What is Trojan Horse and how to recover from a Trojan Horse Infection

By Chris Martin at 5 November, 2008, 4:54 am

A Trojan horse is a type of program that pretends to be something harmless but has a damaging or otherwise malicious intent. For example, a person may receive a program by email or from the internet that he or she thinks is a computer game; however, when the person runs the supposed game, the program deletes files on the computer or injects viruses.

A Trojan horse, also called a RAT (remote access trojan, or remote access trapdoor), is an example of a file virus. Such programs attack program files (e.g. .exe, .com, .sys, .drv, .ovl, .bin, .scr) by attaching themselves to executable files. The virus waits in memory for the user to run another program and uses that event to infect and replicate.

Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive. The Trojan horse is often referred to as the most elementary form of malicious code. Trojans are basically malicious, security-breaking programs that can cause considerable damage to both the hardware and software of the system.

Working of Trojans

Trojans work on the client-server model. The attacker deploys the client, which connects to the server component; the server runs on the remote machine once the remote user unknowingly executes the Trojan on it.

Most Trojans communicate over TCP/IP, using either TCP or UDP. The Trojan will usually try to remain in stealth mode, hidden on the computer. When the Trojan is activated, its server starts listening on default or configured ports for incoming connections from the attacker. It is usual for Trojans to also modify the registry and/or use some other auto-starting method.

When the remote machine is on a network with dynamically assigned IP addresses, or uses a dial-up connection to reach the internet, Trojans can be configured with features such as mailing the victim’s IP address to the attacker, or messaging the attacker via an instant messaging application or Internet Relay Chat (IRC). DSL users, on the other hand, have static IPs, so the infected machine’s IP address is always known to the attacker.

Most Trojans use auto-starting methods so that the server is restarted every time the remote machine reboots or starts; the attacker is notified of this as well. Some of the well-known system files and locations targeted by Trojans are the Autostart folder, Win.ini, System.ini, Wininit.ini, Winstart.bat, Autoexec.bat and Config.sys.
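As an added example (not from the original article), a small Python checker that inspects two of the autostart files named above, win.ini and system.ini, and reports any program they launch that is not on an allow-list. The file contents, the allow-list and the program names in the samples are constructed for the demonstration.

```python
"""Check legacy Windows autostart files (win.ini, system.ini) for entries.
Added example, not from the original article; sample contents are constructed."""
import re

# Baseline (assumption): a clean system.ini names only Explorer.exe as the
# shell, and a clean win.ini has empty run= and load= lines.
EXPECTED_SHELL = {"explorer.exe"}

def parse_ini(text):
    """Return {section: {key: value}} for a simple INI text (names lower-cased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def suspicious_autostarts(win_ini_text, system_ini_text):
    """List (file, key, program) tuples for autostart entries that are not expected."""
    findings = []
    win = parse_ini(win_ini_text).get("windows", {})
    for key in ("run", "load"):
        # run= and load= may list several programs separated by spaces or commas
        for prog in re.split(r"[ ,]+", win.get(key, "")):
            if prog:
                findings.append(("win.ini", key, prog))
    boot = parse_ini(system_ini_text).get("boot", {})
    for prog in boot.get("shell", "").split():
        if prog.lower() not in EXPECTED_SHELL:
            findings.append(("system.ini", "shell", prog))
    return findings

# Constructed sample contents: one hidden program appended to each file.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\svchost32.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\patch.exe\n[386Enh]\n"

if __name__ == "__main__":
    for hit in suspicious_autostarts(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print("unexpected autostart: %s %s= %s" % hit)
```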

Modes of Transmission

A Trojan can infect the target system through different modes of transmission. The common transmission modes are as follows:

  • Instant Message
  • IRC (Internet Relay Chat)
  • Attachments
  • Physical Access
  • Browser and E-mail Software Bugs
  • NetBIOS (File Sharing)

Instant message

People can also get infected while chatting, talking or video messaging over any instant messenger application. Receiving files is a risk the user undertakes no matter from whom or where they come.

IRC

In Internet Relay Chat, the threat comes from the exchange of files, no matter what they claim to be or where they come from. Some of these may be infected or disguised files.

Attachments

Any attachment, even if it is from a known source, should be screened, as it is possible that the source was infected earlier and is not aware of it.

Physical Access

Physical access to a target machine is perhaps the easiest way for an attacker to infect it.

Browser and E-mail Software Bugs

Having outdated applications can expose the system to malicious programs such as Trojans without any other action on the part of the attacker.

NetBIOS (File Sharing)

If port 139 is open, the attacker can install trojan.exe and modify some system file so that it will run the next time the system is rebooted.

To block file sharing in Windows, navigate to:

Start –> Settings –> Control Panel –> Network –> File and Print Sharing, and uncheck the boxes there.

Types of Trojan Horse

Trojan horses are classified based on how they breach systems and the damage they cause.

The seven main types of Trojan horses are:

  1. Remote Access Trojans
  2. Data Sending Trojans
  3. Destructive Trojans
  4. Proxy Trojans
  5. FTP Trojans
  6. Denial-of-service attack (DoS) Trojans
  7. Security software disabler Trojans

Remote Access Trojans

The attacker gains full control over the system that the Trojan infects, with full access to files, private conversations, accounting data and so on. A remote access Trojan acts as a server and listens on a port that is not supposed to be available to the internet. An attacker on the same network, behind the firewall, can easily reach the Trojan. Examples: Back Orifice and NetBus.
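A defender's check matching the listening-port behaviour described above, added here as an example and not part of the original article: it parses `netstat -an` style output for local listeners and reports any outside an expected set, labelling the default ports of Back Orifice (31337/udp) and NetBus (12345/tcp). The netstat lines and the allow-list of expected ports are constructed assumptions.

```python
"""Review `netstat -an` output for unexpected local listeners.
Added example, not from the original article; sample lines are constructed."""

# Ports this (hypothetical) workstation is expected to serve.
EXPECTED_TCP = {135, 139, 445}
EXPECTED_UDP = {137, 138}

# Default ports of the two RATs the article names, used only to label findings.
KNOWN_RAT_PORTS = {("udp", 31337): "Back Orifice default",
                   ("tcp", 12345): "NetBus default"}

def parse_netstat(text):
    """Yield (proto, port) for each local TCP LISTENING or UDP socket."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("TCP", "UDP"):
            continue
        proto = fields[0].lower()
        port = int(fields[1].rsplit(":", 1)[1])
        if proto == "tcp" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue  # outbound/established TCP is not a server socket
        yield proto, port

def unexpected_listeners(text):
    """Return sorted (proto, port, label) tuples for listeners outside the allow-list."""
    findings = []
    for proto, port in parse_netstat(text):
        expected = EXPECTED_TCP if proto == "tcp" else EXPECTED_UDP
        if port not in expected:
            label = KNOWN_RAT_PORTS.get((proto, port), "unexpected listener")
            findings.append((proto, port, label))
    return sorted(findings)

# Constructed sample: a normal workstation plus two extra listeners.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

if __name__ == "__main__":
    for proto, port, label in unexpected_listeners(SAMPLE_NETSTAT):
        print("%s/%d: %s" % (proto, port, label))
```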

Data Sending Trojans

Data sending Trojans provide hackers with passwords or other confidential data such as credit card numbers and audit sheets. These Trojans look for particular information in certain locations. Example: the Badtrans.B email virus.

Destructive Trojans:

The sole purpose of destructive Trojans is to delete files on the target system. Destructive Trojans are activated on the basis of a fixed time and date, much like a logic bomb. Example targets: .dll, .ini or .exe files.

Proxy Trojans:

Proxy Trojans turn the user’s computer into a proxy server, making it accessible to the entire world or only to the specified attacker. The attacker has full control over the user’s system and can also launch attacks on other systems from the affected user’s network. Generally it is used for Telnet, ICQ or IRC, in order to purchase goods using stolen credit cards and for other illegal activities.

FTP Trojans:

FTP Trojans are used for FTP transfers, allowing attackers to connect to the victim’s system via FTP.

Denial-of-Service (DoS) Attack Trojans:

This type of Trojan empowers the attacker to start a distributed denial-of-service (DDoS) attack if there are a fair number of victims on the network at that specific time. Example: WinTrinoo, CNN, E*Trade.

Security Software Disablers:

These are designed to disable or disrupt the functions of anti-virus software or firewalls. Once these programs are disabled, the hacker can easily attack the victim’s system.

Hazards of Trojan

A botnet, also known as a zombie army, is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. Such a computer is referred to as a zombie: in effect, a computer “robot” or “bot” that serves the wishes of some master spam or virus originator.

An increasing number of home users have high-speed connections for computers that may be inadequately protected. A zombie or bot is often created through an Internet port that has been left open and through which a small Trojan horse program can be left for future activation. At a certain time, the zombie army “controller” can unleash the effects of the army by sending a single command, possibly from an Internet Relay Chat (IRC) site.

The motivation for a zombie master who launches a DDoS attack may be to cripple a competitor; for one who sends spam, it is the money to be made. Both rely on unprotected computers that can be turned into zombies.

Recovering from a Trojan Horse Infection

It can happen to anyone. Once you know that your machine is infected with a Trojan horse, or if your machine is exhibiting unexpected behavior and you suspect that something is wrong, what can you do?

The following steps may help save your computer and your files.

Step I.   Disconnect your computer from the internet & scan the machine
Step II.  Back up your important files
Step III. Scan your machine
Step IV.  Reinstall your operating system
Step V.   Restore your files
Step VI.  Protect your computer

Disconnect your computer from the internet & Scan the machine

Depending on what type of Trojan horse you have, intruders may have access to your personal information and may even be using your computer to attack other computers, so the first step is to cut the connection. The best way to do this is to physically disconnect your cable or phone line. Since your computer, including the operating system, may be infected with a malicious program, it is safest to scan the machine from a live CD (or rescue CD) rather than with a previously installed antivirus program. Another alternative is an online virus scan.

Back up your important files

It is a good idea to take the time to back up your files. If possible, gather all of your documents and burn them onto a CD/DVD or save them to some other external storage device. These files cannot be trusted, since they are still potentially infected. Good practice is to back up your files on a regular basis so that if they do get infected, you may have an uninfected set you can restore.

Reinstall your operating system

If you cannot clean your computer, the most effective option is to format the hard drive and reinstall the operating system. Although this corrective action will also result in the loss of all your programs and files, it is the only way to ensure your computer is free from backdoors and intruder modifications.

Restore your files

When copying the files from backup and placing them back in directories on your computer, scan them with your antivirus software to check them for known viruses.

Protect your computer

To prevent future infections, remember the following points:

I)   Do not open unsolicited attachments in email messages.

II)  Do not follow unsolicited links.

III) Maintain updated antivirus software.

IV) Use an Internet firewall.

V)  Secure your web browser.

VI) Keep your system patched.

Categories : Security
