Introduction

Just how much of your computer belongs to you and how what are the rights of others to have control over your system when you are connecting it to the global or business network has been a question that has been around for some time. It is understandable to expect privacy when connected to a public network, and it is not an unreasonable expectation. However, with this comes with the concerns of security on the network. The largest difference between a secure and a non-secure network is the motivation and creativity of attackers.

Though some networks are not worth the attack efforts, some are. What if even the most secure network known could be breached by simple attacking efforts?

Trojan Horses

Trojan Horse Defined

Trojan A program that appears to perform desirable and necessary functions but also performs other functions that the end user does not know about and most probably doesn't need is known as a Trojan Horse.

This type of malware usually has two parts, the client and the server. The victim host will act as a server that provides data such as keylogging files, screen shots or packet captures. This data is sent back to the to a client that is being controlled by an attacker.

A broad category that includes rootkits, illicit servers, viruses, worms or a combination of all of these is better known as malicious code. One of the many means to deliver such a payload to the target host is known as a Trojan Horse.

Another important aspect of malware infections is to define the target or objective of the attacker. Though most of the concepts are the same, they can have completely different techniques. If the target is a single host, then as single attack that provides a backdoor access is all that is needed. If the target is of a larger scale, then the attacker must cast a wider net of exploits that are persistent and over time until enough of the victims are collected. Then, these hosts act as Zombies that do what the attacker commands them to do.

The reasoning behind robot networks, better known as botnets is to ether steal information or to set up a distribution network for other malware or pirated materials.

Trojan Types

There are eight classical types of Trojan Horses. These are:

  • Remote Access
  • Data Sending
  • Destructive
  • Denial of Service
  • proxy
  • FTP
  • Security Software Disablers
  • Document

Remote Access Trojans - Installs an illicit server with enough features to allow the attacker complete control of the system. Since the compromised host is acting as a server, the attacker must connect to it via a client. Firewalls might prevent this. This leave two options: Find a port the firewall will pass and configure the server to listen to that port or to get behind the firewall and run the client from there.

Data Sending Trojans - Collects data about usage of the system and then send it back to the attacker.

Destructive Trojans - Destroy files on the system. It might also target system files such as .dll or .ini files. It might go after data files like office documents. These Trojans may also activate a Logic Bombs. A logic bomb is a malicious code that activates on the trigger of an event such as a date and time or keystroke combination.

Denial of Service Trojans - Requires a cooperative effort from other infected hosts to attack a single target with excessive traffic. By doing so, enough traffic is used that drains the available bandwidth.

Proxy Trojans - Make requests on behalf of a client. They are used to initiate new connections to the target. Attackers also use a proxy server to hid the point of origin of the real attack.

FTP Trojans - Are ideal for transfers of large files.

Security Software Disablers - Target anti-malware tools and personal firewalls. Some even replace the icon in the system tray to appear as if the software is running normally.

Document Trojans - Malware is delivered as attachments in office documents, emails, web pages or media files. The attacker takes advantage of the tendency that users have to update their operating systems but not the applications used every day.

Infection Vectors

Many attack vectors are possible in delivering malware. Most of them are a combination of social engineering, carelessness of the user and vulnerability exploitation. These vectors are:

  • Instant Messenger Applications
  • Internet Relay Chat (IRC)
  • Peer to Peer, Bit Torrent, File Sharing and Usenet
  • Email Attachments
  • Physical Access
  • Browser Drive-By's
  • File Sharing
  • Fake Programs
  • Free Stuff

Instant Messenger Applications - Are used commonly for social engineering attacks. If a contact masquerades or if the user opens their IM to accept invitations for strangers, the acceptance of download opens them to risks.

IRC (Internet Relay Chat) - This protocol, a Direct Client to Client (DCC) can be used to transfer files over IRC. The acceptance of downloads leads to risks.

Peer to Peer, Bit Torrent, File Sharing and Usenet - Here common file sharing networks are still popular because of their ease of use. Most people here don't know what they are doing and by not being cautious can open themselves up to many risks.

Email Attachments - Email itself presents many risks. Some email systems completely block all executable codes but this causes users to share files that are even more risky.

Physical Access - Using this type of media, users can easily transfer risks from one computer to another. USBs can be configured to auto run the same way a CD or DVD can and could launch attacking tools automatically to an unsuspecting system.

Browser Drive-By's - Since many home users operate their systems as administrator, they are unknowing opening themselves up to security risks. If the browser has an unpatched vulnerability and they visit a malicious site, the exploit will have administrator rights when it runs.

File Sharing - Some peer to peer or older domains have the default hidden file share for the root of a system drive available to every group with write-able permissions. The attacker simply uploads a script to the share file and then sets it to start whenever the machine is rebooted.

Fake Programs - Since placing Google Ads on a website allows the site to be placed higher in the search rankings, some attackers may use ads that users might click to run their malicious code. It is possible to place a Trojan Horse into the bogus ad that will launch after it has been downloaded to a victim's computer.

Free Stuff - Everyone likes free stuff and the attacker knows this. Users looking for hardware drivers, clip art, music files, screensavers ... the list goes on ... can find themselves downloading malicious code along with their "free stuff." Just remember, nothing is really free as everything has a price in one way or another.

Once the malicious has been accepted, it must be launched without the attacker having to interact with the target. The first access is usually not the best way to sustain control of the target host so a backdoor that will allow the attacker in will be installed.

Linux Startup

Scripts for a Linux bootup can be located in different parts of the operating system, most commonly in a directory called "rc#.d" where # represents the run level number. The full path to the directory that contains the scripts for runlevel 3 would then be /etc/rc3.d/*.

If malicious code were to be copied to a system with the same file name as common tools, then attackers can attempt to place the file in a directory that is earlier in the path system variable. When a user executes a command, such as "ls", the shell looks in all the directories mentioned in the $PATH variable and the first one encountered will execute.

Windows Startup

Depending on the version of Windows, there are different places for the startup configuration to be placed. The most common locations are:

  • Auto-start
  • Win.ini
  • System.ini
  • Wininit.ini
  • Winstart.bat
  • Autoexec.bat
  • Config.sys
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Info"=[path to the executable]"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Info"="[path to the executable]"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ActiveSetup\InstalledComponents\KeyName] "StubPath"="[path to the executable]"
  • [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps] "Info"="[path to the executable]"

Installed applications that create registry keys with auto-start capabilities are a common target for malware. Keys that masquerade as incomplete installations are another method for doing it.

Building A Trojan Horse

Illicit Server Process Overview

The following steps are involved with a typical illicit server attack:

  1. The attacker finds a server generator on the Internet and downloads it.
  2. The attacker uses this tool to configure the settings and capabilities of the server and compile it.
  3. The malicious server is then "wrapped" into another program that will seem like a legitimate file. This creates the Trojan.
  4. The attacker then spreads the Trojan, whether targeted to one individual or to randomly spread across hundreds or thousands of targets.
  5. The infected machines announce their presence by connecting to a chat room, sending an email or an instant message. On an inside job, the attacker might scan for targets.
  6. The attacker uses the client portion of the illicit server to connect to infected targets or communicates with them through the chat rooms or instant messages.
  7. At this point the attacker has taken control and is only limited by what the illicit server can do.

These are some common ports used by Trojans:

  • Back Orifice - 31337 or 31338
  • Sub Seven - 27374 or 6711, 6712, 6713
  • ICQ Trojan - 1033
  • Tini - 7777
  • Senna Spy - 13000
  • MStream - 9325
  • Deep Throat - 2140 or 3150
  • Netbus - 12345 or 12346
  • Whack-a-mole - 12361 or 12362
  • Netbus Pro - 20034
  • Girlfriend - 21544
  • Qaz - 7597

Binding Or Wrapping Malicious Code

Many applications have a legitimate reason to combine data and executable files into a single file that can be used during the installation of a program. Since these programs could have many data, library and executable files, users should not be asked to work with each one of them separately and have to follow an elaborate process for installation. A script is usually included in the package to perform all of these steps for the user.

A Trojan Horse is a tool that wraps or binds a number of files into a packetfile to combine together legitimate and illicit server binaries into a believable application. One example of such a tool that makes this task easy is elitewrap.exe. Some illicit server tools have binders in them and attackers can create their own Trojans all in one step.

Illicit Server Features

Trojan generators or illicit servers all act a little differently, however they do possess a lot in common. Here are a list of features that are typical with an illicit server.

  • Command Interface
  • Documentation
  • Lamer Tools
  • Social Engineering
  • File Browsers and Reverse Shells
  • Desktop Control
  • Notification and Chat
  • Bots

Command Interface - This sometimes is offered in a Trojan. It can be more flexible and could be accessed easier from a pivot point in a multistage attack.

Documentation - There will be documentation to follow, maybe. It most probably will only be a simple readme file with a few hints.

Lamer Tools - These are very common features of illicit servers. They contain functions like opening the CD-ROM tray, changing the screen resolution, replacing the desktop with a fake background image, switching the mouse buttons and disabling the task bar.

Social Engineering - Some servers allow the attacker to configure dialog boxes with the OK or Close buttons. This makes the installation of the server more believable when the victim accepts the file and tries to run it.

File Browsers and Reverse Shells - These features allow an attacker to search the file system of the target. The Reverse Shell connects back to a listening port on the attacker's host creating a TCP session that overcomes stateful inspection firewalls.

Desktop Control - A Virtual Network Computing (VNC) server might be established on the target machine that allows the attacker full control and access to the target's desktop.

Notification and Chat - After the target is infected, the attacker needs to know about it, so the server can be configured to send an email, initiate an ICQ or other instant messaging sessions.

Bots - The illicit server might be accessed from both its corresponding client application. The use of a simple telnet command shell or through commands in a chatroom will accomplish this correspondence.

It is important not to leave any default settings as this would be considered the ultimate script kiddie mistake. By leaving settings as default, the attacker has an easy entrance into the system.

How To Detect An Infection

Attackers usually know exactly what their tools are going to do, but as a White Hat, you probably will not, so that is where staging an attack is necessary. This staging teaches how to perform the attack, how to verify how it may work and exactly what did work and lastly, how to defend against it.

Using a methodical approach, your results will be more effective than just to poke around, however this method is sometimes useful as well.

You start by building two baseline hosts. One will be the worst case scenario and the other will be the best case scenario. You can use VMs, unless the Trojan looks for VMs and alters its behavior accordingly. To save time, the uses of snapshots can easily keep back ups for reducing initial build times.

The worst case scenario machine is vulnerable and the attack should work against it. Get an idea as to how to perform the attack and try it. At this point use the trial and error approach. Make notes about the information gained during failures. Hacking is the process of figuring things out be it better or worse. Just pay attention and be creative in your attempts.

The use of marker strings when building an illicit server when you are intentionally infecting a host machine for forensic purposes. An example, the server creation tool might let you configure what the name of the process will be when it runs. Name it something that will stand out and not be used as a name of a process that is normally running.

After the attack is successful, explore the target machine and see what might have been affected. For instance, on a Windows machine, look for the following:

  • Processes and Dependencies
  • Windows on the Desktop
  • Open Ports
  • Registry Entries
  • Look through startup methods and things that might affect DNS resolution.
  • Have a sniffer running and sample traffic.