1. Trojan Horse program
Back door and remote administration
programs:
Prepared By :
Ibrahim Al qarout
Supervisod By:
Dr. Lo’ai Tawalbeh
New York Institute of Technology
Institute (NYIT)-Jordan
2. Trojan Horse program
Name (Trojan horse)
According to legend , the Greeks won the Trojan war by
hiding in a huge, hollow wooden horse to sneak into the
fortified city of Troy.
It was built and filled with Greek warriors to get in troy
city and open doors for all warriors out side troy city waiting
to enter the city.
3. However there is another meaning of the term Trojan Horse
in the field of computer architecture. Here it basically
represents any piece of User Code which makes the Kernel
Code access anything it would not have been able to access
itself in the first place!. i.e make the OS do something it
wasnt supposed to be doing.And such security loopholes are
called Trojan Horses
In the context of computer software, a Trojan horse is a
program that contains or installs a malicious program
(sometimes called the payload )
4. Types of Trojan horse (payloads)
Trojan horse payloads are almost always designed to do
various harmful things, but could be harmless. They are
broken down in classification based on how they breach
systems and the damage they cause. The seven main types of
Trojan horse payloads are:
1.Remote Access
2. Email Sending
3. Data Destructive
4. FTP trojan (adding or copying data from the infected
computer)
5. denial-of-service attack (DoS)
5. Some examples are:
1.erasing or overwriting data on a computer.
2. Encrypting files in a crypto vital extortion attack.
3. Upload and download files.
4. Allowing remote access to the victim's computer. This
is called a RAT. (
Remote administration tool)
5. Installing a backdoor on a computer system.
6. Opening and closing CD-ROM tray.
7. Harvest e-mail addresses and use them for Spam.
8. Restarts the computer whenever the infected
program is started
6. Trojan horse programs are an easy way for intruders to
trick you (sometimes referred to as "social engineering") into
installing "back door" programs. These can allow intruders
easy access to your computer without your knowledge,
change your system configurations, or infect your computer
with a computer virus.
Trojan horse may appear to be useful or interesting
programs or very harmless to an unsuspecting user.
7. There are two common types of Trojan horses.
One, is otherwise useful software that has been corrupted by
a cracker (it is software remove protection methods:copy
prevention, trial/demo version, serial number, hardware key,
CD ) .
inserting malicious code that executes while the program
is used.Examples
1.include various implementations of
weather alerting programs.
2.computer clock setting software.
3. peer to peer file sharing utilities.
8. The other type is a standalone program that masquerades as
something else, like a game or image file, in order to trick the
user into some misdirected complicity that is needed to carry
out the program's objectives.
9. How you can know if you are under Trojan horse attack?
For example, you download what appears to be a movie
or music file, but when you click on it, you unleash a
dangerous program that erases your disk, sends your credit
card numbers and passwords to a stranger, or lets that stranger
hack your computer to commit illegal Denial of service
attacks .
How do I get rid of Trojans?!?
1.Clean Re-installation:
Back up your entire hard disk, format the disk, re-install the
operating system and all your applications from original CDs.
11. 4.. Avoid using peer to peer or P2P sharing networks like
kazaa,Lime wire Ares, or Guntella because they are generally
unprotected from viruses and Trojan Horse viruses spread
through them especially easily.
Some of these programs do offer some virus protection, but
this is often not strong enough. If you insist on using P2P, it
would be safe to not download files that claim to be "rare"
songs, books, movies, pictures, etc.
13. How do I avoid getting infected with (Trojan horse) in the
future?
1.NEVER download blindly from people or sites which you
aren't 100% sure about
2. Even if the file comes from a friend, you still must be sure
what the file is before opening it
3. NEVER use features in your programs that automatically get
or preview files
4. Never blindly type commands that others tell you to type, or
go to web addresses mentioned by strangers, or run pre-
fabricated programs or scripts
14. Example of a simple Trojan horse
1.A simple example of a trojan horse would be a program
named “waterfalls.scr" claiming to be a free waterfall
screensaver which, when run, instead would allow access to
the user's computer remotely.
2. AIDS (trojan horse)
AIDS, also known as Aids Info Disk or PC Cyborg Trojan, is
a trojan horse that replaces the AUTOEXEC.BAT file, which
would then be used by AIDS to count the number times the
computer has booted. Once this boot count reaches 90, AIDS
hides directories and encrypts the names of all files on drive
C: (rendering the system unusable).
16. Back door and remote administration
programs:
On Windows computers, three tools commonly used by
intruders to gain remote access to your computer are
1.BackOrifice:
Back Orifice (often shortened to BO) is a controversial
computer program designed for remote system
administration. It enables a user to control a computer
running the Microsoft Windows operating system from a
remote location. The name is a pun on Microsoft
BackOffice Server software.
17. 2. Netbus
NetBus or Netbus is a software program for remotely controlling a
Microsoft Windows computer system over a network. It was created
in 1998 and has been very controversial for its potential of being
used as a backdoor.
3. Sub Seven(help to hack other pc's).
Sub7, or Sub Seven, is the name of a popular Trojan or backdoor
program. It is mainly used by script kiddies for causing mischief,
such as hiding the computer cursor, changing system settings or
loading up pornographic websites. However, it can also be used for
more serious criminal applications, such as stealing credit card
details with a keystroke logger.
These back door or remote administration programs, once
installed, allow other people to access and control your computer.
18. A Remote administration programs (tool):
is used to remotely connect and manage a single or multiple
computers with a variety of tools, such as:
1.Screen/camera capture or control
2. File management (download/upload/execute/etc.)
3. Computer control (power off/on/log off)
4. Registry management (query/add/delete/modify)
5. Shell control (usually piped from command prompt)
19. we have 2 kind of connection:
1.Direct Connection
A direct-connect RAT is a simple set-up where the client
connects to a single or multiple servers directly. Stable
servers are multi-threaded, allowing for multiple clients
to be connected, along with increased reliability.
20. 2. Reverse Connection
new technology that came around about the same time that
routers became popular. A few advantages of a reverse-
connection:
1. No problems with routers blocking incoming data,
because the connection is started outgoing for a server
2. Allows for mass-updating of servers by broadcasting
commands, because many servers can easily connect to a
single client.
21. RAT (Remote access Trojans )Trojan
Horses:
(RAT)Malware or malicious software is software
designed to infiltrate or damage a computer system
without the owner's known.
Many Trojans and backdoors now have remote
administration capabilities allowing an individual to
control the victim's computer. Many times a file called
the server must be opened on the victim's computer
before the trojan can have access to it. These are
generally sent through email, P2P file sharing software,
and in internet downloads
22. They are usually disguised as a legitimate program or
file. Many server files will display a fake error message
when opened, to make it seem like it didn't open. Some
will also kill
1.ant virus software.
2.firewall software.
*Fire wall: a logical barrier designed to prevent
unauthorized or unwanted communications between
sections of a computer network
RAT Trojans can generally do the following:
1.Download, upload, delete, and rename files
2. Format drives
3. Open CD-ROM tray
4. Drop viruses and worms
23. 5. Log keystrokes
6. Hack passwords, credit card no.
7. View, kill, and start tasks in task manager
8. Print text, Play sounds
9. Randomly move and click mouse
Some RAT Trojans are pranks that are most likely being
controlled by a friend or enemy on April Fool's day or a
holiday. RATS are generally not harmful, and won't log
keystrokes or hack. They usually do whimsical things
like flip the screen upside-down, open the CD-ROM
tray, and swap mouse buttons.
24. Example of a Back door and remote administration programs:
Name:
Remote Administration Tool - RAT
Aliases:
Backdoor.RAT, RAT,
Ports:
2989 (UDP), 1095, 1097, 1098, 1099
Files:
Rat10.zip - 823 bytes Rat11.zip - 1.032 bytes Rat20.zip - 6,128 bytes
Rat10.exe - 8,192 bytes Rat10akaremote administration tool.exe - 8,192
bytes Rat11.exe - 8,192 bytes Rat20.exe - 12,288 bytes Rat21.exe -
12,288 bytes Set-up.exe - 295,936 bytes .exe - Msgsvr16.exe - Pitcher.exe
- 21,504 bytes Send.tags - 616 bytes Message.tags - Rat.c - 9,658 bytes
Created:
Nov 1999
Requires:
N/A
25. Actions:
Remote Access / AOL Trojan
Can register under 40 different HKEYs.
Versions:
1.0, 1.1, 2.0, 2.1, 5.3,
Registers:
HLMSOFTWAREMicrosoftWindowsCurrentVersionRun
HLMSOFTWAREMicrosoftWindowsCurrentVersion RunServices
and some 38 other entries !!!
Notes:
Works on Windows 95, 98, ME and Unix [Linux and FreeBSD]. RAT
server 1.1 has IRC support added. Send.tgz is Unix client. ˆ Source code
is available.
Country:
N/A
Program:
Written in Visual Basic 5.
26. Check if any unwanted program found in your system
Using the process monitor from remote administration
programs Tools, you will see whether any foreign programs
are running on your computer.
If you find some unwanted program, you can terminate it by
clicking the 'Terminate Process' button on the Toolbar. So
you can find out what programs are started behind your back
29. The Difference Between a
Virus and Trojan Horse
A computer virus attaches itself to a program or file so it can spread
from one computer to another, leaving infections as it travels. Much like
human viruses, computer viruses can range in severity: Some viruses
cause only mildly annoying effects while others can damage your
hardware, software or files. Almost all viruses are attached to an
executable file, which means the virus may exist on your computer but it
cannot infect your computer unless you run or open the malicious
program. It is important to note that a virus cannot be spread without a
human action, (such as running an infected program) to keep it going.
People continue the spread of a computer virus, mostly unknowingly, by
sharing infecting files or sending e-mails with viruses as attachments in
the e-mail.
30. A Trojan Horse is full of as much trickery as the mythological Trojan
Horse it was named after. The Trojan Horse, at first glance will appear to
be useful software but will actually do damage once installed or run on
your computer. Those on the receiving end of a Trojan Horse are usually
tricked into opening them because they appear to be receiving legitimate
software or files from a legitimate source. When a Trojan is activated on
your computer, the results can vary. Some Trojans are designed to be
more annoying than malicious (like changing your desktop, adding silly
active desktop icons) or they can cause serious damage by deleting files
and destroying information on your system. Trojans are also known to
create a backdoor on your computer that gives malicious users access to
your system, possibly allowing confidential or personal information to be
compromised. Unlike viruses and worms, Trojans do not reproduce by
infecting other files nor do they self-replicate.
31. Added into the mix, we also have what is called a blended threat. A
blended threat is a sophisticated attack that bundles some of the worst
aspects of viruses, worms, Trojan horses and malicious code into one
threat. Blended threats use server and Internet vulnerabilities to initiate,
transmit and spread an attack. This combination of method and techniques
means blended threats can spread quickly and cause widespread damage.
Characteristics of blended threats include: causes harm, propagates by
multiple methods, attacks from multiple points and exploits
vulnerabilities.
To be considered a blended thread, the attack would normally serve to
transport multiple attacks in one payload. For example it wouldn't just
launch a DoS attack — it would also install a backdoor and damage a
local system in one shot.
32. Additionally, blended threats are designed to use multiple modes of
transport. For example, a worm may travel through e-mail, but a single
blended threat could use multiple routes such as e-mail, IRC and file-
sharing sharing networks. The actual attack itself is also not limited to a
specific act. For example, rather than a specific attack on predetermined
.exe files, a blended thread could modify exe files, HTML files and
registry keys at the same time — basically it can cause damage within
several areas of your network at one time.
Blended threats are considered to be the worst risk to security since the
inception of viruses, as most blended threats require no human
intervention to propagate.