Certified Ethical

  Workings on Trojans
    A program that appears to be legitimate
    Unauthorized code performs unknown functions
    Normally have a client/server model
    TCP/IP or IPX/SPX
    Attacker gains access to the trojaned system when the trojaned system goes online
    Sometimes the trojaned system notifies the attacker when they are online
    Attacker normally has access to multiple trojaned systems

  Donald Dick
    Has a lot of functionality
    Remote access trojan
    Two parts
      Client
      Server
    Provides full access to the file system
    Functionality
      Processes
      Registry
      Keylogging
      File controls
      Monitoring
      Network control

  Remote Access Trojans
    Provide remote access of the infected machine to the attacker
    Very prevalent and often reported on by the media

  Proxy Trojans
    The trojan makes the machine a proxy server
    Installs a simple web proxy on the machine
    The machine can then be used to launch web attacks against other victims

  FTP Trojans
    Enables an FTP server on the victim
    Normally used to transfer large files or for an FTP bounce scan

  Back Orifice 2000
    Client/Server application
    Client is GUI or CLI
    Client is 500 KB, server code is 100 KB
    Talks over TCP and UDP with strong encryption
    Server must be installed on the target system
    Once the server is installed, the attacker has complete control over the system
    BO2K functionality can be improved with plug-ins
    Plug-ins
      BoPeep: complete remote control
      Encryption
      BOSOCK32: provides stealth capabilities by using ICMP rather than TCP or UDP
    Can totally modify the application to hide the trojan
    Supports Windows 2000 and Windows XP

  Software Detection Killers
    Software that can kill software running on the box
    Sometimes included with other virus functions
    Kill Zone Alarm
    Kill AV product
    Firekiller 2000
      Kills any resident protection software
      Works with all major AV vendors
      Handy to use before you infect with a trojan

  Examples
    Whack-A-Mole
      Simple game where you have to hit a mole
      Installs NetBus in the background
    BoSniffer
      BoSniffer is an application that claims to check for the BO server
      It actually infects the machine with BO
      Then announces itself on IRC channel #BO_OWNED

  Countermeasures Tools
    fPort
      Windows CLI application
      Shows what ports are open and what applications are listening on them
    TCPView
      Displays very detailed information about open ports
      Similar to fPort but a lot more powerful
    PrcView
      Process Viewer
      Displays detailed information about processes running on your machine