
Department of Electronics Engineering

Advanced Networking Technology


VIIth Semester
A Case Study Report on

All About Trojans 


Submitted in partial fulfillment of
the requirements of the lab work for subject Advanced Networking
Technology

Submitted by

Roll No      Names of Students
2015110040   Jay Rana
2015110041   Nihal Raut
2015110042   Sai Prathik

Under the guidance of Dr. D. C. Karia

Bharatiya Vidya Bhavan's Sardar Patel Institute of Technology
Munshi Nagar, Andheri (W), Mumbai-400058
University of Mumbai
Academic Year 2018 - 19

Acknowledgement

We would like to thank Dr. D. C. Karia, Assistant Professor, Electronics Engineering Department, Sardar Patel Institute of Technology, for giving us the opportunity to work on this case study and helping us whenever necessary. Without his apt suggestions and constructive criticism, we would not have been able to realize our report to completion.

Contents

1 Introduction . . . 1
1.1 Threats in computer systems . . . 1
1.1.1 Definitions . . . 1
1.2 Trojans . . . 1
1.2.1 What are they? . . . 1
1.2.2 Why are they used? . . . 2
1.2.3 Trojan infection methods . . . 2
1.3 History of Trojans . . . 2
2 Report from Kaspersky . . . 4
2.1 Figures of 2018 . . . 4
2.2 Trends of the year . . . 4
2.3 Banking Trojans . . . 4
2.4 Statistics . . . 5
3 Report from Norton (Symantec) . . . 7
3.1 Problems . . . 7
    How Trojans impact mobile devices . . . 7
    Case - Norton AntiVirus Detects Gatecrasher Trojan Horse . . . 8
4 Report from Sans.org
    Deconstructing SubSeven, the Trojan Horse of Choice . . . 10
    What is SubSeven? . . . 10
    What does SubSeven do? . . . 11
    NetBus 2.1, Is It Still a Trojan Horse or an Actual Valid Remote Control Administration Tool? . . . 11
    Acts of terrorism trojan . . . 14
5 Report from McAfee . . . 15
5.1 McAfee Virus Map . . . 15
6 Conclusions . . . 17

List of Figures

2.1 Number of attacks defeated by Kaspersky Lab products, 2018 [1] . . . 5
2.2 Number of attacked users, 2018 [1] . . . 6
2.3 Number of attacks by mobile banking Trojans, 2017 and 2018 [1] . . . 6
3.1 Trojans attack unsuspecting users of cell phones and tablets (Source: https://us.norton.com) . . . 8
3.2 Case - Norton Antivirus alert 1 . . . 8
3.3 Case - Norton Antivirus alert 2 . . . 9
3.4 Case - Norton Antivirus Protection steps . . . 9
4.1 Netbus 1.7 Trojan Menu Screen . . . 12
4.2 Netbus - Accessing password settings . . . 13
4.3 Netbus - Accessing media files . . . 13
4.4 Netbus - Keyboard logging . . . 14
5.1 McAfee Virus Map . . . 15

Chapter 1

Introduction

1.1 Threats in computer systems

1.1.1 Definitions

A threat, in the context of computer security, refers to anything that has the potential to cause serious harm to a computer system. A threat is something that may or may not happen, but has the potential to cause serious damage. Threats can lead to attacks on computer systems, networks and more.

Threats are potentials for vulnerabilities to turn into attacks on computer systems, networks, and more. They can put individuals' computer systems and business computers at risk, so vulnerabilities have to be fixed so that attackers cannot infiltrate the system and cause damage.

Threats can include everything from viruses, Trojans and back doors to outright attacks from hackers. Often, the term blended threat is more accurate, as the majority of threats involve multiple exploits. For example, a hacker might use a phishing attack to gain information about a network and then break into that network.

1.2 Trojans

1.2.1 What are they?

Trojan or Trojan horse is the name given to a computer virus. It is a type of computer software that is camouflaged in the form of regular software such as utilities, games and sometimes even antivirus programs. Once it runs on the computer, it causes problems like killing background system processes, deleting hard drive data and corrupting file allocation systems.

Mostly, Trojans are introduced via email attachments. These emails are disguised in a way that makes them look authentic. Once the user downloads the attached file and runs it, the file starts corrupting the system. A Trojan can also come as a payload with freeware and shareware available on the Internet.

1.2.2 Why are they used?

When a Trojan horse becomes active, it puts sensitive user data at risk and can negatively impact performance. Once a Trojan has been transferred, it can:

• Give the attacker backdoor control over the computing device.
• Record keyboard strokes to steal the user's account data and browsing history.
• Download and install a virus or worm to exploit a vulnerability in another program.
• Install ransomware to encrypt the user's data and extort money for the decryption key.
• Activate the computing device's camera and recording capabilities.
• Turn the computer into a zombie bot that can be used to carry out click fraud schemes or illegal actions.
• Legally capture information relevant to a criminal investigation for law enforcement.

1.2.3 Trojan infection methods

Trojans can look like just about anything, from free software and music, to browser advertisements to seemingly legitimate apps. Any number of unwise user behaviors can lead to a Trojan infection. Here are a few examples:

• Downloading cracked applications: Promises of an illegal free copy of a piece of software can be enticing, but the cracked software or activation key generator may conceal a Trojan attack.
• Downloading unknown free programs: What looks like a free game or screensaver could really be a Trojan, especially if you find it on an untrustworthy site.
• Opening infected attachments: You get a strange email with what looks like an important attachment, like an invoice or a delivery receipt, but it launches a Trojan when you click on it.
• Visiting shady websites: Some sites only need a moment to infect your computer. Others use tricks like pretending to stream a popular movie, but only if you download a certain video codec, which is really a Trojan.
• Any other social engineering that disguises itself by taking advantage of the latest trends. For example, in December 2017, an extensive installed base of Intel processors was discovered to be vulnerable to attack due to hardware issues. Hackers leveraged the ensuing panic by faking a patch called Smoke Loader, which installed a Trojan.

1.3 History of Trojans

A program called ANIMAL, released in 1975, is generally considered the world's first example of a Trojan attack. It presented itself as a simple game along the lines of twenty questions. However, behind the scenes, the game copied itself onto shared directories where other users could find it. From there, the game could spread across entire computer networks. For the most part, it was a harmless prank.

By December 1989, several thousand floppy disks containing the AIDS Trojan, the first known ransomware, were mailed to subscribers of PC Business World magazine and a World Health Organization AIDS conference mailing list. This DOS Trojan would lie dormant for 90 boot cycles, encrypt all filenames on the system, then display a notice asking the user to send USD 189 to a post office box in Panama in order to receive a decryption program.

In 2000, a Trojan called ILOVEYOU became the most destructive cyberattack in history at the time, with damages estimated up to USD 8.7 billion. Recipients received an email with what looked like a text attachment named 'ILOVEYOU'. If they were curious enough to open it, the program would launch a script that would overwrite their files and send itself to every email address in the user's contact list.

Through the 2000s, Trojans leveraged the rise of illegal downloading, disguising malware as music files, movies, or video codecs. In 2002, a Windows-based backdoor Trojan horse called Beast emerged and was capable of infecting almost all versions of Windows. Then, in late 2005, another backdoor Trojan called Zlob was distributed disguised as a required video codec in the form of ActiveX.

The 2000s also saw a rise in the number of Mac users, and cybercriminals followed suit. In 2006, the discovery of the first-ever malware for Mac OS X, a low-threat Trojan Horse known as OSX/Leap-A or OSX/Oompa-A, was announced.

In 2007, a Trojan named Zeus targeted Microsoft Windows in order to steal banking information by means of a keylogger. In 2008, hackers released Torpig, also known as Sinowal and Mebroot, which turned off anti-virus applications, allowing others to access the computer, modify data, and steal confidential information like passwords and other sensitive data.

Chapter 2

Report from Kaspersky

2.1 Figures of 2018

In 2018, Kaspersky Lab products and technologies detected:

• 5,321,142 malicious installation packages
• 151,359 new mobile banking Trojans
• 60,176 new mobile ransomware Trojans

2.2 Trends of the year

Users of mobile devices in 2018 faced what could be the strongest cybercriminal onslaught ever seen. Over the course of the year, Kaspersky observed both new mobile device infection techniques (for example, DNS hijacking) and a step-up in the use of tried-and-tested distribution schemes (for example, SMS spam). Virus writers were focused on:

• Droppers (Trojan-Dropper), designed to bypass detection
• Attacks on bank accounts via mobile devices
• Apps that can be used by cybercriminals to cause damage (RiskTool)
• Adware apps

2.3 Banking Trojans

The number of attacks involving mobile banking Trojans was eye-catching [1]. By Q2 the situation had radically changed for the worse. New records were set in terms of both the number of mobile banking Trojans detected and the number of attacked users. The root cause of this hike is not clear, but the main culprits are the creators of the Asacub and Hqwar Trojans. Asacub itself evolved from an SMS Trojan that was armed from the get-go with tools to counteract deletion and intercept incoming calls and SMS messages. Later, the creators of the malware beefed up its logic and began mass distribution using the same attack vector as before: social engineering via SMS.

However, banking Trojans in 2018 were noteworthy not just in terms of scale, but mechanics as well. One aspect of this is the increasingly common use of Accessibility Services in banking threats. This is partly a response to new versions of Android that make it increasingly difficult to overlay phishing windows on top of banking apps, and partly the fact that using Accessibility allows the Trojan to lodge itself in the device so that users cannot remove it by themselves. What's more, cybercriminals can use Accessibility Services to hijack a perfectly legitimate application and force it, say, to launch a banking app to make a money transfer right there on the victim's device.

2.4 Statistics

In 2018, Kaspersky detected 5,321,142 malicious mobile installation packages, which is down 409,774 on the previous year. Despite this drop, in 2018 Kaspersky recorded a doubling of the number of attacks using malicious mobile software: 116.5 million (against 66.4 million in 2017).

Figure 2.1: Number of attacks defeated by Kaspersky Lab products, 2018 [1]

The number of attacked users also continued its upward trajectory. From the
beginning of January to the end of December 2018, Kaspersky Lab protected
9,895,774 unique users of Android devices: up 774,000 against 2017.

Figure 2.2: Number of attacked users, 2018 [1]


Figure 2.3: Number of attacks by mobile banking Trojans, 2017 and 2018 [1]

Chapter 3

Report from Norton (Symantec)

3.1 Problems

Norton Antivirus, like all antivirus software, cannot detect all malware on the Web. If a workstation becomes victim to a Trojan horse, but Symantec has not rolled out a patch for the infection, not only will Norton Antivirus not remove the virus, but it typically won't even know that the infection exists. To work around this shortcoming, educate employees on safe browsing and advise users to download files only from trusted websites. Norton Antivirus, in rare cases, may also report false positives. In other words, Norton Antivirus will label a benign program as malicious if it detects code that matches a string of characters in a known virus. If you know the program is safe, you can report the false positive to Symantec.
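The paragraph above describes the two limits of string-signature scanning: a Trojan with no signature yet goes undetected, and a benign file that happens to contain a known string is a false positive. The Python below is an added illustration (not from the report or from Symantec); the signatures, the in-memory sample files and the hash allowlist used to suppress a confirmed false positive are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # byte string whose presence triggers a detection


# Constructed "known Trojan" signatures for illustration only (hypothetical,
# not real detection patterns).
SIGNATURES = (
    Signature("Trojan.Example.Dropper", b"MZ\x90\x00DROPPER-STUB-v1"),
    Signature("Trojan.Example.Notify", b"ICQ_NOTIFY_ON_CONNECT"),
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_bytes(data: bytes, signatures=SIGNATURES, allowlist=frozenset()) -> list[str]:
    """Return the names of all signatures whose pattern occurs in data.

    A file whose SHA-256 is on the allowlist is reported clean even if it
    contains a signature string; this mirrors a vendor whitelisting a
    confirmed false positive after a user reports it.
    """
    if sha256_hex(data) in allowlist:
        return []
    return [sig.name for sig in signatures if sig.pattern in data]


def scan_files(files: dict[str, bytes], allowlist=frozenset()) -> dict[str, list[str]]:
    """Scan a mapping of filename -> contents and return filename -> hits."""
    return {name: scan_bytes(blob, allowlist=allowlist) for name, blob in files.items()}


# Constructed in-memory sample "files" so the example runs offline.
SAMPLE_FILES = {
    # Carries the known stub byte for byte: a true positive.
    "invoice.exe": b"MZ\x90\x00DROPPER-STUB-v1" + b"\x00" * 32,
    # A repacked variant with a changed stub: no signature yet, so it is missed.
    "invoice2.exe": b"MZ\x90\x00DROPPER-STUB-v2" + b"\x00" * 32,
    # An analyst's notes quoting the string: a false positive on a benign file.
    "analysis_notes.txt": b"The server sends ICQ_NOTIFY_ON_CONNECT when online.",
    "readme.txt": b"Nothing to see here.",
}


def main():
    print("First pass:")
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"  {name:20s} {', '.join(hits) or 'clean'}")
    # The notes file was confirmed benign and reported; allowlist its hash.
    allow = frozenset({sha256_hex(SAMPLE_FILES["analysis_notes.txt"])})
    print("After allowlisting the confirmed false positive:")
    for name, hits in scan_files(SAMPLE_FILES, allow).items():
        print(f"  {name:20s} {', '.join(hits) or 'clean'}")


if __name__ == "__main__":
    main()
```

The renamed variant stays undetected in both passes, which is the gap the paragraph says user education has to cover.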

How Trojans impact mobile devices

Trojans are not problems for only laptop and desktop computers. They can also impact your mobile devices, including cell phones and tablets.

In general, a Trojan comes attached to what looks like a legitimate program. In reality, it is a fake version of the app, loaded up with malware. Cybercriminals will usually place them on unofficial and pirate app markets for unsuspecting users to download.

In addition, these apps can also steal information from your device, and generate revenue by sending premium SMS texts.

One form of Trojan malware has targeted Android devices specifically. Called Switcher Trojan, it infects users' devices to attack the routers on their wireless networks. The result? Cybercriminals could redirect traffic on the Wi-Fi-connected devices and use it to commit various crimes.

Figure 3.1: Trojans attack unsuspecting users of cell phones and tablets (Source)
https://us.norton.com

Case - Norton AntiVirus Detects Gatecrasher Trojan Horse

You attempt to launch ACT! when a Norton AntiVirus Security Alert appears, indicating that Norton Internet Worm Protection has detected and blocked an intrusion attempt. The details of this Security Alert reference a Gatecrasher Trojan Horse.

Figure 3.2: Case - Norton Antivirus alert 1

Figure 3.3: Case - Norton Antivirus alert 2


Figure 3.4: Case - Norton Antivirus Protection steps

Chapter 4

Report from Sans.org

Deconstructing SubSeven, the Trojan Horse of Choice

Just as computers have evolved from existing as the property of a select few in corporate and governmental realms to being available to the masses for professional and private use, so have the methods and desires to misuse the technology they harness. Trojan horse programs like NetBus, Back Orifice and SubSeven have democratized hacking such that those who engage in the activity are no longer required to possess a comprehensive and often esoteric understanding of multiple operating systems, networking concepts and programming languages. The largest group of attackers, comprising over 95 percent of the hacker population, is referred to as "script kiddies," individuals with limited knowledge of operating systems and networks [2]. They allow precompiled programs like Trojan horses to do the work for them, which afford hackers access to other computers to pilfer files, change settings or launch denial of service attacks.

What is SubSeven?

SubSeven is a Trojan Horse used to attack computers running on a Windows 9.x platform. Its popularity stems from the fact that it is a remote-control program which allows an attacker to issue virtually any command imaginable on a compromised system, and it provides many more options for attack than other Trojans like Back Orifice or NetBus. The SubSeven download is comprised of three programs: the SubSeven server, client and server editor.

The server editor (EditServer program) defines the characteristics of infection, allowing the hacker to specify whether the compromised system should send an email or ICQ notification to the attacker when the target is online, whether the program should "melt server after installation" (have the server run once and then disappear) and which ports the client should use to connect to the server (and thus which ports the server must ensure remain open while the victim is online). This customization of settings (which was introduced by Back Orifice 2000) allows the Trojan more flexibility [3]. The function of the EditServer program is also useful when detection and/or removal of the server on the victim machine has become imminent: the hacker can connect to the victim machine and install a different configuration of the SubSeven server that uses alternate ports, different techniques for autostarting and/or a server filename that varies from that previously used. Once the attacker removes the old version of the server, he or she is able to unobtrusively continue violating the victim computer. SubSeven can be sent as an email attachment that, once executed, can display a customized message to deceive the victim and mask the true intent of the program. Infection can also occur through unprotected shares of the hard drive, when a user permits unauthorized read and write access. Such a situation allows an attacker to place the Trojan into the appropriate directories and edit the registry so that the SubSeven server is initialized every time the computer reboots. In this scenario, the end-user is completely unaware that infection has occurred since he or she was not required to perform any particular action.
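The persistence just described (a registry entry that starts the server on every reboot, swapped for a new filename and port when detection looms) is why defenders review the autostart keys rather than look for one known filename. The Python below is an added example, not from the report or the SANS paper; the `.reg` export it parses and the trusted-directory policy it applies are constructed assumptions.

```python
import re

# Autostart keys reviewed by this audit (real Windows key paths; RunServices
# exists on the Windows 9x family that SubSeven targeted).
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}

# Assumed review policy: autostart binaries are expected under these
# directories, and anything launched from a temp directory is always flagged.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Parse the [key] and "name"="value" lines of a .reg export.

    Only string values are handled. A .reg file doubles backslashes and
    escapes quotes with a backslash inside values; both are undone here.
    """
    entries: dict[str, dict[str, str]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1)
            entries.setdefault(key, {})
            continue
        m = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if m and key is not None:
            value = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            entries[key][m.group(1)] = value
    return entries


def command_path(command: str) -> str:
    """Extract the executable path from a Run value (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def suspicious_autostarts(reg_text: str) -> list[tuple[str, str, str]]:
    """Return (key, value name, lower-cased path) for entries worth review."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key not in RUN_KEYS:
            continue
        for name, command in values.items():
            path = command_path(command).lower()
            in_temp = any(marker in path for marker in TEMP_MARKERS)
            if in_temp or not path.startswith(TRUSTED_PREFIXES):
                findings.append((key, name, path))
    return findings


# Constructed sample export: one system entry, one application entry, and one
# entry launching an innocuously named binary from the Windows temp directory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="\"C:\\Windows\\System32\\systray.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Office Helper"="\"C:\\Program Files\\Office\\helper.exe\" -tray"
"Update"="C:\\Windows\\Temp\\winupdate.exe /silent"
'''


def main():
    for key, name, path in suspicious_autostarts(SAMPLE_REG):
        print(f"REVIEW {name!r} under {key}: {path}")


if __name__ == "__main__":
    main()
```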

What does SubSeven do?

Once SubSeven is installed, hackers can initiate attacks that range from mildly irritating to extremely detrimental. In the former category, the more notable capabilities provided by SubSeven are the ability to restart Windows on the victim's computer, reverse mouse buttons, record sound files from the microphone attached to the compromised machine, record images from an attached video camera, change desktop colors, open/close the CD-ROM drive, record screen shots of the victim's computer and turn the victim's monitor off/on. An attacker can also glean various information about a victim's computer, including the version of Windows running on the machine, the hard disk size and a listing of recorded and cached passwords [7].

NetBus 2.1, Is It Still a Trojan Horse or an Actual Valid Remote Control Administration Tool?

A Swedish programmer named Carl-Fredrik Neikter developed NetBus around early 1998. Version 1.2 started out solely as a Trojan horse program intended to go out and gain remote control over a person's computer. V1.2 was soon displaced by version 1.5 with the same intentions as V1.2. As with most new code releases, it provided new features and fixed old problems. Around the same time V1.5 was released, Back Orifice hit the Internet. The media hype and problems it created really started the fast evolution of Trojan horse development to what it is today. As virus detection products began to detect a version of NetBus, a new one was then developed. V1.5x was displaced by V1.6 and then by V1.7. Each version of NetBus had an executable sent along with it. All the user would do is double click on an icon or attachment and the Trojan horse was off and running in the background without the user's knowledge. Also, all icons could be interchanged to anything an attacker wanted by using simple icon software (Internet freeware) [8].

Figure 4.1: Netbus 1.7 Trojan Menu Screen


Figure 4.2: Netbus - Accessing password settings
Figure 4.3: Netbus - Accessing media files

Figure 4.4: Netbus - Keyboard logging

Acts of terrorism trojan



Chapter 5

Report from McAfee

5.1 McAfee Virus Map

Figure 5.1: McAfee Virus Map

According to McAfee.com (Fig. 5.1), in the last 30 days 32.41 percent of all computers using McAfee virus protection had some form of virus infection.

McAfee and Norton virus detection programs consider Trojan horses as virus infections. Now this is by no means implying that all the infected computers had Trojan horse viruses [8]. However, it would be safe to say that a decent percentage did. In addition, the current Code Red bugs propagating around could be padding the infected computer numbers. Anyway, NetBus v1.2 to v1.7 are considered Trojan horses and are detectable by McAfee, Norton and various other detection software.

Chapter 6

Conclusions

Software Trojans masquerade as an application or file that entices a user to open it. A Trojan horse may copy itself on to the compromised computer, but it doesn't make copies of itself and spread like a virus, which is a key difference between a Trojan and a virus. While most Trojans only execute their own malicious code, some Trojans may actually perform the actions of the file they pretend to be, but then they execute their own malicious code on the compromised computer. Other Trojans make it appear that they are performing the desired actions, but in reality do nothing but trigger their malicious routines.

Trojans arrive on compromised computers in a variety of ways. These methods distribute the Trojan, often as rapidly as possible, so that the Trojan can maximize the opportunity to perform its main function in a large user population before it is detected by antivirus software.

One of the most common methods is for the Trojan to be spammed as an email attachment or a link in an email. Another similar method has the Trojan arriving as a file or link in an instant messaging client. These methods often rely on social engineering techniques to tempt the user to click on the link or open the file, since many of these emails and instant messages appear to come from people the user knows. These techniques will play on a user's curiosity about the big news item such as a celebrity scandal, crisis, catastrophe, or major global event.

Another means of arrival is a method called drive-by downloads. A drive-by download occurs when a user goes to a web site that is either legitimate but compromised and exploited, or malicious by design. The download occurs surreptitiously without the user's knowledge. Alternatively, the user is asked to update or add a video codec when at a malicious web site. When the user complies with this request, they inadvertently download a Trojan pretending to be the video codec.

Finally, a Trojan horse program can be dropped or downloaded by other malicious software or by legitimate programs that have been compromised or exploited on the compromised computer.

Just as each Greek warrior had his own task to perform in capturing Troy, there are several types of Trojans, each with particular functions.

Bibliography

[1] https://www.kaspersky.co.in/resource-center/preemptive-safety/avoiding-a-trojan-virus
[2] https://www.sans.org/reading-room/whitepapers/malicious/deconstructing-subseven-trojan-horse-choice-953
[3] https://www.sans.org/reading-room/whitepapers/casestudies/paper/702
[4] https://www.symantec.com/security-center/writeup/2004-021914-2822-99
[5] https://isc.sans.edu/diary/acts+of+terrorism+trojan/1181
[6] https://us.norton.com/internetsecurity-malware-what-is-a-trojan.html
[7] https://www.sans.org/reading-room/whitepapers/malicious/deconstructing-subseven-trojan-horse-choice-953
[8] https://www.sans.org/reading-room/whitepapers/malicious/netbus-21-trojan-horse-actual-valid-remote-control-administration-tool-103
