Trojan FAQ
  Author: nulldevice
Added: 06/11/2003
Type: Tutorial
Viewed: 1315 time(s)
Average visitor rating: 9.6/10

Where Did the Term Originate?
According to Webopedia: "The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy."
How Is the Definition Relevant to Computers?
Again from Webopedia: "A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive."
What is the motive behind installing a Trojan?
The most prominent motive is to control your PC remotely, or to install a backdoor on your box after an attacker has already broken in, so that his continued access is assured. It also lets the attacker carry out his activities from your IP address, which covers his tracks. Any reason you can think of for someone wanting to control your PC remotely, from spying on your private life to anything else, is a motive for installing a Trojan on it.
What Are Trojans?
Trojans are programs that appear to do nothing, or to do something useful, while in reality your machine is being taken over by someone else. A Trojan is disguised as a good piece of software; the various methods of delivering Trojans are covered later in this tutorial. As soon as you execute the Trojan-infected file, the Trojan installs itself, without your knowledge, in some hidden place, typically %SystemRoot% (e.g. C:\WINDOWS) or its System32 subdirectory. Some Trojans start functioning immediately after installation, but most become active after the next reboot.

Nearly all Trojans operate concealed, in "stealth mode", giving the user no indication of their presence. Nothing is visible in the Windows system tray, and nothing appears in the "Close Program" dialog on Windows 9x/Me, since a process can hide itself from that list. A utility called "psview" for Windows 9x shows all processes and open files, and on Windows 2000/XP the Processes tab of Task Manager lists the running executable. Once the Trojan is running, the system can be controlled remotely.

Once active, it simply sits in the background and waits for the attacker to connect. Nearly all Trojans open a specific port and listen on it for the attacker's commands. Many personal firewalls of the time failed here: the Trojan opened its port during startup, before the firewall loaded, so when the firewall came up it found the port already open, trusted it as an existing service and ignored the Trojan. A firewall that blocks all unsolicited inbound connections by default is not fooled by this ordering, because the listener is unreachable from outside whether or not the firewall saw it start.

The moment it is executed the attacker will know, because these programs often notify the attacker when their victim comes online.

Trojan has two parts:

  1. Server
  2. Client.

The server part is installed on the victim's computer, whereas the client part stays with the attacker and is used to control the server, that is, your computer.

What is the difference between a Trojan and a virus?
There is a clear distinction between a virus and a Trojan: replication. Replication is the first and foremost requirement for a program to be categorized as a virus; even a program that is totally harmless is a virus if it has the ability to replicate itself. Trojans do not replicate; they basically let someone else control your box from another computer without your knowledge.
Can a Trojan do harm to any Data on my PC?
By itself, usually no. Trojans are usually not written with destructive payloads, although it is certainly possible to write one that way. So the chance of a Trojan damaging your data on its own is small, unless the attacker explicitly instructs it to do so or someone has created a variant of the original Trojan with a destructive payload.
What Can a Trojan Do?
Most Trojans provide a common set of features:
  1. Open and close the CD-ROM drive.
  2. Run programs already resident on the target system remotely, without the user's intervention.
  3. Capture the user's keystrokes in real time without alerting him, exposing conversations, chats and passwords.
  4. Capture screenshots.
  5. Reboot the computer.
  6. Upload, download and execute programs on the target computer without the user's knowledge.
  7. Operate microphones, web cameras, modems and other peripherals.
  8. Retrieve cached passwords.
  9. Edit the registry.

Screenshots of the client of SubSeven, one of the best-known Trojans, show what a Trojan can do in practice.

What Would a Hacker Do with Your Box?
Why would someone install a Trojan on your computer?

There can be many motives for this:

  1. To hide behind your IP address while carrying out his operations.
  2. To get some files from your PC.
  3. To use an email account: after capturing your password, the attacker can use yours.

Many other abuses and intentions are also possible, including blackmail.

What Are The Various Methods To Deliver Trojans?
A Trojan can be distributed in many ways; the objective is to get the user to run the infected file at least once, whether it is downloaded from a site or sent as an email attachment, without triggering any alert. Usually the server part of the Trojan comes as an executable. In some cases this executable appears to do nothing, or it is passed off as legitimate software. Another method is to hide the Trojan inside another executable, using software called an executable binder, which joins two programs into a single file that runs both when launched. Even experienced users can be tricked by a bound executable. One well-known binder goes by the name "Yet Another Binder" (YAB) and can be had from http://www.astalavista.com.
What Do I, 'nsbuttar', Myself Use?
I don't use Trojans because they are easily detected by antivirus software. There is some legal software that antivirus ignores; these tools go by the name "RAT (Remote Administration Tools)". Most of the new generation of these tools are very much like Trojans, or can be configured to act like Trojans. For example, 'Remotely Anywhere' allows you to create a customized server executable which can be made exactly like the one that comes with Trojans... I wonder why they are exceptions, while free tools which can be used for so-called 'Remote Administration' are categorized as Trojans.

I personally use such legitimate software bound to some useful software using YAB.

What are common Trojans?
BO2K (Back Orifice 2000) from the Cult of the Dead Cow, SubSeven and NetBus are the best known; there are many others.

Read BO2K review

How Do I Know I Am Infected?
Under certain circumstances it may be very difficult. There are tools, including antivirus products, that claim to detect and remove Trojans, but in reality they can only detect and remove a fraction of the Trojans in existence. Secondly, the source code of some Trojans is freely available on the net, ready to be compiled. This makes the situation worse, because it allows many variations of a Trojan to be created, each with a different signature. Most antivirus and anti-Trojan tools rely on signatures of known malicious programs (as Anti-Trojan states on its FAQ page http://www.anti-trojan.net/en/faq50001.aspx: "Anti-Trojan works with a trojan signature database."), so a recompiled variant may go unnoticed. Finally, the RAT tools produced by reputable software companies can be used in place of Trojans, as explained above in the section on what I use myself.
 
But I won't ask you to abandon these tools entirely, because most newbies won't try to recompile these programs or tamper with the executable.
 
So what is the best way to know whether you are infected? I would say port-scan yourself: if you find any suspicious ports open, you probably have a Trojan installed on your box. Bear in mind that most Trojans let the attacker change the listening port, so an open port that is not on any list deserves the same scrutiny as one that is. A port list of common Trojans and a comprehensive list of Trojans can be found at http://www.anti-trojan.net/en/trojanlist.aspx
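The port-scan-yourself check, as an added example that is not code from the original tutorial: a small Python TCP connect scanner that probes a host for the historical default ports of the Trojans named on this page and labels anything else it finds as an unknown listener to be identified. The known-port table is a handful of well-documented defaults, not the full list on the anti-trojan.net page, and the fake listener that demo() starts on 127.0.0.1 is a harmless stand-in for a Trojan server, constructed so the scan has something to find; nothing here connects to or controls a remote machine.

```python
"""TCP connect scan against well-known Trojan listener ports (added example, not from the tutorial)."""
import socket
import threading
from contextlib import closing

# Historical default TCP ports of the Trojans named in this FAQ. Most Trojans let the
# attacker pick another port, so this table is a starting point, not a test of innocence.
KNOWN_TROJAN_PORTS = {
    1243: "SubSeven 1.x default",
    27374: "SubSeven 2.x default",
    12345: "NetBus default",
    12346: "NetBus (second port)",
    54320: "Back Orifice 2000 default (TCP)",
    31337: "Back Orifice (UDP originally; variants also use TCP)",
}


def is_port_open(host, port, timeout=0.5):
    """A TCP connect probe: a completed handshake means something is listening."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host, ports, timeout=0.5):
    """Return the sorted list of TCP ports in `ports` that accept a connection on `host`."""
    return sorted(p for p in set(ports) if is_port_open(host, p, timeout))


def classify(open_ports):
    """Label each open port: a known Trojan default, or an unknown listener that needs identifying."""
    return {p: KNOWN_TROJAN_PORTS.get(p, "unknown listener: identify the owning process")
            for p in open_ports}


def start_fake_listener(host="127.0.0.1", port=0):
    """Start a harmless TCP listener (constructed stand-in for a Trojan server).

    Falls back to an ephemeral port if `port` is busy. Returns (server_socket, bound_port);
    close the socket to stop the listener.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        srv.bind((host, port))
    except OSError:
        srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice when the socket is closed

    def accept_loop():
        while srv.fileno() != -1:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            conn.close()  # accept and drop: we only need the port to look open

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def pick_closed_port(host="127.0.0.1"):
    """Reserve and release an ephemeral port so the caller has a port known to be closed."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Run the fake listener on the SubSeven default port (or a fallback) and scan the known ports plus it."""
    srv, port = start_fake_listener("127.0.0.1", 27374)
    try:
        return classify(scan_ports("127.0.0.1", [port] + sorted(KNOWN_TROJAN_PORTS)))
    finally:
        srv.close()


if __name__ == "__main__":
    for port, label in demo().items():
        print(f"{port:>5}/tcp open  {label}")
```

Scanning 127.0.0.1 shows every listener on the box regardless of any firewall; scanning the same box from a second machine shows what an attacker on the network can actually reach, and the two results should be compared. Since the attacker can move the Trojan to any port, pass scan_ports a full range such as range(1, 65536) rather than only the table, and identify each unknown listener by its owning process.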
How Can I Get Rid of a Trojan If I Am Infected?
If you are infected with a Trojan, first of all run a good antivirus such as Norton, McAfee or AVG and/or a Trojan cleaner tool; you may be lucky and it will detect and remove the Trojan.

If you are unlucky, then on Windows XP/2000/NT open Task Manager, select the Processes tab and look for any unusual executable. On Windows 98 you can use a freeware tool called 'psview' (Process Viewer), which shows every running process, including those that do not appear in the 'End Program' box; it also lets you change the priority of a running process and see its open files, an indispensable tool for 98 users. Next, find out which application is listening on which port: on Windows XP, 'netstat -ano' lists each listening socket with the PID of the owning process, and that PID can be matched to an image name in Task Manager or in the output of 'tasklist'; on older versions a third-party port-to-process tool is needed. This usually gives you the filename of the Trojan. Kill the suspicious process and delete the file. Also check what is started automatically, using 'msconfig' or the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and the corresponding key under HKEY_CURRENT_USER; the Trojan's executable is likely to be listed there, and the entry should be removed along with the file.
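The port-to-process correlation above, as an added example that is not part of this tutorial: Python code that parses the output of the Windows XP commands 'netstat -ano', 'tasklist' and 'reg query' on the Run key, joins them so that each listening port is tied to the executable that owns it and to any autostart entry that relaunches it, and flags listeners owned by images outside an allowlist. The three sample outputs, the process name 'mswin32.exe', the Run entries and the allowlist are constructed for the demonstration; real output would be captured by running the commands and feeding their text to the parsers.

```python
"""Tie listening ports to their owning executables and autostart entries (added example, not from the tutorial)."""
import re

# Constructed sample output of `netstat -ano` (Windows XP). The -o column is the owning PID.
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       1604
  TCP    127.0.0.1:1033         127.0.0.1:27374        ESTABLISHED     1604
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample output of `tasklist`. The process name mswin32.exe is invented.
TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         16 K
System                           4 Console                    0        236 K
svchost.exe                    896 Console                    0      4,436 K
explorer.exe                  1288 Console                    0     12,804 K
mswin32.exe                   1604 Console                    0      2,108 K
"""

# Constructed sample output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`.
REG_RUN = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ  SOUNDMAN.EXE
    mswin32     REG_SZ  C:\WINDOWS\System32\mswin32.exe
"""

# Images expected to own listening sockets on a stock XP box (a constructed allowlist for the
# demo; a real one is built from a known-clean machine of the same build).
EXPECTED_LISTENERS = {"System", "svchost.exe", "lsass.exe", "services.exe", "alg.exe"}


def parse_netstat(text):
    """Return {(proto, local_port): pid} for TCP sockets in LISTENING state and for all UDP sockets."""
    listeners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, port = parts[0], int(parts[1].rsplit(":", 1)[1])
        if proto == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue  # established or closing connections are not listeners
            pid = int(parts[4])
        else:
            pid = int(parts[-1])  # UDP lines have no State column
        listeners[(proto, port)] = pid
    return listeners


def parse_tasklist(text):
    """Return {pid: image_name}. Image names may contain spaces, so anchor on the columns after them."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def parse_reg_run(text):
    """Return {value_name: command} from `reg query` output of a Run key."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(.+?)\s+REG_(?:SZ|EXPAND_SZ)\s+(.+?)\s*$", line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def suspicious_listeners(netstat_text, tasklist_text, reg_text):
    """Join the three outputs; report each listener owned by an unexpected image and how it persists."""
    procs = parse_tasklist(tasklist_text)
    autostart = parse_reg_run(reg_text)
    findings = []
    for (proto, port), pid in sorted(parse_netstat(netstat_text).items()):
        image = procs.get(pid, "<pid not in tasklist>")
        if image in EXPECTED_LISTENERS:
            continue
        # A Run entry whose command ends with this image name is how the Trojan survives a reboot.
        persisted = [name for name, cmd in autostart.items() if cmd.lower().endswith(image.lower())]
        findings.append({"proto": proto, "port": port, "pid": pid, "image": image, "run_entries": persisted})
    return findings


if __name__ == "__main__":
    for f in suspicious_listeners(NETSTAT_ANO, TASKLIST, REG_RUN):
        print(f"{f['proto']} port {f['port']} is owned by PID {f['pid']} ({f['image']}); "
              f"autostart entries: {f['run_entries'] or 'none'}")
```

On the constructed data the only finding is TCP 27374 owned by PID 1604, mswin32.exe, which is also launched from the Run key as 'mswin32'. Both the file and the Run entry have to go: deleting the executable alone leaves a dangling autostart entry, and removing the entry alone leaves the file for the attacker to relaunch.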




Copyright Linux Advisory 2003. All rights reserved.