Hacking It: What is a Trojan
 
Trojan horse programs install themselves on your computer, generally without your knowledge, and then hide from detection. They sometimes use methods similar to spyware, but are usually harder to fully detect.

Trojan horses are among the most dangerous threats to your computer & your confidential information: passwords, credit card details & your personal security.

Once a Trojan program is installed on your computer, it allows hackers full access.
The same Trojan can be used secretly by many hackers. It's not just one Trojan to one hacker.

A Trojan on your computer can let a hacker view, copy or erase any folder or any file on your computer just as though they were sitting at your computer using the keyboard & mouse.
Any file on your computer can also be sent to any e-mail address or posted on the Internet.

There are many ways a system can be infected with a Trojan & because a Trojan is not the same as a virus (a self-replicating program segment), it is not always detected by anti-virus software.

Trojans are often installed by a virus or worm that is programmed to open a backdoor into your computer, sometimes to join in DDoS attacks against other computers. Other trojans can be added to popular programs & released out to newsgroups and p2p networks, especially in the hopes of infecting new hosts.

Many bots scan for victims of other Trojans such as SubSeven. This has two advantages for the hacker. First, they can scan a lot of class C blocks without scanning themselves or wasting their own bandwidth to do so. Second, they can get their bot onto already Trojan-infected machines, on the premise that if the owner did not know they had one Trojan that is detectable by nearly all anti-Trojan/virus applications, then they certainly won't know they have another that is undetectable by signature by all of these applications.

This is why we use Generics as a second layer of defense against unknown Trojans.

The SubSeven scan yields victims on default ports & also exploits the old SubSeven master password, which works on all SubSeven 2.* versions up to and not including SubSeven 2.1.3 Bonus.
Once a victim has been found & logged into, the command to update from the web is sent. Once received, SubSeven will download the new file & run it & then remove itself.

The SubSeven trojan was made to improve the design of NetBus.

It has 'improved' on NetBus so much that it is now a very deadly trojan that can be very damaging & hard to remove.

The best way to tell what version of SubSeven you are infected with is by running an updated AntiVirus program & an Anti-Trojan Scanner.

A Remote Administration Tool, or RAT, is a Trojan that, when run, provides an attacker with the capability of remotely controlling a machine via a "client" in the attacker's machine & a "server" in the victim's machine. The server in the victim "serves" incoming connections to the victim & runs invisibly with no user interface. The client is a GUI front-end that the attacker uses to connect to victim servers and "manage" those machines. Examples include Back Orifice, NetBus, SubSeven & Hack'a'tack.

What happens when a server is installed in a victim's machine depends on the capabilities of the trojan, the interests of the attacker & whether or not control of the server is ever gained by another attacker -- who might have entirely different interests.

Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses.

Most known Trojan horses are programs which "imitate" some other useful programs, new versions of popular utility software or software updates for them. Very often, they are sent to BBS stations or Usenet groups.

In comparison with viruses, Trojan horses are not widely spread. The reason for this is quite simple: they either destroy themselves together with the rest of the data on disks, or unmask their presence & are deleted by victimized users.

Virus "droppers" may also be considered Trojan horses.
They are files infected in such a way that known anti-viruses do not detect the virus in the file.

For example, a file is encrypted in some special way or packed by a rarely used archiver, preventing an anti-virus from "seeing" the infection.

A good method of discovering trojan infections is by identifying which virtual ports (there are 65535) are open and in use on your computer.

If you use an antivirus and a personal firewall, then you have a better chance of detecting and then blocking an unknown trojan from making outbound connections.

There are many programs to monitor for open ports; I mainly rely on TCPView or Outpost firewall to view which ports are listening and operating.

You can also use the built-in Windows netstat utility from a command prompt to view the open ports and connections by going to:

- Start -> Run -> type cmd.exe [Win2000/XP] or command.exe [Win98/ME], then in the command prompt window type: netstat -an

Only a firewall can be set up to block unauthorized outbound traffic from your computer. Without one running, a trojan can give full access to and from your computer to anyone that manages to locate it with an automated scan, or to the person who originally released it.

XP SP2 / ICF firewall will not protect you from Trojans/Malware making outbound connections once they are on your system.

PORTS ::

The lists below give default trojan ports, which the trojan program is designed to listen and operate on. Keep in mind that any trojan may be altered to operate on other ports as well, and that activity on a known trojan port may be a false positive and a genuine connection.

Firewalls cannot tell whether the traffic is malicious or harmless, only that it is operating on a known trojan port.

Be suspicious of any connections that you aren't sure about, but don't completely panic if you suddenly notice something that shouldn't be running or is connected to the internet without your authorization. Just be prepared, and if need be, disconnect from the internet if you suspect you are being hacked.

Trojans are not able to infect your computer any further like viruses or worms, but they can often be the result of a virus or worm infection planting a backdoor on your system.


Some trojans may use more than one port number. This is because one port is used for "listening" & the others are used for the transfer of data.

In their default configurations, the following trojans use:

Back Orifice - UDP port 31337 or 31338
Deep Throat - UDP port 2140 and 3150
NetBus - TCP port 12345 and 12346
Whack-a-mole - TCP port 12361 and 12362
NetBus 2 Pro - TCP port 20034
GirlFriend - TCP port 21544
Sockets de Troie - TCP port 5000, 5001 or 50505
Masters Paradise - TCP port 3129, 40421, 40422, 40423 and 40426

Devil - port 65000
Evil FTP - port 23456
GateCrasher - port 6969
Hackers Paradise - port 456
ICKiller - port 7789
ICQTrojan - port 4590
Phineas Phucker - port 2801
Remote Grab - port 7000
Remote Windows Shutdown - port 53001

ANTI-TROJAN PROGRAMS / TOOLS

Since Trojan Defence Suite (TDS-3) has now been discontinued, the next best alternatives are here:

BoClean
http://www.nsclean.com/boclean.html

TrojanHunter
http://www.misec.net/trojanhunter/

The Cleaner
http://www.moosoft.com/

A² Trojan Scanner
http://www.emsisoft.com/en/


Free Tools that can help in Detecting Trojans :-)


Process Explorer
TcpView
Filemon
Portmon
Tdimon
Filemap

http://www.sysinternals.com/
http://www.sysinternals.com/ntw2k/freewa...cexp.shtml

http://www.wilders.org/free_tools.htm


Anti-trojan program Comparison by Agnitum with their Tauscan trojan scanner:

http://www.agnitum.com/products/tauscan/compare.html
