Several definitions have been put forth for a Trojan program.
Common to all of them is that a Trojan is malicious code.
A Trojan horse may be:
Trojan horses can do anything that the user who executes the
program on the remote machine can do. This includes deleting files, transmitting to
the intruder any files the user can read, changing any files the user can
modify, installing other programs (such as programs that give the intruder
unauthorized network access at the level the user is entitled to), and executing
privilege-elevation attacks; that is, the Trojan horse can attempt to exploit a
vulnerability to increase its level of access beyond that of the user running it.
If this succeeds, the Trojan horse can operate with the increased
privileges and go on to install other malicious code.
If the user has administrative access to the operating system, the
Trojan horse can do anything that an administrator can.
A compromise of any system on a network may have consequences for
the other systems on the network. Particularly vulnerable are systems that
transmit authentication material, such as passwords, over shared networks in
clear text or in a trivially encrypted form, which is very common.
If a system on such a network is compromised via a Trojan (or
another method), the intruder may be able to record usernames and passwords or
other sensitive information as it traverses the network.
Additionally, a Trojan, depending on the actions it performs, may
falsely implicate the remote system as the source of an attack by spoofing and
thereby cause the remote system to incur liability.
Working of Trojans
Trojans work on the client-server model. A Trojan
comes in two parts, a Client part and a Server part. The attacker uses the
Client to connect to the Server, which runs on the remote machine once the
remote user (unknowingly) executes the Trojan on that machine. The typical
protocol used by most Trojans is TCP/IP, but some functions of a
Trojan may make use of UDP as well.
When the Server is activated on the remote computer, it will
usually try to remain in stealth mode, that is, hidden on the computer. This is
configurable - for example, in the Back Orifice Trojan the server can be
configured to remain in stealth mode and hide its process. Once activated, the
server starts listening on default or configured ports for incoming connections
from the attacker. It is usual for Trojans to also modify the registry and/or
use some other auto-starting method.
Note: To make use of a Trojan, the attacker needs to learn the remote
machine's IP address in order to connect to it. Many Trojans have configurable features
such as mailing the victim's IP address to the attacker, or messaging the attacker via ICQ or IRC.
This matters when the remote machine is on a network with dynamically
assigned IP addresses or when the remote machine uses a dial-up connection to
connect to the Internet. DSL users, on the other hand, have static IPs, so the
infected machine's IP address is always known to the attacker.
Most Trojans use auto-starting methods so that the server
is restarted every time the remote machine reboots or starts. The attacker is also
notified of this. As these features are countered, new
auto-starting methods keep evolving. The start-up methods range from associating
the Trojan with a common executable file such as explorer.exe to well-known
methods like modifying system files or the Windows Registry. Some of the
system files and locations commonly targeted by Trojans are the Autostart folder, Win.ini,
System.ini, Wininit.ini, Winstart.bat, Autoexec.bat and Config.sys; each of these can also be
used as an auto-starting method for Trojans.
Explorer Startup - This is an auto-starting method on Windows 95,
98 and ME: if c:\explorer.exe exists, it is started instead of the usual
c:\Windows\Explorer.exe, which is the normal path to the file.
The Registry is often used in various auto-starting methods. Here are
some known ways:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Info"="c:\directory\Trojan.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] "Info"="c:\directory\Trojan.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Info"="c:\directory\Trojan.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] "Info"="c:\directory\Trojan.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Info"="c:\directory\Trojan.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] "Info"="c:\directory\Trojan.exe"
Registry Shell Open methods
- [HKEY_CLASSES_ROOT\exefile\shell\open\command]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
The default value of these keys is normally "%1 %*", which simply runs the
requested program with its arguments. If an executable is placed in front of that
value, it is executed each time any binary file is opened. It is used like this:
trojan.exe "%1 %*"; this restarts the Trojan whenever a program is launched.
ICQ Net Detect Method
- [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key includes all the files that will be executed if ICQ
detects Internet connection. This feature of ICQ is frequently abused by
attackers as well.
ActiveX Component method
- [HKEY_LOCAL_MACHINE\Software\Microsoft\ActiveSetup\InstalledComponents\KeyName] StubPath=C:\directory\Trojan.exe
These are the most common Auto-Starting methods using Windows
system files, and the Windows registry.
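As an added example (not part of the original text), the following Python audit parses a regedit text export and reports every value under the auto-start keys listed above, any exefile\shell\open\command value that has something placed in front of "%1", and any Active Setup StubPath entry. A constructed sample export is embedded; the key paths follow this page's spelling, and only string values in the regedit export format are assumed.

```python
import re

# Auto-start locations named in the text above, lower-cased for case-insensitive matching.
CV = "software\\microsoft\\windows\\currentversion\\"
AUTOSTART_KEYS = {"hkey_local_machine\\" + CV + s for s in ("run", "runonce", "runservices", "runservicesonce")} \
    | {"hkey_current_user\\" + CV + s for s in ("run", "runonce")}
SHELL_OPEN_KEYS = {"hkey_classes_root\\exefile\\shell\\open\\command",
                   "hkey_local_machine\\software\\classes\\exefile\\shell\\open\\command"}
ACTIVE_SETUP = "hkey_local_machine\\software\\microsoft\\activesetup\\installedcomponents\\"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')

def parse_reg_export(text):
    """Parse a regedit text export into {key: {value name: string data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # .reg files escape backslash and quote with a backslash; undo that here
            name = "(Default)" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
            keys[current][name] = re.sub(r"\\(.)", r"\1", m.group(2)[1:-1])
    return keys

def audit_autostart(keys):
    """Return (category, key, detail) tuples for every entry a reviewer should inspect."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k in AUTOSTART_KEYS:  # every Run* value is reported as an inventory item
            findings += [("autostart", key, f"{n} -> {d}") for n, d in values.items()]
        elif k in SHELL_OPEN_KEYS:  # healthy default launches "%1" directly, nothing in front
            cmd = values.get("(Default)", "").lstrip()
            if not cmd.startswith(('"%1"', "%1")):
                findings.append(("shell-open hijack", key, cmd))
        elif k.startswith(ACTIVE_SETUP) and "StubPath" in values:
            findings.append(("active-setup stub", key, values["StubPath"]))
    return findings

# Constructed sample export (not from a real system) covering the three patterns above.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\\directory\\Trojan.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="trojan.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\ActiveSetup\InstalledComponents\KeyName]
"StubPath"="C:\\directory\\Trojan.exe"
'''
```

Running `audit_autostart(parse_reg_export(SAMPLE_EXPORT))` flags the Run entry, the hijacked HKEY_CLASSES_ROOT command and the StubPath, while the intact HKEY_LOCAL_MACHINE\SOFTWARE\Classes command is left alone.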