Hi All ! I think we all know what I am going to talk about here ie. TROJAN. All must have faced one or more times infection of trojan. I don't think there is any solid way to save ourselves from these viruses / trojans. Anti-virus companies releasing new definitions hour by hour.Still all viruses are not detectable by all antiviruses.
There can be case that you might feel like someone is also watching your computer screen. Your mouse start moving itself, you are not able to shutdown your machine. Once you open task manager and switch to users tab you find 2 users are logged in to your machine.
There can be another case where you get up in the morning and check your office emails, but you are not able to open your mail, then you try to open another mail account and then another mail account and you find that passwords for all accounts have been changed suddenly and you are not able to log in.
There can be another case if you use internet banking, you do transactions using your computer. Some day you realize that very few amount has been transferred to some other account or you found that your account has been emptied.
These are few cases I have just discussed to tell you about the POWER of TROJANS. Trojan is powerful technique under which cyber crime is conducted.
So, basically what is trojan? How it works? How will you know that you are infected with a trojan ? Is there any way of gettting rid of these?
Ok. I will try to answer every question here.. Lets start with first part. What is trojan?
Trojan is a small program (malicious piece of software). It should be called as destructive programs which resides in your computer. It will promise to do something useful for you, but will do exactly the opposite. Like if you download a keygen to generate a key for some software ( means you are user of pirated softwares) , that keygen, not only generates a key but also launch a small server program on your machine, which sends your personal data to its owner.
So Trojan is a program which is shown as helpful to you but in the end do the damage to your machine( some times more than that).
Do you know why a trojan is called a trojan ?
Actually, there is a small story behind it. The term comes from Greek mythology about the Trojan War, as told in the Aeneid by Virgil and mentioned in the Odyssey by Homer. According to legend, the Greeks presented the citizens of Troy with a large wooden horse in which they had secretly hidden their warriors. During the night, the warriors emerged from the wooden horse and overran the city.
Let's see how a trojan works.
If you think of trojan. It is very simple program. One part of software(server/client) is working on your machine which is sending the data to its another part of software(client/server). They are just exchanging information over the internet. But the problem is that data belongs to you and you have no info that your data is being sent over the network.
A trojan program comes in 2 parts ie . SERVER and CLIENT.
SERVER is a program which is used to create services means to sends the data to its client from your machine.
CLIENT is a program which is used to receive the data which is being send by its server program.
Now any of these two can be installed on your machine depending upon the type of trojan. Yes, there are different types of trojans. Trojans are categories now a days according to their working and behavior. I will tell you later about these categories.
I have already told that trojan behave like a friendly program then do the damage. usually some hackers attach a trojan program with some useful softwares. Whenever you install a friendly program on your machine, a harmful program (trojan) is also installed.
Official working style of trojan is:
Trojans usually consist of two parts, a Client and a Server. The server is run on the victim's machine and listens for connections from a Client used by the attacker.
When the server is run on a machine it will listen on a specific port or multiple ports for connections from a Client. In order for an attacker to connect to the server they must have the IP Address of the computer where the server is being run. Some trojans have the IP Address of the computer they are running on sent to the attacker via email or another form of communication.
Once a connection is made to the server, the client can then send commands to the server; the server will then execute these commands on the victim's machine.
Today, with NAT infrastructure being common, most computers cannot be reached by their external ip address. Therefore many trojans now connect to the computer of the attacker, which has been set up to take the connections, instead of the attacker connecting to the victim. This is called a 'reverse-connect' trojan. Many trojans nowadays also bypass many personal firewall installed on the victims computer (eg. Poison-Ivy).
hmmm trojans my Favorite :)
Lets talk about categories of Trojans. Trojans are categorized as follows as:
Let's start with first category ie. Remote Access Trojans. These are also known as RATs(Remote Access Trojans). These are one of the most common trojan programs available.
RATs are malicious programs that run invisibly on host PCs and permit an intruder remote access and control. On a basic level, many RATs mimic the functionality of legitimate remote control programs such as Symantec's pcAnywhere but are designed specifically for stealth installation and operation. Intruders usually hide these Trojan horses in games and other small programs that unsuspecting users then execute on their PCs. Typically, exploited users either download and execute the malicious programs or are tricked into clicking rogue email attachments.
Most RATs come in client and server components. Intruders ultimately launch the server program on a victim's machine by binding the installing component to some other legitimate program. (Intruders can use a program called a binder to combine RATs with legitimate executables so that the RATs execute in the background while the legitimate applications run, leaving victims unaware of the scurrilous activities.) In many cases, intruders can customize the server program: set IP port numbers; define when the program starts, what it's called, how it hides, and whether it uses encryption; customize logon passwords; and determine when and how the program communicates. After defining the server executable's behavior, the intruder generates the program, then tricks the host machine's owner into running it.
The process can send the intruder (aka the originator) an email message announcing its latest takeover success or contact a hidden Internet chat channel with a broadcast of the exploited PC's IP address.Alternatively, after the RAT server program is launched, it can communicate directly with an originating client program on the intruder's PC by using a predefined TCP port. No matter how the RAT parts establish connectivity, the intruder uses the client program to send commands to the server program.
RAT originators can explore a particular machine or send a broadcast command that instructs all the Trojans under their control to work in a symphonic effort to spread or do more damage. One predefined keyword can instruct all the exposed machines to format their hard disks or attack another host. Intruders often use RATs to take over as many machines as they can to coordinate a widespread distributed Denial of Service (DoS) attack (known as a zombie attack) against a popular host. When the traffic-flooded victim tries to track down the intruder, the trail stops at hundreds of innocent, compromised DSL and cable-modem users, and the intruder walks away undetected.
Features of RAT:
RATs can delete and modify files, format hard disks, upload and download files, harass users, and drop off other malware.
It has the ability to capture every screen and keystroke means that intruders can gather users' passwords, directory paths, drive mappings, medical records, bank-account and credit card information, and personal communications. If your PC has a microphone, RATs can capture your conversations. If you have a WebCam, many RATs can turn it on and capture video—a privacy violation without par in the malicious-code world. Everything you say and do around the PC can be recorded. Some RATs include a packet sniffer that captures and analyzes every packet that crosses the PC's network card. An intruder then can use the information a RAT captures to create future back doors, cause privacy violations, perform identity theft, and create financial problems—problems that might not be readily identifiable for months. Whether you can ever trace these problems back to the RAT is debatable.
Another feature is an unauthorized user's ability to remotely control the host PC is a powerful tool when wielded in the wrong hands. Remote users not only can manipulate PC resources but can pose as the PC's legitimate user and send email on behalf of the user, mischievously modify documents, and use the PC to attack other computers.
Detecting and Removing RATs
If a computer virus or email worm has ever infected your company, the company is a prime candidate for a RAT. Typical antivirus scanners are less likely to detect RATs than worms or viruses because of binders and intruder encryption routines. Also, RATs have the potential to cause significantly more damage than a worm or virus can cause. Finding and eradicating RATs should be a systems administrator's top priority.
The best anti-malware weapon is an up-to-date, proven antivirus scanner. Scanners detect most RATs and automate the removal process as much as possible. Many security administrators rely on Trojan-specific tools to detect and remove RATs, but you can't trust some of these products any more than you trust the Trojans themselves. Agnitum's Tauscan, however, is a top Trojan scanner that has proved its efficiency over the years.
A clear clue to RAT infection is an unexpected open IP port on the suspected machine, especially if the port number matches a known Trojan port. When you suspect that a PC has been infected, disconnect the PC from the Internet so that the remote intruder can't detect the security probe and initiate more damage. Using the Task List, close all running programs that connect to the Internet (e.g., email, Instant Messaging—IM—clients). Close all programs running from the system tray. Don't boot to safe mode because doing so often prevents the Trojan from loading into memory, thus defeating the purpose of the test.
Netstat is a common IP-troubleshooting utility that comes with many OSs, including Windows. You can use it to display all the active and listening IP ports—UDP and TCP—on a local host. Open a DOS command prompt and type
To look for known Trojan ports, be highly suspicious of unknown FTP server processes (port 21) or Web servers (port 80). The Netstat command has a weakness, however: It tells you which IP ports are active, not which programs or files are initiating the activity. You need to use a port enumerator to find out which executable is creating which connection process. Winternals Software's TCPView Professional Edition is an excellent port enumerator. Tauscan can tie a program to a port connection as well as identify the Trojan. Windows XP's Netstat utility includes a new —o parameter that will show the process identifier (PID) of the program or service that's using the port. You can look up the PID in Task Manager to identify the specific program.
If you don't have a port enumerator to easily show you the culprit, follow these steps: Look for unknown programs in startup areas such as the registry, .ini files, and the Startup folder. Then, boot the PC into safe mode if possible, and run the Netstat command to make sure the RAT isn't already loaded into memory. Then, one by one, execute any suspicious programs you found during your investigations, and rerun the Netstat command between each execution. If a program initiates a connection to the Internet, I give it even more scrutiny. Incidentally, during my hunts for Trojans, I've found and deleted many spyware programs that freeware programs installed. Research the programs you don't recognize, and delete the programs you're unsure about.
The Netstat command and a port enumerator are great ways to check one machine, but how do you check an entire network? Most Intrusion Detection Systems (IDSs) contain signatures that can detect common Trojan packets within legitimate network traffic. FTP and HTTP datagrams have verifiable structures, as do RAT packets. A properly configured and updated IDS can reliably detect even encrypted Back Orifice and SubSeven traffic.
Data Destruction Trojan
Now another category is DATA Destruction Trojans. These kinds of trojans are quite simlar to RATs, but the purpose of these trojans are little deifferent. They also send the data to remote locations, but after sending this data to remote locations, they do damage the data on local machine and then later on, hacker can ask you to pay the price for data. Or sometimes, these trojans don't destroy the data, but encrypt them. Again, hacker may contact you to ask some money to decrypt your data. This is again cyber crime. Few years ago, there were many such cases where hackers demanded the money to give back the data to companies. These kinds of HACKERS target companies, instead of individual users most of the time.
To detect such trojans on your machine you have to adopt the same way as used for RATs. Moreover you can use some third party softwares to protect your personal files.
Downloader is damn impressive implementation of client - server based programming.
It has again 2 parts client and server. Usually in case of trojans, server is installed on Victim's machine and client is installed on Hacker's machine. But in case of downloaders. client is installed on victim's machine and server is installed on hacker's machine. The purpose of the DOWNLOADER is to have control on remote machine for longer time.
Downloader whenever gets installed on a machine, it starts transmitting the information regarding the victim to Hacker. It opens the port on victim's machine, so that hacker can communicate through those ports.
When a connection is made between server and client, now hacker can send various viruses or wroms or whatever he wants to send to your machine easily through downloaders. It helps Hackers to always keep their harmful programs undetectable from victim's anti-virus programs because hacker will always keep update the code of virus with the time and will make sure that victim's machine has the latest virus.
Downloader can result that your machine is attacked by various kinds of viruses or worms at the same time. Downloader itself is just a carrier program which helps for other trojans to installed on your machine. Its like making a road to your machine from hacker's machine, through which different-2 viruses are served to you.
Server Trojans are again the programs which when installed on victim's machine, then those machines can be used as base for attacking others. Victim's machine can be used as file server or proxy server without the knowledge of owner. Basically Hacker would be using your machine and bandwidth for attacking others. This can be very dangerous because in such cases if hacker is using victim's machine for attacking other machines, on tracing the attack, victim's IP will be shown, and victim may have to face legal issues in these cases.
Moreover if victim's machine is being used as ftp server, hacker can use it for downloading or uploading his own malicious code and can use it for supplying through victim's machine.
knew little information about it but not with such ease and detail
Thanks really good one
cool post ..new side of trojans may be true
Thanks for the help, but like you said "If you are having problems such as you think somebody is moving your mouse, when you dont know about it and also changing your keys and muking every thing up, i usally have these problems these days. Even though im of my laptop, my mouse keeps moving without me touching anything on the touch-pad.
So, as you said that you could get the Downloader or the reverse connect trojan, could you please tell me where to get the download for it? iv serched on some sites but cant find any reverse connect programs.
|All times are GMT +5.5. The time now is 10:55.|