All About Trojan Horse

Posted at Friday, May 16, 2008

WHAT IS A TROJAN HORSE?
———————
A program that appears desirable but actually contains something harmful. The contents of a trojan can be a virus or a worm.

A program that comes in secretly and quietly, but carries a destructive payload. Once you become infected by the worm or virus that the Trojan carries into your computer, it can be very difficult to repair the damage. Trojans often carry programs that allow someone else to have total and complete access to your computer. Trojans usually come attached to another file, such as an .avi, an .exe, or even a .jpg. Many people do not see full file extensions, so what appears as games.zip may in reality be games.zip.exe. Once the person opens this file, the Trojan goes to work, many times destroying the computer's functionality.

Scary, eh?

Your best line of defense is to NEVER accept files from someone you don't know, and if you have any doubts, then do NOT open the file. Get and use a virus detection program, such as Inoculate, and keep it updated regularly.

A Trojan (also called a Trojan horse) is a software program in which harmful or malicious code is contained within another (seemingly harmless) program. When this program executes, the Trojan performs a specific set of actions, usually working toward the goal of allowing itself to persist on the target system. Trojans can allow hackers to open backdoors on your system, giving them access to your files and even network connectivity.

TYPES OF TROJANS
—————–

1) Remote Access Trojans
———————-
These are currently the most popular trojans. Everyone wants one because it gives access to the victim's hard drive. RATs (remote access trojans) are very simple to use: once someone runs the server and you have the victim's IP, you have FULL access to his or her computer. Then you can do almost everything; it depends on the trojan you use.

RATs have the common remote access trojan functions, like a keylogger, upload and download functions, taking a screenshot and so on. Some people use trojans for malicious purposes. All these sick minds want to do is crash the hard disk.

This is lame..

There are many programs out there that detect the most common trojans, but new trojans appear every day, so these programs are not the maximum defence. Trojans mostly have the same options. They restart every time Windows is loaded, which means they have got into the registry, into win.ini or into some other system file so that the trojan can restart. Trojans also create a file in the WINDOWS\SYSTEM directory, and that file is always made to look like something the victim will think is a normal Windows executable. Most trojans hide from the Alt+Ctrl+Del menu. This is not good, because there are people who use only this way to see which processes are running. There are programs that will tell you exactly which processes are running and the file each one comes from. But, as I told you, some trojans use fake names, and it's a little hard for some people to understand which process they should kill.

The remote access trojans open a port on your computer, letting everyone connect. Some trojans have options like changing the port and setting a password so that only the hacker who infected you will be able to use the computer. The changed port option is very good because I'm sure you don't want your victim to see that port 31337 is open on their computer. Remote access trojans are appearing every day and they will continue to appear.

For those that use such trojans: BE CAREFUL, you can infect yourself, and then the victim you wanted destroyed will take revenge and you'll be sorry. If you don't know anything about trojans, DON'T USE THEM.

ONCE AGAIN I SAY DO NOT USE THEM UNTIL U PERFECTLY KNOW WHAT U R DOING.
———————————————————————
2) Password Sending Trojans
—————————

The purpose of these trojans is to rip all cached passwords and send them to a specified e-mail address without letting the victim know about the e-mail. Most of these trojans don't restart every time Windows is loaded, and most of them use port 25 to send the e-mail. Some such trojans e-mail other information too, like the ICQ number, computer info and so on. These trojans are dangerous if you have any passwords cached anywhere on your computer.
———————————————————————
3) Keyloggers
———-

These trojans are very simple. The only thing they do is log the keys that the victim is pressing and then check for passwords in the log file. In most cases these trojans restart every time Windows is loaded. They have options like online and offline recording. In online recording they know that the victim is online and they record everything. In offline recording everything written after Windows starts is recorded and saved on the victim's disk, waiting to be transferred.

———————————————————————

4) Destructive
————

The only function of these trojans is to destroy and delete files. This makes them very simple and easy to use. They can automatically delete all the .dll, .ini or .exe files on your computer. These are very dangerous trojans, and once you're infected, be sure that if you don't disinfect your computer, your information will no longer exist.

———————————————————————

5) FTP trojans
———–

These trojans open port 21 on your computer, letting EVERYONE that has an FTP client connect to your computer without a password, with full upload and download options.

These are the most common trojans. They are all dangerous and you should be careful using them.

———————————————————————

PORTS USED BY DIFFERENT TROJANS
——————————-

Satanz Backdoor|666
Silencer|1001
WebEx|1001
Doly Trojan|1011
Psyber Stream Server|1170
Ultors Trojan|1234
VooDoo Doll|1245
FTP99CMP|1492
Shivka-Burka|1600
SpySender|1807
Shockrave|1981
BackDoor|1999
Trojan Cow|2001
Ripper|2023
Bugs|2115
Deep Throat|2140
The Invasor|2140
Phineas Phucker|2801
Masters Paradise|30129
Portal of Doom|3700
WinCrash|4092
ICQTrojan|4590
Sockets de Troie|5000
Sockets de Troie 1.x|5001
Firehotcker|5321
Blade Runner|5400
Blade Runner 1.x|5401
Blade Runner 2.x|5402
Robo-Hack|5569
DeepThroat|6670
DeepThroat|6771
GateCrasher|6969
Priority|6969
Remote Grab|7000
NetMonitor|7300
NetMonitor 1.x|7301
NetMonitor 2.x|7306
NetMonitor 3.x|7307
NetMonitor 4.x|7308
ICKiller|7789
Portal of Doom|9872
Portal of Doom 1.x|9873
Portal of Doom 2.x|9874
Portal of Doom 3.x|9875
Portal of Doom 4.x|10067
Portal of Doom 5.x|10167
iNi-Killer|9989
Senna Spy|11000
Progenic trojan|11223
Hack'99 KeyLogger|12223
GabanBus|1245
NetBus|1245
Whack-a-mole|12361
Whack-a-mole 1.x|12362
Priority|16969
Millennium|20001
NetBus 2 Pro|20034
GirlFriend|21544
Prosiak|22222
Prosiak|33333
Evil FTP|23456
Ugly FTP|23456
Delta|26274
Back Orifice|31337
Back Orifice|31338
DeepBO|31338
NetSpy DK|31339
BOWhack|31666
BigGluck|34324
The Spy|40412
Masters Paradise|40421
Masters Paradise 1.x|40422
Masters Paradise 2.x|40423
Masters Paradise 3.x|40426
Sockets de Troie|50505
Fore|50766
Remote Windows Shutdown|53001
Telecommando|61466
Devil|65000
The tHing|6400
NetBus 1.x|12346
NetBus Pro|20034
SubSeven|1243
NetSphere|30100
Silencer|1001
Millenium|20000
Devil 1.03|65000
NetMonitor|7306
Streaming Audio Trojan|1170
Socket23|30303
Gatecrasher|6969
Telecommando|61466
Gjamer|12076
IcqTrojen|4950
Priotrity|16969
Vodoo|1245
Wincrash|5742
Wincrash2|2583
Netspy|1033
ShockRave|1981
Stealth Spy|555
Pass Ripper|2023
Attack FTP|666
GirlFriend|21554
Fore, Schwindler|50766
Tiny Telnet Server|34324
Kuang|30999
Senna Spy Trojans|11000
WhackJob|23456
Phase0|555
BladeRunner|5400
IcqTrojan|4950
InIkiller|9989
PortalOfDoom|9872
ProgenicTrojan|11223
Prosiak 0.47|22222
RemoteWindowsShutdown|53001
RoboHack|5569
Silencer|1001
Striker|2565
TheSpy|40412
TrojanCow|2001
UglyFtp|23456
WebEx|1001
Backdoor|1999
Phineas|2801
Psyber Streaming Server|1509
Indoctrination|6939
Hackers Paradise|456
Doly Trojan|1011
FTP99CMP|1492
Shiva Burka|1600
Remote Windows Shutdown|53001
BigGluck|34324
NetSpy DK|31339
Hack'99 KeyLogger|12223
iNi-Killer|9989
ICQKiller|7789
Portal of Doom|9875
Firehotcker|5321
Master Paradise|40423
BO jammerkillahV|121

———————————————————————
DETECTION OF TROJANS
——————–

Trojans are malicious programs that can and do damage your system. There are basically two main types that we will deal with:

1. The remote-access or 'backdoor' trojan, e.g. NetBus or BackOrifice, and the most famous, BEAST by tataye
2. The 'evil application', i.e. logic bombs.

First off, have you actually anything to be worried about? If you suspect that you have a trojan horse on your PC because of strange occurrences (e.g. programs not working now, or devices failing), have you installed any new software that could have overwritten existing system files that are needed? This, combined with uninstalling programs by simply deleting them, can account for a lot of messed-up activity on your PC. Also, ask yourself whether you have downloaded any files from strange or illicit sources. Many FUCKED UP hacker sites wrap trojans around popular programs. To be sure, virus scan everything you download.

If you can't think of anything that you have done or downloaded that may have caused all this mess on your machine, then you can start to search for a trojan residing on your PC. The first step to take is to virus scan your whole PC. Many new AV programs check for trojans, and Norton can detect a good amount of the popular backdoors, although it's down to personal preference as to what software you use.

If this draws a blank, or your AV software doesn't support trojan detection, then you're going to have to find it yourself. We'll deal with backdoors for the moment.

Finding BackDoors:
——————

Backdoors work by setting one of the ports on your PC to listen status, so the would-be attacker, armed with the client software and your IP, simply has to connect to your IP address on the port specified. So the best way to find out if you have a trojan is to connect to your own machine and play with it! How do we do this? We need two tools:

1. A port scanner (any will do, but try and make it FAST)
2. An IP tool

Use the IP tool to determine your own IP address. IP Query works well. Now that you have your own IP address, charge up your port scanner and bang in the IP address. Now here is the problem: your trojan horse can reside on any port, and there are about 64,000 potentially accessible ports on your machine. This means that your port scan is going to take a long time, but it will find ANY port that is open or listening.

*WARNING!
Port scanning is a risky business, simply because there is usually no justification for doing a port scan on a machine. Your ISP may terminate your service, but if they ask, you can always try and explain to them what you were doing.

Most newbie 'hackers' don't even bother to change the default port setting on their brand new push-and-click backdoor, so we can significantly reduce the amount of work and time we would spend searching for backdoors by just scanning for these default ports. You can get trojan scanners, but for those of you without one, or too lazy to go find one, here are the default ports for the most popular backdoors (9 times out of 10 the trojan is either NetBus, SubSeven or BackOrifice):

Trojan Name                        Default Port
============================================
Attack FTP                         666
BackOriface                        31337
Backdoor                           1999
BladeRunner                        5400
Deep Throat                        6670
DeltaSource (DarkStar)             6883
Devil 1.03                         65000
Fore                               50766
Gatecrasher                        6969
GirlFriend                         21554
Gjamer                             12076
IcqTrojan                          4950
IcqTrojen                          4950
InIkiller                          9989
Kuang                              30999
Master Paradise                    31
Millenium                          20000
NetMonitor                         7306
Netbus 1.x                         12346
Netbus Pro                         20034
Netsphere                          30100
Netspy                             1033
Pass Ripper                        2023
Phineas Nikhil G.                  2801
PortalOfDoom                       9872
Priotrity                          16969
ProgenicTrojan                     11223
Prosiak 0.47                       22222
PsyberStreamingServer Nikhil G.    1509
RemoteWindowsShutdown              53001
RoboHack                           5569
SennaSpyTrojans                    11000
ShockRave                          1981
Silencer                           1001
Socket23                           5000
Socket25                           30303
Stealth Spy                        555
Streaming Audio Trojan             1170
Striker                            2565
SubSeven 2                         27374
Telecommando                       61466
The tHing                          6400
TheSpy                             40412
Tiny Telnet Server                 34324
TrojanCow                          2001
UglyFtp                            23456
Vodoo                              1245
WebEx                              1001
Wincrash                           5742
Wincrash2                          2583
Wingate (Socks-Proxy)              1080

Many of these trojans aren't used, but this list is here anyway for completeness. If you find that a port is listening that matches one of the above, then go find the software needed to operate it, e.g. if you find port 5742 listening, chances are that you have Wincrash on your system. Now, following the instructions, connect to your own IP address, and you have now connected to your own machine from the net. Many trojans come with the option of removing or melting the server. Select this to remove it. If the trojan you have is passworded, you're in trouble. THE BEST WAY OUT OF THIS, THOUGH, IS JUST TO JAM THE PORT OR BLOCK THE PORT. Genius is a set of software utilities for network protection. Get that and see what it can do for you.

The above technique will let you remove at least 90% of the trojans you could land yourself with. The other 10% are the cause for concern, but by being sensible, you should have nothing to worry about.
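The default-port check described above, as an added example that is not part of the original post: instead of scanning all 64,000 ports, it tries a TCP connect to each default port from the table on the local machine and reports any that answer. The port table is copied from the page; an open port only proves that something is listening there, and a backdoor whose port was changed (as the text warns) is not found this way.

```python
import socket

# Default ports of the most common backdoors, taken from the table on this
# page (names spelled as the page spells them). Assumption: this subset is
# enough for a first pass; a trojan on a changed port is missed.
DEFAULT_PORTS = {
    1999: "Backdoor",
    5742: "Wincrash",
    6670: "Deep Throat",
    6969: "Gatecrasher",
    12346: "Netbus 1.x",
    20034: "Netbus Pro",
    21554: "GirlFriend",
    27374: "SubSeven 2",
    31337: "BackOriface",
}


def match_known_ports(listening, table=DEFAULT_PORTS):
    """Map each listening port that is a known default to the trojan name."""
    return {p: table[p] for p in sorted(listening) if p in table}


def is_listening(port, host="127.0.0.1", timeout=0.2):
    """True if a TCP connect to host:port succeeds, i.e. something listens there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_defaults(table=DEFAULT_PORTS, host="127.0.0.1"):
    """Probe only the default ports rather than all ~64,000, as the text suggests."""
    open_ports = {p for p in table if is_listening(p, host)}
    return match_known_ports(open_ports, table)


if __name__ == "__main__":
    hits = scan_defaults()
    if not hits:
        print("no known default backdoor port is listening on this host")
    for port, name in hits.items():
        # An open port only says something listens; confirm which program owns
        # it (for example with netstat -ano on Windows) before acting on the match.
        print(f"port {port} is listening: default port of {name}")
```

A connect to 127.0.0.1 misses UDP listeners and services bound only to an external interface, so compare the result with a full listing from netstat.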

Now on to the section (which is much shorter) on EVIL PROGRAMS :
————————————————————–

Evil programs are typically logic bombs or a simpler disk crasher.

These are very difficult to protect against once they are on the machine. Scanning downloaded programs before you run them offers little protection, due to the lack of tagged code within the program: if a virus scanner reported a trojan in everything that deleted a file, you would soon get annoyed. First off, as with backdoors, can you trust the source? If not, then why are you even running the file? If you think that someone has dumped a logic bomb on your PC, it will need to be called every time the machine is run to find out if it should 'detonate' or not. There are a number of ways to achieve this. The first and easiest is by adding a line to the AutoExec.Bat file located in the root directory. If near the end there is a line to some file you don't know about or have never heard of, then try commenting it out by putting a quote mark before it ('). Example:

cd \windows\system32 'change directory
revenge 'call the program revenge

This only works for DOS programs, which covers most disk bombs anyhow. If this isn't there, then it's not being called via this method. At my school once, this idiot called a load of viruses every time the machine booted, and this is how he was caught, since when I checked the system files it was calling 'nazi' and 'diskkill'. Knowing that he was on the machine earlier, it didn't take long until he was banned from going near the PC. Another method of auto-running programs is to use the registry on Windows machines, but I'll keep this short. Check the StartUp folder for strange programs or new items. A quick check is to search for all programs modified or created since whenever you think you may have got the trojan. This list may be big, but it will reduce guesswork significantly.
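The AutoExec.Bat check above, as an added example that is not part of the original text: it flags every line whose command is not one of the usual boot-time commands and disables the flagged line. The allowlist and the sample file are constructed assumptions; the script disables a line with REM, which is the keyword COMMAND.COM actually treats as a comment.

```python
import re

# Commands that normally appear in AUTOEXEC.BAT; anything else invoked from
# the file is worth a second look. The allowlist is an assumption, not a
# complete list of DOS commands.
EXPECTED = {"@echo", "echo", "set", "path", "prompt", "cd", "rem", "lh",
            "loadhigh", "mode", "keyb", "smartdrv", "mscdex", "doskey", "win"}

# Constructed sample file, modelled on the page's example: the last line
# calls an unknown program named "revenge".
SAMPLE_AUTOEXEC = """@ECHO OFF
PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND
SET TEMP=C:\\TEMP
LH C:\\WINDOWS\\COMMAND\\MSCDEX.EXE /D:MSCD001
cd \\windows\\system32
revenge
"""


def suspicious_lines(text, expected=EXPECTED):
    """Return (line_number, line) for each line whose command is not expected."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("::"):
            continue  # blank line or label-style comment
        cmd = re.split(r"[\s=]", stripped, maxsplit=1)[0].lower()
        if cmd not in expected:
            hits.append((n, stripped))
    return hits


def comment_out(text, line_numbers):
    """Disable the flagged lines with REM so they are no longer run at boot."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        out.append("REM " + line if n in line_numbers else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # The same idea (baseline of known entries, flag the rest) applies to the
    # StartUp folder and the registry Run keys the text mentions.
    for number, line in suspicious_lines(SAMPLE_AUTOEXEC):
        print(f"line {number}: unknown program called: {line}")
```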

Last but not least, if you reckon you've got a bad prog, open it up in a hex editor preferably, or else just a text editor, not Word. Scan through it for text strings and anything that may cause concern, or not be what you would call normal for a program. Here's part of a trojan I wrote to place a massive file on the desktop of my friend's PC when I wanted to annoy him. It's likely that any trojan you would receive would contain similar text.

ÿ t[1]òv[1]5 You are an arsehole, I hate you. I think you are a moron
²[1]ò´[1] c:\windows\desktop\nialls.txt
€?V Ñ [1]@V
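The hex-editor check above, as an added example that is not part of the original text: it pulls printable strings out of a binary the way the Unix strings tool does and flags the ones a defender would want to look at, such as hard-coded paths on the victim's disk. The sample bytes are constructed to resemble the dump above, and the suspicious patterns are an assumption.

```python
import re

# Constructed sample: printable text scattered between non-text bytes,
# modelled on the dump above (the message and path are the page's own).
SAMPLE_BINARY = (
    b"\xff\x01t\x01\xf2v\x015 You are an arsehole, I hate you. I think you are a moron"
    b"\xb2\x01\xf2\xb4\x01 c:\\windows\\desktop\\nialls.txt"
    b"\x80?V\x01\xd1\x01@V\x00"
)

# Things the text says should make you suspicious of an unknown program:
# hard-coded paths on the victim's disk and abusive messages (assumed list).
SUSPICIOUS = [
    re.compile(r"^[a-z]:\\", re.I),                  # absolute Windows path
    re.compile(r"\\(windows|desktop|system)\\", re.I),
    re.compile(r"\b(hate|moron|kill|delete|format)\b", re.I),
]


def strings(data, min_len=4):
    """ASCII runs of at least min_len printable bytes, like the strings tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found = [m.group().decode("ascii").strip() for m in pattern.finditer(data)]
    return [s for s in found if s]


def flag_strings(data, min_len=4):
    """Return only the extracted strings that match a suspicious pattern."""
    return [s for s in strings(data, min_len) if any(p.search(s) for p in SUSPICIOUS)]


if __name__ == "__main__":
    for s in flag_strings(SAMPLE_BINARY):
        print("suspicious string:", s)
```

Run it over a real file with strings(open(path, "rb").read()); short runs below min_len are noise from ordinary machine code, which is why the default is 4.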

———————————————————————


That's about it for this 'short' file. Hope it has helped you to at least get an idea of what to look for. Thanx for reading.

SOFTWARE USED FOR DETECTION OF TROJANS
—————————————
There are many software tools for trojan detection and removal; you can get one of them from www.anti-trojan.net/
