CEHv6 Module 08: Trojans and Backdoors
Ethical Hacking and Countermeasures
Version 6
Module VIII
Trojans and Backdoors
Scenario
Zechariah works for an insurance firm. Though being a top performer for his branch, he never got credit from his manager, Ron. Ron was biased toward a particular sect of employees. On Ron's birthday all employees including Zechariah greeted him.
Zechariah personally went to greet Ron and asked him to check his email, as a birthday surprise was awaiting him! Zechariah had planned something for Ron. Unaware of Zechariah's evil intention, Ron opens the bday.zip file. Ron extracts the contents of the file, runs bday.exe and enjoys the flash greeting card.
Zechariah had Ron infect his own computer with a Remote Control Trojan.
What harm can Zechariah do to Ron? Is Zechariah's intention justified?
Copyright © by EC-Council

News
Source: http://www.canada.com/
Module Objective
This module will familiarize you with:
- Trojans
- Overt & Covert Channels
- Types of Trojans and how a Trojan works
- Indications of a Trojan attack
- Different Trojans used in the wild
- Tools for sending Trojans
- Wrappers
- ICMP Tunneling
- Constructing a Trojan horse using a Construction Kit
- Tools for detecting Trojans
- Anti-Trojans
- Avoiding Trojan Infection
Module Flow
- Introduction to Trojans
- Overt & Covert Channels
- Types and Working of a Trojan
- Indications of Trojan Attack
- Different Trojans
- Tools to Send Trojan
- Wrappers
- ICMP Tunneling
- Trojan Construction Kit
- Tools to detect Trojan
- Anti-Trojan Countermeasures
Introduction
Malicious users are always on the prowl to sneak into networks and create trouble. Trojan attacks have affected several businesses around the globe. In most cases, it is the absent-minded user who invites trouble by downloading files or being careless about security aspects. This module covers different Trojans, the way they attack, and the tools used to send them across the network.

What is a Trojan
A Trojan is a small program that runs hidden on an infected computer. With the help of a Trojan, an attacker gets access to stored passwords in the Trojaned computer and would be able to read personal documents, delete files and display pictures, and/or show messages on the screen.
Overt and Covert Channels
Overt Channel: A legitimate communication path within a computer system, or network, for transfer of data.
Covert Channel: A channel that transfers information within a computer system, or network, in a way that violates security policy.
An overt channel can be exploited to create the presence of a covert channel by choosing components of the overt channels with care that are idle or not related.
The simplest form of covert channel is a Trojan.
(Figure: Keylogger.exe hidden inside Chess.exe)

Working of Trojans
(Figure: Attacker, Internet, Trojaned System)
An attacker gets access to the Trojaned system as the system goes online. By the access provided by the Trojan, the attacker can stage different types of attacks.
Different Types of Trojans
- Remote Access Trojans
- Data-Sending Trojans
- Destructive Trojans
- Denial-of-Service (DoS) Attack Trojans
- Proxy Trojans
- FTP Trojans
- Security Software Disablers

What Do Trojan Creators Look For
- Credit card information
- Account data (email addresses, passwords, user names, and so on)
- Confidential documents
- Financial data (bank account numbers, social security numbers, insurance information, and so on)
- Calendar information concerning the victim's whereabouts
- Using the victim's computer for illegal purposes, such as to hack, scan, flood, or infiltrate other machines on the network or Internet
Different Ways a Trojan Can Get into a System
- Instant Messenger applications
- IRC (Internet Relay Chat)
- Attachments
- Physical access
- Browser and email software bugs
- NetBIOS (FileSharing)
- Fake programs
- Untrusted sites and freeware software
- Downloading files, games, and screensavers from Internet sites
- Legitimate "shrink-wrapped" software packaged by a disgruntled employee
Indications of a Trojan Attack
- CD-ROM drawer opens and closes by itself
- Computer screen flips upside down or inverts
- Wallpaper or background settings change by themselves
- Documents or messages print from the printer by themselves
- Computer browser goes to a strange or unknown web page by itself
- Windows color settings change by themselves
- Screen saver settings change by themselves

Indications of a Trojan Attack (cont'd)
- Right and left mouse buttons reverse their functions
- Mouse pointer disappears
- Mouse pointer moves and functions by itself
- Windows Start button disappears
- Strange chat boxes appear on the victim's computer
- The ISP complains to the victim that his/her computer is IP scanning

Indications of a Trojan Attack (cont'd)
- People chatting with the victim know too much personal information about him or his computer
- The computer shuts down and powers off by itself
- The taskbar disappears
- The account passwords are changed or unauthorized persons can access legitimate accounts
- Strange purchase statements appear in the credit card bills
- The computer monitor turns itself off and on
- Modem dials and connects to the Internet by itself
- Ctrl+Alt+Del stops working
- While rebooting the computer, a message flashes that there are other users still connected
Ports Used by Trojans
Trojan             Protocol   Ports
Back Orifice       UDP        31337 or 31338
Deep Throat        UDP        2140 and 3150
NetBus             TCP        12345 and 12346
Whack-a-mole       TCP        12361 and 12362
NetBus 2 Pro       TCP        20034
GirlFriend         TCP        21544
Masters Paradise   TCP        3129, 40421, 40422, 40423 and 40426

How to Determine which Ports are "Listening"
Go to Start > Run > cmd
Type netstat -an
Type netstat -an | findstr <port number>
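As an added example (not part of the EC-Council module), the Python below applies the port table above to `netstat -an` output: it parses the listing and flags listening sockets bound to the listed default ports. The netstat text is a constructed sample; a port match is only an indicator, since any program can bind these ports, so the owning process still has to be confirmed with fport, TCPView or CurrPorts from the detection section.

```python
"""Flag listening sockets in `netstat -an` output that sit on the default
ports from the module's "Ports Used by Trojans" table. Added example, not
from the CEH module; the netstat sample below is constructed."""
import re

# Port table from the slide, keyed by (protocol, port).
TROJAN_PORTS = {
    ("udp", 31337): "Back Orifice", ("udp", 31338): "Back Orifice",
    ("udp", 2140): "Deep Throat", ("udp", 3150): "Deep Throat",
    ("tcp", 12345): "NetBus", ("tcp", 12346): "NetBus",
    ("tcp", 12361): "Whack-a-mole", ("tcp", 12362): "Whack-a-mole",
    ("tcp", 20034): "NetBus 2 Pro",
    ("tcp", 21544): "GirlFriend",
    ("tcp", 3129): "Masters Paradise", ("tcp", 40421): "Masters Paradise",
    ("tcp", 40422): "Masters Paradise", ("tcp", 40423): "Masters Paradise",
    ("tcp", 40426): "Masters Paradise",
}

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.50:51522     ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:31337          *:*
  UDP    192.168.1.10:137       *:*
"""

# Proto, local address, foreign address, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Yield (proto, local_addr, local_port, state) for each socket row.
    Handles IPv4 'a.b.c.d:port' and IPv6 '[addr]:port' local addresses."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, local, _foreign, state = m.groups()
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        # A bound UDP socket has no state column; treat it as listening.
        yield proto.lower(), addr.strip("[]"), int(port), (state or "LISTENING")


def find_trojan_ports(netstat_text):
    """Return [(proto, port, trojan_name)] for listening sockets on known Trojan ports."""
    hits = []
    for proto, _addr, port, state in parse_netstat(netstat_text):
        if state != "LISTENING":
            continue  # outbound/established sockets are not what the table describes
        name = TROJAN_PORTS.get((proto, port))
        if name:
            hits.append((proto, port, name))
    return hits


if __name__ == "__main__":
    for proto, port, name in find_trojan_ports(SAMPLE_NETSTAT):
        print(f"{proto.upper()} {port} is listening: matches the {name} default port")
```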
Trojans

Trojan: iCmd
iCmd works like tini.exe but accepts multiple connections and you can set a password.
Window 1: Type icmd.exe 54 jason
Window 2: Type telnet <IP add>, password jason
MoSucker Trojan
MoSucker is a Trojan that enables an attacker to get nearly complete control over an infected PC. When this program is executed, the attacker gets remote access on the infected machine.

MoSucker Trojan: Screenshot
Proxy Server Trojan
This tool, when infected, starts a hidden proxy server on the victim's computer.
Thousands of machines on the Internet are infected with the proxy servers using this technique.

Proxy Server Trojan (cont'd)
Type mcafee 8080 on the victim machine (you can specify any port you like). You can also wrap this trojan using OneFileExe maker. Set the IP address of the proxy server and port in IE.
(Figure: TARGET, INTERNET, PROXY, ATTACKER)

SARS Trojan Notification
SARS Trojan notification sends the location of the victim's IP address to the attacker. Whenever the victim's computer connects to the Internet, the attacker receives the notification.
(Figure: Victims infected with Trojans, Attacker)
Notification types:
- SIN Notification: directly notifies the attacker's server
- ICQ Notification: notifies the attacker using ICQ channels
- PHP Notification: sends the data by connecting to a PHP server on the attacker's server
- E-Mail Notification: sends the notification through email
- Net Send: notification is sent through the net send command
- CGI Notification: sends the data by connecting to a PHP server on the attacker's server
- IRC notification: notifies the attacker using IRC channels

SARS Trojan Notification (cont'd)
Wrappers
How does an attacker get a Trojan installed on the victim's computer? Answer: Using wrappers.
Chess.exe (90 k) + Trojan.exe (20 k) = Chess.exe (110 k)
A wrapper attaches a given EXE application (such as games or office applications) to the Trojan executable. The two programs are wrapped together into a single file. When the user runs the wrapped EXE, it first installs the Trojan in the background and then runs the wrapped application in the foreground. The user only sees the latter application.
Attackers might send a birthday greeting that will install a Trojan as the user watches, for example, a birthday cake dancing across the screen.
Wrapper Covert Program
Graffiti.exe is an example of a legitimate file that can be used to drop the Trojan into the target system. This program runs as soon as Windows boots up and, on execution, keeps the user distracted for a given period of time by running on the desktop.
Wrapping Tools
One file EXE Maker
- Combines two or more files into a single file
- Compiles the selected list of files into one host file
- You can provide command line arguments
- It decompresses and executes the source program
Yet Another Binder
- Customizable options
- Supports Windows platforms
- Also known as YAB
Pretator Wrapper
- Wraps many files into a single executable

One Exe Maker / YAB / Pretator Wrappers
(Screenshots)
Packaging Tool: WordPad
You can insert OLE objects (example: EXE files) into a WordPad document and change the following using the built-in package editor:
- File name text
- Icon
- Execution commands
RemoteByMail
Remote control a computer by sending email messages. It can retrieve files or folders by sending commands through email. It is an easier and more secure way of accessing files or executing programs.
(Figure, Victim / Email / Attacker: "Any commands for me?", "Send me c:\creditcard.txt file", "Here is the file attached.", "File sent to the attacker")
Tool: Icon Plus
Icon Plus is a conversion program for translating icons between various formats.
An attacker can use this kind of application to disguise his malicious code or Trojan so that users are tricked into executing it.
Classic tool presented here as proof of concept
Defacing Application: Restorator
Restorator is a versatile skin editor for any Win32 program that changes images, icons, text, sounds, videos, dialogs, menus, and other parts of the user interface. User-styled Custom Applications (UCA) can be created by using this software. Restorator has many built-in tools. Powerful find-and-grab functions let the user retrieve resources from all files on their disks.
(Figure: Defaced calc.exe using Restorator)
Tetris
Games like Tetris, chess, and solitaire are perfect carriers for Trojans. They are easy to send by email, and it is easy to trick the "ignorant" users.
HTTP Trojans
The attacker must install a simple Trojan program on a machine in the internal network, the Reverse WWW shell server. Reverse WWW shell allows an attacker to access a machine on the internal network from the outside. On a regular basis, usually every 60 seconds, the internal server will try to access the external master system to pick up commands. If the attacker has typed something into the master system, this command is retrieved and executed on the internal system. Reverse WWW shell uses the standard HTTP protocol. It looks like an internal agent is browsing the web.

Trojan Attack through HTTP
(Figure: the Victim clicks a file to download; the Trojan attacks through an HTTP request across the Internet to the Server)

HTTP Trojan (HTTP RAT)
1. Generate server.exe
2. Infect the victim's computer with server.exe and plant the HTTP Trojan
3. The Trojan sends an email to the attacker with the location of an IP address

Shttpd Trojan - HTTP Server
SHTTPD is a small HTTP server that can easily be embedded inside any program. C++ source code is provided. Even though shttpd is NOT a Trojan, it can easily be wrapped with a chess.exe and turn a computer into an invisible web server. The shttpd Trojan is downloaded from http://www.eccouncil.org/cehtools/shttpd.zip.
Infect the victim computer with JOUST.EXE. Shttpd should be running in the background. The attacker is listening on port 443 (SSL); normally the firewall allows you through port 443. Connect to the victim using a web browser: IP 10.0.0.5:443, http://10.0.0.5:443
Reverse Connecting Trojans
1. Infect Rebecca's computer with server.exe and plant the Reverse Connecting Trojan
2. The Trojan connects to port 80 on the Hacker's machine in Russia, establishing a reverse connection. Yuri, the Hacker, sitting in Russia, is listening for clients to connect; he usually runs the listener service on port 80
3. Yuri, the Hacker, has complete control over Rebecca's machine
(Figure: Rebecca, Victim; Yuri, the Hacker)

Nuclear RAT Trojan (Reverse Connecting)
(Screenshot)
Tool: BadLuck Destructive Trojan
This is a dangerous and destructive tool. When executed, this tool destroys the operating system. The user will not be able to use the operating system after the machine has been infected by the Trojan.
DO NOT OPEN THIS FILE!
ICMP Tunneling
Covert channels are methods in which an attacker can hide the data in a protocol that is undetectable. Covert channels rely on techniques called tunneling, which allow one protocol to be carried over another protocol.
ICMP tunneling is a method of using ICMP echo-request and echo-reply as a carrier of any payload an attacker may wish to use in an attempt to stealthily access, or control, a compromised system.
ICMP Backdoor Trojan
ICMP Server command: icmpsrv -install
ICMP Client command: icmpsend <victim IP>
Commands are sent using the ICMP protocol.

Backdoor.Theef (AVP)
Using this Trojan, the server opens various ports on the victim's machine (e.g. ports 69, 4700, 13500 and 2800). Once compromised, the hacker can perform many functions on the victim's machine, rendering it completely vulnerable.
A brief list of the functions available:
- File system: upload/download, execute, etc.
- Registry: full editing
- System: force shutdown, disable mouse/keyboard, shutdown firewalls/AV software, set user name etc. (plus lots more)
- Spy: start/stop keylogger, grab logged data
- Machine Info: Email/dialup/user details - options to retrieve or set for all

- Remote messagebox
- Remote info
- Remote file browser (+ download, upload, delete, make/del dir)
- Remote shell
- Remote task manager (+ start/kill)
- Remote keylogger
- Remotely reboot or shutdown system
- Reverse connection (bypasses routers)
- More victims at the same time
- Unlimited number of hosts/ports to connect to
- Installing into a location where it is impossible to access with Windows Explorer
- Task manager process hider
- Windows firewall bypass

- Remote Web Downloader (Main Function)
  - Downloads and executes a file from the Internet remotely
  - Adds an admin user to the host and allows for remote desktop connection
    - Username: xplorer
    - Password: l3vel69
- Remove Server
  - Uninstalls the server from the host
- Shutdown
  - Shuts down the server but does not uninstall
- Shutoff, Log Off Victim's PC
- Full functioning and interactive File Manager
- Send Error Msgs
- System Info
- Change Wallpaper, System Colors

- Get Basic Computer Information
- Execute Command (sends back output!)
- Terminal Server (Remote Desktop) enabler/disabler
- File Browser with File Upload/Download/Execute/File Info
- List/Kill Processes
- Active or Offline keylogger
- Opens Windows Programs: Msconfig, Calculator, Paint, Narrator, NotePad, WordPad, RegEdit, Clock
- Enables/Disables Task Manager and Hides Shutdown
- Kills processes
- Tinyftpd [ControlPort] [BindPort] [UserName] [Password] [HomeDir] [AllowedIP] [Access] [-Hide]

- User: mohdjase1
- Key: 66618e869accfc4f96
- Registry access
- File upload/download
- Keylogger

- The Trojan Horse Construction Kit v2.0
- The Progenic Mail Trojan Construction Kit - PMT
- Pandora's Box
- Netstat
- Fport
- TCPView

- Process Viewer
- What's on my computer
- Insider
- What's running on my computer
- MS Config

- Ethereal

- It takes complete control over all running processes
- It shows all open ports and maps them to running processes
- It shows all DLLs loaded or windows opened by each process
- It terminates or blocks any process, and manages start-up applications and Browser Helper Objects (BHO)
- It tweaks and optimizes Windows
- It schedules a computer to shut down at a specified time

- Trojan Guard
- Trojan Hunter
- ZoneAlarm for Win 98 & up, 4.530
- WinPatrol for Win All, 6.0
- LeakTest, 1.2
- Kerio Personal Firewall, 2.1.5
- Sub-Net
- TAVScan
- SpyBot Search & Destroy
- Anti Trojan
- Cleaner

- Destroys malware and removes registry entries
- Does not require a reboot to remove all traces
- Disconnects the threat without disconnecting you
- Generates an optional report and safe copy of evidence
- Automatically sweeps and detects INSTANTLY in the background
- Configurable "Stealth mode" completely hides BOClean from users
- Updates automatically from a network file share
Backdoor.Theef (AVP): Screenshot

T2W (TrojanToWorm)
Use any file with the stub, transforming it into a worm.

Biorante RAT
Features:
- Highlighted connection list if webcam is detected
- Online Keylogger
- Screen Capture - PNG compression
- Webcam Capture - PNG compression
- Computer information with customizable script
- Uses only 1 port
- Each server assigns its own download folder\profile

Biorante RAT: Screenshots
DownTroj
DownTroj is a Trojan horse with the following features:
Coded in C/C++ and also has:

DownTroj: Screenshot

Turkojan
Turkojan can get remote passwords via an advanced password manager.
Trojan.Satellite-RAT
Elevated risks are typically installed without adequate notice and consent and may make unwanted changes to your system, such as reconfiguring your browser's homepage and search settings.

Yakoza
Added to Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
Old data: Explorer.exe
New data: explorer.exe svshost.exe
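As an added example (not from the module), the Python below checks the Winlogon Shell value that the Yakoza entry modifies: anything other than explorer.exe in that value is a finding, and names one or two characters away from a legitimate Windows binary (here svshost.exe versus svchost.exe) are called out as lookalikes. The `reg query` text is a constructed sample, and the lookalike list and edit-distance threshold are assumptions of this example.

```python
"""Check the Winlogon "Shell" registry value for persistence entries.
Added example, not from the CEH module. Input is the text printed by
   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
so the check runs offline on any OS; the sample below is constructed."""
import re

EXPECTED_SHELL = "explorer.exe"  # the only value Windows itself sets here
# Legitimate Windows binaries that persistence entries often imitate (assumed list).
LOOKALIKE_TARGETS = ("svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe")

# Constructed `reg query` output, modelled on the slide's "New data" line.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe svshost.exe
"""


def parse_reg_value(text, name):
    """Return the data of registry value `name` from `reg query` output, or None."""
    pat = re.compile(r"^\s*" + re.escape(name) + r"\s+REG_(?:EXPAND_)?SZ\s+(.*?)\s*$",
                     re.IGNORECASE | re.MULTILINE)
    m = pat.search(text)
    return m.group(1) if m else None


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_winlogon_shell(reg_text):
    """Return a list of findings for the Shell value; an empty list means baseline."""
    data = parse_reg_value(reg_text, "Shell")
    if data is None:
        return ["Shell value not found"]
    # Shell may hold several programs separated by spaces or commas.
    entries = [e for e in re.split(r"[\s,]+", data.strip()) if e]
    findings = []
    for entry in entries:
        low = entry.lower()
        if low == EXPECTED_SHELL:
            continue
        finding = f"unexpected shell entry: {entry}"
        for legit in LOOKALIKE_TARGETS:
            if low != legit and edit_distance(low, legit) <= 2:
                finding += f" (lookalike of {legit})"
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in check_winlogon_shell(SAMPLE_REG_QUERY):
        print(f)
```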
DarkLabel B4
DarkLabel is a firewall bypass reverse connection remote administration tool that allows you to remotely control computers that are behind firewalls and routers.

Trojan.Hav-Rat
Hav-Rat uses a reverse connection, so there is no need for opening ports on the target/user. This tool can mess with people and steal information.

Poison Ivy
PI is a reverse connection, forward remote administration tool, written in masm (server) and Delphi (client). PI does not use any plugins/dlls or any other files besides the server and does not drop any other files on the target system.

Poison Ivy: Screenshot 1
Poison Ivy: Screenshot 2

Rapid Hacker
Rapid Hacker can hack / crack / bypass the waiting limit at Rapidshare.com and Rapidshare.de.
SharK
- SharK uses the RC4 cipher to encrypt the traffic
- Keylogger works with WH_KEYBOARD_LL hooks
- Manipulate running processes, windows, and services from the remote console
- Interactive process blacklisting, which alerts the attacker if the blacklisted process is found on the victim's machine and prompts the attacker to take action
- Code injection into a hidden Internet Explorer window is an attempt to bypass firewalls

Shark: Screenshot 1
Shark: Screenshot 2
Shark: Screenshot 3

HackerzRat
TYO
It is an FTP keylogger and is compatible with Windows Vista.

1337 Fun Trojan
Criminal Rat Beta
VicSpy
Optix PRO
ProAgent
OD Client
Features:
- Windows XP & Windows Server Rooting (Remote desktop)
- Shutdown Server

AceRat
Features:

Mhacker-PS

RubyRAT Public
Features:

SINner

ConsoleDevil
ConsoleDevil is a small RAT (Remote Administration Tool) that allows you to take control over a remote computer's Windows console (command prompt), from where you can do almost everything, such as pinging servers or browsing directories.

ZombieRat
ZombieRat is made in Delphi 2005
Features:
FTP Trojan - TinyFTPD
TinyFTPD is a simple FTP Trojan which supports most of the standard FTPD commands. An IP can log in 8 times simultaneously.
Usage:
VNC Trojan
VNC Trojan starts a VNC Server daemon in the background when infected. It connects to the victim using any VNC viewer with the password "secret". Since the VNC program is considered a utility, this Trojan will never be detected by Anti Virus.

VNC Trojan: Screenshots
Webcam Trojan
Webcam Trojan provides an attacker with the capability of remotely controlling a machine via a client in the attacker's machine and a server in the victim's machine.

DJI RAT
Skiddie Rat
Biohazard RAT
Troya
Troya is a remote Trojan without a client, for controlling another PC from your PC. It is a web-based Trojan. After sending and running the server in the remote PC, you can put the IP address of that PC in your web browser, connect to that PC and take control of it.

ProRat
Activation Key:

Dark Girl
Remote Access
Works as a keylogger

DaCryptic
Functions:

Net-Devil
Trojan: PokerStealer.A
PokerStealer.A is a Trojan that heavily relies on social engineering. It comes with the filename PokerGame.app as a 65 KB Zip archive; unzipped, it is 180 KB.
When it runs, it activates ssh on the infected machine, then sends the user name and password hash, along with the IP address of the Mac, to a specified e-mail address with the subject "Howdy". It asks for an administrator's password after displaying a dialog saying, "A corrupt preference file has been detected and must be repaired". After obtaining the password the attacker can take control of the machine and delete all the necessary files.

PokerStealer.A: Screenshot
Trojan: Hovdy.a
Hovdy.a is an exploit for the recently revealed and unpatched privilege escalation bug in Apple Remote Desktop. It asks for an administrator's password by displaying a dialog saying, "A corrupt preference file has been detected and must be repaired".
It gathers the username, password and IP address from the infected system and sends them to the server. After obtaining the password the attacker can take control of the machine and delete all the files from the hard disk.

Hovdy.a: Screenshot
Classic Trojans

Classic Trojans Found in the Wild
Warning
These are classic outdated tools and are presented here for proof of concept (you will not be able to find the source code for these tools on the Internet). They are presented in this module so that you are encouraged to view the source code of these tools to understand the attack engineering behind them.
- Beast
- NetBus
- Phatbot
- Amitis
- QAZ
- SubSeven
- Netcat
- Back Orifice
- Back Orifice 2000
- Donald Dick
- Let me rule
- Tini
- RECUB
Trojan: Tini
Tini is a tiny Trojan program that is only 3 kb and programmed in assembly language. It takes minimal bandwidth to get on a victim's computer and it takes a small amount of disk space. Tini only listens on port 7777 and runs a command prompt when someone attaches to this port. The port number is fixed and cannot be customized. This makes it easier for a victim system to detect by scanning for port 7777. From a tini client, the attacker can telnet to the tini server at port 7777.
Source: http://ntsecurity.nu/toolbox/tini

Tini: Screenshot
Trojan: NetBus
NetBus is a Win32-based Trojan program. Like Back Orifice, NetBus allows a remote user to access and control the victim's machine by way of its Internet link. It was written by a Swedish programmer named Carl-Fredrik Neikter, in March 1998. This virus is also known as Backdoor.Netbus.
Source: http://www.jcw.cc/netbus-download.html
Classic Trojan presented here as proof of concept
Trojan: Netcat
Netcat is called the "Swiss-army knife" of networking tools. It provides a basic TCP/UDP networking subsystem that allows users to interact manually or via script with network applications.
- Outbound or inbound connections, TCP or UDP, to or from any ports
- Built-in port-scanning capabilities with randomizer
- Built-in loose source-routing capability
Cryptcat tool: Netcat with encryption

Netcat: Screenshot

Netcat Client/Server
Connect to the Netcat server; the server pushes a "shell" to the client.
Netcat server: C:> nc -L -p <port> -t -e cmd.exe
Netcat client: C:> nc <ip> <port>

Netcat Commands
Trojan: Beast
Beast is a powerful Remote Administration Tool (AKA Trojan) built with Delphi 7. One of the distinct features of the Beast is that it is an all-in-one Trojan (client, server, and server editor are stored in the same application). An important feature of the server is that it uses injecting technology. The new version has system time management.
Hacking Tools

Hacking Tool: Loki (www.phrack.com)
Loki was written by daemon9 to provide shell access over ICMP, making it much more difficult to detect than TCP- or UDP-based backdoors. As far as the network is concerned, a series of ICMP packets are shot back and forth: a ping, pong response. As far as the attacker is concerned, commands can be typed into the Loki client and executed on the server.
Classic tool presented here as proof of concept
Loki Countermeasures
Configure the firewall to block ICMP or limit the IPs allowed to send incoming and outgoing echo packets. Blocking ICMP will disable the ping request and may cause an inconvenience to users.
Be careful while deciding on security versus convenience. Loki also has the option to run over UDP port 53 (DNS queries and responses).
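As an added example (not from the module) covering both the ICMP Tunneling slide and the Loki countermeasures above, the Python below parses ICMP echo packets, verifies the RFC 1071 checksum, and flags echo traffic that does not look like ordinary pings, which is the inspection a firewall or sensor can apply when ICMP cannot simply be blocked. The packets are constructed in memory for the example, and the heuristics (the fixed Windows ping payload, a reply must echo its request byte for byte, mostly-text payloads are suspect) are this example's assumptions.

```python
"""Inspect ICMP echo request/reply packets for tunneling indicators.
Added example, not from the CEH module; all packets below are constructed."""
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
# Default 32-byte payload sent by the Windows ping utility.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Build an ICMP echo message with a valid checksum (used only to make test data)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet):
    """Return the ICMP header fields, the payload and whether the checksum verifies."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than 8-byte header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # Summing the whole packet including its checksum field yields 0 when intact.
    return {"type": icmp_type, "code": code, "ident": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}


def looks_like_tunnel(payload):
    """Heuristic (assumption): a payload that is not the known ping pattern and is
    either larger than a normal ping or made almost entirely of text is suspect."""
    if payload == WINDOWS_PING_PAYLOAD or payload == b"":
        return False
    if len(payload) > 64:
        return True
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    return printable / len(payload) > 0.9


def analyse_icmp_stream(packets):
    """Return [(reason, ident, seq)] findings over a sequence of raw ICMP packets.
    Pairs replies with requests by (ident, seq) and reports payload mismatches."""
    findings = []
    requests = {}
    for raw in packets:
        p = parse_icmp(raw)
        key = (p["ident"], p["seq"])
        if not p["checksum_ok"]:
            findings.append(("bad checksum", *key))
        if p["type"] == ICMP_ECHO_REQUEST:
            requests[key] = p["payload"]
            if looks_like_tunnel(p["payload"]):
                findings.append(("suspicious request payload", *key))
        elif p["type"] == ICMP_ECHO_REPLY:
            if key in requests and requests[key] != p["payload"]:
                findings.append(("reply payload differs from request", *key))
            elif looks_like_tunnel(p["payload"]):
                findings.append(("suspicious reply payload", *key))
    return findings


# Constructed traffic: one normal ping pair, then an exchange carrying text both ways.
NORMAL_REQ = build_echo(ICMP_ECHO_REQUEST, 0x0001, 1, WINDOWS_PING_PAYLOAD)
NORMAL_REP = build_echo(ICMP_ECHO_REPLY, 0x0001, 1, WINDOWS_PING_PAYLOAD)
TUNNEL_REQ = build_echo(ICMP_ECHO_REQUEST, 0x1337, 7, b"uptime\r\n")
TUNNEL_REP = build_echo(ICMP_ECHO_REPLY, 0x1337, 7, b"up 3 days, 4:21, load average 0.12\r\n")
SAMPLE_STREAM = [NORMAL_REQ, NORMAL_REP, TUNNEL_REQ, TUNNEL_REP]

if __name__ == "__main__":
    for reason, ident, seq in analyse_icmp_stream(SAMPLE_STREAM):
        print(f"id={ident:#06x} seq={seq}: {reason}")
```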
Atelier Web Remote Commander
- Access to the remote computer desktop
- Local files can be uploaded to the remote system
- Files can be remotely zipped or unzipped
- Allows sending or receiving the Clipboard contents like text, pictures, and Windows Clipboard formats
Trojan Horse Construction Kit

Trojan horse construction kits help attackers build Trojan horses of their choice.
The tools in these kits can be dangerous and can backfire if not executed properly.
Some of the Trojan kits available in the wild are as follows:
Trojan Detecting Tools
How to Detect Trojans

- Scan for suspicious open ports using tools such as:
- Scan for suspicious running processes using:
- Scan for suspicious registry entries using the following tools:
- Scan for suspicious network activities:
- Run a Trojan scanner to detect Trojans
Tool: Netstat

Netstat is used to display active TCP connections, IP routing tables, and the ports on which the computer is listening.
On Windows, netstat -ano lists every connection and listening port in numeric form together with the owning process ID, which is what the tools that follow map back to an application.
Tool: fport

fport reports all open TCP/IP and UDP ports and maps them to the owning application.
fport can be used to quickly identify unknown open ports and their associated applications.
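Netstat and fport answer the same question by hand; the following added example (not from the module) scripts it: parse `netstat -ano` and `tasklist /FO CSV` output, join each listener to its owning image, and compare against a per-host baseline. Both command outputs below are constructed, the baseline is an assumption for that one host, and the rules are triage cues rather than verdicts. The two hits are the cases the preceding slides describe: a listener owned by nc.exe (the `nc -L -p <port> -e cmd.exe` server) and a listener whose PID has no process in the list, which is what an injecting Trojan such as Beast looks like from this angle (or simply a process that exited between the two snapshots).

```python
"""Listening-port triage from `netstat -ano` and `tasklist /FO CSV` output.

Added example, not from the module.  It scripts what netstat, fport and
TCPView let you do by hand: join every listening socket to its owning
image and compare against what this host should be listening on.  Both
command outputs below are constructed, and the baseline is an assumption
for this one host, not a general allowlist.
"""
import csv
import io
import re

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       3120
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       4488
  TCP    192.168.1.10:49522     93.184.216.34:443      ESTABLISHED     2840
  UDP    0.0.0.0:500            *:*                                    1180
"""

# PID 4488 is deliberately missing: a listener with no visible owner.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","924","Services","0","9,876 K"
"svchost.exe","1180","Services","0","8,100 K"
"svchost.exe","1204","Services","0","12,400 K"
"chrome.exe","2840","Console","1","180,000 K"
"nc.exe","3120","Console","1","1,204 K"
"""

# Assumed baseline for this host: (protocol, port) -> expected owning image.
BASELINE = {("TCP", 135): "svchost.exe", ("TCP", 445): "System",
            ("TCP", 3389): "svchost.exe", ("UDP", 500): "svchost.exe"}

REMOTE_SHELL_BINARIES = {"nc.exe", "ncat.exe", "netcat.exe"}

_SOCKET = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Yield one dict per socket line; title and header lines are skipped."""
    for line in text.splitlines():
        m = _SOCKET.match(line)
        if m:
            proto, laddr, lport, faddr, state, pid = m.groups()
            yield {"proto": proto, "laddr": laddr, "lport": int(lport),
                   "faddr": faddr, "state": state or "", "pid": int(pid)}


def parse_tasklist(text):
    """Map PID -> image name from tasklist's CSV form."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def triage_listeners(netstat_text, tasklist_text, baseline=BASELINE):
    """Return (proto, port, pid, image, reason) for each suspicious listener."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for s in parse_netstat(netstat_text):
        if s["proto"] == "TCP" and s["state"] != "LISTENING":
            continue  # established/closing sockets are a separate review
        key = (s["proto"], s["lport"])
        image = procs.get(s["pid"])
        if image is None:
            reason = "listener owned by a PID absent from the process list"
        elif image.lower() in REMOTE_SHELL_BINARIES:
            reason = "listener owned by a remote-shell binary"
        elif key not in baseline:
            reason = "port not in the host baseline"
        elif baseline[key] != image:
            reason = "baseline owner mismatch (expected %s)" % baseline[key]
        else:
            continue
        findings.append((s["proto"], s["lport"], s["pid"], image, reason))
    return findings
```

Call `triage_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE)` on the samples, or feed it the two commands' real output captured from a host. The baseline rule is the one that carries the weight on a real system: a port you expect, owned by an image you do not, is the injection case, and the script only flags it if the baseline records the owner and not just the port.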
Tool: TCPView

TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses and the state of TCP connections.
When TCPView is run, it enumerates all active TCP and UDP endpoints, resolving all IP addresses to their domain names.
Tool: CurrPorts

CurrPorts allows you to view a list of the ports that are currently in use and the application that is using each one.
You can close a selected connection, terminate the process using it, and export all or selected items to an HTML or text report.
It is a valuable tool for checking your open ports.
Tool: Process Viewer

PrcView is a process viewer utility that displays detailed information about the processes running under Windows.
PrcView comes with a command-line version that allows the user to write scripts to check whether a process is running, to kill it, and so on.
The Process Tree shows the process hierarchy for all running processes.
Delete Suspicious Device Drivers

Check for kernel-based device drivers and remove the suspicious "sys" files.
Sometimes the file is locked while the system is running; boot the system in safe mode and delete the file.
If access is still denied, boot the system in console mode (the Recovery Console) and delete it there.
View the loaded drivers by going to Start -> All Programs -> Accessories -> System Tools -> System Information.
Check for Running Processes: What's on My Computer

It provides additional information about any file, folder, or program running on your computer.
Allows searching for information on the web.
Keeps out viruses and Trojans and keeps your computer secure.
Super System Helper Tool

The key features of the tool are as follows:

This tool does a good job of protecting systems from viruses, Trojans, and spyware.
Inzider - Tracks Processes and Ports
http://ntsecurity.nu/cgi-bin/download/inzider.exe.pl

This is a useful tool that lists the processes in a Windows system and the ports each one listens on.
For instance, under Windows 2000, Beast injects itself into other processes, so it is not visible in the Task Manager as a separate process; a port-to-process listing is one way to find the host process it is hiding in.

Tool: What's Running

It gives complete information about the processes, services, IP connections, modules, and drivers running on your computer.
Tool: MSConfig

The Microsoft System Configuration Utility, or MSCONFIG, is a tool used to troubleshoot problems with your computer.
Check for Trojan startup entries and disable them.

Tool: Registry - What's Running

Check the registry and remove Trojan startup entries.
Tool: Autoruns

This utility shows you what programs are configured to run during system bootup or login, and shows the entries in the order Windows processes them.
These programs include those in your startup folder, the Run and RunOnce keys, and other Registry keys.
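The same Run and RunOnce entries that Autoruns and MSConfig display can be pulled with `reg query` and checked by script. The following is an added example, not part of the module: it parses constructed `reg query` output, resolves the image each value launches, and applies three cues, a Windows system-binary name living outside the Windows directory, a script host or living-off-the-land binary as the launcher, and an image in a user-writable location. The sample entries, the user name and the environment-variable table are assumptions for one illustrative host.

```python
"""Triage of Run / RunOnce startup entries from `reg query` output.

Added example, not part of the module.  MSConfig, Autoruns and the
registry views show the same entries; this applies by script the cues an
analyst checks by eye.  The `reg query` text and the environment table
are constructed for one assumed host; the rules are triage cues only.
"""
import ntpath
import re

REG_QUERY_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    svchost    REG_SZ    C:\Users\alice\AppData\Roaming\svchost.exe
    Updater    REG_SZ    wscript.exe //B "C:\Users\alice\AppData\Local\Temp\upd.vbs"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    greeting    REG_SZ    C:\Users\alice\AppData\Local\Temp\card.exe
"""

# Assumed variable expansions for the sample host.
ENV = {"%windir%": "C:\\Windows", "%systemroot%": "C:\\Windows",
       "%temp%": "C:\\Users\\alice\\AppData\\Local\\Temp",
       "%appdata%": "C:\\Users\\alice\\AppData\\Roaming"}

WINDOWS_PREFIX = "c:\\windows\\"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
                "regsvr32.exe", "powershell.exe", "cmd.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe"}

_KEY = re.compile(r"^HKEY_[A-Z_]+\\")


def parse_reg_query(text):
    """Yield (key, value_name, data) for each value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if _KEY.match(line):
            key = line.strip()
            continue
        parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)  # name, type, data
        if key and len(parts) == 3:
            yield key, parts[0], parts[2]


def image_path(command):
    """Pull the launched executable out of a Run value's command line."""
    command = command.strip()
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    bare = re.match(r"(\S+?\.(?:exe|dll|bat|cmd|vbs|js|scr))(?=\s|$)", command, re.I)
    return bare.group(1) if bare else command.split()[0]


def expand(path):
    """Expand the environment variables listed in ENV (case-insensitive)."""
    for var, value in ENV.items():
        path = re.sub(re.escape(var), lambda _m: value, path, flags=re.I)
    return path


def triage_startup(text):
    """Return (hive, value_name, image, reason) for each entry worth a look."""
    findings = []
    for key, name, data in parse_reg_query(text):
        image = expand(image_path(data))
        low = image.lower()
        base = ntpath.basename(low)
        if base in SCRIPT_HOSTS:
            reason = "script host / LOLBin launcher, inspect its arguments: " + data
        elif base in SYSTEM_NAMES and not low.startswith(WINDOWS_PREFIX):
            reason = "system binary name outside the Windows directory"
        elif any(tag in low for tag in USER_WRITABLE):
            reason = "image in a user-writable location (verify the signer)"
        else:
            continue
        findings.append((key.split("\\")[0], name, image, reason))
    return findings
```

Run `triage_startup(REG_QUERY_SAMPLE)` on the sample, or on the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and its HKLM and RunOnce siblings. The user-writable rule is deliberately noisy: OneDrive is a legitimate per-user install and is flagged too, which is where the signer column in Autoruns or a hash lookup decides. The svchost.exe under Roaming and the wscript launcher pointing into Temp are the entries to act on first.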
Tool: HijackThis (System Checker)

Tool: StartupList
Anti-Trojan Software

There are many anti-Trojan software programs available from many vendors.
Below is a list of some of the anti-Trojan programs that are available for trial:
TrojanHunter

TrojanHunter is an advanced Trojan scanner and toolbox that searches for and removes Trojans from your system.
It uses several proven methods to find a wide variety of Trojans, such as file scanning, port scanning, memory scanning, and registry scanning.
It also allows you to add custom Trojan definitions and detection rules.
TrojanHunter: Screenshot

Features:
Comodo BOClean

Comodo BOClean protects your computer against Trojans, malware, and other threats.
It constantly scans your system in the background and intercepts any recognized Trojan activity.
The program can ask the user what to do, or run in unattended mode and automatically shut down and remove any suspected Trojan application.

Comodo BOClean: Screenshot
Trojan Remover: XoftspySE

Xoftspy detects and removes spyware trying to install on your PC.
It scans for more than 42,000 different spyware and adware parasites.
It finds and removes threats including spyware, worms, hijackers, adware, malware, keyloggers, hacker tools, PC parasites, Trojan horses, spy programs, and trackware.
It alerts about potentially harmful websites.

XoftspySE: Screenshot