All About Trojans
-----------------
By klemster (klemster@weed5.org)
http://www.weed5.org/
First Written On: 17th November, 2001. 9:48 PM
Last Modified On: 18th November, 2001. 1:27 PM

====================================================================

Contents
--------

Introduction
01. What is a Trojan Horse?
02. What are the different types of trojans?
03. What does a RAT trojan do?
04. How does a RAT trojan work?
05. How do I get infected?
    a. IRC
    b. ICQ/Instant Messengers
    c. E-Mail
    d. Floppies/CDs
06. How do I know if I'm infected?
    >> Port Scanners
07. Info On Some Trojans
08. How does the hacker get my IP Address?
09. How do I protect/disinfect myself?
    a. Firewalls
    b. Antivirus
10. Keyloggers
11. Password Retrievers
12. FTP Trojans
13. Binders
14. Why do people do all this?
    >> Securing your documents (PGP, LuCipher)
15. Does this mean I shouldn't trust any friends?
Disclaimer

====================================================================

INTRODUCTION

This article explains trojans in brief and tells PC users how to protect themselves from such crackers. Most of them have just a little more knowledge than the victim himself, i.e. they know how to handle trojans.

The trojan legacy started in an ancient myth, according to which, during the war, the Greeks presented a wooden horse to their enemy and, during the night, Greek soldiers jumped out of the wooden horse and defeated the enemy. It was restarted in the computing world when CDC (Cult of the Dead Cow) made Back Orifice, which is the most famous trojan ever, and its port, 31337, is one of the most popular numbers.

This article was originally written for another website, inactive since about 2001. Read the Disclaimer at the end of the text.

====================================================================

01. What is a Trojan Horse?

A trojan horse is a program that works against a user, more or less a virus, and is mostly contained in programs that look legitimate, but have a very dark side.
These trojans work in the "background", i.e. invisible to you. They do things that can render you almost powerless. All trojans have a specific purpose, for which crackers use them. Most of them are RATs (Remote Administration Tools). These programs are used by crackers to attack lamer people. Having most trojans on your computer is harmless; executing them causes the problem.

====================================================================

02. What are the different types of trojans?

a. Remote Administration Tools (RAT)
b. Keyloggers
c. Password Retrievers
d. FTP Trojans

These trojans are explained later in this article.

====================================================================

03. What does a RAT Trojan do?

A RAT trojan runs a server on your computer that enables the cracker to connect to your computer and execute various functions. Even if you have some idea about these trojans, you most probably won't know that you're infected. This is because newer trojans are being developed every day that are better and more effective than the older ones. Powerful trojans give the cracker more control of your computer than you yourself have, sitting in front of it! Others just allow some easy fun functions, and still others have common functions like downloading/uploading. The trojan also restarts every time you switch on your computer. As for what a trojan can do, it can at most destroy your computer!

====================================================================

04. How does a RAT trojan work?

A RAT trojan is mostly contained in bigger programs. So, when you run the program, you automatically trigger the trojan. This trojan runs a server on a particular port, which will enable the cracker to connect to that port on your computer with utmost ease and do God Knows What! He now has access to all your system resources, if he's using a powerful trojan, and can do almost anything.
There is nothing you can do to stop him if you don't know which program is the trojan and don't have any clue about what it is. The trojan then copies itself to a location on your computer where there is almost a 100% chance that you won't see it, and even if you do see it, you won't realise that it is a trojan. Then, the trojan makes a registry entry or changes the win.ini file, to make itself restart every time you switch on your computer.

====================================================================

05. How do I get infected?

a. IRC
------

The most common way that you get infected with a trojan is through IRC. Almost all the files that others want to send to you on IRC are viruses or trojans!

b. ICQ/Instant Messengers
-------------------------

ICQ is another easy way to get a trojan. There were a million exploits in ICQ, but now most have been rectified, though not all. A friend with whom you are chatting on ICQ will send you a file, which is the trojan. Before, there was a hole by which a cracker could send a file that is an exe/vbs but appears as an image file/document file. The trick is that the filename is too long to be displayed in full, so if he has renamed the file as "abc.jpg .exe" (with a run of spaces before the real extension), you'll be able to see only "abc.jpg". Now that hole's been rectified and you will see "abc.jp........exe" instead. You'll then execute the .exe file that he's sent you, and just then you might receive a message from him, and he'll distract you.

c. E-Mail
---------

Nowadays, spam has become very common. You will most probably find your inbox cluttered with dirty junk if you use Hotmail. Many e-mails contain attachments, and some services have the same problem that ICQ had, i.e. displaying even abc.jpg.exe as abc.jpg. Therefore, there is a high possibility of spam attachments containing trojans and viruses.

d. Floppies/CDs
---------------

You can also be infected from infected floppies/CDs.
When you use an infected one and run the infected program, or if the autorun.inf starts the trojan, you are infected.

Almost all the time, the cracker tricks you into forgetting about the program that he just gave you, and he is successful in his attempt. Most of the time, you are so busy doing other things that you'll forget about the program that wasn't running properly. This program is the trojan that has managed to fool you!

====================================================================

06. How do I know if I'm infected?

"I've received a file from a friend and double-clicked on it. But it seems it doesn't work, as when I clicked on it, nothing happened!" - BOOM, you're infected! Quick, use an Anti Virus/Firewall!

>> Port Scanners

A port scanner scans the ports of a specified range on a particular IP and tells you which of them are open. Another simple and quick way to detect if you're infected is by using netstat. Type "netstat -an" at your command prompt and check the results. If "xx.xx.xx.xx:tttt" (xx.xx.xx.xx = your IP; tttt = trojan port) is in state LISTENING, then you're infected. Below is some info on some trojans. You'll know that you're infected if you find the port listening or connected using netstat.

====================================================================

07. Info On Some Trojans

The complete list can be found at http://www.weed5.org/papers/klemster/backdoor-list.txt

01. Netbus 1.x
    Port(s) used: 12345, 12346, 12361, 12362
    Forms: Whackamole (game), the real trojan.
02. Netbus Pro 2.1
    Port(s) used: 20034
03. Back Orifice (BO)
    Port(s) used: 31337, 6001.
04. Sub Seven
    Port(s) used: 1243
    Forms: The real trojan. Can be compiled in different forms (1.7+)
05. Deep Throat
    Port(s) used: 6670
06. Senna Spy
    Port(s) used: 11000
07. Ugly FTP / Evil FTP / WhackJob
    Port(s) used: 23456
08. Netraider
    Port(s) used: 57341
09. Ugly FTP
    Port(s) used: 23456
10. Doly Trojan
    Port(s) used: 1011
11. Blade Runner
    Port(s) used: 5401, 5402
    Forms: The real trojan.
12. ICQ Trojan
    Port(s) used: 4950
13. Trojan Cow
    Port(s) used: 2001
14. Shockrave
    Port(s) used: 1981
15. ICQKiller
    Port(s) used: 7789
16. Silencer
    Port(s) used: 1001
17. Stealth Spy
    Port(s) used: 555
18. Devil 1.03
    Port(s) used: 65000
19. Striker
    Port(s) used: 2565

====================================================================

08. How does the cracker get my IP Address?

If you use IRC, then even you will know how to get the IP of a person. There are various tools by which crackers can get your IP address if you use ICQ or AIM. But newer trojans nowadays have various features to notify the cracker about your online presence. Some come with ICQ notification, some mail your IP address and the date and time to the cracker's e-mail, and some upload your information to an internet website. All of these functions are triggered the moment you go online. By this, a cracker can easily get your IP address.

====================================================================

09. How do I protect/disinfect myself?

a. Firewalls
------------

The best way to do this is to get a firewall. Firewalls give you all the protection you need against crackers. They monitor all the ports of the computer. Some good firewalls are Zone Alarm, by Zone Labs (http://www.zonelabs.com), and Lockdown 2000 (http://www.lockdown2000.com). They give control to you rather than to programs.

b. Antivirus
------------

All the popular trojans can be detected by an antivirus. So, I recommend you get antivirus software. BO was supposedly the world's first, and was a nightmare some 3-4 years ago, after it was released at Defcon 8. Now, Netbus is gaining popularity. 90% of the trojans nowadays are Netbus. Almost all AVs can detect Netbus and Back Orifice. A good antivirus is Norton Antivirus (www.symantec.com). It can detect even low-profile and "unheard of" trojans. This is the simplest method. Do the netstat check every time you connect to the internet.
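The netstat check from section 06, which this section ends by recommending, run against the port list in section 07. This is an added example, not code from the article or from weed5: it parses constructed Windows "netstat -an" output (not a real capture) and the port-to-name table is copied from section 07.

```python
import re

# Local port -> trojan name, taken from the list in section 07 of the article.
TROJAN_PORTS = {
    12345: "Netbus 1.x", 12346: "Netbus 1.x", 12361: "Netbus 1.x",
    12362: "Netbus 1.x", 20034: "Netbus Pro 2.1", 31337: "Back Orifice",
    6001: "Back Orifice", 1243: "Sub Seven", 6670: "Deep Throat",
    11000: "Senna Spy", 23456: "Ugly FTP / Evil FTP / WhackJob",
    57341: "Netraider", 1011: "Doly Trojan", 5401: "Blade Runner",
    5402: "Blade Runner", 4950: "ICQ Trojan", 2001: "Trojan Cow",
    1981: "Shockrave", 7789: "ICQKiller", 1001: "Silencer",
    555: "Stealth Spy", 65000: "Devil 1.03", 2565: "Striker",
}

# One socket line of Windows "netstat -an": proto, local addr:port, foreign, [state].
# UDP lines carry no state column, so the last group is optional.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Yield (proto, local_port, foreign_addr, state) for each socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, _host, port, foreign, state = m.groups()
            yield proto, int(port), foreign, state

def suspicious_sockets(text):
    """Return (port, trojan, state, foreign) for sockets on known trojan ports.
    TCP LISTENING means the server is up, ESTABLISHED means someone is on it;
    UDP sockets show no state, so any bound UDP trojan port counts."""
    hits = []
    for proto, port, foreign, state in parse_netstat(text):
        if port not in TROJAN_PORTS:
            continue
        if proto == "UDP" or state in ("LISTENING", "ESTABLISHED"):
            hits.append((port, TROJAN_PORTS[port], state or "UDP", foreign))
    return hits

# Constructed sample output; not captured from a real machine.
SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1243       10.0.0.9:3521          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for port, name, state, foreign in suspicious_sockets(SAMPLE):
        print("port %d (%s): %s, foreign %s" % (port, name, state, foreign))
```

The sample flags the Netbus listener and an active Sub Seven session while ignoring the normal RPC and NetBIOS sockets; a TIME_WAIT entry on a trojan port is not reported, since nothing is serving on it.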
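A check for the disguised-filename tricks from sections 05b and 05c, using the extensions section 15 warns about. This is an added example, not code from the article; the decoy-extension list and the sample names are my own assumptions.

```python
import os

# Extensions the article (section 15) names as able to carry viruses and trojans.
EXECUTABLE_EXTS = {".exe", ".vbs", ".scr", ".com"}
# Extensions a victim expects on a harmless picture or document (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc"}

def analyse_filename(name):
    """Return the reasons a received file's name looks deceptive (empty = none).

    Checks, in order: a runnable extension at all; the "abc.jpg   .exe"
    padding trick from section 05b; and the "abc.jpg.exe" double-extension
    display problem from section 05c.
    """
    reasons = []
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in EXECUTABLE_EXTS:
        return reasons
    reasons.append("runnable extension " + ext)
    if stem != stem.rstrip():
        # Spaces before the real extension push ".exe" out of a narrow name column.
        reasons.append("spaces padded before the real extension")
    decoy = os.path.splitext(stem.rstrip())[1].lower()
    if decoy in DECOY_EXTS:
        reasons.append("decoy extension " + decoy + " in front of " + ext)
    return reasons

# Constructed examples of names as they would arrive over ICQ or e-mail.
SAMPLES = ["holiday.jpg", "abc.jpg                    .exe", "abc.jpg.exe", "setup.EXE"]

if __name__ == "__main__":
    for n in SAMPLES:
        print(repr(n), "->", analyse_filename(n) or "looks plain")
```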
====================================================================

10. Keyloggers

Keyloggers are trojans which are mostly not detected by AVs and are very dangerous. They save everything you type, anywhere on your computer, to a file, usually in a location which is very difficult to find. This file can be viewed by the cracker if he's got access to your computer, or if he's planted the keylogger using a RAT trojan. A keylogger is used mostly to get your mail passwords, as you most likely will check your e-mail and have to type the password, which will be logged to the file.

====================================================================

11. Password Retrievers

Password retrievers search your computer and registry for passwords, usually Internet and ICQ passwords. After finishing the scan, they mail them to the e-mail address of the cracker. This is really simple for the cracker and there is nothing for him to do.

====================================================================

12. FTP Trojans

FTP, or File Transfer Protocol, is the universally accepted protocol for client-server file exchange. An FTP trojan opens up the default FTP port (21) and runs an FTP server on it, enabling anyone knowing FTP or having an FTP client to connect and upload and download files.

====================================================================

13. Binders

Binders are programs written by crackers and are used a lot by crackers. These binders can attach many files and executables together into one executable. Using binders, crackers attach a game or some other legitimate program and a trojan. When you execute the game file, the trojan is also run. Bound exes can fool victims without arousing suspicion. This makes it even more important for one to get an AV, a Firewall or a TPS.

====================================================================

14. Why do people do all this?

They want to show off before you.
They are useless idiots who cannot even become foolish script kiddies. Many times, the people attack the victims for some kind of information, like passwords, etc. that they want from your computer, or they just want to get you scared. Most of the time, they just break into your computer and show off to you. Therefore, most of the time they don't cause any harm to your computer, but your passwords and important documents - that's a different story!

Securing your documents
-----------------------

To secure your documents and important information, you have to use encryption software that will make the data unreadable by anyone, even you. To read it, you have to decrypt it using the key provided at encryption time. The best encryption software in the world is PGP (Pretty Good Privacy), written by Phil Zimmermann.

====================================================================

15. Does this mean I shouldn't trust any friends?

Not at all! You can trust them, but always be cautious. To save yourself, you should be paranoid! Also, please note: do not accept any files from strangers or on IRC. Any vbs, exe, scr and com files can contain viruses and trojans.

====================================================================

DISCLAIMER

There is no guarantee of the accuracy of this text and it is subject to change at any time. This text is meant only for educational purposes. Following or reading this text is entirely at the choice and risk of the user. I will not be responsible for any damages caused because of reading this directly or indirectly, or abuse/misinterpretation of this paper.

====================================================================

klemster | klemster@weed5.org
Copyright 2002 Weed5 Security Group
http://www.weed5.org/