1 / 34

INCS 745: Intrusion Detection and Hackers Exploits Trojan Horse Program

INCS 745: Intrusion Detection and Hackers Exploits Trojan Horse Program. Dr. Lo’ai Tawalbeh Prepared for Arab Academy for Banking and Financial Sciences (AABFS). Introduction.

pomona
Download Presentation

INCS 745: Intrusion Detection and Hackers Exploits Trojan Horse Program

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. INCS 745: Intrusion Detection and Hackers ExploitsTrojan Horse Program Dr. Lo’ai Tawalbeh Prepared for Arab Academy for Banking and Financial Sciences (AABFS) Eng. Ammar Mahmood

  2. Introduction • Trojan horse is a malicious program that is disguised as or embedded within legitimate software. They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed. • The term is derived from the classical myth of the Trojan War. Eng. Ammar Mahmood

  3. Introduction • Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like viruses or worms. • Trojan horse programs depend on actions by the intended victims. As such, if trojans replicate and even distribute themselves, each new victim must run the program/trojan. Therefore their virulence is of a different nature, depending on successful implementation of social engineering concepts rather than flaws in a computer system's security design or configuration. Eng. Ammar Mahmood

  4. Introduction • There are two common types of Trojan horses: • useful software that has been corrupted by a cracker inserting malicious code that executes while the program is used. Examples include various implementations of weather alerting programs, computer clock setting software, and peer to peer file sharing utilities (Droppers). Eng. Ammar Mahmood

  5. Introduction • The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives. Eng. Ammar Mahmood

  6. Types of Trojan Horses • Trojan horses are almost always designed to do various harmful things, but could be harmless. They are broken down in classification based on how they breach systems and the damage they cause. The seven main types of Trojan horses are: Eng. Ammar Mahmood

  7. Types of Trojan Horses • Remote Access Trojans: • allowing remote access to the victim's computer. This is called a RAT (Remote Administration Tool). they provide the attacker with total control of the victim's machine. • Example:The Bugbear virus that hit the Internet in September 2002, for instance, installed a Trojan horse on the victims' machines that could give the remote attacker access to sensitive data. • Trojans acted as a server and listened on a port that had to be available to Internet attackers. Attackers can now also make use of a reverse connection to reach the backdoored host so that they can reach the server even when it is behind a firewall. Eng. Ammar Mahmood

  8. Types of Trojan Horses • Data Sending Trojans: • spying on the user of a computer and send data back to the hacker with information such as passwords, confidential information such as credit card details, chat logs, address lists, browsing habits to other people, take a screenshot, keystrokes…etc. • The Trojan could look for specific information in particular locations or it could install a key-logger and simply send all recorded keystrokes to the hacker. • An example of this is the Badtrans.B email virus (released in the wild in December 2001) that could log users' keystrokes. Eng. Ammar Mahmood

  9. Types of Trojan Horses • Destructive Trojans: • The only function of these Trojans is to destroy and delete files. This makes them very simple to use. They can automatically delete all the core system files on your machine. • it is similar to a virus, but the destructive Trojan has been created purposely to attack you, and therefore is unlikely to be detected by your anti-virus software. Eng. Ammar Mahmood

  10. Types of Trojan Horses • Proxy Trojans: • These Trojans turn the victim's computer into a proxy server, making it available to the whole world or to the attacker alone. It is used for anonymous Telnet, ICQ, IRC, etc., • activities. This gives the attacker complete anonymity and the opportunity to do everything from YOUR computer, including the possibility to launch attacks from your network. Eng. Ammar Mahmood

  11. Types of Trojan Horses • FTP Trojans: • These Trojans open an FTP server on the victim’s machine that might store and serve illegal software and/or sensitive data, and allow attackers to connect to your machine via FTP. • A Trojan FTP program is a File Transmission Protocol tool that allows an attacker to download, upload and replace files on the affected machine. • often used to host potentially dangerous or illegal content (warez, child porn, etc.) on the compromised computer. • security software disabler Trojans: • These are special Trojans, designed to stop/kill programs such as anti-virus software, firewalls. • Example: Bugbear virus installed a Trojan on the machines of all infected users and was capable of disabling popular anti-virus and firewalls software. • Usually targeted to particular end-user software. Eng. Ammar Mahmood

  12. Types of Trojan Horses • denial-of-service attack (DDoS) Trojans. • Example: WinTrinoo is a DDoS tool that has recently become very popular; through it, an attacker who has infected many ADSL users can cause major Internet sites to shut down; early examples of this date back to February 2000, when a number of prominent e-commerce sites such as Amazon, CNN, E*Trade, Yahoo and eBay were attacked. Eng. Ammar Mahmood

  13. Trojan Technologies • Rootkit Technology: • Rootkit technology involves a piece of malware (a Rootkit) intercepting system calls and altering them in order to conceal other malware. • The purpose of rootkits is usually to hide backdoors, rootkits can hide things such as files, registry keys and processes. • Rootkits also alter system logs in order to hide the activity of an attacker. • There are two main types of Rootkits • Kernel level rootkits normally patch, replace or hook system calls so they can alter them. • Application level rootkits work basically the same, except they may simply inject themselves into an application or replace binaries of the application with fakes. Eng. Ammar Mahmood

  14. Trojan Technologies • Polymorphism • A Polymorphic virus is basically a virus that uses a self encryption technique in order to try and evade Anti-Virus programs. • The Polymorphic virus will alter or encrypt itself each time it infects a different machine. It also encrypt the algorithm they use to encrypt themselves, meaning each time they mutate they change almost completely, or at least it would appear that way to an Anti-Virus program. • it is very difficult to detect some Polymorphic viruses,because you cannot rely on viral signatures since the virus can encrypt itself. • In order for Anti-Virus programs to be able to detect Polymorphic viruses, they must use decryption simulation techniques. Eng. Ammar Mahmood

  15. Trojan Technologies • Firewall Bypass: There are 3 types • FWB (Firewall Bypass) works by simply injecting the Trojan into a process as a DLL. Firewall vendors responded by blocking unknown DLL’s from injecting themselves into trusted applications. • FWB+: Trojans coders then found away around having a DLL, by making the Trojan inject itself into the process with out need for a DLL. Firewall vendors then responded once again by blocking all the API used by Trojan coders to inject their Trojans into known trusted applications. • FWB #:Firewall Bypass Sharp works by finding the address of the function, rather than just simply attempting to call the API. Eng. Ammar Mahmood

  16. Methods of Infection • The majority of Trojan horse infections occur because the user was tricked into running an infected program/file. • There are 3 main way to infected by Trojan horse: Eng. Ammar Mahmood

  17. Methods of Infection • Websites:You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of trojans and other pests, because it contains numerousbugs. • improperly handle data (such as HTML or images) by executing it as a legitimate program. • ActiveX objects, and some older versions of Flash or Java Eng. Ammar Mahmood

  18. Methods of Infection • Email: • If you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly. The same vulnerabilities exist since Outlook allows email to contain HTML and images. • Furthermore, an infected file can be included as an attachment. Eng. Ammar Mahmood

  19. Methods of Infection • Open ports: • Computers running their own servers (HTTP, FTP, or SMTP, for example), allowing Windows file sharing, • or running programs that provide file sharing capabilities such as Instant Messengers (AOL's AIM, MSN Messenger, etc.) may have vulnerabilities similar to those described above Eng. Ammar Mahmood

  20. Precautions against Trojan horses • end-user awareness: • If you receive e-mail from someone that you do not know or you receive an unknown attachment, never open it right away. • make sure that you have the settings so that attachments do not open automatically. • Make sure your computer has an anti-virus program on it and update it regularly • Operating systems offer patches to protect their users from certain threats • Avoid using peer-to-peer or P2P sharing networks like Kazaa , Limewire, Ares, or Gnutella because they are generally unprotected Eng. Ammar Mahmood

  21. Trojan detection • Detecting known/old Trojans that do not specifically designed to attack you is easy job done by security SW (e.g. antivirus) usually. • Detecting unknown Trojans can only be done by manually reviewing the executable. • The process of manually reviewing executables is a tedious and time-intensive job, and can be subject to human error. Therefore it is necessary to tackle this process intelligently and automate part of it. Eng. Ammar Mahmood

  22. Removing the Trojan • Removing Trojan horses can be a difficult task and may require a new installation of the operating system. Sometimes, simply uninstalling the Trojan horse does not solve the problem. The Trojan horse could have made permanent changes or installed backdoors that are unknown to the user. • However most of its signature (of the Trojan) none by the security SW (e.g. antivirus) it can be removed very easy. Eng. Ammar Mahmood

  23. Ex. Of Protection SW • GFI (Trojan and executable analyzer tool): An executable scanner intelligently analyses what an executable does and assigns a risk level. It disassembles the executable and detects in real time what the executable might do. It compares these actions to a database of malicious actions and then rates the risk level of the executable. • This way, potentially dangerous, unknown or one-off Trojans can be detected. • The Trojan and executable scanner deals with advanced hackers who create their own versions of Trojans, the signatures of which are not known by anti-virus software. Eng. Ammar Mahmood

  24. Ex. Of Protection SW Eng. Ammar Mahmood

  25. Example of Trojan SW • SubSeven is a RAT (Remote Administration Tool) For Windows. Executing server.exe on Windows 9x/NTx system will allow full remote access on that system. • It is the most well known Trojan backdoor application available (Remote Access Trojans) to the public. Eng. Ammar Mahmood

  26. Example of Trojan SW • Subseven consists of three main files: 1- Subseven client (R.A.T) 2- Subseven server (Trojan Horse) 3- Subseven server editor Eng. Ammar Mahmood

  27. Example of Trojan SW • How dose it work? 1- We use server editor to configure the server , we specify the startup method that will be used on the victim PC. 2- Then we configure the notification method ICQ, email or IRC channel. That will be used to know the IP address that the victim will use every time he connect to the internet. 3- Then we send the sever file to the victim after we change the icon and the extension of the server file. 4- After executing the file by the victim , the hacker receives the notification which contains the ip address and port number. 5- The hacker use the ip and port number to connect by the client tool. Eng. Ammar Mahmood

  28. Functions: send messages or questions to the victim open the default browser at the specified address hide or show the Start button take a screen shot of the victim's desktop disable keyboard chat with the victim start/stop the victim's PC Speaker restart windows open/close the CD-ROM set the length of the victim's mouse trails set a password for the server get all the active windows on the victim's computer enable/disable a specified window disable the close button on a specified window get a list of all the available drives on the victim's computer turn monitor on/off show/hide the taskbar get more information about the victim's computer change the server name listen for all the pressed keys record sound get the file's size download/upload/execute file set wallpaper play file on the victim's computer reverse/restore mouse buttons set the online notification on/off close the server on the victim's computer Example of Trojan SW Eng. Ammar Mahmood

  29. Eng. Ammar Mahmood

  30. Fake Server icon Eng. Ammar Mahmood

  31. Bind server with EXE file Eng. Ammar Mahmood

  32. Example of Trojan SW • Melt option will delete the server after execution, in fact it will install itself to windows/system folder then it will delete itself. • Bind option allows you to join any EXE file to your server to make sure that the person who runs that server won't feel strange about it. Same thing for fake error msg. Eng. Ammar Mahmood

  33. Eng. Ammar Mahmood

  34. Resources • http://en.wikipedia.org/wiki/Main_Page • http://www.hackpr.net (sub7 official website) • GFI\ The corporate threat posed by email Trojans (white paper) • http://www.pestpatrol.com/zks/pestinfo/s/subseven.asp Eng. Ammar Mahmood

More Related