Introduction
Trojans and Backdoors are sorts of Bad-wares which their main purpose is to send and receive data and especially commands through a port to another system. This port can be even a well-known port such as 80 or an out of regular ports like 7777. The Trojans are most of the time defaced and shown as a legitimate and harmless application to encourage the user to execute them. The main characteristic of a Trojan is that first it should be executed by the user, second sends or receive data with another system which is the attacker’s system.
Sometimes the Trojan is combined with another application. This application can be a flash card, flash game, a patch for OS, or even an antivirus. But actually the file is built of two applications which one of them is the harmless application, and the other one is the Trojan file.
Technically defined, a Trojan horse is “a malicious and security-breaking program which is designed as something benign”. Such a program is designed to cause damage, data leakage, or make the victim a medium to attack another system.
A Trojan will be executed with the same privilege level as the user who executes it; nevertheless the Trojan may exploit vulnerabilities and increase the privilege.
An important point is that not only the connection can be online (so that the commands or data are transmitted immediately between the hacker and victim), but also the communication can be offline and performed using emails, HTTP URL transmits or as the like.
Auto Start Methods
One of the actions usually Trojans perform is to make themselves Auto-Start to be executed each time the system reboots. Below are some registry keys Trojan Horses modify for this purpose:
HKLM\Software\Microsoft\Windows\Current Version\Run
HKLM\Software\Microsoft\Windows\Current Version\Runonce
HKLM\Software\Microsoft\Windows\Current Version\RunServices
HKLM\Software\Microsoft\Windows\Current Version\RunServicesOnce
HKLU\Software\Microsoft\Windows\Current Version\Run
HKLU\Software\Microsoft\Windows\Current Version\RunOnce
Types of Trojans
Remote Access TrojansThis sort of Trojans provides full or partial access and control over the victim system. The server application will be sent to the victim and a client listens on the hacker’s system. After the server is started, it establishes the connection with the client through a predefined port. Most of the Trojans are of this kind.
Data Sending TrojansUsing email or a backdoor, this type of Trojan send data such as password, cookies or key strokes to the hacker’s system.
Destructive TrojansThese Trojans are to make destructions such as deleting files, corrupting OS, or make the system crash. If the Trojan is not for fun, usually the purpose of such Trojans is to inactivate a security system like an antivirus or firewall.
DDos Attack TrojansThis Trojans make the victim a Zombie to listen for commands sent from a DDos Server in the internet. There will be numerous infected systems standby for a command from the server and when the server sends the command to all or a group of infected systems, since all the systems perform the command simultaneously, a huge amount of legitimate request flood to a target and make the service stop responding.
Proxy TrojansIn order to avoid leaving tracks on the target, a hacker may send the commands or access the resources via another system so that all the records will show the other system and not the hacker’s identities. This sort of Trojans are to make a system works as a medium for attacking another system and therefore the Trojan transfers all the commands sent to it to the primary target and does not harm the proxy victim.
Security Software Disabler TrojanThis kind of Trojan disables the security system for further attacks. For instance they inactivate the antivirus or make it malfunction or make the firewall stop functioning.
How to find the Trojan activity
The best method to find the Trojan is by monitoring the ports transmitting data on the network adapter. Note that as mentioned above there are Trojans which can transmit the commands and data via standard ports such as 80 or SMPT (email) which this method of inspection is not effective on them.
The command nbtstat is a very powerful tool to check which ports are used to send and receive data. You can use this command with switch –an for a proper result:
netstat –an
If you want to check if a particular port is being used by any application, you can add the findstr to the command:
netstat –an findstr 8080
Wireshark is another application which can show all the data transferred on the Network Interface Card and using it you can see what data are being transmitted out the system, and what is the listener of the port.
Some Trojan Samples
Tini:
This Trojan listens to port 7777 and provides shell access to the victim’s system for the hacker.
ICMD: This application provides shell access, but can accept password and preferred port.
NetBuss: This Trojan has a GUI for controlling the victim’s system. Rather than a serious attack it’s mostly used for fun.
Netcat (Known as NC): A very famous Trojan with many options for different methods of command and data transfer.
Proxy Server Trojan: This Trojan makes the victim a proxy for attacking another system.
VNCAlthough VNC is not a malicious application however since it is not detected by the Antivirus systems it can be used as a means of Trojan horse attack.
Remote By Mail: This Trojan can send and receive commands and data using series of emails. Although compared to a shell session the commands are very limited, however due to the protocol it uses (SMTP) it can bypass and evade most of the firewall systems.
HTTP Rat: This Trojan sends and receives commands by exchanging series of URLs with a server. Since it uses the HTTP protocol, it is a very dangerous Trojan and can evade almost all the firewall systems.
Shttp Trojan: Same as HTTP Rat
Wrappers
Wrapper is an application which can concatenate two executable files and produce an application containing both. Most of the times, the Wrapper is used to attach a Trojan file to a small harmless application such as a flash card to deceive the targeted user and encourage him to execute it.
Some Wrappers are able to make modifications on the Trojan horse such as compressing it or adding blanks to the end of it and hide it to be detected by the Antivirus’.
Some Wrappers Samples
Wrapper Convert Program
One File EXE Maker
Yet Another Builder (Known as YAB and is a very powerful and dangerous application)
Defacing Applications
Defacing application is a very simple and almost harmless application which can be used to change the icon of an executable file.
Whereas the icon of the Trojan is usually the default icon of the executable files, the hacker maybe change the Trojan’s icon and fake it as a harmless application or even another application such as a Microsoft Word document or a text file.