6.2 Trojan Concepts
Financial Loss Due to Trojans
What is a Trojan?
- It is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can gain control and cause damage, such as ruining the file allocation table on your hard disk.
- Trojans are activated by certain predefined user actions.
- Indications of a Trojan attack include abnormal system and network activity, such as the antivirus being disabled, redirection to unknown pages, etc.
- Trojans create a covert communication channel between the victim's computer and the attacker for transferring sensitive data.
Comparison between Overt Channel and Covert Channel
- Overt channel: a legitimate communication path within a computer system or network for the transfer of data.
- Covert channel: a channel that transfers information within a computer system or network in a way that violates the security policy.
- An overt channel can be exploited to create a covert channel by using components of the overt channel that are idle.
- An example of a covert channel is the communication between a Trojan and its command and control center.
How Hackers Use Trojans
- Delete or replace the operating system's critical files.
- Generate fake traffic to create DoS attacks.
- Record screenshots, audio, and video of the victim's PC.
- Use the victim's PC for spamming and blasting email messages.
- Download spyware, adware, and malicious files.
- Disable firewalls and antivirus.
- Create backdoors to gain remote access.
- Infect the victim's PC as a proxy server for relaying attacks.
- Use the victim's PC as part of a botnet to perform DDoS attacks.
- Steal information such as passwords, security codes, and credit card information using keyloggers.
Common Ports used by Trojans
How to Infect Systems Using a Trojan (important)
- Create a new Trojan packet using a Trojan Horse Construction Kit.
- Create a dropper, which is the part of a trojanized packet that installs the malicious code on the target system.
  - Example of a dropper:
    - Installation path: c:\windows\system32\svchosts.exe
    - Autostart: HKLM\Software\Mic...\run\Iexplorer.exe
    - Malicious code:
      - Client address: client.attacker.com
      - Dropzone: dropzone.attacker.com
    - A genuine application:
      - File name: chess.exe
      - Wrapper data: executable file
- Create a wrapper using wrapper tools (petite.exe, Graffiti.exe, EliteWrap) to install the Trojan on the victim's computer.
  - The wrapper binds the Trojan executable to legitimate files.
- Propagate the Trojan (for example, by email).
- Execute the dropper.
  - It is disguised as a trusted file (an executable file).
  - It extracts the malware components hidden in it and executes them.
  - The genuine application serves as a decoy to focus attention away from the malicious activities.
- Execute the damage routine.
  - The damage routine delivers the payloads.
- Wrapper (binder): packages different executables into a single file.
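The dropper example above plants a file named svchosts.exe and an autostart value named Iexplorer.exe, both chosen to look like real Windows binaries. The following is an added example (not from the original notes or any tool named here) of how a defender can audit Run-key entries for such lookalike names: it compares each executable and value name against a constructed baseline of well-known system binaries using edit distance, and also flags a genuine system binary name that runs from outside the Windows directory. The registry entries are constructed sample data; on a real host you would feed in the values read from the Run keys.

```python
import re
from typing import Optional

# Well-known Windows binaries whose names droppers often imitate.
# Constructed baseline for this example; extend it with your own list.
KNOWN_SYSTEM_BINARIES = (
    "csrss.exe", "explorer.exe", "iexplore.exe", "lsass.exe", "rundll32.exe",
    "services.exe", "smss.exe", "svchost.exe", "winlogon.exe",
)

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name: str) -> Optional[str]:
    """Return the known binary that `name` imitates (edit distance 1 or 2), else None."""
    name = name.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    best = min(KNOWN_SYSTEM_BINARIES, key=lambda known: levenshtein(name, known))
    return best if levenshtein(name, best) <= 2 else None

def executable_path(command: str) -> Optional[str]:
    """Extract the program path from a Run-key command, honouring a quoted path."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    if not m:
        return None
    return (m.group(1) or m.group(2)).replace("/", "\\")

def audit_autostart(entries):
    """entries: iterable of (value_name, command) pairs read from a Run key.
    Returns a list of (value_name, command, reasons) for suspicious entries."""
    findings = []
    for value_name, command in entries:
        path = executable_path(command)
        if path is None:
            continue
        exe = path.rsplit("\\", 1)[-1].lower()
        in_windows_dir = "\\windows\\" in path.lower()
        reasons = []
        hit = lookalike_of(exe)
        if hit:
            reasons.append(f"executable {exe} imitates {hit}")
        # Value names usually lack an extension; normalise before comparing.
        hit = lookalike_of(value_name if "." in value_name else value_name + ".exe")
        if hit:
            reasons.append(f"value name {value_name} imitates {hit}")
        if exe in KNOWN_SYSTEM_BINARIES and not in_windows_dir:
            reasons.append(f"{exe} running from outside the Windows directory")
        if reasons:
            findings.append((value_name, command, reasons))
    return findings

# Constructed sample Run-key contents; the first entry mirrors the dropper example in the notes.
SAMPLE_RUN_KEY = [
    ("Iexplorer.exe", r"c:\windows\system32\svchosts.exe"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("svchost", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
]

if __name__ == "__main__":
    for value_name, command, reasons in audit_autostart(SAMPLE_RUN_KEY):
        print(f"[!] {value_name} -> {command}")
        for reason in reasons:
            print(f"      {reason}")
```

An edit distance of 1 or 2 catches the "svchosts"/"svchost" and "Iexplorer"/"iexplore" style of naming; raise the threshold with care, since short names start colliding with legitimate software.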
Wrappers (important)
- A wrapper binds a Trojan executable with an innocent-looking, genuine-looking .EXE application such as a game or an office application.
- The two programs are wrapped together into a single file.
- When the user runs the wrapped EXE, it first installs the Trojan in the background and then runs the wrapping application in the foreground.
- Attackers might send a birthday greeting that will install a Trojan as the user watches, for example, a birthday cake dancing across the screen.
Wrappers are a type of "glueware" used to bind other software components together.
Dark Horse Trojan Virus Maker
Trojan Horse Construction Kit
- Construct Trojan: Trojan Horse construction kits help attackers to construct Trojan horses of their choice.
- Trojan Execution: The tools in these kits can be dangerous and can backfire if not executed properly.
- Trojan Horse Construction Kits:
- Trojan Horse Construction Kit
- Progenic Mail Trojan Construction Kit - PMT
- Pandora's Box
Crypters
- A crypter is software used by hackers to hide viruses, keyloggers, or tools inside any kind of file so that they are not easily detected by antivirus software.
- AIO UFD Crypter
- Hidden Sight Crypter
- Galaxy Crypter
- Criogenic Crypter
- Heaven Crypter
- SwayzCryptor
Crypter: alters the signature of the virus.
How Attackers Deploy a Trojan
- Major Trojan Attack Paths:
- User clicks on the malicious link
- User opens malicious email attachments
Exploit Kit
- An exploit kit or crimeware toolkit is a platform for delivering exploits and payloads such as Trojans, spyware, backdoors, bots, buffer overflow scripts, etc. to the target system.
Exploit Kits
- Infinity
- Phoenix Exploit Kit
- Blackhole Exploit Kit
- Bleedinglife
- Crimepack
Evading Anti-Virus Techniques
- Break the Trojan file into multiple pieces and zip them into a single file.
- ALWAYS write your own Trojan, and embed it into an application.
- Change the Trojan's syntax:
  - Convert an EXE to VB script
  - Change the .EXE extension to .DOC.EXE, .PPT.EXE or .PDF.EXE (Windows hides "known extensions" by default, so only .DOC, .PPT or .PDF is shown)
- Change the content of the Trojan using a hex editor, and also change the checksum and encrypt the file.
- Never use Trojans downloaded from the web (antivirus can detect these easily).
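The double-extension trick relies on Explorer hiding the final extension. As an added example (not part of the original notes), the following attachment triage function classifies file names the way a mail gateway or EDR rule might: it treats a document-like extension immediately followed by an executable extension as deceptive, and also shows what the user would see with "Hide extensions for known file types" enabled. The extension sets and the attachment names are constructed for the example.

```python
import os

# Extensions users expect to be harmless documents or images (constructed list).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".ppt", ".pptx", ".pdf", ".xls",
                       ".xlsx", ".txt", ".jpg", ".png"}
# Extensions Windows will execute directly (constructed list; extend as needed).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".msi", ".ps1"}

def classify_filename(name: str) -> str:
    """Return 'deceptive-double-extension', 'executable', or 'ok' for a file name."""
    parts = os.path.basename(name).lower().split(".")
    if len(parts) < 2:
        return "ok"                      # no extension at all
    if "." + parts[-1] not in EXECUTABLE_EXTENSIONS:
        return "ok"                      # final extension is not executable
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        return "deceptive-double-extension"   # e.g. report.pdf.exe
    return "executable"

def display_name_with_hidden_extensions(name: str) -> str:
    """What Explorer shows when 'Hide extensions for known file types' is on:
    the last extension is dropped, so 'Invoice.pdf.exe' is shown as 'Invoice.pdf'."""
    base, ext = os.path.splitext(name)
    known = DOCUMENT_EXTENSIONS | EXECUTABLE_EXTENSIONS
    return base if ext.lower() in known else name

def triage(filenames):
    """Return (name, classification, name-as-displayed) for each attachment."""
    return [(n, classify_filename(n), display_name_with_hidden_extensions(n))
            for n in filenames]

# Constructed sample attachment names.
SAMPLE_ATTACHMENTS = [
    "Invoice_2024.pdf.exe",
    "Q3_report.docx",
    "setup.exe",
    "photo.JPG.scr",
    "notes.txt",
    "readme",
]

if __name__ == "__main__":
    for name, verdict, shown in triage(SAMPLE_ATTACHMENTS):
        print(f"{verdict:28} shown as {shown!r:24} actual {name!r}")
```

The classification is deliberately case-insensitive and looks only at the last two extensions, so names like archive.tar.gz stay "ok" while photo.JPG.scr is flagged.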
Types of Trojans
- VNC Trojan
- HTTP Trojan
- HTTPS Trojan
- ICMP Trojan
- FTP Trojan
- Data Hiding Trojan
- Destructive Trojan
- Botnet Trojan
- Proxy Server Trojan
- Remote Access Trojan
- Defacement Trojan
- E-banking Trojan
- Covert Channel Trojan
- Notification Trojan
- Mobile Trojan
- Command Shell Trojan
Command Shell Trojans
- A command shell Trojan gives remote control of a command shell on a victim's machine.
- The Trojan server is installed on the victim's machine and opens a port for the attacker to connect to. The client is installed on the attacker's machine and is used to launch a command shell on the victim's machine.
- nc: raw socket tool
  - C:\> nc <ip> <port>
- Bind shell (an inbound connection from outside cannot traverse NAT):
  - C:\> nc -L -p <port> -t -e cmd.exe
  - Windows: nc -dlp8008 -ecmd.exe
  - Linux: nc -dlp8008 -e/bin/sh
- Reverse shell (the victim connects outbound from inside the network):
  - nc -nvlp8008
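A bind shell leaves a listening socket owned by netcat, and a shell interpreter holding any TCP socket is unusual on a workstation. As an added example (not from the original notes), the code below correlates constructed `netstat -ano` and `tasklist /fo csv /nh` output, the two commands a responder would run on a Windows host, and reports sockets owned by netcat-family or shell images. The process names, ports and PIDs in the samples are constructed; the port 8008 is the one used in the notes.

```python
import csv
import io
import re

# Constructed sample in the shape of `netstat -ano` output (TCP rows only are parsed).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8008           0.0.0.0:0              LISTENING       5120
  TCP    10.0.0.5:49712         10.0.0.9:8008          ESTABLISHED     5121
  TCP    10.0.0.5:49801         52.96.0.10:443         ESTABLISHED     3304
"""

# Constructed sample in the shape of `tasklist /fo csv /nh`: image, PID, session, ...
TASKLIST_SAMPLE = """\
"svchost.exe","908","Services","0","10,240 K"
"System","4","Services","0","144 K"
"nc.exe","5120","Console","1","3,112 K"
"cmd.exe","5121","Console","1","4,032 K"
"msedge.exe","3304","Console","1","180,512 K"
"""

NETCAT_IMAGES = {"nc.exe", "ncat.exe", "netcat.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Return (local, remote, state, pid) tuples for the TCP rows of netstat output."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            local, remote, state, pid = m.groups()
            rows.append((local, remote, state, int(pid)))
    return rows

def parse_tasklist(text):
    """Map PID -> lower-cased image name from tasklist CSV output."""
    return {int(row[1]): row[0].lower() for row in csv.reader(io.StringIO(text)) if row}

def find_shell_sockets(netstat_text, tasklist_text):
    """Join sockets to their owning image and flag netcat and shell-owned sockets."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for local, remote, state, pid in parse_netstat(netstat_text):
        image = images.get(pid, "?")
        if image in NETCAT_IMAGES:
            kind = "bind-shell listener" if state == "LISTENING" else "netcat connection"
        elif image in SHELL_IMAGES:
            kind = "shell interpreter owns a socket"
        else:
            continue
        findings.append({"pid": pid, "image": image, "local": local,
                         "remote": remote, "state": state, "kind": kind})
    return findings

if __name__ == "__main__":
    for f in find_shell_sockets(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"[!] {f['kind']}: pid {f['pid']} ({f['image']}) "
              f"{f['local']} -> {f['remote']} {f['state']}")
```

The join on PID is the important step: a listener on an odd port is only interesting once you know which image owns it, and a renamed netcat binary would evade the name check, so treat this as a first pass before inspecting the process itself.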
Defacement Trojans
- Resource editors allow you to view, edit, extract, and replace strings, bitmaps, logos, and icons in any Windows program.
- They allow you to view and edit almost any aspect of a compiled Windows program, from the menus to the dialog boxes to the icons and beyond.
- They apply a User-styled Custom Application (UCA) to deface a Windows application.
- An example of a defaced calc.exe is shown here.
Defacement Trojans: Restorator
Botnet Trojans
- Botnet Trojans infect a large number of computers across a large geographical area to create a network of bots that is controlled through a Command and Control (C&C) center.
- Botnet is used to launch various attacks on a victim including denial-of-service attacks, spamming, click fraud, and the theft of financial information.
Malware Domain List (MDL): https://www.malwaredomainlist.com/
Tor-based Botnet Trojans: ChewBacca
- The ChewBacca Trojan stole data on 49,000 payment cards from 45 retailers in 11 countries over a two-month span.
Botnet Trojans: Skynet and CyberGate
Proxy Server Trojans
- Proxy Trojan: a Trojan proxy is usually a standalone application that allows remote attackers to use the victim's computer as a proxy to connect to the Internet.
- Hidden Server: once the machine is infected, the proxy server Trojan starts a hidden proxy server on the victim's computer.
- Infection: Thousands of machines on the Internet are infected with proxy servers using this technique.
- Process:
Proxy Server Trojan: W3bPrOxy Tr0j4nCr34t0r (Funny Name)
- W3bPr0Xy Tr0j4n is a proxy server Trojan which supports multiple connections from many clients and reports the IP address and ports by mail to the Trojan owner.
FTP Trojans
- FTP Trojans install an FTP server on the victim's machine, which opens FTP ports.
- An attacker can then connect to the victim's machine over the FTP port to download any files that exist on the victim's computer.
VNC Trojans
- VNC Trojans start a VNC server daemon on the infected system (the victim).
- The attacker connects to the victim using any VNC viewer.
- Since a VNC program is considered a utility, this Trojan is difficult to detect with antivirus software.
VNC Trojan: Hesperbot
- Hesperbot is a banking Trojan which features common functionalities, such as keystroke logging, creation of screenshots and video capture, and setting up a remote proxy.
- It creates a hidden VNC server to which the attacker can remotely connect.
- As VNC does not log the user off like RDP, the attacker can connect to the unsuspecting victim's computer while they are working.
HTTP/HTTPS Trojans
- Bypass Firewall: HTTP Trojans can bypass any firewall and work in the reverse way of a straight HTTP tunnel.
- Spawn a Child Program: They are executed on the internal host and spawn a child at a predetermined time.
- Access the Internet: The child program appears to be a user to the firewall so it is allowed to access the Internet.
HTTP Trojan: HTTP RAT
Shttpd Trojan - HTTPS (SSL)
- SHTTPD is a small HTTP server that can be embedded inside any program.
- It can be wrapped with a genuine program (for example the game chess.exe); when executed, it turns the computer into an invisible web server.
ICMP Tunneling
- Covert channels are methods by which an attacker can hide data in a protocol so that it goes undetected.
- They rely on techniques called tunneling, which allow one protocol to be carried over another protocol.
- ICMP tunneling uses ICMP echo request and echo reply messages to carry a payload and stealthily access or control the victim's machine.
ICMP Trojan: icmpsend
Remote Access Trojans
- This Trojan works like remote desktop access.
- The hacker gains complete GUI access to the remote system.
- Optix Pro, MoSucker, BlackHole RAT, SSH - R.A.T., njRAT, Xtreme RAT, SpyGate - RAT, Punisher RAT, DarkComet RAT, Pandora RAT, HellSpy RAT, ProRAT, Theef, Hell Raiser, Atelier Web Remote Commander
Covert Channel Trojan: CCTT
- Covert Channel Tunneling Tool (CCTT) Trojan presents various exploitation techniques, creating arbitrary data transfer channels in the data streams authorized by a network access control system.
- It enables attackers to get an external server shell from within the internal network and vice-versa.
- It sets up a TCP/UDP/HTTP CONNECT|POST channel allowing TCP data streams (SSH, SMTP, POP, etc.) between an external server and a box within the internal network.
E-banking Trojans
- E-banking Trojans intercept a victim's account information before it is encrypted and send it to the attacker's Trojan command and control center.
- They steal the victim's data, such as credit card number, CVV2, billing details, etc., and transmit it to remote hackers using email, FTP, IRC, or other methods.
Working of E-banking Trojans
- TAN Grabber:
- Trojan intercepts valid Transaction Authentication Number (TAN) entered by a user.
- It replaces the TAN with a random number that will be rejected by the bank.
- Attacker can misuse the intercepted TAN with the user's login details.
- HTML Injection:
- Trojan creates fake form fields on e-banking pages.
- Additional fields elicit extra information such as card number and date of birth.
- Attacker can use this information to impersonate and compromise victim's account.
- Form Grabber:
- The Trojan analyses POST requests and responses to the victim's browser.
- It compromises the scramble pad authentication.
- Trojan intercepts scramble pad input as user enters Customer Number and Personal Access Code.
E-banking Trojan: ZeuS, SpyEye, Citadel Builder and Ice IX
- The main objective of the ZeuS and SpyEye Trojans is to steal bank and credit card account information, FTP data, and other sensitive information from infected computers via web browsers and protected storage.
- SpyEye can automatically and quickly initiate an online transaction.
Destructive Trojans: M4sT3r Trojan
- This Trojan formats all local and network drives.
- M4sT3r is a dangerous and destructive type of Trojan.
- The user will not be able to boot the Operating System.
- When executed, this Trojan destroys the operating system.
Notification Trojans
- A notification Trojan sends the victim's IP address to the attacker.
- Whenever the victim's computer connects to the Internet, the attacker receives the notification.
Data Hiding Trojans (Encrypted Trojans)
- An encryption Trojan encrypts data files on the victim's system and renders the information unusable.
- Attackers demand a ransom or force victims to make purchases from their online drug stores in return for the password to unlock the files.
- Example: CryptoLocker