Computer Trojan Url Web

Table of Contents 01. What Is This Paper About 02. What Is A Trojan Horse 03. How Do Trojans Work 04.

Trojans Variations -Remote Access Trojans-Password Sending Trojans-Key logging Trojans -Destructive Trojans-Denial Of Service (DoS) Attack Trojans-Proxy/Wingate Trojans-FTP Trojans-Detection Software Killers 05. The Future Of Windows Trojans 06. How Can I Get Infected-Via ICQ-Via IRC-Via Attachments-Via Physical Access-Via Browser And E-mail Software Bugs-Via Netbios (File Sharing) 07. Fake Programs 08.

Untrusted Sites And FreeWare Software 09. How Are They Detecting My Internet Presence 10. What Is The Attacker Looking For 11. Intelligence With Trojans 12.

Trojan Ports 13. How Do I Know I’m Infected 14. Anti-Virus (AV) Scanners 15. Anti-Trojan Software 16. After You Clean Yourself 17. Online Scanning Services 18.

Advice 19. Links Section 20. Final Words 1. What is this paper about? The Complete Trojans Text is a paper about Windows Trojans, how they work, their variations and, of course, strategies to minimise the risk of infection. Links to special detection software are included as well as many other topics never discussed before. This paper is not only intended to be for the average Internet/Windows user who wants to know how to protect his / her machine from Trojan Horses or just want to know about their usage, variations, prevention and future, but will also be interesting for the advanced user, to read another point of view.

Windows Trojans are just a small aspect of Windows Security but you will soon realise how dangerous and destructive they could be while reading the paper. 2. What Is A Trojan Horse? A Trojan horse is: – An unauthorised program contained within a legitimate program. This unauthorised program performs functions unknown (and probably unwanted) by the user.

– A legitimate program that has been altered by the placement of unauthorised code within it; this code performs functions unknown (and probably unwanted) by the user. – Any program that appears to perform a desirable and necessary function but that (because of unauthorised code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user. The Trojan Horse got its name from the old mythical story about how the Greeks gave their enemy a huge wooden horse as a gift during the war. The enemy accepted this gift and they brought it into their kingdom, and during the night, Greek soldiers crept out of the horse and attacked the city, completely overcoming it. 3. How Do Trojans Work? Trojans come in two parts, a Client part and a Server part.

When the victim (unknowingly) runs the server on its machine, the attacker will then use the Client to connect to the Server and start using the trojan. TCP/IP protocol is the usual protocol type used for communications, but some functions of the trojans use the UDP protocol as well. When the Server is being run on the victim’s computer, it will (usually) try to hide somewhere on the computer, start listening on some port (s) for incoming connections from the attacker, modify the registry and / or use some other auto starting method. It’s necessary for the attacker to know the victim’s IP address to connect this / her machine. Many trojans have features like mailing the victim’s IP, a swell as messaging the attacker via ICQ or IRC.

This is used when the victim has dynamic IP which means every time you connect to the Internet you get a different IP (most of the dial-up users have this). ADSL users have static IPs so the infected IP is always known to the attacker and this makes it considerably easier to connect to your machine. Most of the trojans use Auto-Starting methods so even when you shut down your computer they ” re able to restart and again give the attacker access to your machine. New auto-starting methods and other tricks are discovered all the time. The variety starts from ‘joining’ the trojan into some executable file you use very often like explorer. eye, for example, and goes to the known methods like modifying the system files or the Windows Registry.

System files are located in the Windows directory and here are short explanations of their abuse by the attackers: – Autostart Folder The Autostart folder is located in C: Windows Start MenuProgramsstartupand as its name suggests, automatically starts everything placed there. – Win. ini Windows system file using load = Trojan. eye and run = Trojan. eye to execute the Trojan- System. ini Using Shell = Explorer.

eye trojan. eye results in execution of every file after Explorer. eye- Win init. ini Setup-Programs use it mostly; once run, it’s being auto-deleted, which is very handy for trojans to restart- Winstar t.

bat Acting as a normal bat file trojan is added as @trojan. eye to hide its execution from the user- Auto exec. batIt’s a DOS auto-starting file and it’s used as auto-starting method like this -> c: Trojan. eye- Config. sys Could also be used as an auto-starting method for trojans- Explorer Startup Is an auto-starting method for Windows 95, 98, ME and if c: explorer. , it will be started instead of the usual c: Windows Explorer.

eye, which is the common path to the file. Registry is often used in various auto-starting methods. Here are some known ways: [HKEY LOCAL MACHINESoftwareMicrosoftWindowsCurrentVersionRun]’Info’ = ‘c: directoryTrojan. eye’ [HKEY LOCAL MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce] ‘Info’ = ‘c: directoryTrojan.

eye'[HKEY LOCAL MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices]’Info’ = ‘c: directoryTrojan. eye'[HKEY LOCAL MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce]’Info = ‘c: directoryTrojan. eye’ [HKEY CURRENT USERSoftwareMicrosoftWindowsCurrentVersionRun]’Info’ = ‘c: directoryTrojan. eye’ [HKEY CURRENT USERSoftwareMicrosoftWindowsCurrentVersionRunOnce]’Info’ = ‘c: directoryTrojan. eye’- Registry Shell Open[HKEY CLASSES ROOTexefileshellopencommand][HKEY LOCAL MACHINESOFTWAREClassesexefileshellopencommand]A key with the value ‘%1 % ‘s could be placed there and if there is some executable file placed there, it will be executed each time you open a binary file.

It’s used like this: trojan. eye ‘%1 % ‘; this would restart the trojan. – ICQ Net Detect Method[HKEY CURRENT USERSoftwareMirabilisICQAgentApps]This key includes all the files that will be executed if ICQ detects Internet connection. As you can understand, this feature of ICQ is very handy but it’s frequently abused by attackers as well.

– ActiveX Component[HKEY LOCAL MACHINESoftwareMicrosoftActive Setup Installed ComponentsKeyName]Stub Path = C: directoryTrojan. exe These are the most common Auto-Starting methods using Windows system files, and the Windows registry. 4. Trojans Variations There are so many variations out there, it will be hard to list and describe each and every one of them, but most are a combination of all the trojan features you will read about below, or have many other functions still not, and probably will never be known to the public.

Remote Access Trojans These are probably the most publicly used trojans, just because they give the attackers the power to do more things on the victim’s machine than the victim itself, while standing in front of the machine. Most of these trojans are often a combination of the other variations you ” ll read below. The idea of these trojans is to give the attacker a COMPLETE access to someone’s machine, and therefore access to files, private conversations, accounting data, etc. Password Sending Trojans The purpose of these trojans is to rip all the cached passwords and also look for other passwords you ” re entering then send them to a specific mail address, without the user noticing anything.

Passwords for ICQ, IRC, FTP, HTTP or another application that require a user to enter a login+password are being sent back to the attacker’s e-mail address, which in most cases is located at some free web based e-mail provider. Most of them do not restart when Windows is loaded, as the idea is to gather as much info about the victim’s machine as passwords, m IRC logs, ICQ conversations and mail them; but it depends on the needs of the attacker and the specific situation. Keyloggers These trojans are very simple. The only one thing they do is to log the keystrokes of the victim and then let the attacker search for passwords or other sensitive data in the log file. Most of them come with two functions like online and offline recording. Of course they could be configured to send the log file to a specific e-mail address on a daily basis.

Destructive The only function of these trojans is to destroy and delete files. This makes them very simple and easy to use. They can automatically delete all your core system files (for example: . dull, . in or. eye files, possibly others) on your machine.

The trojan is being activated by the attacker or sometimes works like logic bomb and starts on a specific day and at specific hour. Denial Of Service (DoS) Attack Trojans These trojans are getting very popular these days, giving the attacker power to start DDoS if having enough victims of course. The main idea is that if you have 200 ADSL users infected and start attacking the victim simultaneously, this will generate a LOT of traffic (more then the victim’s bandwidth, in most cases) and its the access to the Internet will be shut down. WinTrinoo is ddos tool that has become really popular recently, and if the attacker has infected many ADSL users, major Internet sites could be shut down as a result, as we ” ve seen it happen in the past few months. Another variation of a DoS trojan is the mail-bomb trojan, whose main aim is to infect as many machines as possible and simultaneously attack specific-mail address / addresses with random subjects and contents which cannot be filtered. Proxy/Wingate Trojans Interesting feature implemented in many trojans is turning the victim’s computer into a proxy / win gate server available to the whole world or to the attacker only.

It’s used for anonymous Telnet, ICQ, IRC, etc. , and also to register domains with stolen credit cards and for many other illegal activities. This gives the attacker complete anonymity and the chance to do everything from YOUR computer and if he / she gets caught the trace leads back to you. FTP Trojans These trojans are probably the most simple ones and are kind of outdated as the only thing they do is to open port 21 (the port for FTP transfers) and let EVERYONE connect to your machine or just the attacker.

Newer versions are password protected so only the one that infected you may connect to your computer. Software Detection Killers There are such functionalities built into some trojans, but there are also separate programs that will kill Zone Alarm, Norton Anti-Virus and many other (popular anti-virus / firewall) programs, that protect your machine. When the yare disabled, the attacker will have full access to your machine, to perform some illegal activity, use your computer to attack others and often disappear. Even though you may notice that these programs are not working or functioning properly, it will take you some time to remove the trojan, install the new software, configure it and get back online with some sense of security. I would like you to look at a list created by Snake Byte (nice work dude! ): web it out and you will get my point how easily these programs could be disabled. It’s a list of Anti-Virus detection software with its Window Names, associated files and many more things that attackers found as a way to disable certain protection software.

I’ve seen only several anti-trojan packages that let the user specify another location of the program (installation) files, different from the default one, also Window names and many other features that will make it harder for the attacker to disable the software. 5. The Future Of Windows Trojans Windows users will always be targets of malicious attackers because most of them don’t know the real meaning of the word security, and think that some firewall is the only solution they need for protection but they actually don’t have a clue how it works, or how to configure it properly. Windows Trojans will be a big security problem in the future and I’m sure attackers realise that, and many more unique functions will be implemented into their trojans but will mostly be used for the attacker’s private purposes. Programmable ‘automated hacking’ functions will be used to solve various attacker’s problems starting from anonymous port scanning and going up to Distributed Denial Of Service Attacks (DDoS). A recommended resource related to the subject is web about distributed cracking of password files like on all of these contests around the world but in that case a network created by attacker / attackers for their own purposes? Has anyone ever thought of ‘spamming’ function, built into trojans, similar to all of these spam programs out there, crawling around the Internet, searching for e-mails? And these are just small examples, but trust me, there are much more advanced features, built into Windows Trojans, that probably will never be released to the public.

At this year’s Defcon the security company Sense Post made a demonstration with trojan, called Set iri, bypassing all the firewalls and IDS’s giving access to the attacker even the machine was in a restricted environment. More info is available at: web Can I Get Infected? A lot of people out there can’t differ various ways of infection just because in their minds the only way of getting infected is by downloading and running server. eye and they will never do it as they say. As you ” ll read here, there are many more ways for malicious attackers to infect your machine and start using it for illegal activities. Please take all of these topics I’m reviewing here really seriously; read them carefully and remember that prevention is way better than the cure! 6. 1 ICQ 6.

2 IRC 6. 3 Attachments 6. 4 Physical Access 6. 5 Browser And E-mail Software Bugs 6. 6 Netbios (File Sharing) 6. 1 Via ICQ People don’t understand that they can also get infected while talking via ICQ or any other Instant Messenger Application.

It’s all risky when it’s about receiving files no matter from who, and no matter from where. Believe it or not, there are still guys out there, using really old versions of ICQ and it’s all because they can see the IP of the person they ” re talking to. The older versions of ICQ had such functionality and it was useful for everyone capable of using win nuke and other DoS tools, but really how hard its to click with the mouse? These people are often potential victims of someone that is more knowledgeable on Windows Trojans and takes advantage of their old ICQ versions. Let’s review various ways of getting infected via ICQ: – You can never be 100% sure who’s on the other side of the computer at the particular moment. It could be someone that hacked your friend’s ICQ UIN (Unique Identification Number) and wants to spread some trojans over his / her friends. You ” ll definitely trust your best dude Bob if he offers you something interesting, but is it really Bob on the other side? – Old versions of ICQ had bugs in the Web Server feature, that creates a site on your computer, with your info from the ICQ database.

The bug consists in that the attacker can have access to EVERY file on your machine and if your ead the previous sections carefully and know the auto-start methods, you ” ll probably realise what could happen if someone has access to your win. in or other system file, namely a trojan installed in a few minutes. – Trojan. eye is renamed like Trojan… (150 spaces). txt.

eye, icon changed to areal. txt file and this will definitely get you infected. This bug must be fixed in the newer versions for sure. No matter which Instant Messenger Application you ” re using, you could always get yourself infected by certain program bug you never had the chance to hear about, and never took care of checking for newer versions of the application, also when it’s about receiving files no matter where, and no matter from who, take that very seriously and realise the dangers of your naivety. 6.

2 Via IRC So many people LIVE on IRC and this is another place where you can get yourself infected. Trust is vital no matter what you ” re doing. No matter who is sending you files, pretending to be free porn archive, software for ‘free internet’, hacking Hotmail program, DO NOT get any of these files. Newbies are often targets of these fakes, and believe me, many people are still newbies about their security. Users get infected from porn-trade channels, and, of course, warez channels, as they don’t think about the risk, but how to get free porn and free programs instead. Here are several scenarios of you getting infected while using IRC: – You ” re talking with someone, a ‘girl’ probably, have great time and, of course, you want to see the person you ” re talking to.

You ask for a picture or the ‘girl’ offers you her pictures and I’m sure you ” ll definitely want to see them. The ‘girl’s ays that she has just created her first screensaver, using some known free or commercial software to do this, and offers it to you, but how about if ‘she’ mentions several pictures are naked ones? ! You have been talking to ‘her’ for a week or so, you get this screensaver. eye, you run it and, yeah, VERY nice pics, some are naked and she didn’t lie to you so nothing bad or suspicious has happened BUT think again what really has happened! – Trojan. eye could also be renamed into Trojan. scr like a screensaver extension and will again run properly when you execute it so pay attention about these file extensions. – Trojan.

eye is being renamed like Trojan… (150 spaces). txt. eye you ” ll get the file over IRC in the DCC it will appear as. TXT and you won’t get worried about anything, run it and get yourself infected again.

In all of these examples the icon of the file is changed, of course, because it needs to be the same icon as a normal. TXT and this fools victims very often. Most people don’t notice in their Explorer that the Type of the file is Application BUT with a. TXT icon. So BEFORE you run something, even if it’s with a. TXT icon, check its extension and make sure it’s really a text file.

6. 3 Via AttachmentsI’m always amazed how many people got themselves infected by an attachment, sent into their mailboxes. Most of these users are new to the Internet and are pretty naive. When they receive a mail, containing an attachment, saying they will get free porn, free Internet access etc. , they run it without completely understanding the risks for their machines. Check the following scenario: you know your friend Alex is a very skilled Visual Basic programmer.

You also know he’s coding his latest program but you ” re curious what it is all about, and you wait for an e-mail from him with the attachment when he finishes coding the application. Yeah, but the person targeting YOU also knows that. The attacker also knows your friend’s e-mail address. Then the attacker will simply code some program or get some freeware one, use some relaying mail server to fake the e-mail’s FROM field and make it look like your friend ” sone; Alex’s e-mail address is so the attacker’s FROM field will be changed to and, of course, it will include theTROJANED attachment… You ” ll check your mail, see that Alex finally got his program ready and sent it, you ” ll download and run it without thinking that it might be a trojan or something else, because, hey, Alex wouldn’t do something like that to me, he’s my friend, and you ” ll get yourself infected. Information Is Power! Just because the attacker knew you were waiting for some particular file, he found Alex’s e-mail address and got you infected…

the right moment assumes importance here. And it all happened just because you were naive, just because you saw in the FROM field, and just because you didn’t check the mail headers to see that the mail came from some. jp mail server relaying e-mails and, has been used from spammers for several months. Many people got themselves infected by the famous ‘Microsoft Internet Explorer Update’s ent directly to their mailboxes, by the nonexistent Microsoft Updates Staff. I understand you felt great because Microsoft are paying attention especially to you, and sent you the latest updates, but these ‘updates’ are definitely trojans. Microsoft will NEVER send you updates of their software via e-mail no matter you see the FROM field is and as you ” ve noticed in the previous example the FROM field could and IS faked.

If you ever notice some mail in your mailbox with subjects like ‘Microsoft IEUpdate’ and such, delete WITHOUT viewing or reading the e-mail, because some-Mail clients like Outlook Express and others, have bugs that automatically execute the file being attached in the e-mail WITHOUT you even touching it. As you can imagine this is a extremely dangerous problem that requires you to be always up to date with the latest version of any software you ” re using. 6. 4 Physical Access Physical access is vital for your computer’s security. Imagine what can an attacker do while having physical access on your machine, and let’s not mention if you ” re always connected to the Internet and leave the room for several minutes… long enough to get you infected.

Here I’ll point you several scenarios, often used by attackers to infect your computer while they ” re having physical access to your machine. There are some very smart people out there that keep thinking of new ways of getting physical access to someone’s computer. Here are some tricks that are interesting: – Your ‘friend’ wants to infect you with a trojan and he / she has physical access to your machine. Let’s say you were at home surfing the net, chatting or whatever. Suddenly your ‘friend’ asks you for a glass of water, knowing that you ” ll go in another room and will be away for 1 or 2 minutes. While you do that he / she takes out a diskette of the pocket and infects your unprotected PC.

You came back and everything is OK because your ‘friend’ is doing exactly the same thing before you left… surfing the net. – The next example is when 2 guys want to take revenge on you cause of something and are supporting each other to accomplish the task. Again you are at home with your ‘friend’, surfing, chatting, whatever you ” re doing; suddenly the telephone rings and a ‘friend’ of yours wants to speak with you for something that is really important. He / she (it’s better to be shein this case) asks ‘Is there anyone around you? If so, please move somewhere away from him / her (after knowing it is him or her, of course). I don’t want anyone to listen what I’m going to tell you’.

The victim is again lured away from the computer, leaving the attacker to do whatever he / she wants on the target computer. – Other approaches like the previous ones might be sudden ring on the bell, a swell as other variations of phone calls and conversations leaving the attacker alone with the victim’s computer. There are so many other possible approaches; just think for a while and you ” ll see what I mean and how easily you could be tricked, and it’s because you ” re not suspicious enough when its about your sensitive computer data. – Another way of infecting while having physical access is the Auto-Starting CD function. You ” ve probably noticed that when you place a CD in your CDROM, it automatically starts with some setup interface; here’s an example of the Autorun. inf file that is placed on such CD’s: [auto run]open = setup.

= setup. exe So you can imagine that while running the real setup program a trojan could be run VERY easily, and as most of you probably don’t know about this CD function they will get infected and won’t understand what happened and how it’s been done. Yeah, I know it’s convenient to have the setup. eye security is what really matters here, that’s why you should turn off the Auto-Start functionality by doing the following: Start Button->Settings->Control Panel->System->Device Manager->CDROM->Properties->Settings and there you ” ll see a reference to Auto Insert Notification. Turn it off and you won’t have any problems with that function anymore. I know MANY other variations of physical access infections but these are the most common ones so pay attention and try to make up several more by yourself.

When the victim IS connected to the Internet: Here we have many variations; again, I’ll mention the most common ones. While the attacker is having physical access he / she may download the trojan. eye, using various ways just by knowing how various Internet protocols work. – A special IRC bot known only to the attacker is staying in IRC with the only function to DCC the trojan. eye back to the attacker whenever he / she messages the bot with a special command.

The victim will probably be away from the computer. – The attacker wants to download some specific software like new version of some programs infected with trojan (s), of course, and visit some URL, known to him / her only, and download the trojan. – The attacker pretends he / she wants to check his / her (web based) mail (for example, at Yahoo! or Hot Mail) but in fact has the trojan. eye stored in his / her mailbox and just downloads and executes the file, hereby infecting the computer. The mail service is used as a storage area, in this case. There are many more ways of infecting the victim while connected to the Net, as you can imagine.

Any of these examples will succeed but it all depends on the victim’s knowledge of the Internet and how advanced his / her skills are, so the attacker needs to check these things somehow before doing any of these activities I pointed here. After that, the attacker will be able to choose the best variant for infecting the victim and doing the job. 6. 5 Browser And E-mail Software Bugs Users do not update their software versions as often as they should be, and a lot of the attackers are taking advantage of this well known fact. Imagine you are using an old version of Internet Explorer and you visit a (malicious) site that will check and automatically infect your machine without you downloading or executing any programs. The same scenario goes when you check your E-mail with Outlook Express or some other software with well known problems, again you will be infected without downloading the attachment.

Make sure you always have the latest version of your Browser and E-mail Software, and reduce the ways of these variations to minimum. Here are some links about Browser andE-mail Software bugs, check them out and understand how dangerous these bugs are, and it’s all because of you using an old version of the software. web Netbios (File Sharing) If port 139 on your machine is opened, you ” re probably sharing files and this is another way for someone to access your machine, install trojan. eye and modify some system file, so it will run the next time you restart your PC.

Sometimes the attacker may use DoS (Denial Of Service Attack) to shut down your machine and force you to reboot, so the trojan can restart itself immediately. To block file sharing in WinME version, go to: Start->Settings->Control Panel->Network->File And Print Sharing and un check the boxes there. That way you won’t have any problems related to Netbios abuse. 7. Fake Programs Imagine a Freeware Simple Mail program that’s very suitable for your needs, and very handy with its features like address book, option to check several POP 3 accounts and many other functions that make it even better then your E-mail client and the best thing for you is that it’s free. You use Zone Alarm or another similar protection software, and mark the program as a TRUSTED Internet server so none of your programs will ever bother you about that program as you are using it probably every day because it’s working very well, no problems ever occurred, you ” re happy, but a lot of things are going in the background.

Every mail you send and all your passwords for the POP 3 accounts are being mailed directly into the attacker’s mailbox without you noticing anything. Cached passwords and your keystrokes could be also mailed and the idea here is to gather as much info as possible and send it to the attacker. This info includes credit card numbers, passwords for various applications and many other things. In some cases the attacker may have complete access to your machine but it depends on his / her ideas about the hidden program’s functions. When sending-mails and using port 25 or 110 for POP 3, these could be used for connections from the attacker’s machine (not at home, of course, but again from another hacked one) to connect and use the hidden functions he / she implemented in the Freeware Simple Mail. The attacker’s idea here is to offer you a program that requires a connection to be established with some server; let’s say at the top of the Simple Mail there’s a banner that’s auto-refreshing every few minutes, because the programmer ‘needs to pay the bills too’ as he said in the About section, so nothing seems suspicious to you as it’s a normal thing, and your logical conclusion is completely right as the only way for that guy to keep offering this cool freeware program for free is to use banners.

You ” ve already marked the program as TRUSTED so the attacker can have complete access to your machine because he / she fooled you into thinking it’s a TRUSTED program. Even if you notice some connection to your machine on some strange port, you won’t consider this as a suspicions event, as the banners section needs to get these banners from somewhere, and this is the place your machine is connected all the time to keep them refreshing. The only thing the attacker needs is creativity, and most of them do have it. Think of a fake Audio Galaxy (software for mp 3’s sharing) but, of course, with different name. The attacker would create it, will free 15 GB disk space on his machine and place a large archive of mp 3’s… then, of course, the same will be done on several other machines to fool you that you are downloading from other people located all over the world, but it’s not necessary as the program’s interface may never show you where you ” re actually downloading the mp 3’s from.

The software will again be backdoor ed as in the previous example, and will get thousands of naive users, probably using ADSL connections, infected. Fake programs that have hidden functions, often have professional looking websites, links to various anti-trojan software mentioned as affiliates, and make you trust the site; read me. txt is included in the setup and many other things to fool you it’s a trusted one. Pay attention to freeware tools you download, consider them extremely dangerous and a very useful and easy way for attackers to infect your machine with a Trojan.

8. Untrusted Sites And Freeware Software A site located at some free web space provider or just offering some programs for illegal activities can be considered as un trusted one. As you know, there are thousands of ‘hacking / security ‘ archives on these free web space providers like Room, Tripod, Geocities and many many others. These sites have archives full with ‘hacking’ programs, scanners, mail-bombers, flooder’s and many other tools. Often several, if not all of these programs are infected by the guy who created the site. It’s highly risky to download any of the programs and the tools located on such un trusted sites; no matter which software you use are, you ready to take the risk? There are some un trusted sites, looking REALLY professional and having huge archives, full with Internet related software, feedback form, links to other popular sites.

I think if you take some time, look deeper, scan all the files you download you can decide on your own whether the site you are downloading your software from is a trusted or one. Software like m IRC, ICQ, PGP or any other popular software MUST be downloaded from its original (or official dedicated mirror site) and not from any of these I told you about. Sometimes such sites claim there’s a new version of, let’s say, m IRC 7. 0, and you know your current version is 6.

0 and, yeah, it ” shandy to click on the URL and download the. eye in 1 minute and take advantage of the latest version, but will definitely get yourself infected. A possible variation of this method will again be claiming for a new version, BUT the site would include info on nonexistent security bugs, found in the previous one (which is of course the latest you have), and again it is handy for you to download it, instead of visiting m IRC’s main site, and see if there is really an updated version or check for any of these security bugs you ” ve read about on the fake site. Webmasters of well known Security Portals, that have HUGE archive with various ” hacking’ programs, should be responsible for the files they provide and OFTEN scan them with Anti-Virus and Anti-Trojan software to guarantee their visitors download ‘free of trojans and viruses’.

A known method is that attackers send some program created by them, let’s say a UDP flooder, to the webmaster like a submission for the archive, but infect the program with some trojan and later have visitors downloading the program and getting themselves infected. Some attackers may use the webmaster’s irresponsibility and infect their files, and have the site distribute the trojan. I know of another story regarding this problem. It’s about a Gaming Magazine that used to include a CD with free demo versions of the latest games in each new edition. The editors made a contest to find new talents and give the people programming games the chance their productions by sending them to the Editors.

An attacker infected his game with a new and private trojan and sent it to the Magazine. In the next edition the ‘game’ appeared on the CD and you can imagine the chaos that set in. And it’s all because of the Editors, having not so much knowledge on the topic and as I’ve told you, in the old days Anti-Virussoftware were detecting only a small part of the public trojans (and what about all the private ones). In this particular case they were using only an Anti Virus scanner to protect their readers from such attacks.

Webmasters and everyone having some sort of software archive on his / her portal, MUST scan it very often, and before adding a new file it should be well examined; if it’s suspicious in any way, it must be sent to your software detection labs for further analysis. Do care about your visitors / readers if you want them to care about you. Freeware programs could be considered suspicious and extremely dangerous, due to the fact that it’s a very easy and useful way for the attacker to infect your machine with some freeware program. No matter how suitable you find the program, remember that ‘free is not always the best’ and it’s very risky to use any of these programs. My advice is: before using Freeware program, do search for some reviews on it, check popular search engines, and try to lookup for some info about it. If you find any reviews written by respected sites, that means they ” ve used and tested it and the chance of infection is hereby, minimise d.

If no reviews or comments about the software are found via the search engines, then it may be highly risky to start using it. 9. How Are They Detecting My Internet Presence? People new to the Internet often ask this question as they can’t understand why someone will want to attack especially them, because they never did any harm to anyone and never did something that might get them into trouble. While reading the previous sections, I hope you understood that sometimes you only need to visit a web site with your un patched browser and get yourself infected.

I will explain several scenarios on how attackers may discover your Internet presence: – When visiting a web page, the attacker might have created a script that will automatically check your Browser for known bugs, and if any are detected, install a trojan on your machine or notify the attacker to have a deeper look. Make sure you ” re always using the latest version of your Browser for maximal protection. Check for (security) patches and apply these often! – When joining an IRC channel, an IRC bot might be configured to scan everyone joining for specific trojan ports opened or File Sharing (Netbios) enabled. If the attacker is smart, the script will scan you several minutes after you join the channel and, of course, use an IP number not belonging to anyone in the channel. – Attackers often attempt IP blocks scanning, looking default trojan ports and of course File Sharing (Netbios). After infection, your machine could also be used for such scans, as well as an IRC bot, scanning those joining some big and full with people IRC channel.

These are some of the most common ways attackers use to search for new victims, suitable for their illegal activities. If someone is targeting especially you, the attacker won’t be using any of these methods I reviewed above; instead your Browser version will be found as well as the Operation System you ” re using, and the attacker will make a personal contact with you via IRC, ICQ, etc. , and fool you somehow and get you infected. 10. What Is The Attacker Looking For? Some of you may think that trojans are used for damages only. Well, they can also be used for spying on someone’s machine and taking a lot of private and sensitive information (industrial espionage).

The attacker’s interests would include but are not limited to the following: – Credit Card Information (often used for domain registration, shopping with your credit card) – Any accounting data (E-mail passwords, Dial-Up passwords, WebServices passwords, etc. ) – Email Addresses (Might be used for spamming, as explained above) – Work Projects (Steal your presentations and work related papers) – Children’s names / pictures, Ages (pedophile attacker? ! ) – School work (steal your papers and publish them with his / her name on it) I’ll mention again several scenarios about the attacker’s mode of thinking: – Once infected, your computer might be used as a Warez Archive. No matter how much or little free disk space you have, you ” ll probably have enough for the attacker’s needs. He / she won’t use all of your bandwidth; there will be some limit for connections to your computer, so you ” ll still be able to do your work without knowing that your computer is used as a pirated software FTP Server and it is known to people worldwide who keep downloading software from YOU.

– Kiddie-Porn traders will also use your computer for storing their archives and again turning your machine into a well known place for traders of nasty and above all illegal pictures. You ” ll again do your work and have no clue there are illegal activities going in your computer. – The attacker might just want to have fun with you, open / close the CD tray, play with your mouse, annoy you somehow; that’s stupid and useless but a lot of people do it. – Your computer might be used for other illegal purposes like the attacker’s usage of your IP address to hack, scan, flood, infiltrate other machines on the Internet; so the victims will see your machine is doing it, and this will definitely get you in trouble. 11.

Intelligence With Trojans Think for a while about how much your life depends on your computer, your ICQ, your chat program, your e-mail address and think how vulnerable your life is just because you ” re infected with a Trojan Horse. They can, and they have been used for intelligence for a very long time. Just by reading your e-mails, keeping track of your contacts, reading your private conversations, the websites you visit, ICQ history, m IRC log files with your private conversations and a log of everything you do online, a psychological profile could be created in several hours (depends of the skills of course) and your life, mode of thinking, reactions on specific future situations and needs will be revealed to some geek, wanting to recruit and / or manipulate you. This is food for thought and another topic, but just think how a combination of psychology, social engineering and computer security knowledge makes you a really powerful guy.

And remember that people reveal their REAL personalities, wishes, mode of thinking, interests only when they think nobody is watching them… 12. Trojan Ports Trojans use specific ports to communicate with the client. In the old days the well known trojan ports were mostly used, but today it’s possible to change the port every time the trojan is restarted.

Here is a link to the best and probably including all of the public trojans Ports List I’ve come across. web Do I Know I’m Infected? Sometimes you think it’s normal Windows behaviour when there are 500 MB or so missing on your HDD, because some software is using it, or you have installed a game you forgot about and many other reasons but not the real one. Here are some things which are very suspicious, and no matter how much your Anti-Virussoftware tells you that you aren’t infected, dig a little deeper and see what really happened. One thing that will help you is to know the main features of the public trojans, so you ” ll be able to react if you notice such activity on your PC.

I have included links to various Trojan Databases that you should visit if you want to know the main features of the public ones. – Its normal to visit a web site and several more pop-ups to appear with the one you ” ve visited. But when you do completely nothing and suddenly your browser directs you to some page unknown to you, take that serious. – A strange and unknown Windows Message Box appears on your screen, asking you some personal questions. – Your Windows settings change by themselves like a new screensaver text, date / time, sound volume changes by itself, your mouse moves by itself, CD-ROM drawer opens and closes.

Please note that most advanced attackers will just spy on you and use your infected machine for some specific reason, and not perform any of the above ” tricks’s o as not to cause any suspicious activity on the target system (as this would probably mean they could get easily detected). Someone that just wants to have fun with you is more likely to perform these actions. 14. Anti-Virus (AV) Scanners In the old days Virus Scanners used to detect only viruses and just a small part of the public trojans on the Internet. Realising how dangerous and popular Trojans are becoming today most, if not all of these scanners detect probably all of the public ones out there.

As always people, think they are safe and secure when using Virus Scanner but it’s a false sense of security. This type of software relies mainly on ‘signatures’ of each trojan’s server executable and also its common auto-starting methods, but that is not the perfect solution by far for protection yourself against trojans, as they use many other methods to hide inside the machine, most of which are undetected by Anti-Virus Software. When trojans became a big security breach, specific Anti-Trojan packages were released to the public and it was necessary for the AVs to start detecting not only viruses, but also trojans if they wanted new users. As a result, most of them became really advanced trojan scanning and detection systems, but for your maximal protection it’s recommended to use both Anti-Virus and Anti-Trojans software. Public trojans appear online almost every day and the detection software is updated every day for maximal protection of its customers. One very big problem is that the users do not update their signature files as often as they should be, thus having detection software that’s not detecting several more trojans or viruses.

Users MUST update their software’s signature files everyday, and it will take them only several minutes. Each and every time a new file is downloaded, it MUST be scanned BEFORE being opened with Anti-Virus and Anti-Trojan software. If you think the file is suspicious due to some reasons, do NOT run it, but send it to your detection software labs for analysis. 15.

Anti-Trojan Software Here are reviews of the most popular Anti-Trojan packages. The list also includes various applications (freeware) to help you monitor your computer for ongoing Trojan activities. I suggest you visit the site of every product and decide which one best fits to your needs. Check the links section at the end of the paper to see various sites, providing reviews of the software below. — TDS-3 — Trojan Defence Suite (TDS) is a indispensable, must-have software package for protection against trojans. It has many unique functions never seen in other Anti-Trojan packages.

The program has really advanced features and if you ” re a newbie, it will probably take some time before you are able to use the software at its full capacity (read the excellent help files). You can get TDS from web Lock Down 2000 — This is really good Anti-Trojan package that detects a LOT of trojans and other known as ‘hacking tools’ programs. It will help you monitor your system files for changes, processes and registry modification. More info at its home page. You can get Lock Down 2000 from web TFAK 5 — Trojans First Aid Kit is a trojan-scanner developed by Snake Byte. It has many other unique features; it could be used as a Client for various public trojans as well.

Download TFAK 5 from web Trojan Remover — Anti-Trojan software detecting 5468 trojans / worms (including variants) as at 15 th August 2002. Systems files and registry monitoring functions are also implemented. More info at its home page: web Pest Patrol — A tool that scans for trojans as well as programs known as ‘hacking tools’ and spyware. More info at its official page: web — Anti-Trojan 5. 5 — Trojans detection package that is able to remove most of the public trojans out there. More info at its official page: web Taus can — Trojan scanner that has unique features and is a must have.

It’s also able to detect new and never released to the public trojans. More info at its official page: web The Cleaner — Very popular Anti-Trojan software, known by everyone. Check its home page at: web PC Door Guard — Trojan detection software, detecting a lot of trojans, and a monitor of files and directories is also included. More info at: web Trojan Hunter — Trojan detection package with a lot of functions. It’s very handy. More info at web Log Monitor — Log Monitor is a file and directory monitoring tool.

The program periodically checks a selected file’s modification time and executes an external program if file’s time was changed or not changed. For directories it handles such events as files change, addition or removal. I recommend this tool as it’s vary handy and will help you a lot. Home page: web Prc View — Prc View is a freeware process viewer utility that shows detailed information about running processes. This information includes such details as the create date / time, the version and full path for each DLL used by a selected process, a list of all threads, memory blocks and heaps.

Prc View also allows you to kill and attach a debugger to a selected process. Prc View runs on both Windows 95/98 and Windows NT platforms and includes Windows and command-line versions of the program. Get Prc View from web X NetStat — GUI based net stat tool for Windows. It will help you monitor you machine for open ports. Download it from: web Con Seal PC FIREWALL — A really good firewall for advanced users using Windows having basic knowledge of TCP/IP and other protocols; this software will help you to secure your PC a lot.

It has some major advantages over other Win based firewalls. For the full range of specifications, check its official web page at: web You Clean Yourself Your machine has been compromised and probably a lot of sensitive data stolen, files have been modified and illegal activities have been preformed on your computer. Here I’ll give you recommendations about what to do after you are 100% clean of trojans. – Accounting Data such as ISP passwords, ICQ, m IRC, FTP, web site passwords, e-mail address passwords are definitely known to the attacker. Contact your ISP about changing your dial-up password if you ” re using such connection.

Immediately change your ICQ, m IRC passwords of course if they ” re still the same. (Often attackers won’t change any of your accounting data to fool you everything is OK so there is a big chance you will still be able to recover from the compromise). Change your web based e-mail passwords and do check your information stored there, as password retrieval services for various-mail providers such as Yahoo and Hotmail use this info combined with a’Secret Question’ for password retrieval. Attackers often change the info, the answer to the secret question and many other things that will get them easily back into your mailbox, whether you ” ve changed your pass or not. – If you ” re taking advantage of the handy Address Book feature in your e-mail service, and have a list full of e-mails of friends, colleagues, etc.

there is a real possibility that the attacker has sent them a trojan and possibly infected them too. Mail all of these people and ask them about receiving any files from your mailbox, inform them someone else might know your e-mail password so they ” ll be able to take appropriate actions like checking their machines for Trojans. Do the same with the people from your ICQ contact list as they might be targeted too. – Check your HDD for abnormal activities like a lot of free space missing etc. Search for warez software and, as I mentioned, kiddie-porn archives. – Think for a while about the sensitive information you had on your machine before the compromise, and if you are absolutely sure the attacker may know it too, then take appropriate action, like informing the any institutions the sensitive data belong to.

– Scan your machine with Anti-Virus scanner, as the attacker could have placed some virus or infected macro documents on your machine to do destructive things even there’s no access for him / her to your machine. – Monitor your processes BEFORE and AFTER connecting to the Internet, as some trojans start when they detect Internet connection. Don’t get fooled again, be very suspicious. 17. Online Scanning Services These services are very popular these days and they are very handy for users who haven’t got much knowledge on all of the holes they ” re checking for, but wanting to ensure they are protected from all of them.

This section is placed at the end of the paper with a specific reason. If you have read the paper, you should know a LOT about trojans by now, their principles of working and detection techniques, therefore you can decide whether these online scanners are useful or if they give a false sense of safety. There are several types of Online Scanners: Trojan Scanner, Port Scanner and Bugs Checker. – Trojan Scanner It’s using a list with predefined ports, associated with the name of the trojan responding to its default port, like Girl Friend = 21544, and if this port is in ‘listening’s tate on your machine it will inform you that you ” ve been infected with the GirlFriend Trojan. As you already know, trojans have functions like changing their default port to ANY of the attacker’s choice. That makes these Trojan Scanners kind of useless, because serious attackers do change the default port for sure.

– Port Scanner This service has two options like well-known ports scan and all ports scan. The first feature is scanning for well known ports, again associated with the appropriate service related to the port like port 21-FTP, 23-Telnet, 25-SMTP. The second feature is rarely seen on a free one, because of the bandwidth it would generate to scan all of the 65, 535 ports. It will again associate ports with services like I mentioned above, and if it finds any unknown ports not associated with any service, it will also report it, like Port 34525 State: Listening, which means this port is waiting for connections from the outside. – Bugs Checker Its purpose is to check your Browser or your E-mail Software for well known bugs and security related problems. If any are detected, it will point you to a site containing the patches for these bugs or a site with the latest updated versions of the software.

It’s strongly recommended to close any other Internet related application on your machine before being scanned by Online Trojan Scanner and Port Scanner. You decide which service is best for you, which one will be able to detect trojan infections on your machine, and which won’t; you now know the main principles and the answers too, I hope. Links to several online scanning services I know of are included in the Links Section. 18. Advice This is a very useful section, full of tips and advice on how to protect yourself from trojans using various ways you ” ve already read about, here for faster reading and hopefully better understanding. [01] Never accept a file even it is from some friend.

You ” re never sure who ” son the other side of the computer at the moment. If you really need this file, let’s say some presentation or a work paper, find other ways, like the phone, and verify the file is from your friend. Yeah it will take you some time and slow you a bit, but be paranoid about attachments you may receive and don’t get infected. [02] When executing files, first check their type. Is it really a. doc or it ” some executable with a.

doc icon. [03] Update your Anti-Virus and Anti-Trojan package signature files regularly, if possible EVERY day for maximal protection, as new trojans and viruses are discovered every day. Most of the detection software have functions like scheduling scans so if you are away from your machine during the night but you leave it switched on, why not consider to schedule a scan and update every night? Doing so will ensure your maximal protection. [04] Make sure you always have the latest version of the software you ” re using as new bugs appear very often and programs are regularly updated. Check often to see if there are bugs and / or other problems found in software that may potentially expose your system to risk – and patch / update your system (s) accordingly. Some software have an option to check for the latest version of the software from the vendor web site; make use of it.

[05] Take several minutes and regularly check the processes on your machine with the software I reviewed above. You ” ll be surprised what you may detect sometimes. [06] It’s vital to understand the risk of getting software from someone you just met, or had only several ICQ, IRC conversations with. [07] Consider freeware programs as very risky software to download, and try searching for some reviews of the program before running it. [08] Carefully read the help files coming with your detection software to be able to use them to their full capacity. [09] Download software ONLY from its official page (s) or dedicated mirror website.

Never get the latest version of m IRC or ICQ from some site you ” ve never heard about like from some free web space provider like Geocities. Consider it as an un trusted site and do NOT download anything from there. [10] If you are playing with trojans you can also get infected as there are trojans or other software that are already infected and is waiting for someone with not so much knowledge on the topic to download and use it. [11] Don’t be so naive on everything you see on the Internet or what various sites offer you – don’t download some software you ” ve never heard about.

19. Links Section This section will be very useful for everyone interested in reading various papers about trojans written by other people, anti-trojan software reviews sites, trojans archives, trojan protection portals and many other sites related to the topic. If you want me to add your link in the next update mail me and if the site is somehow related to the topic, I will definitely include it in the list. Please don’t forget that you can find these and many other security related links at our extensive web links directory at Frame 4 Security Systems; check it out at: web Links — Trojan Portals and Archives — URL: web: Excellent, well-known security portal providing many trojan resources and information regarding the topic URL: web: Security portal, huge trojans archive and other unique features URL: web: Mega security portal having huge trojans archive and well sorted library on the subject URL: web: Trojans portal, news, archive, unique programs URL: web: Trojans portal, trojans archive, documents, www-board URL: web: Packetstorm’s trojans section URL: web: Security portal providing various functions as browser tests, remote trojan scanning URL: web: Site showing results of actual (functional comparison) tests performed with various trojan detection programs — Trojan Database Libraries — URL: web: Huge, detailed and well sorted list of trojans and their functions URL: web: Comprehensive list and analysis of probably all the public trojans URL: web: Trojans / worms library database provided by Black Code — Anti Trojan Sites — URL: web: Site with resources related to trojan protection and helping newbies URL: web: The no hack project helps newbies clean their PCs and protect themselves URL: web: IRC channel related to virus and trojans protection URL: web DESC: Anti-trojan help site — Detection Software Reviews — URL: web trojans. htm DESC: Site providing reviews of anti-trojan software URL: web: German site providing reviews of various anti-virus and anti-trojan software, and many other information (site language is German) URL: web: Site providing reviews of detection software URL: web: Site providing various security related services and reviews — Papers Regarding Windows Trojans — URL: web: Interesting paper about windows trojans URL: web index. html DESC: Detailed information about windows trojans URL: web: Windows trojans URL: web: Another must read paper URL: web gentle art of trojan horsing under windows.

txtDESC: Windows trojans URL: web: Snakebyte’s tips about trojan detection URL: web trojan. pdf DESC: Paper about windows trojans URL: web reversing. txtDESC: Interesting reading — Online Scanners — URL: web: A must visit vulnerability checker with unique features URL: web: Vulnerability assessment scanner URL: web: Security scanner — Browser and E-mail Software — URL: web DESC: Internet Explorer security centre URL: web: Browser and active content researcher a must visit URL: web: Whitepaper about active content security — Misc — URL: web Virus/Trojans/DESC: Google’s trojans directory URL: web: Risky file extensions URL: web: Review of the WinTrinoo trojan URL: web: Very detailed paper on m IRC backdoor’s 20. Final Words I really hope you ” ve realised how big security problem Windows Trojan Horses are, and you ” ve become a little paranoid about your security. If you ” ve ever found yourself infected, I also hope that while reading the paper, you have understood how you may have gotten infected the last time and I’m sure you won’t make the same mistake again.

The paper will be regularly updated with the latest info regarding the topic, as new variations of trojans and ways of infection appear very often. If you think I’ve missed something, please do not hesitate to contact me and contribute to it. Your feedback, ideas, comments, suggestions and everything related to the paper and the topic will be gratefully appreciated. I can be contacted at t of the Frame 4 Security Systems Publications Archive, this paper can be located at web Please visit the archive to get the latest updates to this paper and many other security related documents. This paper is a Frame 4 Security Systems publication, all rights reserved. You may (re-) distribute the text as long as the content is not changed in any way and with this header text intact.

If you wan.