Trojan Horse program Back door and remote administration programs: - PowerPoint PPT Presentation

About This Presentation

Title: Trojan Horse program Back door and remote administration programs:

Description: According to legend , the Greeks won the Trojan war by hiding in a huge, hollow ... peer or P2P sharing networks like kazaa,Lime wire Ares, or Guntella because they ...

Number of Views: 441
Avg rating: 3.0/5.0
Slides: 33
Provided by: spli

Transcript and Presenter's Notes

1
Trojan Horse program, Back door and remote administration programs
  • Prepared by
  • Ibrahim Al qarout
  • Supervised by
  • Dr. Loai Tawalbeh
  • New York Institute of Technology (NYIT), Jordan

2
Trojan Horse program: the name
According to legend, the Greeks won the Trojan war by hiding in a huge, hollow wooden horse to sneak into the fortified city of Troy. The horse was built and filled with Greek warriors so that they could get inside the city and open its gates for the rest of the army waiting outside.
3
However, the term Trojan Horse has another meaning in the field of computer architecture. There it refers to any piece of user code that makes the kernel code access something it would not have been able to access on its own, i.e. that makes the OS do something it was not supposed to do. Such security loopholes are called Trojan Horses.
In the context of computer software, a Trojan horse is a program that contains or installs a malicious program (sometimes called the payload).
4
Types of Trojan horse (payloads)
Trojan horse payloads are almost always designed to do various harmful things, but could be harmless. They are classified by how they breach systems and the damage they cause. The seven main types of Trojan horse payloads are:
1. Remote Access
2. Email Sending
3. Data Destructive
4. FTP trojan (adding or copying data from the infected computer)
5. Denial-of-service attack (DoS)
5
Some examples are:
1. Erasing or overwriting data on a computer.
2. Encrypting files in a cryptoviral extortion attack.
3. Uploading and downloading files.
4. Allowing remote access to the victim's computer. This is called a RAT (Remote administration tool).
5. Installing a backdoor on a computer system.
6. Opening and closing the CD-ROM tray.
7. Harvesting e-mail addresses and using them for spam.
8. Restarting the computer whenever the infected program is started.
6
Trojan horse programs are an easy way for intruders to trick you (sometimes referred to as "social engineering") into installing "back door" programs. These can allow intruders easy access to your computer without your knowledge, change your system configuration, or infect your computer with a computer virus.
A Trojan horse may appear to be a useful or interesting program, or one that is entirely harmless, to an unsuspecting user.
7
There are two common types of Trojan horses. One is otherwise useful software that has been corrupted by a cracker (i.e. cracked software, where protection methods such as copy prevention, trial/demo limits, serial numbers, hardware keys or CD checks have been removed) by inserting malicious code that executes while the program is used. Examples include:
1. Various implementations of weather alerting programs.
2. Computer clock setting software.
3. Peer to peer file sharing utilities.
8
The other type is a standalone program that
masquerades as something else, like a game or
image file, in order to trick the user into some
misdirected complicity that is needed to carry
out the program's objectives.
9
How can you know if you are under Trojan horse attack?
For example, you download what appears to be a movie or music file, but when you click on it, you unleash a dangerous program that erases your disk, sends your credit card numbers and passwords to a stranger, or lets that stranger use your computer to commit illegal denial of service attacks.
How do I get rid of Trojans?
1. Clean re-installation: back up your entire hard disk, format the disk, and re-install the operating system and all your applications from original CDs.
10
2. Anti-virus software: anti-virus software is always going to be playing catch-up with active viruses on the system. Make sure your computer has an anti-virus program on it and update it regularly. If your anti-virus program has an auto-update option, turn it on; that way, if you forget to update the software, you are still protected from threats.
3. Anti-Trojan programs: these programs are the most effective against Trojan horse attacks, because they specialize in Trojans instead of general viruses.
11
4. Avoid using peer to peer (P2P) sharing networks like Kazaa, LimeWire, Ares or Gnutella, because they are generally unprotected from viruses, and Trojan horses spread through them especially easily. Some of these programs do offer some virus protection, but it is often not strong enough. If you insist on using P2P, it is safer not to download files that claim to be "rare" songs, books, movies, pictures, etc.
12
Methods of infection
1. Rogue websites: you can be infected by visiting a rogue website.
2. Email: if you use Microsoft Outlook, you are vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly.
3. Open ports: computers running their own servers (HTTP, FTP or SMTP, for example), allowing Windows file sharing, or running programs that provide file-sharing capabilities such as instant messengers (AOL's AIM, MSN Messenger, etc.) may have vulnerabilities similar to those described above. These programs and services may open a network port, giving attackers a means of interacting with them from anywhere on the Internet. Vulnerabilities allowing unauthorized remote entry are regularly found in such programs, so they should be avoided or properly secured.
13
How do I avoid getting infected with a Trojan horse in the future?
1. NEVER download blindly from people or sites you aren't 100% sure about.
2. Even if the file comes from a friend, you still must be sure what the file is before opening it.
3. NEVER use features in your programs that automatically get or preview files.
4. Never blindly type commands that others tell you to type, go to web addresses mentioned by strangers, or run pre-fabricated programs or scripts.
14
Example of a simple Trojan horse
1. A simple example of a Trojan horse would be a program named "waterfalls.scr" claiming to be a free waterfall screensaver which, when run, would instead allow remote access to the user's computer.
2. AIDS (trojan horse): AIDS, also known as Aids Info Disk or PC Cyborg Trojan, is a Trojan horse that replaces the AUTOEXEC.BAT file, which is then used by AIDS to count the number of times the computer has booted. Once this boot count reaches 90, AIDS hides directories and encrypts the names of all files on drive C (rendering the system unusable).
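The masquerading files described on this slide and on slide 9 (a program named "waterfalls.scr", a download that looks like a movie or music file) can be caught by comparing what a file's name claims with what its first bytes say. The following Python script is an added example and is not part of the presentation; the sample file names and their leading bytes are constructed in memory, and the lists of executable extensions and media signatures are simplified assumptions.

```python
"""Added example: checking whether a downloaded file is what its name claims.

Compares a file's extension with its leading bytes ("magic bytes") and
reports the mismatches a user or a mail gateway would want to know about.
All sample files are constructed in memory; nothing is read from disk.
"""
from typing import Dict, List

# Extensions Windows runs as programs when double-clicked (.scr screensavers
# are executables too). Assumption: a simplified list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Extensions users think of as harmless, with the bytes such files normally
# start with. Simplified: an MP3 without an ID3 tag starts with a frame-sync
# byte pair instead of "ID3".
MEDIA_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".avi": (b"RIFF",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3"),
    ".pdf": (b"%PDF",),
}

# Constructed samples: file name -> first bytes of the file.
SAMPLES = {
    "waterfalls.scr": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",   # a program, as on slide 14
    "rare_song.mp3.exe": b"MZ\x90\x00",                       # double extension
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",           # genuine JPEG
    "movie_trailer.avi": b"MZ\x90\x00\x03\x00",               # program named like a movie
    "readme.pdf": b"%PDF-1.4",                                # genuine PDF
}


def extension(name: str) -> str:
    """Return the last extension in lower case, including the dot."""
    idx = name.rfind(".")
    return name[idx:].lower() if idx != -1 else ""


def check_download(name: str, head: bytes) -> List[str]:
    """Return findings for one file; an empty list means nothing suspicious."""
    findings = []
    ext = extension(name)
    parts = name.lower().split(".")

    # Windows executables (EXE, SCR, DLL ...) start with the "MZ" DOS header.
    is_pe = head.startswith(b"MZ")

    if is_pe and ext in EXECUTABLE_EXTS:
        findings.append(f"{name}: is a Windows program ({ext} files run like .exe)")
    if is_pe and ext not in EXECUTABLE_EXTS:
        findings.append(f"{name}: executable content behind a {ext or 'missing'} extension")

    # "song.mp3.exe": the last extension is the real one, the one before it is bait.
    if len(parts) >= 3 and ext in EXECUTABLE_EXTS and "." + parts[-2] in MEDIA_MAGIC:
        findings.append(f"{name}: double extension, real type is {ext}")

    # Media extension whose leading bytes do not look like that media type.
    if ext in MEDIA_MAGIC and not any(head.startswith(m) for m in MEDIA_MAGIC[ext]):
        findings.append(f"{name}: bytes do not match a {ext} file")

    return findings


def scan(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, List[str]]:
    """Run check_download over all samples; returns {name: findings}."""
    return {name: check_download(name, head) for name, head in samples.items()}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(name, "->", findings or ["ok"])
```

The check deliberately trusts the bytes over the name: a file that starts with "MZ" is a program whatever it is called, and a "rare song" whose real extension is .exe is exactly the bait slide 11 warns about.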
15
Back door and remote administration programs
16
Back door and remote administration programs
On Windows computers, three tools commonly used by intruders to gain remote access to your computer are:
1. Back Orifice: Back Orifice (often shortened to BO) is a controversial computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Microsoft's BackOffice Server software.
17
2. NetBus: NetBus or Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential to be used as a backdoor.
3. Sub Seven (helps to hack other PCs): Sub7, or SubSeven, is the name of a popular Trojan or backdoor program. It is mainly used by script kiddies for causing mischief, such as hiding the computer cursor, changing system settings or loading up pornographic websites. However, it can also be used for more serious criminal applications, such as stealing credit card details with a keystroke logger.
These back door or remote administration programs, once installed, allow other people to access and control your computer.
18
A remote administration program (tool) is used to remotely connect to and manage one or more computers with a variety of tools, such as:
1. Screen/camera capture or control
2. File management (download/upload/execute/etc.)
3. Computer control (power off/on/log off)
4. Registry management (query/add/delete/modify)
5. Shell control (usually piped from the command prompt)
19
There are two kinds of connection:
1. Direct connection: a direct-connect RAT is a simple set-up where the client connects directly to one or more servers. Stable servers are multi-threaded, allowing multiple clients to be connected, along with increased reliability.
20
2. Reverse connection: a newer technique that came around about the same time that routers became popular. A few advantages of a reverse connection:
1. No problems with routers blocking incoming data, because the connection is started outgoing from the server.
2. Allows mass-updating of servers by broadcasting commands, because many servers can easily connect to a single client.
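To make the direct-connection / reverse-connection distinction concrete from the defender's side, here is an added Python example (not from the presentation) that reads a constructed firewall log. An inbound connection from outside to an unexpected port on an internal host matches the direct-connect pattern; an internal host that calls the same outside address and port on a fixed timer matches the reverse-connect pattern, where the server connects out and the router never sees an incoming request. The internal network range, the allowlist of intended services and every log line are constructed for the example; port 1099 in the sample is one of the ports listed for the RAT on slide 24.

```python
"""Added example: telling direct-connect from reverse-connect traffic in a
firewall log. Log lines, LAN range and service allowlist are constructed."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

INTERNAL = ip_network("192.168.0.0/16")        # assumption: our LAN

# Inbound services we intentionally expose (assumption): (host, port).
EXPECTED_SERVICES = {("192.168.1.10", 443)}

# Constructed log, one flow per line: "<time> <proto> <src>:<port> -> <dst>:<port>"
LOG = """\
2024-03-01T10:00:00 TCP 192.168.1.20:49152 -> 198.51.100.7:443
2024-03-01T10:00:01 TCP 203.0.113.9:40211 -> 192.168.1.20:1099
2024-03-01T10:00:05 TCP 203.0.113.44:50000 -> 192.168.1.10:443
2024-03-01T10:00:30 TCP 192.168.1.20:49153 -> 198.51.100.7:443
2024-03-01T10:01:00 TCP 192.168.1.20:49154 -> 198.51.100.7:443
2024-03-01T10:01:30 TCP 192.168.1.20:49155 -> 198.51.100.7:443
2024-03-01T10:01:35 TCP 192.168.1.31:49200 -> 198.51.100.50:80
2024-03-01T10:02:00 TCP 192.168.1.20:49156 -> 198.51.100.7:443
"""


def parse(line: str) -> Tuple[datetime, str, str, int, str, int]:
    """Split one log line into (time, proto, src_ip, src_port, dst_ip, dst_port)."""
    ts, proto, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), proto, sip, int(sport), dip, int(dport)


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def find_direct_connects(log: str = LOG) -> List[Tuple[str, str, int]]:
    """Inbound flows from outside to an internal host on a port we do not
    intentionally expose: the direct-connect pattern (client -> listening server)."""
    hits = []
    for line in log.splitlines():
        _, _, sip, _, dip, dport = parse(line)
        if not is_internal(sip) and is_internal(dip) and (dip, dport) not in EXPECTED_SERVICES:
            hits.append((sip, dip, dport))
    return hits


def find_beacons(log: str = LOG, min_hits: int = 3,
                 jitter_s: float = 5.0) -> Dict[Tuple[str, str, int], float]:
    """Outbound flows from one internal host to one outside address:port that
    recur on a steady timer: the reverse-connect pattern (server calls out).
    Returns {(src_ip, dst_ip, dst_port): average period in seconds}."""
    times = defaultdict(list)
    for line in log.splitlines():
        ts, _, sip, _, dip, dport = parse(line)
        if is_internal(sip) and not is_internal(dip):
            times[(sip, dip, dport)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter_s:      # near-constant interval
            beacons[key] = sum(gaps) / len(gaps)
    return beacons


if __name__ == "__main__":
    print("direct-connect candidates:", find_direct_connects())
    print("reverse-connect beacons:", find_beacons())
```

A web browser also connects out to port 443, so the outbound direction alone proves nothing; what the beacon check keys on is the regularity of the interval, which is why reverse-connection RATs are hunted by timing rather than by direction.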
21
RAT (Remote Access Trojans)
Malware, or malicious software, is software designed to infiltrate or damage a computer system without the owner's knowledge. Many Trojans and backdoors now have remote administration capabilities allowing an individual to control the victim's computer. Many times a file called the server must be opened on the victim's computer before the Trojan can have access to it. These are generally sent through email, P2P file sharing software, and Internet downloads.
22
They are usually disguised as a legitimate program or file. Many server files will display a fake error message when opened, to make it seem like the file didn't open. Some will also kill:
1. Anti-virus software.
2. Firewall software. (A firewall is a logical barrier designed to prevent unauthorized or unwanted communications between sections of a computer network.)
RAT Trojans can generally do the following:
1. Download, upload, delete, and rename files
2. Format drives
3. Open the CD-ROM tray
4. Drop viruses and worms
23
5. Log keystrokes
6. Hack passwords and credit card numbers
7. View, kill, and start tasks in the task manager
8. Print text, play sounds
9. Randomly move and click the mouse
Some RAT Trojans are pranks that are most likely being controlled by a friend or enemy on April Fool's Day or a holiday. Such RATs are generally not harmful, and won't log keystrokes or hack. They usually do whimsical things like flip the screen upside-down, open the CD-ROM tray, and swap mouse buttons.
24
Example of a back door and remote administration program
Name: Remote Administration Tool - RAT
Aliases: Backdoor.RAT, RAT
Ports: 2989 (UDP), 1095, 1097, 1098, 1099
Files: Rat10.zip - 823 bytes; Rat11.zip - 1,032 bytes; Rat20.zip - 6,128 bytes; Rat10.exe - 8,192 bytes; Rat10akaremote administration tool.exe - 8,192 bytes; Rat11.exe - 8,192 bytes; Rat20.exe - 12,288 bytes; Rat21.exe - 12,288 bytes; Set-up.exe - 295,936 bytes; .exe; Msgsvr16.exe; Pitcher.exe - 21,504 bytes; Send.tags - 616 bytes; Message.tags; Rat.c - 9,658 bytes
Created: Nov 1999
Requires: N/A
25
Actions: Remote Access / AOL Trojan. Can register under 40 different HKEYs.
Versions: 1.0, 1.1, 2.0, 2.1, 5.3
Registers: HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ and some 38 other entries!
Notes: Works on Windows 95, 98, ME and Unix (Linux and FreeBSD). RAT server 1.1 has IRC support added. Send.tgz is the Unix client. Source code is available.
Country: N/A
Program: Written in Visual Basic 5.
26
Check whether any unwanted program is found in your system
Using the process monitor from a remote administration tool, you will see whether any foreign programs are running on your computer. If you find an unwanted program, you can terminate it by clicking the 'Terminate Process' button on the toolbar. That way you can find out what programs are started behind your back.
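An added Python example (not from the presentation) that turns slides 25 and 26 into a check a defender can run offline: it parses a constructed registry export of the Run and RunServices keys named on slide 25, flags entries that use one of the file names listed on slide 24 or that start from a user-writable directory, and compares a constructed process list against a baseline of expected processes, as the process monitor on slide 26 does by eye. The registry text, the process list, the baseline and the list of user-writable directories are all constructed assumptions.

```python
"""Added example: reviewing Run/RunServices autostart entries and the running
process list for programs started behind your back. All input is constructed."""
import re
from typing import List, Tuple

# Autostart keys the RAT on slide 25 registers under. The slide abbreviates
# the hive as "HLM"; the full hive name is HKEY_LOCAL_MACHINE.
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}

# File names taken from the slide-24 listing (indicator names, not complete).
INDICATOR_NAMES = {"rat10.exe", "rat11.exe", "rat20.exe", "rat21.exe",
                   "msgsvr16.exe", "pitcher.exe"}

# Directories a legitimate autostart program should not live in (assumption).
USER_WRITABLE = ("c:\\windows\\temp\\", "c:\\temp\\", "c:\\users\\",
                 "c:\\documents and settings\\")

# Constructed .reg export, in the layout 'reg export' produces for the two keys.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="C:\\Program Files\\AV\\avmon.exe"
"Msgsvr16"="C:\\WINDOWS\\TEMP\\Msgsvr16.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Updater"="C:\\Users\\Public\\rat20.exe"
"Helper"="C:\\Users\\Public\\helper.exe"
"""

# Constructed process list, (name, pid), as a process monitor would show it.
PROCESSES = [("explorer.exe", 1200), ("avmon.exe", 1310),
             ("Msgsvr16.exe", 2044), ("notepad.exe", 2100)]

# Processes the owner expects on this machine (assumption: a saved baseline).
BASELINE = {"explorer.exe", "avmon.exe", "notepad.exe", "svchost.exe"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_autoruns(export: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, command) for every value under an autorun key."""
    entries, current = [], None
    for raw in export.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current in AUTORUN_KEYS:
            # .reg files write each backslash in a string value as "\\".
            entries.append((current, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_autoruns(export: str = REG_EXPORT) -> List[str]:
    """Autorun entries that carry an indicator file name or start from a
    user-writable directory."""
    findings = []
    for key, name, cmd in parse_autoruns(export):
        exe = basename(cmd)
        short_key = key.rsplit("\\", 1)[-1]
        if exe in INDICATOR_NAMES:
            findings.append(f"{short_key}\\{name}: known RAT file name {exe}")
        elif cmd.lower().startswith(USER_WRITABLE):
            findings.append(f"{short_key}\\{name}: starts from user-writable path {cmd}")
    return findings


def unexpected_processes(processes=PROCESSES, baseline=BASELINE) -> List[Tuple[str, int]]:
    """Running processes absent from the baseline: candidates to terminate."""
    known = {b.lower() for b in baseline}
    return [(n, pid) for n, pid in processes if n.lower() not in known]


if __name__ == "__main__":
    for finding in suspicious_autoruns():
        print("autorun:", finding)
    for name, pid in unexpected_processes():
        print("unexpected process:", name, pid)
```

On a real machine the two inputs come from `reg export` of the two keys and from a process listing such as Task Manager or `tasklist`; the value of keeping a baseline is that a process started "behind your back" shows up as a difference rather than as a name you have to recognise.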
27
END.
28
Extra information.
29
The difference between a virus and a Trojan horse
A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses can range in severity: some viruses cause only mildly annoying effects while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but it cannot infect your computer unless you run or open the malicious program. It is important to note that a virus cannot be spread without a human action (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or sending e-mails with viruses as attachments.
30
A Trojan Horse is full of as much trickery as the
mythological Trojan Horse it was named after. The
Trojan Horse, at first glance will appear to be
useful software but will actually do damage once
installed or run on your computer. Those on the
receiving end of a Trojan Horse are usually
tricked into opening them because they appear to
be receiving legitimate software or files from a
legitimate source. When a Trojan is activated on
your computer, the results can vary. Some Trojans
are designed to be more annoying than malicious
(like changing your desktop, adding silly active
desktop icons) or they can cause serious damage
by deleting files and destroying information on
your system. Trojans are also known to create a
backdoor on your computer that gives malicious
users access to your system, possibly allowing
confidential or personal information to be
compromised. Unlike viruses and worms, Trojans do
not reproduce by infecting other files nor do
they self-replicate.
31
Added into the mix, we also have what is called a blended threat. A blended threat is a sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one threat. Blended threats use server and Internet vulnerabilities to initiate, transmit and spread an attack. This combination of methods and techniques means blended threats can spread quickly and cause widespread damage. Characteristics of blended threats include: causing harm, propagating by multiple methods, attacking from multiple points and exploiting vulnerabilities. To be considered a blended threat, the attack would normally serve to transport multiple attacks in one payload. For example, it wouldn't just launch a DoS attack; it would also install a backdoor and damage a local system in one shot.
32
Additionally, blended threats are designed to use multiple modes of transport. For example, a worm may travel through e-mail, but a single blended threat could use multiple routes such as e-mail, IRC and file-sharing networks. The actual attack itself is also not limited to a specific act. For example, rather than a specific attack on predetermined .exe files, a blended threat could modify .exe files, HTML files and registry keys at the same time; basically, it can cause damage within several areas of your network at one time. Blended threats are considered to be the worst risk to security since the inception of viruses, as most blended threats require no human intervention to propagate.