3. Trojans


Transcript of 3. Trojans

8/7/2019 3. Trojans

http://slidepdf.com/reader/full/3-trojans 1/60

Trojan

Trojans are designed to allow a hacker remote access to a target computer system. Any type of code or program that is used for unauthorized remote access of your computer is known as a Trojan.

Content

1. Introduction
2. What is a Trojan
3. History of Trojan
4. Attacker’s Motive
5. Types of Trojans
6. Working of Trojans
7. Where Trojan live\located
8. Mode of Attacking

Content

9. Mode of Transmission
10. Type of Connections
11. Some Known Trojans
.
13. Detection and Removal of a Trojan
14. Counter Measures of Trojan

History of Trojan…

The History introduction includes information about…

• The Greek myth that inspired the graphic novel.
• How the Trojan War begins in Greek mythology.
• About the Trojan horse story.
• What happened after the Trojan War.

Greek Myth…

In Greek mythology, the Trojan War was waged against the city of Troy by the Achaeans (Greeks) after Paris of Troy took Helen from her husband Menelaus, the king of Sparta. The war is among the most important events in Greek mythology and was narrated in many works of Greek literature, including the Iliad and the Odyssey by Homer.

Greek Myth…

The Iliad relates a part of the last year of the siege of Troy, while the Odyssey describes the journey home of Odysseus, one of the Achaean leaders. Other parts of the war were told in a cycle of epic poems, which has only survived in fragments. Episodes from the war provided material for Greek tragedy and other works of Greek

, .


The Trojan War…

The first nine years of the war consisted of both war in Troy and war against the neighboring regions. The Greeks realized that Troy was being supplied by its neighboring kingdoms, so Greeks were sent to defeat these areas.

As well as destroying the Trojan economy, these battles let the Greeks gather a large amount of resources and other spoils of war, including women.

The Greeks won many important battles and the Trojan hero Hector fell, as did the Trojan ally Penthesilea. However, the Greeks could not break down the walls of Troy. Patroclus was killed and, soon after, Achilles was felled by Paris.

The Trojan Horse..

Still seeking to gain entrance into Troy, clever Odysseus (some say with the aid of Athena) ordered a large wooden horse to be built. Its insides were to be hollow so that soldiers could hide within it.

Once the statue had been built by the artist Epeius, a number of the Greek warriors, along with Odysseus, climbed inside. The rest of the Greek fleet sailed away, so as to deceive the Trojans.

The Trojan Horse..

The Greeks reassured the Trojans that the wooden horse was safe and would bring luck to the Trojans. That night, after most of Troy was asleep or in a drunken stupor, Sinon let the Greek warriors out from the horse, and they slaughtered the Trojans. Priam was killed as he huddled by Zeus' altar and Cassandra was pulled from the statue of Athena.

After the Trojan war..

After the war Polyxena, daughter of Priam, was sacrificed at the tomb of Achilles and Astyanax, son of Hector, was also sacrificed, signifying the end of the war.

The surviving Trojan women were divided among the Greek men along with the other plunder. The Greeks then set sail for home, which, for some, proved as difficult and took as much time as the Trojan War itself (e.g., Odysseus and Menelaus).

What is Trojan…

Named after the Trojan Horse of ancient Greek history, a Trojan is a network software application designed to remain hidden on an installed computer. Trojans generally serve malicious purposes and are therefore a form of malware, like viruses.

What is Trojan…

Trojan horses are designed to allow a hacker remote access to a target computer system. Once a Trojan horse has been installed on a target computer system, it is possible for a hacker to access it remotely and perform various operations. The operations that a hacker can perform are limited by user privileges on the target computer system and the design of the Trojan horse.

Trojans sometimes, for example, access personal information stored locally on home or business computers, then send these data to a remote party via the Internet. Alternatively, Trojans may serve merely as a "backdoor" application, opening network ports to allow other network applications access to that computer. Trojans are also capable of launching Denial of Service (DoS) attacks. A combination of firewalls and antivirus software protects networks against Trojans.

In the IT world, a Trojan horse is used to enter a victim’s computer undetected, granting the attacker unrestricted access to the data stored on that computer and causing great damage to the victim. A Trojan can be a hidden program that runs on your computer without your knowledge, or it can be ‘wrapped’ into a legitimate program, meaning that this program may therefore have hidden functions that you are not aware of.

Attacker’s Motive

• Credit Card Information (often used for domain registration, shopping with your credit card)
• Any accounting data (E-mail passwords, Dial-Up passwords, Web Services passwords, etc.)

Attacker’s Motive

• Email Addresses (might be used for spamming, as explained above)
• Work Projects (steal your presentations and work-related papers)
• Children's names/pictures, ages (pedophile attacker?!)
• School work (steal your papers and publish them with his/her name on it)

Type of Trojan…

There are several types of Trojans; each behaves differently and produces differing results from the others. Depending upon the type of Trojan, an attacker can use them to stage various types of exploits.

Types of Trojans Attack..

• Erasing or overwriting data on a computer
• Spreading other malware, such as viruses. In this case the Trojan horse is called a 'dropper'.
• credit card numbers (known as a key logger)
• Phish for bank or other account details, which can be used for criminal activities.
• Installing a backdoor on a computer system.

Types of Trojans

1. Remote Administration Tool
2. File Serving Trojan
3. Distributed Denial of Service Attack Trojan
4. Keylogging Trojan
5. Password Stealing Trojan
6. System Killing Trojan

Remote Administration Tool

This type of Trojan horse virus gives the hacker behind the malware the possibility to gain control over the infected system. Often the remote administration Trojan horse virus functions without being identified. It can help the hacker to perform different functions including altering the registry, uploading or downloading of files, and interrupting different types of communications between the infected computer and other machines.

File Serving Trojan

Trojan horse viruses from this category are able to create a file server on the infected machine. Usually this server is configured as an FTP server and with its help the intruder will be able to control network connections, upload and download various files. These Trojan horse viruses are rather small in size, sometimes not more than 10Kb, which makes it difficult to detect them.

They are often attached to emails or hidden in other files that users may download from the Internet. Regularly these Trojan viruses spread with the help of funny forwarded messages that a user receives from friends. Trojan horse viruses may also be hidden in small downloadable games.

Distributed Denial of Service Attack Trojan

A lot of computers can be tricked into installing the Distributed Denial of Service Trojan so that the hacker can gain control over one, several or all computers through a client that is connected with a master server. Using the primary computer within one huge zombie network of machines, hackers are able to send attacks at particular targets, including companies and websites. They simply flood the target server with traffic, thus making it impossible for simple users to access certain websites or systems. Often these attacks are used to stop the activity of famous brands that could handle different financial demands.

Keylogging Trojan Horse

These Trojan horse viruses make use of spyware with the goal of recording every step of the user's activity on the computer. They are called keylogging because they transmit to the hacker via email the information about logged and recorded keystrokes. Hackers use this type of malware for their financial benefit (through card fraud or identity theft). Some individuals or companies can offer a great reward for valuable information.

Password Stealing Trojan

The name speaks for itself - Trojans from this category are used to steal passwords. The Trojan transmits information about passwords to the hacker through email. Just like keylogging Trojans, this malware is used mainly for the hacker's financial benefit (a lot of people use passwords to access their bank accounts or credit cards).

System Killing Trojan

These Trojans are meant to destroy everything in the system starting with drive Z and ending with drive A. One of the recent Trojan horse viruses of this type is called Trojan.Killfiles.904. The reasons for creating such Trojans are unknown but the results could be catastrophic.

Working of Trojan

Trojans work similar to the client-server model. Trojans come in two parts, a Client part and a Server part. The attacker deploys the Client to connect to the Server, which runs on the remote machine when the remote user (unknowingly) executes the Trojan on the machine. The typical protocol used by most Trojans is the TCP/IP protocol, but some functions of the Trojans may make use of the UDP protocol as well.

…Working of Trojan

When the Server is activated on the remote computer, it will usually try to remain in a stealth mode, or hidden on the computer. This is configurable - for example in the Back Orifice Trojan, the server can be configured to remain in stealth mode and hide its process. Once activated, the server starts listening on default or configured ports for incoming connections from the attacker. It is usual for Trojans to also modify the registry and/or use some other auto-starting method.

…Working of Trojan

,

address to connect to the machine. Many Trojans have configurable features like mailing the victim's IP, as well as messaging the attacker via ICQ or IRC. This is relevant when the remote machine is on a network with dynamically assigned IP addresses or when the remote machine uses a dial-up connection to connect to the Internet. DSL users, on the other hand, have static IPs, so the infected IP is always known to the attacker.

… Working of Trojan

Most of the Trojans use auto-starting methods so that the servers are restarted every time the remote machine reboots / starts. This is also notified to the attacker. As these features are being countered, new auto-starting methods are evolving. The start-up method ranges from associating the Trojan with some common executable files such as explorer.exe to the known methods like modifying the system files or the Windows Registry. Some of the popular system files targeted by Trojans are the Autostart folder, Win.ini, System.ini, Wininit.ini, Winstart.bat, Autoexec.bat and Config.sys; these could also be used as an auto-starting method for Trojans.

Where Trojan live\located…

Autostart Folder
The Autostart folder is located in C:\Windows\Start Menu\Programs\startup and, as its name suggests, automatically starts everything placed there.

Win.ini
Windows system file using load=Trojan.exe and run=Trojan.exe to execute the Trojan.

System.ini
Using Shell=Explorer.exe trojan.exe results in execution of every file after Explorer.exe.

Wininit.ini
Setup programs use it mostly; once run, it is auto-deleted, which is very handy for Trojans to restart.
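A defender's check for the Win.ini and System.ini entries above, as an added example that is not part of the original slides: it parses both files and flags any load=/run= value and anything appended after Explorer.exe on the Shell= line. The INI contents are constructed for the demonstration, and the audit function and the rule it applies are this example's own, not from the deck.

```python
"""Audit legacy Windows auto-start entries (Win.ini load=/run=, System.ini
Shell=) for extra executables.  Added example, not from the original slides;
the INI contents below are constructed for the demonstration."""

# Constructed Win.ini: a clean [windows] section leaves load= and run= empty.
WIN_INI = """[windows]
load=
run=C:\\Windows\\System\\Trojan.exe
[Desktop]
Wallpaper=(None)
"""

# Constructed System.ini: Shell= carries a second program after Explorer.exe,
# which Windows would launch alongside the shell at every start.
SYSTEM_INI = """[boot]
Shell=Explorer.exe trojan.exe
drivers=mmsystem.dll
[386Enh]
ebios=*ebios
"""


def parse_ini(text):
    """Minimal case-insensitive INI parser: {section: {key: value}}.
    Hand-written because these old files can contain lines that configparser
    rejects with default settings (duplicate keys, bare 'key value' entries)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_autostart(win_ini, system_ini):
    """Return (file, key, value, reason) tuples for every entry that would
    start a program at boot.  Any value in load=/run= is a finding; Shell=
    is a finding only when something other than Explorer.exe is present."""
    findings = []
    windows = parse_ini(win_ini).get("windows", {})
    for key in ("load", "run"):
        value = windows.get(key, "")
        if value:
            findings.append(("Win.ini", key, value, "non-empty auto-start entry"))
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    # Shell=Explorer.exe is the expected value; every extra token is executed too.
    extras = [tok for tok in shell.split() if tok.lower() != "explorer.exe"]
    if extras:
        findings.append(("System.ini", "shell", shell,
                         "extra program(s) after Explorer.exe: " + " ".join(extras)))
    return findings


if __name__ == "__main__":
    for file, key, value, reason in audit_autostart(WIN_INI, SYSTEM_INI):
        print(f"{file}: {key}={value!r}  <- {reason}")
```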


Trojan Method of Attacking…

A Trojan may infect a system through various attack vectors. A Trojan employs an attack vector to install its payload on the target’s computer systems. The most common attack vectors are:

• Emails & Attachments
• Deception & Social Engineering
• Website Bugs & Downloads
• Physical Access (pen drive)
• Fake Executables

How can you be infected..

Website Bugs & Downloads: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even using a secure web browser, such as Mozilla's Firefox, if Java is enabled, your computer has the potential of receiving a Trojan horse.

Instant message: Many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such as AOL's instant messenger.

Emails & Attachments: Attachments on e-mail messages may contain Trojans. Trojan horses via SMTP.

Type of connections in Trojan..

1. Direct Connection: A direct-connect RAT is a simple set-up where the client connects to a single or multiple servers directly. Stable servers are multi-threaded, allowing for multiple clients to be connected, along with increased reliability.

Type of connections in Trojan..

2. Reverse Connection: a newer technology that came around about the same time that routers became popular.

Advantages of Reverse connection:

a) No problems with routers blocking incoming data, because the connection is started outgoing from the server.

b) Allows for mass-updating of servers by broadcasting commands, because many servers can easily connect to a single client.

Some Known Trojans..

On Windows computers, many tools commonly used by intruders to gain remote access to your computer include:

• Beast
• Back Orifice
• Netbus
• Donald Dick
• Sub Seven (helps to hack other PCs).

… Trojan Beast

Beast is a Windows-based backdoor Trojan horse more commonly known in the underground cracker community as a RAT (Remote Administration Tool). It is capable of infecting almost all Windows versions, i.e. 95 through XP.

Written in Delphi and released first by its author Tataye in 2002, it became quite popular due to its unique features. It used the typical client/server mechanism where the client would be under operation by the attacker and the server is what would infect the victim.

…Trojan Beast

Using the 'reverse connection' there was no need for the attacker to know the target IP; instead the server itself connected to a predefined DNS name, which was redirected to the attacker's IP. For its DLLs, it used the 'injection method', i.e. they were injected into a specified process, commonly 'explorer.exe' (Windows Explorer), 'iexplore.exe' (Internet Explorer) or 'msnmsgr.exe' (MSN Messenger). Due to this the DLLs were automatically loaded into memory once these processes were executed.

Trojan Beast…

Beast was one of the first Trojans to feature a 'reverse connection' to its victims and once established, it gave the attacker complete control over the infected computer.


Back Orifice Trojan…

Back Orifice (often shortened to BO) is a controversial computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Microsoft BackOffice Server software.

Although Back Orifice has legitimate purposes, such as remote administration, there are other factors that make it suited for less benign business. The server can hide itself from cursory looks by users of the system. As the server can be installed without user interaction, it can be distributed as payload of a Trojan horse.


Netbus Trojan…

Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a backdoor.

There are two components to the client–server architecture. The server must be installed and run on the computer that should be remotely controlled. It was a .exe file with a file size of almost 500 KB. The name and icon varied a lot from version to version. Common names were "Patch.exe" and "SysEdit.exe". When started for the first time, the server would install itself on the host computer, including modifying the Windows registry so that it starts automatically on each system startup.

Netbus Trojan…

The client was a separate program presenting a graphical user interface that allowed the user to perform a number of activities on the remote computer.

Donald Dick Trojan …

It is also known as Backdoor.DonaldDick.153, Trojan.PSW.EPS.dr and Trojan.PSW.Ring0.a.

This is a Windows 9x Internet Backdoor Trojan. When running it gives full access to the system over the Internet to anyone running the appropriate client software.

The attacker can:

• Read/write/delete/run any file on the computer
• Record keystrokes
• Get information about the system
• Open/close the CD-ROM tray
• And many other things


Sub Seven Trojan…

Sub7, or Sub Seven, is the name of a popular Trojan or backdoor program. It is mainly used by script kiddies for causing mischief such as hiding the computer cursor, changing system settings or loading up pornographic websites. However, it can also be used for more serious criminal applications, such as stealing credit card details with a keystroke logger.

These back door or remote administration programs, once installed, allow other people to access and control your computer.

Sub Seven Trojan …

It helps to gain remote control of a PC.

Ways of Detecting/Removing a Trojan..

1. Using Anti-Trojan Software
2. Manual Detection
3. TCP Viewer
4. Process Viewer
5. Process Explorer

Using Anti-Trojan Software..

Antivirus software is designed to detect and delete Trojan horses, as well as preventing them from ever being installed. Although it is possible to remove a Trojan horse manually, it requires a full understanding of how that particular Trojan horse operates. In addition, if a Trojan horse has possibly been used by a hacker to access a computer system, it will be difficult to know what damage has been done and what other problems have been introduced.

Manual Detection of Trojans

Though manual removal/detection of Trojans is difficult, it is the best way to remove Trojans completely from the computer. With practice, it becomes easy to manually detect/remove Trojans.

TCP Viewer

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows NT, 2000, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.
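The point of TCPView over plain Netstat is the owning-process column; the same correlation can be done offline from a captured listing, as in this added example (not from the slides): it parses `netstat -ano` output, joins each listening TCP endpoint to a PID-to-image table, and flags listeners whose image is not under a trusted directory. The netstat output, the process table and the trusted-directory rule are constructed assumptions for the demonstration.

```python
"""Correlate listening TCP endpoints with their owning processes, the view
TCPView adds over plain Netstat.  Added example, not from the original slides;
the netstat output and the process table below are constructed."""
import re
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "proto local_ip local_port remote state pid")

# Constructed 'netstat -ano' output in the Windows column layout
# (Proto, Local Address, Foreign Address, State, PID); UDP rows have no State.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:40001          0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49812     93.184.216.34:443      ESTABLISHED     2204
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:500            *:*                                    1404
"""

# Constructed PID -> (image name, full path) table, as Task Manager or a
# process viewer would report it.  PID 4 is the kernel ("System").
PROCESS_TABLE = {
    4: ("System", ""),
    912: ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    1404: ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    2204: ("firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    3120: ("Patch.exe", r"C:\Users\victim\AppData\Local\Temp\Patch.exe"),
}

# State is optional so the same pattern covers TCP and UDP rows.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_addr(addr):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:135' -> ('::', 135)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Turn netstat -ano text into Endpoint records, skipping header lines."""
    endpoints = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        ip, port = split_addr(local)
        endpoints.append(Endpoint(proto, ip, port, remote, state or "", int(pid)))
    return endpoints


def suspicious_listeners(endpoints, processes, trusted_dirs=(r"C:\Windows\System32",)):
    """Return (port, pid, image, path) for listening TCP endpoints whose owning
    image is not under a trusted directory.  PID 4 (kernel) is exempt; a PID
    missing from the table is reported as '<unknown>' rather than skipped."""
    findings = []
    for ep in endpoints:
        if ep.proto != "TCP" or ep.state != "LISTENING" or ep.pid == 4:
            continue
        name, path = processes.get(ep.pid, ("<unknown>", ""))
        if not any(path.lower().startswith(d.lower()) for d in trusted_dirs):
            findings.append((ep.local_port, ep.pid, name, path))
    return findings


if __name__ == "__main__":
    for port, pid, name, path in suspicious_listeners(parse_netstat(NETSTAT_OUTPUT),
                                                     PROCESS_TABLE):
        print(f"port {port} owned by PID {pid} {name} ({path or 'no path'})")
```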


Process Viewer

It is a free GUI-based process viewer utility that displays detailed information about processes running under Windows. For each process it displays memory, threads, and module usage. For each DLL, it shows full path and version information.

Process Viewer

PrcView comes with a command-line version that allows you to write scripts to check whether a process is running and stop it, if necessary.

Process Explorer

Process Explorer is a system monitoring and examination utility. It provides the functionality of Windows Task Manager along with a rich set of features for collecting information about processes running on the user's system. It can be used as the first step in debugging software or system problems.

..Process Explorer

Process Explorer can be used to track down problems. For example, it provides a means to list or search for named resources that are held by a process or all processes. This can be used to track down what is holding a file open and preventing its use by another program.

..Process Explorer

As another example, it can show the command lines used to start a program, allowing otherwise identical processes to be distinguished. Or like Task Manager, it can show a process that is maxing out the CPU, but unlike Task Manager it can show which thread (with the call stack) is using the CPU – information that is not even available under a debugger.

..Counter Measures of Trojan

1. Always use Process Explorer to detect or remove the Trojan in your computer.
2. Use updated antivirus to detect the Trojan.
3. Do not open unwanted exe files.

4. Do not click on unwanted links in email.
5. Always try to disable the pendrive auto-run functionality in your computer.
6. Never allow unknown users to use your computer.