Trojan Horse Attacks

1
Trojan Horse Attacks
By Carmen Nigro
2
Definition

• Malicious, security breaking program that is
  disguised as useful software
• Can be attached to legitimate software by a
  cracker
• Cannot replicate itself (unlike worms and
  viruses)

3
How can you be infected?

• Emails, instant messages, websites
• Trojans are executable programs with file
  extensions like exe, vbs, com, bat,
  scr, pif
• Windows by default hides file extensions so the
  file new.txt.exe will appear to the user as
  new.txt

4
Why is this important?

• Trojans are used to
• Steal secure information such as passwords,
  credit card numbers, or important files
• Allow an intruder to take control of a users
  machine
• Erase or corrupt files
• Deactivate or interfere with anti-virus or
  firewall programs
• Spread other malware

5
Types of Trojans

• Remote Access Trojans- give intruder complete
  control of a victims system
• Example Back Orifice
• Data Sending Trojans- steal sensitive information
  and send to an intruder
• Key loggers
• Destructive Trojans- can destroy important files
  or ruin entire hard-drive

6
Types of Trojans

• Proxy Trojans- uses the victims computer as a
  proxy server making it available to everyone
• FTP Trojans- opens system port (port 21) for FTP
  transfer and allows attacker to connect to
  victims computer
• Security Software Disabler Trojans

7
Types of Trojans

• Denial of Service Attacks (DoS)- make a resource
  unavailable to its users
• Usually implemented by consuming resources of a
  server so that it can no longer work correctly or
  obstructing communication between users and the
  server

8
Trojan.Gletta.A

• 1.)Copies itself toSystem\Wmiprvse.exeSystem
  \Ntsvc.exeWindir\Userlogon.exe
• 2.)Creates the file, System\Rsasec.dll, which
  is a key logger.Creates the file,
  System\rsacb.dll, which is actually a text
  file.
• 3.) 3. Adds the value"wmiprvse.exe""system\wm
  iprvse.exe" , to the registry keyHKEY_LOCAL_MACH
  INE\Software\Microsoft\Windows\CurrentVersion\Run,
  so that the Trojan runs when you start Windows

9
Trojan.Gletta.A

• 4.) Watches Internet explorer for popular banking
  URLs
• 5.) Captures all the keystrokes entered when the
  user is on one of the specified sites and enters
  them into the log file
• 6.) Uses its own SMTP engine to email the log
  file to the attacker

10
Facebook Trojans

• Court Jester Trojan
• Spread through message on facebook user walls
• Use caution when downloading facebook apps

11
Back Orifice

• Word play on Microsoft BackOffice Server software
• Remote system administration program
• Intended to exploit windows security flaws
• Server can be installed without
• user interaction and can be
• attached as a Trojan

12
Prevention

• Exercise caution and use common sense
• Turn off/ remove unneeded services
• Check file extensions

13
Future Work

• Active Content
• Data objects have the knowledge necessary to
  present themselves
• Example Java applets do not allow contamination
  of hard drive

14
References

• http//www.soft2secure.com/2008/03/trojan-horse-1-
  introduction.html
• http//www.research.ibm.com/antivirus/SciPapers/Sm
  oke/smoke.html
• http//en.wikipedia.org/wiki/Back_Orifice_(trojan_
  horse)