Know your enemy - Trojans
Results 1 to 9 of 9

Thread: Know your enemy - Trojans

  1. #1
    Flash M0nkey
    Join Date
    Sep 2001
    Posts
    3,447

    Know your enemy - Trojans

    What is a Backdoor Trojan?
    Backdoor Trojans are prolly one of the most common ways of gaining access to someone’s computer remotely. Notice I did not say hack as many people do not view gaining access in this way as hacking as it requires no skill except in some cases some social engineering to get the victim to install the server on their own PC.

    The Trojan part refers to the fact that it normally masquerades as another program. It maybe bound to something useful so that when ran it appears to be a perfectly normal program but in actual fact the backdoor part of the package installs itself on your system in secret and begins to dial home as soon as you are connected to the internet.

    There are several different types of backdoors with new ones appearing all the time but by far the most well known are BO2K and sub7.

    For the purposes of this tutorial I will mainly talk about mobman’s sub7 as it has the highest level of infections.

    What happens if I get infected?
    Although regarded as a virus sub7 really isn’t – it does not attempt to spread itself and relies on the kiddie using it to spread the infection himself.

    If you become infected sub7 creates multiple copies of itself as well as installing several hooks so that it is ran on each and every start-up of your computer.

    Once you go online it then attempts to contact the owner with such details as ::
    1. Your IP
    2. Port server is listening on
    3. The server Username
    4. The server password
    5. The server name


    These details can be sent to the kiddies email, ICQ or via a preset IRC chan/server.
    The kiddie can then use these details to connect to the server. By default the newer versions of sub7 listen on port 27374 but this can be changed by the kiddie before he starts to distribute the server.

    What happens one connected?
    Once the kiddie has connected to the server there are many possibilities open to him as to what he can do. Some of these include ::

    1. Stealing user/pass for internet connections, email etc
    2. Harvesting of CC details if stored on machine in likes of gator
    3. Viewing IM conversations
    4. Keylogging
    5. Viewing webcam if connected
    6. Viewing victims desktop
    7. Control of mouse/keyboard
    8. Moving/copying/deleting of files
    9. Set up your pc as an ftp server
    10. Port redirect (turning your PC into a proxy server)
    11. Upload and installation of files


    basically what they can do is not limited – they might as well be sitting in front of your computer in person.

    How do I stop myself getting infected?
    Always verify any download sources. If downloading something try wherever possible to get it from the manufactures website. Always scan all downloads with an updated antivirus prog. Also just because you have received an attachment from someone you know do not automatically trust it. They may have been infected themselves and the kiddie could be using their email account to spread the Trojan to people in the victims address book.
    When receiving email attachments from friends always ask yourself was it something you were expecting? Does it look like something they would send you?

    If you receive an email from your grandma saying “Wow you gotta see these hot britney nude pics” there maybe something a tad odd going on (depends on who your grandma is I suppose )

    Locking out the Trojans
    First thing you need to do is get an antivirus program and keep it updated – new virii and Trojans are produced daily so there is no point in protecting yourself against the old ones while allowing the new ones to roam free through your HD.

    I also suggest doing a full scan with something like the cleaner (www.moosoft.com) to check for any Trojans present on your computer.

    Get a firewall – this can help block the Trojan from dialling home or accepting a connection from its owner. Plus if your firewall starts going nuts when you go online with some prog looking to make an outgoing connection it may alert you that something is going on.

    What other Trojans are there?
    There is no way I could go through them all here
    But a very good site to take a look at is http://www.simovits.com/trojans/trojans.html
    It gives a listing of known Trojans and default ports as well s information on each

    v_Ln

  2. #2
    Member
    Join Date
    Jul 2003
    Posts
    53
    Very nice post

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    i think its important to state for those who are learning so they're not confused later that all trojans are not backdoors they can be used for anthing like stealing passwords for internet accounts or any other malicious purpose and all backdoors are not trojans. a back door can be put in place remotly or locally without the victims knowledge but as you say valhallen the most common are the backdoor trojans
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #4
    Flash M0nkey
    Join Date
    Sep 2001
    Posts
    3,447
    good point Tedob :::

    just to reinforce what you were saying - not all backdoors are there for malicous purposes. Mobman the creator of sub7 claims he wrote it as a remote adminstrative tool (why an admin would need to flip the screen etc remotely i dont know )

    but some admins do use backdoors as a way of dealing with computer probs etc without having to be seated in front of the machine.

    v_Ln

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Posts
    100
    when i was in IT class me and a friend created a backdoor/trojan similar to sub7, but as a remote admin tool, (using visual basic!!) to learn more on the subject. it was a class project but we kept going. (btw no i wont post it caz theres enuf on them already) but we did all the usual stuff including a good little gimmick that send an encoded winpopup message through our servers to all the computer (on our network) with the ip in it saying its online and so on.
    But we did also do the flip screen, open cd rom thing, but only because we could.
    I mean if its there and fun can be had, why not?

    Modderfokker

  6. #6
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,836
    hey check this out: http://www.glocksoft.com/trojan_port.htm

    There you'll find a list of ports and some trojans that infect those ports. Just some information you could use related to the subject .

  7. #7
    Member
    Join Date
    Oct 2003
    Posts
    35
    I recently installed norton internet security 2004 ,every time im on the net i always get a messege saying that there is someone scanning the port that a trojan uses ,it's mainly the subseven program that i get anyone else had this with there firewall .

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Yep... Norton pretty much assumes that any attempt to connect to that port is coming from a sub7 client. I don't know if anything else uses that port, but either way, there's still a lot of scanning out there for it. Unless you have sub7 installed you need not worry.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  9. #9
    Senior Member
    Join Date
    Jun 2002
    Posts
    311
    I recently installed norton internet security 2004 ,every time im on the net i always get a messege saying that there is someone scanning the port that a trojan uses ,it's mainly the subseven program that i get anyone else had this with there firewall .
    If the alert is really bugging you, you can set it so you dont get alerts, and block the scans at the same time.

    Val -
    Your tutorial is great, but it might be a good idea to tell how most trojans are used-
    - First the kiddie downloads the trojan (the trojan comes with a client and server)
    - The kiddie sends the server to the victim, and convinces him/her to run the server
    - The kiddie gets the victim's IP address, and uses the client to connect to the server, and starts screwing around with the victim.

    Just a suggestion.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •