All About Trojans

First Written On: 17th November, 2001. 9:48 PM
Last Modified On: 18th November, 2001. 1:27 PM

====================================================================
Contents
--------

Introduction

01. What is a Trojan Horse?
02. What are the different types of trojans?
03. What does a RAT trojan do?
04. How does a RAT trojan work?
05. How do I get infected?
a. IRC
b. ICQ/Instant Messengers
c. E-Mail
d. Floppies/CDs
06. How do I know if I'm infected?
>> Port Scanners(SPS, TPS)
07. Info On Some Trojans
08. How does the hacker get my IP Address?
09. How do I protect/disinfect myself?
a. Firewalls
b. Antivirus
10. Keyloggers
11. Password Retrievers
12. FTP Trojans
13. Binders
14. Why do the crackers do all this?
>> Securing your documents(PGP, kRypt)
15. Does this mean I shouldn't trust any friends?

Disclaimer

====================================================================
INTRODUCTION

The hacker population is growing day-by-day. But, the cracker
population is growing at an amazing rate! There isn't a single
system in the world that cannot be hacked into! Personal Computers
are the easiest targets, and the cracker doesn't have to know
anything about hacking to do it! So, the crackers don't need to
have any computer skills. This is the reason the cracker population
is increasing at a very fast rate. Hackers write the trojans, to
test themselves, and crackers make the fullest use of the trojans.
This article explains trojans in brief and tells PC users how to
protect themselves from such crackers. Most of them have just a
little more knowledge than the victim himself, i.e. they know about
handling trojans.
The trojan legacy was started in an ancient myth, according to
which, during the war, the Greeks presented a wooden horse to their
enemy and during the night, Greek soldiers jumped out of the wooden
horse and defeated the enemy. It was restarted in the computing
world when CDC (Cult of the Dead Cow) made Back Orifice, which is
the most famous trojan ever, and its port 31337 is one of the most
popular numbers.
Read the Disclaimer at the end of the text.
Please feel free to e-mail me at klemd@infoprince.net for any help
or tips or suggestions or corrections.

====================================================================
01. What is a Trojan Horse?

A trojan horse is a program that works against a user, more or
less a virus, and is mostly contained in programs that look
legitimate, but have a very dark side. These trojans work in the
"background", i.e. invisible to you. They do things that can render
you almost powerless. All trojans have a specific purpose, for which
hackers use them. Most of them are RATs (Remote Administration
Tools).
These programs are used by hackers to attack lamers.
Having most trojans on your computer is harmless. Executing them
causes the problem.

====================================================================
02. What are the different types of trojans?

a. Remote Access Tools (RAT)
b. Keyloggers
c. Password Retrievers
d. FTP Trojans

These trojans are explained later in this article.

====================================================================
03. What does a RAT Trojan do?

A RAT trojan runs a server on your computer that enables the
hacker to connect to your computer and execute various functions.
Even if you have some idea about these trojans, you most probably
won't know that you're infected. This is because newer trojans are
being developed every day that are better and more effective than
the older ones. Powerful trojans give the hacker more control of your
computer than you yourself have, sitting in front of it! Others
just allow some easy fun functions, and still others have common
functions like downloading/uploading. The trojan also restarts
every time you turn on your computer.
As for what a trojan can do: at most, it can destroy your computer!

====================================================================
04. How does a RAT trojan work?

A RAT trojan is mostly contained in bigger programs. So, when
you run the program, you automatically trigger the trojan. This
trojan runs a server on a particular port, which will enable the
hacker to connect to the port in your computer with utmost ease and
do God Knows What! He now has access to all your system resources,
if he's using a powerful trojan, and can do almost anything. There
is nothing you can do to stop him, if you don't know which is the
trojan and don't have any clue about what it is.
The trojan then copies itself to a location on your computer
where it is almost 100% certain that you won't see it, and even
if you do see it, you won't realise that it is a trojan. Then,
the trojan makes a registry entry or changes the win.ini file, to
enable itself to restart every time you turn on your computer.
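
One way to audit the win.ini start-up hook described above, as an added
example that is not part of the original article. It assumes the load= and
run= keys of the [windows] section, which are the win.ini entries Windows
reads at start-up; the sample file, the program path and the known_good
parameter are constructed for illustration.

```python
import re

# Constructed WIN.INI fragment; the program path is a made-up placeholder.
SAMPLE_WIN_INI = r"""
; constructed sample
[windows]
load=
run=C:\WINDOWS\SYSTEM\example_srv.exe
NullPort=None

[Desktop]
run=not-an-autostart-entry
"""

def winini_autostart(text, known_good=()):
    """List (key, program) pairs started from [windows] load=/run=.

    known_good holds lower-cased program paths the owner already expects.
    """
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, eq, value = line.partition("=")
        if section != "windows" or not eq:
            continue  # only the [windows] section is read at start-up
        key = key.strip().lower()
        if key not in ("load", "run"):
            continue
        # Assumption: multiple programs are separated by commas or spaces.
        for prog in re.split(r"[,\s]+", value.strip()):
            if prog and prog.lower() not in known_good:
                found.append((key, prog))
    return found

if __name__ == "__main__":
    for key, prog in winini_autostart(SAMPLE_WIN_INI):
        print(f"win.ini {key}= starts {prog}")
```

Anything this reports that you did not install yourself deserves a closer
look, together with the registry start-up entries the article mentions.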

====================================================================
05. How do I get infected?

a. IRC
---
The most common way that you get infected with a trojan is
through IRC. Almost all the files that others want to send to
you on IRC are viruses or trojans!

b. ICQ/Instant Messengers
----------------------
ICQ is another easy way to get a trojan. There were a million
exploits in ICQ; most have now been rectified, but not all.
A friend with whom you are chatting on ICQ will send you
a file, which is the trojan. Before, there was a hole, using
which a hacker could send a file that is an exe/vbs but
appears as an image file/document file. The filename
of the file is too long to display, so if he has renamed the file to
"abc.jpg                .exe" then you'll be able to see
only abc.jpg. Now, that hole's been rectified and you will see
"abc.jp........exe" instead. You'll then execute the .exe file
that he's sent you, and just then you might receive a message
from him, and he'll distract you.

c. E-Mail
------
Nowadays, spam has become very common. You will most probably
find your inbox cluttered with dirty junk if you use hotmail.
Many e-mails contain attachments and some services have the
same problem as ICQ had, i.e. displaying even abc.jpg.exe as
abc.jpg. Therefore, there is a high possibility of spam
attachments containing trojans and viruses.

d. Floppies/CDs
------------
You can also be infected from infected floppies/CDs. When you
use an infected one and run the infected program, or if the
autorun.inf starts the trojan, you are infected.

Almost all the time, the hacker tricks you into forgetting about the
program that he just gave you, and he is successful in his attempt.
Most of the time, you are so busy doing other things that you'll
forget about the program that wasn't running properly. This program
is the trojan that has managed to fool you!
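
A check for the disguised filenames described under ICQ and E-Mail above,
as an added example that is not part of the original article. The
extension lists, the display_width parameter and the sample names are
assumptions made for illustration.

```python
# File types that run when double-clicked. vbs, exe, scr and com are named in
# section 15; bat and pif are added here as further Windows-runnable types.
EXECUTABLE_EXTS = {"exe", "com", "scr", "vbs", "bat", "pif"}
# Illustrative list of extensions a recipient expects to be plain data.
DECOY_EXTS = {"jpg", "jpeg", "gif", "bmp", "txt", "doc", "mp3", "zip"}

def check_attachment(filename, display_width=20):
    """Return the reasons a received filename looks deceptive ([] if none).

    display_width is a hypothetical number of characters a file-transfer
    dialog shows before cutting the name off.
    """
    name = filename.strip()
    stem, dot, ext = name.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in EXECUTABLE_EXTS:
        return []
    reasons = [f"runs as a program (.{ext})"]
    # "abc.jpg      .exe": spaces push the real extension out of view.
    if stem != stem.rstrip():
        reasons.append("whitespace padding before the real extension")
    inner = stem.rstrip().rpartition(".")[2].lower()
    if "." in stem and inner in DECOY_EXTS:
        reasons.append(f"decoy extension .{inner} before .{ext}")
    if len(name) - len(ext) - 1 >= display_width:
        reasons.append(f"real extension starts past column {display_width}")
    return reasons

# Constructed sample names, in the style of the ICQ example above.
SAMPLES = ["abc.jpg" + " " * 60 + ".exe", "abc.jpg.exe", "holiday.jpg", "setup.exe"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample[:30]), check_attachment(sample))
```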

====================================================================
06. How do I know if I'm infected?

"I've received a file from a friend and double-clicked on it.
But, seems it doesn't work as when I clicked on it, nothing
happened!" - BOOM, you're infected! Quick, use an Anti Virus/Firewall!
A port scanner scans a specified range of ports on a particular
IP and reports which of them are open.
You can run such scans with a port scanner like SPS. SPS can be
downloaded from http://www.infoprince.com/downloads/portscanner/sps/
TPS is a port scanner that scans all trojan ports known to
it and returns the results. TPS can be downloaded from
http://www.infoprince.com/download/portscanner/tps/
The best way to check if you're infected is by using a port
scanner like TPS.
Another simple and quick way to detect if you're infected is
by using netstat.
To learn how to use netstat, see the article on netstat at
http://www.infoprince.com. You'll find all the explanations on using
netstat there.
Below is some info on some trojans. You'll know that you're
infected if you find the port listening or connected using netstat.

====================================================================
07. Info On Some Trojans

The complete list of trojans, ports and forms can be downloaded at
http://www.infoprince.com/computing/

01. Netbus 1.x
Port(s) used: 12345, 12346, 12361, 12362
Forms: Whackamole(game), the real trojan.

02. Netbus Pro 2.1
Port(s) used: 20034
Forms: The real trojan.

03. Back Orifice(BO)
Port(s) used: 31337, 6001.
Forms: The real trojan.

04. Sub Seven
Port(s) used: 1243
Forms: The real trojan. Can be compiled in different forms(1.7+)

05. Deep Throat
Port(s) used: 6670
Forms: The real trojan.

06. Senna Spy
Port(s) used: 11000
Forms: The real trojan.

07. ASTRAD 1.x
Port(s) used: 27327
Forms: The real trojan.

08. Netraider
Port(s) used: 57341
Forms: The real trojan.

09. Ugly FTP
Port(s) used: 23456
Forms: The real trojan.

10. Doly Trojan
Port(s) used: 1011
Forms: The real trojan.

11. Blade Runner
Port(s) used: 5401, 5402
Forms: The real trojan.

12. ICQ Trojan
Port(s) used: 4950
Forms: The real trojan.

13. Trojan Cow
Port(s) used: 2001
Forms: The real trojan.

14. Shockrave
Port(s) used: 1981
Forms: The real trojan.

15. ICQKiller
Port(s) used: 7789
Forms: The real trojan.

16. Silencer
Port(s) used: 1001
Forms: The real trojan.

17. Stealth Spy
Port(s) used: 555
Forms: The real trojan.

18. Devil 1.03
Port(s) used: 65000
Forms: The real trojan.

19. Striker
Port(s) used: 2565
Forms: The real trojan.

The complete list of trojans, ports and forms can be downloaded at
http://www.infoprince.com/computing/
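
The netstat check from section 06, run against the port list above, as an
added example that is not part of the original article. The netstat output
is a constructed sample and the function name is hypothetical. A hit is a
lead to investigate, not proof: a legitimate program can use one of these
ports, and a trojan can be set to use a different one.

```python
import re

# Port -> trojan name, copied from the list in section 07 of the article.
TROJAN_PORTS = {
    12345: "Netbus 1.x", 12346: "Netbus 1.x", 12361: "Netbus 1.x",
    12362: "Netbus 1.x", 20034: "Netbus Pro 2.1", 31337: "Back Orifice",
    6001: "Back Orifice", 1243: "Sub Seven", 6670: "Deep Throat",
    11000: "Senna Spy", 27327: "ASTRAD 1.x", 57341: "Netraider",
    23456: "Ugly FTP", 1011: "Doly Trojan", 5401: "Blade Runner",
    5402: "Blade Runner", 4950: "ICQ Trojan", 2001: "Trojan Cow",
    1981: "Shockrave", 7789: "ICQKiller", 1001: "Silencer",
    555: "Stealth Spy", 65000: "Devil 1.03", 2565: "Striker",
}

# Constructed sample of Windows "netstat -an" output, not from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.0.5:1243       203.0.113.9:4021       ESTABLISHED
  TCP    192.168.0.5:1047       198.51.100.7:80        ESTABLISHED
  TCP    192.168.0.5:1050       198.51.100.8:31337     TIME_WAIT
  UDP    0.0.0.0:31337          *:*
"""

# proto, local address, local port, foreign address, optional state
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")

def suspicious_sockets(netstat_text):
    """Return (proto, local_port, state, trojan) for listed LOCAL ports."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers and blank lines
        proto, _local, port, _foreign, state = m.groups()
        port = int(port)
        state = state or "BOUND"  # UDP rows carry no state column
        # Only the local side matters: a remote port of 31337 is not a server here.
        if port in TROJAN_PORTS and state in ("LISTENING", "ESTABLISHED", "BOUND"):
            hits.append((proto, port, state, TROJAN_PORTS[port]))
    return hits

if __name__ == "__main__":
    for proto, port, state, name in suspicious_sockets(SAMPLE_NETSTAT):
        print(f"{proto} local port {port} {state}: listed for {name}")
```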

====================================================================
08. How does the hacker get my IP Address?

If you use IRC, then even you will know how to get the IP
of a person. There are various tools, by which hackers can get your
IP address, if you use ICQ or AIM.
But newer trojans nowadays have various features to notify the
hacker about your online presence. Some come with ICQ notification,
some mail your IP address, date and time to the hacker's e-mail
address, and some upload your information to an internet website.
All of these functions are triggered the moment you go online. By
this, a hacker can easily get your IP address.

====================================================================
09. How do I protect/disinfect myself?

a. Firewalls
---------
The best way to do this is to get a firewall. Firewalls give you
all the protection you need against crackers. They monitor all
the ports of the computer. Some good firewalls are Zone Alarm,
by Zone Labs (http://www.zonelabs.com) and Lockdown 2000
(http://www.lockdown2000.com). They give full control to you
rather than to programs.

b. Antivirus
---------
All the popular trojans can be detected by an antivirus. So, I
recommend you get antivirus software. BO was supposedly the
world's first, and was a nightmare some 3-4 years ago. Now,
netbus is gaining popularity. 90% of the trojans nowadays are
netbus. Almost all AVs can detect netbus and back orifice. A
good antivirus is Norton Antivirus (www.symantec.com). It can
detect even low profile and "unheard of" trojans. This is the
simplest method.

Do the netstat check every time you connect to the internet.
But, if you have any problems, please feel free to mail me at
klemd@infoprince.net and I'll tell you what to do.

====================================================================
10. Keyloggers

Keyloggers are trojans which are mostly not detected by AVs
and are very dangerous. They save everything you type, anywhere on
your computer to a file, usually in a location which is very
difficult to find. This file can be viewed by the hacker, if he's
got access to your computer, or if he's planted the keylogger
using a RAT trojan. A keylogger is used mostly to get your mail
passwords, as you most likely will check your e-mail and you have
to type the password, which will be logged into a file.

====================================================================
11. Password Retrievers

Password Retrievers search your computer and registry for
passwords, usually Internet and ICQ passwords. After finishing
the scan, they mail it to the e-mail address of the hacker. This is
really simple for the hacker and there is nothing for him to do.

====================================================================
12. FTP Trojans

FTP or File Transfer Protocol is the universally accepted
protocol for client-server file exchange. An FTP trojan opens up
the default FTP port (21) and runs an FTP server on it, enabling
anyone knowing FTP or having an FTP client to connect and upload
and download files.

====================================================================
13. Binders

Binders are some programs written by hackers and are used a lot
by crackers. These binders can attach many files and executables
together into one executable. Using binders, crackers attach a game
or some other legitimate program and a trojan. When you execute the
game file, the trojan is also run. Bound exes can fool victims
without arousing suspicion. This makes it even more
important for one to get an AV or a Firewall or TPS.

====================================================================
14. Why do the crackers do all this?

Mostly, they try to hack lamers or friends, to spread some
paranoia in them. They want to show their power to you, and what
they can do to you. Many times, the crackers attack the victims
for some kind of information, like passwords, etc., that they want
from your computer, or they just want to get you scared. Most of the time,
they just hack into your computer and show off to you. Therefore,
most of the time they don't cause any harm to your computer, but
your passwords and important documents - that's a different story!

Securing your documents
-----------------------
To secure your documents and important information, you have
to use encryption software that will make the data unreadable by
anyone, even you. To read it, you have to decrypt it using the key
provided at the encryption time. The best encryption software in
the world is PGP (Pretty Good Privacy), written by Phil Zimmermann.
A very simple encryption program is kRypt, which is the easiest to
use and asks you for a password, using which it encrypts your data.
The same password can be used for decrypting. The advantage of this
program is that it is really simple, and is very easy to use, as
the password that you have encrypted it with can be easily retained
in your memory. kRypt can be downloaded at:
http://www.infoprince.com/downloads/krypt/

====================================================================
15. Does this mean I shouldn't trust any friends?

Not at all! You can trust them, but always be cautious. To
save yourself, you should be paranoid! Also, please note: "Do not
accept any files from strangers or on IRC". Any vbs, exe, scr and
com files can contain viruses and trojans.

====================================================================
DISCLAIMER

There is no guarantee of the accuracy of this article and
it is subject to change at any time. This text is meant only for
educational purposes, not anything else. Following or reading this
article is entirely the user's choice and at the user's risk. I will
not be responsible for any damages caused directly or indirectly to
anyone or anything.

====================================================================

- klemd | Srish Chander | klemd@infoprince.net
Copyright 2001 Srish Chander - InfoPrince.com
http://www.infoprince.com

********************************************************************
* Can be distributed freely, but the text shouldn't be changed *
********************************************************************
