Contents
1 Introduction
1.1 Threats in computer systems
1.1.1 Definitions
1.2 Trojans
1.2.1 What are they?
1.2.2 Why are they used?
1.2.3 Trojan infection methods
1.3 History of Trojans
2 Report from Kaspersky
2.1 Figures of 2018
2.2 Trends of the year
2.3 Banking Trojans
2.4 Statistics
3 Report from Norton (Symantec)
3.1 Problems
How Trojans impact mobile devices
Case - Norton AntiVirus Detects Gatecrasher Trojan Horse
4 Report from Sans.org
Deconstructing SubSeven, the Trojan Horse of Choice
What is SubSeven?
What does SubSeven do?
NetBus 2.1, Is It Still a Trojan Horse or an Actual Valid Remote Control Administration Tool?
Acts of terrorism trojan
List of Figures
3.1 Trojans attack unsuspecting users of cell phones and tablets (Source: https://us.norton.com)
3.2 Case - Norton Antivirus alert 1
3.3 Case - Norton Antivirus alert 2
3.4 Case - Norton Antivirus Protection steps
Screen
Netbus - Accessing password settings
Netbus - Accessing media files
Netbus - Keyboard logging
5.1 McAfee Virus Map
Chapter 1
Introduction
Threats in computer systems
Definitions
A threat, in the context of computer security, refers to anything that has the potential to cause serious harm to a computer system. A threat is something that may or may not happen, but has the potential to cause serious damage. Threats can lead to attacks on computer systems, networks and more.
Threats are the potential for vulnerabilities to turn into attacks on computer systems, networks, and more. They can put individuals' computer systems and business computers at risk, so vulnerabilities have to be fixed so that attackers cannot infiltrate the system and cause damage.
Threats can include everything from viruses, trojans and back doors to outright attacks from hackers. Often, the term blended threat is more accurate, as the majority of threats involve multiple exploits. For example, a hacker might use a phishing attack to gain information about a network and then break into that network.
Trojans
When a Trojan horse becomes active, it puts sensitive user data at risk and can negatively impact performance. Once a Trojan has been transferred, it can:
• Give the attacker backdoor control over the computing device.
• Record keyboard strokes to steal the user's account data and browsing history.
• Download and install a virus or worm to exploit a vulnerability in another program.
• Install ransomware to encrypt the user's data and extort money for the decryption key.
• Activate the computing device's camera and recording capabilities.
• Turn the computer into a zombie bot that can be used to carry out click fraud schemes or illegal actions.
• Legally capture information relevant to a criminal investigation for law enforcement.
Trojans can look like just about anything, from free software and music, to browser advertisements to seemingly legitimate apps. Any number of unwise user behaviors can lead to a Trojan infection. Here are a few examples:
• Downloading cracked applications: Promises of an illegal free copy of a piece of software can be enticing, but the cracked software or activation key generator may conceal a Trojan attack.
• Downloading unknown free programs: What looks like a free game or screensaver could really be a Trojan, especially if you find it on an untrustworthy site.
• Opening infected attachments: You get a strange email with what looks like an important attachment, like an invoice or a delivery receipt, but it launches a Trojan when you click on it.
• Visiting shady websites: Some sites only need a moment to infect your computer. Others use tricks like pretending to stream a popular movie, but only if you download a certain video codec, which is really a Trojan.
• Any other social engineering that disguises itself by taking advantage of the latest trends. For example, in December 2017, an extensive installed base of Intel processors was discovered to be vulnerable to attack due to hardware issues. Hackers leveraged the ensuing panic by faking a patch called Smoke Loader, which installed a Trojan.
History of Trojans
By December 1989, several thousand floppy disks containing the AIDS Trojan, the first known ransomware, were mailed to subscribers of PC Business World magazine and a World Health Organization AIDS conference mailing list. This DOS Trojan would lie dormant for 90 boot cycles, encrypt all filenames on the system, then display a notice asking the user to send USD 189 to a post office box in Panama in order to receive a decryption program.
Through the 2000s, Trojans leveraged the rise of illegal downloading, disguising malware as music files, movies, or video codecs. In 2002, a Windows-based backdoor Trojan horse called Beast emerged and was capable of infecting almost all versions of Windows. Then, in late 2005, another backdoor Trojan called Zlob was distributed disguised as a required video codec in the form of ActiveX.
The 2000s also saw a rise in the number of Mac users, and cybercriminals followed suit. In 2006, the discovery of the first-ever malware for Mac OS X, a low-threat Trojan Horse known as OSX/Leap-A or OSX/Oompa-A, was announced.
Chapter 2
Report from Kaspersky
Figures of 2018
• 151,359 new mobile banking Trojans
• 60,176 new mobile ransomware Trojans
Users of mobile devices in 2018 faced what could be the strongest cybercriminal onslaught ever seen. Over the course of the year, Kaspersky Lab observed both new mobile device infection techniques (for example, DNS hijacking) and a step-up in the use of tried-and-tested distribution schemes (for example, SMS spam). Virus writers were focused on:
• Droppers (Trojan-Dropper), designed to bypass detection
• Attacks on bank accounts via mobile devices
• Apps that can be used by cybercriminals to cause damage (RiskTool)
• Adware apps
Banking Trojans
The number of attacks involving mobile banking Trojans was eye-catching [1]. By Q2 the situation had radically changed for the worse. New records were set in terms of both the number of mobile banking Trojans detected and the number of attacked users. The root cause of this hike is not clear, but the main culprits are the creators of the Asacub and Hqwar Trojans. Asacub itself evolved from an SMS Trojan that was armed from the get-go with tools to counteract deletion and intercept incoming calls and SMS messages. Later, the creators of the malware beefed up its logic and began mass distribution using the same attack vector as before: social engineering via SMS.
However, banking Trojans in 2018 were noteworthy not just in terms of scale, but mechanics as well. One aspect of this is the increasingly common use of Accessibility Services in banking threats. This is partly a response to new versions of Android that make it increasingly difficult to overlay phishing windows on top of banking apps, and partly the fact that using Accessibility allows the Trojan to lodge itself in the device so that users cannot remove it by themselves. What's more, cybercriminals can use Accessibility Services to hijack a perfectly legitimate application and force it, say, to launch a banking app to make a money transfer right there on the victim's device.
Statistics
The number of attacked users also continued its upward trajectory. From the
beginning of January to the end of December 2018, Kaspersky Lab protected
9,895,774 unique users of Android devices: up 774,000 against 2017.
Chapter 3
Report from Norton (Symantec)
Problems
Norton Antivirus, like all antivirus software, cannot detect all malware on the Web. If a workstation falls victim to a Trojan horse, but Symantec has not rolled out a patch for the infection, not only will Norton Antivirus not remove the virus, but it typically won't even know that the infection exists. To work around this shortcoming, educate employees on safe browsing and advise users to download files only from trusted websites. In rare cases, Norton Antivirus may also report false positives. In other words, Norton Antivirus will label a benign program as malicious if it detects code that matches a string of characters in a known virus. If you know the program is safe, you can report the false positive to Symantec.
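The two signature-matching limitations described above (an unknown variant is missed, a benign file is flagged because it contains a matching string) as an added illustration that is not part of the original report: a toy byte-signature scanner in Python over constructed sample "files". The hash allowlist for files a human has confirmed safe is this example's own addition, not a Norton feature.

```python
import hashlib

# Constructed toy signature set: detection name -> byte string that must occur
# in a file. Real antivirus signatures are far richer, but substring matching
# is the core idea the text describes. The banner is made up for this example.
SIGNATURES = {
    "Trojan.Example.A": b"EXAMPLE_TROJAN_BANNER_V1",
}


def scan(data, allowlist=None):
    """Return the detection names whose signature occurs in data.

    allowlist: set of SHA-256 hex digests of files an analyst has confirmed
    benign (the local counterpart of reporting a false positive to the
    vendor). A file whose hash is on the allowlist is never flagged.
    """
    digest = hashlib.sha256(data).hexdigest()
    if allowlist and digest in allowlist:
        return []
    return [name for name, sig in SIGNATURES.items() if sig in data]


# Constructed sample "files": byte strings standing in for executables.
KNOWN_TROJAN = b"MZ\x90\x00" + b"EXAMPLE_TROJAN_BANNER_V1" + b"\x00" * 8
# The same sample with one byte changed: no signature exists for it yet.
NEW_VARIANT = KNOWN_TROJAN.replace(b"_V1", b"_V2")
# A benign tool whose help text merely lists the banner string.
BENIGN_TOOL = b"MZ\x90\x00" + b"Known banners: EXAMPLE_TROJAN_BANNER_V1" + b"\x00" * 8


def demo():
    """Scan every sample; the benign tool is rescanned after allowlisting."""
    confirmed_safe = {hashlib.sha256(BENIGN_TOOL).hexdigest()}
    return {
        "known_trojan": scan(KNOWN_TROJAN),                  # detected
        "new_variant": scan(NEW_VARIANT),                    # missed: no signature
        "benign_tool": scan(BENIGN_TOOL),                    # false positive
        "benign_tool_allowlisted": scan(BENIGN_TOOL, confirmed_safe),  # suppressed
    }


if __name__ == "__main__":
    for sample, hits in demo().items():
        print(f"{sample}: {hits or 'clean'}")
```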
Trojans are not a problem only for laptop and desktop computers. They can also impact your mobile devices, including cell phones and tablets.
In general, a Trojan comes attached to what looks like a legitimate program. In reality, it is a fake version of the app, loaded up with malware. Cybercriminals will usually place them on unofficial and pirate app markets for unsuspecting users to download.
In addition, these apps can also steal information from your device, and generate revenue by sending premium SMS texts.
One form of Trojan malware has targeted Android devices specifically. Called Switcher Trojan, it infects users' devices to attack the routers on their wireless networks. The result? Cybercriminals could redirect traffic on the Wi-Fi-connected devices and use it to commit various crimes.
Figure 3.1: Trojans attack unsuspecting users of cell phones and tablets (Source: https://us.norton.com)
Chapter 4
Report from Sans.org
Just as computers have evolved from existing as the property of a select few in corporate and governmental realms to being available to the masses for professional and private use, so have the methods and desires to misuse the technology they harness. Trojan horse programs like NetBus, Back Orifice and SubSeven have democratized hacking such that those who engage in the activity are no longer required to possess a comprehensive and often esoteric understanding of multiple operating systems, networking concepts and programming languages. The largest group of attackers, comprising over 95 percent of the hacker population, is referred to as "script kiddies," individuals with limited knowledge of operating systems and networks [2]. They let precompiled programs like Trojan horses do the work for them, which affords them access to other computers to pilfer files, change settings or launch denial of service attacks.
What is SubSeven?
Once SubSeven is installed, hackers can initiate attacks that range from mildly irritating to extremely detrimental. In the former category, the more notable capabilities provided by SubSeven are the ability to restart Windows on the victim's computer, reverse mouse buttons, record sound files from the microphone attached to the compromised machine, record images from an attached video camera, change desktop colors, open/close the CD-ROM drive, record screenshots of the victim's computer and turn the victim's monitor off/on. An attacker can also glean various pieces of information about a victim's computer, including the version of Windows running on the machine, the hard disk size and a listing of recorded and cached passwords [7].
NetBus 2.1, Is It Still a Trojan Horse or an Actual Valid Remote Control Administration Tool?
NetBus, a new one was then developed. V1.5x was displaced by V1.6 and then by V1.7. Each version of NetBus had an executable sent along with it. All the user would do is double click on an icon or attachment and the Trojan horse was off and running in the background without the user's knowledge. Also, all icons could be interchanged to anything an attacker wanted by using simple icon software (internet freeware). [8]
McAfee and Norton virus detection programs consider Trojan horses as virus infections. This is by no means implying that all the infected computers were Trojan horse viruses. [8] However, it would be safe to say that a decent percentage were. In addition, the Code Red bugs currently propagating around could be padding the infected computer numbers. Anyway, NetBus v1.2 to v1.7 are considered Trojan horses and are detectable by McAfee, Norton and various other detection software.
Chapter 6
Conclusions
One of the most common methods is for the Trojan to be spammed as an email attachment or a link in an email. Another similar method has the Trojan arriving as a file or link in an instant messaging client. These methods often rely on social engineering techniques to tempt the user to click on the link or open the file, since many of these emails and instant messages appear to come from people the user knows. These techniques play on a user's curiosity about the big news item, such as a celebrity scandal, crisis, catastrophe, or major global event.
Bibliography
[1] https://www.kaspersky.co.in/resource-center/preemptive-safety/avoiding-a-trojan-virus
[2] https://www.sans.org/reading-room/whitepapers/malicious/deconstructing-subseven-trojan-horse-choice-953
[3] https://www.sans.org/reading-room/whitepapers/casestudies/paper/702
[4] https://www.symantec.com/security-center/writeup/2004-021914-2822-99
[5] https://isc.sans.edu/diary/acts+of+terrorism+trojan/1181
[6] https://us.norton.com/internetsecurity-malware-what-is-a-trojan.html
[7] https://www.sans.org/reading-room/whitepapers/malicious/deconstructing-subseven-trojan-horse-choice-953
[8] https://www.sans.org/reading-room/whitepapers/malicious/netbus-21-trojan-horse-actual-valid-remote-control-administration-tool-103