How Reverse-Connecting Trojans Work

Reverse-connecting Trojans let an attacker access a machine on the internal network from the outside. The hacker can install a simple Trojan program on a system on the internal network, such as the reverse WWW shell server. On a regular basis (usually every 60 seconds), the internal server tries to access the external master system to pick up commands. If the attacker has typed something into the master system, this command is retrieved and executed on the internal system. The reverse WWW shell server uses standard HTTP. It's dangerous because it's difficult to detect: it looks like a client is browsing the Web from the internal network.

Types of Trojans

Trojans can be created and used to perform different attacks. Here are some of the most common types of Trojans:
  • Remote Access Trojans (RATs) Used to gain remote access to a system.
  • Data-Sending Trojans Used to find data on a system and deliver data to a hacker.
  • Destructive Trojans Used to delete or corrupt files on a system.
  • Denial-of-Service Trojans Used to launch a denial-of-service attack.
  • Proxy Trojans Used to tunnel traffic or launch hacking attacks via other systems.
  • FTP Trojans Used to create an FTP server in order to copy files onto a system.
  • Security Software Disabler Trojans Used to stop antivirus software.

Overt and Covert Channels

An overt channel is the normal and legitimate way that programs communicate within a computer system or network. A covert channel uses programs or communications paths in ways that were not intended.
Trojans can use covert channels to communicate. Some client Trojans use covert channels to send instructions to the server component on the compromised system. This sometimes makes Trojan communication difficult to decipher and understand. An unsuspecting intrusion detection system (IDS) sniffing the transmission between the Trojan client and server would not flag it as anything unusual. By using the covert channel, the Trojan can communicate or "phone home" undetected, and the hacker can send commands to the client component undetected.
Some covert channels rely on a technique called tunneling, which lets one protocol be carried over another protocol. Internet Control Message Protocol (ICMP) tunneling is a method of using ICMP echo-request and echo-reply to carry any payload an attacker may wish to use, in an attempt to stealthily access or control a compromised system. Theping command is a generally accepted troubleshooting tool, and it uses the ICMP protocol. For that reason, many router, switches, firewalls, and other packet filtering devices allow the ICMP protocol to be passed through the device. Therefore, ICMP is an excellent choice of tunneling protocols.

Trojans and Backdoors

Trojans and backdoors are types of malware used to infect and compromise computer systems. A Trojan is a malicious program disguised as something benign. In many cases the Trojan appears to perform a desirable function for the user but actually allows a hacker access to the user's computer system. Trojans are often downloaded along with another program or software package. Once installed on a system, they can cause data theft and loss, as well as system crashes or slowdowns. Trojans can also be used as launching points for other attacks, such as distributed denial of service (DDoS). Many Trojans are used to manipulate files on the victim computer, manage processes, remotely run commands, intercept keystrokes, watch screen images, and restart or shut down infected hosts. Sophisticated Trojans can connect themselves to their originator or announce the Trojan infection on an Internet Relay Chat (IRC) channel.
Trojans ride on the backs of other programs and are usually installed on a system without the user's knowledge. A Trojan can be sent to a victim system in many ways, such as the following:
  • An instant messenger (IM) attachment
  • IRC
  • An email attachment
  • NetBIOS file sharing
  • A downloaded Internet program
Many fake programs purporting to be legitimate software such as freeware, spyware-removal tools, system optimizers, screensavers, music, pictures, games, and videos can install a Trojan on a system just by being downloaded. Advertisements on Internet sites for free programs, music files, or video files lure a victim into installing the Trojan program; the program then has system-level access on the target system, where it can be destructive and insidious.
Table 1 lists some common Trojans and their default port numbers.
Table 1: Common Trojan programs 
31337 or 31338
Deep Throat
2140 and 3150
12345 and 12346
12361 and 12362
NetBus 2
Master's Paradise
3129, 40421, 40422, 40423, and 40426
backdoor is a program or a set of related programs that a hacker installs on a target system to allow access to the system at a later time. A backdoor can be embedded in a malicious Trojan. The objective of installing a backdoor on a system is to give hackers access into the system at a time of their choosing. The key is that the hacker knows how to get into the backdoor undetected and is able to use it to hack the system further and look for important information.
Adding a new service is the most common technique to disguise backdoors in the Windows operating system. Before the installation of a backdoor, a hacker must investigate the system to find services that are running. Again the use of good information-gathering techniques is critical to knowing what services or programs are already running on the target system. In most cases the hacker installs the backdoor, which adds a new service and gives it an inconspicuous name or, better yet, chooses a service that's never used and that is either activated manually or completely disabled.
This technique is effective because when a hacking attempt occurs the system administrator usually focuses on looking for something odd in the system, leaving all existing services unchecked. The backdoor technique is simple but efficient: the hacker can get back into the machine with the least amount of visibility in the server logs. The backdoored service lets the hacker use higher privileges—in most cases, as a System account.
Remote Access Trojans (RATs) are a class of backdoors used to enable remote control over a compromised machine. They provide apparently useful functions to the user and, at the same time, open a network port on the victim computer. Once the RAT is started, it behaves as an executable file, interacting with certain Registry keys responsible for starting processes and sometimes creating its own system services. Unlike common backdoors, RATs hook themselves into the victim operating system and always come packaged with two files: the client file and the server file. The server is installed in the infected machine, and the client is used by the intruder to control the compromised system.
RATs allow a hacker to take control of the target system at any time. In fact one of the indications that a system has been exploited is unusual behavior on the system, such as the mouse moving on its own or pop-up windows appearing on an idle system.

Covering Your Tracks and Erasing Evidence

Once intruders have successfully gained administrator access on a system, they try to cover their tracks to prevent detection of their presence (either current or past) on the system. A hacker may also try to remove evidence of their identity or activities on the system to prevent tracing of their identity or location by authorities. To prevent detection, the hacker usually erases any error messages or security events that have been logged. Disabling auditing and clearing the event log are two methods used by a hacker to cover their tracks and avoid detection.
The first thing intruders do after gaining administrator privileges is disable auditing. Windows auditing records certain events in a log file that is stored in the Windows Event Viewer. Events can include logging into the system, an application, or an event log. An administrator can choose the level of logging implemented on a system. Hackers want to determine the level of logging implemented to see whether they need to clear events that indicate their presence on the system.
Intruders can easily wipe out the security logs in the Windows Event Viewer. An event log that contains one or just a few events is suspicious because it usually indicates that other events have been cleared. It's still necessary to clear the event log after disabling auditing, because using the Auditpol tool places an entry in the event log indicating that auditing has been disabled. Several tools exist to clear the event log, or a hacker can do so manually in the Windows Event Viewer.

Understanding Steganography Technologies

Steganography is the process of hiding data in other types of data such as images or text files. The most popular method of hiding data in files is to utilize graphic images as hiding places. Attackers can embed any information in a graphic file using steganography. The hacker can hide directions on making a bomb, a secret bank account number, or answers to a test. Any text imaginable can be hidden in an image. In Exercise you will use Image Hide to hide text within an image.
Exercise: Hiding Data in an Image Using ImageHide

To hide data in an image using ImageHide:
  1. Download and install the ImageHide program.
  2. Add an image in the Image Hide program.
  3. Add text in the field at the bottom of the ImageHide screen.
  4. Hide the text within the image using ImageHide.

Steganography can be detected by some programs, although doing so is difficult. The first step in detection is to locate files with hidden text, which can be done by analyzing patterns in the images and changes to the color palette.

Popular Posts