Admin
Subject: HOW Do Trojans Work ? Fri Sep 21, 2007 4:12 am
3. How Do Trojans Work?
--------------------
Trojans come in two parts, a Client part and a Server part. When the victim (unknowingly) runs the server on his/her machine, the attacker then uses the Client to connect to the Server and starts using the trojan. TCP/IP is the usual protocol used for communication, but some functions of the trojans use the UDP protocol as well. When the Server is run on the victim's computer, it will (usually) try to hide somewhere on the computer, start listening on some port(s) for incoming connections from the attacker, modify the registry and/or use some other auto-starting method.
It's necessary for the attacker to know the victim's IP address to connect to his/her machine. Many trojans have features like mailing the victim's IP, as well as messaging the attacker via ICQ or IRC. This is used when the victim has a dynamic IP, which means every time you connect to the Internet you get a different IP (most dial-up users have this). ADSL users have static IPs, so the infected IP is always known to the attacker, and this makes it considerably easier to connect to your machine.
Most trojans use auto-starting methods, so even when you shut down your computer they're able to restart and again give the attacker access to your machine. New auto-starting methods and other tricks are discovered all the time. The variety starts from "joining" the trojan into some executable file you use very often, like explorer.exe, for example, and goes to the known methods like modifying the system files or the Windows Registry. System files are located in the Windows directory, and here are short explanations of their abuse by the attackers:
- Autostart Folder: The Autostart folder is located in C:\Windows\Start Menu\Programs\startup and, as its name suggests, automatically starts everything placed there.
- Win.ini: Windows system file using load=Trojan.exe and run=Trojan.exe to execute the trojan.
- System.ini: Using Shell=Explorer.exe trojan.exe results in execution of every file listed after Explorer.exe.
- Wininit.ini: Setup programs use it mostly; once run, it is auto-deleted, which is very handy for trojans to restart.
- Winstart.bat: Acting as a normal bat file, the trojan is added as @trojan.exe to hide its execution from the user.
- Autoexec.bat: It's a DOS auto-starting file and it's used as an auto-starting method like this -> c:\Trojan.exe
- Config.sys: Could also be used as an auto-starting method for trojans.
- Explorer Startup: An auto-starting method for Windows 95, 98 and ME; if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.
The Registry is often used in various auto-starting methods. Here are some known ways:
- Registry Run keys
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\directory\Trojan.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Info"="c:\directory\Trojan.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Info"="c:\directory\Trojan.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Info"="c:\directory\Trojan.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\directory\Trojan.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Info"="c:\directory\Trojan.exe"
- Registry Shell Open
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
The default value of this key should be "%1 %*"; if an executable file is placed in front of it, that file will be executed each time you open a binary file. It's used like this: trojan.exe "%1 %*"; this would restart the trojan.
- ICQ Net Detect Method
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key includes all the files that will be executed if ICQ detects an Internet connection. As you can understand, this feature of ICQ is very handy, but it's frequently abused by attackers as well.
- ActiveX Component
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
StubPath=C:\directory\Trojan.exe
These are the most common auto-starting methods using Windows system files and the Windows registry.
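As an added example that is not part of the original post, here is a small Python audit that reads a text export of the registry keys listed above (as produced by reg export) together with win.ini and system.ini contents, and reports what sits at each of these auto-start points: Run-key entries and Active Setup StubPaths for review, a non-default exefile\shell\open\command as hijacked, and non-empty load=/run= or an extended shell= line as suspicious. The sample export, ini contents and every Trojan.exe path are constructed for the demonstration.

```python
import re
# Constructed sample data (not real captures): a .reg export of keys the post lists, plus win.ini
# and system.ini contents, each with a fictitious "Trojan.exe" planted.
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\\directory\\Trojan.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="trojan.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
"StubPath"="C:\\directory\\Trojan.exe"
'''
WIN_INI = "[windows]\nload=\nrun=Trojan.exe\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe trojan.exe\n"
RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$", re.I)

def parse_reg_export(text):
    """Parse a text .reg export into {key: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current, keys[line[1:-1]] = line[1:-1], {}
        elif current and "=" in line:
            name, data = line.split("=", 1)
            # undo .reg string escaping: \" -> " and \\ -> \
            data = data.strip('"').replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name.strip('"')] = data
    return keys

def ini_value(text, name):
    # data after the first 'name=' line of an .ini text, or '' if absent
    m = re.search(rf"^\s*{name}\s*=(.*)$", text, re.I | re.M)
    return m.group(1).strip() if m else ""

def audit_autostart(reg_text, win_ini, system_ini):
    """List (location, entry, verdict) for each autostart point the post describes."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if RUN_KEYS.search(key):  # Run/RunOnce/RunServices/RunServicesOnce: inventory every entry
            findings += [(key, f"{n}={d}", "review") for n, d in values.items()]
        elif key.lower().endswith(r"exefile\shell\open\command"):
            default = values.get("@", "")  # must be only "%1" %*; a program put in front runs on every .exe launch
            findings.append((key, default, "ok" if default.replace('"', "").split() == ["%1", "%*"] else "hijacked"))
        elif r"active setup\installed components" in key.lower() and "StubPath" in values:
            findings.append((key, values["StubPath"], "review"))
    for entry in ("load", "run"):  # win.ini load= and run= are normally empty
        if ini_value(win_ini, entry):
            findings.append(("win.ini", f"{entry}={ini_value(win_ini, entry)}", "suspicious"))
    shell = ini_value(system_ini, "shell")  # system.ini shell= should name explorer.exe alone
    if shell and shell.lower() != "explorer.exe":
        findings.append(("system.ini", f"shell={shell}", "suspicious"))
    return findings
```

Run keys are reported as "review" rather than judged, because legitimate software uses them too; the exefile handler, load=/run= and shell= have a known-good state and are judged against it.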