Trojans - PowerPoint PPT Presentation

1
Trojans
  • Christine Edgmon
  • Forensics II Presentation

2
Trojans
  • Back Orifice, SubSeven
  • What is it?
  • How do I know if I have it?
  • How do I remove it?

3
What is Back Orifice?
  • Back Orifice (BO) is a remote administration system which allows a
    user to control a computer across a TCP/IP connection using a simple
    console or GUI application. On a local LAN or across the internet, BO
    gives its user more control of the remote Windows machine than the
    person at the keyboard of the remote machine.

4
Back Orifice Creators
  • Back Orifice was created by a group of well-known hackers who call
    themselves the CULT OF THE DEAD COW.
  • Hacktivismo is a special operations group sponsored by the CULT OF
    THE DEAD COW (cDc).
  • Hacktivism isn't any sort of cyberterrorism ... or trying to make
    things harder for a repressive regime by taking down a Web server;
    hacktivism is part of a balanced, disciplined program to use data and
    technology to improve human rights.

5
Cult of the Dead Cow
  • MOTTO: We view access to information as a basic human right. We are
    also interested in keeping the Internet free of state-sponsored
    censorship and corporate chicanery so all opinions can be heard.
  • They typically meet other hackers at DEF CON, an important hacker
    conference.

6
About Back Orifice
  • BO is small and entirely self-installing. Simply executing the server
    on any Windows machine installs the server, moving the executable
    into the system directory where it will not interfere with other
    running applications.
  • To ease distribution, BO can also be attached to any other Windows
    executable, which will run normally after installing the server.
  • Once running, BO does not show up in the task list or close-program
    list, and is rerun every time the computer is started. The filename
    it runs as is configurable before it is installed, and it is as easy
    to upgrade as uploading the new version and running it.

7
More about Back Orifice
  • The claim is that Back Orifice is not a threat to any computer
    (personal, business or government) that is not on a network. Back
    Orifice only works if the computer can be accessed remotely. It was
    not designed to destroy information like a computer virus; rather, it
    allows the user to steal information secretly and manipulate the
    computer by invisible puppet strings.

8
What Can BO do? (page1)
  • Spawn a text based application on a tcp port.
  • Stops an application from listening for
    connections.
  • Lists the applications currently listening for
    connections.
  • Creates a directory. Lists files and directory.
    You must specify a wildcard if you want more than
    one file to be listed. Removes a directory.
  • Creates an export on the server. Deletes an
    export.
  • Lists current shared resources (name, drive,
    access, password).
  • devices.
  • Plays a wav file on the server machine.
  • Lists current incoming and outgoing network
    connections.
  • Disconnects the server machine from a network
    resource. Connects the server machine to a
    network resource.

9
What Can BO do? (page2)
  • Views all network interfaces, domains, servers,
    and exports visible from the server machine.
  • Pings the host machine.
  • Returns the machine name and the BO version
    number.
  • Executes a Back Orifice plugin. Tells a specific
    plugin to shut down. Lists active plugins or the
    return value of a plugin that has exited.
  • Terminates a process. Lists running processes.
    Runs a program; unless it is told to run visibly,
    it is executed hidden or detached.
  • Redirects incoming tcp connections or udp
    packets to another ip address. Stops a port
    redirection.
  • Lists active port redirections.

10
What Can BO do? (page3)
  • Creates a key in the registry. Deletes a key from
    the registry. Deletes a value from the registry.
    Lists the sub keys of a registry key. Lists the
    values of a registry key. Sets a value for a
    registry key.
  • Resolves the ip address of a machine name
    relative to the server machine.
  • Creates a dialog box on the server machine with
    the supplied text and an 'ok' button.
  • Copies a file.
  • Deletes a file.
  • Searches a directory tree for files that match a
    wildcard specification.

11
What Can BO do? (page4)
  • Compresses a file. Decompresses a file.
  • Views the contents of a text file.
  • Disables the http server. Enables the http
    server.
  • Logs keystrokes on the server machine to a text
    file. Ends keyboard logging. To end keyboard
    logging from the text client, use 'keylog stop'.
  • Captures video and audio (if available) from a
    video input device to an avi file.
  • Displays system information for the server
    machine.
  • Locks up the server machine.

12
What Can BO do? (page5)
  • Displays cached passwords for the current user
    and the screen saver password.
  • Shuts down the server machine and reboots it.
  • Connects the server machine to a host and saves any
    data received from that connection to the specified
    file. Connects the server machine to a host and sends
    the contents of the specified file, then disconnects.
  • Captures a frame of video from a video input
    device to a bitmap file.
  • Captures an image of the server machine's screen
    to a bitmap file.
  • Lists video input

13
The Press on BO 98
  • "Due to the lovely MIME mishandlings of Outlook
    and Netscape Messenger, the required Back Orifice
    executable need only be emailed to a targeted
    individual for it to be installed. The user no
    longer needs to click on an attachment for Back
    Orifice to install. Receiving the mail is enough
    for the plant to occur."
  • "Again and again, Microsoft claims in its
    advisory that Back Orifice needs to be installed
    by the user."

14
How do I Know if I Have it?
  • BO typically requires an entry in the Windows
    Registry in order to be invoked on startup. It
    can be set up to start other ways, but it always
    makes that entry anyway, every time it is run.
    The exact entry can vary, but it is always in one
    place.
  • This is true for all versions of BO (1998-2000),
    but the specifics for detecting BO are not exactly
    the same from version to version.

15
Detection (old version)
  • Open REGEDIT and look for the values under this
    key:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • If the key is empty, then you're Orifice-free.
16
Detection (continued)
  • If there is anything there at all, anything other
    than "(value not set)," -- note it will NOT have
    quotes around it -- then you may possibly be
    hosting Back Orifice. It's time to find out for
    sure.
  • Bear in mind multiple copies of BO can coexist.
    There may be more than one.
  • Before you actually change the Registry, make
    sure you know what you're doing. Whatever file
    name (or names) you found in the Registry, look
    for those files in the C:\WINDOWS\SYSTEM
    directory or in the directory specified.

17
  • See if the file looks like this

18
  • Note the icon next to the file... there isn't
    one! The BO server icon is transparent, a blank.
    The filename might be anything at all. If it ends
    in .exe or has no extension, the icon will be
    blank. But it can be named literally anything,
    and if it has a recognized extension, Windows
    will assign it an appropriate icon.
  • The BO program on your computer may contain
    information that could be useful in assessing the
    damage and/or revealing of its point of origin.
  • Many of the Orifices out there are simply in
    their default configuration, with no password and
    no special options. But some of them, probably
    most of them, have been configured by the
    originator and will contain potentially useful
    information. That configuration is rather easy to
    read from the file. If you have an editor that
    will read the file (Notepad/Wordpad won't do it),
    you'll find the config parameters at the very
    end.

19
More on Detection
  • If the BO program on your computer is in its
    default configuration it will be exactly 124,928
    bytes long.
  • It will be named " .exe" (a space followed by
    .exe).
  • In this case, go ahead and delete it. It contains
    no information of any value.
  • Once you have deleted the executable, reboot your
    computer.
  • Now delete the DLL that it uses, WINDLL.DLL.
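The file checks on the three preceding slides (blank-looking name or no extension, the exact 124,928-byte default size, and the configuration at the tail of a non-default server) as one triage script. This is an added example, not code from the presentation or from the sites it cites. It walks a directory the way you would walk C:\WINDOWS\SYSTEM on the suspect machine; the sample directory, its file names and every byte in it are constructed placeholders, not real Back Orifice binaries. The tail pass is a plain "strings" extraction over the region the slides say holds the configuration, not a decoder for BO's configuration layout; the port number in the constructed string is BO's well-known default, 31337, but the string's format is invented. Function names are this example's own.

```python
import os
import re
import tempfile

BO_DEFAULT_SIZE = 124_928   # size of an unconfigured BO server, per the slide above


def name_indicator(name):
    """Return why a file name matches the slides' description, or None."""
    stem, ext = os.path.splitext(name)
    if ext.lower() == ".exe" and stem.strip() == "":
        return "blank-looking name (whitespace + .exe)"
    if ext == "":
        # in a system directory a file with no extension is worth a look;
        # it also shows the blank icon the slides describe
        return "no extension (shows a blank icon)"
    return None


def tail_strings(path, tail_bytes=256, min_len=4):
    """Printable ASCII runs from the last tail_bytes of a file.

    A generic 'strings' pass over the region the slides say holds the
    configuration; it does not know BO's actual config format."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        f.seek(max(0, f.tell() - tail_bytes))
        data = f.read()
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(directory):
    """Map each suspect file name to its indicators and its tail strings."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        reasons = []
        why = name_indicator(name)
        if why:
            reasons.append(why)
        if os.path.getsize(path) == BO_DEFAULT_SIZE:
            reasons.append("size == 124,928 bytes (default BO server)")
        if reasons:
            report[name] = {"reasons": reasons, "tail": tail_strings(path)}
    return report


def build_sample_dir():
    """Constructed stand-in for the system directory: placeholder bytes only."""
    d = tempfile.mkdtemp(prefix="bo_triage_")
    with open(os.path.join(d, " .exe"), "wb") as f:        # default-config lookalike
        f.write(b"\x00" * BO_DEFAULT_SIZE)
    with open(os.path.join(d, "wincfg"), "wb") as f:       # renamed, configured lookalike
        f.write(b"\x00" * 2000 + b"CONSTRUCTED-CONFIG port=31337 pass=hunter2\x00")
    with open(os.path.join(d, "notepad.exe"), "wb") as f:  # benign file, must not be flagged
        f.write(b"MZ" + b"\x00" * 500)
    return d


if __name__ == "__main__":
    for name, info in triage(build_sample_dir()).items():
        print(repr(name), info["reasons"], info["tail"])
```

Run it against a copy of the suspect directory rather than the live one, and keep any flagged file that is not the zero-information default: the slides note that a configured server's tail can reveal who planted it.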

20
SubSeven
  • SubSeven is a trojan similar to BO.
  • SubSeven victims currently (1999) outnumber Back
    Orifice victims by 100-to-1.
  • The credited author of this trojan is Mobman.
  • He began his trojan-writing days with a copy of
    Delphi 4, which he was planning to learn. He was
    using NetBus with friends at the time, thought of
    trying to make a NetBus clone, and that's how it
    started.
  • After one month of work, Sub7 1.0 was out.
  • Surprisingly, this author is only in his early
    20s.

21
What Can Subseven do? (page1)
  • send messages or questions to the victim
  • open the default browser at the specified address
  • hide or show the Start button
  • take a screen shot of the victim's desktop
  • disable keyboard
  • chat with the victim
  • start/stop the victim's PC Speaker
  • restart windows
  • open/close the CD-ROM

22
What Can Subseven do? (page2)
  • set the length of the victim's mouse trails
  • set a password for the server
  • get all the active windows on the victim's
    computer
  • enable/disable a specified window
  • disable the close button on a specified window
  • get a list of all the available drives on the
    victim's computer
  • turn monitor on/off
  • show/hide the taskbar

23
What Can Subseven do? (page3)
  • get more information about the victim's computer
  • change the server name
  • listen for all the pressed keys
  • record sound
  • get the file's size
  • download/upload/execute file
  • set wallpaper
  • play file on the victim's computer
  • reverse/restore mouse buttons
  • set the online notification on/off
  • close the server on the victim's computer

24
When it is run, BackDoor SubSeven makes the
following changes to the system
  • Drops (adds) a copy of itself as a randomly
    named executable file, such as Eutccec.exe, in
    the \Windows or \Windows\System folder.
  • Adds the dropped file to the load= and run= lines
    of the Win.ini file.
  • Adds the dropped file name to the
    shell=explorer.exe line of the System.ini file.

25
How does SubSeven affect my system?
  • Creates the WinLoader value and sets it equal to
    the dropped file name in the following registry
    key:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • Modifies the (Default) value from "%1" %* to, for
    example, eutccec.exe "%1" %* in the following
    registry key:
  • HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
  • That second change makes every .exe you launch run
    the trojan first. Restore the value to "%1" %*
    before deleting the dropped file; otherwise Windows
    can no longer start any .exe at all.
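The registry and INI checks from the Back Orifice detection slides and the two SubSeven slides above, as one offline triage script. This is an added example, not code from the presentation or from any of its sources: it parses a REGEDIT4-style .reg export and the [windows] section of Win.ini and [boot] section of System.ini, so it runs against files copied off the suspect machine instead of touching a live registry. The key paths, the WinLoader value, the load=/run=/shell= lines and the file names come from the slides; the clean exefile default "%1" %* is standard Windows. The sample exports below are constructed, and the function names and the rule that any value under RunServices or Run is reported for triage are this example's own choices.

```python
import re

# Autostart locations the slides tell you to inspect. Back Orifice registers
# under RunServices; SubSeven adds a WinLoader value under Run and hijacks
# the .exe file association. Registry paths are case-insensitive.
PERSISTENCE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
CLEAN_EXEFILE_DEFAULT = '"%1" %*'   # what an untouched Windows 9x install has here

# Constructed sample exports (not captured from a real infection).
INFECTED_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
" .exe"=" .exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinLoader"="eutccec.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="eutccec.exe \"%1\" %*"
'''
CLEAN_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''
INFECTED_WIN_INI = "[windows]\nload=eutccec.exe\nrun=eutccec.exe\nNullPort=None\n"
INFECTED_SYSTEM_INI = "[boot]\nshell=explorer.exe eutccec.exe\n"

_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg exports escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: data}} for the string values of a .reg export."""
    result, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            result.setdefault(key, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or key is None:
            continue  # header, blank line, or a non-string type we don't need
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        result[key][name] = data
    return result


def check_registry(reg):
    """Report every autostart value, plus an exefile hijack if present."""
    findings = []
    for key in PERSISTENCE_KEYS:
        for name, data in reg.get(key.lower(), {}).items():
            tag = ""
            # BO's default server name is " .exe": nothing but whitespace before the extension
            if data.strip().lower() == ".exe":
                tag = " [blank-named executable: Back Orifice default]"
            findings.append(f"{key}: {name!r} = {data!r}{tag}")
    default = reg.get(EXEFILE_KEY.lower(), {}).get("(Default)", CLEAN_EXEFILE_DEFAULT)
    if default != CLEAN_EXEFILE_DEFAULT:
        findings.append(f"{EXEFILE_KEY}: (Default) hijacked = {default!r}")
    return findings


def _section(text, name):
    out, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1].lower() == name
        elif inside and line and not line.startswith(";"):
            out.append(line)
    return out


def check_ini(win_ini, system_ini):
    """Flag load=/run= in Win.ini and anything beyond explorer.exe on shell= in System.ini."""
    findings = []
    for line in _section(win_ini, "windows"):
        k, _, v = line.partition("=")
        if k.strip().lower() in ("load", "run") and v.strip():
            findings.append(f"Win.ini {k.strip()}={v.strip()}")
    for line in _section(system_ini, "boot"):
        k, _, v = line.partition("=")
        if k.strip().lower() == "shell" and v.strip().lower() != "explorer.exe":
            findings.append(f"System.ini shell={v.strip()}")
    return findings


if __name__ == "__main__":
    for f in check_registry(parse_reg(INFECTED_REG)) + check_ini(INFECTED_WIN_INI, INFECTED_SYSTEM_INI):
        print("SUSPECT:", f)
    print("clean export findings:", check_registry(parse_reg(CLEAN_REG)))
```

Everything under Run and RunServices is listed rather than filtered, because the slides' advice is to look at every entry there and decide; the two automatic verdicts are the blank-named executable and an exefile default that is no longer "%1" %*, both of which are unambiguous.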

26
Detection and Removal
  • The detection and removal of this trojan is very
    similar to the removal of the BO trojan.
  • There are many websites that offer step-by-step
    directions on this.

27
Protection Against
  • There are no sure ways to protect yourself from
    these unless you never download anything from the
    internet.
  • Even then it is still possible to get these on
    your machine.
  • There are however, many steps you can take to
    make yourself less vulnerable to them.
  • There are many antivirus packages that can aid in
    the detection of these Trojans.
  • Doing a routine check on your own might even be a
    good idea.
  • There seems to be a commonality among many Trojans:
    they update your registry with values in the same
    area. Check it often.

28
The best way to protect yourself is to know your
computer as well as or better than a Hacker!
29
Sources
  • http://www.safersite.com/PestInfo/S/SubSeven.asp
  • http://www.safersite.com/pestinfo/b/backorifice.asp
  • http://www.cultdeadcow.com
  • http://www.irchelp.org/irchelp/security/bo.html
  • http://www.nwinternet.com/pchelp/bo/bo.html
  • http://www.symantec.com/avcenter/warn/backorifice.html
  • http://news.com.com/2100-1001-254164.html?legacy=cnet
  • http://www.lockdowncorp.com/bots/mobman.html