
Thread: Hiding Places for Trojans

  1. #1

    Hiding Places for Trojans

    The following was posted by aladin168 to the security focus incidents mailing list and looked useful enough to share.
    ****************************************************
    In-Reply-To: <20030417230836.23848.qmail@web41603.mail.yahoo.com>

    By Kyle Lai, CISSP, CISA, KLC Consulting, Inc., www.klcconsulting.net

    Where are Trojans hiding in your systems? In any case of virus/worm/Trojan infection, we should not automatically assume that the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key is the only place Trojans try to tamper with; otherwise we would be in a false-sense-of-security TRAP. There are many other places on a Windows system where Trojans can add scripts and shortcuts to start up Trojan processes:

    · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    · [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    · [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

    Note: For the following registry keys, the key value should be exactly "%1" %* . Any program that is added to the key value will get executed every time a binary file (.exe, .com) is executed, e.g. Trojan.exe "%1" %*.

    · [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    · [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]

    Also, check:

    · Startup folder: to go to this folder, click on Start->Programs->Startup, then right-click on Startup and select "Open" from the menu. Check every file in this folder and make sure you know what they are. These files will start up automatically every time you log in to your system.
    · Windows Scheduler - check if any programs are scheduled to start at any specific time. Some Trojans use the scheduler as a means of program execution.
      o For Windows NT, 2000 and XP systems, use the AT command to verify. Go to a command prompt and type "at"; if there are any scheduled tasks, it will display Status, ID, Day of execution, Time of execution, and the command line to be executed.
      o For Windows 9x/ME systems, use Windows Explorer and go to Task Scheduler, which is under My Computer.
    · Win.ini (load=Trojan.exe or run=Trojan.exe)
    · system.ini (Shell=Explorer.exe trojan.exe)
    · autoexec.bat - look for added Trojan files, which may have the following extensions: .exe, .scr, .pif, .com, .bat
    · config.sys - look for added Trojan files
    · Any suspicious or new batch files (.BAT), which might call the actual Trojan.

    Also, watch out for social engineering... Social engineering? Yes. Don't be fooled by processes or programs with similar and/or exactly the same filenames as the legitimate Windows system programs. Many known Trojans have included programs with the exact same name as Windows system programs, but put them into different folders. Many people lower their guard when they see familiar Windows system programs, and some Trojans did successfully create deceptions and exploit this human vulnerability. If you just use the Windows Task Manager to check processes, you might be fooled if you don't examine them carefully. You might want to use some other tools for detailed examination, e.g. pstools from www.systeminternals.com. Here are some sample filenames of files included in recent Trojans:

    · Explorer.exe - the legitimate program exists in the \Windows or \Winnt folder, NOT \Windows\system32 or \Winnt\system32, or anywhere else
    · Rundll32.exe - the legitimate program exists in the \Windows\system32 or \Winnt\system32 folder, not anywhere else
    · taskmngr.exe - the legitimate program is called "taskmgr.exe", not "taskmngr.exe"

    Let's be vigilant about the files, registries and different places that a Trojan can touch.

    Reference:
    · Ocxdll.exe/mIRC Virus Analysis by KLC Consulting: http://www.klcconsulting.net/mirc_virus_analysis.htm
    · Deloder worm / IRC worm/Trojan Analysis by KLC Consulting: http://www.klcconsulting.net/deloder_virus_analysis.htm
    · The Complete Windows Trojans Paper by Dancho Danchev: http://www.frame4.com/
    · "Where are Trojans hiding?" by KLC Consulting: http://www.klcconsulting.net/trojan/...tification.htm

    Kyle Lai, CISSP, CISA
    KLC Consulting, Inc.
    klai@klcconsulting.net
    www.klcconsulting.net

    > Les,
    >
    > > I say it has never executed because contained in the rar file is a .reg file
    > > that adds the trojan to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    > > key and that key is empty.
    >
    > What about the running processes on the system? If the key is empty, it may
    > simply have not been able to write to the key. Keep in mind that the IIS web
    > server runs as a guest on the system.
    >
    > > The folder that that registry entry points to does not exist either. Also
    > > contained in the rar file is a txt file that lists users and which groups to
    > > add them to; none of these users exist on the system.
    >
    > Again...permissions.
    >
    > > If anyone has had experience with this trojan or knows where I can find info
    > > on it I would be grateful.
    >
    > Sounds like you have everything available to write an analysis. Since it looks
    > as if no one has written one yet... ;-)
    >
    > Harlan
    ----------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
    world's premier event for IT and network security experts. The two-day
    Training features 6 hand-on courses on May 12-13 taught by professionals.
    The two-day Briefings on May 14-15 features 24 top speakers with no vendor
    sales pitches. Deadline for the best rates is April 25. Register today to
    ensure your place. http://www.securityfocus.com/BlackHat-incidents
    ----------------------------------------------------------------------------

  2. #2
    Any chance of sorting it out so we can read it??? Or is it a magic eye picture?

  3. #3
    Junior Member
    Join Date
    Dec 2002
    Posts
    22
    Trojans hiding in your systems?

    In any case of virus/worm/Trojan infection, we should not automatically assume that

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    is the only registry key Trojans try to tamper with; otherwise we would be in a false-sense-of-security TRAP. There are many other places on a Windows system where Trojans can add scripts and shortcuts to start up Trojan processes:

    · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    · [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    · [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

    Note: For the following registry keys, the key value should be exactly "%1" %* . Any program that is added to the key value will get executed every time a binary file (.exe, .com) is executed, e.g. Trojan.exe "%1" %*.

    · [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    · [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]

    Also, check:

    · Startup folder: to go to this folder, click on Start->Programs->Startup, then right-click on Startup and select "Open" from the menu. Check every file in this folder and make sure you know what they are. These files will start up automatically every time you log in to your system.
    · Windows Scheduler - check if any programs are scheduled to start at any specific time. Some Trojans use the scheduler as a means of program execution.
      o For Windows NT, 2000 and XP systems, use the AT command to verify. Go to a command prompt and type "at"; if there are any scheduled tasks, it will display Status, ID, Day of execution, Time of execution, and the command line to be executed.
      o For Windows 9x/ME systems, use Windows Explorer and go to Task Scheduler, which is under My Computer.
    · Win.ini (load=Trojan.exe or run=Trojan.exe)
    · system.ini (Shell=Explorer.exe trojan.exe)
    · autoexec.bat - look for added Trojan files, which may have the following extensions: .exe, .scr, .pif, .com, .bat
    · config.sys - look for added Trojan files
    · Any suspicious or new batch files (.BAT), which might call the actual Trojan.

    Also, watch out for social engineering... Social engineering? Yes. Don't be fooled by processes or programs with similar and/or exactly the same filenames as the legitimate Windows system programs. Many known Trojans have included programs with the exact same name as Windows system programs, but put them into different folders. Many people lower their guard when they see familiar Windows system programs, and some Trojans did successfully create deceptions and exploit this human vulnerability. If you just use the Windows Task Manager to check processes, you might be fooled if you don't examine them carefully. You might want to use some other tools for detailed examination, e.g. pstools from www.systeminternals.com. Here are some sample filenames of files included in recent Trojans:

    · Explorer.exe - the legitimate program exists in the \Windows or \Winnt folder, NOT \Windows\system32 or \Winnt\system32, or anywhere else
    · Rundll32.exe - the legitimate program exists in the \Windows\system32 or \Winnt\system32 folder, not anywhere else
    · taskmngr.exe - the legitimate program is called "taskmgr.exe", not "taskmngr.exe"

    Let's be vigilant about the files, registries and different places that a Trojan can touch.

    Reference:
    · Ocxdll.exe/mIRC Virus Analysis by KLC Consulting: http://www.klcconsulting.net/mirc_virus_analysis.htm
    · Deloder worm / IRC worm/Trojan Analysis by KLC Consulting: http://www.klcconsulting.net/deloder_virus_analysis.htm
    · The Complete Windows Trojans Paper by Dancho Danchev: http://www.frame4.com/
    · "Where are Trojans hiding?" by KLC Consulting: http://www.klcconsulting.net/trojan...ntification.htm

    Kyle Lai, CISSP, CISA
    KLC Consulting, Inc.
    klai@klcconsulting.net
    www.klcconsulting.net
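    The checks listed in this post (and in the same text as quoted in post #1), as an added PowerShell example that is not part of the original post or of KLC Consulting's material. It walks the same autostart locations the post names, compares the exefile handler against the default "%1" %*, lists the Startup folders and scheduled tasks, greps win.ini/system.ini for load=/run=/shell= hooks, and then looks for processes that impersonate system binaries. It goes a little beyond the post's three examples: it accepts SysWOW64 as a legitimate home for rundll32.exe on 64-bit Windows, adds svchost and lsass to the expected-path table, and flags near-miss spellings (edit distance 1, which catches taskmngr vs taskmgr) rather than just the one name the post mentions. Assumptions: a current Windows host with PowerShell 5.1 or later, run from an elevated 64-bit prompt so Get-Process can read every image path; the RunServices* keys, win.ini and system.ini are legacy locations and are simply skipped if absent. The expected-path table and the LOOKALIKE/IMPOSTOR labels are this example's own choices.

```powershell
# Added example, not from the original post. Enumerates the autostart locations
# listed above and flags the deviations a responder would look for.
# Assumes PowerShell 5.1+ on a current Windows host, run elevated (64-bit).

$findings = New-Object System.Collections.Generic.List[string]

# 1. Run / RunOnce / RunServices keys: list every value so nothing is assumed.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',      # legacy, usually absent
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',  # legacy, usually absent
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath/PSParentPath/... are provider metadata
        $findings.Add("AUTORUN   $key\$($p.Name) = $($p.Value)")
    }
}

# 2. exefile handler: anything other than the default "%1" %* wraps every .exe launch.
$expectedHandler = '"%1" %*'
foreach ($key in 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
                 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command') {
    if (-not (Test-Path $key)) { continue }
    $handler = (Get-ItemProperty -Path $key).'(default)'
    if ($handler -ne $expectedHandler) {
        $findings.Add("HIJACK    $key = $handler (expected $expectedHandler)")
    }
}

# 3. Startup folders (per-user and all-users) and scheduled tasks.
foreach ($folder in [Environment]::GetFolderPath('Startup'),
                    [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("STARTUP   $($_.FullName)") }
}
# schtasks repeats its CSV header per task folder; drop those rows and COM-handler tasks.
schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -notmatch '^(COM handler|N/A)' } |
    ForEach-Object { $findings.Add("TASK      $($_.TaskName) -> $($_.'Task To Run')") }

# 4. Legacy ini hooks: load=/run= in win.ini, shell= in system.ini.
foreach ($ini in "$env:windir\win.ini", "$env:windir\system.ini") {
    Select-String -Path $ini -Pattern '^\s*(load|run|shell)\s*=\s*\S' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("INI       $ini : $($_.Line.Trim())") }
}

# 5. Processes impersonating system binaries: wrong directory, or a near-miss
#    spelling (edit distance 1) of a well-known name. Table is this example's own.
$expectedDirs = @{
    'explorer' = @("$env:windir")
    'rundll32' = @("$env:windir\System32", "$env:windir\SysWOW64")
    'taskmgr'  = @("$env:windir\System32")
    'svchost'  = @("$env:windir\System32")
    'lsass'    = @("$env:windir\System32")
}
function Get-EditDistance([string]$a, [string]$b) {
    # Plain Levenshtein distance over lower-cased names.
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}
foreach ($proc in Get-Process) {
    $name = $proc.ProcessName.ToLowerInvariant()
    if ($expectedDirs.ContainsKey($name)) {
        # Path is $null when the caller lacks rights: treat as unknown, not as clean.
        if ($proc.Path -and ($expectedDirs[$name] -notcontains (Split-Path $proc.Path -Parent))) {
            $findings.Add("IMPOSTOR  $name (PID $($proc.Id)) runs from $($proc.Path)")
        }
    } else {
        foreach ($known in $expectedDirs.Keys) {
            if ((Get-EditDistance $name $known) -eq 1) {
                $findings.Add("LOOKALIKE $name (PID $($proc.Id)) resembles $known.exe: $($proc.Path)")
            }
        }
    }
}

$findings | Sort-Object | ForEach-Object { Write-Output $_ }
```

    The AUTORUN, STARTUP and TASK lines are an inventory rather than verdicts: every entry still has to be recognised by the analyst, which is exactly the post's point. Only HIJACK, IMPOSTOR and LOOKALIKE lines are anomalies on their own, and a missing Path on a process should be re-checked from an elevated prompt rather than ignored.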

  4. #4
    instronics (Antionline's Security Dude)
    Join Date
    Dec 2002
    Posts
    901
    Good info here. But don't rely on it too much. These are, well, the default places, but many people will create or make up new places to hide malicious code.

    Cheers.
    Ubuntu-: Means in African: "I'm too dumb to use Slackware"

  5. #5
    souleman (AntiOnline Senior Member)
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    What it said is that anything in [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run* will run when the computer is started.
    Anything in [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    or [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
    will run whenever an executable file is double-clicked.

    Also check .bat, .exe, .scr, .pif, and .com files for trojans/virii/worms.
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  6. #6
    Junior Member
    Join Date
    Apr 2003
    Posts
    17
    For anyone unfortunate enough to get zapped with a trojan, there are some useful programmes here:
    http://home.earthlink.net/~rmbox/Ret...d/Only_IE.html
