
1 Mike Ware 11/30/04 A Trojan Report and Analysis of BO2K, NetBus 1.7, and Sub7 Legends

2 What is a trojan?
- Any program that overtly does one thing but covertly does something else in a malicious manner.
- Normally provides remote access to a victim’s computer.
- Not considered a virus because it does not self-propagate.
- Not considered a worm because it does not automatically spread from one computer to the next over a network.
- Back Orifice, NetBus, and Sub7 are three very popular trojan horses.

3 Why is a trojan a security threat?
- A trojan cannot install itself. It must be executed by the user.
- Many users are non-technical individuals and are unaware of their system’s activity.
- Detection is difficult. Most trojans are designed to run invisible to the victim by removing themselves from the process list and hiding their system “footprint”.
- Anti-virus and other virus monitoring software will only detect and remove the trojan if its signature is known.
- A successful trojan attack opens a virtual channel to the victim’s file system, registry, process list, service list, and other OS structures.
- Recovering from information theft, and from the cost of down time caused by denial-of-service attacks, is burdensome.

4 How security aware are users?
Results from the America Online/National Cyber Security Alliance survey of 329 users completed during October 2004:
- 77% believed their systems were well protected
- 4 out of 5 (80%) had spyware or adware running on their systems
- 2/3 currently had one or more virus infections
- 15% were not using anti-virus protection
- 67% were using anti-virus apps that had not been updated in the past week
- 72% were not using a properly configured firewall
- 38% of wireless users did not use WEP or WPA-SK network encryption

5 Overview of BO2K, NetBus 1.7, and Sub7 Legends
- All three were developed by the underground hacking community as RATs (remote access tools).
  - Cult of the Dead Cow (CDC) developed BO2K (first version released Aug 1998)
  - Mobman developed Sub7 Legends (first version released May 1999)
  - Carl-Fredrik Neikter developed NetBus 1.7 (first version released Mar 1998)
- All three have the same architecture, which consists of a server and a client.
  - The attacker uses the client to control any remote machine that has the server installed.
  - The server is stored on the victim’s machine and, once installed, waits for a probe from the client to establish a connection.
- The victim must execute the malicious trojan file.
  - The trojan will normally disguise itself as an appealing program (video, music, game, etc.) or attach itself to a legitimate program that, when run, installs both the legitimate application and the attached trojan without the user’s knowledge (setup package or self-extracting zip files).

6 BO2K Initial Actions on XP SP1
- Drops a copy of itself into the Windows\System32 folder. The default name is UMGR32.EXE but it can be anything the attacker configures it to be during server setup.
- Creates registry entries in any auto-run key. The name of the value created and the name of the file the value points to are both specified by the attacker.
- On NT environments, it can install itself as a system service. This means it does not have to be an .EXE file. This ensures that it will be neglected by anti-virus programs.
- On NT or Windows 2000, it can hijack a legitimate process (normally EXPLORER.EXE) and create a thread within its memory space. This allows it to run inside that process without showing up in the process list.
- On Win95 and Win98, it will remove itself from the process list by altering the OS kernel function export table, which stores data on all active processes.
- Once executed, the trojan disconnects itself from the original file (which may delete itself) and executes the copy planted in the Windows\System32 folder.
- Opens TCP port 5430 (by default), but this may be changed by the attacker.

7 NetBus 1.7 Initial Actions on WIN 98
- The server file (by default Patch.exe) will copy itself to the Windows\System32 directory.
- Creates registry entries in the auto-start keys.
- Creates two other registry keys, one to store information about the server and one to store application settings for the trojan itself.
- Places a DLL file named KeyHook.dll in the Windows\System32 directory for key logging.
- Once communication with the server is established, it creates Hosts.txt and Memo.txt in the same directory as the running server.
- If the server is configured to log its activity, IP.txt is created in the Windows\System32 directory.
- If the server is pre-configured in any way, PATCH.ini will always be placed in the Windows\System32 directory.
- Opens TCP ports 12345 and 12346 (by default), but these may be changed by the attacker.

8 Sub7 Legends Initial Actions on XP SP1
- Copies itself to the Windows directory. The default name is server.com but it can be anything the attacker configures it to be.
- Creates registry entries in the auto-run keys. Registry entry names and values are both specified by the attacker during server setup.
- The original trojan file can be configured to “melt” itself. This means it will delete itself after placing a copy of itself in the Windows directory.
- Opens TCP port 27374 (by default), but this may be changed by the attacker.

9 Compare/Contrast Initial Actions
Similarities
- All three copy themselves to some other location. Sub7 Legends and NetBus 1.7 will place a copy in the Windows directory while BO2K places a copy in Windows\System32.
- If configured to do so, all three will create registry entries in the auto-run startup keys so they will execute each time Windows is loaded.
- All three disconnect from the original file and execute the planted second copy.
- All three open some port.
Differences
- filename of the server file
- number and names of other files created and used by the server
- number, type, name, and location of created registry edits
- server port usage

10 Connection Method
- The attacker only needs to know the IP address of the victim.
- BO2K
  - Can password protect the server using 3DES or XOR encryption.
- NetBus 1.7
  - Can password protect the server.
  - Can be notified of the victim’s connection using a specified SMTP engine.
- Sub7 Legends
  - Can password protect the server.
  - Attacker can be notified by ICQ, IRC, or email.

11 Operational Capabilities
Once connected, the attacker has full access to the victim’s operating system functionality.
- File system manipulation
  - find/delete/view/move/rename/copy files
  - create/delete directories
  - download/upload files
- Key logging ability
  - BO2K logs to a viewable file while Sub7 and NetBus log “real-time”.
- Port redirection
  - Allows the attacker to send input to another machine using the victim’s machine.
- System functions
  - View, kill, start processes
  - View and close active windows
  - Mouse control (move/hide pointer, enable tails, reverse buttons)
  - Perform system shutdown, log off, restart, and power off

12 Other Interesting Features
- Sub7 and BO2K:
  - registry manipulation:
    - create/delete/rename keys
    - set/get/delete/rename values
    - enumerate keys and values
  - screen or web/video capture; tap PC microphone
  - complete server control: change startup method, server filename, port usage, or remove the server entirely.
- Sub7:
  - hide/show desktop, start button, and taskbar
  - flip screen horizontally/vertically
  - mess with CTRL-ALT-DEL, NUM LOCK, SCROLL LOCK, CAPS LOCK
- BO2K:
  - XOR and 3DES encryption for client/server communication.
  - ability to enhance its functionality through plug-ins (has a software development kit)

13 BO2K Attack Footprint on XP SP1
File Mods:
- c:\windows\system32\UMGR32.EXE (112 KB)
- Original trojan file remains at its original location if it doesn’t delete itself.
Netstat reports:
- TCP 54320 by default
- possibly UDP 54321
Task Manager will report the name of the running server as a process:
- UMGR32.EXE

14 NetBus 1.7 Attack Footprint on XP SP1
File Mods:
- c:\windows\patch.exe (483 KB) => running server
- c:\windows\KeyHook.dll (54 KB) => key logging functions
- c:\windows\Memo.txt => attacker note-taking
- c:\windows\Hosts.txt => host connection log
- c:\windows\IP.txt => server IP log
- c:\windows\Patch.ini => server configuration info
Registry Mods:
- HKCU\NETBUS
- HKCU\NETBUS\Settings
- HKCU\Patch
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  value: “PATCH”=“c:\windows\patch.exe”
Netstat reports two open TCP ports:
- 12345 and 12346

15 Sub7 Legends Attack Footprint on XP SP1
File Mods:
- c:\windows\server.com (364 KB)
- Original trojan file remains at its original location if it doesn’t delete itself.
Registry Mods:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  value: “WinLoader”=“c:\windows\server.com”
Netstat reports open TCP port:
- 27374 by default
Task Manager will report the name of the running server as a process:
- server.com
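As an added example that is not part of the presentation, the following Python script turns the default footprints from slides 13 through 15 into a small host-triage check: it parses constructed samples of "netstat -an" output, a Run-key listing in "reg query" style, and a directory listing, and reports which slide-documented indicators are present. The sample data, the assumed output layouts, and the evidence strings are all this example's own assumptions; as the slides note, the attacker can rename files and move ports, so an empty result is not a clean bill of health.

```python
import re
# Indicator table transcribed from slides 13-15 (default names and ports; an
# attacker can change all of them, so a miss here proves nothing).
FOOTPRINTS = {
    "BO2K": {"files": {r"c:\windows\system32\umgr32.exe"}, "run_values": set(),
             "ports": {("TCP", 54320), ("UDP", 54321)}},
    "NetBus 1.7": {"files": {r"c:\windows\patch.exe", r"c:\windows\keyhook.dll",
                             r"c:\windows\patch.ini"}, "run_values": {"PATCH"},
                   "ports": {("TCP", 12345), ("TCP", 12346)}},
    "Sub7 Legends": {"files": {r"c:\windows\server.com"}, "run_values": {"WinLoader"},
                     "ports": {("TCP", 27374)}},
}

# One "netstat -an" row (assumed layout): proto, local addr:port, foreign addr, optional state.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return the set of (proto, port) that are listening (TCP) or bound (UDP)."""
    found = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and (m.group(1) == "UDP" or m.group(4) == "LISTENING"):
            found.add((m.group(1), int(m.group(2))))
    return found

def parse_run_key(text):
    """Parse 'reg query' style rows 'name  REG_SZ  data' into {name: data}."""
    values = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            values[parts[0]] = parts[2]
    return values

def triage(netstat_text, run_key_text, file_listing):
    """Map each trojan to the slide-documented indicators actually observed."""
    ports = parse_netstat(netstat_text)
    run = parse_run_key(run_key_text)
    files = {f.lower() for f in file_listing}  # Windows paths are case-insensitive
    hits = {}
    for name, fp in FOOTPRINTS.items():
        evidence = ["port %s/%d" % p for p in sorted(fp["ports"] & ports)]
        evidence += ['run value "%s"=%s' % (v, run[v])
                     for v in sorted(fp["run_values"] & set(run))]
        evidence += ["file " + f for f in sorted(fp["files"] & files)]
        if evidence:
            hits[name] = evidence
    return hits

# Constructed sample input resembling a NetBus 1.7 host (not a real capture).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:12345      192.168.1.9:3051       ESTABLISHED
  UDP    0.0.0.0:54321          *:*
"""
SAMPLE_RUN_KEY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    PATCH     REG_SZ    c:\\windows\\patch.exe
    ctfmon    REG_SZ    c:\\windows\\system32\\ctfmon.exe
"""
SAMPLE_FILES = [r"C:\Windows\Patch.exe", r"C:\Windows\KeyHook.dll", r"C:\Windows\explorer.exe"]

if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_RUN_KEY, SAMPLE_FILES))
```

On the sample, NetBus 1.7 is reported with both default ports, the "PATCH" Run value and two of its files, while the lone UDP 54321 socket produces a weak single-indicator hit for BO2K that would need corroboration.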

16 Cyberspace Security Implications
- The ability to remotely control the OS makes a trojan attack far more dangerous than a typical virus or worm.
- Risks of information theft and malicious activity:
  - theft of passwords
  - theft of product designs (this can be crucial to a company)
  - theft of medical, financial, and other personal data
  - interception of email, chat, and video content
  - attacker can plant incriminating data on the victim’s machine (child pornography!)
  - attacker can find incriminating data and use it against the victim
- Future attacks:
  - DDOS - attack high-risk targets.
  - We have already seen the first trojan, Brador.a, for PocketPC. Imagine a DDOS attack aimed at disabling a multitude of PocketPC devices.
  - Electronic voting (e-voting)

17 What can be done to combat trojans?
- Increase user security awareness
  - The President’s third highest priority outlined in “The National Strategy to Secure Cyberspace” document.
- Use updated anti-virus protection.
- Properly use software/hardware firewalls.
- Periodically scan using specialized trojan horse PC scanners:
  - windowsecurity.com/trojanscan

18 Conclusion
- A trojan is any program that overtly does one thing but covertly does something else in a malicious manner.
- The architecture and “footprint” of BO2K, NetBus 1.7, and Sub7 follow a similar pattern.
- BO2K, NetBus 1.7, and Sub7 Legends are a serious and direct threat to current home computing technologies such as e-commerce and banking as well as future computing technologies such as e-voting and online surgery procedures.
- We can combat trojan attacks through increased user awareness, properly configured anti-virus software and firewalls, and specialized trojan scanners.

