Presentation on theme: "Trojan Horse program Back door and remote administration programs: Prepared By : Ibrahim Al qarout Supervisod By: Dr. Lo’ai Tawalbeh New York Institute."— Presentation transcript:
Trojan Horse program Back door and remote administration programs: Prepared By : Ibrahim Al qarout Supervisod By: Dr. Lo’ai Tawalbeh New York Institute of Technology Institute (NYIT)-Jordan
Trojan Horse program Name (Trojan horse) According to legend, the Greeks won the Trojan war by hiding in a huge, hollow wooden horse to sneak into the fortified city of Troy. It was built and filled with Greek warriors to get in troy city and open doors for all warriors out side troy city waiting to enter the city.
However there is another meaning of the term Trojan Horse in the field of computer architecture. Here it basically represents any piece of User Code which makes the Kernel Code access anything it would not have been able to access itself in the first place!. i.e make the OS do something it wasnt supposed to be doing.And such security loopholes are called Trojan Horses In the context of computer software, a Trojan horse is a program that contains or installs a malicious program (sometimes called the payload )
Types of Trojan horse (payloads) Trojan horse payloads are almost always designed to do various harmful things, but could be harmless. They are broken down in classification based on how they breach systems and the damage they cause. The seven main types of Trojan horse payloads are: 1.Remote Access 2. Email Sending 3. Data Destructive 4. FTP trojan (adding or copying data from the infected computer) 5. denial-of-service attack (DoS)
Some examples are: 1.erasing or overwriting data on a computer. 2. Encrypting files in a crypto vital extortion attack. 3. Upload and download files. 4. Allowing remote access to the victim's computer. This is called a RAT. ( Remote administration tool) 5. Installing a backdoor on a computer system. 6. Opening and closing CD-ROM tray. 7. Harvest e-mail addresses and use them for Spam. 8. Restarts the computer whenever the infected program is started
Trojan horse programs are an easy way for intruders to trick you (sometimes referred to as "social engineering") into installing "back door" programs. These can allow intruders easy access to your computer without your knowledge, change your system configurations, or infect your computer with a computer virus. Trojan horse may appear to be useful or interesting programs or very harmless to an unsuspecting user.
There are two common types of Trojan horses. One, is otherwise useful software that has been corrupted by a cracker (it is software remove protection methods:copy prevention, trial/demo version, serial number, hardware key, CD ). inserting malicious code that executes while the program is used.Examples 1.include various implementations of weather alerting programs. 2.computer clock setting software. 3. peer to peer file sharing utilities.
The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives.
How you can know if you are under Trojan horse attack? For example, you download what appears to be a movie or music file, but when you click on it, you unleash a dangerous program that erases your disk, sends your credit card numbers and passwords to a stranger, or lets that stranger hack your computer to commit illegal Denial of service attacks. How do I get rid of Trojans?!? 1.Clean Re-installation: Back up your entire hard disk, format the disk, re-install the operating system and all your applications from original CDs.
2. Anti-Virus Software: anti-virus software is always going to be playing catch up with active virus on the system. Make sure your computer has an anti virus program on it and update it regularly. If you have an auto-update option included in your anti-virus program you should turn it on; that way if you forget to update your software you can still be protected from threats 3. Anti-Trojan Programs: These programs are the most effective against Trojan horse attacks, because they specialize in Trojans instead of general viruses.
4.. Avoid using peer to peer or P2P sharing networks like kazaa,Lime wire Ares, or Guntella because they are generally unprotected from viruses and Trojan Horse viruses spread through them especially easily. Some of these programs do offer some virus protection, but this is often not strong enough. If you insist on using P2P, it would be safe to not download files that claim to be "rare" songs, books, movies, pictures, etc.
Methods of Infection 1.You can be infected by visiting a rogue website. 2.Email: If you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly. 3.Open ports: Computers running their own servers (HTTP, FTP, or SMTP, for example), allowing Windows file sharing, or running programs that provide filesharing capabilities such as Instant Messengers (AOL's AIM, MSN Messenger, etc.) may have vulnerabilities similar to those described above. These programs and services may open a network port giving attackers a means for interacting with these programs from anywhere on the Internet. Vulnerabilities allowing unauthorized remote entry are regularly found in such programs, so they should be avoided or properly secured.
How do I avoid getting infected with (Trojan horse) in the future? 1.NEVER download blindly from people or sites which you aren't 100% sure about 2. Even if the file comes from a friend, you still must be sure what the file is before opening it 3. NEVER use features in your programs that automatically get or preview files 4. Never blindly type commands that others tell you to type, or go to web addresses mentioned by strangers, or run pre- fabricated programs or scripts
Example of a simple Trojan horse 1.A simple example of a trojan horse would be a program named “waterfalls.scr" claiming to be a free waterfall screensaver which, when run, instead would allow access to the user's computer remotely. 2. AIDS (trojan horse) AIDS, also known as Aids Info Disk or PC Cyborg Trojan, is a trojan horse that replaces the AUTOEXEC.BAT file, which would then be used by AIDS to count the number times the computer has booted. Once this boot count reaches 90, AIDS hides directories and encrypts the names of all files on drive C: (rendering the system unusable). C:
Back door and remote administration programs: On Windows computers, three tools commonly used by intruders to gain remote access to your computer are 1.BackOrifice: Back Orifice (often shortened to BO) is a controversial computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Microsoft BackOffice Server software.
2. Netbus NetBus or Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a backdoor. 3. Sub Seven(help to hack other pc's). Sub7, or Sub Seven, is the name of a popular Trojan or backdoor program. It is mainly used by script kiddies for causing mischief, such as hiding the computer cursor, changing system settings or loading up pornographic websites. However, it can also be used for more serious criminal applications, such as stealing credit card details with a keystroke logger. These back door or remote administration programs, once installed, allow other people to access and control your computer.
A Remote administration programs (tool): is used to remotely connect and manage a single or multiple computers with a variety of tools, such as: 1.Screen/camera capture or control 2. File management (download/upload/execute/etc.) 3. Computer control (power off/on/log off) 4. Registry management (query/add/delete/modify) 5. Shell control (usually piped from command prompt)
we have 2 kind of connection: 1.Direct Connection A direct-connect RAT is a simple set-up where the client connects to a single or multiple servers directly. Stable servers are multi-threaded, allowing for multiple clients to be connected, along with increased reliability.
2. Reverse Connection new technology that came around about the same time that routers became popular. A few advantages of a reverse- connection: 1. No problems with routers blocking incoming data, because the connection is started outgoing for a server 2. Allows for mass-updating of servers by broadcasting commands, because many servers can easily connect to a single client.
RAT (Remote access Trojans )Trojan Horses: (RAT)Malware or malicious software is software designed to infiltrate or damage a computer system without the owner's known. Many Trojans and backdoors now have remote administration capabilities allowing an individual to control the victim's computer. Many times a file called the server must be opened on the victim's computer before the trojan can have access to it. These are generally sent through email, P2P file sharing software, and in internet downloads
They are usually disguised as a legitimate program or file. Many server files will display a fake error message when opened, to make it seem like it didn't open. Some will also kill 1.ant virus software. 2.firewall software. *Fire wall: a logical barrier designed to prevent unauthorized or unwanted communications between sections of a computer network RAT Trojans can generally do the following: 1.Download, upload, delete, and rename files 2. Format drives 3. Open CD-ROM tray 4. Drop viruses and worms
5. Log keystrokes 6. Hack passwords, credit card no. 7. View, kill, and start tasks in task manager 8. Print text, Play sounds 9. Randomly move and click mouse Some RAT Trojans are pranks that are most likely being controlled by a friend or enemy on April Fool's day or a holiday. RATS are generally not harmful, and won't log keystrokes or hack. They usually do whimsical things like flip the screen upside-down, open the CD-ROM tray, and swap mouse buttons.
Example of a Back door and remote administration programs: Name: Remote Administration Tool - RAT Aliases: Backdoor.RAT, RAT, Ports: 2989 (UDP), 1095, 1097, 1098, 1099 Files: Rat10.zip - 823 bytes Rat11.zip - 1.032 bytes Rat20.zip - 6,128 bytes Rat10.exe - 8,192 bytes Rat10akaremote administration tool.exe - 8,192 bytes Rat11.exe - 8,192 bytes Rat20.exe - 12,288 bytes Rat21.exe - 12,288 bytes Set-up.exe - 295,936 bytes.exe - Msgsvr16.exe - Pitcher.exe - 21,504 bytes Send.tags - 616 bytes Message.tags - Rat.c - 9,658 bytes Created: Nov 1999 Requires: N/A
Actions: Remote Access / AOL Trojan Can register under 40 different HKEYs. Versions: 1.0, 1.1, 2.0, 2.1, 5.3, Registers: HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ RunServices\ and some 38 other entries !!! Notes: Works on Windows 95, 98, ME and Unix [Linux and FreeBSD]. RAT server 1.1 has IRC support added. Send.tgz is Unix client. ˆ Source code is available. Country: N/A Program: Written in Visual Basic 5.
Check if any unwanted program found in your system Using the process monitor from remote administration programs Tools, you will see whether any foreign programs are running on your computer. If you find some unwanted program, you can terminate it by clicking the 'Terminate Process' button on the Toolbar. So you can find out what programs are started behind your back
The Difference Between a Virus and Trojan Horse A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses can range in severity: Some viruses cause only mildly annoying effects while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but it cannot infect your computer unless you run or open the malicious program. It is important to note that a virus cannot be spread without a human action, (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infecting files or sending e-mails with viruses as attachments in the e-mail.
A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. The Trojan Horse, at first glance will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening them because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop, adding silly active desktop icons) or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.
Added into the mix, we also have what is called a blended threat. A blended threat is a sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one threat. Blended threats use server and Internet vulnerabilities to initiate, transmit and spread an attack. This combination of method and techniques means blended threats can spread quickly and cause widespread damage. Characteristics of blended threats include: causes harm, propagates by multiple methods, attacks from multiple points and exploits vulnerabilities. To be considered a blended thread, the attack would normally serve to transport multiple attacks in one payload. For example it wouldn't just launch a DoS attack — it would also install a backdoor and damage a local system in one shot.
Additionally, blended threats are designed to use multiple modes of transport. For example, a worm may travel through e-mail, but a single blended threat could use multiple routes such as e-mail, IRC and file- sharing sharing networks. The actual attack itself is also not limited to a specific act. For example, rather than a specific attack on predetermined.exe files, a blended thread could modify exe files, HTML files and registry keys at the same time — basically it can cause damage within several areas of your network at one time. Blended threats are considered to be the worst risk to security since the inception of viruses, as most blended threats require no human intervention to propagate.