
pradeep 19Jun2005 00:31

The Trojan "Horse"
We found it necessary to devote a chapter to Trojans. Trojans are probably the most compromising of all types of attacks. Trojans are being released by the hundreds every week, each more cleverly designed than the other. We all know the story of the Trojan horse, probably the greatest strategic move ever made.

In our studies we have found that Trojans are primarily responsible for almost all Windows-based machines being compromised.

For those of you who do not know what Trojans are, we'll briefly explain. Trojans are small programs that effectively give "hackers" remote control over your entire computer.

Some common features with Trojans are as follows:

* Open your CD-Rom drive
* Capture a screenshot of your computer
* Record your key strokes and send them to the "Hacker"
* Full Access to all your drives and files
* Ability to use your computer as a bridge to do other hacking related activities.
* Disable your keyboard
* Disable your mouse... and more!

Let's take a closer look at a couple of more popular Trojans:

* Netbus
* SubSeven

The Netbus Trojan has two parts to it as almost all Trojans do. There is a Client and a Server. The server is the file that would have to get installed on your system in order to have your system compromised. Here's how the hack would go.

The Hack

Objective: Getting the potential victim to install the server onto his/her system.

Method 1

Send the server file (for explanation purposes we'll call the file netbusserver.exe) to you via E-Mail. This was how it was originally done.

The hacker would claim the file to be a game of some sort. When you then double click on the file, the result is nothing. You don't see anything. (Very Suspicious)

Note: (How many times have you double clicked on a file someone has sent you and it apparently did nothing)

At this point what has happened is the server has now been installed on your system. All the "hacker" has to do is use the Netbus Client to connect to your system and everything you have on your system is now accessible to this "hacker."

With increasing awareness of the use of Trojans, "hackers" became smarter, hence method 2.

Method 2

Objective: Getting you to install the server on your system.

Let's see, how many of you receive games from friends? Games like hit Gates in the face with a pie. Perhaps the game shoot Saddam? There are lots of funny little files like that. Now we'll show you how someone intent on getting access to your computer can use that against you.

There are utility programs available that can combine the "server" (a.k.a. Trojan) file with a legitimate "executable file." (An executable file is any file ending in .exe). It will then output another (.exe) file of some kind. Think of this process as mixing poison in a drink.

For Example: Tomato Juice + Poison = something

Now the result is not really Tomato Juice anymore but you can call it whatever you want. Same procedure goes for combining the Trojan with another file.

For Example: The "Hacker" in question would do this: (for demonstration purposes we'll use a chess game)

Name: chess.exe (name of file that starts the chess game)
Trojan: netbusserver.exe (The Trojan)

(Again for explanation purposes we'll call it that)

The joiner utility will combine the two files together and output 1 executable file called:


This file can then be renamed back to chess.exe. It's not exactly the same Chess Game. It's like the Tomato Juice, it's just slightly different.

The difference in these files will be noticed in their size.

The original file: chess.exe size: 50,000 bytes
The new file (with Trojan): chess.exe size: 65,000 bytes

(Note: These numbers and figures are just for explanation purposes only)

The process of joining the two files takes about 10 seconds to get done. Now the "hacker" has a new chess file to send out with the Trojan in it.

Q. What happens when you click on the new chess.exe file?

Answer: The chess program starts like normal. No more suspicion because the file did something. The only difference is while the chess program starts the Trojan also gets installed on your system.

Now you receive an email with the attachment except in the format of chess.exe.

The unsuspecting will execute the file and see a chess game. Meanwhile in the background the "Trojan" gets silently installed on your computer.

If that's not scary enough, after the Trojan installs itself on your computer, it will then send a message from your computer to the hacker telling him the following information.

Username: (A name they call you)
IP Address: (Your IP address)
Online: (Your victim is online)

So it doesn't matter if you are on dial up. The potential hacker will automatically be notified when you log on to your computer.

You're probably asking yourself "how likely is it that this has happened to me?" Well, think about this. Take into consideration the second chapter of this manual. Used in conjunction with the above mentioned methods can make for a deadly combination.

These methods are but a few ways that "hackers" can gain access to your machine.

Listed below are some other ways they can get the infected file to you.

News Groups: By posting articles in newsgroups with file attachments like (mypic.exe) in adult newsgroups are almost guaranteed to have someone fall victim. Don't be fooled though, as these folks will post these files to any newsgroups.
Grapevine: Unfortunately there is no way to control this effect. You receive the file from a friend who received it from a friend etc.
Email: The most widely used delivery method. It can be sent as an attachment in an email addressed to you.
Unsafe Web sites: Web sites that are not "above the table" so to speak. Files downloaded from such places should always be accepted with high suspicion.
IRC: On IRC servers sometimes when you join a channel you will automatically get sent a file like "mypic.exe" or "sexy.exe" or "sexy.jpg.vbs" or something to that effect. Usually you'll find wannabes are at fault for this.
Chat Sites: Chat sites are probably one of the primary places that this sort of activity takes place. The sad part to that is 80% are not aware of it.

As you can see there are many different ways to deliver that file to you as a user. By informing you of these methods we hope we have made you more aware of the potential dangers around you. In Chapter 3 we'll discuss what files should be considered acceptable.
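A defender-side check for the two tells this post describes, the changed file and the misleading attachment name, as an added example that is not part of the original post. The function names, extension lists and sample bytes are assumptions constructed for illustration, and the known-good size and hash are assumed to come from the program's publisher over a separate channel.

```python
import hashlib

# Extensions Windows runs on double-click (common subset, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Harmless-looking extensions used as a decoy before the real one.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mp3"}


def fingerprint(data):
    """Return (size, SHA-256 hex digest) for a file's bytes."""
    return len(data), hashlib.sha256(data).hexdigest()


def triage_attachment(filename, data, known_good=None):
    """Return finding codes for a received file.

    known_good: optional (size, sha256) for the genuine program, obtained
    from its publisher over a separate channel (assumption of this example).
    """
    findings = []
    # "sexy.jpg.vbs" -> [".jpg", ".vbs"]; padding spaces are stripped.
    exts = ["." + p.strip() for p in filename.strip().lower().split(".")[1:]]
    runnable = bool(exts) and exts[-1] in EXECUTABLE_EXTS
    if runnable:
        findings.append("executable")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            findings.append("decoy-double-extension")
    if known_good is not None:
        size, digest = fingerprint(data)
        if size != known_good[0]:
            findings.append("size-mismatch")
        if digest != known_good[1]:
            findings.append("hash-mismatch")  # catches same-size changes too
    elif runnable:
        findings.append("unverified-executable")
    return findings


# Constructed sample bytes; sizes mirror the post's illustrative figures.
ORIGINAL = b"MZ" + bytes(49_998)               # stand-in for the genuine chess.exe
RECEIVED = ORIGINAL + bytes([0x41]) * 15_000   # stand-in for a 65,000-byte copy
SAME_SIZE = b"MZ" + bytes(49_997) + b"\x01"    # altered, but still 50,000 bytes
GOOD = fingerprint(ORIGINAL)

if __name__ == "__main__":
    print(triage_attachment("chess.exe", RECEIVED, GOOD))
    print(triage_attachment("chess.exe", SAME_SIZE, GOOD))
    print(triage_attachment("sexy.jpg.vbs", b""))
```

The same-size case shows why the size comparison alone is not enough: only the hash comparison flags a file that was altered without growing.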

vishal sharma 29Jul2005 19:17

Re: The Trojan "Horse"
nice article pradeep......

i'll like to add something more to it.. as u have mentioned about sub7 i'll give u a some more info about it ...
sub7 is the best known trojan which is able to control netbus (which actually controls the entire sys process..)
SubSeven can do everything that NetBus can do. This includes things such as

File controls
Upload / Download
Move, Copy, Rename, Delete
Erase harddrives and other disks
Execute programs
Can see your screen as you see it
Log any/all keypresses (even hidden passwords)
Open/close/move windows
Move mouse
Network control
Can see all open connections to and from your computer
Can close connections
Can 'bounce' or relay from their system to yours, so wherever they connect it seems as if You are doing it. This is how they prevent getting caught breaking into other computer systems and get You in trouble!

thus sub7 was the best trojan till date ...

more later

The SubSeven trojan can also be configured to inform someone when its infected computer connects to the internet, and tells that person all the

pradeep 30Jul2005 12:12

Re: The Trojan "Horse"
Thanx for the wonderful & interesting information.

Uncle Gizmo 30Jul2005 15:20

Re: The Trojan "Horse"
That is very interesting! and poses several questions.

Who is vulnerable? (am I?)

which operating systems? (all of them?)

how do you prevent it happening? (can you?)

can you find Trojans on your machine? (are programs like spybot OK?)

shabbir 30Jul2005 19:05

Re: The Trojan "Horse"

Originally Posted by Uncle Gizmo
Who is vulnerable? (am I?)

Everybody. When I am writing this, I am vulnerable if my AV is out of date.


Originally Posted by Uncle Gizmo
which operating systems? (all of them?)

More on Windows


Originally Posted by Uncle Gizmo
how do you prevent it happening? (can you?)

AV, Firewalls and spy removers


Originally Posted by Uncle Gizmo
can you find Trojans on your machine? (are programs like spybot OK?)

If they are there, probably you can.

pradeep 1Aug2005 10:20

Re: The Trojan "Horse"
To stay protected, use a good anti-virus program like Norton Antivirus and an anti spyware program like SpyBot. This combo gives a good level of protection.

Uncle Gizmo 1Aug2005 16:10

Re: The Trojan "Horse"
Thank you for your replies. I use both, paid-for versions of antivirus and spyware programs. I am a bit paranoid, therefore I don't think it's a good idea to reveal which versions are used because it makes me think that maybe that would give hackers an advantage, knowing what they were up against!

I recently went to the "shields up" web page which tests your PC for security. My PC got a clean bill of health, but interestingly another PC I use (one for the kids), which just has a basic unregistered version of winXPpro (No Downloaded upgrades) on it, also got a clean bill of health! This has access to the Internet frequently, and the kids download anything and everything they fancy!

So I wondered is the "shields up" site any good at detecting problems with your PC? Or are there any other sites which offer a similar service which you could recommend.

vishal sharma 2Aug2005 10:21

Re: The Trojan "Horse"
herez what I can suggest u all...

1) Always keep your Antivirus updated...

2) Download "hijackthis" to scan ur registry n do it regularly....


3) Scan ur computer once every 3days...coz that's the approx. time when a new virus is


4) NEVER trust a form filler or password manager!

This r the steps that can be taken to avoid ur comp from getting infected.. although as far as avoiding it from hackers is concerned let me just ask u all..
y do u think hacker is going to attack u ???
It is very important to understand the thinking of a hacker... A hacker will never try to get into your pc until hez sure of getting some very confidential info fm u....
but as u suggested the computer is for kids u need not worry...

Hackers are generally not bad they r just misunderstood...

shabbir 3Aug2005 09:48

Re: The Trojan "Horse"

4) NEVER trust a form filler or password manager!
Just the one that I trust is Google Autofill where I just don't have the Password field but all the rest to help me out.

sarrous 15May2009 16:13

Re: The Trojan "Horse"
Is this the place to ask about the Trojan Virus that's creating a chess.exe file and an autorun file on my C Drive?

This File can be deleted by the AV, but one week later it reappears and I have to do it again.

Many thanks.
