
Trojan

Trojans are designed to allow a hacker remote access to a target computer system. Any type of code or program that is used for unauthorized remote access to your computer is known as a Trojan.
Content

1. Introduction
2. What is a Trojan
3. History of Trojan
4. Attacker’s Motive
5. Types of Trojans
6. Working of Trojans
7. Where Trojans live (locations)
8. Mode of Attacking
9. Mode of Transmission
10. Type of Connections
11. Some Known Trojans
12. Handling Victim via Trojan
13. Detection and Removal of a Trojan
14. Countermeasures against Trojans
History of Trojan…
The history introduction covers:

• The Greek myth that inspired the graphic novel.
• How the Trojan War begins in Greek mythology.
• The Trojan horse story.
• What happened after the Trojan War.
Greek Myth…

In Greek mythology, the Trojan War was waged against the city of Troy by the Achaeans (Greeks) after Paris of Troy took Helen from her husband Menelaus, the king of Sparta. The war is among the most important events in Greek mythology and was narrated in many works of Greek literature, including the Iliad and the Odyssey by Homer.

The Iliad relates a part of the last year of the siege of Troy, while the Odyssey describes the journey home of Odysseus, one of the Achaean leaders. Other parts of the war were told in a cycle of epic poems, which has only survived in fragments. Episodes from the war provided material for Greek tragedy and other works of Greek literature, and for Roman poets like Virgil and Ovid.
The Trojan War…

• The first nine years of the war consisted of both war in Troy and war against the neighboring regions. The Greeks realized that Troy was being supplied by its neighboring kingdoms, so Greeks were sent to defeat these areas.

• As well as destroying the Trojan economy, these battles let the Greeks gather a large amount of resources and other spoils of war, including women.

• The Greeks won many important battles and the Trojan hero Hector fell, as did the Trojan ally Penthesilea. However, the Greeks could not break down the walls of Troy.

• Patroclus was killed and, soon after, Achilles was felled by Paris.
The Trojan Horse…

• Still seeking to gain entrance into Troy, clever Odysseus (some say with the aid of Athena) ordered a large wooden horse to be built. Its insides were to be hollow so that soldiers could hide within it.

• Once the statue had been built by the artist Epeius, a number of the Greek warriors, along with Odysseus, climbed inside. The rest of the Greek fleet sailed away, so as to deceive the Trojans.

• A Greek, Sinon, reassured the Trojans that the wooden horse was safe and would bring luck to the Trojans.

• That night, after most of Troy was asleep or in a drunken stupor, Sinon let the Greek warriors out from the horse, and they slaughtered the Trojans. Priam was killed as he huddled by Zeus' altar and Cassandra was pulled from the statue of Athena.
After the Trojan War…

• After the war, Polyxena, daughter of Priam, was sacrificed at the tomb of Achilles, and Astyanax, son of Hector, was also sacrificed, signifying the end of the war.

• The surviving Trojan women were divided among the Greek men along with the other plunder. The Greeks then set sail for home, which, for some, proved as difficult and took as much time as the Trojan War itself (e.g., Odysseus and Menelaus).
What is a Trojan…

• Named after the Trojan Horse of ancient Greek history, a Trojan is a network software application designed to remain hidden on the computer it is installed on. Trojans generally serve malicious purposes and are therefore a form of malware, like viruses.

Trojan horses are designed to allow a hacker remote access to a target computer system. Once a Trojan horse has been installed on a target computer system, it is possible for a hacker to access it remotely and perform various operations. The operations that a hacker can perform are limited by the user privileges on the target computer system and by the design of the Trojan horse.

Trojans sometimes, for example, access personal information stored locally on home or business computers, then send these data to a remote party via the Internet. Alternatively, Trojans may serve merely as a "backdoor" application, opening network ports to allow other network applications access to that computer. Trojans are also capable of launching Denial of Service (DoS) attacks. A combination of firewalls and antivirus software protects networks against Trojans.

In the IT world, a Trojan horse is used to enter a victim’s computer undetected, granting the attacker unrestricted access to the data stored on that computer and causing great damage to the victim. A Trojan can be a hidden program that runs on your computer without your knowledge, or it can be "wrapped" into a legitimate program, meaning that this program may have hidden functions that you are not aware of.
Attacker’s Motive

• Credit card information (often used for domain registration or shopping with your credit card)
• Any account data (e-mail passwords, dial-up passwords, web services passwords, etc.)
• E-mail addresses (might be used for spamming)
• Work projects (stealing your presentations and work-related papers)
• Children's names, pictures and ages (a pedophile attacker?!)
• School work (stealing your papers and publishing them with the attacker's name on them)
Types of Trojan…
There are several types of Trojans; each behaves differently and produces different results from the others. Depending upon the type of Trojan, an attacker can use them to stage various types of exploits.
Types of Trojan attacks…
• Erasing or overwriting data on a computer
• Spreading other malware, such as viruses. In this case the Trojan horse is called a "dropper".
• Logging keystrokes to steal information such as passwords and credit card numbers (known as a keylogger)
• Phishing for bank or other account details, which can be used for criminal activities
• Installing a backdoor on a computer system
Types of Trojans
1. Remote Administration Tool
2. File Serving Trojan
3. Distributed Denial of Service Attack Trojan
4. Keylogging Trojan
5. Password Stealing Trojan
6. System Killing Trojan
Remote Administration Tool

This type of Trojan horse gives the hacker behind the malware the possibility to gain control over the infected system. Often the remote administration Trojan horse functions without being identified. It can help the hacker perform different functions, including altering the registry, uploading or downloading files, and interrupting different types of communications between the infected computer and other machines.
File Serving Trojan
Trojan horses from this category are able to create a file server on the infected machine. Usually this server is configured as an FTP server, and with its help the intruder will be able to control network connections and upload and download various files. These Trojan horses are rather small in size, sometimes not more than 10 KB, which makes them difficult to detect.

They are often attached to e-mails or hidden in other files that users may download from the Internet. Regularly these Trojans spread with the help of funny forwarded messages that a user receives from friends. Trojan horses may also be hidden in small downloadable games.
Distributed Denial of Service Attack Trojan

A lot of computers can be tricked into installing the Distributed Denial of Service Trojan so that the hacker can gain control over one, several or all of these computers through a client that is connected with a master server. Using the primary computer within one huge zombie network of machines, hackers are able to send attacks at particular targets, including companies and websites. They simply flood the target server with traffic, thus making it impossible for ordinary users to access certain websites or systems. Often these attacks are used to stop the activity of famous brands that could meet different financial demands.
Keylogging Trojan Horse

These Trojan horses make use of spyware with the goal of recording every step of the user's activity on the computer. They are called keylogging because they transmit to the hacker, via e-mail, the information about logged and recorded keystrokes. Hackers use this type of malware for their financial benefit (through card fraud or identity theft). Some individuals or companies can offer a great reward for valuable information.
Password Stealing Trojan

The name speaks for itself: Trojans from this category are used to steal passwords. The Trojan transmits information about passwords to the hacker through e-mail. Just like keylogging Trojans, this malware is used mainly for the hacker's financial benefit (a lot of people use passwords to access their bank accounts or credit cards).
System Killing Trojan

These Trojans are meant to destroy everything in the system, starting with drive Z and ending with drive A. One of the recent Trojan horses of this type is called Trojan.Killfiles.904. The reasons for creating such Trojans are unknown, but the results could be catastrophic.
Working of Trojan

Trojans work similarly to the client-server model. Trojans come in two parts, a Client part and a Server part. The attacker deploys the Client to connect to the Server, which runs on the remote machine once the remote user (unknowingly) executes the Trojan on that machine. The typical protocol used by most Trojans is TCP/IP, but some functions of the Trojans may make use of the UDP protocol as well.

When the Server is activated on the remote computer, it will usually try to remain in a stealth mode, or hidden on the computer. This is configurable: for example, in the Back Orifice Trojan the server can be configured to remain in stealth mode and hide its process. Once activated, the server starts listening on default or configured ports for incoming connections from the attacker. It is usual for Trojans to also modify the registry and/or use some other auto-starting method.

To make use of a Trojan, attackers need to ascertain the remote IP address to connect to the machine. Many Trojans have configurable features like mailing the victim's IP, as well as messaging the attacker via ICQ or IRC. This is relevant when the remote machine is on a network with dynamically assigned IP addresses or when the remote machine uses a dial-up connection to connect to the Internet. DSL users, on the other hand, have static IPs, so the infected IP is always known to the attacker.

Most of the Trojans use auto-starting methods so that the servers are restarted every time the remote machine reboots or starts. This is also notified to the attacker. As these features are being countered, new auto-starting methods are evolving. The start-up method ranges from associating the Trojan with some common executable files such as explorer.exe to the known methods like modifying the system files or the Windows Registry. Some of the popular locations targeted by Trojans are the Autostart folder, Win.ini, System.ini, Wininit.ini, Winstart.bat, Autoexec.bat and Config.sys; any of these can be used as an auto-starting method for Trojans.
Where Trojans live (locations)…

• Autostart folder
The Autostart folder is located in C:\Windows\Start Menu\Programs\Startup and, as its name suggests, automatically starts everything placed there.

• Win.ini
Windows system file; a Trojan uses load=Trojan.exe or run=Trojan.exe in it to get executed.

• System.ini
Using Shell=Explorer.exe trojan.exe results in the execution of every file listed after Explorer.exe.

• Wininit.ini
Mostly used by setup programs; once run, it is auto-deleted, which is very handy for Trojans wanting to restart.
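The Python script below is an added example, not code from the original slides: it audits the four auto-start locations listed above (Win.ini load=/run=, System.ini Shell=, Wininit.ini [rename] entries and the Startup folder) against sample contents built inline, and reports every entry a clean system would not have. All INI lines, paths and file names in it are constructed assumptions.

```python
"""Audit classic Windows auto-start locations for unexpected entries.
Added example (not from the original slides); all INI contents, paths and
file names below are constructed samples, so the script runs offline."""

# Constructed Win.ini: load=/run= are the auto-start hooks the slides describe.
WIN_INI = """[windows]
load=C:\\WINDOWS\\SYSTEM\\svchost32.exe
run=
"""
# Constructed System.ini: Shell= should name Explorer.exe and nothing else.
SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\patch.exe
"""
# Constructed Wininit.ini: [rename] lines are destination=source, executed
# once at boot, after which the file deletes itself (handy for a Trojan).
WININIT_INI = """[rename]
C:\\WINDOWS\\SYSTEM\\krnl.dll=C:\\WINDOWS\\TEMP\\~tmp1.tmp
NUL=C:\\WINDOWS\\TEMP\\setup.exe
"""
# Constructed directory listing of the Startup folder.
STARTUP_FOLDER = ["desktop.ini", "Office Startup.lnk", "SysEdit.exe"]

def parse_ini(text):
    """Return {section: {key: value}}; section names are lower-cased."""
    data, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            data[section] = {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            data[section][key.strip()] = value.strip()
    return data

low = lambda d: {k.lower(): v for k, v in d.items()}   # INI keys are case-insensitive

def audit_autostart(win_ini, system_ini, wininit_ini, startup_files):
    """Return (location, value) pairs that a defender should review."""
    findings = []
    win = low(parse_ini(win_ini).get("windows", {}))
    for key in ("load", "run"):      # both are empty on a clean system
        if win.get(key):
            findings.append((f"win.ini {key}=", win[key]))
    shell = low(parse_ini(system_ini).get("boot", {})).get("shell", "")
    # Anything after Explorer.exe is started too (sample paths contain no spaces).
    extra = [tok for tok in shell.split() if tok.lower() != "explorer.exe"]
    if extra:
        findings.append(("system.ini shell=", " ".join(extra)))
    for dst, src in parse_ini(wininit_ini).get("rename", {}).items():
        if dst.upper() != "NUL":     # NUL=<file> only deletes; a real rename drops a file
            findings.append(("wininit.ini rename", f"{src} -> {dst}"))
    for name in startup_files:       # everything here starts, so list all but desktop.ini
        if name.lower() != "desktop.ini":
            findings.append(("startup folder", name))
    return findings

if __name__ == "__main__":
    for where, what in audit_autostart(WIN_INI, SYSTEM_INI, WININIT_INI, STARTUP_FOLDER):
        print(f"{where:20} {what}")
```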
Trojan Method of Attacking…
A Trojan may infect a system through various attack vectors. A Trojan employs an attack vector to install its payload on the target’s computer systems. The most common attack vectors are:

• E-mails & attachments
• Deception & social engineering
• Website bugs & downloads
• Physical access (pen drive)
• Fake executables
How can you be infected…

Website bugs & downloads: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even when using a more secure web browser, such as Mozilla's Firefox, if Java is enabled your computer has the potential of receiving a Trojan horse.

Instant messaging: Many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such as AOL's instant messenger.

E-mails & attachments: Attachments on e-mail messages may contain Trojans; Trojan horses also arrive via SMTP.
Type of connections in Trojan…

1. Direct connection: A direct-connect RAT is a simple set-up where the client connects to a single server or to multiple servers directly. Stable servers are multi-threaded, allowing multiple clients to be connected, along with increased reliability.

2. Reverse connection: A newer technique that came around about the same time that routers became popular. Advantages of a reverse connection:

a) No problems with routers blocking incoming data, because the connection is started outgoing from the server.

b) Allows for mass-updating of servers by broadcasting commands, because many servers can easily connect to a single client.
Some Known Trojans…

On Windows computers, many tools are commonly used by intruders to gain remote access to your computer, such as:

• Beast
• Back Orifice
• Netbus
• Donald Dick
• Sub Seven (helps to hack other PCs)
… Trojan Beast
Beast is a Windows-based backdoor Trojan horse, more commonly known in the underground cracker community as a RAT (Remote Administration Tool). It is capable of infecting almost all Windows versions, i.e. 95 through XP.

Written in Delphi and first released by its author Tataye in 2002, it became quite popular due to its unique features. It used the typical client/server mechanism, where the client would be operated by the attacker and the server is what would infect the victim.

Using the "reverse connection" there was no need for the attacker to know the target IP; instead the server itself connected to a predefined DNS name, which was redirected to the attacker's IP. For its DLLs, it used the "injection method", i.e. they were injected into a specified process, commonly explorer.exe (Windows Explorer), iexplore.exe (Internet Explorer) or msnmsgr.exe (MSN Messenger). Due to this, the DLLs were automatically loaded into memory once these processes were executed.

Beast was one of the first Trojans to feature a "reverse connection" to its victims, and once established, it gave the attacker complete control over the infected computer.
Back Orifice Trojan…
Back Orifice (often shortened to BO) is a controversial computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Microsoft's BackOffice Server software.

Although Back Orifice has legitimate purposes, such as remote administration, there are other factors that make it suited for less benign business. The server can hide itself from cursory looks by users of the system. As the server can be installed without user interaction, it can be distributed as the payload of a Trojan horse.
Netbus Trojan…
Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a backdoor.

There are two components to the client–server architecture. The server must be installed and run on the computer that should be remotely controlled. It was a .exe file with a file size of almost 500 KB. The name and icon varied a lot from version to version. Common names were "Patch.exe" and "SysEdit.exe". When started for the first time, the server would install itself on the host computer, including modifying the Windows registry so that it starts automatically on each system startup.

The client was a separate program presenting a graphical user interface that allowed the user to perform a number of activities on the remote computer.
Donald Dick Trojan…
It is also known as Backdoor.DonaldDick.153, Trojan.PSW.EPS.dr and Trojan.PSW.Ring0.a.

This is a Windows 9x Internet backdoor Trojan. When running, it gives full access to the system over the Internet to anyone running the appropriate client software.

The attacker can:
• Read/write/delete/run any file on the computer
• Record keystrokes
• Get information about the system
• Open/close the CD-ROM tray
• And many other things
Sub Seven Trojan…

Sub7, or Sub Seven, is the name of a popular Trojan or backdoor program. It is mainly used by script kiddies for causing mischief, such as hiding the computer cursor, changing system settings or loading up pornographic websites. However, it can also be used for more serious criminal applications, such as stealing credit card details with a keystroke logger.

These backdoor or remote administration programs, once installed, allow other people to access and control your computer. Sub Seven gives the attacker remote control of the PC.
Ways of Detecting/Removing a Trojan…
1. Using anti-Trojan software
2. Manual detection
3. TCP Viewer
4. Process Viewer
5. Process Explorer
Using Anti-Trojan Software…
Antivirus software is designed to detect and delete Trojan horses, as well as to prevent them from ever being installed. Although it is possible to remove a Trojan horse manually, it requires a full understanding of how that particular Trojan horse operates. In addition, if a Trojan horse has possibly been used by a hacker to access a computer system, it will be difficult to know what damage has been done and what other problems have been introduced.
Manual Detection of Trojans

Though manual removal/detection of Trojans is difficult, it is the best way to remove Trojans completely from the computer. With practice, it becomes easy to manually detect/remove Trojans.
TCP Viewer

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and the state of TCP connections. On Windows NT, 2000 and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.
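The two behaviours described under "Working of Trojan" and "Type of connections", a server listening on a configured port for the attacker's client and a server that itself dials out to the attacker (reverse connection), are exactly what a TCPView or netstat -ano listing exposes. The Python script below is an added example, not code from the slides or from TCPView: it applies both checks to a constructed netstat -ano sample and a constructed PID-to-process map; the expected-listener and common-port sets are assumptions for a sample workstation.

```python
"""Triage TCPView/netstat-style endpoint listings for Trojan-like behaviour.
Added example (not from the original slides). Every netstat row, PID and
process name below is a constructed sample; the allowlists are assumptions
for a sample workstation and must be tuned per environment."""
import re

# Constructed sample of `netstat -ano` output (Windows column layout).
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       1640
  TCP    192.168.1.20:1052      203.0.113.7:443        ESTABLISHED     2210
  TCP    192.168.1.20:1061      198.51.100.9:6711      ESTABLISHED     1640
  UDP    0.0.0.0:5555           *:*                                    1640
"""
# Constructed PID -> image name map, as `tasklist` would report it.
PROCESS_BY_PID = {4: "System", 892: "svchost.exe", 1640: "Patch.exe", 2210: "firefox.exe"}

# Processes expected to own listening sockets on this (sample) workstation.
EXPECTED_LISTENERS = {"System", "svchost.exe", "lsass.exe"}
# Remote ports where outbound client connections are routine.
COMMON_REMOTE_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 993, 995}

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) per endpoint row.
    UDP rows carry no State column, so state is None for them."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            yield proto, local, remote, state, int(pid)

def port_of(addr):
    """Extract the port from 'host:port' (handles 0.0.0.0:135, [::]:135 and *:*)."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def triage(netstat_text, process_by_pid):
    """Return findings as (kind, process, pid, detail) tuples."""
    findings = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        name = process_by_pid.get(pid, f"<pid {pid} not found>")
        listening = state == "LISTENING" or (proto == "UDP" and state is None)
        if listening and name not in EXPECTED_LISTENERS:
            # Direct-connection pattern: an unexpected process waits for a client.
            findings.append(("listener", name, pid, f"{proto} {port_of(local)}"))
        elif state == "ESTABLISHED" and port_of(remote) not in COMMON_REMOTE_PORTS:
            # Reverse-connection pattern: the host dials out to an unusual port,
            # which gets through routers/NAT that would block an inbound connection.
            findings.append(("outbound", name, pid, f"{proto} {remote}"))
    return findings

if __name__ == "__main__":
    for kind, name, pid, detail in triage(NETSTAT_OUTPUT, PROCESS_BY_PID):
        print(f"{kind:9} pid={pid:<5} {name:14} {detail}")
```

Against a live host the same function would be fed the real `netstat -ano` text and a PID map from `tasklist`; the point of the sample is that one process (here the constructed Patch.exe) shows up under both patterns.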
Process Viewer

PrcView is a free GUI-based process viewer utility that displays detailed information about processes running under Windows. For each process it displays memory, thread and module usage. For each DLL, it shows the full path and version information.

PrcView comes with a command-line version that allows you to write scripts to check whether a process is running and stop it, if necessary.
Process Explorer
Process Explorer is a system monitoring and examination utility. It provides the functionality of Windows Task Manager along with a rich set of features for collecting information about processes running on the user's system. It can be used as the first step in debugging software or system problems.

Process Explorer can be used to track down problems. For example, it provides a means to list or search for named resources that are held by a process or by all processes. This can be used to track down what is holding a file open and preventing its use by another program.

As another example, it can show the command lines used to start a program, allowing otherwise identical processes to be distinguished. Or, like Task Manager, it can show a process that is maxing out the CPU, but unlike Task Manager it can show which thread (with the call stack) is using the CPU, information that is not even available under a debugger.
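Process Viewer's per-DLL paths and Process Explorer's image paths and command lines support two checks that the Beast slides motivate: a DLL injected into explorer.exe from an unusual directory, and a system binary's name run from the wrong location. The Python script below is an added example, not code from the slides or from either tool; its process records, directory layout and trusted-directory list are constructed assumptions.

```python
"""Spot masquerading processes and injected modules in a process listing.
Added example (not from the original slides). The process records, the
trusted directories and the system-binary locations are constructed
assumptions for a sample Windows install."""
from pathlib import PureWindowsPath

WINDIR = PureWindowsPath(r"C:\WINDOWS")
# Directories from which modules normally load (sample system layout).
TRUSTED_DIRS = [WINDIR, PureWindowsPath(r"C:\Program Files")]
# Where each system binary lives on a normal system; anywhere else is suspect.
SYSTEM_BINARIES = {"explorer.exe": WINDIR, "svchost.exe": WINDIR / "system32",
                   "lsass.exe": WINDIR / "system32"}

# Constructed listing: (pid, image path, command line, loaded modules).
PROCESSES = [
    (1044, r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\Explorer.EXE",
     [r"C:\WINDOWS\system32\ntdll.dll", r"C:\WINDOWS\system32\shell32.dll",
      r"C:\Documents and Settings\user\Local Settings\Temp\beastdll.dll"]),
    (1640, r"C:\Documents and Settings\user\Patch.exe", "Patch.exe /s",
     [r"C:\WINDOWS\system32\ntdll.dll"]),
    (2210, r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe",
     [r"C:\WINDOWS\system32\ntdll.dll", r"C:\Program Files\Mozilla Firefox\xul.dll"]),
    (2388, r"C:\WINDOWS\TEMP\explorer.exe", "explorer.exe -srv",
     [r"C:\WINDOWS\system32\ntdll.dll"]),
]

def is_under(path, directory):
    """True if path lies in directory; PureWindowsPath compares case-insensitively."""
    p, d = PureWindowsPath(path), PureWindowsPath(directory)
    return p == d or d in p.parents

def audit_processes(processes):
    """Return (kind, pid, detail) findings for masquerading and untrusted modules."""
    findings = []
    for pid, image, _cmdline, modules in processes:
        image_path = PureWindowsPath(image)
        name = image_path.name.lower()
        expected_dir = SYSTEM_BINARIES.get(name)
        if expected_dir is not None and image_path.parent != expected_dir:
            findings.append(("masquerade", pid, f"{name} running from {image_path.parent}"))
        for mod in modules:   # a DLL injected into explorer.exe shows up here
            if not any(is_under(mod, d) for d in TRUSTED_DIRS):
                findings.append(("untrusted module", pid, f"{name} loaded {mod}"))
    return findings

def duplicates_by_name(processes):
    """Group same-named processes; the command line is what tells them apart."""
    groups = {}
    for pid, image, cmdline, _ in processes:
        groups.setdefault(PureWindowsPath(image).name.lower(), []).append((pid, image, cmdline))
    return {name: grp for name, grp in groups.items() if len(grp) > 1}

if __name__ == "__main__":
    for kind, pid, detail in audit_processes(PROCESSES):
        print(f"{kind:16} pid={pid:<5} {detail}")
    for name, grp in duplicates_by_name(PROCESSES).items():
        print(name + ": " + "; ".join(f"{p} {img} [{cmd}]" for p, img, cmd in grp))
```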
..Countermeasures against Trojans

1. Always use Process Explorer to detect or remove a Trojan on your computer.
2. Use an updated antivirus to detect Trojans.
3. Do not open unwanted .exe files.
4. Do not click on unwanted links in e-mails.
5. Always try to disable the pen drive auto-run functionality on your computer.
6. Never allow unknown users to use your computer.