CEHv6 Module 08: Trojans and Backdoors

Ethical Hacking and Countermeasures
Version 6

Module VIII
Trojans and Backdoors

Scenario

  Zechariah works for an insurance firm. Though a top performer for his branch, he never got credit from his manager, Ron. Ron was biased toward a particular sect of employees. On Ron's birthday all employees, including Zechariah, greeted him.

  Zechariah personally went to greet Ron and asked him to check his email, as a birthday surprise was awaiting him! Zechariah had planned something for Ron. Unaware of Zechariah's evil intention, Ron opens the bday.zip file. Ron extracts the contents of the file, runs bday.exe, and enjoys the flash greeting card.

  Zechariah had Ron infect his own computer with a Remote Control Trojan.

  What harm can Zechariah do to Ron? Is Zechariah's intention justified?

  Copyright © by EC-Council

News

  Source: http://www.canada.com/

Module Objective

This module will familiarize you with:

  • Trojans
  • Overt & Covert Channels
  • Types of Trojans and how a Trojan works
  • Indications of a Trojan attack
  • Different Trojans used in the wild
  • Tools for sending Trojans
  • Wrappers
  • ICMP Tunneling
  • Constructing a Trojan horse using a Construction Kit
  • Tools for detecting Trojans
  • Anti-Trojans
  • Avoiding Trojan infection

Module Flow

  Introduction to Trojans
  Overt & Covert Channels
  Types and Working of a Trojan
  Indications of Trojan Attack
  Different Trojans
  Tools to Send Trojans
  Wrappers
  ICMP Tunneling
  Trojan Construction Kit
  Tools to Detect Trojans
  Anti-Trojan Countermeasures

Introduction

  Malicious users are always on the prowl to sneak into networks and create trouble. Trojan attacks have affected several businesses around the globe. In most cases, it is the absent-minded user who invites trouble by downloading files or being careless about security aspects. This module covers different Trojans, the way they attack, and the tools used to send them across the network.

What is a Trojan?

  A Trojan is a small program that runs hidden on an infected computer. With the help of a Trojan, an attacker gets access to stored passwords on the Trojaned computer and would be able to read personal documents, delete files, display pictures, and/or show messages on the screen.

Overt and Covert Channels

  Overt Channel: A legitimate communication path within a computer system, or network, for the transfer of data.

  Covert Channel: A channel that transfers information within a computer system, or network, in a way that violates security policy.

  An overt channel can be exploited to create the presence of a covert channel by choosing, with care, components of the overt channel that are idle or not related.

  The simplest form of covert channel is a Trojan.

  (Figure: Keylogger.exe hidden inside Chess.exe)

Working of Trojans

  (Figure: Attacker - Internet - Trojaned System)

  An attacker gets access to the Trojaned system as the system goes online. Through the access provided by the Trojan, the attacker can stage different types of attacks.

Different Types of Trojans

  • Remote Access Trojans
  • Data-Sending Trojans
  • Destructive Trojans
  • Denial-of-Service (DoS) Attack Trojans
  • Proxy Trojans
  • FTP Trojans
  • Security Software Disablers

What Do Trojan Creators Look For?

  • Credit card information
  • Account data (email addresses, passwords, user names, and so on)
  • Confidential documents
  • Financial data (bank account numbers, social security numbers, insurance information, and so on)
  • Calendar information concerning the victim's whereabouts
  • Using the victim's computer for illegal purposes, such as to hack, scan, flood, or infiltrate other machines on the network or Internet

Different Ways a Trojan Can Get into a System

  • Instant Messenger applications
  • IRC (Internet Relay Chat)
  • Attachments
  • Physical access
  • Browser and email software bugs
  • NetBIOS (file sharing)
  • Fake programs
  • Untrusted sites and freeware software
  • Downloading files, games, and screen savers from Internet sites
  • Legitimate "shrink-wrapped" software packaged by a disgruntled employee

Indications of a Trojan Attack

  • CD-ROM drawer opens and closes by itself
  • Computer screen flips upside down or inverts
  • Wallpaper or background settings change by themselves
  • Documents or messages print from the printer by themselves
  • Computer browser goes to a strange or unknown web page by itself
  • Windows color settings change by themselves
  • Screen saver settings change by themselves

Indications of a Trojan Attack (cont'd)

  • Right and left mouse buttons reverse their functions
  • Mouse pointer disappears
  • Mouse pointer moves and functions by itself
  • Windows Start button disappears
  • Strange chat boxes appear on the victim's computer
  • The ISP complains to the victim that his/her computer is IP scanning

Indications of a Trojan Attack (cont'd)

  • People chatting with the victim know too much personal information about him or his computer
  • The computer shuts down and powers off by itself
  • The taskbar disappears
  • The account passwords are changed or unauthorized persons can access legitimate accounts
  • Strange purchase statements appear in the credit card bills
  • The computer monitor turns itself off and on
  • Modem dials and connects to the Internet by itself
  • Ctrl+Alt+Del stops working
  • While rebooting the computer, a message flashes that there are other users still connected

Ports Used by Trojans

  Trojan             Protocol   Ports
  Back Orifice       UDP        31337 or 31338
  Deep Throat        UDP        2140 and 3150
  NetBus             TCP        12345 and 12346
  Whack-a-mole       TCP        12361 and 12362
  NetBus 2 Pro       TCP        20034
  GirlFriend         TCP        21544
  Masters Paradise   TCP        3129, 40421, 40422, 40423 and 40426

How to Determine which Ports are "Listening"

  Go to Start -> Run -> cmd
  Type netstat -an
  Type netstat -an | findstr <port number>
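An added example (not from the CEH module) that automates the netstat check above: it parses the Windows `netstat -an` text format and reports any local port that appears in the page's Trojan port table. The netstat text inside the block is constructed for the example.

```python
"""Cross-check `netstat -an` output against the Trojan port table above.

Added example; it is not part of the CEH module. It parses the Windows
`netstat -an` text format and reports every local port that appears in
the page's Trojan/port table. The netstat text below is constructed
for the example; feed real output to find_trojan_ports() on a suspect
host.
"""
import re

# Trojan -> (protocol, ports), exactly as listed in the table on this page.
KNOWN_TROJAN_PORTS = {
    "Back Orifice":     ("UDP", {31337, 31338}),
    "Deep Throat":      ("UDP", {2140, 3150}),
    "NetBus":           ("TCP", {12345, 12346}),
    "Whack-a-mole":     ("TCP", {12361, 12362}),
    "NetBus 2 Pro":     ("TCP", {20034}),
    "GirlFriend":       ("TCP", {21544}),
    "Masters Paradise": ("TCP", {3129, 40421, 40422, 40423, 40426}),
}

# One socket line: proto, local addr:port, foreign addr[:port], optional state.
# Header lines ("Proto  Local Address ...") do not match and are skipped.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")

# Constructed sample of `netstat -an` on a Windows host (not real capture data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:12346     192.168.1.77:4410      ESTABLISHED
  TCP    192.168.1.10:1054      203.0.113.9:80         ESTABLISHED
  UDP    0.0.0.0:3150           *:*
  UDP    127.0.0.1:1900         *:*
"""


def parse_netstat(output):
    """Yield (proto, local_ip, local_port, state) for each socket line."""
    for line in output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, ip, port, _foreign, state = m.groups()
        yield proto, ip, int(port), state


def find_trojan_ports(output):
    """Return sorted (trojan, proto, port, local_ip, state) for every match.

    UDP sockets carry no state, so any bound UDP port in the table is
    reported. For TCP, LISTENING is the interesting case; an ESTABLISHED
    hit on an outbound connection may just be an ephemeral-port collision,
    so confirm the owning process (fport/TCPView) before acting on it.
    """
    hits = []
    for proto, ip, port, state in parse_netstat(output):
        for name, (t_proto, ports) in KNOWN_TROJAN_PORTS.items():
            if proto == t_proto and port in ports:
                hits.append((name, proto, port, ip, state))
    return sorted(hits)


if __name__ == "__main__":
    for name, proto, port, ip, state in find_trojan_ports(SAMPLE_NETSTAT):
        print(f"{name:<17} {proto} {ip}:{port} {state or '(no state)'}")
```

On a real host, pipe `netstat -an` into a file and pass its contents to find_trojan_ports(); a hit is a lead, not proof, until the owning process is identified.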

Trojans

Trojan: iCmd

  iCmd works like tini.exe but accepts multiple connections, and you can set a password.

  Window 1: Type icmd.exe 54 jason

  Window 2: Type telnet <IP add>, password jason

MoSucker Trojan

  MoSucker is a Trojan that enables an attacker to get nearly complete control over an infected PC. When this program is executed, the attacker gets remote access on the infected machine.

MoSucker Trojan: Screenshot

Proxy Server Trojan

  This tool, when infected, starts a hidden proxy server on the victim's computer.

  Thousands of machines on the Internet are infected with proxy servers using this technique.

Proxy Server Trojan (cont'd)

  Type mcafee 8080 on the victim machine (you can specify any port you like). You can also wrap this trojan using One File EXE Maker. Set the IP address and port of the proxy server in IE.

  (Figure: TARGET - INTERNET - PROXY - ATTACKER)

SARS Trojan Notification

  SARS Trojan notification sends the location of the victim's IP address to the attacker. Whenever the victim's computer connects to the Internet, the attacker receives the notification.

  Notification types:

  • SIN Notification: directly notifies the attacker's server
  • ICQ Notification: notifies the attacker using ICQ channels
  • PHP Notification: sends the data by connecting to a PHP server on the attacker's server
  • E-Mail Notification: sends the notification through email
  • Net Send Notification: the notification is sent through the net send command
  • CGI Notification: sends the data by connecting to a PHP server on the attacker's server
  • IRC Notification: notifies the attacker using IRC channels

  (Figure: Attacker; Victims infected with Trojans)

SARS Trojan Notification (cont'd)

Wrappers

  How does an attacker get a Trojan installed on the victim's computer? Answer: Using wrappers.

  Chess.exe (90 k) + Trojan.exe (20 k) = Chess.exe (110 k)

  A wrapper attaches a given EXE application (such as games or office applications) to the Trojan executable. The two programs are wrapped together into a single file. When the user runs the wrapped EXE, it first installs the Trojan in the background and then runs the wrapped application in the foreground. The user only sees the latter application.

  Attackers might send a birthday greeting that will install a Trojan as the user watches, for example, a birthday cake dancing across the screen.

Wrapper Covert Program

  Graffiti.exe is an example of a legitimate file that can be used to drop the Trojan into the target system. This program runs as soon as Windows boots up and, on execution, keeps the user distracted for a given period of time by running on the desktop.

Wrapping Tools

One File EXE Maker

  • Combines two or more files into a single file
  • Compiles the selected list of files into one host file
  • You can provide command line arguments
  • It decompresses and executes the source program

Yet Another Binder

  • Customizable options
  • Supports Windows platforms
  • Also known as YAB

Pretator Wrapper

  • Wraps many files into a single executable

One Exe Maker / YAB / Pretator Wrappers: Screenshots
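The wrapper section describes two executables glued into one file. As an added example (not from the CEH module or any of the wrapper tools above), the following scanner looks for that trace from the defender's side: more than one valid MZ/PE image in a single file, with the extra image sitting in the overlay after the host program's last section. The sample images are constructed byte layouts built by the helper _fake_pe(); they are never executed.

```python
"""Find a second executable bound onto a Windows EXE (wrapper indicator).

Added example, not part of the CEH module. A wrapper/binder appends the
Trojan to the host program, so the file often contains more than one
MZ/PE image, the extra one sitting in the overlay after the host's last
section. This scanner validates every "MZ" whose e_lfanew points at a
real "PE\\0\\0" signature and measures the overlay. The sample images are
constructed layouts (never executed), built by _fake_pe() below.
Binders that compress or encrypt the payload defeat the header search;
for them only the overlay size remains as a hint.
"""
import struct


def _pe_header_at(data, off):
    """PE signature offset if a valid MZ/PE image starts at `off`, else None."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    return pe


def _image_end(data, off, pe):
    """Offset just past the image's last section (end of the on-disk image)."""
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sect = pe + 24 + opt_size
    end = sect + 40 * num_sections            # at least the headers
    if end > len(data):                       # truncated or bogus section table
        return len(data)
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, off + raw_ptr + raw_size)
    return end


def find_pe_images(data):
    """Return [(start, pe_header, end)] for every valid PE image in `data`."""
    images = []
    pos = data.find(b"MZ")
    while pos != -1:
        pe = _pe_header_at(data, pos)
        if pe is not None:
            images.append((pos, pe, _image_end(data, pos, pe)))
        pos = data.find(b"MZ", pos + 1)
    return images


def wrapper_indicators(data):
    """Summarise embedded-image count and overlay size for a file's bytes."""
    images = find_pe_images(data)
    if not images or images[0][0] != 0:
        return {"pe_images": len(images), "overlay_bytes": 0, "suspicious": False}
    overlay = max(0, len(data) - images[0][2])
    # A second image after the host's end is the wrapper signature; a bare
    # overlay alone is weaker (signed files keep their certificate there).
    return {"pe_images": len(images), "overlay_bytes": overlay,
            "suspicious": len(images) > 1}


def _fake_pe(body):
    """Minimal PE layout (DOS stub, COFF header, one section) for the sample."""
    pe_off = 0x40
    raw_ptr = pe_off + 24 + 40                # headers, then the section data
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    section = (b".text\0\0\0"
               + struct.pack("<IIII", len(body), 0x1000, len(body), raw_ptr)
               + b"\0" * 16)
    return dos + coff + section + body


# Constructed samples: a "host" game and a "trojan" stub, then the bound file.
HOST_SAMPLE = _fake_pe(b"chess program code " * 8)
TROJAN_SAMPLE = _fake_pe(b"remote control stub")
WRAPPED_SAMPLE = HOST_SAMPLE + TROJAN_SAMPLE

if __name__ == "__main__":
    for label, blob in (("host", HOST_SAMPLE), ("wrapped", WRAPPED_SAMPLE)):
        print(label, wrapper_indicators(blob))
```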

  

Packaging Tool: WordPad

  You can insert an OLE object (example: EXE files) into a WordPad document and change the following using the built-in package editor:

  • File name text
  • Icon
  • Execution commands

  (Figure: numbered screenshots 1 to 5 of the package editor)

RemoteByMail

  Remote control a computer by sending email messages. It can retrieve files or folders by sending commands through email. It is an easier and more secure way of accessing files or executing programs.

  (Figure: Victim - Email - Attacker. "Any commands for me?" / "Send me c:\creditcard.txt file" / "Here is the file attached." / File sent to the attacker)

Tool: Icon Plus

  Icon Plus is a conversion program for translating icons between various formats.

  An attacker can use this kind of application to disguise his malicious code or Trojan so that users are tricked into executing it.

  Classic tool presented here as proof of concept

Defacing Application: Restorator

  Restorator is a versatile skin editor for any Win32 program that changes images, icons, text, sounds, videos, dialogs, menus, and other parts of the user interface. User-styled Custom Applications (UCA) can be created by using this software. Restorator has many built-in tools. Powerful find-and-grab functions let the user retrieve resources from all files on their disks.

  (Figure: Defaced calc.exe using Restorator)

Tetris

  Games like Tetris, chess, and solitaire are perfect carriers for Trojans. They are easy to send by email, and it is easy to trick the "ignorant" users.

HTTP Trojans

  Reverse WWW shell allows an attacker to access a machine on the internal network from the outside. The attacker must install a simple Trojan program on a machine in the internal network, the Reverse WWW shell server. On a regular basis, usually every 60 seconds, the internal server will try to access the external master system to pick up commands. If the attacker has typed something into the master system, this command is retrieved and executed on the internal system. Reverse WWW shell uses the standard HTTP protocol; it looks like an internal agent is browsing the web.

Trojan Attack through HTTP

  (Figure: the Victim clicks a file to download; the Trojan attacks through HTTP requests over the Internet to the Server)

HTTP Trojan (HTTP RAT)

  (Figure: 1. Generate server.exe. 2. Infect the victim's computer with server.exe and plant the HTTP Trojan. 3. The Trojan sends an email to the attacker with the location of an IP address.)

Shttpd Trojan - HTTP Server

  SHTTPD is a small HTTP server that can easily be embedded inside any program. C++ source code is provided. Even though shttpd is NOT a trojan, it can easily be wrapped with a chess.exe and turn a computer into an invisible Web Server. The shttpd Trojan is downloaded from http://www.eccouncil.org/cehtools/shttpd.zip.

  Infect the victim computer with JOUST.EXE; shttpd should be running in the background. The attacker listens on port 443 (SSL); normally the firewall allows you through port 443. Connect to the victim using a web browser: http://10.0.0.5:443

  (Figure: Attacker - Web Browser - Victim, IP 10.0.0.5:443)

  

Reverse Connecting Trojans

  1. Infect (Rebecca's) computer with server.exe and plant the Reverse Connecting Trojan.
  2. The Trojan connects to port 80 of the Hacker in Russia, establishing a reverse connection. Yuri, the Hacker, sitting in Russia, is listening for clients to connect; he usually runs the listener service on port 80.
  3. Yuri, the Hacker, has complete control over Rebecca's machine.

  (Figure: Rebecca, the Victim; Yuri, the Hacker)

Nuclear RAT Trojan (Reverse Connecting)

Tool: BadLuck Destructive Trojan

  This is a dangerous and destructive tool. When executed, this tool destroys the operating system. The user will not be able to use the operating system after the machine has been infected by the Trojan.

  DO NOT OPEN THIS FILE!

ICMP Tunneling

  Covert channels are methods by which an attacker can hide data in a protocol in a way that is undetectable. Covert channels rely on techniques called tunneling, which allow one protocol to be carried over another protocol.

  ICMP tunneling is a method of using ICMP echo-request and echo-reply as a carrier of any payload an attacker may wish to use in an attempt to stealthily access, or control, a compromised system.

ICMP Backdoor Trojan

  ICMP Server - Command: icmpsrv -install
  ICMP Client - Command: icmpsend <victim IP>

  Commands are sent using the ICMP protocol.

Backdoor.Theef (AVP)

  Using this Trojan, the server opens various ports on the victim's machine (eg. ports 69, 4700, 13500 and 2800). Once compromised, the hacker can perform many functions on the victim's machine, rendering it completely vulnerable.

  A brief list of the functions available:

  • File system: upload/download, execute, etc.
  • Registry: full editing
  • System: force shutdown, disable mouse/keyboard, shutdown firewalls/AV software, set user name etc. (plus lots more)
  • Spy: start/stop keylogger, grab logged data
  • Machine Info: Email/dialup/user details - options to retrieve or set for all

Backdoor.Theef (AVP): Screenshot

T2W (TrojanToWorm)

  Use any file with the stub, transforming it into a worm.

Biorante RAT

  Features:

  • Highlighted connection list if webcam is detected
  • Online Keylogger
  • Screen Capture - PNG compression
  • Webcam Capture - PNG compression
  • Computer information with customizable script
  • Uses only 1 port
  • Each server assigns its own download folder\profile

Biorante RAT: Screenshots

DownTroj

  DownTroj is a Trojan horse with the following features:

  • Remote messagebox
  • Remote info
  • Remote file browser (+ download, upload, delete, make/del dir)
  • Remote shell
  • Remote task manager (+ start/kill)
  • Remote keylogger
  • Remotely reboot or shutdown system

  Coded in C/C++ and also has:

  • Reverse connection (bypasses routers)
  • More victims at the same time
  • Unlimited number of hosts/ports to connect to
  • Installing into a location where it is impossible to access with Windows Explorer
  • Task manager process hider
  • Windows firewall bypass

DownTroj: Screenshot

Turkojan

  Turkojan can get remote passwords via an advanced password manager.

Trojan.Satellite-RAT

  Elevated risks are typically installed without adequate notice and consent and may make unwanted changes to your system, such as reconfiguring your browser's homepage and search settings.

Yakoza

  Added to Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
  Old data: Explorer.exe
  New data: explorer.exe svshost.exe

DarkLabel B4

  DarkLabel is a firewall bypass reverse connection remote administration tool that allows you to remotely control computers that are behind firewalls and routers.

Trojan.Hav-Rat

  Hav-Rat uses reverse connection, so there is no need for opening ports on the target/user. This tool can mess with people and steal information.

Poison Ivy

  PI is a reverse connection, forward remote administration tool, written in masm (server) and Delphi (client). PI does not use any plugins/dlls or any other files besides the server and does not drop any other files on the target system.

Poison Ivy: Screenshot 1

Poison Ivy: Screenshot 2

Rapid Hacker

  Rapid Hacker can hack / crack / bypass the waiting limit at Rapidshare.com and Rapidshare.de.

SharK

  • SharK uses the RC4 cipher to encrypt the traffic
  • Keylogger works with WH_KEYBOARD_LL hooks
  • Manipulate running processes, windows, and services from the remote console
  • Interactive process blacklisting, which alerts the attacker if the blacklisted process is found on the victim's machine and prompts the attacker to take action
  • Code injection into a hidden Internet Explorer window is an attempt to bypass firewalls

Shark: Screenshot 1

Shark: Screenshot 2

Shark: Screenshot 3

HackerzRat

TYO

  It is an FTP keylogger and is compatible with Windows Vista.

1337 Fun Trojan

Criminal Rat Beta

VicSpy

Optix PRO

ProAgent

OD Client

  Features:

  • Remote Web Downloader (main function): downloads and executes a file from the Internet remotely
  • Windows XP & Windows Server Rooting (Remote Desktop): adds an admin user to the host and allows for remote desktop connection. Username: xplorer; Password: l3vel69
  • Remove Server: uninstalls the server from the host
  • Shutdown Server: shuts down the server but does not uninstall

AceRat

  Features:

  • Shut off, log off victim's PC
  • Fully functioning and interactive File Manager
  • Send error messages
  • System info
  • Change wallpaper, system colors

Mhacker-PS

RubyRAT Public

  Features:

  • Get basic computer information
  • Execute command (sends back output!)
  • Terminal Server (Remote Desktop) enabler/disabler
  • File browser with file upload/download/execute/file info
  • List/kill processes
  • Active or offline keylogger

SINner

ConsoleDevil

  ConsoleDevil is a small RAT (Remote Administration Tool) that allows you to take control over a remote computer's Windows console (command prompt), from where you can do almost everything, such as pinging servers and browsing directories.

ZombieRat

  ZombieRat is made in Delphi 2005.

  Features:

  • Opens Windows programs: Msconfig, Calculator, Paint, Narrator, NotePad, WordPad, RegEdit, Clock
  • Enables/disables Task Manager and hides the Shutdown button
  • Kills processes

FTP Trojan - TinyFTPD

  TinyFTPD is a simple FTP Trojan which supports most of the standard FTPD commands. An IP can log in 8 times simultaneously.

  Usage:

  • Tinyftpd [ControlPort] [BindPort] [UserName] [Password] [HomeDir] [AllowedIP] [Access] [-Hide]

VNC Trojan

  VNC Trojan starts a VNC Server daemon in the background when infected. It connects to the victim using any VNC viewer with the password "secret". Since the VNC program is considered a utility, this Trojan will never be detected by anti-virus.

VNC Trojan: Screenshots

Webcam Trojan

  Webcam Trojan provides an attacker with the capability of remotely controlling a machine via a client on the attacker's machine and a server on the victim's machine.

DJ I RAT

Skiddie Rat

Biohazard RAT

Troya

  Troya is a remote Trojan without a client, for controlling another PC from your PC. It is a web-based Trojan. After sending and running the server on the remote PC, you can put the IP address of that PC in your web browser, connect to that PC, and take control of it.

ProRat

  Activation Key:

  • User: mohdjase1
  • Key: 66618e869accfc4f96

Dark Girl

  Remote access; works as a keylogger.

DaCryptic

  Functions:

  • Registry access
  • File upload/download
  • Keylogger

Net-Devil

Trojan: PokerStealer.A

  PokerStealer.A is a Trojan that heavily relies on social engineering. It comes with the filename PokerGame.app as a 65 KB Zip archive; unzipped, it is 180 KB.

  When it runs, it activates ssh on the infected machine, then sends the user name and password hash, along with the IP address of the Mac, to a specified e-mail address with the subject "Howdy". It asks for an administrator's password after displaying a dialog saying, "A corrupt preference file has been detected and must be repaired". After obtaining the password the attacker can take control of the machine and delete all the necessary files.

PokerStealer.A: Screenshot

Trojan: Hovdy.a

  Hovdy.a is an exploit for the recently revealed and unpatched privilege escalation bug in Apple Remote Desktop. It asks for an administrator's password by displaying a dialog saying, "A corrupt preference file has been detected and must be repaired".

  It gathers the username, password and IP address from the infected system and sends them to the server. After obtaining the password the attacker can take control of the machine and delete all the files from the hard disk.

Hovdy.a: Screenshot

Classic Trojans

Classic Trojans Found in the Wild

  Warning

  These are classic outdated tools and are presented here for proof of concept (you will not be able to find the source code for these tools on the Internet). They are presented in this module so that you are encouraged to view the source code of these tools to understand the attack engineering behind them.

  • Beast
  • NetBus
  • Phatbot
  • Amitis
  • QAZ
  • SubSeven
  • Netcat
  • Back Orifice
  • Back Orifice 2000
  • Donald Dick
  • Let me rule
  • Tini
  • RECUB

Trojan: Tini

  Tini is a tiny Trojan program that is only 3 kb and programmed in assembly language. It takes minimal bandwidth to get onto a victim's computer and it takes a small amount of disk space. Tini only listens on port 7777 and runs a command prompt when someone attaches to this port. The port number is fixed and cannot be customized. This makes it easier for a victim system to detect by scanning for port 7777. From a tini client, the attacker can telnet to the tini server at port 7777.

  Source: http://ntsecurity.nu/toolbox/tini

Tini: Screenshot

Trojan: NetBus

  NetBus is a Win32-based Trojan program. Like Back Orifice, NetBus allows a remote user to access and control the victim's machine by way of its Internet link. It was written by a Swedish programmer named Carl-Fredrik Neikter, in March 1998. This virus is also known as Backdoor.Netbus.

  Source: http://www.jcw.cc/netbus-download.html

  Classic Trojan presented here as proof of concept

Trojan: Netcat

  Netcat is called the "swiss-army" knife of networking tools. It provides a basic TCP/UDP networking subsystem that allows users to interact manually or via script with network applications:

  • Outbound or inbound connections, TCP or UDP, to or from any ports
  • Built-in port-scanning capabilities with randomizer
  • Built-in loose source-routing capability

  Cryptcat tool: Netcat with encryption

Netcat: Screenshot

Netcat Client/Server

  Connect to the Netcat server; the server pushes a "shell" to the client.

  Netcat server: C:> nc -L -p <port> -t -e cmd.exe
  Netcat client: C:> nc <ip> <port>

Netcat Commands

Trojan: Beast

  Beast is a powerful Remote Administration Tool (AKA Trojan) built with Delphi 7. One of the distinct features of the Beast is that it is an all-in-one Trojan (client, server, and server editor are stored in the same application). An important feature of the server is that it uses injecting technology. The new version has system time management.

Hacking Tools

Hacking Tool: Loki (www.phrack.com)

  Loki was written by daemon9 to provide shell access over ICMP, making it much more difficult to detect than TCP- or UDP-based backdoors. As far as the network is concerned, a series of ICMP packets are shot back and forth: a ping, pong response. As far as the attacker is concerned, commands can be typed into the Loki client and executed on the server.

  Classic tool presented here as proof of concept

Loki Countermeasures

  Configure the firewall to block ICMP or limit the allowable IPs for incoming and outgoing echo packets. Blocking ICMP will disable the ping request and may cause an inconvenience to users.

  Be careful while deciding on security versus convenience. Loki also has the option to run over UDP port 53 (DNS queries and responses).
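Where blocking ICMP outright is too inconvenient, the next countermeasure is to inspect the echo traffic itself. The following added example (not from the CEH module, and not Loki's code) applies two checks that follow from the ICMP Tunneling and Loki sections: a real echo reply repeats the request payload byte for byte, whereas a tunnel's "pong" carries command output; and ping utilities send a fixed fill pattern, whereas tunnel requests carry attacker data that looks random. The packet records are constructed, not a capture; the UDP/53 variant mentioned above is out of scope here.

```python
"""Spot ICMP tunnel traffic (Loki-style) in a stream of echo packets.

Added example; not part of the CEH module or of Loki. Two checks follow
from how the tunnel works: the "pong" carries command output, so a
reply whose payload differs from its request is not a real echo; and the
request payload is attacker data rather than the fixed fill that ping
utilities send. Packets below are constructed records, not a capture.
"""
import math
from collections import Counter, namedtuple

Icmp = namedtuple("Icmp", "src dst icmp_type ident seq payload")
ECHO_REPLY, ECHO_REQUEST = 0, 8
HIGH_ENTROPY = 5.0  # bits/byte; encrypted tunnel data sits near 6-8

WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32 bytes


def looks_like_standard_ping(payload):
    """True for the fill pattern used by Windows ping or Unix ping."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # Unix ping: 8-byte timestamp, then bytes 0x10, 0x11, ... filling the rest.
    body = payload[8:]
    return len(payload) >= 16 and body == bytes(range(0x10, 0x10 + len(body)))


def shannon_entropy(data):
    """Bits per byte; 8.0 means uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(packets):
    """Return (src, dst, ident, seq, reason) for each suspicious packet."""
    findings = []
    requests = {}
    for p in packets:
        if p.icmp_type == ECHO_REQUEST:
            requests[(p.src, p.dst, p.ident, p.seq)] = p
            if (not looks_like_standard_ping(p.payload)
                    and shannon_entropy(p.payload) >= HIGH_ENTROPY):
                findings.append((p.src, p.dst, p.ident, p.seq,
                                 "nonstandard-high-entropy"))
        elif p.icmp_type == ECHO_REPLY:
            # A genuine reply mirrors the request's id/seq and payload.
            req = requests.get((p.dst, p.src, p.ident, p.seq))
            if req is None:
                findings.append((p.src, p.dst, p.ident, p.seq,
                                 "unsolicited-reply"))
            elif req.payload != p.payload:
                findings.append((p.src, p.dst, p.ident, p.seq,
                                 "reply-payload-mismatch"))
    return findings


# Constructed traffic: one normal ping exchange, one Loki-style exchange
# (byte patterns stand in for the encrypted command and its output), and
# one reply nobody asked for.
_CMD = bytes((i * 73 + 19) % 256 for i in range(64))
_OUT = bytes((i * 37 + 5) % 256 for i in range(64))
SAMPLE_TRAFFIC = [
    Icmp("10.0.0.5", "10.0.0.1", ECHO_REQUEST, 1, 1, WINDOWS_PING_PAYLOAD),
    Icmp("10.0.0.1", "10.0.0.5", ECHO_REPLY, 1, 1, WINDOWS_PING_PAYLOAD),
    Icmp("10.0.0.5", "203.0.113.9", ECHO_REQUEST, 0xF001, 7, _CMD),
    Icmp("203.0.113.9", "10.0.0.5", ECHO_REPLY, 0xF001, 7, _OUT),
    Icmp("198.51.100.4", "10.0.0.5", ECHO_REPLY, 9, 1,
         b"\0" * 8 + bytes(range(0x10, 0x40))),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_TRAFFIC):
        print(finding)
```

Hosts that legitimately send odd ping payloads (monitoring agents, custom ping sizes) will trip the entropy rule, so tune HIGH_ENTROPY and whitelist such senders before alerting on it; the payload-mismatch rule has far fewer benign explanations.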

Atelier Web Remote Commander

  • Access to the remote computer desktop
  • Local files can be uploaded to the remote system
  • Files can be remotely zipped or unzipped
  • Allows sending or receiving the Clipboard contents, like text, pictures, and Windows Clipboard formats

Trojan Horse Construction Kit

  Trojan Horse construction kits help hackers to construct Trojan horses of their choice.

  The tools in these kits can be dangerous and can backfire if not executed properly.

  Some of the Trojan kits available in the wild are as follows:

  • The Trojan Horse Construction Kit v2.0
  • The Progenic Mail Trojan Construction Kit - PMT
  • Pandora's Box

Trojan Detecting Tools

How to Detect Trojans

  Scan for suspicious open ports using tools such as:

  • Netstat
  • Fport
  • TCPView

  Scan for suspicious running processes using:

  • Process Viewer
  • What's on my computer
  • Insider

  Scan for suspicious registry entries using the following tools:

  • What's running on my computer
  • MS Config

  Scan for suspicious network activities:

  • Ethereal

  Run a Trojan scanner to detect Trojans.

Tool: Netstat

  Netstat is used to display active TCP connections, IP routing tables, and the ports on which the computer is listening.

Tool: fPort

  fport reports all open TCP/IP and UDP ports, and maps them to the owning application.

  fport can be used to quickly identify unknown open ports and their associated applications.

Tool: TCPView

  TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses and the state of TCP connections.

  When TCPView is run, it enumerates all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions.

CurrPorts Tool

  CurrPorts allows you to view a list of the ports that are currently in use and the application that is using each one.

  You can close a selected connection and also terminate the process using it, and export all or selected items to an HTML or text report.

  It is a valuable tool for checking your open ports.

Tool: Process Viewer

  PrcView is a process viewer utility that displays detailed information about the processes running under Windows.

  PrcView comes with a command-line version that allows the user to write scripts to check if a process is running, to kill it, and so on.

  The Process Tree shows the process hierarchy for all running processes.

Delete Suspicious Device Drivers

  Check for kernel-based device drivers and remove the suspicious "sys" files.

  Sometimes the file is locked while the system is running; boot the system in safe mode and delete the file. If you still get "access denied," boot the system in console mode and delete the files.

  View the loaded drivers by going to Start → All Programs → Accessories → System Tools → System Information.

Check for Running Processes: What's on My Computer

  • It provides additional information about any file, folder, or program running on your computer
  • Allows search of information on the web
  • Keeps out viruses and Trojans
  • Keeps your computer secure

Super System Helper Tool

  The key features of the tool are as follows:

  • It takes complete control over all running processes
  • It shows all open ports and maps them to running processes
  • It shows all DLLs loaded or Windows opened by each process
  • It terminates or blocks any process, and manages start-up applications and Browser Helper Objects (BHO)
  • It tweaks and optimizes Windows
  • It schedules a computer to shut down at a specified time

  This tool does a good job protecting systems from viruses, Trojans, and Spyware.

Inzider - Tracks Processes and Ports

  http://ntsecurity.nu/cgi-bin/download/inzider.exe.pl

  This is a useful tool that lists the processes in the Windows system and the ports each one listens on.

  For instance, under Windows 2000, Beast injects itself into other processes, so it is not visible in the Task Manager as a separate process.

Tool: What's Running

  It gives complete information about the processes, services, IP connections, modules, and drivers running on your computer.

Tool: MSConfig

  The Microsoft System Configuration Utility, or MSCONFIG, is a tool used to troubleshoot problems with your computer.

  Check for Trojan startup entries and disable them.

Tool: Registry - What's Running

  Check the registry and remove Trojan startup entries.

Tool: Autoruns

  This utility shows you what programs are configured to run during system bootup or login, and shows the entries in the order Windows processes them. These programs include those in your startup folder, Run, RunOnce, and other Registry keys.
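MSConfig, What's Running and Autoruns all present the same Run and RunOnce entries for a human to judge; the judgement itself ("does this autostart belong here?") can be written down as rules and applied to an exported copy of those keys. The script below is an added example written for this page, not EC-Council's material or Autoruns' code: it parses a constructed `.reg` export (regedit's Export format) of the Run/RunOnce keys, so it runs on any OS, and the sample entries, the user-writable directory list and the core-process name list are assumptions for illustration, to be replaced with your own environment's baseline.

```python
"""Triage autostart entries from a constructed registry export.

Added example, not part of the CEH slides: the "check for Trojan startup
entries" step from the MSConfig / Registry / Autoruns slides, scripted over a
constructed `.reg` export of the Run and RunOnce keys so it runs on any OS.
The sample entries and the location rules are assumptions for illustration.
"""
import re

# Constructed `.reg` export (regedit "Export" format): values are quoted, and
# backslashes and quotes inside them are escaped with a backslash.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"RtkAudio"="\"C:\\Program Files\\Realtek\\Audio\\HDA\\RtkNGUI64.exe\" -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\ron\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\ron\\AppData\\Local\\Temp\\bday.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Update"="rundll32.exe C:\\Users\\ron\\AppData\\Roaming\\update.dll,Start"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Any drive-letter path ending in a code-carrying extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|bat|cmd|vbs|js|ps1|scr)\b', re.I)
# Signed Windows hosts that are commonly used to launch code from elsewhere.
HOST_RE = re.compile(r'^"?(?:[^"\s]*\\)?(rundll32|regsvr32|mshta|wscript|cscript)\.exe\b', re.I)

# Assumed rules: user-writable locations that legitimate autostarts rarely use,
# and names of core Windows processes that should only live under \Windows\.
SUSPICIOUS_DIRS = ("\\temp\\", "\\downloads\\", "\\appdata\\roaming\\", "\\public\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def _unescape(s):
    """Undo .reg escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return [(key, value_name, command)] for every string value in the export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def triage(entries):
    """Return [(key, name, command, reasons)] for entries worth a second look."""
    findings = []
    for key, name, command in entries:
        reasons = []
        paths = PATH_RE.findall(command)
        for p in paths:
            low = p.lower()
            if any(d in low for d in SUSPICIOUS_DIRS):
                reasons.append(f"runs from a user-writable directory: {p}")
            if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\" not in low:
                reasons.append(f"core Windows process name outside \\Windows\\: {p}")
        if name.lower() + ".exe" in SYSTEM_NAMES:
            reasons.append(f"value named after a core Windows process: {name}")
        host = HOST_RE.match(command)
        if host and any("\\users\\" in p.lower() for p in paths):
            reasons.append(f"{host.group(1)} loads code from a user profile")
        if reasons:
            findings.append((key, name, command, reasons))
    return findings


if __name__ == "__main__":
    for key, name, command, reasons in triage(parse_reg_export(REG_SAMPLE)):
        print(f"{key}\\{name}: {command}")
        for r in reasons:
            print(f"    - {r}")
```

To use it against a real machine, export the four Run/RunOnce keys (HKLM and HKCU) with regedit or `reg export` and feed the file in place of REG_SAMPLE. The rules are deliberately about location and launcher rather than file names, because an autostart can be named anything; the OneDrive entry in the sample lives under AppData too and is correctly left alone, which is the kind of exception a per-site allowlist has to carry.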

      

Tool: HijackThis (System Checker)

Tool: StartupList

Anti-Trojan Software

  There are many anti-Trojan software programs available from many vendors.

  Below is a list of some of the anti-Trojan software packages that are available for trial:

  • Trojan Guard
  • Trojan Hunter
  • ZoneAlarm for Win 98 & up, 4.530
  • WinPatrol for Win All, 6.0
  • LeakTest, 1.2
  • Kerio Personal Firewall, 2.1.5
  • Sub-Net
  • TAVScan
  • SpyBot Search & Destroy
  • Anti Trojan
  • Cleaner

Trojan Hunter

  TrojanHunter is an advanced trojan scanner and toolbox that searches for and removes Trojans from your system.

  It uses several proven methods to find a wide variety of Trojans, such as file scanning, port scanning, memory scanning, and registry scanning.

  It also allows you to add custom trojan definitions and detection rules.

Trojan Hunter: Screenshot

Comodo BOClean

  Comodo BOClean protects your computer against trojans, malware, and other threats. It constantly scans your system in the background and intercepts any recognized trojan activity. The program can ask the user what to do, or run in unattended mode and automatically shut down and remove any suspected Trojan application.

  Features:

  • Destroys malware and removes registry entries
  • Does not require a reboot to remove all traces
  • Disconnects the threat without disconnecting you
  • Generates an optional report and a safe copy of evidence
  • Automatically sweeps and detects INSTANTLY in the background
  • Configurable "Stealth mode" completely hides BOClean from users
  • Updates automatically from a network file share

Comodo BOClean: Screenshot

Trojan Remover: XoftspySE

  Xoftspy detects and removes all the spyware trying to install on your PC.

  It scans for more than 42,000 different Spyware and Adware parasites.

  It finds and removes threats including: Spyware, worms, hijackers, Adware, Malware, keyloggers, hacker tools, PC parasites, Trojan Horses, spy programs, and trackware.

  It gets alerts about potentially harmful websites.

XoftspySE: Screenshot