What is a trojan?


A Trojan Report and Analysis of BO2K, NetBus 1.7, and Sub7 Legends
Mike Ware 11/30/04
What is a trojan?

- Any program that overtly does one thing but covertly does something else in a malicious manner.
- Normally provides remote access to a victim's computer.
- Not considered a virus because it does not self-propagate.
- Not considered a worm because it does not automatically spread from one computer to the next over a network.
- Back Orifice, NetBus, and Sub7 are three very popular trojan horses.
Why is a trojan a security threat?

- A trojan cannot install itself. It must be executed by the user.
- Many users are non-technical individuals and are unaware of their system's activity.
- Detection is difficult. Most trojans are designed to run invisibly to the victim by removing themselves from the process list and hiding their system "footprint".
- A successful trojan attack opens a virtual channel to the victim's file system, registry, process list, service list, and other OS structures.
- Anti-virus and other virus monitoring software will only detect and remove the trojan if its signature is known.
- Recovering from information theft and costs due to down time from denial-of-service attacks is burdensome.
Overview of BO2K, NetBus 1.7, and Sub7 Legends

- All three were developed by the underground hacking community as RATs (remote access tools).
  - Cult of the Dead Cow (cDc) developed BO2K (first version released Aug 1998).
  - Mobman developed Sub7 Legends (first version released May 1999).
  - Carl-Fredrik Neikter developed NetBus 1.7 (first version released Mar 1998).
- All three have the same architecture, which consists of a server and a client.
  - Attacker uses the client to control any remote machine that has the server installed.
  - Server is stored on the victim's machine and, once installed, waits for a probe from the client to establish a connection.
- Victim must execute the malicious trojan file.
  - The trojan will normally disguise itself as an appealing program (video, music, game, etc.) or attach itself to a legitimate program that, when run, installs both the legitimate application and the attached trojan without the user's knowledge (setup package or self-extracting zip files).
Compare/Contrast Initial Actions

Similarities
- All three copy themselves to some other location. Sub7 Legends and NetBus 1.7 place a copy in the Windows directory while BO2K places a copy in Windows\System32.
- If configured to do so, all three create registry entries in the auto-run startup keys so they execute each time Windows is loaded.
- All three disconnect from the original file and execute the planted second copy.
- All three open some port.

Differences
- filename of the server file
- number and names of other files created and used by the server
- number, type, name, and location of created registry edits
- server port usage
Connection Method

- Attacker only needs to know the IP address of the victim.
- BO2K
  - Can password protect the server using 3DES or XOR encryption.
- NetBus 1.7
  - Can password protect the server.
  - Can be notified of the victim's connection using a specified SMTP engine.
- Sub7 Legends
  - Can password protect the server.
  - Attacker can be notified by ICQ, IRC, or email.
Operational Capabilities

- Once connected, the attacker has full access to the victim's operating system functionality.
- File system manipulation
  - find/delete/view/move/rename/copy files
  - create/delete directories
  - download/upload files
- Key logging ability
  - BO2K logs to a viewable file while Sub7 and NetBus log "real-time".
- Port redirection
  - Allows the attacker to send input to another machine using the victim's machine.
- System functions
  - View, kill, start processes
  - View and close active windows
  - Mouse control (move/hide pointer, enable trails, reverse buttons)
  - Perform system shutdown, log off, restart, and power off
Other Interesting Features

Sub7 and BO2K:
- registry manipulation:
  - create/delete/rename keys
  - set/get/delete/rename values
  - enumerate keys and values
- screen or web/video capture; tap PC microphone
- complete server control
  - change startup method, server filename, port usage, or remove the server entirely.

Sub7:
- hide/show desktop, start button, and taskbar
- flip screen horizontally/vertically
- mess with CTRL-ALT-DEL, NUM LOCK, SCROLL LOCK, CAPS LOCK

BO2K:
- XOR and 3DES encryption for client/server communication.
- ability to enhance its functionality through plug-ins (has a software development kit).
BO2K Attack Footprint on XP SP1

- File mods:
  - c:\windows\system32\UMGR32.EXE (112 KB)
  - Original trojan file remains at its original location if it doesn't delete itself.
- Netstat reports:
  - TCP 54320 by default
  - possibly UDP 54321
- Task Manager will report the name of the running server as a process:
  - UMGR32.EXE
NetBus 1.7 Attack Footprint on XP SP1

- File mods:
  - c:\windows\patch.exe (483 KB) => running server
  - c:\windows\KeyHook.dll (54 KB) => key logging functions
  - c:\windows\Memo.txt => attacker note-taking
  - c:\windows\Hosts.txt => host connection log
  - c:\windows\IP.txt => server IP log
  - c:\windows\Patch.ini => server configuration info
- Registry mods:
  - HKCU\NETBUS
    - HKCU\NETBUS\Settings
  - HKCU\Patch
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    - value: "PATCH"="c:\windows\patch.exe"
- Netstat reports two open TCP ports: 12345 and 12346
Sub7 Legends Attack Footprint on XP SP1

- File mods:
  - c:\windows\server.com (364 KB)
  - Original trojan file remains at its original location if it doesn't delete itself.
- Registry mods:
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    - value: "WinLoader"="c:\windows\server.com"
- Netstat reports open TCP port 27374 by default
- Task Manager will report the name of the running server as a process:
  - server.com
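The three footprint slides above list the files, auto-run registry values and ports each server leaves behind on XP SP1. The script below is an added example (not part of Mike Ware's presentation) that turns those indicators into an offline check: it parses text in the layout of `netstat -an` and of a `.reg` export of the Run and RunServices keys, and reports matches against the slides' file names, value names and ports. The sample input is constructed, the value name "Remote Admin" used for the BO2K entry is an assumption (the slides do not give BO2K's auto-run value name), and all function names are my own.

```python
"""Offline footprint check for the BO2K, NetBus 1.7 and Sub7 Legends
indicators listed on the footprint slides (added example, not the
presentation's own code). Input is constructed text in the layout of
`netstat -an` output and a .reg export of the Run / RunServices keys."""
import re
from typing import Iterable, List, Tuple

# (protocol, local port) -> trojan that uses it by default, per the slides.
TROJAN_PORTS = {
    ("TCP", 54320): "BO2K (default)",
    ("UDP", 54321): "BO2K (possible UDP channel)",
    ("TCP", 12345): "NetBus 1.7",
    ("TCP", 12346): "NetBus 1.7",
    ("TCP", 27374): "Sub7 Legends (default)",
}
# Planted server files from the footprint slides (lower-case for matching).
TROJAN_FILES = {
    r"c:\windows\system32\umgr32.exe": "BO2K server",
    r"c:\windows\patch.exe": "NetBus 1.7 server",
    r"c:\windows\keyhook.dll": "NetBus 1.7 key-logging DLL",
    r"c:\windows\server.com": "Sub7 Legends server",
}
# Auto-run value names the slides attribute to each trojan.
TROJAN_AUTORUN_NAMES = {"patch": "NetBus 1.7", "winloader": "Sub7 Legends"}
AUTORUN_KEY_SUFFIXES = ("\\run", "\\runservices")

_NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$", re.I)
_REG_KEY = re.compile(r"^\[(.+)\]\s*$")
_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def trojan_ports_from_netstat(netstat_output: str) -> List[Tuple[str, int, str]]:
    """Return (proto, port, label) for each local socket on a known trojan port.
    TCP sockets count only in LISTENING state; UDP lines carry no state column."""
    hits = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, port = m.group(1).upper(), int(m.group(2))
        state = (m.group(3) or "").upper()
        if proto == "TCP" and state != "LISTENING":
            continue
        label = TROJAN_PORTS.get((proto, port))
        if label:
            hits.append((proto, port, label))
    return hits


def suspicious_autoruns(reg_export: str) -> List[Tuple[str, str, str, str]]:
    """Walk a .reg export and return (key, value_name, command, label) for every
    Run/RunServices value whose program is a known server file or whose value
    name matches one the slides list."""
    hits, key = [], None
    for line in reg_export.splitlines():
        km = _REG_KEY.match(line)
        if km:
            key = km.group(1)
            continue
        vm = _REG_VALUE.match(line)
        if not vm or key is None or not key.lower().endswith(AUTORUN_KEY_SUFFIXES):
            continue
        name = vm.group(1)
        command = re.sub(r"\\(.)", r"\1", vm.group(2))  # undo .reg escaping of \\ and \"
        # The program is the quoted span if the command starts with a quote, else the first token.
        exe = command[1:].split('"', 1)[0] if command.startswith('"') else (command.split() or [""])[0]
        label = TROJAN_FILES.get(exe.lower()) or TROJAN_AUTORUN_NAMES.get(name.lower())
        if label:
            hits.append((key, name, command, label))
    return hits


def trojan_processes(image_names: Iterable[str]) -> List[Tuple[str, str]]:
    """Match running image names (as Task Manager shows them) against the
    server file names from the footprint slides."""
    by_basename = {path.rsplit("\\", 1)[-1]: label for path, label in TROJAN_FILES.items()}
    return [(n, by_basename[n.lower()]) for n in image_names if n.lower() in by_basename]


# Constructed sample (not a real capture) in the layout of `netstat -an` on XP.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:54320          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1041      192.168.1.1:80         ESTABLISHED
  TCP    192.168.1.10:27374     192.168.1.20:1043      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:54321          *:*
"""

# Constructed .reg export of the two auto-run keys named on the slides.
# "Remote Admin" is an assumed value name; the slides do not give BO2K's.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"PATCH"="c:\\windows\\patch.exe"
"Remote Admin"="\"c:\\windows\\system32\\UMGR32.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WinLoader"="c:\\windows\\server.com"
'''

if __name__ == "__main__":
    for hit in trojan_ports_from_netstat(SAMPLE_NETSTAT):
        print("port   ", hit)
    for hit in suspicious_autoruns(SAMPLE_REG):
        print("autorun", hit)
    for hit in trojan_processes(["explorer.exe", "UMGR32.EXE", "server.com"]):
        print("process", hit)
```

On a real machine the inputs would come from `netstat -an`, from `reg export` of the two Run keys, and from the image names in Task Manager. A port or value-name match on its own is only a lead, since any program can bind these ports or reuse these names; the file path is the stronger indicator, and the slides' point that a configured server can change its filename, port and startup method is exactly why a check like this catches only the default build.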
Cyberspace Security Implications

- Ability to remotely control the OS makes a trojan attack far more dangerous than a typical virus or worm.
- Risks of information theft and malicious activity:
  - theft of passwords
  - theft of product designs (this can be crucial to a company)
  - theft of medical, financial, and other personal data
  - interception of email, chat, and video content
  - attacker can plant incriminating data on the victim's machine (child pornography!)
  - attacker can find incriminating data and use it against the victim
- Future attacks:
  - DDoS: attack high-risk targets.
  - Have already seen the first trojan, Brador.a, for PocketPC. Imagine a DDoS attack aimed at disabling a multitude of PocketPC devices.
  - Electronic voting (e-voting)
What can be done to combat trojans?

- Increase user security awareness
  - The President's third highest priority outlined in "The National Strategy to Secure Cyberspace" document.
- Use updated anti-virus protection.
- Properly use software/hardware firewalls.
- Periodically scan using specialized trojan horse PC scanners:
  - windowsecurity.com/trojanscan
Conclusion

- A trojan is any program that overtly does one thing but covertly does something else in a malicious manner.
- The architecture and "footprint" of BO2K, NetBus 1.7, and Sub7 follow a similar pattern.
- BO2K, NetBus 1.7, and Sub7 Legends are a serious and direct threat to current home computing technologies such as e-commerce and banking as well as future computing technologies such as e-voting and online surgery procedures.
- We can combat trojan attacks through increased user awareness, properly configured anti-virus software and firewalls, and specialized trojan scanners.