Introduction to Trojans and Backdoors
Updated: 13 Oct 2010
By Farzad

Introduction

Trojans and backdoors are kinds of malware whose main purpose is to send and receive data, and especially commands, through a port to another system. This port can be a well-known one such as 80 or an unusual one such as 7777. A Trojan is usually disguised as a legitimate, harmless application to encourage the user to execute it. Its two defining characteristics are that it must first be executed by the user, and that it then sends or receives data with another system, the attacker's.

Sometimes the Trojan is combined with another application. That application can be a flash card, a Flash game, an OS patch, or even an antivirus. The resulting file is actually built from two programs: the harmless application and the Trojan.

Technically defined, a Trojan horse is "a malicious, security-breaching program that is disguised as something benign". Such a program is designed to cause damage, leak data, or turn the victim into a medium for attacking another system.

A Trojan runs with the same privilege level as the user who executes it; nevertheless the Trojan may exploit vulnerabilities to escalate its privileges.

An important point is that the connection need not be online (that is, commands or data exchanged immediately between the attacker and the victim): the communication can also be offline, carried in emails, HTTP URL requests, or the like.

Auto Start Methods
One of the actions Trojans usually perform is to make themselves auto-start each time the system reboots. Below are some registry keys Trojan horses modify for this purpose:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

(The user hive is HKCU, HKEY_CURRENT_USER. The RunServices and RunServicesOnce keys are only honoured by Windows 9x/ME; on NT-based Windows the equivalent persistence is a service or a scheduled task, and on 64-bit systems the Wow6432Node copies of the Run keys should be checked as well.)

Types of Trojans

Remote Access Trojans

This sort of Trojan provides full or partial access to and control over the victim's system. The server component is sent to the victim and the client runs on the attacker's system. Once the server is started, a connection is established between the two over a predefined port; either the server listens on the victim and the client connects to it, or the server connects back to the client, which is more likely to pass a firewall that only filters inbound traffic. Most Trojans are of this kind.
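The following is an added example (not from the original article) that audits the Run keys listed above. On a Windows host it reads them live through Python's standard winreg module; on any other system, or when working from a collected "reg export" file, it parses the .reg text format. The sample .reg dump, the user-writable-path heuristic and the function names are constructed for this example.

```python
"""Audit the Run/RunOnce autostart keys for suspicious entries.

Added example, not part of the original article.  SAMPLE_REG is a
constructed 'reg export' dump; USER_WRITABLE is a heuristic, not proof.
"""
import re
import sys

# The keys listed in the article, in winreg form (HKCU is the user hive).
# RunServices / RunServicesOnce are only honoured by Windows 9x/ME and are
# kept here for completeness.
AUTORUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# Locations a normal user can write to without admin rights.  A program that
# auto-starts from one of these is worth a second look (heuristic: legitimate
# per-user software such as OneDrive lives there too).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\public\\",
                 "%appdata%", "%localappdata%", "%temp%", "%tmp%")

# Constructed sample of what 'reg export' produces (decoded to str).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
'''

# "name"="value" with .reg escaping (backslash-backslash, backslash-quote)
_REG_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')


def _unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse .reg text into a list of (key, value_name, command)."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = _REG_VALUE.match(line)
            if m:
                entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def live_autoruns():
    """Read the live keys on a Windows host; same tuple format as above."""
    import winreg  # standard library, Windows only
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for hive, path in AUTORUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue  # key does not exist (e.g. RunServices on NT-based Windows)
        with key:
            i = 0
            while True:
                try:
                    name, value, _type = winreg.EnumValue(key, i)
                except OSError:
                    break  # no more values
                found.append((hive + "\\" + path, name, str(value)))
                i += 1
    return found


def suspicious(entries):
    """Entries whose command points into a user-writable location."""
    return [e for e in entries if any(p in e[2].lower() for p in USER_WRITABLE)]


if __name__ == "__main__":
    entries = live_autoruns() if sys.platform == "win32" else parse_reg_export(SAMPLE_REG)
    for key, name, cmd in entries:
        flag = "SUSPECT" if suspicious([(key, name, cmd)]) else "       "
        print(flag, key, name, "=", cmd)
```

On the constructed dump the heuristic flags both the Temp-resident "svchost" entry and the legitimate OneDrive entry, which is the point: an autorun list is a starting point for review, not a verdict, and the binary's path, signature and publisher still have to be checked.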
Data Sending Trojans

Using email or a backdoor, this type of Trojan sends data such as passwords, cookies or keystrokes to the attacker's system.

Destructive Trojans

These Trojans exist to cause damage: deleting files, corrupting the OS, or making the system crash. When such a Trojan is not written purely for fun, its purpose is usually to disable a security control such as an antivirus or a firewall.

DDoS Attack Trojans

These Trojans turn the victim into a zombie that listens for commands from a DDoS command server on the Internet. Numerous infected systems stand by for a command from the server; when the server sends one to all or a group of them, they all act at the same time, and the resulting flood of legitimate-looking requests makes the target's service stop responding.

Proxy Trojans

In order to avoid leaving tracks on the target, an attacker may send commands or access resources via another system, so that all the records show that system rather than the attacker's identity. This sort of Trojan turns a system into a relay for attacking another one: it forwards every command sent to it to the primary target and does not harm the proxy victim itself.

Security Software Disabler Trojans

This kind of Trojan disables the security software in preparation for further attacks, for instance by stopping the antivirus or making it malfunction, or by stopping the firewall.

How to Find Trojan Activity

The most basic method of finding a Trojan is to monitor which ports are transmitting data on the network adapter. Note that, as mentioned above, there are Trojans that transmit their commands and data over standard ports such as 80 (HTTP) or 25 (SMTP, email), and this method of inspection is not effective against them.

The command netstat is a very useful tool for checking which ports are used to send and receive data. Use it with the switch -an for a proper result:
netstat -an

To check whether a particular port is being used by any application, pipe the output to findstr:

netstat -an | findstr 8080

Adding the -o switch (netstat -ano) shows the process ID that owns each connection, and -b (netstat -anb, which requires administrator rights) shows the executable name, so an unexpected listener can be mapped to the program behind it.

Wireshark is another application that shows all the data passing through the network interface card; with it you can see what data is being transmitted out of the system and which endpoint is listening on the port.

Some Trojan Samples

Tini

This Trojan listens on port 7777 and provides the attacker with shell access to the victim's system.

ICMD

This application also provides shell access, but it accepts a password and a preferred port.

NetBus

This Trojan has a GUI for controlling the victim's system. It was mostly used for pranks rather than serious attacks.

Netcat (known as nc)

A very well-known network utility with many options for different methods of command and data transfer. It is not malicious in itself, but it is frequently dropped on a victim and used as a backdoor.

Proxy Server Trojan

This Trojan makes the victim a proxy for attacking another system.

VNC

Although VNC is not a malicious application, since antivirus systems do not detect it, it can be used as the payload of a Trojan horse attack.
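Below is an added example (not from the original article) that automates the netstat check described above: it parses the output of netstat -ano, lists bound ports outside an expected set, and correlates each with the outbound connections of the same process, which is how a Tini-style listener on 7777 that also talks to the Internet over port 80 stands out. The netstat output is constructed for this example, the expected-port set is an assumption to be adjusted per host, and the function names are the example's own; on Linux the equivalent data comes from ss -tulpn.

```python
"""Flag unexpected listening ports in 'netstat -ano' output and correlate
them with outbound connections from the same process.

Added example, not part of the original article.  SAMPLE_NETSTAT is a
constructed capture; EXPECTED_LISTEN_PORTS is a per-host assumption.
"""
import subprocess
import sys

# Ports this (hypothetical) workstation is expected to have bound.
EXPECTED_LISTEN_PORTS = {135, 139, 445, 3389, 5355}

# Constructed sample of 'netstat -ano' on Windows.  PID 3120 listens on 7777
# (the port the article gives for Tini) and also talks out over port 80.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49712     203.0.113.9:80         ESTABLISHED     3120
  TCP    192.168.1.20:49715     192.168.1.1:443        ESTABLISHED     2044
  TCP    127.0.0.1:49720        127.0.0.1:49721        ESTABLISHED     2044
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5355           *:*                                    1380
"""


def _split_addr(addr):
    """'192.168.1.20:49712' or '[::]:135' -> (host, port); '*:*' -> ('*', 0)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else 0


def parse_netstat(text):
    """Parse netstat -ano lines into dicts; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        lhost, lport = _split_addr(local)
        fhost, fport = _split_addr(foreign)
        conns.append({"proto": proto, "lhost": lhost, "lport": lport,
                      "fhost": fhost, "fport": fport, "state": state, "pid": pid})
    return conns


def unexpected_listeners(conns, expected=EXPECTED_LISTEN_PORTS):
    """Bound ports (TCP LISTENING or any UDP socket) not in the expected set."""
    return [c for c in conns
            if (c["state"] == "LISTENING" or c["proto"] == "UDP")
            and c["lport"] not in expected]


def outbound(conns):
    """Established TCP connections to non-loopback peers."""
    return [c for c in conns
            if c["state"] == "ESTABLISHED"
            and not c["fhost"].startswith("127.") and c["fhost"] != "::1"]


def suspects(conns, expected=EXPECTED_LISTEN_PORTS):
    """Map PID -> {'listening': [ports], 'peers': ['host:port']} for every
    process that owns an unexpected listener, so the analyst sees at once
    whether the listener also has a live connection to the outside."""
    report = {}
    for c in unexpected_listeners(conns, expected):
        report.setdefault(c["pid"], {"listening": [], "peers": []})
        report[c["pid"]]["listening"].append(c["lport"])
    for c in outbound(conns):
        if c["pid"] in report:
            report[c["pid"]]["peers"].append(f"{c['fhost']}:{c['fport']}")
    return report


if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_NETSTAT
    for pid, info in suspects(parse_netstat(text)).items():
        print(f"PID {pid}: listening on {info['listening']}, connected to {info['peers']}")
```

The PID is the pivot: once a process is flagged, tasklist /fi "PID eq 3120" or Process Explorer gives its image path, and that path can be compared against the autorun entries found earlier. A listener alone is weak evidence; a listener on an odd port whose process also holds an outbound connection to an unfamiliar address is what justifies pulling the binary.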
Remote By Mail

This Trojan sends and receives commands and data through a series of emails. Although its commands are very limited compared to a shell session, the protocol it uses (SMTP) lets it bypass and evade most firewalls.

HTTP RAT

This Trojan sends and receives commands by exchanging a series of URLs with a server. Since it uses HTTP, it is a very dangerous Trojan and can evade almost all firewalls.

Shttp Trojan

Same as HTTP RAT.

Wrappers

A wrapper is an application that concatenates two executable files and produces a single application containing both. Most of the time the wrapper is used to attach a Trojan to a small harmless application, such as a flash card, to deceive the targeted user and encourage him to execute it.

Some wrappers can also modify the Trojan horse, for example by compressing it or appending blanks to the end of it, to hide it from antivirus detection.

Some Wrapper Samples

Wrapper Convert Program
One File EXE Maker
Yet Another Builder (known as YAB; a very powerful and dangerous application)

Defacing Applications

A defacing application is a very simple and almost harmless tool that changes the icon of an executable file.
Since the Trojan's icon is usually the default executable icon, the attacker may change it to make the Trojan look like a harmless application, or even like another file type such as a Microsoft Word document or a text file. This works because Windows hides known file extensions by default, so a file named report.doc.exe with a Word icon is displayed as report.doc; turning off "Hide extensions for known file types" in the folder options is a simple defence.
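The Remote By Mail and HTTP RAT entries above make the point that port monitoring fails once the Trojan hides inside an allowed protocol. What still gives such a Trojan away is its behaviour: it has to poll its server on a schedule, so the same client fetches the same host at near-constant intervals, which no human browsing pattern produces. The following added example (not from the original article) runs that beaconing check over a few constructed proxy log lines; the log format, the thresholds and the function names are assumptions for this example.

```python
"""Detect HTTP beaconing (a client polling one host at regular intervals)
in proxy logs, the behaviour an HTTP-based Trojan cannot avoid.

Added example, not part of the original article.  The log lines are
constructed; the format is a simplified 'epoch client method url status'.
"""
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log.  10.0.0.5 polls 203.0.113.9 roughly every 60 s
# (an implant asking for commands); 10.0.0.7 browses www.example.com at
# irregular, human-looking times.
SAMPLE_LOG = """\
1000 10.0.0.5 GET http://203.0.113.9/news.php?id=1 200
1005 10.0.0.7 GET http://www.example.com/ 200
1007 10.0.0.7 GET http://www.example.com/style.css 200
1050 10.0.0.7 GET http://www.example.com/about 200
1059 10.0.0.5 GET http://203.0.113.9/news.php?id=2 200
1100 10.0.0.5 GET http://www.example.com/ 200
1101 10.0.0.5 GET http://www.example.com/logo.png 200
1121 10.0.0.5 GET http://203.0.113.9/news.php?id=3 200
1180 10.0.0.5 GET http://203.0.113.9/news.php?id=4 200
1241 10.0.0.5 GET http://203.0.113.9/news.php?id=5 200
1300 10.0.0.7 GET http://www.example.com/contact 200
1300 10.0.0.5 GET http://203.0.113.9/news.php?id=6 200
1302 10.0.0.7 POST http://www.example.com/contact 302
1359 10.0.0.5 GET http://203.0.113.9/news.php?id=7 200
1410 10.0.0.7 GET http://www.example.com/ 200
"""


def parse_log(text):
    """Yield (timestamp, client, destination_host) for each log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, url = int(parts[0]), parts[1], parts[3]
        host = urlsplit(url).hostname
        if host:
            yield ts, client, host


def find_beacons(text, min_requests=5, max_cv=0.15):
    """Return (client, host) pairs whose request intervals are nearly constant.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: near zero means a timer, not a person.
    """
    series = defaultdict(list)
    for ts, client, host in parse_log(text):
        series[(client, host)].append(ts)
    hits = []
    for (client, host), times in series.items():
        if len(times) < min_requests:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # all requests in the same second: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"client": client, "host": host, "count": len(times),
                         "mean_interval": mean, "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}: {hit['count']} requests, "
              f"every {hit['mean_interval']:.1f}s (cv={hit['cv']})")
```

Legitimate software (update checkers, mail clients, monitoring agents) beacons too, so the hits need an allowlist of known hosts before they become alerts; a more careful implant also adds random jitter to its sleep, which is why the tolerance is a parameter and why the request count and the destination's reputation matter as much as the timing. The same per-sender, per-recipient interval check applies to mail logs for the Remote By Mail case.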