trojan

Malicious code masquerading as or replacing legitimate code. A Trojan Horse is an apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

overt and covert channels
- overt channel (legitimate channel): a legitimate communication path within a computer system, or network, for the transfer of data
- covert channel: a channel that transfers information within a computer system, or network, in a way that violates the security policy
ex: a trojan uses a covert channel to evade detection by security software
...........................
types of trojans:
- remote access trojans
- data-sending trojans
- destructive trojans
- DOS attack trojans
- proxy trojans
- ftp trojans
- security software disablers
...........................
different ways a trojan can get into a system:
- IM applications
- IRC
- via attachments
- physical access
- browser and email software bugs
- netbios
- fake programs
- suspicious sites and freeware software
- downloading files, games, and screensavers from internet sites
- legitimate "shrink-wrapped" software packaged by a disgruntled employee

ps: auto-execution: put the following into autorun.inf
[autorun]
open=setup.exe
icon=setup.exe

ps: run at every boot: add an entry under the following registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
...........................
indications of trojan attack
- the computer slows down, with abnormally heavy disk reads
- abnormal network traffic and connections appear
- the cd-rom tray opens by itself
- the screen flips upside down
- the mouse moves to the upper-right corner by itself and clicks close
ps: hijacklist can detect whether abnormal programs are present
...........................
ports used by trojans
- back orifice: udp 31337 or 31338
- deep throat: udp 2140 and 3150
- netbus: tcp 12345 and 12346
- whack-a-mole: tcp 12361 and 12362
- netbus2: tcp 20034
- girlfriend: tcp 21544
- sockets de troie: tcp 5000, 5001 or 50505
- masters paradise: tcp 3129, 40421, 40422, 40423, and 40426
- devil: tcp 65000
- evil: ftp 23456
- doly trojan: tcp 1011, 1012, 1015
- chargen: udp 9, 19
- stealth spy phaze: tcp 555
- netbios datagram: tcp, udp 138
- sub seven: tcp 6711, 6712, 6713
- icq trojan: tcp 1033
- mstream: udp 9325
- the prayer 1/2: tcp 9999
- online keylogger: udp 49301
- portal of doom: tcp, udp 10067, 10167
- senna spy: tcp 13000
- trojan cow: tcp 2001
ps: netstat -an shows the port state
...........................
classic trojans
- tini: a simple and small (3 KB) backdoor for windows; it listens on tcp port 777
- icmd: supports multiple connections; a password can be set
- netbus: a well-known early trojan, fairly full-featured for its era: it can open the cd-rom, read system files, etc.
- netcat: network administration tool with backdoor functionality
- cryptcat: netcat + encryption
- beast: mainly used for remote administration; this tool generates a server side (the trojan) and a management side
- mosucker: good control features
- sars: the victim sends its ip to the attacker
- proxy server trojan: a small proxy (3 KB) placed on any machine as a relay so the attacker can get online through it
- tinyftpd: opens an ftp service on the victim so the attacker can connect
- vnc trojan: remote control software
...........................
wrapper
A tool used to bind the Trojan with a legitimate file, combining the trojan and a normal program into one.
wrapper tools include:
- one file exe maker: merges two programs
- yet another binder
- pretator wrapper
other tools include:
- wordpad
- remotebymail: controlled via email
- icon plus: changes a program's icon
- restorator: defacing application
- tetris
.....................................................................................
http tunnel
A technique for hiding communications. Common tools:
- http rat: http trojan
- shttpd trojan: http trojan
ps:
- atelier web remote commander
- badluck destructive trojan: a dangerous and destructive tool; once executed it destroys the operating system
- trojan horse construction kit: a trojan generator that produces different trojans according to the options chosen
...........................
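The "ports used by trojans" table above is only useful if it is actually checked against what a host exposes, which is what step 1 of the detection procedure later on the page (netstat, fport, tcpview) does. The following is an added example, not part of the original notes or of any of the tools named here: it parses `netstat -an` output and reports local sockets sitting on ports from the page's table. The netstat output is a constructed sample; chargen, netbios datagram and evil are left out of the lookup table for the reasons given in the comment.

```python
"""Flag sockets in `netstat -an` output that sit on ports from the page's trojan table.

Added example (not from the original notes). The port table is copied from the
list above; the netstat output is a constructed sample.
"""

# (trojan name, protocol, ports) as given in the page's table. chargen (udp 9/19),
# netbios datagram (138) and evil (23456, protocol not given) are left out because
# the first two are also legitimate services and would flag every host.
PORT_TABLE = [
    ("back orifice", "udp", [31337, 31338]),
    ("deep throat", "udp", [2140, 3150]),
    ("netbus", "tcp", [12345, 12346]),
    ("whack-a-mole", "tcp", [12361, 12362]),
    ("netbus2", "tcp", [20034]),
    ("girlfriend", "tcp", [21544]),
    ("sockets de troie", "tcp", [5000, 5001, 50505]),
    ("masters paradise", "tcp", [3129, 40421, 40422, 40423, 40426]),
    ("devil", "tcp", [65000]),
    ("doly trojan", "tcp", [1011, 1012, 1015]),
    ("stealth spy phaze", "tcp", [555]),
    ("sub seven", "tcp", [6711, 6712, 6713]),
    ("icq trojan", "tcp", [1033]),
    ("mstream", "udp", [9325]),
    ("the prayer 1/2", "tcp", [9999]),
    ("online keylogger", "udp", [49301]),
    ("portal of doom", "tcp", [10067, 10167]),
    ("portal of doom", "udp", [10067, 10167]),
    ("senna spy", "tcp", [13000]),
    ("trojan cow", "tcp", [2001]),
    ("tini", "tcp", [777]),          # from the "classic trojans" list
]
TROJAN_PORTS = {(proto, port): name for name, proto, ports in PORT_TABLE for port in ports}

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49731       198.51.100.7:443       ESTABLISHED
  TCP    192.0.2.10:777         198.51.100.9:51020     ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
  UDP    0.0.0.0:31337          *:*
"""


def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign, state) per socket line.

    Handles the Windows layout and the Linux layout (which has Recv-Q/Send-Q
    columns after Proto) and IPv6 addresses in brackets.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        proto = parts[0].lower()
        if proto.startswith("tcp"):
            proto = "tcp"
        elif proto.startswith("udp"):
            proto = "udp"
        else:
            continue  # header lines, "Active Connections", etc.
        if len(parts) > 3 and parts[1].isdigit() and parts[2].isdigit():
            parts = [parts[0]] + parts[3:]  # drop Linux Recv-Q / Send-Q columns
        if len(parts) < 3:
            continue
        local_ip, _, local_port = parts[1].rpartition(":")
        if not local_port.isdigit():
            continue  # wildcard such as "*:*"
        state = parts[3] if len(parts) > 3 else ""
        rows.append((proto, local_ip, int(local_port), parts[2], state))
    return rows


def flag_trojan_ports(text):
    """Return (proto, port, trojan name, state) for local sockets on known ports."""
    hits = []
    for proto, _ip, port, _foreign, state in parse_netstat(text):
        name = TROJAN_PORTS.get((proto, port))
        if name is None:
            continue
        # UDP has no state; for TCP only count a listener or a live session.
        if proto == "udp" or state.startswith("LISTEN") or state == "ESTABLISHED":
            hits.append((proto, port, name, state))
    return hits


if __name__ == "__main__":
    for proto, port, name, state in flag_trojan_ports(SAMPLE_NETSTAT):
        print(f"{proto}/{port:<5} {state:<12} matches {name}")
```

On the constructed sample this reports netbus on tcp/12345, tini on tcp/777 and back orifice on udp/31337, and stays quiet on 135, 445 and 123. A port match is a lead, not a verdict: a trojan can be configured to any port, and a host-based listing is only as honest as the host it runs on, so the match should be confirmed from the network side (step 4 of the detection procedure) and by identifying the owning process (step 2).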
icmp tunneling
A technique for hiding communications; it uses icmp echo-request and echo-reply.
icmp backdoor trojan loki: uses icmp and is hard to detect.
ps: loki countermeasures
1. external icmp_echo traffic should be disabled completely
2. this does have serious implications for normal network management, since it affects network communication management within the local segment. this is configured to permit internal ping traffic and block and disable the packets coming from outside
3. disable icmp_echo_reply traffic on a cisco router; security implications make this a prudent choice
4. ensure that the routers are configured not to send icmp_unreachable error packets to hosts that do not respond to arps
ps: loki also has the option to run over udp port 53
...........................
reverse connecting trojans
Trojans that connect back: the infected victim connects to a port specified by the attacker, and the system may judge this to be normal because the connection is initiated from the user's side.
tools include:
- nuclear rat trojan
- CCTT (covert channel tunneling tool)
- windows reverse shell
- perl-reverse-shell
- winarp_mim: a small trojan that uses arp attacks
XSS tunneling
A SCRIPT snippet is inserted into a web page; when the victim browses the page, the attacker gains control.
tools:
- xss shell tunnel: web interface
- xss tunnel: uses the .net framework
.....................................................................................
miscellaneous trojans:
- backdoor.theef
- t2w
- downtroj
- turkojan
- trojan.satellite-rat
- yakoza
- trojan.hav-rat
- PI (poison ivy): mainly used for remote administration; supports reverse connection; multi-functional, with plug-ins; once modified it is very hard to detect
- rapid hacker
- shark
- hackerzrat
- optix pro
- proagent
- od client
- acerat
- mhacker-ps
- rubyrat public
- consoledevil
- zombierat
- webcam trojan: specifically controls the webcam
- dji rat
- skiddie rat
- biohazard rat
- troya
- prorat
- dark girl
- dacryptic
- net-devil
- pokerstealer.a
- hovdy.a
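The loki countermeasures above are all about blocking echo traffic, which is often not acceptable inside a network segment. The detection counterpart rests on a property of the protocol itself: a genuine echo reply mirrors the request payload byte for byte, and the standard ping tools send recognisable payloads of a known size, so echo traffic that carries data cannot satisfy all three at once. The following is an added example, not from the original notes and not taken from loki or any other tool named on the page: it parses raw ICMP echo messages, verifies their checksums and applies those consistency checks to a set of packets constructed in the file. The "standard payload" patterns are those of the Windows and Linux ping commands; nothing here sends traffic.

```python
"""Consistency checks for ICMP echo traffic, the carrier used by loki-style tunnels.

Added example (not from the original notes). Packets are constructed in this
file; the "standard payload" patterns are those of the Windows and Linux ping
tools. Nothing here sends traffic.
"""
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0
# Default ping payloads: Windows sends this 32-byte alphabet; Linux sends an
# 8-byte timestamp followed by bytes 0x10, 0x11, 0x12, ...
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data):
    """RFC 1071 ones'-complement checksum; returns 0 for a packet that verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Build an ICMP echo message (used here only to create sample packets)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(pkt):
    """Split an ICMP message into its header fields and payload."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "ident": ident, "seq": seq,
            "payload": pkt[8:], "checksum_ok": icmp_checksum(pkt) == 0}


def looks_like_standard_ping(payload):
    """True for the default Windows payload or the Linux timestamp+pattern payload."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    body = payload[8:]  # skip the Linux timestamp
    return len(payload) >= 16 and body == bytes((0x10 + i) & 0xFF for i in range(len(body)))


def audit_icmp(packets, max_payload=64):
    """Return (ident, seq, reason) findings. A genuine echo reply mirrors its
    request byte for byte; a tunnel that carries data in the reply cannot."""
    parsed = [parse_icmp(p) for p in packets]
    requests = {(m["ident"], m["seq"]): m for m in parsed if m["type"] == ECHO_REQUEST}
    findings = []
    for m in parsed:
        key = (m["ident"], m["seq"])
        if not m["checksum_ok"]:
            findings.append(key + ("bad checksum",))
        if m["type"] == ECHO_REQUEST:
            if len(m["payload"]) > max_payload:
                findings.append(key + ("oversized echo request payload",))
            elif not looks_like_standard_ping(m["payload"]):
                findings.append(key + ("non-standard echo request payload",))
        elif m["type"] == ECHO_REPLY:
            req = requests.get(key)
            if req is None:
                findings.append(key + ("unsolicited echo reply",))
            elif req["payload"] != m["payload"]:
                findings.append(key + ("echo reply payload differs from request",))
    return findings


# Constructed sample capture: two normal ping exchanges, then traffic shaped the
# way a covert channel over echo would be.
LINUX_PING_PAYLOAD = struct.pack("!Q", 1700000000) + bytes(range(0x10, 0x10 + 48))
SAMPLE_PACKETS = [
    build_echo(ECHO_REQUEST, 1, 1, WINDOWS_PING_PAYLOAD),
    build_echo(ECHO_REPLY, 1, 1, WINDOWS_PING_PAYLOAD),
    build_echo(ECHO_REQUEST, 2, 1, LINUX_PING_PAYLOAD),
    build_echo(ECHO_REPLY, 2, 1, LINUX_PING_PAYLOAD),
    build_echo(ECHO_REQUEST, 3, 7, b"CONSTRUCTED-NON-PING-DATA-0001"),
    build_echo(ECHO_REPLY, 3, 7, b"CONSTRUCTED-DIFFERENT-REPLY-DATA"),
    build_echo(ECHO_REPLY, 4, 1, WINDOWS_PING_PAYLOAD),   # reply with no request
    build_echo(ECHO_REQUEST, 5, 1, b"A" * 512),           # far larger than any ping default
]

if __name__ == "__main__":
    for ident, seq, reason in audit_icmp(SAMPLE_PACKETS):
        print(f"id={ident} seq={seq}: {reason}")
```

The two normal exchanges produce no findings; the constructed tunnel-shaped traffic is reported for a non-standard request payload, a reply that does not mirror its request, an unsolicited reply and an oversized request. The same idea, compare each reply against the request it claims to answer, is what a network sensor on a mirror port can apply without disabling echo at all, which addresses the management concern in countermeasure 2. It says nothing about the udp/53 mode mentioned for loki; that needs DNS-level checks instead.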
.....................................................................................
detecting trojans
1. scan for suspicious open ports
   tools: netstat, fport, tcpview, currports
2. scan for suspicious running processes
   tools: process viewer/process explorer, what's on my computer, super system helper, inzider, what's running
3. scan for suspicious registry entries
   tools: msconfig, autoruns, hijack this (analyses the startup process and can upload the log for analysis), startup list
4. scan for suspicious network activities
   tool: ethereal
5. run a trojan scanner to detect trojans
   common anti-trojan software: trojan hunter, comodo boclean, xsoftspyse, spyware doctor, spywarefighter
   others: trojan guard, zonealarm-f, winpatrol, leaktest, kerio personal firewall, sub-net, tavscan, spybot search & destroy, anti trojan cleaner, vba32 (strong unpacking capability)
........................
anti-virus evasion techniques
- never use trojans from the wild
- write your own trojan and embed it into an application
- change the trojan's syntax, ex: convert an exe to a doc file
- change the checksum
- change the content of the trojan using a hex editor
- break the trojan file into multiple pieces
tool to evade anti-trojan/anti-virus: stealth tools
.....................................................................................
countermeasures
- educate users not to install applications downloaded from the internet and email attachments
- use tools: tripwire, sigverif.exe (system file verification), sfc.exe (system file checker), md5sum.exe, windows defender
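tripwire and md5sum.exe in the countermeasures list both rest on one idea: record a digest of every file while the system is trusted, keep that baseline where the host cannot rewrite it, and compare a fresh scan against it later. That catches a wrapped binary that replaced a legitimate one, a dropped autorun.inf and a deleted file, even when the replacement keeps the original size and timestamp, which is why the evasion items above ("change the checksum", "hex editor") do not help against a cryptographic hash. The following is an added example, not from the original notes and not tripwire's or md5sum's own code: a minimal baseline-and-compare tool using SHA-256, run against a directory tree and tampering constructed inside the file.

```python
"""Tripwire/md5sum-style file integrity baseline (added example, not from the notes).

A baseline of per-file digests is taken while the system is trusted, kept
somewhere the host cannot rewrite it, and compared against a fresh scan later.
The directory tree and file contents below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative, '/'-separated) to size and digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full), "sha256": hash_file(full)}
    return baseline


def compare_baseline(old, new):
    """Classify differences between a stored baseline and a fresh scan."""
    old_paths, new_paths = set(old), set(new)
    common = old_paths & new_paths
    changed = sorted(p for p in common if old[p]["sha256"] != new[p]["sha256"])
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": changed,
        # Same length but different bytes: a size or timestamp check alone misses these.
        "modified_same_size": [p for p in changed if old[p]["size"] == new[p]["size"]],
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Baseline a constructed tree, tamper with it, and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/setup.exe", b"legit-installer-v1")
        _write(root, "bin/readme.txt", b"read me")
        _write(root, "system/config.ini", b"[settings]\nlevel=1\n")
        # Store the trusted baseline as JSON (in practice: offline or read-only media).
        stored = json.dumps(build_baseline(root))

        # Simulated tampering: same-size content change, a new autorun.inf, a deletion.
        _write(root, "bin/setup.exe", b"legit-installer-v2")
        _write(root, "autorun.inf", b"[autorun]\nopen=setup.exe\n")
        os.remove(os.path.join(root, "bin/readme.txt"))

        return compare_baseline(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The demo reports autorun.inf as added, bin/readme.txt as removed and bin/setup.exe as modified although its size did not change. The value of the approach depends entirely on the baseline being taken from a known-clean state and stored out of reach of the host; sfc.exe and sigverif.exe sidestep that problem for system files by checking against vendor signatures instead of a locally made baseline.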