What is a Trojan horse?
A Trojan horse is a malicious piece of software that is disguised as legitimate software. Unlike viruses and worms, a Trojan horse cannot replicate itself. Trojans are mostly attached to popular software.
What can a Trojan do?
- It can erase, overwrite and corrupt data.
- Spread other malware such as viruses; in this case the Trojan horse is called a dropper.
- Set up networks of zombies in order to launch DDoS attacks.
- Log keystrokes and steal your sensitive information, such as passwords.
- Phish you by serving a fake banking login page.
- Install a backdoor to control your PC whenever the hacker wants.
Types of Trojan
Acebot is a powerful backdoor Trojan designed to perform many destructive actions. It can detect, terminate and completely disable antivirus. It can connect to an IRC network for remote control, and it can also connect to many malicious servers and download other malicious software from them.
Secup: this type of Trojan displays fake security-related messages; when the user clicks on one, the user is redirected to a malicious website that quietly installs malicious software. It also serves advertisements.
Dymsys is a dangerous Trojan that specializes in infecting various instant messengers and stealing users' confidential data. It logs keystrokes to a file and then sends it to the attacker.
How can you get infected?
- Visiting a malicious website with an old, unpatched Internet Explorer.
- A browser with JavaScript enabled also has a chance of being infected by malicious software.
- Many users get infected by files sent through messengers, due to the lack of security in messengers.
- Many people receive an email, and when the user clicks on the link or opens the files received in the mail, he/she gets infected.
How does Trojan delivery happen?
Since Windows is configured by default to hide file extensions, the Trojan horse's extension might be masked, as in Readme.txt.exe. The user would only see Readme.txt and could mistake it for a harmless text file.
Also, an SFX (self-extracting) compressed file could be used to pack the Trojan or payload together with some hot images, so when the user extracts the SFX archive the malware runs automatically and the user gets infected.
The attacker can change the malware's icon to trick users into believing that it is a Word document.
The attacker can inject malware into legitimate software using a tool like Shellter, so when the user runs that software the user gets infected.
Where do they live?
C:\windows\startmenu\programs\startup
Everything that is placed here starts automatically when the system boots up.
Win.ini
The Win.ini file loads settings each time the system boots up. The attacker can set load=trojen.exe and run=trojen.exe in win.ini to execute the Trojan.
System.ini
Initializes system settings; using shell=Explorer.exe trogen.exe results in the execution of every file listed after Explorer.exe.
Wininit.ini
Contains updated system info and runs once on the next boot; setup programs mostly use it.
Once run, it is automatically deleted, which is very handy for Trojans to restart.
Winstart.bat
Contains a set of system commands to manipulate files. Acting as a normal batch file, the Trojan is added as @trojen.exe to hide its execution from the user.
Autoexec.bat
It is a DOS auto-starting file, and it uses an auto-starting method like this -> c:\Trojen.exe
Config.sys
Could also be used as an auto-starting method for Trojans.
Explorer startups
An auto-starting method for older Windows systems. Starts from c:\trojen.exe
MORE LOCATIONS HERE
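As an added example (not from the original post), a small Python checker for two of the tricks described above: it parses win.ini and system.ini text for the load=/run= and extra shell= entries, and flags double-extension names like Readme.txt.exe. The INI contents below are constructed samples, and "trojen.exe" is the page's own placeholder name.

```python
from pathlib import PureWindowsPath

# Constructed sample contents of the legacy INI autostart files (not real files).
WIN_INI = """[windows]
load=trojen.exe
run=
NullPort=None
"""
SYSTEM_INI = """[boot]
shell=Explorer.exe trojen.exe
"""

# Extensions that Windows will execute directly.
EXEC_EXT = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}


def ini_section(text, name):
    """Return the key=value pairs of one [section] (case-insensitive, trimmed)."""
    pairs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif "=" in line and current == name.lower():
            key, value = line.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def win_ini_autostarts(text):
    """load= and run= under [windows] should be empty on a clean system."""
    windows = ini_section(text, "windows")
    return [(key, windows[key]) for key in ("load", "run") if windows.get(key)]


def system_ini_extra_shell(text):
    """Anything after Explorer.exe on the shell= line is launched at logon."""
    parts = ini_section(text, "boot").get("shell", "").split()
    return parts[1:] if parts and parts[0].lower() == "explorer.exe" else parts


def disguised_executable(filename):
    """True for names like Readme.txt.exe: an executable behind a decoy extension."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXT and suffixes[-2] not in EXEC_EXT


if __name__ == "__main__":
    print("win.ini autostarts:", win_ini_autostarts(WIN_INI))
    print("extra shell entries:", system_ini_extra_shell(SYSTEM_INI))
    print("Readme.txt.exe disguised:", disguised_executable("Readme.txt.exe"))
```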
What does the attacker want?
- Credit card info (often used for domain registration and shopping with your card)
- Account data (emails, passwords for malicious purposes)
- Work projects (to steal your work-related presentations and papers)
- To use your system as a launching pad to perform other hacks
- To make it a zombie to launch DDoS attacks
Are you infected?
Strange and unknown Windows message boxes asking for personal info.
Windows settings change by themselves (wallpaper, screensaver, date, time, sound). The mouse moves by itself. Something unusual happens without you doing anything.
Countermeasures
- Do not open suspicious files/links in email
- Use a good antivirus
- Always show file extensions in the Windows settings
- Scan drives often with an AV, a malware scanner and a rootkit scanner
- Educate yourself about cyber security
- Update your system, antivirus and programs regularly
- Only download software from trusted sources
- Implement a data backup and recovery plan
- Autorun
- RootkitRevealer
- Process Explorer
- Procmon
- Process Hacker 2
- Hashmyfiles
- ADSSpy
- TCP View
- TCP Log View
More reading:
https://www.slideshare.net/mobile/naMasood/common-malware-and-countermeasures
https://www.foregenix.com/blog/penetration-testing-the-quest-for-fully-undetectable-malware