***Trojans explained.....

  1. #1
    Join Date
    May 2000
    Location
    Texas
    Posts
    862

    ***Trojans explained.....

    **** A trojan horse could be either:

    a)
    Unauthorized instructions contained within a legitimate program. These
    instructions perform functions unknown to (and probably unwanted by) the user.
    b)
    A legitimate program that has been altered by the placement of unauthorized
    instructions within it. These instructions perform functions unknown to (and
    probably unwanted by) the user.
    c)
    Any program that appears to perform a desirable and necessary function but
    that (because of unauthorized instructions within it) performs functions
    unknown to (and probably unwanted by) the user.

    Under a restricted environment (a restricted Unix shell or a restricted
    Windows computer), malicious trojans can't do much, since they are restricted
    in their actions.

    But on a home PC, trojans can be lethal and quite DESTRUCTIVE.

    **** Remote Administration Trojans

    These trojans are the most popular trojans now. Everyone wants to have
    these trojans because they let you have access to your victim's hard
    drive, and also perform many functions on his computer (open and close his
    CD-ROM drive, put message boxes on his computer, etc.), which will scare off
    most computer users and are also a hell of a lot of fun to run on your
    friends or enemies.
    Modern RATs (remote administration trojans) are very simple to use. They
    come packaged with two files - the server file and the client file (if you
    don't know which is which, look for a help file, a FAQ, a readme or
    instructions on the trojan's homepage). Just fool someone into running the
    server file and get his IP and you have FULL control over his/her computer
    (some trojans are limited by their functions, but more functions also mean
    larger server files. Some trojans are merely meant for the attacker to use
    them to upload another trojan to his target's computer and run it, hence
    they take very little disk space). You can also bind trojans into other
    programs which appear to be legitimate.
    RATs have the common remote access trojan functions like: keylogging
    (logging the target's keystrokes (keyboard functions) and sometimes even
    interfering with them, thus being able to use your keyboard to type
    instead of the target and say weird things in chatrooms or scare the
    hell out of people), upload and download functions, making a screenshot of
    the target's monitor and so on.
    Some people use the trojans for malicious purposes. They either use them to
    irritate, scare or harm their enemies, scare the hell out of their friends or
    enemies and seem like a "super hacker" to them, getting information about
    people and spying on them or just get into people's computers and delete
    stuff. This is considered very lame.
    There are many programs out there that detect the most common trojans, but
    new trojans are released every day and it's pretty hard to keep track of
    things.
    Trojans would usually want to automatically start whenever you boot up your
    computer. Under Unix, we suggest getting some sort of an IDS (Intrusion
    Detection System) program to monitor your system.
    Most Windows trojans hide from the Alt+Ctrl+Del menu (we haven't seen any
    Unix program that had the ability to hide itself from the processes list
    yet, but you can never know - one day someone might discover a way to do so.
    Hell, someone might have already done so). This is bad because there are
    people who use the task list to see which processes are running. There are
    programs that will tell you exactly what processes are running on your
    computer (such as Wintop, which is the Windows version of the popular Unix
    program called top).
    Some trojans, however, use fake names and it's a little harder for certain
    people to realize that they are infected.
    Also, some trojans might simply open an FTP server on your computer (usually
    NOT on port 21, the default FTP port, in order to be less noticeable). The
    FTP server is, of course, unpassworded, or has a password which the attacker
    has determined, and allows the attacker to download, upload and execute
    files quickly and easily.

    *** How RATs work
    -------------
    Remote administration trojans open a port on your computer and bind themselves
    to it (make the server file listen to incoming connections and data going
    through these ports). Then, once someone runs his client program and
    enters the victim's IP, the trojan starts receiving commands from the
    attacker and runs them on the victim's computer.
    Some trojans let you change this port into any other port and also put a
    password so only the person that infected this specific computer will be
    able to use the trojan. However,
    some of these password protections can be cracked due to bugs in the trojan
    (people who program RATs usually don't have much knowledge in the field of
    programming), and in some cases the creator of the trojan would also put a
    backdoor (which can be sometimes detected, under certain conditions) within
    the server file itself so he'll be able to access any computer running his
    trojan without the need to enter a password. This is called "a backdoor within
    a backdoor".

    The most popular RATs are Netbus (because of its simplicity), BO (has many
    functions and hides itself pretty well) and Sub7 (lots of functions and easy
    to use). These are all Windows RATs.
    If you haven't done so already, it is advised to get some RAT and play around
    with it, just to see how the whole thing works.


    *** Password Trojans
    Yes, password trojans. Password trojans scour your computer for passwords and
    then send them to the attacker or the author of the trojan. Whether it's your
    Internet password, your Hotmail password, your ICQ password or your IRC
    passwords, there is a trojan for every password.
    These trojans usually send the information back to the attacker via Email.

    *** Privilege-Elevating Trojans
    These trojans would usually be used to fool system administrators. They can
    either be bound into a common system utility or pretend to be something
    unharmful and even quite useful and appealing. Once the administrator runs it,
    the trojan will give the attacker more privileges on the system.
    These trojans can also be sent to less-privileged users and give the attacker
    access to their account.

    *** Keyloggers
    These trojans are very simple. They log all of your keystrokes (including
    passwords), and then either save them on a file or Email them to the attacker
    once in a while.
    Keyloggers usually don't take much disk space and can masquerade as important
    utilities, thus making them very hard to detect.
    Some keyloggers can also highlight passwords found in text boxes with titles
    such as 'enter password' or just the word password somewhere within the title
    text.

    **** Destructive Trojans
    These little fellows do nothing but damage your computer. These trojans can
    destroy your entire hard drive, encrypt or just scramble important files and
    basically make you feel very unpleasant. I wouldn't want to bump into one in a
    dark alley.
    Some might seem like joke programs, while they are actually tearing every file
    they encounter to pieces.

    Not all virus scanners will find trojan horses, but help is available.
    http://www.moosoft.com
    http://www.tauscan.com

    I see many PC problems every day and some can't be explained until you look at the possibility of a trojan being present.

    Just thought I'd pass this along.......
    ty Raven..........

    ------------------
    "Onward Through the fog"

    [This message has been edited by sting (edited 08-30-2001).]
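
Added example, not part of the original post: the "How RATs work" section above says a RAT server binds to a port and listens, sometimes on a changed port, so comparing a host's listening sockets against a known baseline is one way to spot it. The `netstat -an` sample, the port numbers and the `BASELINE` set are constructed for illustration.

```python
import re

# Constructed `netstat -an` output for illustration (not from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2121           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING
  TCP    192.168.0.5:1042       203.0.113.7:80         ESTABLISHED
  TCP    192.168.0.5:31999      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# Assumption: ports this host is known to listen on for legitimate services.
BASELINE = {135, 139}

# The local address is split on its last colon, so "[::]:135" also parses.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)
LOOPBACK = ("127.", "[::1]")


def listeners(netstat_text):
    """Return a set of (local_address, port) for every TCP listener."""
    found = set()
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            found.add((match.group(1), int(match.group(2))))
    return found


def unexpected_listeners(netstat_text, baseline):
    """Listeners reachable from other hosts whose port is not in the baseline."""
    hits = [
        (addr, port)
        for addr, port in listeners(netstat_text)
        if port not in baseline and not addr.startswith(LOOPBACK)
    ]
    return sorted(hits, key=lambda item: item[1])


if __name__ == "__main__":
    for addr, port in unexpected_listeners(SAMPLE_NETSTAT, BASELINE):
        print(f"unexpected listener: {addr}:{port}")
```

The loopback-only listener is skipped because a remote client cannot reach it; the baseline has to be recorded while the machine is known to be clean.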

  2. #2
    Join Date
    Aug 1999
    Location
    Hong Kong
    Posts
    2,289
    Sting (and others), you may be interested in my experience in deliberately installing a trojan:

    Britney Spears Nudempg.exe (not a double extension) contains the Win32.SubSeven.214.B trojan. This one really hard-wires itself to your system:

    1) It dropped two randomly-named executables in the Windows folder

    2) It wrote the path of one of these executables after the load= line in win.ini

    3) It also appended the name of the same executable after the shell=explorer.exe line in system.ini

    4) It inserted the executable file name in the registry path to open EXE files (HKEY_CLASSES_ROOT\exefile\shell\open\command)

    5) Just to make 100% sure it loaded, it also wrote a string to the registry RunServices key

    With my browser closed, it opened two ports, one of which immediately made itself available to the remote server.

    One of the executables had to be deleted in true DOS, even though I hadn't restarted the computer to activate the installation. It had already hooked itself into Windows!

    (Originally posted at SAF).

    ---------

    The message is - update your AV definitions on a regular basis, and keep practicing safe email.


    [This message has been edited by HKEd (edited 08-30-2001).]
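
Added example, not part of the original post: steps 2 to 5 above name four autostart locations, and the sketch below audits them by comparing the contents of win.ini and system.ini and a dictionary of registry values against the Windows 9x defaults. The file name `mswqxr.exe`, the value name `WinLoader` and the registry dictionary layout are constructed for illustration; `run=` is checked alongside `load=` because it is the sibling autostart line in the same win.ini section.

```python
# Constructed sample data modelled on the changes described above; the file
# name "mswqxr.exe" and the value name "WinLoader" are invented placeholders.
EXE_OPEN = r"HKCR\exefile\shell\open\command"
RUN_SERVICES = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
WIN_INI = "[windows]\nload=C:\\WINDOWS\\mswqxr.exe\nrun=\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe mswqxr.exe\n"
REGISTRY = {  # assumed layout: key path -> {value name: data}, "" = (Default)
    EXE_OPEN: {"": 'mswqxr.exe "%1" %*'},
    RUN_SERVICES: {"WinLoader": "mswqxr.exe"},
}


def ini_value(text, section, key):
    """Return the value of key in [section] (case-insensitive), or ''."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section.lower() and "=" in line and not line.startswith(";"):
            name, value = line.split("=", 1)
            if name.strip().lower() == key.lower():
                return value.strip()
    return ""


def audit_autostart(win_ini, system_ini, registry, allowed_services=()):
    """Return (location, value) pairs that differ from the expected defaults."""
    findings = []
    for key in ("load", "run"):  # both lines are normally empty
        value = ini_value(win_ini, "windows", key)
        if value:
            findings.append(("win.ini " + key, value))
    shell = ini_value(system_ini, "boot", "shell")
    if shell.lower() != "explorer.exe":  # anything appended also gets started
        findings.append(("system.ini shell", shell))
    command = registry.get(EXE_OPEN, {}).get("", "")
    if command != '"%1" %*':  # default handler passes the EXE straight through
        findings.append(("exefile open command", command))
    for name, value in sorted(registry.get(RUN_SERVICES, {}).items()):
        if name not in allowed_services:
            findings.append(("RunServices " + name, value))
    return findings


if __name__ == "__main__":
    for location, value in audit_autostart(WIN_INI, SYSTEM_INI, REGISTRY):
        print(f"{location}: {value}")
```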
