trojan and backdoor

trojan
Malicious code masquerading as or replacing legitimate code
A Trojan horse is an apparently useful and innocent program that contains additional hidden code allowing the unauthorized collection, exploitation, falsification, or destruction of data

overt and covert channels
overt channel (legitimate channel): a legitimate communication path within a computer system or network for the transfer of data
covert channel (hidden channel): a channel that transfers information within a computer system or network in a way that violates the security policy
ex: a trojan uses a covert channel to evade detection by security software

………………………

types of trojans:
remote access trojans
data-sending trojans
destructive trojans
DoS attack trojans
proxy trojans
ftp trojans
security software disablers

………………………

different ways a trojan can get into a system:
IM applications
IRC
via attachments
physical access
browser and email software bugs
netbios
fake programs
suspicious sites and freeware software
downloading files,games,and screensavers from internet sites
legitimate “shrink-wrapped” software packaged by a disgruntled employee

ps:
auto-execution
place the following in autorun.inf
[autorun]
open=setup.exe
icon=setup.exe

ps:
run at every boot
add an entry under the following registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services

………………………

indications of a trojan attack
the computer slows down and shows abnormally heavy disk reads
abnormal network traffic and connections appear
the cd-rom tray opens by itself
the screen flips upside down
the mouse moves to the top-right corner by itself and clicks close

ps: hijacklist can detect whether abnormal programs are present
………………………

ports used by trojans
back orifice: udp 31337 or 31338
deep throat: udp 2140 and 3150
netbus: tcp 12345 and 12346
whack-a-mole: tcp 12361 and 12362
netbus2: tcp 20034
girlfriend: tcp 21544
sockets de troie: tcp 5000, 5001 or 50505
masters paradise: tcp 3129, 40421, 40422, 40423, and 40426
devil: tcp 65000
evil ftp: tcp 23456
doly trojan: tcp 1011, 1012, 1015
chargen: udp 9, 19
stealth spy phaze: tcp 555
netbios datagram: tcp, udp 138
sub seven: tcp 6711, 6712, 6713
icq trojan: tcp 1033
mstream: udp 9325
the prayer 1/2: tcp 9999
online keylogger: udp 49301
portal of doom: tcp, udp 10067, 10167
senna spy: tcp 13000
trojan cow: tcp 2001

ps: netstat -an shows the state of each port
………………………

classic trojans
tini: a simple and small (3 KB) backdoor for windows; it listens on tcp port 777
icmd: supports multiple connections and can be password-protected
netbus: an early, well-known trojan; fairly full-featured for its time (opens the cd-rom tray, reads system files, etc.)
netcat: a network administration tool with backdoor capability
cryptcat: netcat + encryption
beast: mainly for remote administration; the tool generates a server component (the trojan) and a controller component
mosucker: good control functionality
sars: the victim sends its ip address to the attacker
proxy server trojan: a small proxy (3 KB) placed on any machine as a relay so the attacker can reach the internet through it
tinyftpd: opens an ftp server on the victim for the attacker to connect to
vnc trojan: remote control software

………………………

wrapper
A tool used to bind a Trojan to a legitimate file
i.e. it merges the trojan with a normal program

wrapper tools include:
one file exe maker: merges two programs into one
yet another binder
pretator wrapper

other tools include:
wordpad
remotebymail: controlled via email
icon plus: changes a program's icon
restorator: defacing application
tetris

………………………………………………………………………….

http tunnel
a technique for hiding communication
common tools include:
http rat: http trojan
shttpd trojan: http trojan

ps:
atelier web remote commander
badluck destructive trojan: a dangerous and destructive tool; once executed it destroys the operating system
trojan horse construction kit: a trojan generator that produces different trojans depending on the options chosen

………………………

icmp tunneling
a technique for hiding communication
uses icmp echo-request and echo-reply

icmp backdoor trojan
loki: uses icmp and is hard to detect

ps
loki countermeasures
1 external icmp_echo traffic should be disabled completely
2 this does have serious implications for normal network management, since it affects network communication management within the local segment. this is configured to permit internal ping traffic and to block the packets coming from outside
3 disable icmp_echo_reply traffic on a cisco router; the security implications make this a prudent choice
4 ensure that the routers are configured not to send icmp_unreachable error packets to hosts that do not respond to arps
ps:
loki also has the option to run over udp port 53
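ps: the countermeasures above block echo traffic outright. Where ping has to stay enabled, a network sensor can instead check that echo traffic behaves like ping. The following is an added example, not code from these notes or from loki: it constructs sample ICMP messages and flags echo requests whose payload is not a stock ping pattern, replies that carry a different payload than their request (a real reply echoes the request byte for byte), unsolicited replies, and oversized payloads. The baseline payload patterns (the 32-byte alphabet sent by Windows ping, and iputils' timestamp followed by an offset counter) are assumptions made here, not stated in the notes.

```python
"""Heuristic detector for ICMP echo tunnels of the loki kind.

Added example; not part of the original notes. It does not sniff anything:
the packets it inspects are constructed below with build_echo(). Baseline
assumptions (made here, not stated in the notes): stock Windows ping sends the
32-byte alphabet payload, and iputils ping sends a timestamp followed by bytes
equal to their offset in the ICMP message.
"""
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when run over a packet whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Construct an ICMP echo request/reply (used only to create sample traffic)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def is_stock_ping_payload(payload):
    """True if the payload looks like what an unmodified ping tool sends (assumed baselines)."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # iputils: up to 16 bytes of timestamp, then each data byte equals its
    # offset within the ICMP message (payload offset k -> value k + 8).
    if len(payload) >= 24:
        return all(b == (k + 8) & 0xFF for k, b in enumerate(payload[16:], start=16))
    return False


class EchoTunnelDetector:
    """Tracks echo requests by (id, seq) and reports echo traffic that does not behave like ping."""

    def __init__(self, max_payload=128):
        self.max_payload = max_payload
        self.pending = {}  # (ident, seq) -> request payload

    def inspect(self, packet):
        """Return a list of findings for one ICMP message; an empty list means it looks like normal ping."""
        if len(packet) < 8 or icmp_checksum(packet) != 0:
            return ["malformed icmp (short or bad checksum)"]
        itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
        if itype not in (ECHO_REQUEST, ECHO_REPLY):
            return []  # other ICMP types are out of scope here
        payload = packet[8:]
        findings = []
        if len(payload) > self.max_payload:
            findings.append("oversized echo payload (%d bytes)" % len(payload))
        if itype == ECHO_REQUEST:
            if not is_stock_ping_payload(payload):
                findings.append("echo request payload does not match a stock ping pattern")
            self.pending[(ident, seq)] = payload
        else:
            request = self.pending.pop((ident, seq), None)
            if request is None:
                findings.append("echo reply without a matching request")
            elif request != payload:
                # a genuine reply echoes the request payload byte for byte
                findings.append("echo reply payload differs from request")
        return findings


def demo_traffic():
    """Constructed sample: one normal Windows ping exchange, then one exchange carrying different data each way."""
    normal_req = build_echo(ECHO_REQUEST, 0x1234, 1, WINDOWS_PING_PAYLOAD)
    normal_rep = build_echo(ECHO_REPLY, 0x1234, 1, WINDOWS_PING_PAYLOAD)
    tunnel_req = build_echo(ECHO_REQUEST, 0x4242, 7, b"constructed tunnel data, client side".ljust(64, b"\x00"))
    tunnel_rep = build_echo(ECHO_REPLY, 0x4242, 7, b"constructed tunnel data, server side".ljust(64, b"\x00"))
    return [normal_req, normal_rep, tunnel_req, tunnel_rep]


def run_demo():
    detector = EchoTunnelDetector()
    return [detector.inspect(p) for p in demo_traffic()]


if __name__ == "__main__":
    for i, findings in enumerate(run_demo(), 1):
        print("packet %d: %s" % (i, findings or "looks like ping"))
```

A tunnel that copies the stock payload exactly still passes the pattern check, so the reply-mismatch check and the volume of echo traffic per host are the more robust signals; and since loki can also run over udp 53 (noted above), the same idea applies to DNS, where responses with no matching query deserve the same attention.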
………………………

reverse connecting trojans
trojans that connect back to the attacker
the infected victim connects out to a port the attacker specifies; the system may treat this as normal because the connection is initiated from the user's side
tools include:
nuclear rat trojan
CCTT (covert channel tunneling tool)
windows reverse shell
perl-reverse-shell
winarp_mim: a small trojan that uses arp attacks

XSS tunneling
a SCRIPT is inserted into a web page; when the victim browses the page the attacker gains control
tools include:
xss shell tunnel: web interface
xss tunnel: uses the .net framework

………………………………………………………………………….


miscellaneous trojans:
backdoor.theef
t2w
downtroj
turkojan
trojan.satellite-rat
yakoza
trojan.hav-rat
PI (poison ivy): mainly used for remote administration; supports reverse connection, is multi-functional, has plug-ins, and is hard to detect once modified
rapid hacker
shark
hackerzrat
optix pro
proagent
od client
acerat
mhacker-ps
rubyrat public
consoledevil
zombierat
webcam trojan: dedicated to controlling the webcam
dji rat
skiddie rat
biohazard rat
troya
prorat
dark girl
dacryptic
net-devil
pokerstealer.a
hovdy.a

…………………………………………………………………………………………………………………………………………….


detecting trojans
1
scan for suspicious open ports
usable tools
netstat
fport
tcpview
currports

2
scan for suspicious running processes
usable tools include
process viewer/process explorer
what’s on my computer
super system helper
inzider
what’s running

3
scan for suspicious registry entries
usable tools:
msconfig
autoruns
hijack this: analyzes the startup process and uploads the log for analysis
startup list

4
scan for suspicious network activities
usable tool: ethereal

5
run a trojan scanner to detect trojans
common anti-trojan software includes
trojan hunter
comodo boclean
xsoftspyse
spyware doctor
spywarefighter

others include
trojan guard
zonealarm-f
winpatrol
leaktest
kerio personal firewall
sub-net
tavscan
spybot search & destroy
anti trojan
cleaner
vba32: strong unpacking capability
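ps: a worked check for step 1 above, run against the trojan port list given earlier in these notes. This is an added example, not part of the original notes: it parses constructed netstat -an output (Windows layout) and flags local ports that appear in that list. The port table is copied from the list above and is not exhaustive; the sample output is made up.

```python
"""Check netstat -an output against the trojan port list in these notes.

Added example; not part of the original notes. The netstat output below is
constructed. The port table is copied from the list above (not exhaustive).
"""
import re

# (protocol, port) -> trojan name, taken from the port list in these notes
TROJAN_PORTS = {
    ("udp", 31337): "back orifice", ("udp", 31338): "back orifice",
    ("udp", 2140): "deep throat", ("udp", 3150): "deep throat",
    ("tcp", 12345): "netbus", ("tcp", 12346): "netbus",
    ("tcp", 12361): "whack-a-mole", ("tcp", 12362): "whack-a-mole",
    ("tcp", 20034): "netbus2",
    ("tcp", 21544): "girlfriend",
    ("tcp", 5000): "sockets de troie", ("tcp", 5001): "sockets de troie",
    ("tcp", 50505): "sockets de troie",
    ("tcp", 65000): "devil",
    ("tcp", 777): "tini",
    ("tcp", 6711): "sub seven", ("tcp", 6712): "sub seven", ("tcp", 6713): "sub seven",
    ("tcp", 1033): "icq trojan",
    ("tcp", 9999): "the prayer 1/2",
    ("tcp", 2001): "trojan cow",
}

# One row of Windows "netstat -an": proto, local addr:port, foreign addr, optional state.
# UDP rows have no state column, so the last group is optional.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$", re.I)

# Constructed sample output (not a real capture)
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1033      203.0.113.7:80         ESTABLISHED
  TCP    192.168.1.10:777       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:123            *:*
"""


def parse_netstat(text):
    """Yield (proto, local_port, state) for each connection row; header lines are skipped."""
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, _local, port, _foreign, state = m.groups()
            yield proto.lower(), int(port), state or "-"


def find_trojan_ports(text, listening_only=False):
    """Return [(proto, port, state, name)] for rows whose local port is in TROJAN_PORTS.

    listening_only=True drops TCP rows that are not LISTENING, which removes the
    usual false positive: an outbound client connection whose ephemeral local
    port happens to coincide with a trojan port.
    """
    hits = []
    for proto, port, state in parse_netstat(text):
        name = TROJAN_PORTS.get((proto, port))
        if name is None:
            continue
        if listening_only and proto == "tcp" and state.upper() != "LISTENING":
            continue
        hits.append((proto, port, state, name))
    return hits


if __name__ == "__main__":
    for hit in find_trojan_ports(SAMPLE_NETSTAT):
        print("%-3s %-6d %-12s %s" % hit)
```

The 1033 hit in the sample is an outbound connection to port 80 whose ephemeral local port happens to be on the list; with listening_only=True it is dropped. A port match alone is weak evidence either way, since most trojans let the port be changed, so treat the list as a starting point and confirm with the step 2 tools (fport and tcpview map a port to the process that owns it).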

……………………

anti-virus evasion techniques
never use trojans from the wild
write your own trojan and embed it into an application
change the trojan’s syntax, ex: convert an exe to a doc file
change the checksum
change the content of the trojan using hex editor
break the trojan file into multiple pieces

tools for evading anti-trojan/anti-virus software:
stealth tools

………………………………………………………………………….


countermeasures
educate users not to install applications downloaded from the internet or received as email attachments

use tools:
tripwire
sigverif.exe:system file verification
sfc.exe:system file checker
md5sum.exe
windows defender
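ps: tripwire and md5sum work by recording a hash of every file in a known-good state and reporting what has changed later, which is how a wrapped or replaced program is caught after the fact. The following is an added example, not code from these notes or from tripwire: it builds such a baseline over a constructed temporary directory, simulates a replaced setup.exe, a dropped file and a deleted file, and reports the differences. SHA-256 is used rather than MD5 because MD5 collisions are practical.

```python
"""Baseline-and-compare file integrity check (the idea behind tripwire / md5sum above).

Added example; not part of the original notes. The directory and the
"tampering" are constructed inside a temporary folder so it runs anywhere.
SHA-256 is used instead of MD5: MD5 collisions are practical, so an attacker
can produce a replacement file with the same MD5 as the original.
"""
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Map every file under root (relative path, '/' separators) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full, algo)
    return baseline


def compare_baseline(old, new):
    """Return the files added, removed and modified between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline a folder, then simulate a wrapper-style
    replacement of setup.exe, a dropped file, and a deleted file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        originals = {
            "bin/setup.exe": b"legitimate installer",
            "bin/readme.txt": b"documentation",
            "bin/old.dll": b"library",
        }
        for rel, data in originals.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        before = build_baseline(root)

        # tampering: same file name with different content, a new file, a removed file
        with open(os.path.join(root, "bin/setup.exe"), "wb") as f:
            f.write(b"legitimate installer plus hidden code")
        with open(os.path.join(root, "bin/extra.exe"), "wb") as f:
            f.write(b"dropped file")
        os.remove(os.path.join(root, "bin/old.dll"))
        after = build_baseline(root)

        return compare_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind, ", ".join(paths) or "-"))
```

The baseline itself has to live somewhere the monitored system cannot write to (read-only media or another host): a trojan that can replace files can just as easily rewrite a hash list kept beside them. sigverif.exe and sfc.exe cover Windows' own system files without a locally kept baseline, since they verify the files against their signatures and protected copies instead.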