Let's talk about the categories of Trojans. Grouped by what the program does on the victim's machine, Trojans are commonly categorized as follows:
- Remote Access
- Data Destruction
- Server Trojan (Proxy, FTP, IRC, Email, HTTP/HTTPS, etc.)
- Security software disabler
- Denial-of-service attack (DoS)
These are a few of the known categories, based on the behavior of the Trojan program.
Let's start with the first category, i.e. Remote Access Trojans, also known as RATs. They are among the most common Trojan programs in circulation.
RATs are malicious programs that run invisibly on host PCs and permit an intruder remote access and control. On a basic level, many RATs mimic the functionality of legitimate remote control programs such as Symantec's pcAnywhere but are designed specifically for stealth installation and operation. Intruders usually hide these Trojan horses in games and other small programs that unsuspecting users then execute on their PCs. Typically, exploited users either download and execute the malicious programs or are tricked into clicking rogue email attachments.
Most RATs come in client and server components. Intruders ultimately launch the server program on a victim's machine by binding the installing component to some other legitimate program. (Intruders can use a program called a binder to combine RATs with legitimate executables so that the RATs execute in the background while the legitimate applications run, leaving victims unaware of the scurrilous activities.) In many cases, intruders can customize the server program: set IP port numbers; define when the program starts, what it's called, how it hides, and whether it uses encryption; customize logon passwords; and determine when and how the program communicates. After defining the server executable's behavior, the intruder generates the program, then tricks the host machine's owner into running it.
The process can send the intruder (aka the originator) an email message announcing its latest takeover success, or contact a hidden Internet chat channel and broadcast the exploited PC's IP address. Alternatively, after the RAT server program is launched, it can communicate directly with an originating client program on the intruder's PC by using a predefined TCP port. No matter how the RAT parts establish connectivity, the intruder uses the client program to send commands to the server program.
RAT originators can explore a particular machine or send a broadcast command that instructs all the Trojans under their control to act in concert to spread or do more damage. One predefined keyword can instruct all the exposed machines to format their hard disks or attack another host. Intruders often use RATs to take over as many machines as they can and coordinate a widespread distributed denial-of-service (DDoS) attack against a popular host, with the compromised machines acting as zombies. When the traffic-flooded victim tries to track down the intruder, the trail stops at hundreds of innocent, compromised DSL and cable-modem users, and the intruder walks away undetected.
Features of RATs:
RATs can delete and modify files, format hard disks, upload and download files, harass users, and drop off other malware.
The ability to capture every screen and keystroke means that intruders can gather users' passwords, directory paths, drive mappings, medical records, bank-account and credit card information, and personal communications. If your PC has a microphone, RATs can capture your conversations. If you have a WebCam, many RATs can turn it on and capture video, a privacy violation without par in the malicious-code world. Everything you say and do around the PC can be recorded. Some RATs include a packet sniffer that captures and analyzes every packet that crosses the PC's network card. An intruder can then use the information a RAT captures to create future back doors, cause privacy violations, perform identity theft, and create financial problems, problems that might not be readily identifiable for months. Whether you can ever trace these problems back to the RAT is debatable.
Another feature, an unauthorized user's ability to remotely control the host PC, is a powerful tool when wielded in the wrong hands. Remote users not only can manipulate PC resources but can pose as the PC's legitimate user and send email on behalf of the user, mischievously modify documents, and use the PC to attack other computers.
Detecting and Removing RATs
If a computer virus or email worm has ever infected your company, the company is a prime candidate for a RAT. Typical antivirus scanners are less likely to detect RATs than worms or viruses because of binders and intruder encryption routines. Also, RATs have the potential to cause significantly more damage than a worm or virus can cause. Finding and eradicating RATs should be a systems administrator's top priority.
The best anti-malware weapon is an up-to-date, proven antivirus scanner. Scanners detect most RATs and automate the removal process as much as possible. Many security administrators rely on Trojan-specific tools to detect and remove RATs, but you can't trust some of these products any more than you trust the Trojans themselves. Agnitum's Tauscan, however, is a top Trojan scanner that has proven its effectiveness over the years.
A clear clue to RAT infection is an unexpected open IP port on the suspected machine, especially if the port number matches a known Trojan port. Bear in mind, though, that the intruder can configure the server's port when building it (see above), so a listener on an unfamiliar port deserves attention even when it matches nothing on a known-port list. When you suspect that a PC has been infected, disconnect the PC from the Internet so that the remote intruder can't detect the security probe and initiate more damage. Using Task Manager, close all running programs that connect to the Internet (e.g., email, Instant Messaging—IM—clients). Close all programs running from the system tray. Don't boot to safe mode because doing so often prevents the Trojan from loading into memory, thus defeating the purpose of the test.
Netstat is a common IP-troubleshooting utility that comes with many OSs, including Windows. You can use it to display all the active and listening IP ports—UDP and TCP—on a local host. Open a command prompt and run Netstat to list all the open IP ports on the local computer. Investigate any unexpected ports.
To look for known Trojan ports, be highly suspicious of unknown FTP server processes (port 21) or Web servers (port 80). The Netstat command has a weakness, however: It tells you which IP ports are active, not which programs or files are initiating the activity. You need a port enumerator to find out which executable is creating which connection. Winternals Software's TCPView Professional Edition is an excellent port enumerator. Tauscan can tie a program to a port connection as well as identify the Trojan. Starting with Windows XP, the Netstat utility includes an -o parameter that shows the process identifier (PID) of the program or service using each port. You can look up the PID in Task Manager to identify the specific program.
If you don't have a port enumerator to show you the culprit, follow these steps: Look for unknown programs in startup areas such as the registry, .ini files, and the Startup folder. Then, boot the PC into safe mode if possible, and run the Netstat command to make sure the RAT isn't already loaded into memory. Then, one by one, execute any suspicious programs you found during your investigation, and rerun the Netstat command after each execution. If a program initiates a connection to the Internet, give it even more scrutiny. Incidentally, during hunts for Trojans, I've found and deleted many spyware programs that freeware programs installed. Research the programs you don't recognize, and delete the programs you're unsure about.
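The single-host procedure above (list the open ports, tie each one to its process, then check the startup areas) can be scripted against the text the Windows tools print. The following is an added example, not code from the original article or from any of the products it names: it parses what `netstat -ano`, `tasklist` and `reg query` on the Run key print, joins each socket to its owning image, and flags known Trojan ports, unexpected FTP/HTTP listeners and sockets owned by images the investigator has not vetted. The three tool outputs, the vetted-image list and the short Trojan-port table are constructed for illustration and are assumptions, not authoritative data.

```python
"""Triage one Windows host for RAT listeners from captured tool output.

Added example, not code from the original article. It parses what
`netstat -ano`, `tasklist` and `reg query` (Run key) print, joins each
socket to its owning process, and flags known Trojan ports, unexpected
FTP/HTTP listeners and sockets owned by images the investigator has not
vetted. All three samples are constructed; the port table is illustrative.
"""
import re

# Constructed sample of `netstat -ano` output (Windows XP and later).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2316
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       1820
  TCP    192.168.1.20:1052      203.0.113.9:6667       ESTABLISHED     1820
  UDP    0.0.0.0:31337          *:*                                    1820
"""
# Constructed sample of `tasklist` output.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
winupdate32.exe               1820 Console                    0       2,884 K
inetinfo.exe                  2316 Console                    0       7,452 K
"""
# Constructed sample of `reg query HKLM\...\CurrentVersion\Run` output.
RUN_KEY_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SynTPEnh       REG_SZ    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    WinUpdate32    REG_SZ    C:\WINDOWS\system32\winupdate32.exe -s
"""

# Illustrative subset of historically documented default Trojan ports.
KNOWN_TROJAN_PORTS = {("udp", 31337): "Back Orifice default port",
                      ("tcp", 27374): "SubSeven default port",
                      ("tcp", 12345): "NetBus default port"}
# Ports the article says to be highly suspicious of when the owner is unknown.
SERVICE_PORTS = {("tcp", 21): "FTP server", ("tcp", 80): "Web server"}
# Assumption: images the investigator has already vetted on this host.
KNOWN_GOOD_IMAGES = {"system", "svchost.exe", "inetinfo.exe", "lsass.exe"}

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASKLIST_LINE = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
RUN_VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_\w+\s+(.+?)\s*$")


def parse_netstat(text):
    """One dict per socket line; header and blank lines are skipped."""
    rows = []
    for m in filter(None, map(NETSTAT_LINE.match, text.splitlines())):
        proto, _laddr, lport, faddr, state, pid = m.groups()
        rows.append({"proto": proto.lower(), "port": int(lport), "faddr": faddr,
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name, the join that netstat alone cannot give you."""
    return {int(m.group(2)): m.group(1).strip()
            for m in map(TASKLIST_LINE.match, text.splitlines()) if m}


def triage(netstat_text, tasklist_text):
    """Join sockets to processes; return only the suspicious ones, with reasons."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for row in parse_netstat(netstat_text):
        image = images.get(row["pid"], "<no such PID>")
        unknown = image.lower() not in KNOWN_GOOD_IMAGES
        key = (row["proto"], row["port"])
        reasons = []
        if key in KNOWN_TROJAN_PORTS:
            reasons.append(KNOWN_TROJAN_PORTS[key])
        if unknown and row["state"] == "LISTENING" and key in SERVICE_PORTS:
            reasons.append("unexpected " + SERVICE_PORTS[key])
        if unknown:
            reasons.append("owned by unvetted image")
        if reasons:
            findings.append(dict(row, image=image, reasons=reasons))
    return sorted(findings, key=lambda f: -len(f["reasons"]))


def persistence(findings, run_key_text):
    """Map flagged image -> Run-key command that restarts it at logon."""
    flagged = {f["image"].lower() for f in findings}
    hits = {}
    for m in filter(None, map(RUN_VALUE_LINE.match, run_key_text.splitlines())):
        command = m.group(2)
        exe = command.strip('"').split("\\")[-1].split()[0].lower()
        if exe in flagged:
            hits[exe] = command
    return hits


if __name__ == "__main__":
    found = triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for f in found:
        print("PID %(pid)d %(image)s %(proto)s/%(port)d -> %(faddr)s: %(reasons)s" % f)
    print("autostart entries for flagged images:", persistence(found, RUN_KEY_SAMPLE))
```

On the constructed sample, the port-80 listener is not reported because its owner (inetinfo.exe) is on the vetted list, while all three sockets of PID 1820 are, and the Run-key scan shows the same image set to restart at logon. On a live host, replace the three sample strings with the captured output of the real commands, run while the machine is disconnected as described above, and maintain the vetted-image list yourself; an unvetted image is a lead to research, not a verdict.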
The Netstat command and a port enumerator are great ways to check one machine, but how do you check an entire network? Most Intrusion Detection Systems (IDSs) contain signatures that can detect common Trojan packets within legitimate network traffic. FTP and HTTP datagrams have verifiable structures, as do RAT packets, so an IDS can match on the RAT protocol itself rather than on a port number that the intruder may have changed. A properly configured and updated IDS can reliably detect even encrypted Back Orifice and SubSeven traffic.