
SEMINAR REPORT

ON
TROJAN HORSE

Submitted in partial fulfillment of


Bachelor of Engineering degree
Of the University of Rajasthan, Jaipur

Submitted to:
Mr. D.K. Mehta
Head of the Department
Computer Science Department

Submitted by:
Jalaj Mathur
IVth Year
Computer Science

Department of Computer Science & Engineering


JODHPUR ENGINEERING COLLEGE AND RESEARCH CENTRE
JODHPUR (RAJ).
CONTENTS

1. ACKNOWLEDGEMENT
2. COMPUTER VIRUSES
3. PRELIMINARIES
4. TROJAN HORSES
5. LIST OF TROJAN HORSES
6. TYPES OF TROJAN HORSE PAYLOADS
7. TROJAN HORSE ATTACKS
8. COMBATING TROJAN HORSES
9. CONCLUSION
10. BIBLIOGRAPHY
ACKNOWLEDGEMENT

At the very outset, we would like to express our deep sense of gratitude to our
mentors at the college, Principal Dr. D C Surana and Mr. D.K. Mehta, who have been so
kind to give us the necessary guidance. They have also been a constant source of
inspiration.

I extend heartfelt thanks to my parents and friends for their inspiration and thoughtfulness
in care and support.

With these comments, I take this opportunity of expressing my thanks to those who have
helped me in a number of ways during my project work.
COMPUTER VIRUSES

Computer viruses are small software programs that are designed to spread from one
computer to another and to interfere with computer operation.

A virus might corrupt or delete data on your computer, use your e-mail program to spread
itself to other computers, or even erase everything on your hard disk.

Viruses are most easily spread by attachments in e-mail messages or instant messaging
messages. That is why it is essential that you never open e-mail attachments unless you
know who it's from and you are expecting it.

Viruses can be disguised as attachments of funny images, greeting cards, or audio and
video files.

Viruses also spread through downloads on the Internet. They can be hidden in illicit
software or other files or programs you might download.

To help avoid viruses, it's essential that you keep your computer current with the latest
updates and antivirus tools, stay informed about recent threats, and that you follow a few
basic rules when you surf the Internet, download files, and open attachments.

Once a virus is on your computer, its type or the method it used to get there is not as
important as removing it and preventing further infection.
Key Terms To Understanding Computer Viruses:

Virus
A program or piece of code that is loaded onto your computer without your knowledge
and runs against your wishes.

Trojan Horse
A destructive program that masquerades as a benign application. Unlike viruses, Trojan
horses do not replicate themselves.

Worm
A program or algorithm that replicates itself over a computer network and usually
performs malicious actions.

Blended Threat
Blended threats combine the characteristics of viruses, worms, Trojan Horses, and
malicious code with server and Internet vulnerabilities.

Antivirus Program
A utility that searches a hard disk for viruses and removes any that are found.

The internet consists of hundreds of millions of computers distributed around the world.
Millions of people use the internet daily, taking full advantage of the available services at
both personal and professional levels. The internet connectivity among computers on
which the World Wide Web relies, however, renders its nodes an easy target for malicious
users who attempt to exhaust their resources, damage their data or create havoc in the
network. Computer viruses, especially in recent years, have increased dramatically in
number. One of the most high-profile threats to information integrity is the computer
virus.

Surprisingly, PC viruses have been around for two-thirds of the IBM PC’s lifetime,
appearing in 1986. With global computing on the rise, computer viruses have had more
visibility in the past few years. In fact, the entertainment industry has helped by
illustrating the effects of viruses in movies such as ”Independence Day”, ”The Net”, and
”Sneakers”. Along with computer viruses, computer worms are also increasing day by
day. So, there is a need to immunise the internet by creating awareness in the people
about these in detail. In this paper I have explained the basic concepts of viruses and
worms and how they spread.
PRELIMINARIES

A. Virus:
A self-replicating program. Some definitions add the constraint that it has to
attach itself to a host program to be able to replicate. Viruses often require a host, and
their goal is to infect other files so that the virus can live longer. Some viruses perform
destructive actions, although this is not necessarily the case. Many viruses attempt to hide
from being discovered. A virus might rapidly infect every file on an individual computer or
slowly infect the documents on the computer, but it does not intentionally try to spread
itself from that infected computer to others. In most cases, that’s where
humans come in. We send e-mail document attachments, trade programs on diskettes, or
copy files to file servers. When the next unsuspecting user receives the infected file or
disk, they spread the virus to their computers, and so on.

B. Worms:
Worms are insidious because they rely less (or not at all) upon human behaviour in order
to spread themselves from one computer to others. A computer worm is a program that
is designed to copy itself from one computer to another, leveraging some network
medium: e-mail, TCP/IP, etc. The worm is more interested in infecting as many machines
as possible on the network, and less interested in spreading many copies of itself on a
single computer (as a computer virus does).

The prototypical worm infects (or causes its code to run on) a target system only once; after
the initial infection, the worm attempts to spread to other machines on the network.
Some researchers define worms as a sub-type of virus. In early years worms were
considered a problem of mainframes only. This changed after the Internet
became widespread; worms quickly adapted to Windows and started to send
themselves through network functions.
Some categories that come under worms are:
• Mailers and Mass-Mailer worms
• Octopus
• Rabbits

C. Trojan Horses:
A Trojan Horse is a program which pretends to be useful but performs some unwanted
action. Most Trojans activate when they are run and sometimes destroy the structure of
the current drive (FATs, directories, etc.), obliterating themselves in the process. They
do not require a host and do not replicate. A special type is the backdoor trojan,
which does not do anything overtly destructive, but leaves your computer open to remote
control and unauthorised access.

D. Others:
There are other types of malicious programs apart from Viruses, Worms and Trojan
Horses. Some of them are described below.

1) Logic Bombs: A logic bomb is a programmed malfunction of a legitimate application.
These are intentionally inserted in otherwise good code. They remain hidden, with only
their effects being visible. They do not replicate: bugs do everything except make
more bugs.

2) Germs: These are first-generation viruses in a form that the virus cannot generate
through its usual infection process. When the virus is compiled for the first time, it exists in a
special form and normally does not have a host program attached to it. Germs will not
have the usual marks that most viruses use in second-generation form to flag infected
files, so as to avoid reinfecting an already infected object.

3) Exploits: An exploit is specific to a single vulnerability or set of vulnerabilities. Its goal is
to run a program on a (possibly remote, networked) system automatically or to provide some
other form of more highly privileged access to the target system.

E. Characteristics:

The following are some of the characteristics of viruses:

1) Size - The program code required for a computer virus is very small.

2) Versatility - Computer viruses have appeared with the ability to generically
attack a wide variety of applications.

3) Propagation - Once a computer virus has infected a program, while this
program is running, the virus is able to spread to other programs and files
accessible to the computer system.

4) Effectiveness - Many computer viruses have far-reaching and
catastrophic effects on their victims, including total loss of data, programs, and
even the operating system.

5) Functionality - A wide variety of functions has been demonstrated in virus
programs. Some virus programs merely spread themselves to applications without
attacking data files, program functions, or operating system activities. Other
viruses are programmed to damage or delete files, and even to destroy systems.

6) Persistence - In many cases, especially in networked operations, eradication of
viruses has been complicated by the ability of a virus program to repeatedly spread
and reoccur through the networked system from a single copy.

III. DETAILED DESCRIPTION

A. Malicious Code Environments


It is important to know about the particular execution environments in order to understand
computer viruses. A successful penetration of the system by viral code occurs only if
the various dependencies of the malicious code match a potential environment. The
following are some of the various malicious code environments:

1) Computer Architecture Dependency
2) CPU Dependency
3) Operating System Dependency and Operating System Version Dependency
4) File System Dependency
5) File Format Dependency
6) Interpreted Environment Dependency
7) Vulnerability Dependency
8) Date and Time Dependency
9) Just-In-Time Dependency
10) Archive Format Dependency
11) File Format Extension Dependency
12) Network Protocol Dependency
13) Source Code Dependency
14) Self-Contained Environment Dependency

B. Virus/Worm types overview


These are the main categories of Viruses and worms:

1) Binary File Virus and Worm – File viruses infect executables (program files). They are
able to infect over networks. Normally these are written in machine code. File worms are
also written in machine code, but instead of infecting other files, they focus on spreading
to other machines.

2) Binary Stream Worms – Stream worms are a group of network-spreading worms that
never manifest as files. Instead, they travel from computer to computer as pieces
of code that exist only in memory.

3) Script File Virus and Worm – A script virus is technically a file virus, but script viruses
are written as human-readable text. Since computers cannot understand text instructions
directly, the text first has to be translated into machine code. This process is called
”interpretation”, and is performed by separate programs on the computer.

4) Macro Virus – Macro viruses infect data files, or files that are normally perceived as
data files, like documents and spreadsheets. Just about anything that we can do with
ordinary programs on a computer we can do with macro instructions. Macro viruses are
more common nowadays. These can infect over the network.

5) Boot Virus – The first known successful computer viruses were boot sector viruses.
Today these are rarely used. They infect the boot sectors of hard drives and floppy disks and
are not dependent on the actual operating system installed. They are not able to infect
over networks. They take over the boot process of personal computers: because most
computers do not contain an operating system in their Read Only Memory (ROM), they
need to load the system from somewhere else, such as from a disk or from the network
(via a network adapter).

6) Multipartite Viruses – Multipartite viruses infect both executable files and boot sectors,
or executable and data files. They are not able to infect over networks.

COMPUTER SECURITY

Secure Operating System

One use of the term computer security refers to technology to implement a secure
operating system. Much of this technology is based on science developed in the 1980s
and used to produce what may be some of the most impenetrable operating systems ever.
Though still valid, the technology is almost inactive today, perhaps because it is complex
or not widely understood. Such ultra strong secure operating systems are based on
operating system kernel technology that can guarantee that certain security policies are
absolutely enforced on an operating environment. An example of such a security policy is
the Bell-LaPadula model. The strategy is based on a coupling of special microprocessor
hardware features, often involving the Memory Management Unit, to a special correctly
implemented operating system kernel. This forms the foundation for a secure operating
system that if certain critical parts are designed and implemented correctly can ensure
that it is physically impossible for hostile or subversive applications to violate the
security policy. This capability is enabled because the operating system not only imposes a
security policy, but completely protects itself from corruption. Ordinary operating
systems lack the completeness property. The design methodology to produce such secure
systems is not an ad-hoc best effort activity, but one that is very precise, deterministic and
logical.

Systems designed with such methodology represent the state of the art of computer
security and the capability to produce them is not widely known. In sharp contrast to
most kinds of software, they meet specifications with verifiable certainty comparable to
specifications for size, weight and power. Secure operating systems designed this way are
used primarily to protect national security information and military secrets. These are
very powerful security tools and very few secure operating systems have been certified at
the highest level (Orange Book A-1) to operate over the range of Top Secret to
unclassified (including Honeywell SCOMP, USAF SACDIN, NSA Blacker and Boeing
MLS LAN.) The assurance of security depends not only on the soundness of the design
strategy, but also on the assurance of correctness of the implementation, and therefore
there are degrees of security strength defined for COMPUSEC. The Common Criteria
quantifies security strength of products in terms of two components, security capability
(as Protection Profile) and assurance levels (as EAL levels.) None of these ultra high
assurance secure general purpose operating systems have been produced for decades or
certified under the Common Criteria.

Computer Security By Design

Computer security is a logic-based technology. There is no universal standard notion of
what secure behavior is. “Security” is a property that is unique to each situation and so
must be overtly defined by a Security Policy, if it is to be seriously enforced. Security is
not an ancillary function of a computer application, but often what the application doesn’t
do. Unless the application is just trusted to ‘be secure,’ security can only be imposed as a
constraint on the application’s behavior from outside of the application. There are several
approaches to security in computing, sometimes a combination of approaches is valid:

1. Trust all the software to abide by a security policy but the software is not
trustworthy (this is computer insecurity).

2. Trust all the software to abide by a security policy and the software is validated as
trustworthy (by tedious branch and path analysis for example).

3. Trust no software but enforce a security policy with mechanisms that are not
trustworthy (again this is computer insecurity).

4. Trust no software but enforce a security policy with trustworthy mechanisms.


Many approaches unintentionally follow 1. Approaches 1 and 3 lead to failure. Since 2 is
expensive and non-deterministic, its use is very limited. Because 4 often relies on hardware-
based mechanisms and avoids abstractions and a multiplicity of degrees of freedom, it is
more practical. Combinations of 2 and 4 are often used in a layered architecture with thin
layers of 2 and thick layers of 4.

There are strategies and techniques used to design in security. There are few, if any,
strategies to add on security after design.

One technique enforces the principle of least privilege to great extent, where an entity has
only the privileges that are needed for its function. That way, even if an attacker has
subverted one part of the system, fine-grained security ensures that it is just as difficult
for them to subvert the rest.

Furthermore, by breaking the system up into smaller components, the complexity of
individual components is reduced, opening up the possibility of using techniques such as
automated theorem proving to prove the correctness of crucial software subsystems. This
enables a closed-form solution to security that works well when only a single well-
characterized property can be isolated as critical, and that property is also amenable to
mathematical analysis. Not surprisingly, it is impractical for generalized correctness, which
probably cannot even be defined, much less proven. Where formal correctness proofs are not
possible, rigorous use of code review and unit testing represents a best-effort approach to
making modules secure.

The design should use "defense in depth", where more than one subsystem needs to be
compromised to compromise the security of the system and the information it holds.
Defense in depth works when subverting one hurdle is not a platform to facilitate
subverting another. Also, the cascading principle acknowledges that several low hurdles
do not make a high hurdle: cascading several weak mechanisms does not provide
the safety of a single stronger mechanism.

Subsystems should default to secure settings, and wherever possible should be designed
to "fail secure" rather than "fail insecure" (see fail safe for the equivalent in safety
engineering). Ideally, a secure system should require a deliberate, conscious,
knowledgeable and free decision on the part of legitimate authorities in order to make it
insecure. What constitutes such a decision and what authorities are legitimate is
controversial.

In addition, security should not be an all or nothing issue. The designers and operators of
systems should assume that security breaches are inevitable in the long term. Full audit
trails should be kept of system activity, so that when a security breach occurs, the
mechanism and extent of the breach can be determined. Storing audit trails remotely,
where they can only be appended to, can keep intruders from covering their tracks.
Finally, full disclosure helps to ensure that when bugs are found the "window of
vulnerability" is kept as short as possible.
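As an added illustration of the three principles above (least privilege, fail-secure defaults and an append-only audit trail), the following Python example is not part of the original report. The policy table, the principal names and the resource paths are constructed for the example, and the hash-chained in-memory trail stands in for the remote, append-only store the text recommends: it does not prevent an intruder from editing a local copy, but it makes any edit detectable.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample policy (not from the report): each principal is granted
# only the rights its job needs (least privilege). Anything absent is denied.
POLICY = {
    "backup-agent": {"/var/lib/db": {"read"}},
    "web-frontend": {"/var/www": {"read"}, "/var/log/web": {"append"}},
}

GENESIS = "0" * 64  # the "previous hash" of the very first entry


@dataclass
class AuditTrail:
    """Append-only trail: each entry commits to the hash of the previous one,
    so a later edit or deletion anywhere in the chain is detectable. It stands
    in for the remote append-only store the text recommends."""
    entries: list = field(default_factory=list)
    last_hash: str = GENESIS

    def append(self, record: dict) -> str:
        payload = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((self.last_hash + payload).encode()).hexdigest()
        self.entries.append({"record": record, "prev": self.last_hash, "hash": digest})
        self.last_hash = digest
        return digest

    def verify(self) -> bool:
        """Recompute the chain from the start; a tampered or dropped entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            payload = json.dumps(entry["record"], sort_keys=True)
            expected = hashlib.sha256((prev + payload).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return prev == self.last_hash


def authorize(policy: dict, trail: AuditTrail, principal: str,
              resource: str, action: str) -> bool:
    """Reference monitor with a fail-secure default: an unknown principal,
    resource or action all fall through to the same deny path, and every
    decision (allow or deny) is written to the trail before it is returned."""
    allowed = action in policy.get(principal, {}).get(resource, set())
    trail.append({"principal": principal, "resource": resource,
                  "action": action, "decision": "allow" if allowed else "deny"})
    return allowed


if __name__ == "__main__":
    trail = AuditTrail()
    print(authorize(POLICY, trail, "backup-agent", "/var/lib/db", "read"))   # True
    print(authorize(POLICY, trail, "backup-agent", "/var/lib/db", "write"))  # False
    print(trail.verify())                                                     # True
```

The point of writing the trail entry before returning the decision is that denied attempts are exactly the events an investigator later wants; a monitor that logs only successes gives no picture of the "mechanism and extent" of a breach.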

Early History of Security By Design

The early Multics operating system was notable for its early emphasis on computer
security by design, and Multics was possibly the very first operating system to be
designed as a secure system from the ground up. In spite of this, Multics' security was
broken, not once, but repeatedly. The strategy was known as 'penetrate and test' and has
become widely known as a non-terminating process that fails to produce computer
security. This led to further work on computer security that prefigured modern security
engineering techniques producing closed form processes that terminate.

Secure Coding

The majority of software vulnerabilities result from a few known kinds of coding defects.
Common software defects include buffer overflows, format string vulnerabilities, integer
overflow, and code/command injection.

Some common languages such as C and C++ are vulnerable to all of these defects (see
Seacord, "Secure Coding in C and C++"). Other languages, such as Java, are immune to
some of these defects, but are still prone to code/command injection and other software
defects which lead to software vulnerabilities.
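The following Python example is added here and is not from the report. It shows the checks whose absence produces the defect classes named above: a length taken from untrusted input that is compared with the real buffer before use (the missing check behind a buffer overflow), a size computation that is tested for wrapping at 32 bits (integer overflow), and, in archive_argv, an argument vector built without a shell so that the input can never be interpreted as a command (command injection). The record layout, the 32-bit width and the tool name are assumptions made for the example.

```python
import re
import struct

U32_MAX = 0xFFFF_FFFF
HEADER = struct.Struct("<II")                 # assumed layout: u32 count, u32 element size
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")  # allowlist for file names handed to a tool


def checked_mul_u32(a: int, b: int):
    """Multiply the way a 32-bit unsigned machine would, but report an
    overflow (None) instead of letting the product silently wrap."""
    product = a * b
    return product if product <= U32_MAX else None


def parse_table(buf: bytes):
    """Parse 'count, size, then count*size payload bytes' from an untrusted
    buffer. Returns (records, None) on success or (None, reason) on rejection.
    Every length taken from the input is checked against the real buffer
    before it is used, which is the check a buffer overflow in a C parser lacks."""
    if len(buf) < HEADER.size:
        return None, "truncated header"
    count, size = HEADER.unpack_from(buf)
    if size == 0:
        return None, "zero-sized element"
    total = checked_mul_u32(count, size)
    if total is None:
        return None, "count*size overflows 32 bits"
    if total > len(buf) - HEADER.size:
        return None, "declared payload exceeds buffer"
    payload = buf[HEADER.size:HEADER.size + total]
    return [payload[i * size:(i + 1) * size] for i in range(count)], None


def archive_argv(filename: str):
    """Build the argument vector for an external tool without a shell. The
    filename is matched against an allowlist and passed as a single argv
    entry, so metacharacters in it are never interpreted as commands, and a
    leading '-' is refused so it cannot be read as an option."""
    if not SAFE_NAME.fullmatch(filename) or filename.startswith("-"):
        return None
    return ["tar", "-czf", filename + ".tgz", filename]


if __name__ == "__main__":
    # Constructed input: two records of three bytes each.
    print(parse_table(bytes([2, 0, 0, 0, 3, 0, 0, 0]) + b"abcdef"))  # ([b'abc', b'def'], None)
    print(parse_table(bytes([0, 0, 1, 0, 0, 0, 1, 0])))              # (None, 'count*size overflows 32 bits')
    print(archive_argv("report.txt"))                                # ['tar', '-czf', 'report.txt.tgz', 'report.txt']
```

The order of the checks matters: the overflow test comes before the buffer comparison, because a wrapped product can be small enough to pass the size comparison while the loop that follows still runs count times.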
Techniques for Creating Secure Systems

The following techniques can be used in engineering secure systems. These techniques,
whilst useful, do not of themselves ensure security. One security maxim is "a security
system is no stronger than its weakest link"

• Automated theorem proving and other verification tools can enable critical
algorithms and code used in secure systems to be mathematically proven to meet
their specifications.
• Thus simple microkernels can be written so that we can be sure they don't contain
any bugs: e.g. EROS and Coyotos.
o A bigger OS, capable of providing a standard API like POSIX, can be built on a
microkernel using small API servers running as normal programs. If one of these API
servers has a bug, the kernel and the other servers are not affected: e.g. Hurd.
• Cryptographic techniques can be used to defend data in transit between systems,
reducing the probability that data exchanged between systems can be intercepted
or modified.
• Strong authentication techniques can be used to ensure that communication end-
points are who they say they are.
• Secure cryptoprocessors can be used to leverage physical security techniques into
protecting the security of the computer system.
• Chain of trust techniques can be used to attempt to ensure that all software loaded
has been certified as authentic by the system's designers.
• Mandatory access control can be used to ensure that privileged access is
withdrawn when privileges are revoked. For example, deleting a user account
should also stop any processes that are running with that user's privileges.
• Capability and access control list techniques can be used to ensure privilege
separation and mandatory access control. The next sections discuss their use.
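As an added example (not from the report) of the chain-of-trust item above, the following Python code shows a loader that accepts a module only if the module's digest appears in a manifest whose signature verifies under the vendor's key. The manifest format, the module names and the key are constructed for the example, and an HMAC stands in for the public-key signature a real loader would verify, so that the example runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed signing key, standing in for the vendor's private key. A real
# chain of trust verifies a public-key signature; an HMAC keeps this offline.
VENDOR_KEY = b"constructed-example-key"


def module_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(key: bytes, modules: dict) -> dict:
    """Vendor side: list every approved module with its digest, then sign
    the list as a whole so entries cannot be added, dropped or altered."""
    digests = {name: module_digest(data) for name, data in modules.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"modules": digests, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def check_before_load(key: bytes, manifest: dict, name: str, data: bytes):
    """Loader side: trust flows from the key to the manifest to each module.
    Returns (True, 'ok') only when every link holds; the caller refuses the
    module on any False. Comparisons are constant-time."""
    body = json.dumps(manifest["modules"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return False, "manifest signature invalid"
    approved = manifest["modules"].get(name)
    if approved is None:
        return False, "module not listed in manifest"
    if not hmac.compare_digest(module_digest(data), approved):
        return False, "module digest does not match manifest"
    return True, "ok"


if __name__ == "__main__":
    # Constructed module contents; in practice these would be files on disk.
    modules = {"net.ko": b"constructed module bytes", "fs.ko": b"more constructed bytes"}
    manifest = sign_manifest(VENDOR_KEY, modules)
    print(check_before_load(VENDOR_KEY, manifest, "net.ko", modules["net.ko"]))  # (True, 'ok')
    print(check_before_load(VENDOR_KEY, manifest, "net.ko", b"altered"))         # (False, 'module digest does not match manifest')
```

Note that the manifest signature is checked first: a module that is absent from the signed list, or a list that has been edited to include one, is rejected before any per-module digest is compared.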

• Do not run an application with known security flaws. Either leave it turned off
until it can be patched or otherwise fixed, or delete it and replace it with some
other application. Publicly known flaws are the main entry used by worms to
automatically break into a system and then spread to other systems connected to
it. The security website Secunia provides a search tool for unpatched known flaws
in popular products.

Cryptographic techniques involve transforming information, scrambling it so it becomes
unreadable during transmission. The intended recipient can unscramble the message, but
eavesdroppers cannot.

• Backups are a way of securing information; they are another copy of all the
important computer files kept in another location. These files are kept on hard
disks, CD-Rs, CD-RWs, and tapes. Suggested locations for backups are a
fireproof, waterproof, and heat proof safe, or in a separate, offsite location than
that in which the original files are contained. Some individuals and companies
also keep their backups in safe deposit boxes inside bank vaults. There is also a
fourth option, which involves using one of the file hosting services that backs up
files over the Internet for both business and individuals.
o Backups are also important for reasons other than security. Natural
disasters, such as earthquakes, hurricanes, or tornadoes, may strike the
building where the computer is located. The building can be on fire, or an
explosion may occur. There needs to be a recent backup at an alternate
secure location, in case of such kind of disaster. The backup needs to be
moved between the geographic sites in a secure manner, so as to prevent it
from being stolen.

• Anti-virus software consists of computer programs that attempt to identify, thwart
and eliminate computer viruses and other malicious software (malware).
• Firewalls are systems which help protect computers and computer networks from
attack and subsequent intrusion by restricting the network traffic which can pass
through them, based on a set of system administrator defined rules.

• Access authorization restricts access to a computer to a group of users through the
use of authentication systems. These systems can protect either the whole
computer - such as through an interactive logon screen - or individual services,
such as an FTP server. There are many methods for identifying and authenticating
users, such as passwords, identification cards, and, more recently, smart cards and
biometric systems.

• Encryption is used to protect the message from the eyes of others. It can be done
in several ways by switching the characters around, replacing characters with
others, and even removing characters from the message. These have to be used in
combination to make the encryption secure enough, that is to say, sufficiently
difficult to crack. Public key encryption is a refined and practical way of doing
encryption. It allows for example anyone to write a message for a list of
recipients, and only those recipients will be able to read that message.

• Intrusion-detection systems can scan a network for people that are on the network
but who should not be there or are doing things that they should not be doing, for
example trying a lot of passwords to gain access to the network.

• Social engineering awareness - Keeping employees aware of the dangers of social
engineering and/or having a policy in place to prevent social engineering can
reduce successful breaches of the network and servers.

Capabilities vs. ACLs

Within computer systems, the two fundamental means of enforcing privilege separation
are access control lists (ACLs) and capabilities. The semantics of ACLs have been proven
to be insecure in many situations (e.g., Confused deputy problem). It has also been shown
that ACL's promise of giving access to an object to only one person can never be
guaranteed in practice. Both of these problems are resolved by capabilities. This does not
mean practical flaws exist in all ACL-based systems — only that the designers of certain
utilities must take responsibility to ensure that they do not introduce flaws.

Unfortunately, for various historical reasons, capabilities have been mostly restricted to
research operating systems and commercial OSs still use ACLs. Capabilities can,
however, also be implemented at the language level, leading to a style of programming
that is essentially a refinement of standard object-oriented design. An open source project
in the area is the E language [2].

The Cambridge CAP computer demonstrated the use of capabilities, both in hardware and
software, in the 1970s, so this technology is hardly new. A reason for the lack of adoption
of capabilities may be that ACLs appeared to offer a 'quick fix' for security without
pervasive redesign of the operating system and hardware.
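The confused deputy problem mentioned above, as an added Python illustration that is not part of the report: the ACL-based deputy checks its own identity against the list and therefore writes wherever a client names, while the capability-based deputy can only act through an object the client actually holds. The paths, the principals and the "compiler" service are constructed for the example; the capabilities are derived from the same ACL so that the two models can be compared on identical rights.

```python
# Constructed ACL: path -> principals allowed to write. The compiler service
# runs under its own identity and may write build products to the spool area;
# the billing ledger is writable only by the service itself.
ACL = {
    "/spool/alice.out": {"alice", "compiler"},
    "/var/billing/ledger": {"compiler"},
}


def acl_allows_write(principal: str, path: str) -> bool:
    return principal in ACL.get(path, set())


def acl_compile(client: str, out_path: str) -> bool:
    """ACL-style deputy: the service writes wherever the client asks, and the
    check is made against the SERVICE's identity, never the client's. A client
    who names a path it could not write itself still gets it written, which
    is the confused deputy problem."""
    return acl_allows_write("compiler", out_path)


class WriteCap:
    """Designation plus authority for one path, unforgeable within the program.
    Holding the object is the permission; there is no separate path to name."""
    __slots__ = ("_path",)

    def __init__(self, path: str):
        self._path = path

    def write(self, data: bytes) -> str:
        return f"wrote {len(data)} bytes to {self._path}"


def issue_caps(principal: str) -> dict:
    """Bootstrap: hand each principal capabilities only for the paths it may
    write (derived here from the same ACL so the two models compare)."""
    return {path: WriteCap(path) for path, who in ACL.items() if principal in who}


def cap_compile(out_cap: WriteCap) -> str:
    """Capability-style deputy: it can only write through the capability the
    client passed in, so it cannot be confused into using authority the
    client never had."""
    return out_cap.write(b"constructed object code")


if __name__ == "__main__":
    print(acl_compile("alice", "/var/billing/ledger"))      # True: the flaw
    alice = issue_caps("alice")
    print(sorted(alice))                                    # ['/spool/alice.out']
    print(cap_compile(alice["/spool/alice.out"]))           # wrote 23 bytes to /spool/alice.out
```

In the capability version the ledger is simply unreachable from alice's side: she has no object for it to pass, and the deputy has no ambient authority of its own to fall back on.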

The most secure computers are those not connected to the Internet and shielded from any
interference. In the real world, the most security comes from operating systems where
security is not an add-on, such as OS/400 from IBM. This almost never shows up in lists
of vulnerabilities for good reason. Years may elapse between one problem needing
remediation and the next.

A good example of a secure system is EROS. But see also the article on secure operating
systems. TrustedBSD is an example of an opensource project with a goal, among other
things, of building capability functionality into the FreeBSD operating system. Much of
the work is already done.

Other Uses of the Term "trusted"


The term "trusted" is often applied to operating systems that meet different levels of the
common criteria, some of which are discussed above as the techniques for creating secure
systems.

TROJAN HORSE

The most common blunder people make when the topic of a computer virus arises is to
refer to a worm or Trojan horse as a virus. While the words Trojan, worm and virus are
often used interchangeably, they are not the same. Viruses, worms and Trojan Horses are
all malicious programs that can cause damage to your computer, but there are differences
among the three, and knowing those differences can help you to better protect your
computer from their often damaging effects.
A computer virus attaches itself to a program or file so it can spread from one computer
to another, leaving infections as it travels. Much like human viruses, computer viruses
can range in severity: Some viruses cause only mildly annoying effects while others can
damage your hardware, software or files. Almost all viruses are attached to an executable
file, which means the virus may exist on your computer but it cannot infect your
computer unless you run or open the malicious program. It is important to note that a
virus cannot be spread without a human action, (such as running an infected program) to
keep it going. People continue the spread of a computer virus, mostly unknowingly, by
sharing infected files or sending e-mails with viruses as attachments.

A worm is similar to a virus by its design, and is considered to be a sub-class of a virus.
Worms spread from computer to computer, but unlike a virus, a worm has the capability to
travel without any help from a person. A worm takes advantage of file or information
transport features on your system, which allow it to travel unaided. The biggest danger
with a worm is its capability to replicate itself on your system, so rather than your
computer sending out a single worm, it could send out hundreds or thousands of copies of
itself, creating a huge devastating effect. One example would be for a worm to send a
copy of itself to everyone listed in your e-mail address book. Then, the worm replicates
and sends itself out to everyone listed in each receiver's address book, and the
manifest continues on down the line. Due to the copying nature of a worm and its
capability to travel across networks, the end result in most cases is that the worm
consumes too much system memory (or network bandwidth), causing Web servers,
network servers and individual computers to stop responding. In more recent worm
attacks such as the much-talked-about "Blaster" worm, the worm has been designed to
tunnel into your system and allow malicious users to control your computer remotely.

A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named
after. The Trojan Horse, at first glance will appear to be useful software but will actually
do damage once installed or run on your computer. Those on the receiving end of a
Trojan Horse are usually tricked into opening them because they appear to be receiving
legitimate software or files from a legitimate source. When a Trojan is activated on your
computer, the results can vary. Some Trojans are designed to be more annoying than
malicious (like changing your desktop, adding silly active desktop icons) or they can
cause serious damage by deleting files and destroying information on your system.
Trojans are also known to create a backdoor on your computer that gives malicious users
access to your system, possibly allowing confidential or personal information to be
compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other
files nor do they self-replicate.
Added into the mix, we also have what is called a blended threat. A blended threat is a
sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan
horses and malicious code into one threat. Blended threats use server and Internet
vulnerabilities to initiate, transmit and spread an attack. This combination of method and
techniques means blended threats can spread quickly and cause widespread damage.
Characteristics of blended threats include: causes harm, propagates by multiple methods,
attacks from multiple points and exploits vulnerabilities.

To be considered a blended threat, the attack would normally serve to transport multiple
attacks in one payload. For example, it wouldn't just launch a DoS attack — it would
also install a backdoor and damage a local system in one shot. Additionally, blended
threats are designed to use multiple modes of transport. For example, a worm may travel
through e-mail, but a single blended threat could use multiple routes such as e-mail, IRC
and file-sharing networks. The actual attack itself is also not limited to a specific
act. For example, rather than a specific attack on predetermined .exe files, a blended
threat could modify .exe files, HTML files and registry keys at the same time — basically
it can cause damage within several areas of your network at one time.

Blended threats are considered to be the worst risk to security since the inception of
viruses, as most blended threats require no human intervention to propagate.
In the context of computer software, a Trojan horse is a program that contains or installs
a malicious program (sometimes called the payload or 'trojan'). The term is derived from
the classical myth of the Trojan Horse. Trojan horses may appear to be useful or
interesting programs (or at the very least harmless) to an unsuspecting user, but are
actually harmful when executed.

Often the term is shortened to simply trojan, even though this turns the adjective into a
noun, reversing the myth (Greeks, not Trojans, were gaining malicious access).

There are two common types of Trojan horses. One is otherwise useful software that has
been corrupted by a hacker who inserted malicious code that executes while the program is
used. Examples include various implementations of weather alerting programs, computer
clock setting software, and peer-to-peer file sharing utilities. The other type is a
standalone program that masquerades as something else, like a game or image file, in
order to trick the user into the misdirected cooperation that is needed to carry out the
program's objectives.

Trojan horse programs cannot operate autonomously, in contrast to some other types of
malware, like viruses or worms. Just as the Greeks needed the Trojans to bring the horse
inside for their plan to work, Trojan horse programs depend on actions by the intended
victims. Even where trojans replicate and distribute themselves, each new victim
must run the program. Their virulence is therefore of a different nature: it depends
on successful social engineering rather than on flaws in a
computer system's security design or configuration.

However, there is another meaning for the term 'Trojan Horse' in the field of computer
architecture. Here it represents any piece of user code which makes the kernel
code access anything it would not have been able to access itself in the first place (i.e.,
making the OS do something it was not supposed to do). Such security loopholes are
also called Trojan Horses.
Example of a simple Trojan horse
A simple example of a trojan horse would be a program named "waterfalls.scr" claiming
to be a free waterfall screensaver which, when run, instead gives a remote party access to
the user's computer.
LIST OF TROJAN HORSES

Name              | Alias(es) | Type | Subtype | Isolation Date | Origin | Author               | Notes
AIDS              |           |      |         |                |        |                      |
Back Orifice      |           |      |         |                |        | Sir Dystic           |
Back Orifice 2000 |           |      |         |                |        | Dildog               | Successor to Back Orifice
Beast Trojan      |           |      |         |                |        |                      |
Bifrose           |           |      |         |                |        | ksv                  |
Insurrection      |           |      |         |                |        |                      |
NetBus            |           |      |         |                |        | Carl-Fredrik Neikter |
Optix Pro         |           |      |         |                |        |                      |
Poison Ivy        |           |      |         |                |        | ShapeLeSS            | http://www.chasenet.org/
ProRat            |           |      |         |                |        |                      |
Sub7              | SubSeven  |      |         |                |        | Mobman               |
EGABTR            |           |      |         |                |        |                      |
RemoteHAK         |           |      |         |                |        | HaKKa                |

Further entries (name only):
A-311 Death
A4zeta
Abacab Abware.F
Acessor
AcidBattery
Acid Drop
AcidHead
Acid Kor
Acidsena
AcidShivers
Acid Trojan Horse
AckCmd
Acojonaor
Acropolis
Admin.Troj.Kikzyurarse
Advertiser Bot
AeonwindDoll
Afcore
A-FTP
AF
Agent 40421
AH
Aibolit
AIMaster
AIM Filter
AimFrame
aim P
Aim Password Stealer
AIM Pws
AimRat
AIM Robber
AIM Spy
AIMVision
AIR
AirBot
Akosch
Aladino
Al-Bareki
Alcatraz
Alerter
AlexMessoMalex
Alicia
Alien Hacker
Alien Spy
Almaster
Almetyevsk
Almq
Alex
Alofin
Alop
Alph
AlphaDog
Alvgus
Amanda
Amiboide Uploader
Ambush
AmigaAnywhere
Amitis
Amoeba
AMRC
AMS
Anal FTP
Anal Ra
AnarchoIntruder
Andromeda
A New Trojan
Angelfire
AngelShell
Annoy Toys
Anthena
Anti Danger
Anti-Denial
AntiMks
AntiPC
AntiLamer Backdoor
Anti MSN
Antylamus
AolAdmin
Apdoor
Aphex's FTP
Aphex's Remote Packet
Sniffer
Aphex tunneld 2.0
AppServ
APRE
Aqua
Arcanum
Area Control
Ares Invader
Armageddon
arplhmd
Arranca
Arsd
Artic
Arturik
AsbMay
A.S.H.
Ashley
Ass4ss1n
Assasin
Asylum
Atentator
A-Trojan
Attack FTP
Atwinda
AudioDoor
Autocrat
AutoPWN
Autograph
AutoSpY
Avanzado
Avone
Ayan Bilisim
Azrael
BD Blade runner 0.80a
Crazy Daisy
Connect4 Rituall33
Donald Dick
Flatley Trojan
Theef
Twelve Tricks
VMLFILL

Types of Trojan horse payloads


Trojan horse payloads are almost always designed to do various harmful things, but could
be harmless. They are classified by how they breach systems
and the damage they cause. The seven main types of Trojan horse payloads are:

• Remote access
• E-mail sending
• Data destruction
• Proxy trojan (disguising other computers as the infected computer)
• FTP trojan (adding or copying data from the infected computer)
• Security software disabler
• Denial-of-service attack (DoS)
• URL trojan (directing the infected computer to connect to the Internet only via an
expensive dial-up connection)

Some examples are:

• erasing or overwriting data on a computer.
• encrypting files in a cryptoviral extortion attack.
• corrupting files in a subtle way.
• uploading and downloading files.
• allowing remote access to the victim's computer. Such a program is called a RAT (remote
administration tool).
• spreading other malware, such as viruses. In this case the Trojan horse is called a
'dropper' or 'vector'.
• setting up networks of zombie computers in order to launch DDoS attacks or send
spam.
• spying on the user of a computer and covertly reporting data like browsing habits
to other people (see the article on spyware).
• taking screenshots.
• logging keystrokes to steal information such as passwords and credit card
numbers (also known as a keylogger).
• phishing for bank or other account details, which can be used for criminal activities.
• installing a backdoor on a computer system.
• opening and closing the CD-ROM tray.
• harvesting e-mail addresses and using them for spam.
• restarting the computer whenever the infected program is started.
• deactivating or interfering with anti-virus and firewall programs.
• deactivating or interfering with other, competing forms of malware.

Time bombs and logic bombs

"Time bombs" and "logic bombs" are types of trojan horses.

"Time bombs" activate on particular dates and/or times. "Logic bombs" activate on
certain conditions met by the computer.
Droppers

Droppers perform two tasks at once. A dropper performs a legitimate task but also installs
a computer virus or a computer worm on a system or disk at the same time.

Trojan Horse Attacks


If you were referred here, you may have been "hacked" by a Trojan horse attack. It is
crucial that you read this page and fix your computer immediately. Failure to do so could result
in being disconnected from the IRC network, letting strangers access your private files, or,
worse yet, allowing your computer to be hijacked and used in criminal attacks on others.

Trojan horse attacks pose one of the most serious threats to computer security. If you
were referred here, you may not only have been attacked but may also be attacking others
unknowingly. This page will teach you how to avoid falling prey to them, and how to
repair the damage if you already have. According to legend, the Greeks won the Trojan war
by hiding in a huge, hollow wooden horse to sneak into the fortified city of Troy. In
today's computer world, a Trojan horse is defined as a "malicious, security-breaking
program that is disguised as something benign". For example, you download what
appears to be a movie or music file, but when you click on it, you unleash a dangerous
program that erases your disk, sends your credit card numbers and passwords to a
stranger, or lets that stranger hijack your computer to commit illegal denial-of-service
attacks like those that have virtually crippled the DALnet IRC network for months on
end.

The following general information applies to all operating systems, but by far most of the
damage is done to, and by way of, Windows users, due to that system's vast popularity and many weaknesses.

(Note: Many people use terms like Trojan horse, virus, worm, hacking and cracking all
interchangeably, but they really don't mean the same thing. If you're curious, here's a
quick primer defining and distinguishing them. Let's just say that once you are "infected",
trojans are just as dangerous as viruses and can spread to hurt others just as easily!)

II. How can one get infected?


Trojans are executable programs, which means that when you open the file, it will
perform some action(s). In Windows, executable programs have file extensions like
"exe", "vbs", "com", "bat", etc. Some actual trojan filenames include "dmsetup.exe" and
"LOVE-LETTER-FOR-YOU.TXT.vbs" (when there are multiple extensions, only the last
one counts; be sure to unhide your extensions so that you can see it).

Trojans can be spread in the guise of literally ANYTHING people find desirable, such as
a free game, movie, song, etc. Victims typically download the trojan from a WWW or
FTP archive, receive it via peer-to-peer file exchange using IRC, instant messaging, Kazaa
etc., or simply open an e-mail attachment carelessly. Trojans usually do their damage
silently. The first sign of trouble is often when others tell you that you are attacking them
or trying to infect them!

III. How does one avoid getting infected in the future?


You must be certain of BOTH the source AND content of each file you download! In
other words, you need to be sure that you trust not only the person or file server that gave
you the file, but also the contents of the file itself.

1. NEVER download blindly from people or sites which you aren't 100% sure
about. In other words, as the old saying goes, don't accept candy from strangers.
If you do a lot of file downloading, it's often just a matter of time before you fall
victim to a trojan.

2. Even if the file comes from a friend, you still must be sure what the file is
before opening it, because many trojans will automatically try to spread
themselves to friends in an e-mail address book or on an IRC channel. There is
seldom reason for a friend to send you a file that you didn't ask for. When in
doubt, ask them first, and scan the attachment with a fully updated anti-virus
program.

3. Beware of hidden file extensions! Windows by default hides the last extension of
a file, so that innocuous-looking "susie.jpg" might really be "susie.jpg.exe", an
executable trojan! To reduce the chances of being tricked, unhide those pesky
extensions.

4. NEVER use features in your programs that automatically get or preview
files. Those features may seem convenient, but they let anybody send you
anything, which is extremely reckless. For example, never turn on "auto DCC get"
in mIRC; instead, ALWAYS screen every single file you get manually. Likewise,
disable the preview mode in Outlook and other e-mail programs.

5. Never blindly type commands that others tell you to type, or go to web
addresses mentioned by strangers, or run pre-fabricated programs or scripts
(not even popular ones). If you do so, you are potentially trusting a stranger with
control over your computer, which can lead to trojan infection or other serious
harm.

6. Don't be lulled into a false sense of security just because you run anti-virus
programs. Those do not protect perfectly against many viruses and trojans, even
when fully up to date. Anti-virus programs should not be your front line of
security; instead they serve as a backup in case something sneaks onto your
computer.

7. Finally, don't download an executable program just to "check it out"; if it's a
trojan, the first time you run it, you're already infected!
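The double-extension trick described under "How can one get infected?" and in point 3 above is mechanical enough to check for automatically. The following Python script is an added example (not part of the report) of a defensive attachment triage: it reads a filename the way the report says a careful user should, by its last extension, flags a benign-looking inner extension, and then checks that the file's leading bytes match what the name claims. The extension and signature tables and all sample files are constructed for the example.

```python
"""Attachment triage: flags the deceptive names this report describes
(executable or double extensions such as "susie.jpg.exe") and checks that
content matches the claimed type. Added example; sample data is constructed."""
import os

# Windows executable extensions (the report lists exe, vbs, com, bat; the
# rest are other well-known executable types added here).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
                   "scr", "pif", "wsf", "hta", "cpl", "msi"}
BENIGN_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "mp3", "avi", "pdf", "doc"}
# Well-known file signatures for the types we can verify from content.
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8",
         "png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-"}
MZ_HEADER = b"MZ"  # every Windows PE executable starts with these bytes

def split_exts(filename):
    """All extensions, lowercase: 'a.jpg.exe' -> ['jpg', 'exe']."""
    parts = os.path.basename(filename).lower().split(".")
    return parts[1:] if len(parts) > 1 else []

def classify_name(filename):
    """Only the LAST extension counts; a benign inner one is the disguise."""
    exts = split_exts(filename)
    if not exts:
        return "no-extension"
    if exts[-1] in EXECUTABLE_EXTS:
        if len(exts) > 1 and exts[-2] in BENIGN_EXTS:
            return "executable-disguised"
        return "executable"
    return "non-executable"

def content_matches_name(filename, data):
    """True if the bytes look like the type the last extension claims."""
    exts = split_exts(filename)
    if not exts:
        return False
    last = exts[-1]
    if data.startswith(MZ_HEADER):      # a '.jpg' starting with MZ is a PE
        return last in EXECUTABLE_EXTS
    if last in MAGIC:
        return data.startswith(MAGIC[last])
    return True  # no signature known for this type; nothing contradicts it

def triage(filename, data):
    """Combine both checks; anything other than 'ok' belongs in quarantine."""
    verdict = classify_name(filename)
    if verdict != "non-executable":
        return verdict
    return "ok" if content_matches_name(filename, data) else "content-mismatch"

if __name__ == "__main__":
    # Constructed samples: names taken from the report, fake contents.
    for name, blob in {"LOVE-LETTER-FOR-YOU.TXT.vbs": b"Set fso = ...",
                       "susie.jpg.exe": MZ_HEADER + b"\x90" * 8,
                       "invoice.pdf": MZ_HEADER + b"\x90" * 8}.items():
        print(f"{name:30} -> {triage(name, blob)}")
```

A real mail gateway would add archive unpacking and a proper type-detection library; the point here is that neither the name nor the content alone is sufficient.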

IV. How can one get rid of trojans?


Here are your options; none of them is perfect. I strongly suggest you read
through all of them before rushing out and trying to run some program blindly.
Remember, that is how you got into this trouble in the first place. Good luck!

1. Clean Re-installation: Although arduous, this is the only sure way
to eradicate a trojan or virus. Back up your entire hard disk, reformat the disk, re-
install the operating system and all your applications from original CDs, and
finally, if you are certain they are not infected, restore your user files from the
backup. If you are not up to the task, you can pay a professional repair service
to do it.

2. Anti-Virus Software: Some of these can handle most of the well-known trojans,
but none is perfect, no matter what its advertising claims. You absolutely
MUST make sure you have the very latest update files for your programs, or else
they will miss the latest trojans. Compared to traditional viruses, today's trojans
evolve much more quickly and come in many seemingly innocuous forms, so anti-virus
software is always going to be playing catch-up. Also, if it fails to find every
trojan, anti-virus software can give you a false sense of security, such that you go
about your business not realizing that you are still dangerously compromised.
There are many products to choose from, but the following are generally
effective: AVP, PC-cillin, and McAfee VirusScan. All are available for immediate
download, typically with a 30-day free trial. For a more complete review of all
major anti-virus programs, including specific configuration suggestions for each,
see the HackFix Project's anti-virus software page. When you
are done, make sure you have updated Windows with all security patches.

3. Anti-Trojan Programs: These programs are the most effective against trojan
horse attacks, because they specialize in trojans instead of general viruses. A
popular choice is The Cleaner, $30 commercial software with a 30-day free trial.
To use it effectively, you must follow hackfix.org's configuration suggestions.
When you are done, make sure you have updated Windows with all
security patches, then change all your passwords, because they may
have been seen by every "hacker" in the world.

4. IRC Help Channels: If you are the type that needs some hand-holding, you can
find trojan/virus removal help on IRC itself, such as EFnet #dmsetup or DALnet
#NoHack. These experts will try to figure out which trojan(s) you have and offer
you advice on how to fix it. The previous directions were in fact adapted from
advice given by EFnet #dmsetup.

Combating Trojan Horses


The first step in protecting your computer is to ensure your operating system (OS) is
up to date. This is essential if you are running a Microsoft Windows OS. Secondly, you
should have anti-virus software installed on your system and download
updates frequently, so that your software has the latest fixes for new viruses, worms,
and Trojan horses. Additionally, make sure your anti-virus program has the
capability to scan e-mail and files as they are downloaded from the Internet. This will
help prevent malicious programs from even reaching your computer. You should also
install a firewall.

A firewall is a system that prevents unauthorized use of and access to your computer. A
firewall can be either hardware or software. Hardware firewalls provide a strong degree
of protection from most forms of attack coming from the outside world and can be
purchased as a stand-alone product or built into broadband routers. Unfortunately, when battling
viruses, worms and Trojans, a hardware firewall may be less effective than a software
firewall, as it may ignore worms embedded in outgoing e-mails and treat them as
regular network traffic. For individual home users, the most popular firewall choice is a
software firewall. A good software firewall will protect your computer from outside
attempts to control or gain access to your computer, and usually provides additional
protection against the most common Trojan programs and e-mail worms. The downside of
software firewalls is that they protect only the computer they are installed on, not a
network.

It is important to remember that on its own a firewall is not going to rid you of your
computer virus problems, but when used in conjunction with regular operating system
updates and good anti-virus scanning software, it adds extra security and
protection for your computer or network.

CONCLUSION
The seminar preparation period was really a very enriching and
informative experience for me. The making of the seminar has enhanced my practical
knowledge and taught me about a very interesting topic that was new to me. The regular
guidance and constant watch never let us be frivolous and kept me aware of what was going
on in other parts of the department and the world. In the end, we would once again thank
all the persons who made such project work possible for us.

BIBLIOGRAPHY
1) Google.com
2) Symantec.com
3) Wikipedia
