Monday, October 22, 2007

TROJAN - A Malicious Tool



Introduction:

A Trojan is a malicious program that, once installed on a system, can be used for nefarious purposes by an attacker. Tools that allow remote administration of, or access to, a vulnerable system (RATs) are called Trojans. This means that after a system has been infected with a Trojan, an attacker can control nearly all hardware and software on the system remotely.

Common type of attacks:

Trojans are very hazardous tools that enable an attacker to cause great damage to the target system. Some of the most common malicious attacks that can be carried out using a Trojan are listed below:

Trojans are most often used for stealing intellectual property (IP) data from target corporations and for playing pranks on hapless individuals. By installing a Trojan on a system, the attacker is able to access, delete, upload or download any file on it. IP theft is not only very expensive but can also be used to damage the good name of a corporation. Because installing a Trojan gives access to nearly all hardware and software on the system, it becomes open to all kinds of pranks, some of which are listed below:

· Increasing or decreasing the volume when you are listening to music.

· Moving the mouse to the right when you are trying to move it to the left, and vice versa.

· When you type ABC, the attacker types XYZ.

· Opening and closing your CD tray at intervals.

An attacker can easily run malicious commands on an infected system and delete important files or even format your hard disk.

Attackers can program Trojans so that they use the resources of your system and network to carry out attacks on predefined victim systems. That means an attacker can plant a Trojan that has been programmed to automatically attack the target system at a pre-fixed date and time. The attack is planned so that the victim believes his own system carried out the attack, which can have serious legal implications for a corporation.

What do Trojans consist of?

Most Trojans consist of two parts, and their operation is fairly simple to follow. Using them requires very little technical skill. The two parts are:

  1. The server part: This part of the Trojan opens a port on the target computer, which listens for connections initiated by the attacker. Obviously, it has to be installed on the victim's system through trickery or disguise.
  2. The client part: This part gives the attacker complete control over the target system. It is installed on the attacker's system and connects to the server part of the Trojan, which has been installed on the victim's system.

Trojan attacks are executed by following these simple steps:

1. The most difficult part of executing a Trojan attack is installing the server part of the Trojan on the victim's system. Some of the more common ways to do it are:

i. E-mail: Sending the Trojan server file as an attachment to an e-mail addressed to the victim. The problem with this method is that, most often, the victim may not open the infected attachment.

ii. Auto-run CD-ROMs: Burning the Trojan onto a CD-ROM and then using the auto-run facility of the CD to automatically execute/install the Trojan the moment the CD is inserted into the tray.

iii. Instant Messenger: It is also possible to send the Trojan server part disguised as a normal file over IRC or IM. Attackers generally rename the Trojan so that it looks like a normal, legitimate file.

iv. Physical access: Physical access to the victim's system gives the attacker an opportunity to install the server part of the Trojan manually.

v. EXE binders: These binders are tools that allow a user to bind two .EXE files together into one file in such a way that neither file's operation is affected. So, the attacker binds or conceals the Trojan server part inside a legitimate .EXE file. The container .EXE file is usually chosen to be irresistible to the victim, such as pornographic videos or greeting cards. The Trojan is hidden inside this tempting file, and when the victim opens the combined file, the Trojan is installed in the background while the video or greeting card is being shown on screen.

2. The server part of the Trojan, once installed on the victim's system, binds itself to a specific port on that system and listens for connections. Every Trojan listens for connections on a predefined port number, which is different for each Trojan. For example, the NetBus Trojan listens for connections on the preset port 12345.

3. Next, the attacker needs to locate the IP address of the target system on which the server part of the Trojan has been installed. This step enables the attacker to connect to the infected system and control it remotely. Some Trojans are designed to automatically mail the victim's IP address to the attacker every time the target logs on to the Internet.

4. Then, the attacker uses the client part of the Trojan tool, which is installed on his system, to connect to the server part of the Trojan installed on the victim's system. The attacker connects to the preset port number that the Trojan uses. Once the connection is established, the victim's system lies open to the attacker to inflict almost any kind of damage.

The most common types of Trojan available are as follows:

NetBus

Back Orifice

Girl Friend

SubSeven

Gromozon

Flooder

Droppen-Ev

Downloader-Ev

Cuteqq_Cn.exe

Detection: The following are some of the most common techniques for detecting the presence of a Trojan on a victim's computer:

  • Suspicious open ports: It is actually quite easy to spot the presence of a Trojan on a system. As mentioned above, the server part of the Trojan automatically binds itself to a predetermined port number. Hence, by going to the command prompt and simply typing the netstat -n command, you can check whether the list of open port numbers matches the list of normally open ports, or whether any of them match known Trojan ports. If they do, chances are your system is infected with a Trojan.
  • Detection tools: Many tools allow a system administrator to detect Trojans. Most anti-virus tools also look for Trojan installations.
  • Start-up files: A Trojan proves most dangerous if it can get loaded into memory every time the victim's system boots. For this to happen, there has to be a reference to it in some start-up file.
  • System files: The two system files win.ini and system.ini have sections in which every referenced program gets executed.
  • Registry: Programs that load at start-up are also referenced in the Registry, so that is another place to look for a Trojan program reference.

Countermeasures

After a Trojan has been detected, the system administrator needs to remove it from the system. This can be done in the following manner:

  1. There are many Trojan removal tools that can be downloaded and used to remove the most common Trojans. One should not only remove the Trojan but also remove the references to it from the start-up files.
  2. Never accept or execute any files sent over mail, chat, etc. Also, do not experiment too much with Trojans, because it is possible that the client part of a Trojan installed on your computer could turn out to be the server part, thus leaving your system open to attackers.
  3. Because EXE binders allow an attacker to join two .EXE files, the harmful Trojan file may be embedded inside a normal, harmless .EXE file. Such a Trojan is not easily detected, as it only increases the file size by a certain number of bytes. Therefore, be careful and only download software from the Internet from the original developer's website.
  4. A more effective countermeasure against Trojan activity is installing a firewall on your computer to monitor and log all port traffic. This enables you to detect and trace Trojan exploitation attempts. In addition, however tempting it may be, you should never execute any files sent to you via the Internet.
Reference: Ankit Fadia's book on ethical hacking
