Download What is a trojan?

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
Document related concepts

Cracking of wireless networks wikipedia , lookup

Malware wikipedia , lookup

Cross-site scripting wikipedia , lookup

Windows Update wikipedia , lookup

Next-Generation Secure Computing Base wikipedia , lookup

Mobile security wikipedia , lookup

Microsoft Security Essentials wikipedia , lookup

Denial-of-service attack wikipedia , lookup

Unix security wikipedia , lookup

Transcript 
A Trojan Report and Analysis of BO2K, NetBus
1.7, and Sub7 Legends
Mike Ware 11/30/04
What is a trojan?





Any program that overtly does one thing but covertly does something
else in a malicious manner.
Normally provides remote access to a victim’s computer.
Not considered a virus because it does not self propagate.
Not considered a worm because it does not automatically spread from
one computer to the next over a network.
Back Orifice, NetBus, and Sub7 are three very popular trojan horses.
Why is a trojan a security threat?

A trojan cannot install itself. It must be executed by the user.





Many users are non-technical individuals and are unaware of their system’s activity.
Detection is difficult. Most trojans are designed to run invisible to the victim by
removing itself from the process list and hiding its system “footprint”.
A successful trojan attack opens a virtual channel to the victim’s file system,
registry, process list, service list, and other OS structures.
Anti-virus and other virus monitoring software will only detect and remove the
trojan if its signature is known.
Recovering from information theft and costs due to down time from denial-ofservice attacks is burdensome.
Overview of BO2K, NetBus 1.7, and Sub7 Legends

All three were developed by underground hacking community as RATs (remote
access tools).




All three have same architecture, which consists of a server and client.



Cult of the Dead Cow or CDC developed BO2K (first version released Aug 1998)
Mobman developed Sub7 Legends (first version released May 1999)
Carl-Fredrik Neikter developed NetBus 1.7 (first version released Mar 1998)
Attacker uses client to control any remote machine that has the server installed.
Server is stored on victim’s machine and once installed, waits for a probe from the client to
establish connection.
Victim must execute the malicious trojan file.

The trojan will normally disguise itself as a appealing program (video, music, game, etc.) or
attach itself to a legitimate program that when ran will install both the legitimate application and
the attached trojan without the user’s knowledge. (setup package or self-extracting zip files)
Compare/Contrast Initial Actions

Similarities





All three copy themselves to some other location. Sub7 Legends and NetBus 1.7 will place a
copy in the Windows directory while BO2K places a copy in Windows\System32.
If configured to do so, all three will create registry entries in the auto-run startup keys so
they will execute each time Windows is loaded.
All three disconnect from original file and execute the planted second copy.
All three open some port.
Differences




filename of the server file
number and names of other files created and used by the server
number, type, name, and location of created registry edits
server port usage
Connection Method


Attacker only needs to know IP address of victim.
BO2K


NetBus 1.7



Can password protect server using 3DES or XOR encryption.
Can password protect server.
Can be notified of victim’s connection using a specified SMTP engine.
Sub7 Legends


Can password protect server.
Attacker can be notified by ICQ, IRC, or email.
Operational Capabilities


Once connected, the attacker has full access to victim’s operating system functionality.
File System manipulation




Key Logging ability


BO2K logs to viewable file while Sub7 and NetBus log “real-time”.
Port Redirection


find/delete/view/move/rename/copy files
create/delete directories
download/upload files
Allows attacker to send input to another machine using victim’s machine.
System Functions




View, kill, start processes
View and close active windows
Mouse control (move/hide pointer, enable tails, reverse buttons)
Perform system shutdown, log off, restart, and power off
Other Interesting Features

Sub7 and BO2K:
 registry manipulation:





screen or web/video capture; tap PC microphone
complete server control


change startup method, server filename, port usage, or remove the server entirely.
Sub7




create/delete/rename keys
set/get/delete/rename values
enumerate keys and values
hide/show desktop, start button, and taskbar
flip screen horizontally/vertically
mess with CTRL-ALT-DEL, NUM LOCK, SCROLL LOCK, CAPS LOCK
BO2K:


XOR and 3DES encryption for client/server communication.
ability to enhance its functionality through plug-ins. (has software development kit)
BO2K Attack Footprint on XP SP1



File Mods:
 c:\windows\system32\UMGR32.EXE
 112 KB
 Original trojan file located at original location if it doesn’t delete itself.
Netstat reports:
 TCP 54320 by default
 possibly UDP 54321
Task manager will report name of the running server as a process.
 UMGR32.EXE
NetBus 1.7 Attack Footprint on XP SP1

File Mods:







=> running server
=> key logging functions
=> attacker note-taking
=> host connection log
=> server IP log
=> server configuration info
Registry Mods:




c:\windows\patch.exe (483 KB)
c:\windows\KeyHook.dll (54 KB)
c:\windows\Memo.txt
c:\windows\Hosts.txt
c:\windows\IP.txt
c:\windows\Patch.ini
HKCU\NETBUS
 HKCU\NETBUS\Settings
HKCU\Patch
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 value: “PATCH”=“c:\windows\patch.exe”
Netstat reports two open TCP ports

12345 and 12346
Sub7 Legends Attack Footprint on XP SP1

File Mods:



Registry Mods:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
 value: “WinLoader”=“c:\windows\server.com”
Netstat reports open TCP port


c:\windows\server.com
 364 KB
Original trojan file located at original location if it doesn’t delete itself.
27374 by default
Task manager will report name of the running server as a process.

server.com
Cyberspace Security Implications


Ability to remotely control OS makes a trojan attack far more dangerous than a
typical virus or worm.
Risks of information theft and malicious activity:







theft of passwords
theft of product designs (this can be crucial to a company)
theft of medical, financial, and other personal data
interception of email, chat, and video content
attacker can plant discriminating data on victim’s machine (child pornography!)
attacker can find discriminating data and use it against the victim
Future attacks:



DDOS - Attack high risk targets.
Have already seen first trojan, Brador.a, for PocketPC. Imagine DDOS attack aimed at disabling
a multitude of PocketPC devices.
Electronic Voting (e-voting)
What can be done to combat trojans?

Increase User Security Awareness




President’s third highest priority outlined in “The National Strategy to Secure
Cyberspace” document.
Use updated anti-virus protection.
Properly use software/hardware firewalls.
Periodically scan using specialized trojan horse PC scanners:
 windowsecurity.com/trojanscan
Conclusion




A trojan is any program that overtly does one thing but covertly does something
else in a malicious manner.
The architecture and “footprint” of BO2K, NetBus 1.7, and Sub7 follow a similar
pattern.
BO2K, NetBus 1.7, and Sub7 Legends are a serious and direct threat to current home
computing technologies such as e-commerce and banking as well as future
computing technologies such as e-voting and online surgery procedures.
We can combat trojan attacks through increased user awareness, properly
configured anti-virus software and firewalls, and specialized trojan scanners.
Related documents
Data Security
Data Security
Beginnings of Ancient Greek Civilization
Beginnings of Ancient Greek Civilization
Nick Zibbideo God/Goddess Role in Greek Society Artemis Ruled
Nick Zibbideo God/Goddess Role in Greek Society Artemis Ruled
IT Security in Schools
IT Security in Schools
Background Information PowerPoint
Background Information PowerPoint
MYCENAEANS AND Dorian *Dark Ages*
MYCENAEANS AND Dorian *Dark Ages*
Bell Ringer 3 - Laing Middle School
Bell Ringer 3 - Laing Middle School
Greek Mythology Unit English 1 CP
Greek Mythology Unit English 1 CP
trojan war test - Paintsville Independent Schools
trojan war test - Paintsville Independent Schools
Nomen Dies Hora - Eugene Kobielnik
Nomen Dies Hora - Eugene Kobielnik
Slide 1
Slide 1
Basic Marketing, 16e
Basic Marketing, 16e
File unit 3 part 1 jeopardy
File unit 3 part 1 jeopardy
Document
Document
Hands on Demonstration for Testing Security in Web Applications
Hands on Demonstration for Testing Security in Web Applications