ALL ABOUT TROJAN


What is a Trojan horse?


A Trojan horse is a malicious piece of software disguised as legitimate software. Unlike viruses and worms, a Trojan horse cannot replicate itself. Trojans are mostly attached to popular software.

What can a Trojan do?

  • It can erase, overwrite and corrupt data.
  • Spread other malware such as viruses; in this case the Trojan horse is called a dropper.
  • Set up networks of zombies in order to launch DDoS attacks.
  • Log keystrokes and steal your sensitive information, such as passwords.
  • Phish you by serving a fake banking login page.
  • Install a backdoor so the attacker can control your PC whenever they want.

Types of Trojan


Well-known Trojans

Acebot is a powerful backdoor Trojan designed to perform many destructive actions. It can detect, terminate and completely disable antivirus software. It connects to an IRC network for remote control, and it can also connect to many malicious servers and download other malicious software from them.

Secup: this type of Trojan displays fake security-related messages; when the user clicks on one, the user is redirected to a malicious website that quietly installs malicious software. It also serves advertisements.

Dymsys is a dangerous Trojan that specializes in infecting various instant messengers and stealing users' confidential data. It logs keystrokes to a file and then sends the file to the attacker.


How can you get infected?

  • Visiting a malicious website with an old, unpatched Internet Explorer.
  • A browser with JavaScript enabled also has a chance of being infected by malicious software.
  • Many users get infected by files sent through messengers, due to the lack of security in messengers.
  • Many people get an email; when the user clicks on the link or opens the files received in the mail, he/she gets infected.

How does Trojan delivery happen?


Attackers attach the Trojan to an email with an attractive subject line. A Trojan horse is typically a Windows executable program file, and must have an executable extension such as .exe, .com, .scr, .bat or .pif.

Since Windows is configured by default to hide known file extensions, the Trojan horse's extension may be masked, as in Readme.txt.exe: the user only sees Readme.txt and could mistake it for a harmless text file.
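As a defender's check for the double-extension trick described above, here is an added example (not code from the original post) that examines file names the way Explorer would display them with extension hiding on. The executable extension list is the one the post gives; the document-like extensions and the sample listing are constructed for the example.

```python
import os

# Executable extensions named in the post; .scr and .pif are often overlooked.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".pif"}

# Extensions a user reads as "harmless document" (assumed list for this example).
DOCUMENT_EXTENSIONS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".png", ".gif"}


def displayed_name(name):
    """What Explorer shows when 'hide extensions for known file types' is on:
    the file name with only its final extension removed."""
    stem, ext = os.path.splitext(name)
    return stem if ext else name


def is_disguised(name):
    """True when the real (last) extension is executable and the name is
    dressed up to look like a document, either by a double extension
    (Readme.txt.exe) or by space padding that pushes the real extension
    out of view (photo.jpg      .scr)."""
    stem, ext = os.path.splitext(name)
    if ext.lower() not in EXECUTABLE_EXTENSIONS:
        return False
    # Space padding: the stem keeps trailing blanks before the real extension.
    if stem != stem.rstrip():
        return True
    inner_ext = os.path.splitext(stem.rstrip())[1].lower()
    return inner_ext in DOCUMENT_EXTENSIONS


def scan_listing(names):
    """Map each disguised file name to the name the user would actually see."""
    return {n: displayed_name(n) for n in names if is_disguised(n)}


if __name__ == "__main__":
    # Constructed directory listing standing in for a downloads folder.
    sample = ["Readme.txt.exe", "setup.exe", "notes.txt", "holiday.jpg.pif",
              "invoice.pdf    .scr"]
    for real, shown in scan_listing(sample).items():
        print(f"{shown!r} is really {real!r}")
```

A plain setup.exe is not reported, since the point of the check is the mismatch between what is displayed and what will run; the same test can be applied to email attachment names before they are opened.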

An SFX (self-extracting) compressed archive could also be used to bundle the Trojan or payload with some attractive images, so that when the user extracts the SFX archive the malware runs automatically and the user is infected.

The attacker can change the malware's icon to trick users into believing that it is a Word document.

The attacker can inject malware into legitimate software using a tool like Shellter, so that when the user runs that software, the user gets infected.


Where do they live?


Autostart folder
C:\windows\startmenu\programs\startup
Everything that is placed here starts automatically when the system boots up.

Win.ini
The win.ini file loads settings each time the system boots up. An attacker can set load=trojan.exe and run=trojan.exe in win.ini to execute the Trojan.

System.ini
Initializes system settings; using shell=Explorer.exe trojan.exe results in every file listed after Explorer.exe being executed.

Wininit.ini
Contains updated system information and runs once on the next boot; setup programs mostly use it.
Once run, it is automatically deleted, which is very handy for Trojans to restart themselves.

Winstart.bat
Contains a set of system commands to manipulate files. Acting as a normal batch file, the Trojan is added as @trojan.exe to hide its execution from the user.

Autoexec.bat
It is a DOS auto-start file and it uses an auto-start entry like this -> c:\Trojan.exe

Config.sys
Could also be used as an auto-start method for Trojans.

Explorer startup
An auto-start method for older Windows systems. Starts from c:\trojan.exe


MORE LOCATIONS HERE

What does the attacker want?

  • Credit card information (often used for domain registration and shopping with your card)
  • Account data (emails and passwords, for malicious purposes)
  • Work projects (to steal your work-related presentations and papers)
  • Use your system as a launching pad to perform other hacks.
  • Make it a zombie to launch DDoS attacks.

Are you infected?


It is normal for a pop-up to appear when you visit a website, but when you do nothing and your browser redirects you to some unknown page, you need to take that seriously.

Strange, unknown Windows message boxes asking for personal information.

Windows settings change by themselves: wallpaper, screensaver, date, time, sound. The mouse moves by itself. Something unusual happens without you doing anything.


Countermeasures

  • Do not open suspicious files or links in email
  • Use a good antivirus
  • Always show file extensions in the Windows settings
  • Scan drives often with an AV, a malware scanner and a rootkit scanner
  • Educate yourself about cyber security
  • Update your system, antivirus and programs regularly
  • Only download software from trusted sources
  • Implement a data backup and recovery plan

TOOLS USED TO DETECT TROJANS

Autoruns
RootkitRevealer
Process Explorer
Procmon
Process Hacker 2
HashMyFiles
ADSSpy
TCPView
TCPLogView

More reading:
https://www.slideshare.net/mobile/naMasood/common-malware-and-countermeasures


https://www.foregenix.com/blog/penetration-testing-the-quest-for-fully-undetectable-malware
