Trojans, Backdoors, Rootkits, Viruses, and Worms

Slide 1: Trojans, Backdoors, Rootkits, Viruses, and Worms
Chapter 5

Slide 2: Definitions
- Trojans: programs that hide malicious code
- Backdoor: a way of accessing a computer without the security and authentication procedures that are normally required
- Rootkit: modifies the OS to conceal malicious programs while they run
- Virus: self-replicating (within a machine) by producing its own code; attaches copies of itself to other executable code
- Worm: infects local and remote machines; spreads automatically

Slide 3: Some overlap
Example: Melissa "Virus" (1999)
- Trojan: entered computers by masquerading as an
- Virus: infected word processing files when opened
- Worm: used Outlook to spread itself to the user's personal address book

Slide 4: Trojans and Backdoors
Trojan:
- Malicious program disguised as something benign
- Often delivered as part of a "wrapper" process
- Examples:
  - BackOrifice: or ("Cult of the Dead Cow")
  - NetBus: 12345, 12346, 20034
  - Whack-a-mole: or 12362
Delivered via:
- NetBIOS remote install
- Fake executables
- ActiveX controls, VBScript, Java scripts
- Spyware / Adware

Slide 5: Trojans and Backdoors
Backdoor:
- Allows access to the system
- Often delivered via a Trojan
- May install a new service, or use an unused existing service
- Remote Access Trojan (RAT)

Slide 6: Overt & Covert Channels
- Overt: normal and legitimate use
- Covert: using programs in an unintended way
- Tunneling is a good way for Trojans to bypass IDS
- Port redirectors: modify which ports are used
  - Datapipe (Linux)
  - Fpipe (Windows)
- Port analysis: Fport identifies unknown open ports and their associated applications

Notes: Fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.

FPipe is a TCP source port forwarder/redirector. It can create a TCP stream with a source port of your choice. This is useful for getting past firewalls that allow traffic with source ports of, say, 23 to connect with internal servers. Usually a client has a random, high-numbered source port, which the firewall picks off in its filter. However, the firewall might let Telnet traffic through. FPipe can force the stream to always use a specific source port, in this case the Telnet source port. By doing this, the firewall 'sees' the stream as an allowed service and lets the stream through. FPipe basically works by indirection. Start FPipe with a listening server port, a remote destination port (the port you are trying to reach inside the firewall) and the (optional) local source port number you want. When FPipe starts it will wait for a client to connect on its listening port. When a listening connection is made, a new connection to the destination machine and port with the specified local source port will be made, creating the needed stream. When the full connection has been established, FPipe forwards all the data received on its inbound connection to the remote destination port beyond the firewall. FPipe can run on the local host of the application that you are trying to use to get inside the firewall, or it can listen on a third server somewhere else.

Say you want to telnet to an internal HTTP server that you just compromised with MDAC. A netcat shell is waiting on that HTTP server, but you can't telnet because the firewall blocks it off. Start FPipe with the destination of the netcat listener, a listening port and a source port that the firewall will let through. Telnet to FPipe and you will be forwarded to the NetCat shell. Telnet and FPipe can exist on the same server, or on different servers.

Slide 7: Types of Trojans
- Remote Access Trojans (RATs)
- Data-Sending Trojans: collect passwords and other confidential data (e.g. eBlaster)
- Destructive Trojans: destroy files or the OS
- DoS Trojans: cause a DoS attack
- Proxy Trojans: help the hacker hide
- FTP Trojans: connect via port 21
- Security Software Disabler Trojans (e.g. FireKiller 2000)

Slide 8: Reverse Connecting Trojans
External attacker accesses internal systems
- QAZ: 7597; replaces Notepad.exe with
- Tini: 7777; Windows backdoor Trojan allowing a command prompt to anyone who connects
- Donald Dick: or 23477
- NetBus: 12345, 12346, 20034, 23476
- Netcat: allows a telnet session. Sample command: nc -L -p 5000 -t -e cmd.exe
- SubSeven
- BackOrifice 2000: 31337
- Firekiller 2000

Slide 9: Symptoms of Trojans
- Programs auto-starting and running
- Screen flips
- Sudden reduction in system resources
- Corrupt or missing files
- CD-ROM drawer opens and closes
- Wallpaper, background, etc. changes
- Unexpected/suspicious Web sites
- Mouse moves by itself or pointer disappears
- Taskbar disappears
- Task Manager is disabled

Slide 10: Scanning for Trojans
Run netstat -an and compare open ports against known Trojan ports:

Trojan              Protocol   Ports
Back Orifice        UDP        31337, 31338
Deep Throat         UDP        2140, 3150
NetBus              TCP        12345, 12346
Whack-a-Mole        TCP        12361, 12362
NetBus 2            TCP        20034
GirlFriend          TCP        21544
Sockets de Troie    TCP        5000, 5001, 50505
Masters Paradise    TCP        3129, 40421, 40422, 40423, 40426

Slide 11: Scanning for Trojans

Trojan              Protocol   Ports
Devil               TCP        65000
Evil                TCP        23456
Doly Trojan         TCP        1011, 1012, 1015
Chargen             UDP        9, 19
Stealth Spy Phaze   TCP        555
NetBIOS datagram    TCP, UDP   138
Sub Seven           TCP        6711, 6712, 6713
ICQ Trojan          TCP        1033
MStream             UDP        9325

Slide 12: Scanning for Trojans

Trojan              Protocol   Ports
The Prayer 1.0-2.0  TCP        9999
Online KeyLogger    UDP        49301
Portal of Doom      TCP, UDP   10067, 10167
Senna Spy           TCP
Trojan Cow          TCP        2001
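The Fport notes on slide 6 and the port tables on slides 10 to 12 describe the same check: list open sockets and compare them with a table of ports used by known Trojans. The following Python script is an added example, not part of the slide deck or of Fport; it parses netstat -an output in the Windows text format, keeps only listening TCP sockets and all UDP sockets, and looks each local port up in the table transcribed from the slides. The netstat output it runs on is constructed sample text, and the port table is exactly the slides' list.

```python
import re
from collections import namedtuple

# Port table transcribed from slides 10-12. A port match is only a hint:
# confirm by mapping the port to its owning process (Fport, netstat -b, ss -p).
TROJAN_PORT_TABLE = [
    ("Back Orifice", ("udp",), (31337, 31338)),
    ("Deep Throat", ("udp",), (2140, 3150)),
    ("NetBus", ("tcp",), (12345, 12346)),
    ("Whack-a-Mole", ("tcp",), (12361, 12362)),
    ("NetBus 2", ("tcp",), (20034,)),
    ("GirlFriend", ("tcp",), (21544,)),
    ("Sockets de Troie", ("tcp",), (5000, 5001, 50505)),
    ("Masters Paradise", ("tcp",), (3129, 40421, 40422, 40423, 40426)),
    ("Devil", ("tcp",), (65000,)),
    ("Evil", ("tcp",), (23456,)),
    ("Doly Trojan", ("tcp",), (1011, 1012, 1015)),
    ("Chargen", ("udp",), (9, 19)),
    ("Stealth Spy Phaze", ("tcp",), (555,)),
    ("NetBIOS datagram", ("tcp", "udp"), (138,)),
    ("Sub Seven", ("tcp",), (6711, 6712, 6713)),
    ("ICQ Trojan", ("tcp",), (1033,)),
    ("MStream", ("udp",), (9325,)),
    ("The Prayer 1.0-2.0", ("tcp",), (9999,)),
    ("Online KeyLogger", ("udp",), (49301,)),
    ("Portal of Doom", ("tcp", "udp"), (10067, 10167)),
    ("Trojan Cow", ("tcp",), (2001,)),
]

# Flatten the table into a (protocol, port) -> name lookup.
TROJAN_PORTS = {
    (proto, port): name
    for name, protos, ports in TROJAN_PORT_TABLE
    for proto in protos
    for port in ports
}

Socket = namedtuple("Socket", "proto local_ip local_port remote state")

# One netstat -an row: proto, local address, foreign address, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$", re.IGNORECASE)

# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49213     198.51.100.7:443       ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:138            *:*
"""


def parse_netstat(text):
    """Turn netstat -an text into Socket records; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        # rpartition handles IPv6 addresses such as [::]:445 as well as 0.0.0.0:135
        ip, _, port = local.rpartition(":")
        sockets.append(Socket(proto.lower(), ip, int(port), remote, state or "-"))
    return sockets


def find_suspicious(sockets, table=TROJAN_PORTS):
    """Return (proto, port, trojan name) for open ports found in the table."""
    hits = []
    for s in sockets:
        # UDP has no state column; for TCP only listeners are of interest here
        listening = s.proto == "udp" or s.state.upper() == "LISTENING"
        if not listening:
            continue
        name = table.get((s.proto, s.local_port))
        if name:
            hits.append((s.proto, s.local_port, name))
    return hits


if __name__ == "__main__":
    for proto, port, name in find_suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{proto.upper()} port {port} open: matches {name}")
```

On the sample text the script reports TCP 12345 (NetBus), UDP 31337 (Back Orifice) and UDP 138 (NetBIOS datagram). The last hit illustrates the weakness of port matching on its own: UDP 138 is also a normal Windows NetBIOS service, so a match is a reason to identify the owning process (which is what Fport adds over netstat -an), not a verdict.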

Slide 13: Netcat
- Features: firewall testing, port scanning, creating a backdoor, identifying services
- Command line interface; opens TCP and UDP
- -d: detach from the console
- -l -p [port]: creates a listening TCP port
- -z: port scanning
- -v: verbose mode
- -e: run at any time
- -L: auto restart after a dropped connection
- -u: switches to UDP
- Best reading:

Slide 14: Wrappers (Glueware)
Three things needed:
- Legitimate program
- Trojan program
- Wrapper program
Bundle Trojans with legitimate software. Examples: Trojan Man, Yet Another Binder, Predator Wrapper, Graffiti, EXE Maker, Restorator

Slide 15: Trojan Countermeasures
- Spyware detectors: Malwarebytes, Norton Internet Security
- Fport
- Tripwire: check file signature, size, integrity
- Dsniff: contains Trojans, collection of hacking tools
- Windows built-in commands: Sigverif; SFC (System File Checker): sfc /scannow
- "What's Running" or "What's on My Computer?"
- Be wary of free cleaning applications

Slide 16: Viruses and Worms
- International Computer Security Association (ICSA): sets standards for AV software
- Virus: infects another file and spreads
- Worm: does not need a carrier program
- Often exists inside other files (like Word or Excel)
- Examples: Nimda, I Love You

Slide 17: Virus Types
- Polymorphic: changes its signature to avoid detection, e.g. Virut (requires reformat)
- Stealth: hides
- File: infects files that can load/execute (.exe, .com, .bin, .sys)
- Armored: encrypted
- Boot Sector: modifies master boot files
- System Sector: affects the executable code of the disk
- Program: infects .BIN, .COM, .EXE, .SYS files

Notes: In computer security, a stealth virus is a computer virus that uses various mechanisms to avoid detection by antivirus software. Generally, stealth describes any approach to doing something while avoiding notice. Viruses that escape notice without being specifically designed to do so (whether because the virus is new, or because the user hasn't updated their antivirus software) are sometimes described as stealth viruses too. Stealth viruses are nothing new: the first known virus for PCs, Brain (reportedly created by software developers as an anti-piracy measure), was a stealth virus that infected the boot sector in storage. Typically, when an antivirus program runs, a stealth virus hides itself in memory, and uses various tricks to also hide changes it has made to any files or boot records. The virus may maintain a copy of the original, uninfected data and monitor system activity. When the program attempts to access data that's been altered, the virus redirects it to a storage area maintaining the original, uninfected data. A good antivirus program should be able to find a stealth virus by looking for evidence in memory as well as in areas that viruses usually attack. The term stealth virus is also used in medicine, to describe a biological virus that hides from the host immune system.

Slide 18: Virus Types
- Macro: performs a sequence of actions when a particular app is triggered, e.g. Excel
- Tunneling: tunnels under antivirus software and hides
- Multipartite: affects multiple targets
- Dual Payload: e.g. Chernobyl, which changes the first MB of the hard disk to zero and replaces the BIOS code with garbage
- Network: runs code on remote systems
- Source Code: not common, very hard to write due to different compilers and languages

Slide 19: Writing a Virus
Example: batch file called Game.bat with the text:
  @ echo off
  delete c:\windows\system32\*.*
  delete c:\windows\*.*
- Convert Game.bat to with the 'bat2com' utility
- Assign an icon with the Windows file properties screen
- Send as an attachment

Slide 20: Virus Construction Kits
- Kefi's HTML Virus Construction Kit
- Virus Creation Laboratory v1.0
- The Smeg Virus Construction Kit
- Rajaat's Tiny Flexible Mutator v1.1
- Windows Virus Creation Kit v1.00

Slide 21: Detecting Viruses & Worms
- Scanning with an up-to-date scanner
- Use a Sheep Dip or SocketShield: isolate one computer from the network and run downloaded software there first
- Integrity checking: Tripwire with MD5. Downside: cannot tell differences made by a virus from those made by a bug
- Testing antivirus software

Notes: SocketShield is a spyware removal product (SoftSea rating: 4 stars). It is a dedicated zero-day exploit blocker. Using a combination of research technologies and an understanding of anti-malware techniques, the program is able to block exploits from entering your computer, regardless of how long it takes for the vendors of vulnerable applications to issue patches, or how long it takes for you to install those patches. The install files were fully tested and reviewed; SocketShield does not contain any adware or spyware. The latest version is 1.1.1 (2.36 MB download). The license is a subscription at $29.95; a free trial is available before you buy, and a full version can be purchased.
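Slide 15 (Tripwire: check file signature, size, integrity) and slide 21 (integrity checking with MD5) both rely on the same idea: record a baseline of file sizes and digests, then re-hash later and report what changed. The following Python script is an added example of that technique, not Tripwire's code or anything from the slide deck. It builds a baseline over a directory tree, compares it with a later snapshot, and reports added, removed and modified files. The demo() function constructs a small temporary tree and simulates an infection in which one file is altered without changing its size, which is exactly the case a size-only check misses and a digest catches. It defaults to SHA-256; the hash algorithm is a parameter, so MD5 as named on the slide works too, although MD5 is no longer collision resistant and should not be relied on for integrity.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256", chunk=65536):
    """Hash a file in fixed-size chunks so large files do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Map each file (path relative to root, POSIX form) to (size, digest)."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = (p.stat().st_size, file_digest(p, algo))
    return baseline


def compare(baseline, current, size_only=False):
    """Report added, removed and modified files between two snapshots.

    size_only=True mimics a check that looks at file size alone, to show
    what it misses compared with a digest comparison.
    """
    common = set(baseline) & set(current)
    if size_only:
        changed = lambda p: baseline[p][0] != current[p][0]
    else:
        changed = lambda p: baseline[p] != current[p]
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if changed(p)),
    }


def demo(algo="sha256"):
    """Constructed scenario: baseline a tree, simulate an infection, compare twice."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # constructed sample files, not real programs
        (root / "bin" / "app.exe").write_bytes(b"MZ sample program v1.0")
        (root / "notes.txt").write_text("hello")
        before = build_baseline(root, algo)

        # simulated infection: same-length overwrite, a dropped file, a deleted file
        (root / "bin" / "app.exe").write_bytes(b"MZ sample program v1.1")
        (root / "bin" / "dropper.exe").write_bytes(b"MZ")
        (root / "notes.txt").unlink()
        after = build_baseline(root, algo)

        return {
            "digest_check": compare(before, after),
            "size_only_check": compare(before, after, size_only=True),
        }


if __name__ == "__main__":
    report = demo()
    for check, result in report.items():
        print(check)
        for kind in ("added", "removed", "modified"):
            print(f"  {kind}: {result[kind]}")
```

Both checks see the added dropper and the removed notes file, but only the digest check flags bin/app.exe, because its size did not change. This is also where the slide's caveat applies: the tool reports that a file changed, not why, so a legitimate patch and a viral modification produce the same alert, and the baseline must be taken from a known-clean system (the sheep-dip machine on the same slide is one way to have one).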
