Sunteți pe pagina 1din 30



By Harshal B Kolambe. T.E. (Computer)

Trojan Horse

Page 1 of 30

Many systems have mechanisms for allowing programs written by users to be executed by users. If these programs are executed in a domain that provides the access rights of the executing user, the other users may misuse these rights. A text editor program, for example, may include code to search the file to be edited for certain keywords. If any are found, the entire file may be copied to a special area accessible to the creator of text editor. A code segment that misuses its environment is called a TROJAN HORSE. In our computer world, a Trojan Horse is a malicious security breaking program that is disguised as something benign. For example, you download what appears to be a movie or music file, but when you click on it, you unleash a dangerous program (Trojan horse program is downloaded on your PC )that erases your disk, sends your credit card numbers and passwords to a stranger, or lets that stranger hijack your computer to commit illegal attacks.Nowadays there are so many Trojan Horses .These server-trojans are installed on somebodys pc and person having that client-trojan can access & control somebodys pc without his knowing.This may be dangerous.

BO CDC Netbus.exe Patch.exe Ports 137,138,139 Port 25 Port 80 Back Orifice. Cult of Dead Cow Communications. Netbus Client Program Netbus Server Program Active MS File Sharing Ports Used by E-Mail Server Used by Web Server

Trojan Horse

Page 4 of 30


1.1 What is Trojan horse.... 06

1.2 Infection with Trojan Horses..... 08 2.0 TROJAN ENCYCLOPEDIA ... 08 2.1Various Trojans 08 3.0 COMMONLY KNOWN TROJANS .... 09 3.1 Back Orifice... 09 3.2 Netbus Trojan.. 12 3.3 IRC ( Internet Relay Chat )..13 3.4 SubSeven..........................................................................................................................14 4.0 PRECAUTIONS......................................................................................15 4.1 Some Capabilities Of Trojans..........................................................................................15 4.2 What Do Trojans Do ?.....................................................................................................16 4.3 Infection With BO Or Netbus..........................................................................................16 4.4 General Precautions ...18 4.5 Problem Prevention..........................................................................................................19 4.6 Detection & removal....19 4.7 Vitual Port Example. .......20 5.0 ANTI-TROJANS.....................................................................................27 5.1AntiTrojan.30 5.2 PC DoorGuard 30 5.3 PestPatrol..........................................................................................................................31 5.4 Tauscan.............................................................................................................................31 5.5 The Cleaner......................................................................................................................31 6.0 CONCLUSION........................................................................................32 BIBLIOGRAPHY..........................................................................................32

Figure Index :
1. Registry Editor .....11 2. Netbus Client . .12 3. Back Orifice RCTH Client.. 21 4. Netbus Client 1.70.. .21 5. Registry Editor Hkeys. .26 Regedit on a machine infected with Netbus.. .27 7. A typical netstat display ..28 8. Netstat display on a machine infected with Netbus .29


Trojan Horse

Page 5 of 30

1.0 INTRODUCTION TO TROJAN HORSES 1.1 What is Trojan Horse?

Trojan horse attacks pose one of the most serious threats to computer security. If you were referred here, you may have not only been attacked but may also be attacking others unknowingly. According to legend, the Greeks won the Trojan war by hiding in a huge, hollow wooden horse to sneak into the fortified city of Troy. In today's computer world, a Trojan horse is defined as a "malicious, security-breaking program that is disguised as something benign". For example, you download what appears to be a movie or music file, but when you click on it, you unleash a dangerous program that erases your disk, sends your credit card numbers and passwords to a stranger, or lets that stranger hijack your computer to commit illegal denial of service attacks like those that have virtually crippled the DALnet IRC network for months on end. The following general information applies to all operating systems, but by far most of the damage is done to/with Windows users due to its vast popularity and many weaknesses. (Note: Many people use terms like Trojan horse, virus, worm, hacking and cracking all interchangeably, but they really don't mean the same thing. Let's just say that once you are "infected", trojans are just as dangerous as viruses and can spread to hurt others just as easily!) Trojans can be far more malicious than viruses and you should care - they're programs that let someone else remotely administer your computer without your knowing about it. There are legitimate programs that do this too, systems administrators use them to administer networks, but Trojans are a different matter. If you're on a network you know it has an administrator to keep things running smoothly. A Trojan can be planted by anyone, without your permission or knowledge. And unlike a remote administration program, a Trojan can be highly destructive. So let's take a quick look at what Trojans do, and more importantly, what you can do to stop them. Trojans can log every keystroke you type (even when you're offline) and have your e-mail program send the information to the person who planted the Trojan without your knowing it. Trojans can get all your passwords, credit card numbers and other information stored on your computer - or even things that you type into the computer and don't save. They can be used to read, delete or change all your files, turn your screen upside down, abruptly disconnect you from the Internet, or direct your browser to only certain web sites and other nuisances. It gets worse - Trojans can be used to spy on you through your chat and instant message programs, web cam or microphone, and even destroy your hardware.

Trojan Horse

Page 6 of 30

They can damage your reputation as well as your hardware and data. Trojans can be used to get into your address book and send very convincing looking e-mails saying whatever someone else likes from you to your employer, bank manager, clients, girlfriend, whomever, and they can make you seem to say really awful things to people in on-line chats or conferences. You can imagine some of the consequences - a 'Net conference with important clients and you won't see the message coming from you saying "screw you, you're all a bunch of lamers anyway," but the persons you're talking with will. Or someone can plant a Trojan and use your computer to hack into somebody else's computer. And all kinds of other bad things. Possibly the worst things about Trojans are that most people don't even know they exist, and most anti-virus scanners do not pick up or delete them. Trojans are becoming more common, especially as more people have cable and DSL or other "always on" connections, though you can get them using regular dial-up connections too. And some of the newer Trojans are harder to detect (this is one reason to be careful of running .htm or .html files you receive by e-mail - there are Trojans out now that use HTML code and will bypass firewalls - a couple of examples are NOOB and godmessage). They are, in short, very easy to plant on your computer without your knowing it until substantial damage has been done. There are all kinds of script kiddies out there using ICQ and IRC, not to mention e-mail. Criminals use the Internet, too, and there may be people out there who just plain don't like you and would do something that vicious to get revenge - the Internet, like the real world, has its share of crackpots, and most of these programs require no technical expertise to use. Be aware enough from reading this to realize that Trojans can be a serious threat to your privacy, reputation, data and computer hardware. There are some things you can do. Be careful about accepting files over the Internet or opening email attachments unless you know what they are and who they're from. Get a good firewall, like Zonealarm, available free from Zonelabs. Even if other firewalls have had you befuddled, this one won't. It's very powerful and it's also very user- friendly. And head over to the Moosoft site and pick up a copy of The Cleaner. It's a great anti-trojan scanning and cleaning program, and it also has a neat little feature called TCActive that you can run at Windows startup. It'll sit in your system tray, use almost no computer resources, and keep any known Trojans from activating on your machine. If you do find your machine infected with a Trojan Horse program, don't panic. Disconnect from the Internet, run your Trojan scanner, and delete the Trojan. Trojans can't be cleaned, like many viruses can. They can only be deleted, but doing this will in no way harm your machine or your software.

Trojan Horse

Page 7 of 30

1.2 Infection with Trojan Horses .

Trojans are an executable program, which means that when you open the file, it will perform some action(s). In Windows, executable programs have file extensions like "exe", "vbs", "com", "bat", etc. Some actual Trojan filenames include: "dmsetup.exe" and "LOVE-LETTER-FORYOU.TXT.vbs" (when there are multiple extensions, only the last one counts, be sure to unhide your extensions so that you see it). More information on risky file extensions may be found at this Microsoft document. Trojans can be spread in the guise of literally ANYTHING people find desirable, such as a free game, movie, song, etc. Victims typically downloaded the trojan from a WWW or FTP archive, got it via peer-to-peer file exchange using IRC/instant messaging/Kazaa etc., or just carelessly opened some email attachment. Trojans usually do their damage silently. The first sign of trouble is often when others tell you that you are attacking them or trying to infect them! 2.0 TROJAN ENCYCLOPEDIA. 2.1 Various Trojan horses 1. BATCH 2. Backdoor 3. D_O_S 4. Flooder 5. Hoaxes 6. IRC 7. Macro 8. Nuker 9. PSW 10 TrojanDownloader Family 11. TrojanDropper Family 12. Windows 13. Backdoor.Nethief Family 14. Crackers 15. JS.Trojan.NoClose 16. JS.Trojan.Offiz 17. PKZIP300 Trojan 18. Trojan.AOL.Buddy 19. Trojan.BuggyHidp 20. Trojan.Clicker.NetBuie a-b 21. Trojan.Downloader Family 22. Trojan.Dreb 23. Trojan.Durell 24. Trojan.FlashKiller 25. Trojan.GoHotlist

Trojan Horse

Page 8 of 30

26. Trojan.JS.Seeker 27. Trojan.Java.Nocheat 28. Trojan.Macro.Excel.Taiwanes 29. Trojan.Macro.Word.Nikita 30. Trojan.NetPatch

3.0 COMMONLY KNOWN TROJANS. 3.1 Back Orifice (B.O.)

"Back Orifice" is a hacker's dream, and a Netizen's nightmare. Back Orifice is not a virus. It is in essence a remote administration tool. It gives "system admin" type privileges to a remote user by way of the computer's Internet link. What does this mean? It means that if Back Orifice is running in your computer, a remote operator anywhere on the global Internet can gain access and do almost anything you can do on your computer -- and some things you can't do -- all without any outward indication of his presence. Back Orifice is purportedly a remote administration tool that allows system administrators to control a computer from a remote location (i.e. across the internet). In reality it is a highly dangerous backdoor designed by a cracking group called the Cult of the Dead Cow Communications. It is usually distributed by malicious people in the form of a Trojan Horse attack. During installation, it does not give any indication of what is really going on. Once installed, the server is intentionally difficult to detect on your machine, yet allows almost complete control over your computer by the remote attacker. . Is Back Orifice a virus? Back Orifice is not a virus. Viruses reproduce on their own. The Back Orifice server has to be willingly accepted and run by its host before it can be used. However it is usually distributed claiming to be something else. Is Back Orifice a trojan horse? It could be considered a trojan horse. In the case where a user accepts a program, and runs the program without understanding what it is. The server program gets distributed purporting to be something else e.g. PAMMY.EXE . People run it and nothing appears to happen so they ignore it, the server deletes itself as well after running.

Trojan Horse

Page 9 of 30

What if I have Back Orifice?

How do I know if I have Back Orifice ? The most common symptoms are strange things happening, programs closing, opening demonstrating this graphically by rebooting it. How do I get rid of Back Orifice? There are two fixes we are going to offer here. The first is a program you can download and run The second is a manual fix. The reason for the two solutions is this : We feel it may be hypocritical to tell you not to download and run programs from untrusted sources, then provide a fix for you to download and run :) We therefore give you the choice - you only need to use one of these methods to remove Back Orifice. The Automated Fix This fix program (BODetect) was written by Chris Benson who works for Symantec. It is $20 shareware with 30 day free trial and no nagging or crippling. Download it Chris's own site or or Simply download and run the program, we urge you to read the accompanying README.TXT The Manual Fix This fix is for those of you who want to heed our good advice and NOT run programs for 'untrusted' sources. It has been used successfully to remove Back Orifice from an infected machine but is not as complex as the Automated Fix provided above. It also involves you making alterations to your registry. We URGE you to make a backup of your registry before you begin (instructions for doing this can be found in the Appendixes of your Windows 95/98 manual). It should also work for Windows 98 machines but has not been tested on this platform. 1. Press the START button. 2. Select RUN , type REGEDIT 3. Using the + to expand the branches, locate the following key : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices of their own accord. The big give away is people on IRC announcing they can control your machine, then

Trojan Horse

Page 10 of 30

Fig 1 : Registry Editor. 4. On the right hand side, double click on the (default) 'key' . It will bring a box up showing the key and it's current value ( Value data ) ,which is ' .exe'. Highlight this and press delete (not backspace make sure the key is empty), then click OK. 5. Close REGEDIT and reboot you machine . 6. Press START 7. RUN , type COMMAND 8. At the DOS prompt type : del c:\windows\system\exe~1

Netbus Trojan.
A backdoor is a program that is designed to hide itself inside a target host. It allows the installing user access to the system at a later time without using normal authorization or vulnerability exploitation. The Netbus trojan is one of the most famous trojans around. Its authored by CarlFrederik Neikter that is very similar to the "Back Orifice" trojan distributed by CdC. It allows ANYONE running the client portion to connect and control ANYONE running the server portion

Trojan Horse

Page 11 of 30


Fig 2: Netbus Client The "NetBus-Story" - an introduction NetBus is aTrojan Horse"), which has a similar functionality than "Back Orifice". That means, it opens a "Backdoor" to a PC, so that everybody can access your PC from the network without your notice. NetBus is much more user-friendly than Back Orifice. It was programmed by a Swedish guy called Carl-Fredrik Neikter, who published the first version mid of March 1998. Up to today there are several versions: Version en 1.60, 1.70 and the latest one NetBus 2.01 Pro vor.

NetBus - how it works NetBus consists of two parts: a client-program ("netbus.exe") and a server-program often named: "patch.exe" (or "SysEdit.exe" with version 1.5 xs), which is the actual backdoor. Version 1.60 uses the TCP/UDP-Port # "12345" which can't be altered from version 1.70 and higher the port be configured. Additional information you find in an original document of the author: Version 1.60 or Version 1.70.

Trojan Horse

Page 12 of 30

NetBus - how to notice and how to fight.

The NetBus (Server) can be found in the system directory (also: "\win95" bzw. "\winnt") and is started simultaneously with windows. The name of the file differs: With NetBus 1.60 it is named "patch.exe", with "NetBus 1.5x" "SysEdit.exe" and if it is installed by a "game" called "whackamole" (file name is: "" (contains the NetBus 1.53 server) it's name is "explore.exe". There is also a file called, which installs the server of NetBus 1.70 and uses the port 12631. Aditionally it is password protected (PW: "ecoli"). The NetBus Server is installed by "game.exe" during the setup routine; the name of the server actaully is "explore.exe" located in the windows directory.

Normally all servers use the same icon:

To start the server automatically, there is an entry in the registry at: "\HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Run" normally used with the option "/nomsg". If this entry is deleted, the server won't be started with windows. You also can delete the NetBus Server using the client programm selbst. Click "Server Admin" - "Remove Server" To uninstall the server from your own PC enter the name "localhost" or the ip address

3.3 IRC Trojans (Internet Relay Chat ).

Here we hope to list some of the more dangerous trojans that seem to play a major part on IRC (Internet Relay Chat) . Some infect mIRC (A popular windows IRC client program,) Others can connect to an IRC server all by themselves. These trojans are different than normal trojans in the way that someone else controls your infected computer. With most other trojans, they open a port on your system that a hacker needs to connect to (and thus know your systems internet host, or IP.) IRC related trojans however, will open a hidden connection from your PC to an IRC server, where it will tell the hacker, or a group of hackers (or possibly even a very large channel of people) what your infected with, what your IP is, and any other information they program it to give. Then these users can send commands to the hidden IRC connection, and tell your computer to do things, similar to other trojans.

Trojan Horse

Page 13 of 30

These IRC trojans can range anywhere from so simple, that the users on IRC can only control that IRC connection (Usually using it to harass and abuse other users on IRC.) all the way to being able to run other programs on your computer, and installing other types of trojans. Unfortunately the HackFix project does not specialize in these types of trojans, however we feel that because of their nature, we should have a section listing them as well as links to removal information and help. Please keep in mind that most, if not all, of the removal information below is Not made by IRC producers, nor tested by them, as trojans in the other Categories are. They will only link to reliable trojan and virus pages, either known and proven antivirus companies, or groups such as their own with long standing historys of helping others. Various IRC Trojans:Ariel Links.vbs Dm Setup Mirc update Havoc Round 4 Pretty Park Havoc Round 5 Script INI Lifestages Srvcp.exe

SubSeven Trojan.
SubSeven was made to fill in the gaps left by NetBus. NetBus was the first 'point and click' Trojan that made it very easy for hackers to abuse an infected system. The makers of SubSeven wanted to take this even further and give the hackers even more control than NetBus ever could. SubSeven can do everything that NetBus can do. This includes things such as

File controls
o o o o

Upload / Download Move, Copy, Rename, Delete Erase hard drives and other disks Execute programs Can see your screen as you see it Log any/all key presses (even hidden passwords) Open/close/move windows Move mouse Can see all open connections to and from your computer Can close connections

o o o o

Network control
o o

Trojan Horse

Page 14 of 30

Can 'bounce' or relay from their system to yours, so wherever they connect it

seems as if You are doing it. This is how they prevent getting caught breaking into other computer systems and get You in trouble! The SubSeven Trojan can also be configured to inform someone when its infected computer connects to the internet, and tells that person all the information about you they need to use the trojan aginst you. This notification can be done over an IRC network, by ICQ, or by email.

4.0 PRECAUTIONS 4.1 Some Capabilities of Trojan Horses.

Rebooting, locking up system, listing of passwords etc. View and edit the registry (create a key, set a value, get a value, delete a key, delete a value, rename a key, etc.) List directory, find file, delete file, view file, move file, rename file, copy file, make directory, remove directory and set file attributes. Display a message box. Logging keyboard activities, operations with log file: view, delete. Adding and removing network shares, mapping of shared devices, listing of active connections etc. Playing WAV files.

These are just a few things as a precaution. Another good example: I needed information about a problem with new hardware (from a well known brand) I bought for my PC. I searched for documentation on the hardware manufacturer's public FTP site and when opening a document (Word) from that FTP site I noticed it contained a macro virus. Be careful That's probably the most important thing you can do against viruses.

4.2 What Do Trojans Do ?

Back to the two Trojan Horses Back Orifice and Netbus... they both run like a server on your system (a "back door" is opened on an infected PC to make access from outside possible), and with a client they can be accessed by other people, who can then do virtually anything on your system, including deleting files. The difference between Back Orifice and Netbus is that Netbus infects Windows NT as well as 95 and 98. Older versions of Back Orifice are said to be only capable of

Trojan Horse

Page 15 of 30

infecting Windows 95/98, but the new BackOrifice 2000 (or BO2K) appears to be capable of infecting Windows NT systems too. As said before, once a system is infected, the one accessing your PC can do virtually anything, possibly even turning on your microphone and listen to what you are doing!

4.3 Infection With BO Or Netbus.

How to find out if you are infected with BO or NetBus Thse are few methods on how you can possibly find out if you are "infected" by Back Orifice or Netbus. Note that these detection hints are for older versions of NetBus and Back Orifice only (not for example for Back Orifice 2000 or BO2K !). If you run these tests and don't find anything suspicious, this doesn't mean you are not infected. The following methods are just a few suggestions you can try, and do not guarantee anything. You should try the following methods at your own risk. 1. Netbus might be found with telnet. Open a dos box and type: telnet 12345 telnet 12346 Telnet opens, and in case a line in your telnet window containing "netbus" (excluding "") you system is infected with Netbus. 2. For both Back Orifice (old version) and Netbus (old version) there is another possible way to find if you are infected with one of them. Close all your applications, especially those who point to network-shares. Open a DOS box and run the following command: netstat -an|more Back Orifice possibly replies with: UDP *:* NetBus possibly replies with: TCP *:* TCP *:* Other "strange" replies from netstat, especially those with higher UDP and TCP ports, might be suspicious. 3. You can try looking in your system registry with regedit (recommended for advanced users only!) and take a look at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\R unServices

Trojan Horse

Page 16 of 30

This contains all files which are run as a service. If you find a service called .exe (yes, .exe, no name before the dot) or a service with a very very strange name which has a file size of about 122 Kb, then it's possible that you are infected with Back Orifice. "Finding Your Back Orifice" is a site which shows screenshots of an infected system registry and a clean system registry. 4. If weird things start happening on your system, for example: missing files/directories, suddenly opening and closing CD-ROM drive etc. then it's possible your system is infected with Back Orifice or Netbus.

Back Orifice: Another method of finding out if your system is infected by BO (older version) is to search your WINDOWS/SYSTEM directory for the file windll.dll. If it's there you are possibly infected. I found one! What now? Rumors are that some Netbus/Back Orifice removal applications going around on the Internet are the trojan horses itself. For that reason you have to be very careful which removal application you are going to use. Use a well-known brand virus scanner which can detect and remove viruses like Back Orifice and Netbus. Always check if this is the case before you buy, just to make sure! Another thing I can recommend is that you always keep your anti-virus software up-to-date. As an example: McAfee VirusScan has downloadable ".DAT" files which are renewed every month. PC Help is a site which also shows some methods how to remove Back Orifice from your system. Below are a few applications which detect and/or remove Back Orifice and/or Netbus. (Use at your own risk... also be sure to read the complete instructions of the application before you use it).

BackWork The Cleaner McAfee VirusScan

F-Secure Anti-Virus for Windows 95/98

4.4 General Precautions.

You must be certain of BOTH the source AND content of each file you download! In other words, you need to be sure that you trust not only the person or file server that gave you the file, but also the contents of the file itself. Here are some practical tips to avoid getting infected (again). For more general security information, please see our main security help page.

NEVER download blindly from people or sites which you aren't 100% sure about. In other words, as the old saying goes, don't accept candy from strangers. If you do a lot of file downloading, it's often just a matter of time before you fall victim to a trojan.

Trojan Horse

Page 17 of 30


Even if the file comes from a friend, you still must be sure what the file is before opening it, because many trojans will automatically try to spread themselves to friends in an email address book or on an IRC channel. There is seldom reason for a friend to send you a file that you didn't ask for. When in doubt, ask them first, and scan the attachment with a fully updated anti-virus program.


Beware of hidden file extensions! Windows by default hides the last extension of a file, so that innocuous-looking "susie.jpg" might really be "susie.jpg.exe" - an executable trojan! To reduce the chances of being tricked, unhide those pesky extensions.


NEVER use features in your programs that automatically get or preview files. Those features may seem convenient, but they let anybody send you anything which is extremely reckless. For example, never turn on "auto DCC get" in mIRC, instead ALWAYS screen every single file you get manually. Likewise, disable the preview mode in Outlook and other email programs.


Never blindly type commands that others tell you to type, or go to web addresses mentioned by strangers, or run pre-fabricated programs or scripts (not even popular ones). If you do so, you are potentially trusting a stranger with control over your computer, which can lead to trojan infection or other serious harm.


Don't be lulled into a false sense of security just because you run anti-virus programs. Those do not protect perfectly against many viruses and trojans, even when fully up to date. Anti-virus programs should not be your front line of security, but instead they serve as a backup in case something sneaks onto your computer.

7.Finally, don't download an executable program just to "check it out" - if it's a trojan, the first time you run it, you're already infected!

4.5 Problem Prevention.

The only sure solution is to refuse to run unknown programs (and update our computers so others can't do it without our help). Unfortunately, abstinence isn't always practical or desirable. I'll describe some protective tools you can use but keep in mind that none of them are completely effective. As newer, more sophisticated and deviant versions of the RCTH programs are released; these measures will become less and less effective. For that matter, a hostile program that succeeds in executing, may simply reconfigure or disable a protective program. As you'll read later on this page, detection and removal are not simple operations and the more infections we can prevent, the better. The following prevention measures are listed in order of effectiveness:

Trojan Horse

Page 18 of 30

Don't run the programs which means don't run any unknown programs. Be very careful of email attachments particularly .exe files and documents with macros. Run a program that firewalls your PC. I looked at McAfee Firewall (then called Conseal Private Desktop) in 1999 and ZoneAlarm lately and hope that as these and similar products . Although their theoretical effectiveness is high, general usage mistakes may subvert

that effectiveness. Also, alerts going to the desktop operator may cause either unnecessary concern or a cavalier attitude. However, they have two major advantages. First, they will protect against both known and unknown RCTH programs. All other tools require the vendor of the tool to update their product when a new RCTH program is discovered. This means that this type of program is the only effective tool for custom RCTH programs. The second advantage of firewalling software is that it provides secondary advantages unrelated to RCTH programs. These advantages are derived from the products' firewalling capabilities and generally act to increase access controls thereby providing extra protection against remote cracking and denial of service attempts. Keep in mind, though, that they don't remove the trojan...they only prevent it from communicating.

Run a program specifically made to prevent RCTH programs. The licenses of a program called BOClean is sufficient to cover faculty, staff, and students. It was the most effective tool tested at preventing, detecting, and removing RCTH programs and it does so with almost no operator input or impact.

Run an up to date virus detector. Check for updates at least once a month. The new campus installation of Norton Anti-Virus will perform automatic updates. Norton and other traditional AV products will not protect you unless you elect to run the piece that runs in the background and checks all files as they're read. That would be File System Realtime Protection for Norton, WinGuard for Dr. Solomon, VShield for McCaffee, or the equivalent for other products. If you install the campus provided Norton Anti-Virus package and select all the default buttons, File System Realtime Protection will be installed to protect you. Installing or updating any of these virus protection programs after you're infected may result in a failure to remove the infection unless you enable the background protection and reboot. Traditional AV products were not even close to the effectiveness or ease of use of BOClean and other dedicated

anti-trojan tools but they now cover the most popular programs. Two online comparisons are at the Tauscan and Netsplit sites.

Trojan Horse

Page 19 of 30

4.6 Problem Detection and Removal

RCTH Program Operation Before outlining detection and removal procedures, lets discuss the operation of the RCTH programs. To solve a problem you must first understand it. More importantly, there is no absolute solution to these programs and definitely no "tell me what keys to press" solution. A good understanding of how the RCTH programs work and how they can hide is the best weapon. There are now hundreds of this type of program. They all consist of two parts...a server that runs on your computer, and a client that runs on the controlling computer (shown below). They are all freely available on the Internet. The server silently opens up a virtual network port and listens for requests from clients. People running the clients can connect to the server from anywhere on the Internet and control your computer almost like they were sitting in front of it. In fact, some things are easier using these programs than they would be using your keyboard. For example, the program automatically decrypts passwords used to protect Microsoft shared directories. They can also scan a range of addresses looking for listening servers so once you're infected, anyone can find you.

Fig : Back Orifice RCTH Client

Trojan Horse

Page 20 of 30

Fig 4: Netbus Client 1.70

The server program can be named anything so you can't simply look for a list of names. Detection 1. Install and run BOClean. The manual procedures below are for people who, for some reason, don't have access to BOClean. There are four ways to detect RCTH programs: 1. Check the of running processes for a match against a "Trojan database". 3. Check for programs fingerprint of files for a match against a "Trojan database". 2. Check the fingerprint that are automatically started when you boot your computer. 4. Check for open virtual network ports. Each has limitations and advantages. The first two methods are traditional virus checking methods. They depend upon a database of code fragments or patterns that uniquely identify each of the suspect programs or behavior analysis that leads a file to be suspect. Of course, the database has to be constantly updated to keep up with new programs. The file check method can be time consuming because it has to check every file. However, most virus tools now do this only once when they're installed and then only in the background when a file is read. The process check only examines running programs so it can be quicker. Note that if the writer of the RCTH program obfuscated the fingerprint using compression, encryption, overlays, or some other method, the fingerprint may not be recognizable to the tool as a RCTH program. This possibility and the lag time associated with updating tools to detect new programs' fingerprints necessitates multiple checks using each of the detection methods. Keep in mind that "fingerprint tools" only work if they know the fingerprint. The fingerprint protection tools can find the

Trojan Horse

Page 21 of 30

highly publicized or otherwise discovered programs because they know about them. On the other hand, if someone wanted to target an individual or organization, had the ability to write their own program, and kept quiet about it, traditional fingerprint tools like virus checkers would never find it. All the presently identified RCTH programs automatically restart when you boot your computer. To do this they have an entry in the registry, the win.ini file, the system.ini file, the autoexec.bat file, the startup folder or similar places. Of course, lots of other programs automatically start up when you boot so the challenge is identifying the ones that aren't supposed to be there. Since the RCTH programs can be renamed, this is not a small challenge. If the programs were installed with their default names, they are easy to spot. If they've been renamed, we have to verify that the file is actually something we want started. Sometimes there is no way to do this except to remove the entry and see what breaks. StartupCop is an easy to use tool that allows you to enable and disable the various startup items as you're investigating. All the presently identified RCTH programs open a virtual network port to communicate. Every TCP/IP based system has a set of 131,070 ports it can use to communicate with other computers. Some ports are dedicated to particular uses. For example port 80 is used by a web server, port 25 by a mail server, and ports 137-139 are used by Microsoft file sharing services. Each of the RCTH programs also have default ports on which they listen for connections by other machines. If we find one of these default ports active, we're almost guaranteed that we've detected an infection. On the other hand, these programs allow the interloper to change the default port. In that case, we have to verify that any open port has been opened by a program that we authorized to run. Two tools to perform this task are Foundstone's FPort (free) and Winternal's TCPViewPro (fee). Finally, some desktop firewalls will tell you what programs are opening what ports. Without such a tool, it becomes a matter of stopping services to see what ports close. Another problem occurs when the RCTH program doesn't hold the port open continuously. At least one program sits silently until it has some data to send (your passwords), opens a port, sends data, and closes the port. As you can see there are ways around every detection method. That is why the only 100% effective solution to this problem is not to get infected in the first place. Of course, that is not too realistic unless we refuse to run any programs because there is always a chance, however slight, one of these RCTH programs might get by a big vendor. Besides, there are many, many useful programs written by shareware and freeware authors that would be a shame to ignore. However, the need for care has been exponentially increased due to these RCTH programs. Another option is the ages old unix (and other host) system administration trick of fingerprinting your critical files and checking them for modifications once in a while using something like Tripwire.

Trojan Horse

Page 22 of 30

Tools 1. Install and run BOClean. The alternate tools below are for people who, for some reason, don't have access to BOClean. Running Norton Anti-Virus will detect some of the RCTH programs by their fingerprints. Two products with downloadable evaluation versions that are effective across a range of Trojans are "The Cleaner" which works by examining file fingerprints and ZoneAlarm which works by blocking virtual port access to unknown applications. Stay away from BOSniffer. It claims to be a Back Orifice removal tool but it actually installs it. How can you be 100% sure some other program doesn't do the same thing? You can't. Desktop firewalls, such as Private Desktop and Zonealarm, are particularly interesting because they would stop all RCTH programs whether they're known or not. They can do this because they're not looking for particular trojans...only for unauthorized communications. All the other tools require the maker of the tool to be aware of the trojan and update their detection algorithm or fingerprint. They ask the operator if they want to allow any previously unseen types of communications when an application tries to use the network. Hence, the operator would probably allow netscape.exe or iexplore.exe to go ahead and use the network but not allow patch.exe or some other unfamiliar file name. It may get a little trickier if the trojan was named iexplorer.exe or email.exe though. Once again, it would be up to the operator to properly control access to their computer. Also keep in mind that desktop firewalls don't remove an RCTH which means if the computer is ever started without starting the firewall, the RCTH will be active. And it should go without saying that if any malware targets any desktop resident protective software, all bets are off. Often the client (controlling) portion of the RCTH programs contain a scanner that helps the interloper locate infected machines. Using the clients to find out if you're infected is not recommended due to the source of the programs. Some web sites will offer to scan your computer to see if one of these programs is running. These sites may not work for JMU computers and may tell you you're not infected even if you are. If you don't have BOClean installed, I'm going to recommend a manual method to use in addition to any other tool that you use. This is not a operator friendly, push a button method but its the only one I trust right now. First, we'll look at the places where these programs are started up. Then we'll look for the virtual network ports that they use to communicate. As you'll recall, these are two of the four methods to detect these programs. The other two, fingerprint checks, aren't feasible to do manually and we'll have to depend upon continually updated virus detector software and similar tools for these functions. Steps 1a and 2a will quickly detect the presently most popular programs in their default installation configuration.

Trojan Horse

Page 23 of 30

1. Check for programs that are automatically run when you start your computer. 1. Look in the registry for entries that start programs.. 2. If you're running Windows NT, look in the Services Control Panel for automatically started services. 3. Look in autoexec.bat for entries that start programs. 4. Look in win.ini for "run=" entries that start programs 5. Look in the system.ini file for entries that start programs. 6. Look in the startup folder for entries that start programs 7. Check other places commonly used to start trojans. 8. You can use a tool such as StartupCop to help in this process. 2. Check for open virtual ports 1. Use netstat to see what network ports your computer is communicating on. If you have access to Winternals TCPViewPro, use that instead. It has the advantage of telling you what program is talking on each port...something netstat doesn't do in the Windows world. Recently, Foundstone released a similar tool called FPort that is free. 3. Verify all entries and open ports Removal 1. Install and run BOClean. The manual procedures below are for people who, for some reason, don't have access to BOClean.Again, if you don't have access to BOClean for automatic removal, use manual procedure. It is helpful to double-check the effectiveness of any automated program removal that you may have access to. 1. Remove the entries that automatically start the programs. 2. Reboot. 3. Remove the files associated with the programs. 4. Repeat the detection procedures to ensure that the Trojan is removed and that there are no others.

Registry Examination
You can use a tool such as StartupCop to help in this process. Currently, almost all the RCTH programs use the registry to autostart during boot. To examine the registry, use the 'regedit' tool. You must be careful while editing the registry as it is used to control the internal operations of your computer. Accidentally deleting or modifying entries may result in an inoperative machine. Step 1: Start -> Run Step 2: Type 'regedit'. Click OK. You are now running the Microsoft Registry Editor.

Trojan Horse

Page 24 of 30

Fig 5: Registry Editor HKeys Step 3: There is an explorer-like operator interface on the left hand side of the screen. You will traverse down through the tree. Click the following selections in order: HKEY_LOCAL_MACHINE SOFTWARE Microsoft Windows CurrentVersion Now you'll check each of the keys beginning with "Run", sequentially examining them as described below. For the "Quick Check", Run and RunServices are the default locations for the most popular programs.In each of the Run* entries, files that are on the right side of the screen are started when you start your computer. If patch.exe or " .exe" (space dot exe) are listed in the "data" column, make note of the path name if it exists, right-click on the associated item in the "name" column, and select "delete". These are the default names of the Netbus and Back Orifice RCTH programs respectively. They are typically located in the \windows or \windows\system directory. Deleting the entry will prevent the program from starting when you reboot so you can delete the associated file. In the example below, the Netbus RCTH program is indicated by the presence of the patch.exe entry. If you're performing the Quick Check, reread the entire page. The patch.exe and " .exe names are the default file names for old versions of Netbus and Back Orifice and can be changed. You should verify that each entry in the Run* keys belongs there in case the default name was changed or you have a RCTH other than Back Orifice or Netbus. Do this for all the entries in each of the keys beginning with "Run" (i.e. RunOnce, RunServices, etc.). A cautious system administrator of a critical or multi-operator machine would probably fingerprint these files and

Trojan Horse

Page 25 of 30

check them periodically as part of normal system monitoring to assure they're the original files.You can use the Start -> Find -> FilesorFolders utility if you have problems locating the files specified in the registry. After you delete the file, be sure to empty the Recycle Bin. Note that the default filename used by Back Orifice is " .exe". Explorers default configuration is to show file names without their extensions. In this mode, you will not see anything except a blank space in a file list. In addition, the program has no icon, so it will not show up in explorers

Fig 6: regedit on a machine infected with Netbus. icon view except as a blank space. Other RCTH programs may be similarly hidden.

4.7 Virtual Port Example.

We will use the DOS utility netstat to check for open ports. If you're using Windows NT4 or Windows 98 you can proceed to the checks below. Unfortunately, the original TCP stack that comes with Windows 95 doesn't produce accurate reports. It will tell you your computer isn't vulnerable when it actually is. To fix this problem, upgrade your Windows 95 TCP/IP stack by downloading and running the Microsoft Winsock2 patch before performing the rest of this procedure. This has been a rather simple and painless upgrade for everyone I've talked to. It may also increase your network performance and reliability. The Microsoft Dial-up patch 1.3 also installs winsock2 but it is more complicated to install.

Trojan Horse

Page 26 of 30

If you have access to Winternals TCPViewPro, use that instead. It has the advantage of telling you what program is talking on each port...something netstat doesn't do in the Windows world. Recently, Foundstone released a similar tool called FPort that is free. 1. Open an MSDOS window. 2. Close all other programs.

Fig. 7: A typical netstat display. 3. Type netstat -an 4. Examine the second column after the colon. In the listing above, the item of interest in the first line is "80" and in the second line is "135". These are the virtual port numbers by which programs communicate with the outside world. Other computers which want to communicate with your machine must use your IP address plus one of these virtual ports to form the equivalent of a telephone number to find you. In the example above, a personal web server is listening on port 80.

Trojan Horse

Page 27 of 30

5. If you see the numbers '12345 'or '31337', you almost definitely have one of the programs installed (Netbus and Back Orifice respectively). The Netbus port is active below.

Fig 8: netstat display on a machine infected with Netbus. 6. The list above has many additional ports open which makes it confusing. Most of these ports were caused by having a web and email browser open. To decrease the number of ports you need to examine its best to run netstat right after a reboot and before any other applications are started. Many Windows 95/98 machines will only have ports 137, 138, and 139 active for Microsoft file sharing use. If you don't use Microsoft file sharing, turn it off in the network control panel so you don't have those ports open. You can also delete the netbios protocol in the same place. Otherwise, you have to ensure that all open ports are supposed to be open which requires a familiarity with network protocols and services. Generally, you'll find that these ports are opened by programs that are automatically started in the registry. So the process of validating registry entries is related to the process of validating ports. Sometimes it just boils down to removing registry entries (after copying the information for restoration if needed) and seeing what breaks and what ports no longer open. Its a tedious process. One helpful hint. If you telnet to a port on which Netbus is listening, it will answer "Netbus v1.x" depending upon the version. Resources for default port assignments:

Trojan Horse

Page 28 of 30

Joakim von Braun's Trojan Database Network Ice DosHelp Internet Assigned Numbers Authority

AntiTrojan software specifically designed to help detect Trojans (not necessarily virus/worms). Most can be run along side your chosen antivirus program. However no trojan scanner is 100% effective as manufactures cannot keep up with the rapid change of viruses that happens daily. Be sure to update yours regularly!

5.1 Anti-Trojan
Anti-Trojan 5.5 is a powerful trojan scanner and remover which detects more than 9000 different types of trojan horses. It uses three methods to find them. The first is the portscan which gives you information if there are open ports on your computer. The second one is the registry scan which searches through the system registry database for trojans. The third and the most important part is the disk scan. It scans your harddisks for dangerous trojan files and removes them safely. Supports: Win95/98/ME/NT4/2000/XP Supports many languages.

5.2 PC Door-Guard
A full-featured extensive and thorough intrusion scanner that scans any media on your PC for backdoors and trojan horses. Supports: Win95/98/ME/NT/2000

5.3 Pestpatrol
PestPatrol is a utility, similar to anti-virus products, but instead of scanning for viruses it scans for worms and Trojans, even tools and utilities used by hackers and maybe even trusted employees. Used along with anti-virus software, PestPatrol will keep you safe from malicious objects, commonly referred to as Pests. You routinely scan for viruses, why not make PestPatrol

Trojan Horse

Page 29 of 30

part of your daily routine? Supports: Win95/98/ME/NT/2000/XP

5.4 Tauscan
Trojan Horse detection and removal engine capable of detecting every known type of backdoor that can threaten your system. It works unobtrusively in the background to prevent attack and uses minimal system resources. Its user-friendly interface, innovative features such as drag & drop scan, right-click scan and a setup Wizard were designed to enable novice users to configure the application and use it effectively without the need for any computer literacy on their part. Supports: Win95/98/ME/NT/2000/XP

5.5 The Cleaner

A unique program that searches out Trojan Horses and cleans them from your system. The Cleaner uses an original process to uniquely identify files. They cannot hide by changing their name or reported file size. They cannot hide by attaching themselves to other programs. They cannot hide. Supports Win95/98/ME/NT/2000/XP

Trojans are malicious programs that claims to be something desirable but they are much more dangerous than viruses and may steal your data or may damage ,erase your disk. So be careful while downloading any document , movie ,music file etc.. from internet. It is evident that there will soon be some very sophisticated ways to hide this type of program. If you value your privacy,

Trojan Horse

Page 30 of 30

your computer data, and your reputation, it is imperative to refuse to run unknown executable programs. It is unfortunate that the publishing of these easily used and abused programs has made our computing environment less friendly to sharing and open communication. However, if the programs hadn't been publicized, sneakier people could have used similar tactics without warning. Almost every existing operating system allows the sort of features that make RCTH programs possible. Operators run programs. Programs open sockets. Programs capture keystrokes. Operating systems provide mechanisms to automatically start programs. The vulnerability that exists is that we (industry wide) use computers that don't have many internal controls. They let us do what we want. Without internal controls, it is up to us to control them. If we don't control them, we'll either have increasingly serious security breaches or the computer industry will go back to locked down mainframe type processing to force automatic controls. I suspect this latest threat will hasten the use of "certified applications", increased access controls to both organizational data and the Internet, locked down desktop configurations, the "Network Computer/Browser/Application Server architecture, and an increased level of caution associated with our computing environment. Maybe hackers will force us back to terminals (static browsers), mainframes(application servers), and service bureaus(application service providers).

BIBLIOGRAPHY: Related CERT advisory on Back Orifice Related CERT advisory on generic Trojan Horse Programs.

Trojan Horse

Page 31 of 30

Report Documentation & Accounting Page Case study Report Code: Case study Report Number :

Address (Details): Computer Department, Jivram Tukaram Mahajan College of Engineering, Nhavi Marg, Jivram Nagar, P.O. M.S.S.K, Faizpur. Pin 422 003, Dist: Jalgaon (M.S.) INDIA. E-mail(s): 1) 2) Report Title: Trojan-Horses Author Details (Name, Year, Branch, Roll No, Batch): Name: Harshal B Kolambe. Year: Third Year Branch: Computer Engineering Roll: 18. Batch: 2010 - 2012 Date Of Report Page Count (dd-mm-yy): 32

Author [with Address, phone, Email]: Address: Pin 425502, Dist: Jalgaon (M.S.) INDIA. Ph(Mob): E-mail: Time Covered Type Of Report: (From To) FINAL 25-feb-2011 TO 30-feb-2011 Report Checked By: Report Checked Date:

Guides Complete Name: Prof. T.S.Waykole.

Total Copies

Report Abstract: The main aim of this seminar is to give brief introduction About theTrojan Horses. The topics covered in this seminar are : What is exactly a Trojan Horse? Various Trojans, How they work? Detection & Prevention Methods. Anti-Trojans etc

Trojan Horse

Page 32 of 30