This document is a seminar report on Trojan horse malware presented by a student named Naman Kikani. It contains an introduction to malware and Trojans, chapters on what Trojans are and how they work, common types of Trojan malware, how Trojans are used, and how to protect yourself from Trojans. The report provides information on how Trojans can give attackers remote access and control over an infected computer without the user's knowledge to steal data or carry out other malicious activities. It describes some specific Trojans like backdoor and ransomware Trojans and explains how programs like Back Orifice work using a client-server model to control an infected machine remotely.
Trojan horse Seminar report
School of Engineering
Seminar Report
On
Trojan horse-malware
Academic Year 2019-20
Supervised by
Supervisor’s Name
Mr. Ravirajsinh Chauhan Sir
Mr. Mitul Patel Sir
P P Savani School of Science
Student’s Full Name: NAMAN KIKANI
Enrollment No.: 20SS02IT027
Branch: BSc.IT (B batch)
Trojan horse Malware
2
CERTIFICATE
This is to certify that Mr. /Ms. ____________________________________________,
Enrollment No. _______________________ from the Department of
_____________________________________________, has successfully completed the
Seminar on the Trojan horse-Malware during June – Oct, 2019.
Date:
________________________
Name and Sign of Supervisor
Table of Contents
Sr. No.  Component                                   Page No.
1.       Chapter 1: Introduction                     5
2.       Chapter 2: What is a Trojan horse?          7
3.       Chapter 3: How does it work?                9
4.       Chapter 4: Common types of Trojan malware   10
5.       Chapter 5: Trojan horse built for what?     16
6.       Chapter 6: Protect yourself                 19
7.       Chapter 7: Conclusion                       20
8.       Chapter 8: References                       21
List of Figures/Tables
Sr. No.  Fig.  Name                                               Page No.
1.       2.1   Trojan horse                                       7
2.       2.2   Malware virus                                      8
3.       4.1   Back Orifice RCTH Client                           11
4.       4.2   Netbus Client 1.70                                 12
5.       4.3   A typical netstat display                          13
6.       4.4   netstat display on a machine infected with Netbus  14
CHAPTER 1
INTRODUCTION
1.1 What is Malware?
Malware, short for malicious software, is a blanket term for viruses, worms, trojans
and other harmful computer programs hackers use to wreak destruction and gain
access to sensitive information. As Microsoft puts it, "[malware] is a catch-all term to
refer to any software designed to cause damage to a single computer, server, or
computer network." In other words, software is identified as malware based on
its intended use, rather than a particular technique or technology used to build it.
This means that the question of, say, what the difference is between malware and a
virus misses the point a bit: a virus is a type of malware, so all viruses are malware
(but not every piece of malware is a virus).
1.2 Types of malware
There are a number of different ways of categorizing malware; the first is by how the
malicious software spreads. You've probably heard the words virus, trojan, and worm used
interchangeably, but as Symantec explains, they describe three subtly different ways
malware can infect target computers:
• A worm is a standalone piece of malicious software that reproduces itself and spreads from computer to computer.
• A virus is a piece of computer code that inserts itself within the code of another standalone program, then forces that program to take malicious action and spread itself.
• A trojan is a program that cannot reproduce itself but masquerades as something the user wants and tricks them into activating it so it can do its damage and spread.
Malware can also be installed on a computer "manually" by the attackers themselves, either
by gaining physical access to the computer or using privilege escalation to gain remote
administrator access.
Another way to categorize malware is by what it does once it has successfully infected its
victim's computers. There are a wide range of potential attack techniques used by malware:
• Spyware is defined by Webroot Cybersecurity as "malware used for the purpose of secretly gathering data on an unsuspecting user." In essence, it spies on your behavior as you use your computer, and on the data you send and receive, usually with the purpose of sending that information to a third party. A keylogger is a specific kind of spyware that records all the keystrokes a user makes—great for stealing passwords.
• A rootkit is, as described by TechTarget, "a program or, more often, a collection of software tools that gives a threat actor remote access to and control over a computer or other system." It gets its name because it's a kit of tools that (generally illicitly) gain root access (administrator-level control, in Unix terms) over the target system, and use that power to hide their presence.
• Adware is malware that forces your browser to redirect to web advertisements, which often themselves seek to download further, even more malicious software. As The New York Times notes, adware often piggybacks onto tempting "free" programs like games or browser extensions.
• Ransomware is a flavor of malware that encrypts your hard drive's files and demands a payment, usually in Bitcoin, in exchange for the decryption key. Several high-profile malware outbreaks of the last few years, such as Petya, are ransomware. Without the decryption key, it's mathematically impossible for victims to regain access to their files. So-called scareware is a sort of shadow version of ransomware; it claims to have taken control of your computer and demands a ransom, but actually is just using tricks like browser redirect loops to make it seem as if it's done more damage than it really has, and unlike ransomware can be relatively easily disabled.
• Cryptojacking is another way attackers can force you to supply them with Bitcoin—only it works without you necessarily knowing. The crypto mining malware infects your computer and uses your CPU cycles to mine Bitcoin for your attacker's profit. The mining software may run in the background on your operating system or even as JavaScript in a browser window.
• Malvertising is the use of legitimate ads or ad networks to covertly deliver malware to unsuspecting users’ computers. For example, a cybercriminal might pay to place an ad on a legitimate website. When a user clicks on the ad, code in the ad either redirects them to a malicious website or installs malware on their computer. In some cases, the malware embedded in an ad might execute automatically without any action from the user, a technique referred to as a “drive-by download.”
Any specific piece of malware has both a means of infection and a behavioral category. So,
for instance, WannaCry is a ransomware worm. And a particular piece of malware might
have different forms with different attack vectors: for instance, the Emotet banking malware
has been spotted in the wild as both a trojan and a worm.
A look at the Center for Internet Security's top 10 malware offenders for June of 2018 gives
you a good sense of the types of malware out there. By far the most common infection
vector is via spam email, which tricks users into activating the malware, Trojan-style.
WannaCry and Emotet are the most prevalent malware on the list, but many others,
including NanoCore and Gh0st, are what's called Remote Access Trojans or RATs—
essentially, rootkits that propagate like Trojans. Cryptocurrency malware like CoinMiner
rounds out the list.
CHAPTER 2
What is a Trojan Horse?
2.1 What is a Trojan horse?
“The most dangerous computer malware, the Trojan Horse, is a computer virus that is created by hackers and attackers, and it is a dangerous virus.”
Figure 2.1: Trojan horse
Trojan horse attacks pose one of the most serious threats to computer security. If you were referred here, you may have not only been attacked but may also be attacking others unknowingly. According to legend, the Greeks won the Trojan war by hiding in a huge, hollow wooden horse to sneak into the fortified city of Troy. In today's computer world, a Trojan horse is defined as a "malicious, security-breaking program that is disguised as something benign". For example, you download what appears to be a movie or music file, but when you click on it, you unleash a dangerous program that erases your disk, sends your credit card numbers and passwords to a stranger, or lets that stranger hijack your computer to commit illegal denial of service attacks like those that have virtually crippled the DALnet IRC network for months on end. The following general information applies to all operating systems, but by far most of the damage is done to/with Windows users due to its vast popularity and many weaknesses. (Note: Many people use terms like Trojan horse, virus, worm, hacking and cracking all interchangeably, but they really don't mean the same thing. Let's just say that once you are "infected", trojans are just as dangerous as viruses and can spread to hurt others just as easily!)

Trojans can be far more malicious than viruses and you should care - they're programs that let someone else remotely administer your computer without your knowing about it. There are legitimate programs that do this too; systems administrators use them to administer networks, but Trojans are a different matter. If you're on a network you know it has an administrator to keep things running smoothly. A Trojan can be planted by anyone, without your permission or knowledge. And unlike a remote administration program, a Trojan can be highly destructive. So let's take a quick look at what Trojans do, and more importantly, what you can do to stop them.

Trojans can log every keystroke you type (even when you're offline) and have your e-mail program send the information to the person who planted the Trojan without your knowing it. Trojans can get all your passwords, credit card numbers and other information stored on your computer - or even things that you type into the computer and don't save. They can be used to read, delete or change all your files, turn your screen upside down, abruptly disconnect you from the Internet, or direct your browser to only certain web sites and other nuisances. It gets worse - Trojans can be used to spy on you through your chat and instant message programs, web cam or microphone, and even destroy your hardware.

They can damage your reputation as well as your hardware and data. Trojans can be used to get into your address book and send very convincing-looking e-mails saying whatever someone else likes from you to your employer, bank manager, clients, girlfriend, whomever, and they can make you seem to say really awful things to people in on-line chats or conferences. You can imagine some of the consequences - a 'Net conference with important clients and you won't see the message coming from you saying "screw you, you're all a bunch of lamers anyway," but the persons you're talking with will. Or someone can plant a Trojan and use your computer to hack into somebody else's computer. And all kinds of other bad things.

Possibly the worst things about Trojans are that most people don't even know they exist, and most anti-virus scanners do not pick up or delete them. Trojans are becoming more common, especially as more people have cable and DSL or other "always on" connections, though you can get them using regular dial-up connections too. And some of the newer Trojans are harder to detect (this is one reason to be careful of running .htm or .html files you receive by e-mail - there are Trojans out now that use HTML code and will bypass firewalls - a couple of examples are NOOB and godmessage). They are, in short, very easy to plant on your computer without your knowing it until substantial damage has been done. There are all kinds of script kiddies out there using ICQ and IRC, not to mention e-mail. Criminals use the Internet, too, and there may be people out there who just plain don't like you and would do something that vicious to get revenge - the Internet, like the real world, has its share of crackpots, and most of these programs require no technical expertise to use. Be aware enough from reading this to realize that Trojans can be a serious threat to your privacy, reputation, data and computer hardware.

There are some things you can do. Be careful about accepting files over the Internet or opening e-mail attachments unless you know what they are and who they're from. Get a good firewall, like ZoneAlarm, available free from Zone Labs. Even if other firewalls have had you befuddled, this one won't. It's very powerful and it's also very user-friendly. And head over to the Moosoft site and pick up a copy of The Cleaner. It's a great anti-trojan scanning and cleaning program, and it also has a neat little feature called TCActive that you can run at Windows startup. It'll sit in your system tray, use almost no computer resources, and keep any known Trojans from activating on your machine. If you do find your machine infected with a Trojan Horse program, don't panic. Disconnect from the Internet, run your Trojan scanner, and delete the Trojan. Trojans can't be cleaned, like many viruses can. They can only be deleted, but doing this will in no way harm your machine or your software.
Figure 2.2: Malware virus
CHAPTER 3
How does it work?
3.1 How does Trojan horse malware work?
Trojans are also known to create a backdoor on your computer
that gives malicious users access to your system, possibly allowing confidential or
personal information to be compromised. Unlike other viruses and worms, Trojans do
not reproduce by infecting other files nor do they self-replicate.
• Nothing but a server/client program
• Uses the TCP/IP protocol as well as the UDP protocol
• It is only delivered to the target system through user interaction.
What’s the most used programming language for writing Trojan viruses?
C programming language.
C# programming language.
CHAPTER 4
Common Types of Trojan malware
4.1 Common types of Trojan malware
Here’s a look at some of the most common types of Trojan malware,
including their names and what they do on your computer:
4.1.1 Backdoor Trojan
This Trojan can create a “backdoor” on your computer. It lets an attacker access your
computer and control it. Your data can be downloaded by a third party and stolen. Or
more malware can be uploaded to your device.
4.1.2 Distributed Denial of Service (DDoS) attack Trojan
This Trojan performs DDoS attacks. The idea is to take down a network by flooding it
with traffic. That traffic comes from your infected computer and others.
4.1.3 Downloader Trojan
This Trojan targets your already-infected computer. It downloads and installs new
versions of malicious programs. These can include Trojans and adware.
4.1.4 Fake AV Trojan
This Trojan behaves like antivirus software, but demands money from you to detect and
remove threats, whether they’re real or fake.
4.1.5 Game-thief Trojan
The losers here may be online gamers. This Trojan seeks to steal their account
information.
4.1.6 Infostealer Trojan
As it sounds, this Trojan is after data on your infected computer.
4.1.7 Mailfinder Trojan
This Trojan seeks to steal the email addresses you’ve accumulated on your device.
4.1.8 Ransom Trojan
This Trojan seeks a ransom to undo damage it has done to your computer. This can
include blocking your data or impairing your computer’s performance.
4.1.9 Remote Access Trojan
This Trojan can give an attacker full control over your computer via a remote network
connection. Its uses include stealing your information or spying on you.
4.1.10 Rootkit Trojan
A rootkit aims to hide or obscure an object on your infected computer. The idea? To
extend the time a malicious program runs on your device.
4.1.11 SMS Trojan
This type of Trojan infects your mobile device and can send and intercept text messages.
Texts to premium-rate numbers can drive up your phone costs.
4.1.12 Trojan banker
This Trojan takes aim at your financial accounts. It’s designed to steal your account
information for all the things you do online. That includes banking, credit card, and bill
pay data.
4.1.13 Trojan IM
This Trojan targets instant messaging. It steals your logins and passwords on IM
platforms.
Problem Detection and Removal
RCTH Program Operation
Before outlining detection and removal procedures, let’s discuss the operation of the RCTH programs. To solve a problem you must first understand it. More importantly, there is no absolute solution to these programs and definitely no "tell me what keys to press" solution. A good understanding of how the RCTH programs work and how they can hide is the best weapon. There are now hundreds of this type of program. They all consist of two parts: a server that runs on your computer, and a client that runs on the controlling computer (shown below). They are all freely available on the Internet. The server silently opens up a virtual network port and listens for requests from clients. People running the clients can connect to the server from anywhere on the Internet and control your computer almost like they were sitting in front of it. In fact, some things are easier using these programs than they would be using your keyboard. For example, the program automatically decrypts passwords used to protect Microsoft shared directories. They can also scan a range of addresses looking for listening servers so once you're infected, anyone can find you.
Figure 4.1: Back Orifice RCTH Client
Figure 4.2: Netbus Client 1.70
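As an added, defender-side illustration that is not part of the original report: the RCTH server described above silently opens a listening network port, and the Detection section that follows lists checking file fingerprints against a "Trojan database" and checking for open virtual network ports among its four methods. The Python script below implements those two checks over constructed data. It parses Windows-style `netstat -an` output (the sample lines are made up) and flags listening sockets that are not in an expected baseline, labelling a port with a tool name when it matches the historical default port of NetBus (TCP 12345) or Back Orifice (UDP 31337); it also hashes files with SHA-256 and looks them up in a database. The baseline ports, the database contents and the sample netstat lines are assumptions made for the example, not values from the report.

```python
"""Two of the RCTH detection methods from the report, scripted for a
defender: (2) fingerprint files against a database of known Trojan
hashes and (4) look for unexpected listening network ports.
The netstat lines and the hash database are constructed sample data,
not captures from a real infected machine."""
import hashlib
import re
from pathlib import Path

# Constructed "Trojan database": SHA-256 of file contents -> name.
# A real product ships a much larger, constantly updated list.
TROJAN_DB = {
    hashlib.sha256(b"fake netbus server bytes").hexdigest():
        "NetBus server (constructed sample)",
}

# Assumed baseline: ports a clean workstation in this example is expected
# to listen on (classic Windows file-sharing services).
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445),
                      ("UDP", 137), ("UDP", 138)}

# Historical default ports of the two RCTH tools named in the report
# (NetBus listened on TCP 12345, Back Orifice on UDP 31337). A match is
# only a hint: the server can be configured to use any port.
KNOWN_TROJAN_PORTS = {("TCP", 12345): "NetBus", ("UDP", 31337): "Back Orifice"}

# Windows `netstat -an` data line: proto, local addr:port, foreign addr, [state]
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, port) pairs for sockets that accept inbound traffic:
    TCP sockets in LISTENING state and every bound UDP socket."""
    found = set()
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, title and blank lines
        proto, _addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED/TIME_WAIT client sockets are not servers
        found.add((proto, int(port)))
    return found


def unexpected_listeners(text, baseline=EXPECTED_LISTENERS):
    """Listening sockets outside the baseline, annotated with a Trojan name
    when the port matches a historical default, else 'unknown'."""
    return {
        (proto, port): KNOWN_TROJAN_PORTS.get((proto, port), "unknown")
        for proto, port in parse_netstat(text) - baseline
    }


def match_fingerprint(data, db=TROJAN_DB):
    """Name of the known Trojan whose SHA-256 matches `data`, or None."""
    return db.get(hashlib.sha256(data).hexdigest())


def sha256_file(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(directory, db=TROJAN_DB):
    """Return {path: trojan_name} for files under `directory` whose hash is
    in the database (the report's 'file check' method)."""
    hits = {}
    for p in Path(directory).rglob("*"):
        if p.is_file():
            name = db.get(sha256_file(p))
            if name:
                hits[str(p)] = name
    return hits


# Constructed netstat output; the 12345 and 31337 listeners are the planted anomalies.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1034        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

if __name__ == "__main__":
    for (proto, port), name in sorted(unexpected_listeners(SAMPLE_NETSTAT).items()):
        print(f"unexpected listener {proto}/{port}: {name}")
```

Run as a script it reports the two planted listeners; `scan_files` can be pointed at a real directory once the database holds real hashes. Both checks inherit the limits the report spells out: a fingerprint check only finds programs whose hash is already in the database, and a port check only raises a hint, since the server program can be named anything and configured to listen anywhere, so the baseline has to come from a known-clean machine and the four methods should be used together.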
The server program can be named anything, so you can't simply look for a list of names.

Detection

1. Install and run BOClean. The manual procedures below are for people who, for some reason,
don't have access to BOClean.

There are four ways to detect RCTH programs:

1. Check the list of running processes for a match against a "Trojan database".
2. Check the fingerprint of files for a match against a "Trojan database".
3. Check for programs that are automatically started when you boot your computer.
4. Check for open virtual network ports.

Each has limitations and advantages. The first two methods are traditional virus checking
methods. They depend upon a database of code fragments or patterns that uniquely identify
each of the suspect programs, or behavior analysis that leads a file to be suspect. Of course,
the database has to be constantly updated to keep up with new programs. The file check method
can be time consuming because it has to check every file. However, most virus tools now do this
only once when they're installed and then only in the background when a file is read. The
process check only examines running programs, so it can be quicker. Note that if the writer of
the RCTH program obfuscated the fingerprint using compression, encryption, overlays, or some
other method, the fingerprint may not be recognizable to the tool as an RCTH program. This
possibility, and the lag time associated with updating tools to detect new programs'
fingerprints, necessitates multiple checks using each of the detection methods. Keep in mind
that "fingerprint tools" only work if they know the fingerprint. The fingerprint protection tools
can find the publicized or otherwise discovered programs because they know about them. On the
other hand, if someone wanted to target an individual or organization, had the ability to write
their own program, and kept quiet about it, traditional fingerprint tools like virus checkers
would never find it.

All the presently identified RCTH programs automatically restart when you boot your computer.
To do this they have an entry in the registry, the win.ini file, the system.ini file, the
autoexec.bat file, the startup folder or similar places. Of course, lots of other programs
automatically start up when you boot, so the challenge is identifying the ones that aren't
supposed to be there. Since the RCTH programs can be renamed, this is not a small challenge. If
the programs were installed with their default names, they are easy to spot. If they've been
renamed, we have to verify that the file is actually something we want started. Sometimes there
is no way to do this except to remove the entry and see what breaks. StartupCop is an easy to
use tool that allows you to enable and disable the various startup items as you're
investigating.

All the presently identified RCTH programs open a virtual network port to communicate. Every
TCP/IP based system has a set of 131,070 ports it can use to communicate with other computers.
Some ports are dedicated to particular uses. For example, port 80 is used by a web server, port
25 by a mail server, and ports 137-139 are used by Microsoft file sharing services. Each of the
RCTH programs also has default ports on which it listens for connections by other machines. If
we find one of these default ports active, we're almost guaranteed that we've detected an
infection. On the other hand, these programs allow the interloper to change the default port. In
that case, we have to verify that any open port has been opened by a program that we authorized
to run. Two tools to perform this task are Foundstone's FPort (free) and Winternals' TCPView Pro
(fee). Finally, some desktop firewalls will tell you what programs are opening what ports.
Without such a tool, it becomes a matter of stopping services to see what ports close. Another
problem occurs when the RCTH program doesn't hold the port open continuously. At least one
program sits silently until it has some data to send (your passwords), opens a port, sends the
data, and closes the port.

As you can see, there are ways around every detection method. That is why the only 100%
effective solution to this problem is not to get infected in the first place. Of course, that is
not too realistic unless we refuse to run any programs, because there is always a chance,
however slight, that one of these RCTH programs might get by a big vendor. Besides, there are
many, many useful programs written by shareware and freeware authors that it would be a shame to
ignore. However, the need for care has been exponentially increased due to these RCTH programs.
Another option is the age-old Unix (and other host) system administration trick of
fingerprinting your critical files and checking them for modifications once in a while using
something like Tripwire.
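The fingerprint check (method 2) and the Tripwire-style integrity check just mentioned both reduce to hashing files and comparing the hashes. The following Python is an added example written for this report; it is not code from the report, from BOClean or from Tripwire. It hashes every file under a directory with SHA-256, looks each hash up in a "Trojan database" of known-bad hashes, and compares the directory against a baseline taken earlier to list files that were modified, added or removed. The directory tree, the file names and the single known-bad hash are constructed for the demonstration. Note what the two checks can and cannot do: the database lookup still catches the sample image after it is renamed, but, exactly as the text warns, it would not catch a copy that had been recompressed or encrypted, while the baseline comparison flags any change regardless of whether the file is known.

```python
"""Added example: file fingerprint check against a known-bad database and a baseline."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed stand-in for a suspect program image; a real database would hold
# the hashes of known RCTH server files. Nothing here is a real malware sample.
SAMPLE_RCTH_IMAGE = b"constructed sample of a remote-control server binary"
KNOWN_BAD_FINGERPRINTS: Dict[str, str] = {
    hashlib.sha256(SAMPLE_RCTH_IMAGE).hexdigest(): "constructed-sample-server",
}


def fingerprint(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its fingerprint."""
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(baseline: Dict[str, str], root: Path) -> Dict[str, List[str]]:
    """Tripwire-style check: report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def match_known_bad(root: Path, database: Dict[str, str]) -> List[Tuple[str, str]]:
    """Database check: files whose hash is in the database, whatever their name."""
    hits = []
    for rel, digest in build_baseline(root).items():
        if digest in database:
            hits.append((rel, database[digest]))
    return hits


def demo() -> Dict[str, object]:
    """Run both checks on a constructed directory tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "good.exe").write_bytes(b"constructed benign program")
        (root / "autoexec.bat").write_bytes(b"@echo off\r\n")
        baseline = build_baseline(root)

        # Simulate what an infection leaves behind: a startup file edited and a
        # renamed copy of the sample image dropped next to legitimate files.
        (root / "autoexec.bat").write_bytes(b"@echo off\r\nrem constructed change\r\n")
        (root / "system32" / "renamed_service.exe").write_bytes(SAMPLE_RCTH_IMAGE)

        return {
            "changes": compare_baseline(baseline, root),
            "hits": match_known_bad(root, KNOWN_BAD_FINGERPRINTS),
        }


if __name__ == "__main__":
    result = demo()
    print("changed since baseline:", result["changes"])
    print("known-bad matches:", result["hits"])
```

In practice the baseline dictionary would be written to removable or read-only media after a clean install and the comparison run periodically; a baseline stored on the same disk can be rewritten by whatever modified the files.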
Virtual Port Example.
We will use the DOS utility netstat to check for open ports. If you're using Windows NT4 or
Windows 98 you can proceed to the checks below. Unfortunately, the original TCP stack that
comes with Windows 95 doesn't produce accurate reports. It will tell you your computer isn't
vulnerable when it actually is. To fix this problem, upgrade your Windows 95 TCP/IP stack by
downloading and running the Microsoft Winsock 2 patch before performing the rest of this
procedure. This has been a rather simple and painless upgrade for everyone I've talked to. It
may also increase your network performance and reliability. The Microsoft Dial-up patch 1.3
also installs Winsock 2 but it is more complicated to install. If you have access to Winternals
TCPView Pro, use that instead. It has the advantage of telling you what program is talking on
each port, something netstat doesn't do in the Windows world. Recently, Foundstone released a
similar tool called FPort that is free.
1. Open an MS-DOS window.
2. Close all other programs.
4.3 A typical netstat display.
3. Type netstat -an
4. Examine the number after the colon in the second column. In the listing above, the item of
interest in the first line is "80" and in the second line is "135". These are the virtual port
numbers by which programs communicate with the outside world. Other computers which want to
communicate with your machine must use your IP address plus one of these virtual ports to form
the equivalent of a telephone number to find you.
In the example above, a personal web server is listening on port 80.
5. If you see the numbers '12345' or '31337', you almost definitely have one of the programs
installed (Netbus and Back Orifice respectively). The Netbus port is active below.
6. The list above has many additional ports open, which makes it confusing. Most of these ports
were caused by having a web browser and email client open. To decrease the number of ports you
need to examine, it's best to run netstat right after a reboot and before any other applications
are started. Many Windows 95/98 machines will only have ports 137, 138, and 139 active, for
Microsoft file sharing use. If you don't use Microsoft file sharing, turn it off in the network
control panel so you don't have those ports open. You can also delete the NetBIOS protocol in the
same place. Otherwise, you have to ensure that all open ports are supposed to be open, which
requires a familiarity with network protocols and services. Generally, you'll find that these
ports are opened by programs that are automatically started from the registry. So the process of
validating registry entries is related to the process of validating ports. Sometimes it just
boils down to removing registry entries (after copying the information for restoration if
needed) and seeing what breaks and what ports no longer open. It's a tedious process. One helpful
hint: if you telnet to a port on which Netbus is listening, it will answer "Netbus v1.x",
depending upon the version.
4.4 netstat display on a machine infected with Netbus.
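Steps 3 to 6 above can be automated. The following Python is an added example, not code from the report or from any tool it names: it reads a netstat -an listing, keeps only the ports the machine is actually accepting traffic on (TCP sockets in the LISTENING state, and every bound UDP socket, since UDP has no state column), and sorts each into the three groups the detection text describes: the default ports it names for Netbus (12345) and Back Orifice (31337), the normal services it lists (80, 25, 137-139), and everything else, which must be traced to a program you authorized. The netstat listing embedded below is constructed in the format Windows netstat prints; on a real machine it would be replaced by the output of netstat -an run right after a reboot, as step 6 advises. A program whose default port was changed lands in the "verify" group, which is exactly the case the text says needs manual work.

```python
"""Added example: screen a `netstat -an` listing for open virtual ports."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Default listening ports the report names for two RCTH programs.
RCTH_DEFAULT_PORTS: Dict[int, str] = {12345: "Netbus", 31337: "Back Orifice"}

# Ports the report describes as normal services.
EXPECTED_SERVICES: Dict[int, str] = {
    80: "web server",
    25: "mail server",
    137: "Microsoft file sharing",
    138: "Microsoft file sharing",
    139: "Microsoft file sharing",
}


class Finding(NamedTuple):
    proto: str
    port: int
    verdict: str  # "rcth-default", "expected" or "verify"
    note: str


_PORT_RE = re.compile(r":(\d+)$")  # the port is whatever follows the last colon


def open_ports(netstat_output: str) -> List[Tuple[str, int]]:
    """Return (proto, port) for every socket that accepts inbound traffic."""
    result = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or other text
        proto, local = parts[0], parts[1]
        match = _PORT_RE.search(local)
        if not match:
            continue
        # A TCP socket only accepts connections in the LISTENING state; an
        # ESTABLISHED entry (e.g. your browser talking to a web site) is not an
        # open port. UDP has no state column, so every bound UDP port counts.
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue
        result.append((proto, int(match.group(1))))
    return result


def classify(netstat_output: str) -> List[Finding]:
    """Sort each open port into the three groups the detection text describes."""
    findings = []
    for proto, port in open_ports(netstat_output):
        if port in RCTH_DEFAULT_PORTS:
            findings.append(Finding(proto, port, "rcth-default", RCTH_DEFAULT_PORTS[port]))
        elif port in EXPECTED_SERVICES:
            findings.append(Finding(proto, port, "expected", EXPECTED_SERVICES[port]))
        else:
            findings.append(Finding(proto, port, "verify",
                                    "no known service; confirm which program opened it"))
    return findings


# Constructed listing in the layout Windows netstat -an prints; not real output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1034        203.0.113.9:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""


if __name__ == "__main__":
    for f in classify(SAMPLE_NETSTAT):
        print(f"{f.proto:3} {f.port:5}  {f.verdict:12}  {f.note}")
```

Run against the constructed listing, the two default ports are reported as rcth-default, 80, 137 and 139 as expected services, 135 as a port to verify, and the ESTABLISHED connection on 1034 is ignored because nothing is listening there.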
CHAPTER 5
Trojan horse built for what?
5.1 Built for stealing:
1- Credit cards, master cards, etc.
2- Email addresses.
3- Work projects.
4- Photos and other files.
5- Passwords and secret codes.
5.2 Tasks of the Trojan
• erasing or overwriting data on a computer
• corrupting files in a subtle way
• spreading other malware, such as viruses. In this case the Trojan horse is called a
'dropper'.
• launching DDoS attacks or sending spam
• logging keystrokes to steal information such as passwords and credit card
numbers (known as a key logger)
• phishing for bank or other account details, which can be used for criminal activities
• shutting down or rebooting Windows, etc.
5.3 ANTI-TROJANS
Anti-Trojan software is specifically designed to help detect Trojans (not necessarily
viruses/worms). Most can be run alongside your chosen antivirus program. However, no Trojan
scanner is 100% effective, as manufacturers cannot keep up with the rapid change of viruses that
happens daily. Be sure to update yours regularly!
5.3.1 Anti-Trojan
Anti-Trojan 5.5 is a powerful trojan scanner and remover which detects more than 9000
different types of trojan horses. It uses three methods to find them. The first is the
port scan, which gives you information on whether there are open ports on your computer. The
second one is the registry scan, which searches through the system registry database for
trojans. The third and the most important part is the disk scan. It scans your hard disks
for dangerous trojan files and removes them safely. Supports:
Win95/98/ME/NT4/2000/XP. Supports many languages.
5.3.2 PC Door-Guard
A full-featured extensive and thorough intrusion scanner that scans any media on your
PC for backdoors and trojan horses. Supports: Win95/98/ME/NT/2000
5.3.3 Pestpatrol
PestPatrol is a utility, similar to anti-virus products, but instead of scanning for viruses
it scans for worms and Trojans, even tools and utilities used by hackers and maybe even
trusted employees. Used along with anti-virus software, PestPatrol will keep you safe
from malicious objects, commonly referred to as Pests. You routinely scan for viruses,
why not make PestPatrol part of your daily routine?
Supports: Win95/98/ME/NT/2000/XP
SubSeven Trojan
SubSeven was made to fill in the gaps left by NetBus. NetBus was the first 'point and
click' Trojan that made it very easy for hackers to abuse an infected system. The makers
of SubSeven wanted to take this even further and give the hackers even more control
than NetBus ever could. SubSeven can do everything that NetBus can do. This includes
things such as:
• File controls
  o Upload / Download
  o Move, Copy, Rename, Delete
  o Erase hard drives and other disks
  o Execute programs
• Monitoring
  o Can see your screen as you see it
  o Log any/all key presses (even hidden passwords)
  o Open/close/move windows
  o Move mouse
• Network control
  o Can see all open connections to and from your computer
  o Can close connections
  o Can 'bounce' or relay from their system to yours, so wherever they connect it
    seems as if you are doing it. This is how they prevent getting caught breaking
    into other computer systems and get you in trouble!
The SubSeven Trojan can also be configured to inform someone when its
infected computer connects to the internet, and tells that person all the
information about you they need to use the trojan against you.
This notification can be done over an IRC network, by ICQ, or by email.
CHAPTER 6
Protect yourself
6.1 How to protect your computer from Trojans
1- Don't open unknown links.
2- Don't connect unknown USB devices or other connectors.
3- Don't open any offers on websites.
4- Use the best antivirus software. Avast is the best.
5- Use the best Trojan remover software.
6- Delete unwanted old files.
CHAPTER 7
CONCLUSION
• In this seminar we have learned what a Trojan is and all the functionality and aspects of
the Trojan horse.
• Trojans are malicious programs that claim to be something desirable but are much more
dangerous than viruses and may steal your data or may damage or erase your disk. So be
careful while downloading any document, movie, music file etc. from the internet. It is
evident that there will soon be some very sophisticated ways to hide this type of program.
If you value your privacy, your computer data, and your reputation, it is imperative to
refuse to run unknown executable programs. It is unfortunate that the publishing of these
easily used and abused programs has made our computing environment less friendly to
sharing and open communication. However, if the programs hadn't been publicized, sneakier
people could have used similar tactics without warning. Almost every existing operating
system allows the sort of features that make RCTH programs possible. Operators run programs.
• Programs open sockets. Programs capture keystrokes. Operating systems provide
mechanisms to automatically start programs. The vulnerability that exists is that we
(industry wide) use computers that don't have many internal controls. They let us do
what we want. Without internal controls, it is up to us to control them. If we don't
control them, we'll either have increasingly serious security breaches or the computer
industry will go back to locked-down mainframe-type processing to force automatic
controls. I suspect this latest threat will hasten the use of "certified applications",
increased access controls to both organizational data and the Internet, locked-down
desktop configurations, the "Network Computer/Browser/Application Server" architecture,
and an increased level of caution associated with our computing environment. Maybe hackers
will force us back to terminals (static browsers), mainframes (application servers), and
service bureaus (application service providers).