TECHinforma
Would you like to react to this message? Create an account in a few clicks or log in to continue.

TECHinforma

This is intended to provide knowledge on diverse fields of Science & Technology.
 
HomeSearchLatest imagesRegisterLog in

TECHinforma :: Your first category :: Your first forum
 

 HOW Do Trojans Work ?

Go down 
AuthorMessage
Admin
Admin



Number of posts : 21
Age : 36
Localisation : bbsr,ORISSA,INDIA
Registration date : 2007-05-13

HOW Do Trojans Work ? Empty
PostSubject: HOW Do Trojans Work ?   HOW Do Trojans Work ? Icon_minitimeFri Sep 21, 2007 4:12 am
3.How Do Trojans Work?

--------------------

Trojans come in two parts, a Client part and a Server part. When the victim
(unknowingly) runs the server on its machine, the attacker will then use the
Client to connect to the Server and start using the trojan. TCP/IP protocol
is the usual protocol type used for communications, but some functions of the
trojans use the UDP protocol as well. When the Server is being run on the
victim's computer, it will (usually) try to hide somewhere on the computer,
start listening on some port(s) for incoming connections from the attacker,
modify the registry and/or use some other autostarting method.

It's necessary for the attacker to know the victim's IP address to connect to
his/her machine. Many trojans have features like mailing the victim's IP, as
well as messaging the attacker via ICQ or IRC. This is used when the victim
has dynamic IP which means every time you connect to the Internet you get a
different IP (most of the dial-up users have this). ADSL users have static
IPs so the infected IP is always known to the attacker and this makes it
considerably easier to connect to your machine.

Most of the trojans use Auto-Starting methods so even when you shut down your
computer they're able to restart and again give the attacker access to your
machine. New auto-starting methods and other tricks are discovered all the
time. The variety starts from "joining" the trojan into some executable file
you use very often like explorer.exe, for example, and goes to the known
methods like modifying the system files or the Windows Registry. System files
are located in the Windows directory and here are short explanations of their
abuse by the attackers:

- Autostart Folder
The Autostart folder is located in C:\\Windows\\Start Menu\\Programs\\startup
and as its name suggests, automatically starts everything placed there.
- Win.ini
Windows system file using load=Trojan.exe and run=Trojan.exe to execute
the Trojan
- System.ini
Using Shell=Explorer.exe trojan.exe results in execution of every file
after Explorer.exe
- Wininit.ini
Setup-Programs use it mostly; once run, it's being auto-deleted, which is
very handy for trojans to restart
- Winstart.bat
Acting as a normal bat file trojan is added as @trojan.exe to hide its
execution from the user
- Autoexec.bat
It's a DOS auto-starting file and it's used as auto-starting method like
this -> c:\\Trojan.exe
- Config.sys
Could also be used as an auto-starting method for trojans
- Explorer Startup
Is an auto-starting method for Windows95, 98, ME and if c:\\explorer.exe
exists, it will be started instead of the usual c:\\Windows\\Explorer.exe,
which is the common path to the file.

Registry is often used in various auto-starting methods. Here are some known
ways:

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"Info"="c:\\directory\\Trojan.exe"
[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]
"Info"="c:\\directory\\Trojan.exe"
[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices]
"Info"="c:\\directory\\Trojan.exe"
[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce]
"Info="c:\\directory\\Trojan.exe"
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"Info"="c:\\directory\\Trojan.exe"
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]
"Info"="c:\\directory\\Trojan.exe"

- Registry Shell Open

[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command]

A key with the value "%1 %*" should be placed there and if there is some
executable file placed there, it will be executed each time you open a
binary file. It's used like this: trojan.exe "%1 %*"; this would restart
the trojan.

- ICQ Net Detect Method

[HKEY_CURRENT_USER\\Software\\Mirabilis\\ICQ\\Agent\\Apps\\]

This key includes all the files that will be executed if ICQ detects Internet
connection. As you can understand,this feature of ICQ is very handy but it's
frequently abused by attackers as well.

- ActiveX Component

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Active Setup\\Installed Components\\KeyName]
StubPath=C:\\directory\\Trojan.exe

These are the most common Auto-Starting methods using Windows system files, and
the Windows registry.
Back to top Go down
https://techinforma.own0.com
 
HOW Do Trojans Work ?
Back to top 
Page 1 of 1

Permissions in this forum:You cannot reply to topics in this forum
TECHinforma :: Your first category :: Your first forum-
Jump to: