A Trojan Horse is a program that infects your computer and allows an
attacker to take control of your machine behind your back. A trojan
infection can allow total remote access to your computer by a third
party. Unlike viruses or worms, trojans do not replicate themselves.
In order to get infected you must, one way or another, have
downloaded and run the program on your computer. This most commonly
occurs when you download a program that pretends to be one thing
while it is actually another, which is the origin of the "Trojan"
name.
Many people believe they are protected from trojans by their
anti-virus software. Unfortunately, most anti-virus software has only
limited trojan detection capabilities.
Problem Description
There are several programs circulating that make any virus you have
seen to date seem like harmless child's play. These programs will
allow anyone on the Internet to remotely control your computer! They
can collect all your passwords, access all your accounts including
Email and PeopleSoft, read and modify all your documents, publish
your hard drive so it is shared across the Internet, record your
keystrokes, look at your screen, and listen to your conversations on
your computer microphone. You'll never know it's happening.
Consider for a moment the implications of someone controlling your
computer. They would have access to any account you access from your
computer. If you access your employer's systems, they could use those
accounts to perform fraudulent transactions. They could perform
online stock or banking transactions with your personal accounts.
They could read your email and send email in your name. They could
use your computer as a stepping-stone to another computer, in which
case you could be blamed.
The
victims of any abuse performed by the controller of your
computer would only see your computer's network address. You
may even be sitting in front of the keyboard when the computer
is used in some crime. This would make it very difficult for
you to prove your innocence, particularly if the actual
perpetrator erased the evidence of their presence after
performing the crime.
With these types of programs and the growing use of electronic
banking and other critical functions on our desktops, Donn Parker's
"automated crime" is just a short step away. They have already been
used to spread the distributed denial of service tools similar to
those responsible for the early February 2000 disruption of major
Internet sites.
The programs have been disguised as games, pictures, screen savers,
holiday greetings, and other files. The three most popular are
probably Netbus, Back Orifice, and SubSeven. However, there are
hundreds more. We'll refer to all of them here as Remote Control
Trojan Horse (RCTH) programs. They can be used by anyone more
sophisticated than a precocious ten year old to compromise your
computer.
The good news is that you must run the programs in order for them to
be installed. The bad news is that you may not know when you're
running them because you have no way of determining what a program
does before you run it. In addition, they are sometimes attached to
"good" programs and install themselves in the background while
you're running the good programs. That neat screen saver you just
received from a friend may have enabled persons unknown to you to
control your computer and access all your accounts. And as it's
passed around and installed, it lets the author know each time a new
machine is compromised and available.
There have been several instances of these programs found on
workstations, particularly on company machines. Common methods of
receipt are via ICQ, instant messaging, or email. Someone tells you
they have a neat program or picture and sends it to you. When you
open it, it may indeed be a neat program or picture. What you don't
know is that it is simultaneously and silently installing a remote
control Trojan horse program. Distribution can be by any means: ftp,
web browser file download, email .exe attachment, etc.
The vast majority of compromises can be prevented simply by keeping
your anti-virus tools and Windows updates current and having a
firewall in place. The only sure way of preventing infection is to
refuse to run unknown programs, because anti-virus and similar tools
can only detect programs they have been told are harmful; new ones go
undetected. The important point to keep in mind is that when you run
any program, you're giving your computer to the person who wrote
that program!
Problem Detection and Removal
RCTH Program Operation
Before outlining detection and removal procedures, PMC wants to
discuss the operation of the RCTH programs. PMC is a firm believer
that to solve a problem you must first understand it. More
importantly, there is no absolute solution to these programs and
definitely no "tell me what keys to press" solution. A good
understanding of how the RCTH programs work and how they can hide is
the best weapon.
There are now hundreds of programs of this type. They all consist of
two parts: a server that runs on your computer, and a client that
runs on the controlling computer. They are all freely available on
the Internet. The server silently opens a virtual network port and
listens for requests from clients. People running the clients can
connect to the server from anywhere on the Internet and control your
PC almost as if they were sitting in front of it. In fact, some
things are easier using these programs than they would be using your
keyboard. For example, the program automatically decrypts passwords
used to protect Microsoft shared directories. The clients can also
scan a range of addresses looking for listening servers, so once
you're infected, anyone can find you.
[Figure: Netbus and Back Orifice RCTH clients]
The
server program can be named anything so you can't simply look
for a list of names.
Problem Prevention
The only sure solution is to refuse to run unknown programs, keep
your computer system updated, and put a firewall in place.
Unfortunately, abstinence isn't always practical or desirable. I'll
describe some protective tools you can use, but keep in mind that
none of them are completely effective. As newer, more sophisticated
and devious versions of the RCTH programs are released, these
measures will become less and less effective. For that matter, a
hostile program that succeeds in executing may simply reconfigure or
disable a protective program. As you'll read later on this page,
detection and removal are not simple operations, and the more
infections we can prevent, the better. The following prevention
measures are listed in order of effectiveness:
- Don't run the programs, which means don't run any unknown
programs. Be very careful of email attachments, particularly .exe
files and documents with macros.
- Run a program that firewalls your PC. PMC looked at McAfee
Firewall and ZoneAlarm lately and hopes that as these and similar
products mature we can provide one to the population the way we do
anti-virus software. Although their theoretical effectiveness is
high, general usage mistakes may subvert that effectiveness.
- Run a program specifically made to prevent RCTH programs. We have
run software called BOClean. It was the most effective tool that PMC
tested at preventing, detecting, and removing RCTH programs, and it
does so with almost no operator input or impact.
- Run an up to date virus detector. You should check for updates at
least once a month. Norton and other traditional AV products will
not protect you unless you elect to run the piece that runs in the
background and checks all files as they're read. That would be File
System Realtime Protection for Norton, WinGuard for Dr. Solomon,
VShield for McAfee, or the equivalent for other products. If you
install the Norton Anti-Virus package and accept all the defaults,
File System Realtime Protection will be installed to protect you.
Installing or updating any of these virus protection programs after
you're infected may result in a failure to remove the infection
unless you enable the background protection and reboot. In my own
tests last year, traditional AV products were not even close to the
effectiveness or ease of use of BOClean and other dedicated
anti-trojan tools, but they now cover the most popular programs. Two
online comparisons are at the Tauscan and Netsplit sites.
Detection
1. The manual procedures below are for people who, for some reason,
don't have access to BOClean.
There are four ways to detect RCTH programs:
1. Check the fingerprint of files for a match against a "Trojan
database".
2. Check the fingerprint of running processes for a match against a
"Trojan database".
3. Check for programs that are automatically started when you boot
your computer.
4. Check for open virtual network ports.
Each has limitations and advantages. Many tools use a mixture of the
methods.
The
first two methods are traditional virus checking methods. They
depend upon a database of code fragments or patterns that
uniquely identify each of the suspect programs or behavior
analysis that leads a file to be suspect. Of course, the
database has to be constantly updated to keep up with new
programs. The file check method can be time consuming because
it has to check every file. However, most virus tools now do
this only once when they're installed and then only in the
background when a file is read. The process check only
examines running programs so it can be quicker. Note that if
the writer of the RCTH program obfuscated the fingerprint
using compression, encryption, overlays, or some other method,
the fingerprint may not be recognizable to the tool as a RCTH
program. This possibility and the lag time associated with
updating tools to detect new programs' fingerprints
necessitates multiple checks using each of the detection
methods. Keep in mind that "fingerprint tools" only
work if they know the fingerprint. The fingerprint protection
tools can find the highly publicized or otherwise discovered
programs because they know about them. On the other hand, if
someone wanted to target an individual or organization, had
the ability to write their own program, and kept quiet about
it, traditional fingerprint tools like virus checkers would
never find it.
All
the presently identified RCTH programs automatically restart
when you boot your computer. To do this they have an entry in
the registry, the win.ini file, the system.ini file, the
autoexec.bat file, the startup folder or similar places. Of
course, lots of other programs automatically start up when you
boot so the challenge is identifying the ones that aren't
supposed to be there. Since the RCTH programs can be renamed,
this is not a small challenge. If the programs were installed
with their default names, they are easy to spot. If they've
been renamed, we have to verify that the file is actually
something we want started. Sometimes there is no way to do
this except to remove the entry and see what breaks.
StartupCop is an easy to use tool that allows you to enable
and disable the various startup items as you're investigating.
All the presently identified RCTH programs open a virtual network
port to communicate. Every TCP/IP based system has 65,535 TCP ports
and 65,535 UDP ports it can use to communicate with other computers.
Some ports are dedicated to particular uses. For example, port 80 is
used by a web server, port 25 by a mail server, and ports 137-139
are used by Microsoft file sharing services. Each of the RCTH
programs also has a default port on which it listens for connections
from other machines. If we find one of these default ports active,
we're almost guaranteed that we've detected an infection. On the
other hand, these programs allow the interloper to change the
default port. In that case, we have to verify that any open port has
been opened by a program that we authorized to run. Two tools to
perform this task are Winternals TCPViewPro and Foundstone's FPort
(free). Finally, some desktop firewalls will tell you what programs
are opening what ports. Without such a tool, it becomes a matter of
stopping services to see what ports close. Another problem occurs
when the RCTH program doesn't hold the port open continuously. At
least one program sits silently until it has some data to send (your
passwords), opens a port, sends the data, and closes the port.
As you can see, there are ways around every detection method. That
is why the only 100% effective solution to this problem is not to
get infected in the first place. Of course, that is not too
realistic unless we refuse to run any programs at all, because there
is always a chance, however slight, that one of these RCTH programs
might get by a big vendor. Besides, there are many, many useful
programs written by shareware and freeware authors that it would be
a shame to ignore. However, the need for care has been greatly
increased by these RCTH programs.
Another option is the age-old Unix (and other host) system
administration trick of fingerprinting your critical files and
checking them for modifications once in a while using something like
Tripwire. The practicalities of doing something like this across a
diverse collection of "personal computers" are, well, daunting to
say the least. These are the type of things system administrators do
on "non-personal computers". Unfortunately, very little thought is
usually given to administration of "personal computers". The
marketers wouldn't be able to say "just pull it out of the box and
plug it in". The truth is that they're every bit as vulnerable as
larger computers and maybe more so.
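The fingerprint-and-compare trick described above is small enough to do on a single PC. The following is an added example written for this page, not code from the original article or from PMC. It assumes you have already chosen which files to watch (for instance every executable named in the Run* registry keys and the startup folder) and that the saved baseline lives somewhere a trojan that gets to run cannot rewrite it. The file names and contents in demo() are constructed stand-ins, not real programs.

```python
"""Tripwire-style fingerprint baseline for the files started at boot.

Added example, not code from the original page or from PMC. It assumes
you have already decided which files to watch and that the saved
baseline is kept where a trojan that gets to run cannot rewrite it.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


def fingerprint(path: Path) -> str:
    """SHA-256 of the file contents, hashed in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(files: Iterable[Path]) -> Dict[str, str]:
    """Map each watched path to its fingerprint."""
    return {str(p): fingerprint(p) for p in files}


def save_baseline(baseline: Dict[str, str], store: Path) -> None:
    """Write the baseline as JSON. Keep 'store' off the machine or on read-only media."""
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> Dict[str, str]:
    return json.loads(store.read_text())


def check_baseline(baseline: Dict[str, str], files: Iterable[Path]) -> Dict[str, List[str]]:
    """Compare the current state of the watched files against 'baseline'.

    'modified': a watched file whose hash changed (a legitimate program
                overwritten or patched by a trojan).
    'missing':  in the baseline but gone.
    'new':      present among 'files' but not in the baseline (a renamed
                server dropped next to the real programs).
    """
    watched = set(baseline) | {str(p) for p in files}
    current = {p: fingerprint(Path(p)) for p in watched if Path(p).is_file()}
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Run the whole cycle over constructed files in a temporary directory.

    The file contents are made-up stand-ins, not real programs. Returns the
    report with bare file names so the result does not depend on the temp path.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        explorer = root / "explorer.exe"
        saver = root / "neat.scr"
        explorer.write_bytes(b"MZ legitimate program (constructed)")
        saver.write_bytes(b"MZ neat screen saver (constructed)")
        store = root / "baseline.json"
        save_baseline(build_baseline([explorer, saver]), store)

        # What a dropper might do: patch the screen saver, add a server, remove a file.
        saver.write_bytes(b"MZ neat screen saver + RCTH server (constructed)")
        (root / "patch.exe").write_bytes(b"MZ something nobody installed (constructed)")
        explorer.unlink()

        startup_files = [p for p in root.iterdir() if p.suffix.lower() in (".exe", ".scr")]
        report = check_baseline(load_baseline(store), startup_files)
        return {kind: [Path(p).name for p in paths] for kind, paths in report.items()}


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:9s} {names}")
```

The check only tells you that something changed; it cannot tell you whether the change was a Windows update or a trojan, so each hit still has to be verified by hand, and the baseline must be rebuilt after every legitimate install.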
Tools
1. The alternate tools below are for people who, for some reason,
don't have access to BOClean.
Norton
Anti-Virus will detect some of the RCTH programs by their
fingerprints. Two
products with downloadable evaluation versions that are
effective across a range of Trojans are "The
Cleaner" which works by examining file fingerprints
and ZoneAlarm which
works by blocking virtual port access to unknown applications.
Stay away from BOSniffer. It claims to be a Back Orifice
removal tool but it actually installs it. How can you be 100%
sure some other program doesn't do the same thing?
You can't!
Pathetic state of affairs, eh? Desktop firewalls, such as Private
Desktop and ZoneAlarm, are particularly interesting because they
would stop all RCTH programs whether they're known or not. They can
do this because they're not looking for particular trojans, only for
unauthorized communications. All the other tools require the maker
of the tool to be aware of the trojan and update their detection
algorithm or fingerprints.
They ask the operator whether to allow any previously unseen type of
communication when an application tries to use the network. Hence,
the operator would probably allow netscape.exe or iexplore.exe to go
ahead and use the network but not allow patch.exe or some other
unfamiliar file name. It may get a little trickier if the trojan was
named iexplorer.exe or email.exe, though.
Once again, it would be up to the operator to properly control
access to their computer. Also keep in mind that desktop firewalls
don't remove an RCTH, which means that if the computer is ever
started without starting the firewall, the RCTH will be active. And
it should go without saying that malware may target the
desktop-resident protective software itself.
Often the client (controlling) portion of the RCTH programs contains
a scanner that helps the interloper locate infected machines. Using
the clients to find out if you're infected is not recommended due to
the source of the programs.
Some web sites will offer to scan your computer to see if one of
these programs is running. These sites may not work for some
computers and may tell you you're not infected even if you are.
If you don't have BOClean installed, I'm going to recommend a manual
method to use in addition to any other tool that you use. This is
not an operator friendly, push-a-button method, but it's the only
one that PMC does right now. First, we'll look at the places where
these programs are started up. Then we'll look for the virtual
network ports that they use to communicate. As you'll recall, these
are two of the four methods to detect these programs. The other two,
fingerprint checks, aren't feasible to do manually, and we'll have
to depend upon continually updated virus detector software, Windows
updates and similar tools for these functions.
Steps 1a and 2a will quickly detect the presently most popular
programs in their default installation configuration.
1. Check for programs that are automatically run when you start your
computer.
- Look in the registry for entries that start programs.
- If you're running Windows NT, look in the Services Control Panel
for automatically started services; if you are running Windows 2000,
check the Run keys in the registry to find out what is started.
- Look in autoexec.bat for entries that start programs.
- Look in win.ini for "run=" entries that start programs.
- Look in the system.ini file for entries that start programs.
- Look in the startup folder for entries that start programs.
- Check other places commonly used to start trojans. A list of these
is available here.
- You can use a tool such as StartupCop to help in this process.
2. Check for open virtual ports.
- Use netstat to see what network ports your computer is
communicating on. If you have access to Winternals TCPViewPro, use
that instead. It has the advantage of telling you what program is
talking on each port, something netstat doesn't do in the Windows
world. Foundstone has a similar tool called FPort that is free.
3. Verify all entries and open ports.
Removal
1. Install and run BOClean. The manual procedures below are for
people who, for some reason, don't have access to BOClean.
Again, if you don't have access to BOClean for automatic removal,
I'm going to recommend a less friendly, manual procedure. I'd highly
recommend this procedure to double-check the effectiveness of any
automated program removal that you may have access to.
1. Remove the entries that automatically start the programs.
2. Reboot.
3. Remove the files associated with the programs.
4. Repeat the detection procedures to ensure that the Trojan is
removed and that there are no others.
5. Cleanup!
Cleanup
Change
all passwords on resources accessed from the infected machine
and all passwords stored on the machine including passwords
for Microsoft file sharing. Everyone who used the machine must
change any passwords they typed on the machine. For example,
their email, network, and PeopleSoft passwords.
Additional action may be warranted depending upon the type of
information accessible on your machine and available to operator IDs
used on your machine. You must consider the fact that all
information may have been compromised. If you have privileged access
to other systems used from the computer, those systems too will need
to be examined to determine the extent of the compromise. You should
notify the administrators of those machines of the possible breach.
In some cases, it may be necessary to completely erase everything on
the computer and rebuild it from scratch.
If the interloper used the keystroke-logging feature, there will be
at least one text file somewhere on the computer containing those
keystrokes. If multiple people use the computer, this may
inappropriately compromise information. Even if one person uses it,
it is not a good idea to leave that text file(s) lying around since
it may contain passwords or other sensitive data. The Back Orifice
key log files contain the string ->[ at the beginning of the lines
that name the application to which the captured keys pertain. So you
could use the file finder to look for files containing that string
to help locate the log file if Back Orifice was the RCTH program you
found.
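If the file finder is not convenient (it will not search every file type by default), the same search can be scripted. The following is an added example written for this page, not code from the original article or from PMC. The page only says that the lines begin with ->[ and name an application; the assumption made here is that the application name runs up to the next ']'. The log in demo() is constructed in that shape and is not a real capture.

```python
"""Locate Back Orifice keystroke logs by their line marker.

Added example, not from the original page or from PMC. The page says the
log lines that name an application begin with the string ->[ ; the
assumption here is that the application name runs up to the next ']'.
"""
import tempfile
from pathlib import Path
from typing import Dict, Union

MARKER = b"->["  # start of a Back Orifice log line that names the application


def find_keylogs(root: Union[str, Path], marker: bytes = MARKER) -> Dict[str, Dict[str, object]]:
    """Walk 'root' and return every file containing lines that start with 'marker'.

    Files are read as binary, one line at a time, so large files and
    binaries do not need to fit in memory. Unreadable files are skipped.
    Each hit carries the number of marker lines and the sorted set of
    application names extracted from them.
    """
    hits: Dict[str, Dict[str, object]] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        count = 0
        apps = set()
        try:
            with path.open("rb") as handle:
                for line in handle:
                    if not line.startswith(marker):
                        continue
                    count += 1
                    end = line.find(b"]", len(marker))  # assumed closing bracket
                    if end != -1:
                        apps.add(line[len(marker):end].decode("latin-1", "replace"))
        except OSError:
            continue
        if count:
            hits[str(path)] = {"marker_lines": count, "applications": sorted(apps)}
    return hits


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed directory: one fake log, one innocent text file, one binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "windows" / "system").mkdir(parents=True)
        # Constructed log content in the shape the page describes, not a real capture.
        (root / "windows" / "system" / "log.txt").write_bytes(
            b"->[Netscape]\r\nmy secret password\r\n"
            b"->[Microsoft Outlook]\r\nhello boss\r\n"
            b"->[Netscape]\r\nanother line\r\n"
        )
        (root / "readme.txt").write_bytes(b"Nothing to see here.\r\n")
        (root / "windows" / "notepad.exe").write_bytes(b"MZ\x90\x00" * 100)
        found = find_keylogs(root)
        return {Path(p).name: info for p, info in found.items()}


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

Run it against the whole drive (for example find_keylogs("C:\\")) right after the Run* entries have been removed and the machine rebooted, so the server is no longer appending to the file while you search. Anything it finds should be treated as a list of every password typed on the machine since the infection.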
Registry Examination
You
can use a tool such as StartupCop
to help in this process.
Currently,
almost all the RCTH programs use the registry to autostart
during boot. To examine the registry, use the 'regedit' tool.
You must be careful while editing the registry as it is used
to control the internal operations of your computer.
Accidentally deleting or modifying entries may result in an
inoperative machine.
Step 1: Start -> Run
Step 2: Type 'regedit'. Click OK. You are now running the Microsoft
Registry Editor.
[Figure: regedit when it starts]
Step 3: There is an explorer-like operator interface on the left
hand side of the screen. You will traverse down through the tree.
Click the following selections in order:
HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows -> CurrentVersion
Now
you'll check each of the keys beginning with "Run",
sequentially examining them as described below. For the
"Quick Check", Run and RunServices are the default
locations for the most popular programs.
In
each of the Run* entries, files that are on the right side of
the screen are started when you start your computer. If
patch.exe or " .exe" (space dot exe) are listed in
the "data" column, make note of the path name if it
exists, right-click on the associated item in the
"name" column, and select "delete". These
are the default names of the Netbus and Back Orifice RCTH
programs respectively. They are typically located in the
\windows or \windows\system directory. Deleting the entry will
prevent the program from starting when you reboot so you can
delete the associated file. In the example below, the
Netbus RCTH program is indicated by the presence of the patch.exe
entry.
The patch.exe and " .exe" names are the default file names for old
versions of Netbus and Back Orifice and can be changed. You should
verify that each entry in the Run* keys belongs there in case the
default name was changed or you have an RCTH other than Back Orifice
or Netbus. Do this for all the entries in each of the keys beginning
with "Run" (i.e. Run, RunOnce, RunServices, etc.). A cautious system
administrator of a critical or multi-operator machine would probably
fingerprint these files and check them periodically as part of
normal system monitoring to assure they're the original files.
You
can use the Start -> Find -> Files or Folders utility if
you have problems locating the files specified in the
registry. After you delete the file, be sure to empty the
Recycle Bin.
Note that the default filename used by Back Orifice is " .exe"
(space dot exe). Explorer's default configuration is to show file
names without their extensions. In this mode, you will not see
anything except a blank space in a file list. In addition, the
program has no icon, so it will not show up in Explorer's icon view
except as a blank space. Other RCTH programs may be similarly hidden.
[Figure: Regedit on a machine infected with Netbus]
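Clicking through the Run* keys one value at a time is error prone, and a blank-looking " .exe" is easy to miss on screen. An alternative is to export the CurrentVersion key to a text file and read that instead. The following is an added example written for this page, not code from the original article or from PMC. It assumes the key was exported with regedit (File -> Export, or regedit /e run.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion") and that the .reg file was copied to a machine you trust. SAMPLE_EXPORT is a constructed export, not one taken from a real infected machine; the two default names it flags are the ones this page gives for Netbus and Back Orifice.

```python
r"""List and flag autostart entries in a regedit export of CurrentVersion.

Added example, not from the original page or from PMC. It assumes the
CurrentVersion key was exported with regedit, e.g.
  regedit /e run.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
SAMPLE_EXPORT below is constructed, not a real export.
"""
import re
from typing import Dict, List

CURRENT_VERSION = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
# Default server file names named on this page: Netbus and Back Orifice respectively.
DEFAULT_RCTH_NAMES = {"patch.exe", " .exe"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(text: str) -> str:
    """Undo .reg string escaping: doubled backslashes and escaped quotes."""
    return re.sub(r"\\(.)", r"\1", text)


def executable_name(command: str) -> str:
    """Basename of the program a Run* command line starts.

    Handles quoted paths with arguments, unquoted paths with arguments, and
    the Back Orifice ' .exe' name, whose basename begins with a space.
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        match = re.search(r"\.exe\b", cmd, re.IGNORECASE)
        path = cmd[: match.end()] if match else (cmd.split()[0] if cmd else "")
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_run_entries(reg_text: str) -> List[Dict[str, object]]:
    r"""One record per value under CurrentVersion\Run, RunOnce, RunServices, ...

    Every entry is returned, because the page's advice is to verify each one;
    'known_rcth_default' marks the two default names so they stand out.
    Non-string data (hex:, dword:) is kept raw; its continuation lines are skipped.
    """
    entries: List[Dict[str, object]] = []
    key = None
    run_prefix = CURRENT_VERSION.lower() + "\\run"
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            continue
        if key is None or not key.lower().startswith(run_prefix):
            continue
        value = _VALUE_RE.match(line)
        if not value:
            continue  # blank lines and hex continuation lines
        name = "(Default)" if value.group(1) == "@" else _unescape(value.group(1)[1:-1])
        data = value.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        exe = executable_name(data)
        entries.append({"key": key, "name": name, "command": data, "exe": exe,
                        "known_rcth_default": exe.lower() in DEFAULT_RCTH_NAMES})
    return entries


# Constructed export: two normal Windows 98 entries, then both default RCTH names.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"patch"="C:\\WINDOWS\\patch.exe"
" .exe"="C:\\WINDOWS\\SYSTEM\\ .exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="Not a startup entry"
'''


if __name__ == "__main__":
    for entry in parse_run_entries(SAMPLE_EXPORT):
        subkey = str(entry["key"]).rsplit("\\", 1)[-1]
        flag = "  <-- default RCTH name" if entry["known_rcth_default"] else ""
        print(f"{subkey:12s} {entry['name']!r:16s} {entry['command']}{flag}")
```

The flag only catches the two default names; every other row still has to be matched against something you installed, exactly as the page says. Quoting the name with !r in the report makes a leading space visible, which is the whole trick behind the " .exe" name.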
Virtual Port Examination
We
will use the DOS utility netstat to check for open
ports. If you're using Windows NT4 or Windows 98 you can
proceed to the checks below. Unfortunately, the original TCP
stack that comes with Windows 95
doesn't produce accurate reports. It will tell you your
computer isn't vulnerable when it actually is. To fix this
problem, upgrade your Windows 95 TCP/IP stack by downloading
and running the Microsoft
Winsock2 patch before performing the rest of this
procedure. This has been a rather simple and painless upgrade
for everyone I've talked to. It may also increase your network
performance and reliability.
The
Microsoft
Dial-up patch 1.3 also installs winsock2 but it is more
complicated to install.
If
you have access to Winternals
TCPViewPro, use that instead. It has the advantage of
telling you what program is talking on each port...something
netstat doesn't do in the Windows world. Foundstone
released a similar tool called FPort
that is free.
1. Open an MS-DOS window.
2. Close all other programs.
3. Type netstat -an
[Figure: typical netstat display]
4.
Examine the second column after the colon. In the listing
above, the item of interest in the first line is
"80" and in the second line is "135".
These are the virtual port numbers by which programs
communicate with the outside world. Other computers which want
to communicate with your machine must use your IP address plus
one of these virtual ports to form the equivalent of a
telephone number to find you. In the example above, a personal
web server is listening on port 80.
5. If you see the numbers '12345' or '31337', you almost definitely
have one of the programs installed (Netbus and Back Orifice
respectively). The Netbus port is active below.
[Figure: netstat display on a machine infected with Netbus]
6. The list above has many additional ports open, which makes it
confusing. Most of these ports were caused by having a web browser
and email client open. To decrease the number of ports you need to
examine, it's best to run netstat right after a reboot and before
any other applications are started. Many Windows 95/98 machines will
only have ports 137, 138, and 139 active for Microsoft file sharing
use. If you don't use Microsoft file sharing, turn it off in the
network control panel so you don't have those ports open. You can
also delete the NetBIOS protocol in the same place. Otherwise, you
have to ensure that all open ports are supposed to be open, which
requires a familiarity with network protocols and services.
Generally, you'll find that these ports are opened by programs that
are automatically started in the registry. So the process of
validating registry entries is related to the process of validating
ports. Sometimes it just boils down to removing registry entries
(after copying the information for restoration if needed) and seeing
what breaks and what ports no longer open. It's a tedious process.
One
helpful hint. If you telnet to a port on which Netbus is
listening, it will answer "Netbus v1.x" depending
upon the version.
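Steps 4 through 6 above can be scripted so that the noise of a full netstat listing is reduced to the few lines that need a decision. The following is an added example written for this page, not code from the original article or from PMC. The two default ports are the ones this page gives (Netbus 12345, Back Orifice 31337). EXPECTED_PORTS is an assumption about a plain Windows machine with file sharing on and must be edited to match what you actually run, and SAMPLE_NETSTAT is constructed in the shape of Windows netstat -an output, not a real capture.

```python
"""Pick the listening ports out of 'netstat -an' output and sort them into
expected, known RCTH defaults, and 'go and verify'.

Added example, not from the original page or from PMC. The default ports
come from this page (Netbus 12345, Back Orifice 31337). EXPECTED_PORTS is
an assumption about a plain Windows machine and must be adjusted to what
you actually run; SAMPLE_NETSTAT is constructed output, not a real capture.
"""
from typing import Dict, List, Tuple

Listener = Tuple[str, str, int]  # (protocol, local address, port)

KNOWN_RCTH_PORTS: Dict[int, str] = {12345: "Netbus default", 31337: "Back Orifice default"}
EXPECTED_PORTS: Dict[int, str] = {  # assumed allow list; edit for your machine
    80: "web server",
    25: "mail server",
    135: "Windows RPC endpoint mapper",
    137: "NetBIOS name service (Microsoft file sharing)",
    138: "NetBIOS datagram (Microsoft file sharing)",
    139: "NetBIOS session (Microsoft file sharing)",
}


def parse_netstat(text: str) -> List[Listener]:
    """Return every socket that is waiting for connections.

    TCP lines count only in the LISTENING state (an ESTABLISHED line is your
    browser talking out, not a server). UDP has no state column, so every UDP
    socket is reported. Header lines and anything else are ignored.
    """
    listeners: List[Listener] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        proto, local = parts[0].upper(), parts[1]
        state = parts[3].upper() if len(parts) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        listeners.append((proto, addr, int(port)))
    return listeners


def classify(listeners: List[Listener]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Bucket listeners: 'rcth_default' means almost certainly infected,
    'expected' is on the allow list, 'verify' needs FPort/TCPView to name the owner."""
    report: Dict[str, List[Tuple[str, int, str]]] = {"rcth_default": [], "expected": [], "verify": []}
    for proto, _addr, port in listeners:
        if port in KNOWN_RCTH_PORTS:
            report["rcth_default"].append((proto, port, KNOWN_RCTH_PORTS[port]))
        elif port in EXPECTED_PORTS:
            report["expected"].append((proto, port, EXPECTED_PORTS[port]))
        else:
            report["verify"].append((proto, port, "not on the expected list; find the owning program"))
    return report


# Constructed in the shape of Windows 'netstat -an' output (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1029       192.0.2.10:80          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""


def demo() -> Dict[str, List[Tuple[str, int, str]]]:
    return classify(parse_netstat(SAMPLE_NETSTAT))


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket)
        for proto, port, note in items:
            print(f"  {proto} {port:<6d} {note}")
```

Run it on output captured right after a reboot, as step 6 advises, and feed it `netstat -an > ports.txt` from the infected machine rather than running Python there. An empty 'rcth_default' bucket proves nothing, since the interloper can change the port; it is the 'verify' bucket that still has to be worked through with FPort or TCPView.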
Resources for default port assignments:
Norton Anti-Virus Procedures
A Norton or Dr. Solomon manual scan WILL NOT stop a running trojan
or remove the associated file even if it says it deleted the file.
The trojan will continue to run and you'll continue to be exposed.
If the File System Real-Time protection feature is enabled, which it
will be if you follow the default installation instructions below,
the trojan should be detected and deleted during a reboot.
Conclusion
I
do not want to be an alarmist but it is evident that there
will soon be some very sophisticated ways to hide this type of
programs. If you value your privacy, your computer data, and
your reputation, it is imperative to refuse to run unknown
executable programs.
It
is unfortunate that the publishing of these easily used and
abused programs has made our computing environment less
friendly to sharing and open communication. However, if the
programs hadn't been publicized, sneakier people could have
used similar tactics without warning.
In
one swoop, a very dark cloud has been thrown over free
exchange of software over the Internet. This is NOT a
Microsoft specific problem. Almost every existing operating
system allows the sort of features that make RCTH programs
possible. Operators run programs. Programs open sockets.
Programs capture keystrokes. Operating systems provide
mechanisms to automatically start programs.
The
vulnerability that exists is that we (industry wide) use
computers that don't have many internal controls. They let us
do what we want. Without internal controls, it is up to us to
control them. If we don't control them, we'll either have
increasingly serious security breaches or the computer
industry will go back to locked down mainframe type processing
to force automatic controls. I suspect this latest threat will
hasten the use of "certified applications",
increased access controls to both organizational data and the
Internet, locked down desktop configurations, the "Network
Computer/Browser/Application Server" architectures, and an increased
level of caution associated with our computing environment.
To sum it up, that is why PMC is here to help stop these problems!