process currently active on your machine, showing the file
location of the active program. Along with this, it has the ability to stop the current process.
Nitros Anti Spy Software also comes along with a port scanner and a firewall. These utilities locate
open ports on your machine, as well as monitor other commonly used ports. NAS has a database of
ports used by hackers and the common Trojan spy programs out there. Nitrous Anti Spy also can
show you what files load on start-up, as well as a built in registry editor.
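The comparison this chapter describes, as an added example that is not part of the original tutorial: it parses the chapter-5 trojan list (the "Name - port" layout Trojan Hunter's Trojans.txt expects) and the chapter-6 assigned-ports list ("port name proto"), reads netstat-style listener lines and tags every listening port as an assigned service, a known-trojan port or unknown. The netstat lines are constructed sample data in the column layout assumed here, and a trojan-port match is only a hint, since Sub7 and BO both let the attacker change the port and BO's UDP listener never appears in a TCP-only port scan.

```python
import re
from collections import defaultdict

# Excerpt of the chapter-5 list in the page's own "Name - port" layout.
TROJAN_PORTS_TEXT = """
NetBus 1.x - 12345
Back Orifice - 31337
SubSeven - 27374
Deep Throat - 2140
The Invasor - 2140
"""

# Excerpt of the chapter-6 list in its "port name proto" layout; rows like
# "6 tcp TCP" are protocol numbers, not ports, and are skipped.
ASSIGNED_PORTS_TEXT = """
6 tcp TCP
21 ftp tcp
53 domain udp
137 nbname udp
139 nbsession tcp
"""

# Constructed netstat-style output (not captured from a real machine). The
# UDP listener on 31337 is the case a TCP-only port scan would never show.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2140           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.0.5:1045       198.51.100.9:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""


def parse_trojan_list(text):
    """Map port -> set of trojan names (several trojans share one port)."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s+-\s+(\d+)\s*$", line)
        if m:
            table[int(m.group(2))].add(m.group(1))
    return table


def parse_assigned_list(text):
    """Map (port, proto) -> service name, keeping only the tcp/udp rows."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit() and parts[2] in ("tcp", "udp"):
            table[(int(parts[0]), parts[2])] = parts[1]
    return table


def parse_listeners(text):
    """Return [(port, proto)] for sockets somebody could connect to: TCP rows in
    LISTENING state and every UDP row (UDP rows carry no state column)."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue  # ESTABLISHED etc. are connections, not open doors
        port = int(parts[1].rsplit(":", 1)[1])
        listeners.append((port, parts[0].lower()))
    return listeners


def classify(listeners, trojans, assigned):
    """Tag each listener as an assigned service, a known-trojan port or unknown.
    A trojan-port hit is only a hint: Sub7 and BO both let the attacker change
    the port, so an unknown listener still needs its owning process identified."""
    report = []
    for port, proto in listeners:
        if (port, proto) in assigned:
            report.append((port, proto, "assigned", assigned[(port, proto)]))
        elif port in trojans:
            report.append((port, proto, "known-trojan-port", ", ".join(sorted(trojans[port]))))
        else:
            report.append((port, proto, "unknown", "identify the owning process"))
    return report


def audit(netstat=NETSTAT_SAMPLE, trojans=TROJAN_PORTS_TEXT, assigned=ASSIGNED_PORTS_TEXT):
    return classify(parse_listeners(netstat), parse_trojan_list(trojans),
                    parse_assigned_list(assigned))
```

On a real machine, feed audit() the output of `netstat -an` and the full chapter-5 and chapter-6 lists; Active Ports (chapter 8) then tells you which process owns each unknown port.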
9. Getting rid of the Trojan
Found a suspicious open port? Good, or better yet not good. This can be a Trojan. Check the lists, if
you want to identify it yourself. Maybe it is the IRC port (from 6660-6669). You can get rid of it
automatically by installing and running an antivirus or a Trojan removal utility. You can install Anti
Viral Toolkit Pro from http://www.kaspersky.com, Norton AntiVirus from
http://www.symantec.com/nav, and RAV from http://www.rav.ro, Anti Virus eXpert from
http://www.avx.ro/, or a Trojan removal utility like The Cleaner from www.moosoft.com. Download
their trial offers and if you like these programs, buy them (if you got money!).
Now if you don't want an antivirus you can identify and get rid of the Trojan by using other
programs. Go back to chapter 8 (if you didn't do the scan). If you did the scan, you probably found
the Trojan and you know which it is. Now the only way to remove the Trojan is to connect to your
own machine (find out your IP with ITrace32, for example) with the client program from the Trojan.
In the server options you may find the remove server button. Click that. When it is done you're
free of the Trojan.
I am writing this part because I have seen a lot of people infested by themselves. They just
downloaded the Trojan and executed both the client and the server file. And then they left it (or
maybe they deleted it). But they were still infested. For all of you who got infested this way you
can remove the Trojan easily.
Bad aspects:
1. Some clients don't have this option (remove server).
2. Your machine may have a password (if you don't know the password you can't get rid of the
trojan). This is a sign that you have been infested by somebody else (just install an antivirus and
scan your Hard Disk).
10. Future Protection
If you don't want to have any problems with Trojans do the following:
Download and install one or more firewalls.
a) VisNetic Firewall - http://www.ccsoftware.ca/VisNetic/download.cfm
VisNetic Firewall is in place of ConSeal Firewall. In addition to all of the features present in ConSeal
(fine-grained rules control, separate rule sets for each device, password protection, etc.), VisNetic
Firewall also adds these exciting features:
- Stateful inspection of packets
- Full support for Windows 2000 and XP
- Time-sensitive rules
- Email notification of rule hits
- Ability to automatically email the log file
- Intuitive Windows Explorer style interface
- Real-time Activity Viewer
b) BlackICE Defender - http://www.networkice.com/
BlackICE Defender delivers bullet-proof intrusion detection and personal firewall protection to your
PC. It scans your DSL, cable, or dial-up Internet connection looking for hacker activity, much like
antivirus programs scan your hard disk looking for viruses. BlackICE will not slow down your PC or
your Internet experience.
c) Sygate Personal Firewall Pro - http://www.sygate.com/ - 95/98/ME/NT/2000/XP
Sygate Personal Firewall PRO, ICSA certified and built on Sygate's unique and proven technology, is
the first personal firewall software that provides a multi-layered shield of network, content,
application, and operating system security. Sygate Personal Firewall PRO is the ultimate desktop
security solution trusted by professionals and relied upon by millions of users.
d) Zone Alarm - www.zonelabs.com
ZoneAlarm is designed to protect your DSL or cable-connected PC from hackers. This program
includes four interlocking security services: a firewall, an Application Control, an Internet Lock, and
Zones. The firewall controls the door to your computer and allows only traffic that you understand
and initiate. The Application Control allows you to decide which applications can and cannot use the
Internet. The Internet Lock blocks Internet traffic while your computer is unattended or while you
are not using the Internet, and it can be activated automatically with your computer's screensaver
or after a set period of inactivity. Zones monitor all activity on your computer and alert you when a
new application attempts to access the Internet.
e) LockDown2000 - http://www.lockdown2000.com/
Scan your Hard Disk daily (if you are paranoid) or at least weekly with an antivirus and The Cleaner
(This program is specialised in detecting and removing Trojans, and is sometimes better than an
antivirus). Also scan with Trojan Hunter.
Be careful what programs you download from the Internet. You should scan these programs before
executing them. Be careful with friends (or presumed friends). Let's say you and your friend are
playing a split screen game on your computer. After a while he (rarely a girl does this but it is not
excluded) asks you for some water, juice, soda, etc. You go to the kitchen. Meanwhile he puts a
diskette in your floppy and runs the server file. Your computer is infected. Now you have two
choices:
a) Never bring a friend over.
b) Download Secret Folders (http://sihs.bizland.com) and configure it. When you leave your
computer use the NO ACCESS feature.
c) Download Rearguard (http://www.greyware.com/software/grr/) for the registry. It will help you
if any program decides to add/modify/delete something in the registry (for example: a
trojan trying to install itself).
The least expected Trojan is within a binded file. A binded file is an application composed of two or
more programs so when you execute the binded file you execute two programs, for example, one is
WinAmp and the other is a trojan. You only see the WinAmp window and you think it is perfectly ok.
You can say that the binded file was made just for you by somebody you know or somebody you
don't. This can happen by downloading files not from their official sites. So be careful!
Never execute mail attachments. Always scan them first. Even after you scan them and there's
nothing wrong with them AND the file is from somebody you know, still be careful (I wouldn't
execute the file if I were you!). Also watch out for tricks like a file named meandmyfriends.jpg.exe
WITH the JPEG icon; that is surely a Trojan.
Download Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network,
available from Sams Publishing (sams.net), and read it. On IRC, scan the files you receive through
the DCC function. Always remember that the file can have any icon and any name but must be an
.exe file. Scan .com and .bat files too, and view .bat files before running them. Install Linux. It is
more secure than Windows. It's free.
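A check for the attachment trick named above (a name like meandmyfriends.jpg.exe that shows a picture icon but ends in an executable extension), added here as an example and not part of the original tutorial. It uses the executable types the tutorial tells you to scan (.exe, .com, .bat); the set of decoy extensions and the sample filenames are my own assumptions.

```python
# Executable types the tutorial says to scan. Windows runs a file by its final
# extension, whatever icon or earlier "extension" the name shows.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat"}
# Assumed decoy types an attacker would pick to look like a picture or document.
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "bmp", "txt", "doc", "mp3"}


def triage_attachment(filename):
    """Classify one attachment name as 'disguised-executable' (photo.jpg.exe),
    'executable', 'not-executable' or 'no-extension'."""
    # Strip whitespace around each part so "photo.jpg        .exe" (padding that
    # pushes the real extension out of view) is judged like photo.jpg.exe.
    parts = [p.strip().lower() for p in filename.strip().split(".")]
    if len(parts) < 2 or not parts[-1]:
        return "no-extension"
    if parts[-1] not in EXECUTABLE_EXTENSIONS:
        return "not-executable"  # still scan it; it just cannot run by itself
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        return "disguised-executable"
    return "executable"


def triage_mailbox(filenames):
    """Return the names that should never be run, worst first."""
    rank = {"disguised-executable": 0, "executable": 1}
    flagged = []
    for name in filenames:
        verdict = triage_attachment(name)
        if verdict in rank:
            flagged.append((rank[verdict], name))
    return [name for _, name in sorted(flagged)]


# Constructed sample attachment names (not from any real mailbox).
SAMPLE_ATTACHMENTS = [
    "meandmyfriends.jpg.exe",
    "holiday.jpg",
    "setup.exe",
    "notes.txt",
    "cleanup.bat",
    "photo.jpg        .exe",
]
```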
11. Understanding the attacker
Trojans can acquire some information on you and the attacker is looking on your HD for: credit card
information, accounts, passwords, data bases, mail accounts, personal info (home address, e-mail
address, pictures with you and your family/friends, letters, telephone number, your C.V.), company
and work information, school work and any services he can access.
Why is he/she doing this? Reasons (if the attacker doesn't know you): fun; needs credit cards,
dial-up accounts and other things; boredom.
12. Backdoors in Trojans
Some Trojans infest your computer even if you only run the client file. The programmer was hoping
to catch a larger number of victims (the ones that use the trojan to connect to others as well as
the ones infested by them).
Other programmers don't do that, but they add a special feature to the server so they can
access any infested computer without knowing the password for the server. It could be a universal
password for all servers, sort of:
if (password == his_password) connect();
else if (password == universal_password) connect();
else disconnect();
So if you infested somebody and you think only you know the password to the server, think again.
The creator of the Trojan could also have access to that computer.