Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Version 5
Module VI
Trojans and Backdoors
Scenario
Zechariah works for an Insurance firm. Though being a top
performer for his branch, he never got credit from his Manager,
Ron. Ron was biased to a particular sect of employees. On Rons
birthday all employees including Zechariah greeted him.
Zechariah personally went to greet Ron and asked him to check his
email as a birthday surprise was awaiting him! Zechariah had
planned something for Ron.
Unknown of Zechariahs evil intention Ron opens the bday.zip file.
Ron extracts the contents of the file and runs the bday.exe and
enjoys the flash greeting card.
Zechariah had Ron infect his own computer by a Remote Control
Trojan.
What harm can Zechariah do to Ron?
Is Zechariahs intention justified?
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Security News
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Module Objective
This module will familiarize you with the following:
~
Trojans
Wrappers
ICMP Tunneling
Anti-Trojans
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Module Flow
Introduction to
Trojans
Types and
Working of a Trojan
Different Trojans
Indications of
Trojan Attack
Wrappers
ICMP Tunneling
Countermeasures
Anti-Trojan
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Introduction
~ Malicious
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Effect on Business
~
EC-Council
Hacker
Office User
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
What is a Trojan?
~A
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Covert Channel
~A
channel is a Trojan
Keylogger.exe
Chess.exe
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Working of Trojans
Trojaned System
Attacker
Internet
~
~
EC-Council
Access Trojans
~Data-Sending
Trojans
~Destructive Trojans
~Denial-of-Service
~Proxy
~FTP
Trojans
Trojans
~Security
EC-Council
Software Disablers
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Confidential documents
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Attachments
Physical access
NetBIOS (FileSharing)
Fake programs
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
~ Computer
inverts
~ Wallpaper
~ Documents
~ Computer
~ Windows
~ Screensaver
EC-Council
functions
~ Mouse
pointer disappears
~ Mouse
~ Windows
~ Strange
computer
~ The
computer is IP scanning
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
~ Computer
itself
~ Taskbar
disappears
~ The
~ Strange
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Protocol
Ports
Back Orifice
UDP
31337 or 31338
Deep Throat
UDP
NetBus
TCP
Whack-a-mole
TCP
NetBus 2 Pro
TCP
20034
GirlFriend
TCP
21544
Masters Paradise
TCP
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Beast
Phatbot
Amitis
QAZ
Back Orifice
Back Oriffice 2000
Tini
NetBus
SubSeven
Netcat
Donald Dick
Let me rule
RECUB
EC-Council
Warning
These are classic outdated tools and
is presented here for proof of
concept ( You will not be able to find
the source code for these tools on the
Internet). It is presented in this
module so that you are encouraged to
view the source code of these tools to
understand the attack engineering
behind them.
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Trojan: Tini
~
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Trojan: iCmd
~
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Trojan: NetBus
~ NetBus
is a Win32-based
Trojan program
~ Like
~ NetBus
was written by a
Swedish programmer named
Carl-Fredrik Neikter, in March
1998
~ This
Source: http://www.jcw.cc/netbus-download.html
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Trojan: Netcat
~ Netcat is called the swiss-army knife of networking tools
~ Provides a basic TCP/UDP networking subsystem that allows users to interact manually or
via script with network applications
~ Outbound or inbound connections, TCP or UDP, to or from any ports
~ Built-in port-scanning capabilities, with randomizer
~ Built-in loose source-routing capability
~ Cryptcat tool: Netcat with encryption
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Netcat Client/Server
Netcat client
C:> nc <ip> <port>
EC-Council
Netcat server
C:> nc L p <port> -t e cmd.exe
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Netcat Commands
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Trojan: Beast
~Beast
is a powerful Remote
Administration Tool (AKA Trojan)
built with Delphi 7
~One
~An
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
MoSucker Trojan
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
This tool, when infected, starts a hidden proxy server on the victims
computer
Thousands of machines on the Internet are infected with proxy servers
using this technique
ATTACKER
TARGET
PROXY
INTERNET
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Attacker
ICQ Notification
Notifies the attacker using ICQ channels
PHP Notification
Sends the data by connecting to PHP server on the attacker's
server
E-Mail Notification
Notification is sent through email
Net Send
Notification is sent through net send command
CGI Notification
IRC notification
Notifies the attacker using IRC channels
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Wrappers
~ How
~A
Chess.exe 90k
Trojan.exe 20k
~ The
~ The
Chess.exe 110k
Attackers might send a birthday greeting that will install a Trojan as the user watches, for
example, a birthday cake dancing across the screen.
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Graffiti.exe is an example
of a legitimate file that can
be used to drop the Trojan
into the target system
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Wrapping Tools
~
Customizable options
Pretator Wrapper
EC-Council
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Icon
Execution commands
3
5
EC-Council
4
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
RemoteByMail
~
Remote Control a
computer by sending
email messages
It is an easier and
more secure way of
accessing files or
executing programs
Attacker
EC-Council
Victim
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Icon Plus is a
conversion program
for translating icons
between various
formats
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Powerful find-and-grab
functions let the user retrieve
resources from all files on their
disks
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Tetris
~
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
HTTP Trojans
~
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Internet
Victim
EC-Council
Server
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Generate server.exe
EC-Council
n
Co
ne
ct t
IP
he
t
o
s
dre
d
a
g
sin
u
s
e
ws
o
r
ab
0
rt 8
o
p
r to
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
SHTTPD is a very small HTTP Server that can easily be embedded inside any
program
Even though shttpd is NOT a trojan, it can easily be wrapped with a chess.exe
and turn a computer into an invisible Web Server
Attacker
IP: 10.0.0.5:443
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
INTERNET
Rebecca
Victim
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
ICMP Tunneling
~
ICMP tunneling is a method of using ICMP echo-request and echoreply as a carrier of any payload an attacker may wish to use in an
attempt to stealthily access, or control, a compromised system
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
ICMP Server
ICMP Client
Commands are
sent using ICMP
protocol
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Trojan: Phatbot
~
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Trojan: Amitis
It has more than 400 readyto-use options
~ It is the only Trojan that has
a live update
~ The server copies itself to
the Windows directory, so,
even if the main file is deleted,
the victims computer is still
infected
~ The server automatically
sends the requested
notification as soon as the
victim gets online
~
Source: http://www.immortal-hackers.com
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
~Senna
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Trojan: QAZ
~
~
~
~
~
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
~Back
~BO
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Trojan: SubSeven
~SubSeven
is a Win32 Trojan
~The
~Its
~SubSeven
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
~
~
~
~
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Trojan: RECUB
~
~
~
~
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
~As
far as the network is concerned, a series of ICMP packets are shot back
and forth: a ping, pong response. As far as the attacker is concerned,
commands can be typed into the Loki client and executed on the server
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Loki Countermeasures
~
Loki also has the option to run over UDP port 53 (DNS
queries and responses)
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
~
~
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
2.
3.
EC-Council
5.
Process Viewer
Whats on my computer
Insider
4.
Netstat
Fport
TCPView
Ethereal
Tool:Netstat
~
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Tool: fPort
~
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Tool: TCPView
~
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
CurrPorts Tool
~
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
PrcView is a process
viewer utility that displays
detailed information about
processes running under
Windows
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
~
~
~
Tool: Whats on My
Computer
It provides additional
information about any
file, folder, or program
running on your
computer
Allows search of
information on the web
Keeps out viruses and
Trojans
Keeps your computer
secure
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
It gives complete
information about
processes, services,
IP connections,
modules, and
drivers, running
on your computer
Screenshot showing list of processes running
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Tool: MSConfig
~
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Tool: Autoruns
~
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Anti-Trojan Software
~
Trojan Guard
Trojan Hunter
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Trojanclient.java
EC-Council
Trojanserver.java
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
~ Its
features include
adding bytes, bind,
changing strings, creating
VBS, scramble/pack files,
split/join files
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Backdoor Countermeasures
~
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Tool: Tripwire
~
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
MD5sum.exe
~
~
~
~
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
It features Real-Time
Protection, a monitoring
system that recommends
actions against spyware when
it's detected
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Do not download blindly from people or sites that you arent 100%
sure about
Even if the file comes from a friend, be sure what the file is before
opening it
Do not blindly type commands that others tell you to type; go to web
addresses mentioned by strangers, or run pre-fabricated programs or
scripts
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Filter and scan all content at the perimeter defenses that could
contain malicious content
Run local versions of anti-virus, firewall, and intrusion detection
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Summary
~
Trojans are used primarily to gain and retain access on the target
system
Trojans often reside deep in the system and make registry changes
that allow it to meet its purpose as a remote administration tool
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited