The Trojan Horse got its name from the old mythical story about how the Greeks gave their enemy a huge wooden horse as a gift during the war.
The enemy accepted this gift and they brought it into their kingdom, and during the night, Greek soldiers crept out of the horse and attacked the city, completely overcoming it.
A Trojan horse is an unauthorised program contained within a legitimate program. This unauthorised program performs functions unknown by the user. A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown by the user.
Working:
Trojans come in two parts, a Client part and a Server part. When the victim runs the server on its machine, the attacker will then use the Client to connect to the Server and start using the trojan. TCP/IP protocol is the usual protocol type used for communications, but some functions of the trojans use the UDP protocol as well. When the Server is being run on the victim’s computer, it will (usually) try to hide somewhere on the computer,start listening on some port(s) for incoming connections from the attacker,modify the registry and/or use some other autostarting method.
It’s necessary for the attacker to know the victim’s IP address to connect to his/her machine. Many trojans have features like mailing the victim’s IP, as well as messaging the attacker via ICQ or IRC. This is used when the victim has dynamic IP which means every time you connect to the Internet you get a different IP (most of the dial-up users have this).
Most of the trojans use Auto-Starting methods so even when you shut down your computer they’re able to restart and again give the attacker access to your machine. New auto-starting methods and other tricks are discovered all the time. The variety starts from “joining” the trojan into some executable file you use very often like explorer.exe, for example, and goes to the known methods like modifying the system files or the Windows Registry. System files are located in the Windows directory and here are short explanations of their abuse by the attackers:
– Autostart Folder – The Autostart folder is located in C:\Windows\Start Menu\Programs\startup and as its name suggests, automatically starts everything placed there.
– Win.ini – Windows system file using load=Trojan.exe and run=Trojan.exe to execute the Trojan
– System.ini – Using Shell=Explorer.exe trojan.exe results in execution of every file after Explorer.exe
– Wininit.ini – Setup-Programs use it mostly; once run, it’s being auto-deleted, which is very handy for trojans to restart
– Winstart.bat – Acting as a normal bat file trojan is added as @trojan.exe to hide its execution from the user
– Autoexec.bat – It’s a DOS auto-starting file and it’s used as auto-starting method like this -> c:\Trojan.exe
– Config.sys – Could also be used as an auto-starting method for trojans
– Explorer Startup – Is an auto-starting method for Windows95, 98, ME and if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.
Registry is often used in various auto-starting methods. Here are some known ways:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“Info”=”c:\directory\Trojan.exe”
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
“Info”=”c:\directory\Trojan.exe”
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
“Info”=”c:\directory\Trojan.exe”
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
“Info=”c:\directory\Trojan.exe”
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Info”=”c:\directory\Trojan.exe”
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
“Info”=”c:\directory\Trojan.exe”
– Registry Shell Open
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
A key with the value “%1 %*” should be placed there and if there is some executable file placed there, it will be executed each time you open a binary file. It’s used like this: trojan.exe “%1 %*”; this would restart the trojan.
– ICQ Net Detect Method
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key includes all the files that will be executed if ICQ detects Internet connection. As you can understand,this feature of ICQ is very handy but it’s frequently abused by attackers as well.
– ActiveX Component
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
StubPath=C:\directory\Trojan.exe
These are the most common Auto-Starting methods using Windows system files, and the Windows registry.
Trojans Variations
1.Remote Access Trojans
These are probably the most publicly used trojans,just because they give the attackers the power to do more things on the victim’s machine than the victim itself, while standing in front of the machine. Most of these trojans are often a combination of the other variations you’ll read below. The idea of these trojans is to give the attacker a COMPLETE access to someone’s machine, and therefore access to files, private conversations, accounting data, etc.
2.Password Sending Trojans
The purpose of these trojans is to rip all the cached passwords and also look for other passwords you’re entering then send them to a specific mail address, without the user noticing anything. Passwords for ICQ, IRC, FTP, HTTP or any other application that require a user to enter a login+password are being sent back to the attacker’s e-mail address, which in most cases is located at some free web based e-mail provider. Most of them do not restart when Windows is loaded, as the idea is to gather as much info about the victim’s machine as passwords, mIRC logs, ICQ conversations and mail them; but it depends on the needs of the attacker and the specific situation.
3.Keyloggers
These Trojans are to log the keystrokes of the victim and then let the attacker search for passwords or other sensitive data in the log file. Most of them come with two functions like online and offline recording. Of course they could be configured to
send the log file to a specific e-mail address on a daily basis.
4.Destructive
The only function of these Trojans is to destroy and delete files. This makes them very simple and easy to use. They can automatically delete all your core system files (for example: .dll, .ini or .exe files, possibly others) on your machine. The Trojan is being activated by the attacker or sometimes works like A logic bomb and starts on a specific day and at specific hour.
5.Denial Of Service (DoS) Attack Trojans
These Trojans are getting very popular these days, giving the attacker power to start DDoS if having enough victims of course. The main idea is that if you have 200 ADSL users infected and start attacking the victim simultaneously, this will generate a LOT of traffic (more then the victim’s bandwidth, in most cases) and its the access to the Internet will be shut down. WinTrinoo is a DDoS tool that has become really popular recently, and if the attacker has infected many ADSL users, major Internet sites could be shut down as a result, as we’ve seen it happen in the past few months.
Another variation of a DoS trojan is the mail-bomb trojan, whose main aim is to infect as many machines as possible and simultaneously attack specific e-mail address/addresses with random subjects and contents which cannot be filtered.
6.Proxy/Wingate Trojans
Interesting feature implemented in many trojans is turning the victim’s computer into a proxy/wingate server available to the whole world or to the attacker only. It’s used for anonymous Telnet, ICQ, IRC, etc., and also to register domains with stolen credit cards and for many other illegal activities. This gives the attacker complete anonymity and the chance to do everything from YOUR computer and if he/she gets caught the trace leads back to you.
7.FTP Trojans
These trojans are probably the most simple ones and are kind of outdated as the only thing they do is to open port 21(the port for FTP transfers) and let EVERYONE connect to your machine or just the attacker. Newer versions are password protected so only the one that infected you may connect to your computer.
8.Software Detection Killers
There are such functionalities built into some trojans, but there are also separate programs that will kill ZoneAlarm, Norton Anti-Virus and many other (popular anti-virus/firewall) programs, that protect your machine. When they are disabled, the attacker will have full access to your machine, to perform some illegal activity, use your computer to attack others and often disappear. Even though you may notice that these programs are not working or functioning properly, it will take you some time to remove the trojan, install the new software, configure it and get back online with some sense of security.
How Can I Get Infected:
Following are ways to get infected with Trojans,
1 ICQ
2 IRC
3 Attachments
4 Physical Access
5 Browser And E-mail Software Bugs
6 Netbios(FileSharing)
Trojan Programs:
Trojans can be classified as :
1.Backdoors
2.General Trojans
3.PSW Trojans
4.Trojan Clickers
5.Trojan Downloaders
6.Trojan Droppers
7.Trojan Proxies
8.Trojan Spies
9.Trojan Notifiers
10.ArcBombs
Backdoors
Today backdoors are the most dangerous type of Trojans and the most widespread. These Trojans are remote administration utilities that open infected machines to external control via a LAN or the Internet. They function in the same way as legal remote administration programs used by system administrators. This makes them difficult to detect.The only difference between a legal administration tool and a backdoor is that backdoors are installed and launched without the knowledge or consent of the user of the victim machine. Once the backdoor is launched, it monitors the local system without the user’s knowledge; often the backdoor will not be visible in the log of active programs.
Once a remote administration utilitiy has been successfully installed and launched, the victim machine is wide open.
Backdoor functions can include:
1.Sending/ receiving files
2.Launching/ deleting files
3.Executing files
4.Displaying notification
5.Deleting data
6.Rebooting the machine
In other words, backdoors are used by virus writers to detect and download confidential information, execute malicious code, destroy data, include the machine in bot networks and so forth. In short, backdoors combine the functionality of most other types of Trojans in one package.
Backdoors have one especially dangerous sub-class: variants that can propagate like worms. The only difference is that worms are programmed to propagate constantly, whereas these ‘mobile’ backdoors spread only after a specific command from the ‘master’.
General Trojans
This loose category includes a variety of Trojans that damage victim machines or threaten data integrity, or impair the functioning of the victim machine.
Multi-purpose Trojans are also included in this group, as some virus writers create multi-functional Trojans rather than Trojan packs.
PSW Trojans
This family of Trojans steals passwords, normally system passwords from victim machines. They search for system files, which contain confidential information such as passwords and Internet access telephone numbers and then send this information to an email address coded into the body of the Trojan. It will then be retrieved by the ‘master’ or user of the illegal program.
Some PSW Trojans steal other types of information such as:
System details (memory, disk space, operating system details)
Local email client
IP-address
Registration details
Passwords for on-line games
Trojan-AOL are PSW Trojans that steal passwords for aol (American Online) They are contained in a sub-groups because they are so numerous.
Trojan Clickers
This family of Trojans redirects victim machines to specified websites or other Internet resources. Clickers either send the necessary commands to the browser or replace system files where standard Internet urls are stored (e.g. the ‘hosts’ file in MS Windows).
Clickers are used:
1.To raise the hit-count of a specific site for advertising purposes
2.To organize a DoS attack on a specified server or site
3.To lead the victim to an infected resource where the machine will be attacked by other malware (viruses or Trojans)
Trojan Downloaders
This family of Trojans downloads and installs new malware or adware on the victim machine. The downloader then either launches the new malware or registers it to enable autorun according to the local operating system requirements. All of this is done without the knowledge or consent of the user.
The names and locations of malware to be downloaded are either coded into the Trojan or downloaded from a specified website or other Internet location.
Trojan Droppers
These Trojans are used to install other malware on victim machines without the knowledge of the user. Droppers install their payload either without displaying any notification, or displaying a false message about an error in an archived file or in the operating system. The new malware is dropped to a specified location on a local disk and then launched.
Droppers are normally structured in the following way:
The dropper functionality contains code to install and execute all of the payload files.
In most cases, the payload contains other Trojans and at least one hoax: jokes, games, graphics and so forth. The hoax is meant to distract the user or to prove that the activity caused by the dropper is harmless, whereas it actually serves to mask the installation of the dangerous payload.
Hackers using such programs achieve two objectives:
Hidden or masked installation of other Trojans or viruses
Tricking antivirus solutions, which are unable to analyse all components
Trojan Proxies
These Trojans function as a proxy server and provide anonymous access to the Internet from victim machines. Today these Trojans are very popular with spammers who always need additional machines for mass mailings. Virus coders will often include Trojan-proxies in Trojan packs and sell networks of infected machines to spammers.
Trojan Spies
This family includes a variety of spy programs and key loggers, all of which track and save user activity on the victim machine and then forward this information to the master.
Trojan-spies collect a range of information including:
1.Keystrokes
2.Screenshots
3.Logs of active applications
4.Other user actions
These Trojans are most often used to steal banking and other financial information to support online fraud.
Trojan Notifiers
These Trojans inform the ‘master’ about an infected machine. Notifiers confirm that a machine has been successfully infected, and send information about IP-address, open port numbers, the email address etc. of the victim machine. This information may be sent by email, to the master’s website, or by ICQ.
Notifiers are usually included in a Trojan ‘pack’ and used only to inform the master that a Trojan has been successfully installed on the victim machine.
ArcBombs
These Trojans are archived files coded to sabotage the de-compressor when it attempts to open the infected archived file. The victim machine will slow or crash when the Trojan bomb explodes, or the disk will be filled with nonsense data. ArcBombs are especially dangerous for servers, particularly when incoming data is initially processed automatically: in such cases, an ArcBomb can crash the server.
There are three types of ArcBombs:
1.incorrect header in the archive,
2.repeating data
3.a series of identical files in the archive.
An incorrect archive header or corrupted data can both cause the de-compressor to crash when opening and unpacking the infected archive.
A large file containing repeating data can be packed into a very small archive: 5 gigabytes will be 200 KB when packed using RAR and 480 KB in ZIP format.
Moreover, special technologies exist to pack an enormous number of identical files in one archive without significantly affecting the size of the archive itself: for instance, it is possible to pack 10100 identical files into a 30 KB RAR file or a 230 KB ZIP file.
Spyware and adware:
Spyware and adware are forms of a trojan horse.
Spyware programs perform a useful function, and also install a program that monitors usage of the victim’s computer for the purpose of marketing to the user.
Adware programs are similiar to spyware programs, except the additional software they install shows advertising messages directly to the user.
Suhas A Desai
*Undergraduate Computer Engineering Student,Walchand CE,Sangli,INDIA.
*Previous Publications in area “Linux Based Biometrics Security
with Smart Card” are include:ISA EXPO 2004,InTech Journal,TX,USA,IEEE
Real Time and Embedded System symposium 2005,CA,USA.,e-Smart
2005,France.
*Writes security newsletters and features for many security sites.
