
CIS 442 Chapter 4

CIS 442 Chapter 4. Trojan Horses. Trojan Horses and Backdoors. A Trojan Horse is a seemingly innocent application that contains malicious code hidden somewhere inside it. Trojans are often useful programs that have unnoticeable, yet harmful, side effects.





Presentation Transcript


  1. CIS 442 Chapter 4 Trojan Horses

  2. Trojan Horses and Backdoors
  • A Trojan Horse is a seemingly innocent application that contains malicious code hidden somewhere inside it.
  • Trojans are often useful programs that have unnoticeable, yet harmful, side effects.
  • The history of the name
  • Characteristics
  • Differences from viruses and worms

  3. Applications of Trojans
  • Trojans do not replicate
  – This is the main difference from worms and viruses, but today many trojans are spread by virus-like mechanisms
  • SSH
  • Ways to counter key loggers
  • Password encryption

  4. Installing Trojans
  • Applications that can be used to include trojans with [free or utility software]

  5. Typical purposes of malware
  • Backdoor access: the attacker gains unlimited access to the machine.
  • Denial-of-service (DoS) attacks: infect a huge number of machines that then try simultaneously to connect to a target server, in the hope of overwhelming it and making it crash.
  • Vandalism: e.g., defacing a web site.
  • Resource theft: e.g., stealing other users' computing and network resources, such as using your neighbor's wireless network.
  • Information theft: e.g., stealing other users' credit card numbers.

  6. Trojan horses: Operation (1)
  • Embed a malicious element inside an otherwise benign program.
  • The victim:
  1. receives the infected program,
  2. launches it,
  3. remains oblivious to the fact that the system has been infected.
  • The application continues to operate normally to eliminate any suspicion.

  7. Fool users into believing that a file containing a malicious program is really an innocent file such as a video clip or an image. This is easy to do on MS Windows because file types are determined by their extension rather than by examining the file headers, e.g., "A Great Picture.jpg .exe".
  • The .exe might not be visible in the browser.
  • The Trojan author can create a picture icon that is the default icon of MS Windows for .jpg files.
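The slide's point is that the name is not the type. The following is an added checker (not part of the slides) that looks at a file's leading bytes and at both the "visible" and the real extension, flagging the "picture.jpg .exe" pattern and executables renamed to look like images; the sample file names and bytes are constructed for the demonstration.

```python
import re

# Real leading-byte signatures for the formats in play (image vs. Windows PE executable).
SIGNATURES = [("jpg", (b"\xff\xd8\xff",)), ("png", (b"\x89PNG\r\n\x1a\n",)),
              ("gif", (b"GIF87a", b"GIF89a")), ("exe", (b"MZ",))]
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd"}

def real_extension(name: str) -> str:
    """The extension Windows actually dispatches on: the text after the last dot."""
    return name.rsplit(".", 1)[1].strip().lower() if "." in name else ""

def shown_extension(name: str) -> str:
    """The first dot-extension in the name, which is what a casual glance picks up
    ('jpg' in 'A Great Picture.jpg .exe')."""
    m = re.search(r"\.([A-Za-z0-9]{2,4})(?=[\s.]|$)", name)
    return m.group(1).lower() if m else ""

def sniff_type(header: bytes) -> str:
    """Classify a file by its magic bytes instead of trusting its name."""
    for kind, magics in SIGNATURES:
        if any(header.startswith(m) for m in magics):
            return kind
    return "unknown"

def assess(name: str, header: bytes) -> list:
    """Findings for one file; an empty list means nothing looked deceptive."""
    real, shown, actual = real_extension(name), shown_extension(name), sniff_type(header)
    findings = []
    if shown and shown != real and real in EXECUTABLE_EXTENSIONS:
        findings.append(f"double-extension:{shown}->{real}")   # "picture.jpg .exe" trick
    if actual == "exe" and real not in EXECUTABLE_EXTENSIONS:
        findings.append(f"header-mismatch:{real or 'none'}-is-executable")  # renamed PE
    return findings

# Constructed sample "files", name -> first bytes (not real files from the slides).
SAMPLE_FILES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "A Great Picture.jpg .exe": b"MZ\x90\x00" + b"\x00" * 12,
    "cute.jpg": b"MZ\x90\x00" + b"\x00" * 12,   # executable renamed to look like an image
    "notes.txt": b"just some text",
}

def scan(files: dict) -> dict:
    """Map each file name to its findings, looking only at the first 16 bytes."""
    return {name: assess(name, data[:16]) for name, data in files.items()}
```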

  8. Backdoors
  • A backdoor is malware that creates a covert access channel that the attacker can use for:
  – connecting, controlling, spying, or otherwise interacting with the victim's system.
  • Backdoors can be embedded in actual programs that, when executed, enable the attacker to connect to and use the system remotely. Backdoors may be planted into the source code by rogue software developers before the product is released.
  • This is more difficult to get away with if the program is open source.

  9. • A trivial example of a backdoor is default BIOS, router or switch passwords set either by careless manufacturers or security administrators.
  • A hacker could simply add a new user account with administrator privileges; this would be a sort of backdoor, but far less sophisticated and easily detectable.
  • Adding a new service is the most common technique to disguise backdoors in the Windows operating system. This involves tools such as Srvany.exe and Srvinstw.exe, which come with the Resource Kit utility, together with Netcat.exe [1].

  10. The principle of this operation is that the srvany.exe tool is installed as a service and then permits netcat.exe to run as a service. The latter, in turn, listens on an appropriate port for any connection. Once connected, it will have spawned a remote shell on the server (using cmd.exe), and from this moment onwards a hacker has free rein.
  • http://www.windowsecurity.com/articles-tutorials/windows_os_security/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
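Because srvany.exe is a generic wrapper, the service entry itself looks innocuous; the program it actually launches is recorded under the service's Parameters\Application value. The following added example (not from the slides or the linked article) walks a .reg-style export of the Services hive and reports services whose binary is srvany.exe together with the application the wrapper was configured to run; the export text is constructed, and the assumption that srvany reads Parameters\Application is the documented Resource Kit behaviour.

```python
import re

# Constructed .reg-style export of the Services hive (not from a real system). Real exports
# usually store ImagePath as hex(2) (REG_EXPAND_SZ); plain strings are used here for readability.
SERVICES_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinUpdateSvc]
"ImagePath"="C:\\Tools\\srvany.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinUpdateSvc\Parameters]
"Application"="C:\\Tools\\nc.exe"
"""

SERVICE_WRAPPERS = {"srvany.exe"}            # wraps any .exe so it runs as a service
SUSPECT_APPLICATIONS = {"nc.exe", "netcat.exe"}

def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: string_value}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:   # .reg escapes a backslash as "\\"; undo that
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def suspicious_services(text: str) -> list:
    """Services whose binary is a known wrapper; report what the wrapper has been told to launch."""
    keys = parse_reg(text)
    findings = []
    for path, values in keys.items():
        image = values.get("ImagePath", "")
        if basename(image) in SERVICE_WRAPPERS:
            app = keys.get(path + "\\Parameters", {}).get("Application", "")
            findings.append({"service": path.rsplit("\\", 1)[-1], "wrapper": image,
                             "application": app, "suspect": basename(app) in SUSPECT_APPLICATIONS})
    return findings
```

On a live host the same logic applies to an export produced with `reg export HKLM\SYSTEM\CurrentControlSet\Services`, after decoding any hex(2) values.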

  11. Trojan example
  • Buffer overflow in BIND to get root on Lockheed Martin's DNS server, install password sniffer
  – Sniffer logs stored in directory called /var/adm/ …
  • Excite@Home employees connect via dialup; attacker installs remote access trojans on their machines via open network shares, sniffs IP addresses of promising targets
  – To bypass anti-virus scanners, use commercial remote-access software, modified to make it invisible to user

  12. • 1987: Login program on NASA computers hacked by Chaos Computer Club, steals passwords
  • 1999: Hacked login program at U. of Michigan steals 1534 passwords within 23 hours
  • 2003: AOL employees tricked into accepting Trojans via AIM; hackers get complete remote control over their machines via IRC
  – Also social engineering to steal passwords
  • 2003: Badtrans worm installs keystroke-logging Trojan, sends log to one of 22 email accounts

  13. Remote Administration Tools
  • Legitimate tools are often abused
  – Citrix MetaFrame, WinVNC, PC Anywhere
  • Complete remote control over the machine
  • Easily found by port scan (e.g., port 1494 – Citrix)
  – Bad installations, crackable password authentication
  • "The Art of Intrusion" – breaking into a cash transfer company, a bank's IBM AS/400 server
  • Semi-legitimate tools
  – Back Orifice, NetBus
  – Can hide their presence, log keystrokes, etc.
  – Considered malicious by anti-virus software

  14. Modern Backdoors
  • SSH daemon on a high port
  – Communication encrypted, hard for a network-based intrusion detector to recognize
  – Hide SSH activity from the host by patching netstat
  • UDP listener
  • Passively sniff the network for the master's commands
  • All sorts of standard and non-standard covert tunnels
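A patched netstat only controls what the tool prints, not what the kernel records, so the standard defensive check is a cross-view comparison. The following added example (not from the slides) parses a kernel socket table in /proc/net/tcp format and a `netstat -tln` listing, and reports listeners present in the first but missing from the second; both inputs are constructed, with the netstat output deliberately omitting the SSH daemon on port 2222.

```python
# Constructed, abbreviated /proc/net/tcp as the kernel reports it (trailing columns dropped).
# local_address is hex IP:port; st 0A means LISTEN, 01 means ESTABLISHED.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345
   1: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347
   3: 0200000A:0016 0100000A:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 12348
"""

# Constructed output of a trojaned `netstat -tln` that silently drops the line for port 2222.
NETSTAT_TLN = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""

def decode_addr(field: str) -> tuple:
    """'0100007F:0019' -> ('127.0.0.1', 25); the kernel writes IPv4 in little-endian hex."""
    ip_hex, port_hex = field.split(":")
    ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
    return ip, int(port_hex, 16)

def kernel_listeners(proc_text: str) -> set:
    """Listening sockets according to the kernel's own table."""
    out = set()
    for line in proc_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) > 3 and parts[3] == "0A":
            out.add(decode_addr(parts[1]))
    return out

def netstat_listeners(netstat_text: str) -> set:
    """Listening sockets according to whatever the netstat binary chose to print."""
    out = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp") and parts[-1] == "LISTEN":
            ip, port = parts[3].rsplit(":", 1)
            out.add((ip, int(port)))
    return out

def hidden_listeners(proc_text: str, netstat_text: str) -> set:
    """Sockets the kernel knows about but the tool did not report: a cross-view discrepancy."""
    return kernel_listeners(proc_text) - netstat_listeners(netstat_text)
```

On a real host the kernel side would be read from /proc/net/tcp (and /proc/net/tcp6), ideally from a trusted boot medium or a statically linked tool, since a rootkit that patches netstat may patch the same view elsewhere.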

  15. Night Dragon Attacks
  • Started in November 2009
  • Targets: oil, energy, petrochemical companies
  • Install customized RAT tools, steal internal documents, deliver them to China
  • Propagation vectors
  – SQL injection on external web servers to harvest account credentials
  – Targeted emails to company executives (spear phishing)
  – Password cracking and "pass the hash" attacks
  • See http://www.mcafee.com/us/resources/whitepapers/wp-global-energy-cyberattacks-nightdragon.pdf
