Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
6.4 Types of Trojans

The following paragraphs discuss the different types of Trojans in order of decreasing importance. Those at the top are more popular with hacker groups or pose a more significant risk in the future.

6.4.1 Remote Administration Trojans
Remote administration Trojans (RATs) give a hacker complete control of a PC and are one of the top reasons to take malicious mobile code seriously. Hackers can read what you are reading, record your keystrokes, capture the screens you are viewing, record video and sound, manipulate devices, copy and delete files, play practical jokes on you, and much more. One RAT claims to have over 200 different remote control features.

RATs have two parts: a server and a client. The naming is the reverse of what a victim might expect: the server portion is the piece planted on the victim's PC, and the client is the console the hacker runs. Once installed, the server announces itself over channels hackers monitor (email, IRC, ICQ, etc.), typically reporting the victim's IP address. Alternatively, the hacker can scan entire subnets for the TCP/IP ports that known Trojan servers listen on. Either way, the waiting hacker learns the IP address of the newly compromised system and feeds it into the client program. The client contacts the server, and the hacker can now do whatever the RAT allows. Some hackers download files and steal passwords. Others spend their time playing practical jokes on their victims: fake error messages, opening and closing the CD-ROM tray, playing sounds or video, inverting the screen, or locking up the PC.

Several RATs are frequently found in the wild, including Back Orifice, NetBus, SubSeven, and DeepThroat. The most popular RAT is Back Orifice. Released by a hacker group called Cult of the Dead Cow (http://www.cultdeadcow.com) in August 1998, it quickly became the most used Trojan program in history (I'll cover it in more detail later). It is so famous that, with the latest release, its creators have attempted to portray it as a legitimate remote control program aimed at corporate use. While it certainly could be used legitimately, it contains too many pure hacking features, is too buggy, and has no technical support, so it can't be considered a legitimate product. Back Orifice 2000 comes with a software development kit so other programmers can write add-ons for it.
There are at least a dozen add-ons, called plug-ins (older plug-ins were called butt plugs). It comes with an impressive list of features which, except for the blatant hacker features (stealth, lockup, insidious mode, etc.), could have backed up the claim of legitimacy: an easy-to-install GUI, Triple-DES encryption of the control channel, file transfers, HTTP browsing, remote upgrading, file compression, an open-source license, and no cost. That said, it is historically a hacker program and will probably always be one. Even the Back Orifice 2000 release at the DEF CON hacker convention in July 1999 showed its true origins: the copies given away there and the early betas downloaded were infected with the CIH virus, and the group never claimed this was accidental.

The SubSeven (or Backdoor-G) Trojan copies its code as KERNE1.EXE (or NODLL.EXE, WATCHING.DLL, or LMDRK_33.DLL) and loads itself by adding a new run= entry to WIN.INI. It then displays a fake error message, "Error, Out of system resources," which tricks most users into rebooting and thus loading the Trojan into memory. The latest versions implement proxy mechanisms to better hide the originating hacker's traffic from investigators. It notifies the originating hacker via ICQ, IRC, or email. SubSeven can perform over 113 tasks for the hacker. It includes a port scanner in the client portion, which lets the hacker look for compromised machines (those running the server portion) on a particular subnet.

While all RATs are also backdoor programs, not all backdoor programs are RATs.

6.4.2 Backdoor Programs
In March 2001, the FBI and Secret Service revealed that a group of Eastern European hackers had spent more than a year systematically exploiting an NT vulnerability and installing a backdoor Trojan to steal more than a million credit card numbers from over 40 top e-commerce and e-banking web sites. In some cases they tried to ransom the credit card information back to the victim company. When they were not paid, they sold the credit card information to organized crime groups. The scary part is that installing a backdoor program is so easy that almost anyone can do it. Internet Security Systems (http://www.iss.net), a leading Internet security vendor, has documented over 120 backdoor programs widely available all over the Web.

A backdoor Trojan opens a new entry point for hackers by installing a new TCP/IP service (daemon) or mapping a new drive share. The Trojan service can be a new program created specifically for the hacker, or a corrupted version of a common TCP/IP service, such as an FTP or Telnet server. Windows drive shares, which can be reached across the Internet wherever the file-sharing ports are not blocked at the perimeter, can easily be opened up with read and write permissions. A backdoor may be installed simply to let the hacker download or modify files, or as a gateway for installing more services. The tHing Trojan is a perfect example of a gateway program. It installs itself as the file NETLOG1.EXE and adds the following line to the SYSTEM.INI file: shell=explorer.exe netlog1.exe. This line loads the Trojan alongside the normal Explorer shell every time Windows starts. The Trojan notifies the originating hacker via ICQ with the phrase "Victim is online!" and allows the hacker to upload other files and then run them (spawn). It is intentionally small (8KB) and easy to spread, and has often been spread using Visual Basic scripting on web pages. Using it, hackers can install more sophisticated programs once the harder initial compromise is secured.

6.4.3 Network Redirect
Many Trojans, including the most successful RATs, allow network redirection. This feature lets a hacker relay an attack through a compromised intermediate host toward a new target. Network redirection, along with a related technique called port mapping, can allow Trojans to subvert filtering firewalls: the traffic the firewall sees arrives from the trusted intermediate host on a permitted port. If the redirected attack is noticed by the new victim, investigators will have a difficult time reconstructing the attacker's true origin. Many of the hack attacks these days come from people who barely know how to log into AOL and use email, much less initiate a covert hack attack.

6.4.4 Distributed Attacks
A new type of network redirect Trojan is beginning to appear, one that is well thought out and patient. Distributed attack Trojans spread to as many machines as they can and then wait for predefined commands to begin their dirty work. More often than not, the exploit isn't directed at the machine invaded but at another, central target. The Trojan is either spread using traditional Trojan mechanisms or placed individually by hackers. Hundreds to thousands of these malicious utilities can be spread over a period of months. They can be used to attack a common target, or simply to gather information that can be used later in other exploits. Distributed attacks like Trin00 Flood and RingZero are dangerous because of their scale and their lack of accountability.

The Win32.TrinZombie Trojan is a Windows port of the original Unix Trin00 Flood tool. It can be delivered via email hidden within a joke program. Once active, it opens port number 34555 and listens for predefined commands from the client program. It copies itself as SERVICE.EXE into the Windows System directory and autoloads itself via the registry. It awaits specific keywords, such as msize, mtimer, mdos, mdie, and mping. When activated, it starts sending a stream of UDP packets to a designated target in an attempt to overwhelm the host. The host spends so much time handling the rogue UDP packets that legitimate service suffers and the host becomes unresponsive. Because the flood arrives from many zombies at once, no single zombie needs much bandwidth, and blocking one source accomplishes little. The US government and Internet security groups have responded with a large number of tools (mostly Unix-oriented) that specifically detect Trin00 Flood attacks and programs.

Another Trojan, called RingZero, scans for web proxy servers and relays its findings back to hackers. The System Administration, Networking, and Security (SANS) Institute identified over 1,000 copies of RingZero in October 1999. These Trojans get onto networks and install themselves inside the semiprotective wall of a proxy server.
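As an added illustration that is not code from the book, the following Python detection pass runs over constructed connection records and flags the three traffic patterns this section describes: a control command sent to a zombie on port 34555 (the keyword list is from the text; the argument syntax after the keyword is assumed), the resulting UDP flood from one zombie to one target, and RingZero-style probing of many hosts on the common proxy ports 8080 and 3128. The thresholds and the use of UDP for the control channel are assumptions, and all addresses come from documentation ranges.

```python
"""Added example (not from the book): flag distributed-attack traffic in a
list of connection records.  Records, thresholds and the control-channel
syntax after the keyword are constructed/assumed for illustration."""
from collections import defaultdict
from typing import List, NamedTuple, Optional, Tuple


class Record(NamedTuple):
    ts: float        # seconds since capture start
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    dport: int
    payload: bytes


ZOMBIE_PORT = 34555                                                  # from the text
ZOMBIE_COMMANDS = (b"msize", b"mtimer", b"mdos", b"mdie", b"mping")  # from the text
PROXY_PORTS = {8080, 3128}                                           # common proxy ports
FLOOD_WINDOW = 1.0     # seconds; assumed tuning value
FLOOD_THRESHOLD = 50   # UDP packets from one src to one dst inside the window; assumed
SCAN_THRESHOLD = 10    # distinct hosts one src probes on proxy ports; assumed

Alert = Tuple[str, str, Optional[str], object]   # (kind, src, dst, detail)


def detect(records: List[Record]) -> List[Alert]:
    alerts: List[Alert] = []
    udp_times = defaultdict(list)          # (src, dst) -> timestamps of UDP packets
    proxy_targets = defaultdict(set)       # src -> hosts it touched on proxy ports

    for r in records:
        words = r.payload.split()
        # 1. Master -> zombie: a known command keyword aimed at the zombie port.
        if r.dport == ZOMBIE_PORT and words and words[0].lower() in ZOMBIE_COMMANDS:
            alerts.append(("zombie_command", r.src, r.dst, words[0].decode()))
        if r.proto == "udp":
            udp_times[(r.src, r.dst)].append(r.ts)
        if r.proto == "tcp" and r.dport in PROXY_PORTS:
            proxy_targets[r.src].add(r.dst)

    # 2. Zombie -> victim: many UDP packets to one host inside a sliding window.
    for (src, dst), times in udp_times.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > FLOOD_WINDOW:
                left += 1
            if right - left + 1 >= FLOOD_THRESHOLD:
                alerts.append(("udp_flood", src, dst, right - left + 1))
                break

    # 3. RingZero-style proxy hunting: one host probing many others on 8080/3128.
    for src, hosts in proxy_targets.items():
        if len(hosts) >= SCAN_THRESHOLD:
            alerts.append(("proxy_scan", src, None, len(hosts)))
    return alerts


def sample_records() -> List[Record]:
    """Constructed traffic: one command, one flood, one proxy sweep, one benign proxy user."""
    # Assumed command syntax: keyword followed by the target address.
    recs = [Record(0.0, "203.0.113.5", "192.0.2.10", "udp", ZOMBIE_PORT, b"mdos 198.51.100.7")]
    # The zombie then fires 60 UDP packets at the target within 0.6 s.
    recs += [Record(1.0 + i * 0.01, "192.0.2.10", "198.51.100.7", "udp", 53, b"\x00" * 512)
             for i in range(60)]
    # A RingZero-style host touches 12 different hosts on proxy ports.
    recs += [Record(5.0 + i, "192.0.2.33", f"198.51.100.{20 + i}", "tcp",
                    3128 if i % 2 else 8080, b"") for i in range(12)]
    # A normal client talking to its one real proxy must not trigger anything.
    recs.append(Record(20.0, "192.0.2.40", "192.0.2.1", "tcp", 8080, b"GET / HTTP/1.0\r\n"))
    return recs


if __name__ == "__main__":
    for alert in detect(sample_records()):
        print(alert)
```

The single benign proxy user shows why the scan rule counts distinct destinations rather than raw connection volume: a real client hammers one proxy, while RingZero touches many.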
Proxy servers provide limited protection to machines within the local network by forcing all Internet traffic through a single chokepoint where it can be filtered. RingZero installs itself in the Windows system directory as PST.EXE or ITS.EXE (along with RING0.VXD and ITS.DAT) and loads itself from the registry. It registers itself as a service process, so it isn't visible in the Windows 9x task list. The RingZero Trojan looks for proxy servers and sends each proxy server's IP address and port number to a remote Internet address using port 8080 (a common proxy server port) or 3128. The remote address is often a data collection script running on other hacked machines, so finding the original culprit is nearly impossible. When the network traffic that RingZero generates was first noticed, SANS sent a request to its 65,000 members asking that they monitor TCP/IP port 3128 and report back their findings. It was discovered that over 1,000 hosts were compromised around the world, and until that SANS message, the security world was unaware of the Trojan. Distributed attack Trojans are one of the biggest threats to the Internet.

6.4.5 Denial of Service
Standalone Trojans can be used to cause denial of service (DoS) attacks on the machine they have invaded, or to use the compromised machine as a base from which to attack other machines. As stated earlier, the latter type of Trojan is becoming ever more popular because tracing the attack back to the original hacker is more difficult. DoS attacks overwhelm (flood) a targeted host by sending too much of something: mail, pings, UDP or ICMP packets. Some DoS Trojans attack a specific port number to exploit a weakness within a particular operating system. There are several documented cases where sending invalid data or a single malformed request to a particular Windows 9x or NT port will cause the machine to stop responding, display a blue screen, or crash from a buffer overflow. Some common MMC flooders are BattlePong, Kaput, Hak Tek, Mutilate, ICMP Bomber, and Sonar.

Mailbombers are also popular within the hacker crowd. A mail-bombing program sends large amounts of email to a particular destination address in an attempt to overwhelm the recipient's email program and computer. Hundreds to thousands of messages can arrive in minutes. A hacker can preconfigure a mail-bombing Trojan to attack a particular address on startup. They then get other people to run the Trojan unknowingly, and all the mail bombing comes from the secondary victim's machine. Common mail-bombing Trojans are MBT, Rembomb, and the Postman.

Other denial of service Trojans fill up your hard drive with thousands of small files until you either run out of room or run out of directory entries. Your machine eventually crashes, and to clean up the mess you either have to delete thousands of files or format the drive. Some of these Trojans are able to get past the disk space limitations imposed by different network file servers, and can bring down a whole network.

6.4.6 Direct Action
Direct action Trojans, which most early Trojans were, are the bane of Trojan writers. They are too easy to write and aren't creative. A user runs them and they go off immediately, causing some sort of unrecoverable malicious damage (erasing all files, formatting the drive, etc.). There is no cute little program hiding the Trojan; all of the code is 100 percent malicious. It might print a taunting message as it nukes the hard drive, and the user immediately knows what caused it. These Trojans were popular in the past, but because they don't spread far, they aren't a real threat to most users today. Even Trojan and virus writers don't respect programmers of direct action Trojans.

6.4.7 Audio and Video Capturing
This new genre of Trojans is garnering lots of media attention. Today, most PCs come with multimedia sound cards installed and activated. Many even have Internet-enabled video cameras. Hackers are creating tools that remotely turn on these devices to capture audio and video feeds and transmit them back to the hacker. To most of us, this is the ultimate invasion of privacy. Hackers are not only messing with our computers, but are now invading our personal privacy outside the PC. RATs like Back Orifice and NetBus already have this capability built in among their many features, while other Trojans specifically target this sort of attack. There have been several reports and warnings from the military branches of the U.S. government about potential audio and video invasions since February 1999, although to date, no specific case has been publicized.

6.4.8 Phone Dialing Trojans
Several Trojans programmed specifically to call long distance and international numbers without the user's permission have caught the Federal Trade Commission's attention. Some have been prank programs that randomly dial 1-900 numbers late at night while the PC is idle, surprising the victim with high long distance bills. Others have been deployed by shady commercial sites in an attempt to bilk users out of dollars. The first publicized case was in 1997. Users of a particular porn site were told to download a special program that would give them better video and picture viewing software. If run, unbeknownst to the user, it would disconnect the user's modem from their local ISP and silently dial a long distance number, while allowing the user to think they were still on their local Internet connection. Even worse, the Trojan would dial the long distance number even after the user disconnected. The fraudulent site was hoping that bilked customers would be too embarrassed to complain. But customers did complain, and the site was shut down 31 days after it opened. Since then, however, there have been dozens of similar cases.

6.4.9 Password Stealers
A large percentage of Trojans are programmed to steal passwords, including Windows dialup networking, AOL, company network, banking, email, or secure site passwords. They can do it by emailing a known password file to the hacker (in Windows 9x, any file with the extension .PWL), capturing the clear text password from a memory cache, or creating a fake error message. The DUNPassword Trojan is an example of the last type. It waits until you have connected to the Internet using Windows Dialup Networking. It then generates a fake disconnect message that asks for your login and password again to reconnect. Once the user has typed in the logon information, it is emailed in the background to the hacker. Once a cracker has your password, they can manipulate your system, send email on your behalf, or attack other systems using your credentials.

There are password-stealing Trojans for every platform, including Windows 3.x, Windows 9x, Windows NT, Novell, and Linux. In the case of NT, user logon credentials are not stored as passwords at all but as one-way password hashes in the SAM database. Windows NT can lock out an account after the password has been incorrectly entered a few times, so guessing online is noisy. Crackers instead copy the entire SAM (actually a backup copy, since the live file is locked while NT runs) to their own machine and run brute-force password crackers against it offline, without setting off a single alarm. Or they can grab the weaker LAN Manager (LM) hash that NT stores alongside the NT hash so that Windows 9x machines can log on to NT networks; the LM hash upper-cases the password and splits it into two independent 7-character halves, so it falls much faster. But cracking password hashes is much harder than simply recording the password off the screen as the user types it in, which is what most password-stealing Trojans do.

6.4.10 Keyloggers
Keyloggers are often part of larger Trojan programs. They record all the keystrokes and mouse clicks on a particular machine to a file, which can then be downloaded by the hacker and inspected for important information. Standalone keyloggers are often placed on systems where their smaller size allows them to go unnoticed.

6.4.11 Parasites
It has always been the case that legitimate companies we should be able to trust place programs on our systems that have hidden agendas. These are not hacker Trojans and will not show up on most antivirus scanners, but they are something you should be aware of. Most of the time these programs collect system, trending, habit, and personal information and upload it to a demographic database for internal use or for sale to interested parties. Other companies have taken it upon themselves to modify users' systems in inappropriate ways. The Internet has made these types of programs easier to make and multiply. Trusted companies such as Lotus Corp

I also mention these types of programs because they have Trojan-like behaviors. They sneak onto your system, open up TCP/IP ports, install themselves in your startup directories, and transmit information to and from the Internet off your PC without your knowledge. I've had cases where clients have reported machine slowness and Trojan-like symptoms that later turned out to be a program from a trusted company. Although not built to be malicious, the parasite inadvertently slowed the system to a crawl because it could not contact its home web server.
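Several of the Trojans in this section persist through the legacy autostart lines in WIN.INI and SYSTEM.INI (SubSeven's run= entry in 6.4.1, tHing's shell=explorer.exe netlog1.exe line in 6.4.2), and the parasites above plant themselves in startup locations in the same spirit. As an added example that is not code from the book, the following Python checker parses both files and reports every program they would start. The file contents are constructed for the example; on a real Windows 9x machine the files live in the Windows directory.

```python
"""Added example (not from the book): report programs launched from the
Windows 9x INI autostart entries described in this section.  The two INI
texts below are constructed; on a real machine you would read
C:\\WINDOWS\\WIN.INI and C:\\WINDOWS\\SYSTEM.INI instead."""
from typing import Dict, List

# Constructed WIN.INI with a SubSeven-style run= line (file name from the text).
WIN_INI_SAMPLE = """[windows]
load=
run=C:\\WINDOWS\\KERNE1.EXE
device=,,,
"""

# Constructed SYSTEM.INI carrying the tHing line quoted in the text.
SYSTEM_INI_SAMPLE = """[boot]
shell=explorer.exe netlog1.exe
drivers=mmsystem.dll
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: {section: {key: value}} with case-insensitive
    section and key names; ';' comment lines and blank lines are ignored."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def find_autostart_entries(win_ini: str, system_ini: str) -> List[str]:
    """Return one finding per program that WIN.INI or SYSTEM.INI will start."""
    findings: List[str] = []
    windows = parse_ini(win_ini).get("windows", {})
    for key in ("run", "load"):          # both are honoured at startup; normally empty
        value = windows.get(key, "")
        if value:
            findings.append(f"WIN.INI [windows] {key}= starts: {value}")

    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    parts = shell.split()
    # The expected value is exactly "explorer.exe"; a different shell, or
    # anything appended after it, is worth a look.
    if parts and parts[0].lower() != "explorer.exe":
        findings.append(f"SYSTEM.INI [boot] shell= replaced by: {parts[0]}")
    for extra in parts[1:]:
        findings.append(f"SYSTEM.INI [boot] shell= also starts: {extra}")
    return findings


if __name__ == "__main__":
    for finding in find_autostart_entries(WIN_INI_SAMPLE, SYSTEM_INI_SAMPLE):
        print(finding)
```

The same approach extends to the registry Run keys and the Startup folder mentioned in this section: enumerate every autostart location and compare it against what you expect, because a Trojan only needs one of them.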