What is a Trojan?

A Trojan is a program that pretends to be legitimate program, while It is malicious in nature

and is infecting the system in background and provides access of that system to the
Attacker.

Objectives Of Trojans:
There can be different type of objective:

Using the Trojaned machine as part of a Botnet to stage another attack like DDOS
etc.

Trojans can install Softwares so that they can upload or download files and data
directly from your computer.

Trojans can modify or delete your files.

Trojans also supports Keystroke logging and they can monitor people without their
knowledge.

Wasting computer storage space.

Crashing the computer.

Overt Channel & Covert Channel:

Overt Channel:
Overt channel simply means that the Data which is being transmitting on the network is a
legitimate connection which is following the security policy
An overt channel can be used to create a Tunnel(covert channel) to transmit the data
carefully on the network, which does raise any alarm .
Covert Channel:
Covert channel is simply the connection in which data is being transmitting over the network
that violates the security policy.
The simplest form of covert channel is
1.

Trojan

2.

Backdoors etc.

3.

Http tunnelling to access some restricted data.

Working of Trojans:
An attacker can get access to the system in multiple way.

If the Trojan is direct connecting Trojan then attacker can connect to the victim
directly and can get access to the victim machine, but the scenario is not always that easy.
Victim can be behind a Firewall, in that case direct connection Trojans will not any provide
any access to the victim computer even if the victim is infected.

Here comes the Reverse Connecting Trojans into the scene, In Reverse Connection
Scenario, attacker need to connect to the victim instead reverse connecting Trojan
themselves tries to create and maintain the connection between the victim and attacker
which can bypass firewall if the trojan is using that protocol and port which is allowed from
inside network.

Different Types of Trojan

Remote Access Trojans: Remote Access Trojans provides the whole access of the
machine.

Destructive Trojans: Some trojans are created with a purpose that they will destruct
the normal working or booting procedure of the victim machine.

Denial-of-Service (DoS) Attack: Some trojans works a dump zombies and they wait
for the attacker to give commands and usually they are being used for DDOS attacks.

Proxy Trojans: Proxy Trojans are provides the access of the victim machine in the
same way as the Remote access trojan does , but it gives the additional functionality that
attacker can use the victims machine as a proxy server which will hide the attacker from
being logged.

FTP Trojans: FTP trojans are those which open the ftp port 21 on the victim machine
and allows attackers to access it through ftp client

Security Software Disablers: Some trojans are designed to check and disable the anti
virus, internet security tools on the victim machine thus making them vulnerable to attacks
and prevent themselves from being detected.

Target Data Types of Trojans

Trojans are not restricted to target only the following contents but this what they
actually look for:

Login credentials like Username-password combination and information like credit

card details which may be used by the victim.

Trojans looks for Confidential documents, official documents and personal

documents.

Trojans can also retrieve data like bank account numbers, social security numbers,
insurance information etc.

Trojans can also access calendar information like important meetings and other
notes concerning the victims presence or activity.

Trojans can also stage the victim machine to hack further for some illegal cause and
leave the victim for consequences.

Different Modes of Trojan Infection

Trojans can be spread by any means, some of them are listed here:

Through Internet Relay Chats and messengers like gtalk and yahoo.

Through mail attachments

Trojans can also infect the system through a physical access of the system

Browser and email software security bugs can allow attackers to compromise
machine and then infect it with trojans for future access.

Trojans can also replicate while sharing data within a domain network.
Untrusted sites and freeware software site also transmits the trojans in an affective
manner.

Auto Run Trojan

The AUTORUN.INF file must start with the following line:

[autorun]

For example to create a CD or pen drive that will autorun the program server.exe
would require an AUTORUN.INF file similar to:

[autorun] open=server.exe icon=setup.exe to create a CD that will autorun to open

the html file index.htm would require:

[autorun] ShellExecute=index.htm icon=index.htm However, since some older

versions of Windows do not support ShellExecute a less elegant alternative would be:

[autorun] open=command /c start index.htm icon=index.htm Be aware that the use of

command and start restrict this to machines running Windows.
So, By using Auto run feature you can spread your trojan very easily

Symptoms of a Trojan Infection

Common symptoms of a trojan infected machines:

CD-ROM drawer opens and closes by itself

Computer screen flips upside down or inverts

Wallpaper or background settings change by themselves

Documents or messages print from the printer by themselves

Computer browser goes to a strange or unknown web page by itself

Windows color settings change by themselves

Screensaver settings change by themselves

These are common effects that user experience after infected by a trojans like beast and
prorat.

Ports Used by Trojans

Trojan

Ports

==================
Deepthroat

6670

Netbus

6666

Prorat

5110

Secret agent

11223

Asylum

23456

Binder and wrappers:

Wrapper or binder is an application which combines a trojans application with a non

malicious file like an image or any other executable file.

This reduces the suspicion level of the victim over attacker and it also helps in
convincing the victim to execute that wrapped file

Using wrappers, we have combined two different applications as a single file, now
when victim executes that file single wrapped file, it first installs the trojan in the
background and then run the legitimate application after it.

Victim only see the later legitimate application on the foreground.

How to Detect Trojans?

There are several method by which we can scan the presence of a trojan which are as
follows:

By scanning the system for suspicious open ports using tools such as netstat &
TCPview
By scanning for suspicious running processes using process Viewer.

By scanning for suspicious registry entries using the following tools such as
MSConfig.

By scanning what type network connection are being established by using wireshark
and save that data packets capture and analysis them to see to which IP address they are
connecting to.

Avoiding Trojan Infection:

Do not download blindly from any websites that you are visiting.

Do not trust the file even if the file coming from a friend, there may be a possibility
that your friends system is also infected and it might also your system as well, so be sure
what the file is before opening it.

Disable the autopreview or autoplay option from the media that you are connecting to
your computer.

Do not type commands that you have received in a mail from someone or not type
anything in the browser that can a malicious script that may further infect your computer.

Prorat: