This document provides an introduction to trojans and backdoors, including what they are, how they work, common types of trojans, and methods of detecting trojan activity. Trojans and backdoors allow hackers to send and receive data through open ports to gain control of systems. Common trojan types include remote access trojans, data sending trojans, and trojans that disable security software. Netstat and Wireshark can be used to monitor network activity and detect trojans. Wrappers and defacing applications help disguise trojans by changing file icons or combining with other programs.

1. Introduction to Trojans and Backdoors
Updated: 13 Oct 2010 | 1 comment
FarzadCERTIFIED
+2
2 Votes
Introduction
Trojans and Backdoors are sorts of Bad-wares which their main purpose is to send and receive data and
especially commands through a port to another system. This port can be even a well-known port such as
80 or an out of regular ports like 7777. The Trojans are most of the time defaced and shown as a
legitimate and harmless application to encourage the user to execute them. The main characteristic of a
Trojan is that first it should be executed by the user, second sends or receive data with another system
which is the attacker’s system.
Sometimes the Trojan is combined with another application. This application can be a flash card, flash
game, a patch for OS, or even an antivirus. But actually the file is built of two applications which one of
them is the harmless application, and the other one is the Trojan file.
Technically defined, a Trojan horse is “a malicious and security-breaking program which is designed as
something benign”. Such a program is designed to cause damage, data leakage, or make the victim a
medium to attack another system.
A Trojan will be executed with the same privilege level as the user who executes it; nevertheless the
Trojan may exploit vulnerabilities and increase the privilege.
An important point is that not only the connection can be online (so that the commands or data are
transmitted immediately between the hacker and victim), but also the communication can be offline
and performed using emails, HTTP URL transmits or as the like.
Auto Start Methods

2. One of the actions usually Trojans perform is to make themselves Auto-Start to be executed each time
the system reboots. Below are some registry keys Trojan Horses modify for this purpose:
HKLMSoftwareMicrosoftWindowsCurrent VersionRun
HKLMSoftwareMicrosoftWindowsCurrent VersionRunonce
HKLMSoftwareMicrosoftWindowsCurrent VersionRunServices
HKLMSoftwareMicrosoftWindowsCurrent VersionRunServicesOnce
HKLUSoftwareMicrosoftWindowsCurrent VersionRun
HKLUSoftwareMicrosoftWindowsCurrent VersionRunOnce
Types of Trojans
Remote Access Trojans
This sort of Trojans provides full or partial access and control over the victim system. The server
application will be sent to the victim and a client listens on the hacker’s system. After the server is
started, it establishes the connection with the client through a predefined port. Most of the Trojans are
of this kind.

3. Data Sending Trojans
Using email or a backdoor, this type of Trojan send data such as password, cookies or key strokes to the
hacker’s system.
Destructive Trojans
These Trojans are to make destructions such as deleting files, corrupting OS, or make the system crash.
If the Trojan is not for fun, usually the purpose of such Trojans is to inactivate a security system like an
antivirus or firewall.
DDos Attack Trojans
This Trojans make the victim a Zombie to listen for commands sent from a DDos Server in the internet.
There will be numerous infected systems standby for a command from the server and when the server
sends the command to all or a group of infected systems, since all the systems perform the command
simultaneously, a huge amount of legitimate request flood to a target and make the service stop
responding.
Proxy Trojans
In order to avoid leaving tracks on the target, a hacker may send the commands or access the resources
via another system so that all the records will show the other system and not the hacker’s identities.
This sort of Trojans are to make a system works as a medium for attacking another system and therefore
the Trojan transfers all the commands sent to it to the primary target and does not harm the proxy
victim.
Security Software Disabler Trojan
This kind of Trojan disables the security system for further attacks. For instance they inactivate the
antivirus or make it malfunction or make the firewall stop functioning.
How to find the Trojan activity
The best method to find the Trojan is by monitoring the ports transmitting data on the network adapter.
Note that as mentioned above there are Trojans which can transmit the commands and data via
standard ports such as 80 or SMPT (email) which this method of inspection is not effective on them.
The command nbtstat is a very powerful tool to check which ports are used to send and receive data.
You can use this command with switch –an for a proper result:

4. netstat –an
If you want to check if a particular port is being used by any application, you can add the findstr to the
command:
netstat –an | findstr 8080
Wireshark is another application which can show all the data transferred on the Network Interface Card
and using it you can see what data are being transmitted out the system, and what is the listener of the
port.
Some Trojan Samples
Tini
This Trojan listens to port 7777 and provides shell access to the victim’s system for the hacker.
ICMD
This application provides shell access, but can accept password and preferred port.
NetBuss
This Trojan has a GUI for controlling the victim’s system. Rather than a serious attack it’s mostly used for
fun.
Netcat (Known as NC)
A very famous Trojan with many options for different methods of command and data transfer.
Proxy Server Trojan
This Trojan makes the victim a proxy for attacking another system.
VNC
Although VNC is not a malicious application however since it is not detected by the Antivirus systems it
can be used as a means of Trojan horse attack.

5. Remote By Mail
This Trojan can send and receive commands and data using series of emails. Although compared to a
shell session the commands are very limited, however due to the protocol it uses (SMTP) it can bypass
and evade most of the firewall systems.
HTTP Rat
This Trojan sends and receives commands by exchanging series of URLs with a server. Since it uses the
HTTP protocol, it is a very dangerous Trojan and can evade almost all the firewall systems.
Shttp Trojan
Same as HTTP Rat
Wrappers
Wrapper is an application which can concatenate two executable files and produce an application
containing both. Most of the times, the Wrapper is used to attach a Trojan file to a small harmless
application such as a flash card to deceive the targeted user and encourage him to execute it.
Some Wrappers are able to make modifications on the Trojan horse such as compressing it or adding
blanks to the end of it and hide it to be detected by the Antivirus’.
Some Wrappers Samples
Wrapper Convert Program
One File EXE Maker
Yet Another Builder (Known as YAB and is a very powerful and dangerous application)
Defacing Applications
Defacing application is a very simple and almost harmless application which can be used to change the
icon of an executable file.

6. Whereas the icon of the Trojan is usually the default icon of the executable files, the hacker maybe
change the Trojan’s icon and fake it as a harmless application or even another application such as a
Microsoft Word document or a text file.