
Trojan Horse Case Study

By Harshal B Kolambe, T.E. (Computer)

Trojan Horse Page 1 of 30


ABSTRACT

Many systems have mechanisms for allowing programs written by users to be executed by users. If these programs are executed in a domain that provides the access rights of the executing user, the other users may misuse these rights. A text editor program, for example, may include code to search the file to be edited for certain keywords. If any are found, the entire file may be copied to a special area accessible to the creator of the text editor. A code segment that misuses its environment is called a TROJAN HORSE.

In our computer world, a Trojan Horse is a malicious, security-breaking program that is disguised as something benign. For example, you download what appears to be a movie or music file, but when you click on it, you unleash a dangerous program (the Trojan horse program is downloaded onto your PC) that erases your disk, sends your credit card numbers and passwords to a stranger, or lets that stranger hijack your computer to commit illegal attacks. Nowadays there are many Trojan Horses. These server-trojans are installed on somebody's PC, and a person having the matching client-trojan can access and control that PC without the owner's knowledge. This may be dangerous.

KEYWORDS

BO: Back Orifice.
CDC: Cult of Dead Cow Communications.
Netbus.exe: Netbus Client Program.
Patch.exe: Netbus Server Program.
Ports 137, 138, 139: Active MS File Sharing Ports.
Port 25: Used by E-Mail Server.
Port 80: Used by Web Server.


INDEX :-

1.0 INTRODUCTION TO TROJAN HORSES ... 06
1.1 What is Trojan horse ... 06
1.2 Infection with Trojan Horses ... 08
2.0 TROJAN ENCYCLOPEDIA ... 08
2.1 Various Trojans ... 08
3.0 COMMONLY KNOWN TROJANS ... 09
3.1 Back Orifice ... 09
3.2 Netbus Trojan ... 12
3.3 IRC (Internet Relay Chat) ... 13
3.4 SubSeven ... 14
4.0 PRECAUTIONS ... 15
4.1 Some Capabilities Of Trojans ... 15
4.2 What Do Trojans Do? ... 16
4.3 Infection With BO Or Netbus ... 16
4.4 General Precautions ... 18
4.5 Problem Prevention ... 19
4.6 Detection & Removal ... 19
4.7 Virtual Port Example ... 20
5.0 ANTI-TROJANS ... 27
5.1 AntiTrojan ... 30
5.2 PC DoorGuard ... 30
5.3 PestPatrol ... 31
5.4 Tauscan ... 31
5.5 The Cleaner ... 31
6.0 CONCLUSION ... 32
BIBLIOGRAPHY ... 32

Figure Index :

1. Registry Editor ... 11
2. Netbus Client ... 12
3. Back Orifice RCTH Client ... 21
4. Netbus Client 1.70 ... 21
5. Registry Editor Hkeys ... 26
6. Regedit on a machine infected with Netbus ... 27
7. A typical netstat display ... 28
8. Netstat display on a machine infected with Netbus ... 29


1.0 INTRODUCTION TO TROJAN HORSES

1.1 What is Trojan Horse?

Trojan horse attacks pose one of the most serious threats to computer security. If you were referred here, you may have not only been attacked but may also be attacking others unknowingly.

According to legend, the Greeks won the Trojan War by hiding in a huge, hollow wooden horse to sneak into the fortified city of Troy. In today's computer world, a Trojan horse is defined as a "malicious, security-breaking program that is disguised as something benign". For example, you download what appears to be a movie or music file, but when you click on it, you unleash a dangerous program that erases your disk, sends your credit card numbers and passwords to a stranger, or lets that stranger hijack your computer to commit illegal denial of service attacks like those that have virtually crippled the DALnet IRC network for months on end. The following general information applies to all operating systems, but by far most of the damage is done to/with Windows users due to its vast popularity and many weaknesses.

(Note: Many people use terms like Trojan horse, virus, worm, hacking and cracking all interchangeably, but they really don't mean the same thing. Let's just say that once you are "infected", trojans are just as dangerous as viruses and can spread to hurt others just as easily!)

Trojans can be far more malicious than viruses and you should care: they're programs that let someone else remotely administer your computer without your knowing about it. There are legitimate programs that do this too; systems administrators use them to administer networks, but Trojans are a different matter. If you're on a network you know it has an administrator to keep things running smoothly. A Trojan can be planted by anyone, without your permission or knowledge. And unlike a remote administration program, a Trojan can be highly destructive. So let's take a quick look at what Trojans do, and more importantly, what you can do to stop them.

Trojans can log every keystroke you type (even when you're offline) and have your e-mail program send the information to the person who planted the Trojan without your knowing it. Trojans can get all your passwords, credit card numbers and other information stored on your computer, or even things that you type into the computer and don't save. They can be used to read, delete or change all your files, turn your screen upside down, abruptly disconnect you from the Internet, or direct your browser to only certain web sites, and other nuisances. It gets worse: Trojans can be used to spy on you through your chat and instant message programs, web cam or microphone, and even destroy your hardware.


They can damage your reputation as well as your hardware and data. Trojans can be used to get into your address book and send very convincing looking e-mails saying whatever someone else likes, from you to your employer, bank manager, clients, girlfriend, whomever, and they can make you seem to say really awful things to people in on-line chats or conferences. You can imagine some of the consequences: a 'Net conference with important clients, and you won't see the message coming from you saying "screw you, you're all a bunch of lamers anyway," but the persons you're talking with will. Or someone can plant a Trojan and use your computer to hack into somebody else's computer. And all kinds of other bad things. Possibly the worst things about Trojans are that most people don't even know they exist, and most anti-virus scanners do not pick up or delete them. Trojans are becoming more common, especially as more people have cable and DSL or other "always on" connections, though you can get them using regular dial-up connections too. And some of the newer Trojans are harder to detect (this is one reason to be careful of running .htm or .html files you receive by e-mail; there are Trojans out now that use HTML code and will bypass firewalls, a couple of examples being NOOB and godmessage). They are, in short, very easy to plant on your computer without your knowing it until substantial damage has been done. There are all kinds of script kiddies out there using ICQ and IRC, not to mention e-mail. Criminals use the Internet, too, and there may be people out there who just plain don't like you and would do something that vicious to get revenge; the Internet, like the real world, has its share of crackpots, and most of these programs require no technical expertise to use. Be aware enough from reading this to realize that Trojans can be a serious threat to your privacy, reputation, data and computer hardware.

There are some things you can do. Be careful about accepting files over the Internet or opening e-mail attachments unless you know what they are and who they're from. Get a good firewall, like ZoneAlarm, available free from Zone Labs. Even if other firewalls have had you befuddled, this one won't. It's very powerful and it's also very user-friendly. And head over to the Moosoft site and pick up a copy of The Cleaner. It's a great anti-trojan scanning and cleaning program, and it also has a neat little feature called TCActive that you can run at Windows startup. It'll sit in your system tray, use almost no computer resources, and keep any known Trojans from activating on your machine. If you do find your machine infected with a Trojan Horse program, don't panic. Disconnect from the Internet, run your Trojan scanner, and delete the Trojan. Trojans can't be cleaned, like many viruses can. They can only be deleted, but doing this will in no way harm your machine or your software.


1.2 Infection with Trojan Horses.

A Trojan is an executable program, which means that when you open the file, it will perform some action(s). In Windows, executable programs have file extensions like "exe", "vbs", "com", "bat", etc. Some actual Trojan filenames include "dmsetup.exe" and "LOVE-LETTER-FOR-YOU.TXT.vbs" (when there are multiple extensions, only the last one counts; be sure to unhide your extensions so that you see it). More information on risky file extensions may be found in this Microsoft document.

Trojans can be spread in the guise of literally ANYTHING people find desirable, such as a free game, movie, song, etc. Victims typically downloaded the trojan from a WWW or FTP archive, got it via peer-to-peer file exchange using IRC, instant messaging, Kazaa etc., or just carelessly opened some email attachment. Trojans usually do their damage silently. The first sign of trouble is often when others tell you that you are attacking them or trying to infect them!

2.0 TROJAN ENCYCLOPEDIA.

2.1 Various Trojan horses

1. BATCH
2. Backdoor
3. D_O_S
4. Flooder
5. Hoaxes
6. IRC
7. Macro
8. Nuker
9. PSW
10. TrojanDownloader Family
11. TrojanDropper Family
12. Windows
13. Backdoor.Nethief Family
14. Crackers
15. JS.Trojan.NoClose
16. JS.Trojan.Offiz
17. PKZIP300 Trojan
18. Trojan.AOL.Buddy
19. Trojan.BuggyHidp
20. Trojan.Clicker.NetBuie a-b
21. Trojan.Downloader Family
22. Trojan.Dreb
23. Trojan.Durell
24. Trojan.FlashKiller
25. Trojan.GoHotlist
26. Trojan.JS.Seeker
27. Trojan.Java.Nocheat
28. Trojan.Macro.Excel.Taiwanes
29. Trojan.Macro.Word.Nikita
30. Trojan.NetPatch

3.0 COMMONLY KNOWN TROJANS.

3.1 Back Orifice (B.O.)

"Back Orifice" is a hacker's dream, and a Netizen's nightmare. Back Orifice is not a virus. It is in essence a remote administration tool. It gives "system admin" type privileges to a remote user by way of the computer's Internet link.

What does this mean? It means that if Back Orifice is running in your computer, a remote operator anywhere on the global Internet can gain access and do almost anything you can do on your computer, and some things you can't do, all without any outward indication of his presence.

Back Orifice is purportedly a remote administration tool that allows system administrators to control a computer from a remote location (i.e. across the Internet). In reality it is a highly dangerous backdoor designed by a cracking group called the Cult of the Dead Cow Communications. It is usually distributed by malicious people in the form of a Trojan Horse attack. During installation, it does not give any indication of what is really going on. Once installed, the server is intentionally difficult to detect on your machine, yet allows almost complete control over your computer by the remote attacker.

Is Back Orifice a virus?

Back Orifice is not a virus. Viruses reproduce on their own. The Back Orifice server has to be willingly accepted and run by its host before it can be used. However, it is usually distributed claiming to be something else.

Is Back Orifice a trojan horse?

It could be considered a trojan horse in the case where a user accepts a program and runs the program without understanding what it is. The server program gets distributed purporting to be something else, e.g. PAMMY.EXE. People run it and nothing appears to happen, so they ignore it; the server deletes itself as well after running.


What if I have Back Orifice?

How do I know if I have Back Orifice?

The most common symptoms are strange things happening, such as programs closing or opening of their own accord. The big giveaway is people on IRC announcing they can control your machine, then demonstrating this graphically by rebooting it.

How do I get rid of Back Orifice?

There are two fixes we are going to offer here. The first is a program you can download and run. The second is a manual fix. The reason for the two solutions is this: we feel it may be hypocritical to tell you not to download and run programs from untrusted sources, then provide a fix for you to download and run :) We therefore give you the choice; you only need to use one of these methods to remove Back Orifice.

The Automated Fix

This fix program (BODetect) was written by Chris Benson, who works for Symantec. It is $20 shareware with a 30 day free trial and no nagging or crippling. Download it from Chris's own site or from http://www.download.com/ or http://www.hotfiles.com/.

Simply download and run the program; we urge you to read the accompanying README.TXT.

The Manual Fix

This fix is for those of you who want to heed our good advice and NOT run programs from 'untrusted' sources. It has been used successfully to remove Back Orifice from an infected machine but is not as complex as the Automated Fix provided above. It also involves you making alterations to your registry. We URGE you to make a backup of your registry before you begin (instructions for doing this can be found in the Appendices of your Windows 95/98 manual). It should also work for Windows 98 machines but has not been tested on this platform.

1. Press the START button.

2. Select RUN, type REGEDIT.

3. Using the + to expand the branches, locate the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices


Fig 1: Registry Editor.

4. On the right hand side, double click on the (default) 'key'. It will bring up a box showing the key and its current value (Value data), which is ' .exe'. Highlight this and press Delete (not Backspace; make sure the key is empty), then click OK.

5. Close REGEDIT and reboot your machine.

6. Press START.

7. RUN, type COMMAND.

8. At the DOS prompt type:

del c:\windows\system\exe~1

3.2 Netbus Trojan.

A backdoor is a program that is designed to hide itself inside a target host. It allows the installing user access to the system at a later time without using normal authorization or vulnerability exploitation. The Netbus trojan is one of the most famous trojans around. It was authored by Carl-Fredrik Neikter and is very similar to the "Back Orifice" trojan distributed by CdC. It allows ANYONE running the client portion to connect to and control ANYONE running the server portion of it, WITH THE SAME RIGHTS AND PRIVILEGES AS THE CURRENTLY LOGGED ON USER!


Fig 2: Netbus Client

The "NetBus-Story" - an introduction

NetBus is a "Trojan Horse" which has functionality similar to "Back Orifice". That means it opens a "Backdoor" to a PC, so that everybody can access your PC from the network without your noticing. NetBus is much more user-friendly than Back Orifice. It was programmed by a Swedish guy called Carl-Fredrik Neikter, who published the first version in mid-March 1998. Up to today there are several versions: 1.60, 1.70 and the latest one, NetBus 2.01 Pro.

NetBus - how it works

NetBus consists of two parts: a client program ("netbus.exe") and a server program often named "patch.exe" (or "SysEdit.exe" with version 1.5x), which is the actual backdoor. Version 1.60 uses TCP/UDP port 12345, which can't be altered; from version 1.70 and higher the port can be configured.

Additional information can be found in the author's original documentation for Version 1.60 or Version 1.70.


NetBus - how to notice and how to fight

The NetBus server can be found in the system directory (also "\win95" or "\winnt") and is started together with Windows. The name of the file differs: with NetBus 1.60 it is named "patch.exe", with NetBus 1.5x "SysEdit.exe", and if it is installed by a "game" called "whackamole" (file name "whackjob.zip", which contains the NetBus 1.53 server) its name is "explore.exe". There is also a file called whackjob17.zip, which installs the server of NetBus 1.70 and uses port 12631. Additionally it is password protected (PW: "ecoli"). The NetBus server is installed by "game.exe" during the setup routine; the name of the server actually is "explore.exe", located in the Windows directory.

Normally all servers use the same icon.

To start the server automatically, there is an entry in the registry at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

normally used with the option "/nomsg". If this entry is deleted, the server won't be started with Windows.

You can also delete the NetBus server using the client program itself. Click "Server Admin" - "Remove Server". To uninstall the server from your own PC, enter the name "localhost" or the IP address 127.0.0.1.

3.3 IRC Trojans (Internet Relay Chat).

Here we hope to list some of the more dangerous trojans that seem to play a major part on IRC (Internet Relay Chat). Some infect mIRC (a popular Windows IRC client program); others can connect to an IRC server all by themselves. These trojans are different from normal trojans in the way that someone else controls your infected computer. Most other trojans open a port on your system that a hacker needs to connect to (and thus the hacker must know your system's Internet host, or IP). IRC related trojans, however, will open a hidden connection from your PC to an IRC server, where it will tell the hacker, or a group of hackers (or possibly even a very large channel of people), what you're infected with, what your IP is, and any other information they program it to give. Then these users can send commands to the hidden IRC connection and tell your computer to do things, similar to other trojans.

These IRC trojans can range anywhere from so simple that the users on IRC can only control that IRC connection (usually using it to harass and abuse other users on IRC) all the way to being able to run other programs on your computer and install other types of trojans.


Unfortunately the HackFix project does not specialize in these types of trojans; however, we feel that because of their nature, we should have a section listing them as well as links to removal information and help. Please keep in mind that most, if not all, of the removal information below is not made by IRC producers, nor tested by them, as trojans in the other categories are. They will only link to reliable trojan and virus pages, either known and proven antivirus companies, or groups such as their own with long-standing histories of helping others.

Various IRC Trojans:-

o Ariel
o Dm Setup
o Havoc Round 4
o Havoc Round 5
o Lifestages
o Links.vbs
o Mirc update
o Pretty Park
o Script INI
o Srvcp.exe

3.4 SubSeven Trojan.

SubSeven was made to fill in the gaps left by NetBus. NetBus was the first 'point and click' Trojan that made it very easy for hackers to abuse an infected system. The makers of SubSeven wanted to take this even further and give the hackers even more control than NetBus ever could. SubSeven can do everything that NetBus can do. This includes things such as:

File controls
o Upload / Download
o Move, Copy, Rename, Delete
o Erase hard drives and other disks
o Execute programs

Monitoring
o Can see your screen as you see it
o Log any/all key presses (even hidden passwords)
o Open/close/move windows
o Move mouse

Network control
o Can see all open connections to and from your computer
o Can close connections
o Can 'bounce' or relay from their system to yours, so wherever they connect it seems as if You are doing it. This is how they prevent getting caught breaking into other computer systems and get You in trouble!


The SubSeven Trojan can also be configured to inform someone when its infected computer connects to the Internet, and tells that person all the information about you they need to use the trojan against you. This notification can be done over an IRC network, by ICQ, or by email.

4.0 PRECAUTIONS

4.1 Some Capabilities of Trojan Horses.

o Rebooting, locking up the system, listing of passwords etc.
o View and edit the registry (create a key, set a value, get a value, delete a key, delete a value, rename a key, etc.)
o List directory, find file, delete file, view file, move file, rename file, copy file, make directory, remove directory and set file attributes.
o Display a message box.
o Logging keyboard activities, operations with log file: view, delete.
o Adding and removing network shares, mapping of shared devices, listing of active connections etc.
o Playing WAV files.

These are just a few things to watch for as a precaution. Another good example: I needed information about a problem with new hardware (from a well known brand) I bought for my PC. I searched for documentation on the hardware manufacturer's public FTP site, and when opening a document (Word) from that FTP site I noticed it contained a macro virus. Be careful. That's probably the most important thing you can do against viruses.

4.2 What Do Trojans Do ?

Back to the two Trojan Horses Back Orifice and Netbus... they both run like a server on your system (a "back door" is opened on an infected PC to make access from outside possible), and with a client they can be accessed by other people, who can then do virtually anything on your system, including deleting files. The difference between Back Orifice and Netbus is that Netbus infects Windows NT as well as 95 and 98. Older versions of Back Orifice are said to be only capable of infecting Windows 95/98, but the new Back Orifice 2000 (or BO2K) appears to be capable of infecting Windows NT systems too. As said before, once a system is infected, the one accessing your PC can do virtually anything, possibly even turning on your microphone and listening to what you are doing!

4.3 Infection With BO Or Netbus.

How to find out if you are infected with BO or NetBus

These are a few methods by which you can possibly find out if you are "infected" by Back Orifice or Netbus. Note that these detection hints are for older versions of NetBus and Back Orifice only (not, for example, for Back Orifice 2000 or BO2K!). If you run these tests and don't find anything suspicious, this doesn't mean you are not infected. The following methods are just a few suggestions you can try, and do not guarantee anything. You should try the following methods at your own risk.

1. Netbus might be found with telnet. Open a DOS box and type:

telnet 127.0.0.1 12345
telnet 127.0.0.1 12346

Telnet opens, and if a line in your telnet window contains "netbus" (excluding the quotes), your system is infected with Netbus.

2. For both Back Orifice (old version) and Netbus (old version) there is another possible way to find out if you are infected with one of them. Close all your applications, especially those which point to network shares. Open a DOS box and run the following command:

netstat -an|more

Back Orifice possibly replies with:

UDP 0.0.0.0:31337 *:*

NetBus possibly replies with:

TCP 0.0.0.0:12345 *:*
TCP 0.0.0.0:12346 *:*

Other "strange" replies from netstat, especially those with higher UDP and TCP ports, might be suspicious.

3. You can try looking in your system registry with regedit (recommended for advanced users only!) and take a look at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

This contains all files which are run as a service. If you find a service called .exe (yes, .exe, with no name before the dot) or a service with a very, very strange name which has a file size of about 122 Kb, then it's possible that you are infected with Back Orifice. "Finding Your Back Orifice" is a site which shows screenshots of an infected system registry and a clean system registry.

4. If weird things start happening on your system, for example missing files/directories, a CD-ROM drive suddenly opening and closing, etc., then it's possible your system is infected with Back Orifice or Netbus.

5. Back Orifice: Another method of finding out if your system is infected by BO (older version) is to search your WINDOWS/SYSTEM directory for the file windll.dll. If it's there you are possibly infected.
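The netstat check in method 2 above can be automated. The following Python script is an added example, not part of the original case study: it parses the text of netstat -an and flags the listening ports the text associates with Back Orifice and NetBus (UDP 31337, TCP 12345/12346, and TCP 12631 for the whackjob17 variant). The sample netstat output, the 10000 high-port threshold for the "higher ports might be suspicious" heuristic, and the unknown listener on port 40000 are constructed assumptions of the example.

```python
"""Scan the text output of ``netstat -an`` for the listening ports that the
Back Orifice and NetBus servers described in the case study are known to open.

Added example, not part of the original case study.  The sample netstat
lines below are constructed to look like the replies quoted in the text;
the port table is taken from the document itself.
"""
import re
from typing import Dict, List, Tuple

# (protocol, local port) -> name, exactly as given in the case study.
KNOWN_TROJAN_PORTS: Dict[Tuple[str, int], str] = {
    ("UDP", 31337): "Back Orifice (default server port)",
    ("TCP", 12345): "NetBus 1.x (default server port)",
    ("TCP", 12346): "NetBus 1.x (second default port)",
    ("TCP", 12631): "NetBus 1.70 as installed by whackjob17.zip",
}

# Listening sockets at or above this port are reported for manual review,
# following the text's advice that unusually high ports "might be suspicious".
# The threshold itself is an assumption of this example, not of the document.
HIGH_PORT_THRESHOLD = 10000

# Ports the KEYWORDS section lists as ordinary services on a Windows machine.
BENIGN_PORTS = {25, 80, 137, 138, 139}

# Matches both layouts: the short "TCP 0.0.0.0:12345 *:*" form quoted in the
# text and the columnar form that carries a LISTENING/ESTABLISHED state column.
_LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>[\d.]+):(?P<port>\d+)\s+"
    r"(?P<remote>\S+)(?:\s+(?P<state>[A-Z_]+))?\s*$"
)


def parse_netstat(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (proto, local_addr, local_port, state) for each socket line.

    Header lines and lines in an unexpected layout are skipped rather than
    raising, because netstat output differs between Windows versions.
    """
    sockets = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        # The short form has no state column; "*:*" as the remote side means
        # the socket is bound and waiting, i.e. effectively listening.
        state = m.group("state") or ("LISTENING" if m.group("remote") == "*:*" else "")
        sockets.append((m.group("proto"), m.group("addr"), int(m.group("port")), state))
    return sockets


def find_suspicious(text: str) -> List[Tuple[str, str]]:
    """Classify local sockets.  Returns (finding, description) pairs.

    'known'  : port/protocol pair matches a trojan from the table above
    'review' : unusually high port with no known owner (the text's heuristic)
    Outbound client connections (ESTABLISHED etc.) are ignored; only local
    listeners or UDP binds are of interest.
    """
    findings = []
    for proto, addr, port, state in parse_netstat(text):
        listening = proto == "UDP" or state == "LISTENING"
        if not listening:
            continue
        key = (proto, port)
        if key in KNOWN_TROJAN_PORTS:
            findings.append(("known", f"{proto} {addr}:{port} -> {KNOWN_TROJAN_PORTS[key]}"))
        elif port >= HIGH_PORT_THRESHOLD and port not in BENIGN_PORTS:
            findings.append(("review", f"{proto} {addr}:{port} listening on a high port"))
    return findings


# Constructed sample in the shape the text quotes for an infected machine,
# mixed with the ordinary file-sharing and web ports from the KEYWORDS list
# and one made-up unknown listener (port 40000) to exercise the review path.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:40000          0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1031       192.168.0.1:80         ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for kind, desc in find_suspicious(SAMPLE_NETSTAT):
        print(f"[{kind}] {desc}")
```

On a real machine the same functions can be fed the captured output of netstat -an instead of SAMPLE_NETSTAT; a "known" hit is strong evidence, while a "review" hit only means a listener worth identifying.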

I found one! What now?

Rumors are that some Netbus/Back Orifice removal applications going around on the Internet are Trojan horses themselves. For that reason you have to be very careful which removal application you are going to use. Use a well-known brand virus scanner which can detect and remove trojans like Back Orifice and Netbus. Always check if this is the case before you buy, just to make sure! Another thing I can recommend is that you always keep your anti-virus software up to date. As an example, McAfee VirusScan has downloadable ".DAT" files which are renewed every month. PC Help is a site which also shows some methods of removing Back Orifice from your system.

Below are a few applications which detect and/or remove Back Orifice and/or Netbus. (Use at your own risk... also be sure to read the complete instructions of the application before you use it.)

o BackWork
o The Cleaner
o McAfee VirusScan
o F-Secure Anti-Virus for Windows 95/98

4.4 General Precautions.

You must be certain of BOTH the source AND content of each file you download! In other words, you need to be sure that you trust not only the person or file server that gave you the file, but also the contents of the file itself.

Here are some practical tips to avoid getting infected (again). For more general security information, please see our main security help page.


1. NEVER download blindly from people or sites which you aren't 100% sure about. In other words, as the old saying goes, don't accept candy from strangers. If you do a lot of file downloading, it's often just a matter of time before you fall victim to a trojan.

2. Even if the file comes from a friend, you still must be sure what the file is before opening it, because many trojans will automatically try to spread themselves to friends in an email address book or on an IRC channel. There is seldom reason for a friend to send you a file that you didn't ask for. When in doubt, ask them first, and scan the attachment with a fully updated anti-virus program.

3. Beware of hidden file extensions! Windows by default hides the last extension of a file, so that innocuous-looking "susie.jpg" might really be "susie.jpg.exe", an executable trojan! To reduce the chances of being tricked, unhide those pesky extensions.

4. NEVER use features in your programs that automatically get or preview files. Those features may seem convenient, but they let anybody send you anything, which is extremely reckless. For example, never turn on "auto DCC get" in mIRC; instead ALWAYS screen every single file you get manually. Likewise, disable the preview mode in Outlook and other email programs.

5. Never blindly type commands that others tell you to type, or go to web addresses mentioned by strangers, or run pre-fabricated programs or scripts (not even popular ones). If you do so, you are potentially trusting a stranger with control over your computer, which can lead to trojan infection or other serious harm.

6. Don't be lulled into a false sense of security just because you run anti-virus programs. Those do not protect perfectly against many viruses and trojans, even when fully up to date. Anti-virus programs should not be your front line of security, but instead they serve as a backup in case something sneaks onto your computer.

7. Finally, don't download an executable program just to "check it out". If it's a trojan, the first time you run it, you're already infected!
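Tip 3's point, that only the last extension counts and that Windows hides exactly that one, can be checked mechanically. The following Python code is an added example, not from the original case study; the executable extension list is the one section 1.2 gives (exe, vbs, com, bat), and the sample names are constructed from the ones quoted in the text plus a few harmless ones.

```python
"""Show what Windows' "hide extensions for known file types" setting does to a
file name, and flag names whose real (last) extension is executable.

Added example, not part of the original case study.  The executable
extensions are the ones the text names; the sample file names are
constructed from the examples quoted in the text.
"""
from typing import List, NamedTuple

# Extensions the text calls executable on Windows.  Stored lower-case and
# compared case-insensitively because Windows file names are.
EXECUTABLE_EXTENSIONS = {"exe", "vbs", "com", "bat"}


class Verdict(NamedTuple):
    real_name: str        # the name as stored on disk
    displayed_name: str   # what Explorer shows with extensions hidden
    real_extension: str   # only the last extension counts
    executable: bool      # real extension is in EXECUTABLE_EXTENSIONS
    disguised: bool       # displayed name still shows a harmless-looking type


def displayed_name(real_name: str) -> str:
    """Return the name Explorer shows when the last extension is hidden.

    Only the final extension is hidden, so "susie.jpg.exe" displays as
    "susie.jpg".  A name with a single extension loses it entirely
    ("patch.exe" shows as "patch"); a name without a dot is unchanged.
    """
    stem, dot, _ext = real_name.rpartition(".")
    return stem if dot and stem else real_name


def classify(real_name: str) -> Verdict:
    """Judge a file name by its real extension, the way the text advises."""
    stem, dot, ext = real_name.rpartition(".")
    real_ext = ext.lower() if dot and stem else ""
    shown = displayed_name(real_name)
    executable = real_ext in EXECUTABLE_EXTENSIONS
    # "Disguised" means the displayed name still carries an extension of its
    # own (e.g. .jpg or .TXT), so the user never sees the executable type.
    _, shown_dot, shown_ext = shown.rpartition(".")
    disguised = executable and bool(shown_dot) and shown_ext.lower() not in EXECUTABLE_EXTENSIONS
    return Verdict(real_name, shown, real_ext, executable, disguised)


def risky_names(names: List[str]) -> List[str]:
    """Return the subset of names whose real extension is executable."""
    return [n for n in names if classify(n).executable]


# Constructed sample list built from the names quoted in the text plus a few
# harmless ones for contrast.
SAMPLE_NAMES = [
    "susie.jpg.exe",
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "dmsetup.exe",
    "holiday.jpg",
    "readme.txt",
    "Makefile",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        v = classify(name)
        flag = "DISGUISED EXECUTABLE" if v.disguised else ("executable" if v.executable else "ok")
        print(f"{v.displayed_name:30} (really {v.real_name}) -> {flag}")
```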

4.5 Problem Prevention.

The only sure solution is to refuse to run unknown programs (and update our computers so others can't do it without our help). Unfortunately, abstinence isn't always practical or desirable. I'll describe some protective tools you can use, but keep in mind that none of them are completely effective. As newer, more sophisticated and deviant versions of the RCTH programs are released, these measures will become less and less effective. For that matter, a hostile program that succeeds in executing may simply reconfigure or disable a protective program. As you'll read later on this page, detection and removal are not simple operations, and the more infections we can prevent, the better. The following prevention measures are listed in order of effectiveness:

Don't run the programs, which means don't run any unknown programs. Be very careful of email attachments, particularly .exe files and documents with macros.

Run a program that firewalls your PC. I looked at McAfee Firewall (then called Conseal Private Desktop) in 1999 and ZoneAlarm lately and hope that as these and similar products . Although their theoretical effectiveness is high, general usage mistakes may subvert that effectiveness. Also, alerts going to the desktop operator may cause either unnecessary concern or a cavalier attitude. However, they have two major advantages. First, they will protect against both known and unknown RCTH programs. All other tools require the vendor of the tool to update their product when a new RCTH program is discovered. This means that this type of program is the only effective tool for custom RCTH programs. The second advantage of firewalling software is that it provides secondary advantages unrelated to RCTH programs. These advantages are derived from the products' firewalling capabilities and generally act to increase access controls, thereby providing extra protection against remote cracking and denial of service attempts. Keep in mind, though, that they don't remove the trojan...they only prevent it from communicating.

Run a program specifically made to prevent RCTH programs. The license of a program called BOClean is sufficient to cover faculty, staff, and students. It was the most effective tool tested at preventing, detecting, and removing RCTH programs, and it does so with almost no operator input or impact.

Run an up to date virus detector. Check for updates at least once a month. The new campus installation of Norton Anti-Virus will perform automatic updates. Norton and other traditional AV products will not protect you unless you elect to run the piece that runs in the background and checks all files as they're read. That would be File System Realtime Protection for Norton, WinGuard for Dr. Solomon, VShield for McAfee, or the equivalent for other products. If you install the campus provided Norton Anti-Virus package and select all the default buttons, File System Realtime Protection will be installed to protect you. Installing or updating any of these virus protection programs after you're infected may result in a failure to remove the infection unless you enable the background protection and reboot. Traditional AV products were not even close to the effectiveness or ease of use of BOClean and other dedicated anti-trojan tools, but they now cover the most popular programs. Two online comparisons are at the Tauscan and Netsplit sites.

4.6 Problem Detection and Removal

RCTH Program Operation

Before outlining detection and removal procedures, let's discuss the operation of the RCTH programs. To solve a problem you must first understand it. More importantly, there is no absolute solution to these programs and definitely no "tell me what keys to press" solution. A good understanding of how the RCTH programs work and how they can hide is the best weapon. There are now hundreds of this type of program. They all consist of two parts...a server that runs on your computer, and a client that runs on the controlling computer (shown below). They are all freely available on the Internet. The server silently opens up a virtual network port and listens for requests from clients. People running the clients can connect to the server from anywhere on the Internet and control your computer almost like they were sitting in front of it. In fact, some things are easier using these programs than they would be using your keyboard. For example, the program automatically decrypts passwords used to protect Microsoft shared directories. They can also scan a range of addresses looking for listening servers, so once you're infected, anyone can find you.

Fig: Back Orifice RCTH Client

Fig 4: Netbus Client 1.70

The server program can be named anything, so you can't simply look for a list of names.

Detection

1. Install and run BOClean. The manual procedures below are for people who, for some reason, don't have access to BOClean.

There are four ways to detect RCTH programs:

1. Check the fingerprint of running processes for a match against a "Trojan database".
2. Check the fingerprint of files for a match against a "Trojan database".
3. Check for programs that are automatically started when you boot your computer.
4. Check for open virtual network ports.

Each has limitations and advantages. The first two methods are traditional virus checking methods. They depend upon a database of code fragments or patterns that uniquely identify each of the suspect programs, or behavior analysis that leads a file to be suspect. Of course, the database has to be constantly updated to keep up with new programs. The file check method can be time consuming because it has to check every file. However, most virus tools now do this only once when they're installed and then only in the background when a file is read. The process check only examines running programs, so it can be quicker. Note that if the writer of the RCTH program obfuscated the fingerprint using compression, encryption, overlays, or some other method, the fingerprint may not be recognizable to the tool as an RCTH program. This possibility and the lag time associated with updating tools to detect new programs' fingerprints necessitate multiple checks using each of the detection methods. Keep in mind that "fingerprint tools" only work if they know the fingerprint. The fingerprint protection tools can find the highly publicized or otherwise discovered programs because they know about them. On the other hand, if someone wanted to target an individual or organization, had the ability to write their own program, and kept quiet about it, traditional fingerprint tools like virus checkers would never find it.

All the presently identified RCTH programs automatically restart when you boot your computer. To do this they have an entry in the registry, the win.ini file, the system.ini file, the autoexec.bat file, the startup folder or similar places. Of course, lots of other programs automatically start up when you boot, so the challenge is identifying the ones that aren't supposed to be there. Since the RCTH programs can be renamed, this is not a small challenge. If the programs were installed with their default names, they are easy to spot. If they've been renamed, we have to verify that the file is actually something we want started. Sometimes there is no way to do this except to remove the entry and see what breaks. StartupCop is an easy to use tool that allows you to enable and disable the various startup items as you're investigating.

All the presently identified RCTH programs open a virtual network port to communicate. Every TCP/IP based system has a set of 131,070 ports it can use to communicate with other computers. Some ports are dedicated to particular uses. For example, port 80 is used by a web server, port 25 by a mail server, and ports 137-139 are used by Microsoft file sharing services. Each of the RCTH programs also has default ports on which it listens for connections by other machines. If we find one of these default ports active, we're almost guaranteed that we've detected an infection. On the other hand, these programs allow the interloper to change the default port. In that case, we have to verify that any open port has been opened by a program that we authorized to run. Two tools to perform this task are Foundstone's FPort (free) and Winternals TCPViewPro (fee). Finally, some desktop firewalls will tell you what programs are opening what ports. Without such a tool, it becomes a matter of stopping services to see what ports close. Another problem occurs when the RCTH program doesn't hold the port open continuously. At least one program sits silently until it has some data to send (your passwords), opens a port, sends data, and closes the port. As you can see, there are ways around every detection method. That is why the only 100% effective solution to this problem is not to get infected in the first place. Of course, that is not too realistic unless we refuse to run any programs, because there is always a chance, however slight, that one of these RCTH programs might get by a big vendor. Besides, there are many, many useful programs written by shareware and freeware authors that it would be a shame to ignore. However, the need for care has been exponentially increased due to these RCTH programs. Another option is the ages old unix (and other host) system administration trick of fingerprinting your critical files and checking them for modifications once in a while using something like Tripwire.

Tools

1. Install and run BOClean. The alternate tools below are for people who, for some reason, don't have access to BOClean.

Running Norton Anti-Virus will detect some of the RCTH programs by their fingerprints. Two products with downloadable evaluation versions that are effective across a range of Trojans are "The Cleaner", which works by examining file fingerprints, and ZoneAlarm, which works by blocking virtual port access to unknown applications. Stay away from BOSniffer. It claims to be a Back Orifice removal tool but it actually installs it. How can you be 100% sure some other program doesn't do the same thing? You can't. Desktop firewalls, such as Private Desktop and ZoneAlarm, are particularly interesting because they would stop all RCTH programs whether they're known or not. They can do this because they're not looking for particular trojans...only for unauthorized communications. All the other tools require the maker of the tool to be aware of the trojan and update their detection algorithm or fingerprint. They ask the operator if they want to allow any previously unseen types of communications when an application tries to use the network. Hence, the operator would probably allow netscape.exe or iexplore.exe to go ahead and use the network but not allow patch.exe or some other unfamiliar file name. It may get a little trickier if the trojan was named iexplorer.exe or email.exe, though. Once again, it would be up to the operator to properly control access to their computer. Also keep in mind that desktop firewalls don't remove an RCTH, which means if the computer is ever started without starting the firewall, the RCTH will be active. And it should go without saying that if any malware targets any desktop resident protective software, all bets are off. Often the client (controlling) portion of the RCTH programs contains a scanner that helps the interloper locate infected machines. Using the clients to find out if you're infected is not recommended due to the source of the programs. Some web sites will offer to scan your computer to see if one of these programs is running. These sites may not work for JMU computers and may tell you you're not infected even if you are. If you don't have BOClean installed, I'm going to recommend a manual method to use in addition to any other tool that you use. This is not an operator friendly, push a button method, but it's the only one I trust right now. First, we'll look at the places where these programs are started up. Then we'll look for the virtual network ports that they use to communicate. As you'll recall, these are two of the four methods to detect these programs. The other two, fingerprint checks, aren't feasible to do manually, and we'll have to depend upon continually updated virus detector software and similar tools for these functions. Steps 1a and 2a will quickly detect the presently most popular programs in their default installation configuration.

1. Check for programs that are automatically run when you start your computer.

   a. Look in the registry for entries that start programs.
   b. If you're running Windows NT, look in the Services Control Panel for automatically started services.
   c. Look in autoexec.bat for entries that start programs.
   d. Look in win.ini for "run=" entries that start programs.
   e. Look in the system.ini file for entries that start programs.
   f. Look in the startup folder for entries that start programs.
   g. Check other places commonly used to start trojans.
   h. You can use a tool such as StartupCop to help in this process.

2. Check for open virtual ports.

   a. Use netstat to see what network ports your computer is communicating on. If you have access to Winternals TCPViewPro, use that instead. It has the advantage of telling you what program is talking on each port...something netstat doesn't do in the Windows world. Recently, Foundstone released a similar tool called FPort that is free.

3. Verify all entries and open ports.

Removal

1. Install and run BOClean. The manual procedures below are for people who, for some reason, don't have access to BOClean. Again, if you don't have access to BOClean for automatic removal, use the manual procedure. It is helpful to double-check the effectiveness of any automated program removal that you may have access to.

1. Remove the entries that automatically start the programs.
2. Reboot.
3. Remove the files associated with the programs.
4. Repeat the detection procedures to ensure that the Trojan is removed and that there are no others.

Registry Examination

You can use a tool such as StartupCop to help in this process.

Currently, almost all the RCTH programs use the registry to autostart during boot. To examine the registry, use the 'regedit' tool. You must be careful while editing the registry as it is used to control the internal operations of your computer. Accidentally deleting or modifying entries may result in an inoperative machine.

Step 1: Start -> Run

Step 2: Type 'regedit'. Click OK. You are now running the Microsoft Registry Editor.

Fig 5: Registry Editor HKeys

Step 3: There is an explorer-like operator interface on the left hand side of the screen. You will traverse down through the tree. Click the following selections in order:

HKEY_LOCAL_MACHINE
  SOFTWARE
    Microsoft
      Windows
        CurrentVersion

Now you'll check each of the keys beginning with "Run", sequentially examining them as described below. For the "Quick Check", Run and RunServices are the default locations for the most popular programs. In each of the Run* entries, files that are on the right side of the screen are started when you start your computer. If patch.exe or " .exe" (space dot exe) are listed in the "data" column, make note of the path name if it exists, right-click on the associated item in the "name" column, and select "delete". These are the default names of the Netbus and Back Orifice RCTH programs respectively. They are typically located in the \windows or \windows\system directory. Deleting the entry will prevent the program from starting when you reboot, so you can delete the associated file. In the example below, the Netbus RCTH program is indicated by the presence of the patch.exe entry. If you're performing the Quick Check, reread the entire page.

Fig 6: regedit on a machine infected with Netbus.

The patch.exe and " .exe" names are the default file names for old versions of Netbus and Back Orifice and can be changed. You should verify that each entry in the Run* keys belongs there in case the default name was changed or you have an RCTH other than Back Orifice or Netbus. Do this for all the entries in each of the keys beginning with "Run" (i.e. RunOnce, RunServices, etc.). A cautious system administrator of a critical or multi-operator machine would probably fingerprint these files and check them periodically as part of normal system monitoring to assure they're the original files. You can use the Start -> Find -> Files or Folders utility if you have problems locating the files specified in the registry. After you delete the file, be sure to empty the Recycle Bin.

Note that the default filename used by Back Orifice is " .exe". Explorer's default configuration is to show file names without their extensions. In this mode, you will not see anything except a blank space in a file list. In addition, the program has no icon, so it will not show up in Explorer's icon view except as a blank space. Other RCTH programs may be similarly hidden.
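As an added example (not part of the report), the following Python script mechanizes the Run* key triage described above, applies the double-extension rule from tip 3 and the blank " .exe" name just mentioned, and then performs the Tripwire-style fingerprint check the text recommends for startup files. The Run-key contents and the files it fingerprints are constructed inside the script; reading a live registry (Python's winreg module) is deliberately left out so the check runs anywhere.

```python
"""Audit Windows Run* startup entries as in the manual procedure above, then
apply the Tripwire-style fingerprint check the text suggests. Added example:
the Run-key contents and files are constructed here, not read from a registry."""
import hashlib
import ntpath
import re
import tempfile
from pathlib import Path

# Default file names the text gives for old Netbus and Back Orifice
# (" .exe" is "space dot exe"). They are defaults only and can be changed.
KNOWN_DEFAULT_NAMES = {"patch.exe", " .exe"}

# Program part of a Run-key value: optional quotes, then the shortest prefix
# ending in a runnable extension, so "susie.jpg.exe" is taken whole and any
# command-line arguments after the program are ignored.
_EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|bat|scr|pif))"?', re.IGNORECASE)


def executable_from_command(command: str) -> str:
    """Return the program path from a Run-key command line."""
    m = _EXE_RE.match(command)
    return m.group(1) if m else command.strip()


def audit_entry(name: str, command: str, expected: set[str]) -> list[str]:
    """Reasons an entry deserves a closer look; an empty list means none."""
    base = ntpath.basename(executable_from_command(command))  # works off-Windows
    reasons = []
    if base.lower() in KNOWN_DEFAULT_NAMES:
        reasons.append("default Netbus/Back Orifice file name")
    if base.rsplit(".", 1)[0].strip() == "":
        reasons.append("blank file name (shows as a blank space in Explorer)")
    if re.search(r"\.\w+\.(?:exe|com|bat|scr|pif)$", base, re.IGNORECASE):
        reasons.append("double extension (tip 3)")
    if name.lower() not in expected:
        reasons.append("not in the expected startup set")
    return reasons


def audit_run_key(entries: dict[str, str], expected: set[str]) -> dict[str, list[str]]:
    """Audit every entry of a Run* key; only the suspicious ones are returned."""
    report = {}
    for name, command in entries.items():
        reasons = audit_entry(name, command, expected)
        if reasons:
            report[name] = reasons
    return report


def fingerprint(paths) -> dict[str, str]:
    """SHA-256 of each existing file: the baseline a cautious admin would keep."""
    result = {}
    for p in map(Path, paths):
        if p.is_file():  # a vanished file is reported by verify(), not here
            result[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest()
    return result


def verify(baseline: dict[str, str], paths) -> dict[str, list[str]]:
    """Compare the files' current fingerprints against the saved baseline."""
    current = fingerprint(paths)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


# Constructed Run-key contents modelled on the Netbus example in the text;
# value names and paths are illustrative, not taken from a real machine.
SAMPLE_RUN_KEY = {
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "NAV Agent": r'"C:\Program Files\Norton AntiVirus\navapw32.exe" /LOADQUIET',
    "patch": r"C:\WINDOWS\patch.exe /nomsg",
    "(Default)": r"C:\WINDOWS\SYSTEM\ .exe",
    "Update": r"C:\WINDOWS\susie.jpg.exe",
}
EXPECTED_ENTRIES = {"scanregistry", "nav agent"}  # what you verified belongs there


def demo_fingerprint_check() -> dict[str, list[str]]:
    """Baseline two constructed files, tamper with them, return what changed."""
    with tempfile.TemporaryDirectory() as d:
        a, b, c = (Path(d) / n for n in ("scanregw.exe", "systray.exe", "patch.exe"))
        a.write_bytes(b"original scanregw")
        b.write_bytes(b"original systray")
        baseline = fingerprint([a, b])
        a.write_bytes(b"replaced by a trojan")  # modified in place
        b.unlink()                              # deleted
        c.write_bytes(b"newly dropped file")    # added since the baseline
        changes = verify(baseline, [a, b, c])
    return {k: [Path(p).name for p in v] for k, v in changes.items()}
```

Running `audit_run_key(SAMPLE_RUN_KEY, EXPECTED_ENTRIES)` flags the three constructed entries (patch, the blank-named one and Update) with their reasons, while `demo_fingerprint_check()` shows the modified, missing and new files a periodic fingerprint comparison would surface.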

4.7 Virtual Port Example.

We will use the DOS utility netstat to check for open ports. If you're using Windows NT4 or Windows 98 you can proceed to the checks below. Unfortunately, the original TCP stack that comes with Windows 95 doesn't produce accurate reports. It will tell you your computer isn't vulnerable when it actually is. To fix this problem, upgrade your Windows 95 TCP/IP stack by downloading and running the Microsoft Winsock2 patch before performing the rest of this procedure. This has been a rather simple and painless upgrade for everyone I've talked to. It may also increase your network performance and reliability. The Microsoft Dial-up patch 1.3 also installs winsock2, but it is more complicated to install.

If you have access to Winternals TCPViewPro, use that instead. It has the advantage of telling you what program is talking on each port...something netstat doesn't do in the Windows world. Recently, Foundstone released a similar tool called FPort that is free.

1. Open an MSDOS window.

2. Close all other programs.

3. Type netstat -an

Fig. 7: A typical netstat display.

4. Examine the second column after the colon. In the listing above, the item of interest in the first line is "80" and in the second line is "135". These are the virtual port numbers by which programs communicate with the outside world. Other computers which want to communicate with your machine must use your IP address plus one of these virtual ports to form the equivalent of a telephone number to find you. In the example above, a personal web server is listening on port 80.

5. If you see the numbers '12345' or '31337', you almost definitely have one of the programs installed (Netbus and Back Orifice respectively). The Netbus port is active below.

Fig 8: netstat display on a machine infected with Netbus.

6. The list above has many additional ports open, which makes it confusing. Most of these ports were caused by having a web and email browser open. To decrease the number of ports you need to examine, it's best to run netstat right after a reboot and before any other applications are started. Many Windows 95/98 machines will only have ports 137, 138, and 139 active for Microsoft file sharing use. If you don't use Microsoft file sharing, turn it off in the network control panel so you don't have those ports open. You can also delete the netbios protocol in the same place. Otherwise, you have to ensure that all open ports are supposed to be open, which requires a familiarity with network protocols and services. Generally, you'll find that these ports are opened by programs that are automatically started in the registry. So the process of validating registry entries is related to the process of validating ports. Sometimes it just boils down to removing registry entries (after copying the information for restoration if needed) and seeing what breaks and what ports no longer open. It's a tedious process.

One helpful hint: if you telnet to a port on which Netbus is listening, it will answer "Netbus v1.x" depending upon the version.
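The following Python script, added here and not part of the report, applies steps 3 through 6 to a constructed netstat -an listing: it parses the rows, keeps only the sockets that are listening, flags the default Netbus and Back Orifice ports named in step 5, and lists every other listener that is not on an allowlist of services you have verified (the allowlist below is an assumption built from the ports the text calls normal).

```python
"""Triage a Windows 'netstat -an' listing as steps 3 to 6 above describe.
Added example, not from the report; the listing below is constructed."""
import re

# Default listening ports the text names for Netbus and Back Orifice.
DEFAULT_TROJAN_PORTS = {12345: "Netbus", 31337: "Back Orifice"}

# Listeners the text treats as normal on a Windows box of that era: a personal
# web server on 80, RPC on 135 and Microsoft file sharing on 137-139. On a real
# machine the allowlist is whatever you have verified is supposed to be running.
EXPECTED_LISTENERS = {
    80: "personal web server",
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
}

# Constructed output in the layout netstat -an prints (header, then one socket
# per row). UDP rows carry no State column.
CONSTRUCTED_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1033       198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# One socket row: protocol, local address:port, foreign address, optional state.
_ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> list[dict]:
    """Turn the listing into one dict per socket; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            proto, local, port, foreign, state = m.groups()
            rows.append({"proto": proto, "local": local, "port": int(port),
                         "foreign": foreign, "state": state or ""})
    return rows


def listening_ports(rows: list[dict]) -> list[tuple[str, int]]:
    """Sockets waiting for inbound traffic: TCP LISTENING plus every UDP
    socket (UDP is connectionless, so netstat shows no state for it)."""
    return sorted({(r["proto"], r["port"]) for r in rows
                   if r["proto"] == "UDP" or r["state"] == "LISTENING"})


def triage(rows: list[dict], expected: dict[int, str] = EXPECTED_LISTENERS) -> dict:
    """Step 5: flag default trojan ports. Step 6: every other listener must be
    explained by a service you authorized, so list the ones that are not."""
    found = listening_ports(rows)
    return {
        "trojan_defaults": {(proto, port): DEFAULT_TROJAN_PORTS[port]
                            for proto, port in found if port in DEFAULT_TROJAN_PORTS},
        "unexplained": [(proto, port) for proto, port in found
                        if port not in expected and port not in DEFAULT_TROJAN_PORTS],
        "expected": [(proto, port) for proto, port in found if port in expected],
    }


if __name__ == "__main__":
    for key, value in triage(parse_netstat(CONSTRUCTED_NETSTAT)).items():
        print(f"{key}: {value}")
```

On the constructed listing the ESTABLISHED browser connection on port 1033 is ignored, TCP 12345 is reported as the Netbus default, and TCP 5000 is left over as a listener that still has to be traced back to an authorized program, which is exactly the tedious part of step 6.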

Resources for default port assignments:

Joakim von Braun's Trojan Database
Network Ice
DosHelp
Internet Assigned Numbers Authority

5.0 ANTI-TROJANS.

Anti-Trojan software is specifically designed to help detect Trojans (not necessarily viruses/worms). Most can be run alongside your chosen antivirus program. However, no trojan scanner is 100% effective, as manufacturers cannot keep up with the rapid change of viruses that happens daily. Be sure to update yours regularly!

5.1 Anti-Trojan

Anti-Trojan 5.5 is a powerful trojan scanner and remover which detects more than 9000 different types of trojan horses. It uses three methods to find them. The first is the portscan, which gives you information if there are open ports on your computer. The second one is the registry scan, which searches through the system registry database for trojans. The third and the most important part is the disk scan. It scans your hard disks for dangerous trojan files and removes them safely.

Supports: Win95/98/ME/NT4/2000/XP
Supports many languages.

5.2 PC Door-Guard

A full-featured, extensive and thorough intrusion scanner that scans any media on your PC for backdoors and trojan horses.

Supports: Win95/98/ME/NT/2000

5.3 PestPatrol

PestPatrol is a utility, similar to anti-virus products, but instead of scanning for viruses it scans for worms and Trojans, even tools and utilities used by hackers and maybe even trusted employees. Used along with anti-virus software, PestPatrol will keep you safe from malicious objects, commonly referred to as Pests. You routinely scan for viruses, why not make PestPatrol part of your daily routine?

Supports: Win95/98/ME/NT/2000/XP

5.4 Tauscan

Trojan Horse detection and removal engine capable of detecting every known type of backdoor that can threaten your system. It works unobtrusively in the background to prevent attack and uses minimal system resources. Its user-friendly interface and innovative features such as drag & drop scan, right-click scan and a setup Wizard were designed to enable novice users to configure the application and use it effectively without the need for any computer literacy on their part.

Supports: Win95/98/ME/NT/2000/XP

5.5 The Cleaner

A unique program that searches out Trojan Horses and cleans them from your system. The Cleaner uses an original process to uniquely identify files. They cannot hide by changing their name or reported file size. They cannot hide by attaching themselves to other programs. They cannot hide.

Supports: Win95/98/ME/NT/2000/XP

6.0 CONCLUSION.

Trojans are malicious programs that claim to be something desirable, but they are much more dangerous than viruses and may steal your data or may damage or erase your disk. So be careful while downloading any document, movie, music file etc. from the internet. It is evident that there will soon be some very sophisticated ways to hide this type of program. If you value your privacy, your computer data, and your reputation, it is imperative to refuse to run unknown executable programs. It is unfortunate that the publishing of these easily used and abused programs has made our computing environment less friendly to sharing and open communication. However, if the programs hadn't been publicized, sneakier people could have used similar tactics without warning.

Almost every existing operating system allows the sort of features that make RCTH programs possible. Operators run programs. Programs open sockets. Programs capture keystrokes. Operating systems provide mechanisms to automatically start programs. The vulnerability that exists is that we (industry wide) use computers that don't have many internal controls. They let us do what we want. Without internal controls, it is up to us to control them. If we don't control them, we'll either have increasingly serious security breaches or the computer industry will go back to locked down mainframe type processing to force automatic controls. I suspect this latest threat will hasten the use of "certified applications", increased access controls to both organizational data and the Internet, locked down desktop configurations, the "Network Computer/Browser/Application Server" architecture, and an increased level of caution associated with our computing environment. Maybe hackers will force us back to terminals (static browsers), mainframes (application servers), and service bureaus (application service providers).


Report Documentation & Accounting Page

Case study Report Code:
Case study Report Number:
Address (Details): Computer Department, Jivram Tukaram Mahajan College of Engineering, Nhavi Marg, Jivram Nagar, P.O. M.S.S.K, Faizpur. Pin – 422 003, Dist: Jalgaon (M.S.) INDIA. E-mail(s): 1) [email protected] 2) [email protected]
Report Title: "Trojan-Horses"
Author [with Address, phone, Email]:
Address: Pin – 425502, Dist: Jalgaon (M.S.) INDIA. Ph(Mob): E-mail: [email protected]
Author Details (Name, Year, Branch, Roll No, Batch): Name: Harshal B Kolambe. Year: Third Year. Branch: Computer Engineering. Roll: 18. Batch: 2010 - 2012
Type Of Report: FINAL
Time Covered (From – To): 25-feb-2011 to 30-feb-2011
Date Of Report (dd-mm-yy):
Page Count: 32
Report Checked By:
Report Checked Date:
Guide's Complete Name: Prof. T.S. Waykole.
Total Copies:
Report Abstract: The main aim of this seminar is to give a brief introduction about the "Trojan Horses". The topics covered in this seminar are: What exactly is a 'Trojan Horse'? Various Trojans, how they work, detection & prevention methods, anti-Trojans etc.