The document discusses various types of trojans and how they work. It describes remote access trojans, password sending trojans, keyloggers, and other types of trojans. It also discusses how trojans are used to gain unauthorized access to systems and steal sensitive information. The document provides signs that a system may be infected with a trojan and outlines best practices for preventing trojan infections.

1. Ethical HackingILKOM2009 / 2010

2. TrojanA trojan is a small program that runs hidden on an infected computer.Sebuah program atau code yang tanpa otorisasi yang menempel pada program sah. Program tanpa otorisasi ini melakukan aktivitas yang tidak diketahui dan tidak diinginkan oleh pengguna.Penyerang dapat mengakses sistem yang terkena trojan ketika sistem tersebut melakukan online.

3. TrojanWith the help of a trojan an attacker gets access to stored passwords in the trojaned computer and would be able to read personal documents, delete files, display pictures, and/or show messages on the screen.Transmitting to intruder any files that can be read, installing other program that provide unauthorized network access.

4. TrojanTrojan jg berusaha utk mengexploit vulnerablility utk meningkatkan level akses dari belakang sistem user yang terkena trojan. Bila ini berhasil maka akan meningkatkan level hak akses.Bila user menggunakan akses level administrator pada OS maka trojan dapat melakukan apa saja sebagaimana yang dpt dilakukan administrator.

5. Tipe TrojanRemote Access TrojansPassword sending TrojansKeyloggerDestructive TrojansDenial of service (DoS) attack TrojansProxy TrojansFTP TrojansSecurity software disablers

6. Remote Access TrojansTrojan ini biasanya tertuju pada media dan berakibat otoritas tinggi karena kemampuannya untuk memberikan kepada penyerang kekuatan untuk melakukan hal melebihi kemampuan dari korban itu sndiri.Biasanya kombinasi berbagai trojan.Password sending TrojansTrojan ini mengambil semua cache password dan menangkap pasword yang menuju ke korban dan meng-emailkan ke penyerang tanpa korban sadari.

7. KeyloggerTrojan menyalin tekanan pada keyboard korban dan membiarkan penyerang mencari password atau sensitif mesin di dalam log file.Destructive TrojansTrojan ini khusus untuk menghancurkan atau menghapus file utama sprt .dll, .ini, .exeDenial of service (DoS) attack TrojansTrojan ini digunakan penyerang utk melakukan DoS. Varian trojan ini yaitu mail-bomb trojan yang bertujuan utama menginfeksi sebanyak dan berurutan pada spesifik email/address dengan subjek dan konten acak tanpa bisa difilter.

8. FTP trojanTrojan ini membuka port 21 dan memberikan siapa saja atau penyerang ke dalam mesin.Proxy TrojansTrojan ini mengubah menjadi sebuah proxy bagi seluruh dunia atau penyerang saja. Trojan ini digunakan untuk anonymous telnet, ICQ, IRC dan sebagainya.Security software disablersAda sebuah fungsi dari trojan yaitu mendisable security software pada target, sehingga penyerang dapat melakukan explot lebih leluasa untuk keperluan ilegal lainnya.

9. Pembuat trojan cariCredit card information, e-mail addresses.Accounting data (passwords, user names, etc.)Confidential documentsFinancial data (bank account numbers, Social Security numbers, insurance information, etc.)Using the victims computer for illegal purposes, such as to hack, scan, flood, or infiltrate other machines on the network or Internet.

10. Indikasi terserang trojanCD-ROM drawer opens and closes by itself.Computer screen flips upside down or inverts.Wall paper or background settings change by themselves.Documents or messages print from the printer by themselves.Computer browser goes to a strange or unknown web page by itself.Windows color settings change by themselves.Screen saver settings change by themselves.

11. Indikasi terserang trojanRight and left mouse buttons reverse their FunctionsMouse pointer disappears.Mouse moves by itself.Windows Start button disappears.Strange chat boxes appear on the victim’s computer and the victim is forced to chat with a stranger.The ISP complains to the victim that their computer is IP scanning.

12. Indikasi terserang trojanComputer shuts down and powers off by itself.Task bar disappears.The account passwords are changed or unauthorized persons can access legitimate accounts.Strange purchase statements in credit card bills.The computer monitor turns itself off and on.Modem dials, and connects, to the Internet by itself.Ctrl + Alt + Del stops working.While rebooting the computer a message flashes that there are other users still connected.

13. Trojan launcherPhatBotThis Trojan allows the attacker to control computers and link them into P2P networks that can then be used to send large amounts of spam e-mail messages, or flood Web sites with data, in an attempt to knock them offline. It can steal Windows Product Keys, AOL login names and passwords as well as the CD key of some famous games. It tries to disable antivirus and firewall software.AmitisThe Server copies itself to the windows directory so even if the main file is deleted the victim is still infected.The server automatically sends the requested notification as soon as the victim goes online.

14. Trojan launcherSenna SpySenna Spy Generator 2.0 is a trojan generator. Senna Spy Generator is able to create Visual Basic source code for a trojan based on the selection of a few options.This trojan is compiled from generated source code, anything could be changed in it.Feature server diantaranya mengubah wallpaper, execute dos command, find filter, FTP server, hang up internet connection, mengambil kunci lisensi.Back orificeBack Orifice (BO) is a remote administration system which allows a user to control a computer across a TCP/IP connection using a simple console or GUI application. On a local LAN or across the internet, BO gives its user more control of the remote Windows machine than the person at the keyboard of the remote machine.NetbusNetBus is a Win32 based Trojan program. Like Back Orifice, NetBus allows a remote user to access and control the victim’s machine by way of its Internet link.

15. Trojan launcherSubSevenIts symptoms include a slowing down the computer, and a constant stream of error messages. SubSeven is a trojan virus most commonly spread through file attachments in e-mail messages, and the ICQ program.NetcatOutbound or inbound connections, TCP or UDP, to, or from,any port.Ability to use any local source port.Ability to use any locally-configured network source address.Built-in port-scanning capabilities, with randomizerBuilt-in loose source-routing capability.Subroot Telnet Trojan It is a telnet remote administration tool.Donald DickDonald Dick is a tool that enables a user to control another computer over a network. It uses a client-server architecture with the server residing on the victim's computer. The attacker uses the client to send command through TCP or SPX to the victim listening on a pre-defined port.Donald Dick uses default port either 23476 or 23477.

16. Menghindari trojanDo not download blindly from people, or sites, if it is not 100% safe.Even if the file comes from a friend, be sure what the file is before opening it.Do not use features in programs that automatically get, or preview, files.Do not blindly type commands when told to type them, or go to web addresses mentioned by strangers, or run pre-fabricated programs or scripts

17. Menghindari trojanDo not be lulled into a false sense of security just because an antivirus program is running in the system.Ensure that the corporate perimeter defenses are kept continuously up-to-date.Filter and scan all content that could contain malicious content at the perimeter defenses.Run local versions of antivirus, firewall, and intrusion detection software at the desktop.

18. Menghindari trojanRigorously control user permissions within the desktop environment to prevent the installation of malicious applications.Manage local workstation file integrity through checksums, auditing and port scanning.Monitor internal network traffic for unusual open ports or encrypted traffic.Use multiple virus scanners.

19. SniffingSniffer adalah sebuah software yang menangkap data informasi yang vital dari lalu lintas spesifik dalam jaringan tertentu.“data interception” tehcnology. (menangkap/mencegat)The objective of sniffing is to grab:Password (e-mail, web, SMB, ftp, SQL, telnet) Email text Files in transfer (e-mail, ftp, SMB)

20. SniffingYang biasa menjadi cara yaitu pada ethernet / jaringan kabel. Dimana proses ethernet protokol bekerja dengan membroadcast paket ke semua host dlm jaringan, dengan header paket yang mengandung MAC address tujuan paket. Dan sniffer memanfaatkan kondisi ini untuk menjadi alamat palsu.

21. Jenis SniffingPassive sniffing : menangkap paket yang berjalan di dalam jaringan pada saat dilakukan broadcast.Active sniffing : menangkap paket yang ditujukan ke destination address dan sniffer meracuni ethernet dengan alamat palsu.

22. SniffingSniffer tidak saja digunakan untuk proses penangkapan informasi penting bagi penyusup tetapi digunakan NIDS (network intrusion detection system) untuk menemukan paket-paket asing sehingga dapat memberikan alarm bagi sistem selain itu juga sebagai metrics dan analisis.

23. Etherflood : memenuhi sebuah ethernet dengan random alamat dan kemudian ethernet mengirimkan informasi pada semua portnya. Sehingga semua jaringan dapat di sniff oleh penyerang dari semua port ethernet tersebut.ARP poisoning : meracuni paket ARP dari NIC penyerang sehingga memaksa NIC korban untuk mengirimkan data kepada penyerang (gateway). Dan jika pemaksaan dilakukan dengan MAC flooding terhadap switch maka akan menjadikan switch bersifat “hub”.

24. Small NetworkUse of static IP addresses and static ARP tables which prevent hackers from adding spoofed ARP entries for machines in the networkLarge NetworksNetwork switch "Port Security" features should be enabledUse of Arpwatch to monitor ethernet activityMencegah spoof

25. EtherealEthereal is a network protocol analyzer for UNIX and Windows. It allows the user to examine data from a live network or from a capture file on a disk.The user can interactively browse the captured data, viewing summary and detailed information of each packet captured.DsniffDsniff is a collection of tools for network auditing and penetration testing. ARPSPOOF, DNSSPOOF, and MACOF facilitate the interception of network traffic that is normally unavailable to an attacker.

26. SniffitSniffit is a packet sniffer for TCP/UDP/ICMP packets. It provides detailed technical information about the packets and packet contents in different formats. AldebaranAldebaran is an advanced LINUX sniffer/network analyzer. It supports sending data to another host, dump file encryption, real-time mode, packet content scanning.

27. NtopNtop is a network traffic probe that shows network usage.In webmode, it acts as a web server, creating an html dump of the network status. IPTrafIPTraf is a network monitoring utility for IP networks. It intercepts packets on the network and gives out various pieces of information about the currently monitored IP traffic.monitor the load on an IP network, the types of network services that are most in use.

28. Network ProbeThis network monitor and protocol analyzer gives the user an instant picture of the traffic situation on the target network and can be sorted, searched, and filtered by protocols, hosts, conversations, and network interfaces. SnortSniffer mode simply reads the packets off of the network and displays them for you in a continuous stream on the console. Packet logger mode logs the packets to the disk.Network intrusion detection mode is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user defined rule set.

29. ensure that a packet sniffer cannot be installed.The best way to be secured against sniffing is to use encryption. ARP Spoofing is used to sniff a switched network. So the attacker will try to ARP spoof the gateway. This can be prevented by permanently adding the MAC address of the gateway to the ARP cache.Mencegah sniff

30. Change the network to SSH.There are various tools to detect a sniffer in a network. They are as follows:ARP WatchPromiscanAntisniffProdetectMencegah sniff