Trojans

Daniel BartschCPSC 420

April 19,2007

What is a Trojan? Trojans are malware Named after

Odysseus’s mythical trick

Embedded in a program

Cause a variety of undesired effects

Not simple to define!

©2007 Steve Smith and World of Stock

http://images.worldofstock.com/slides/BTE1174.jpg

Why are Trojans Hard to Define?

Definition creep! Should only refer only to infected

file Term expanded to refer to effects

file has as well Trickery used to prevent program

removal commonly classified as trojan

A Trojan is Not A Virus

Confusion caused by virus scanners Viruses infect other files The goals are different Viruses do not rely on tricking the

user Viruses do require action from the

user

A Trojan is Not a Worm

Worms do not require action from the user

Worms exploit security flaws Worms spread themselves Worms typically make multiple

copies of themselves

What are Some Properties of Trojans?

Use trickery in some form Do not typically spread themselves File they are attached to has to be

put into use at least once Have means to continue running Can be added to virtually anything

What Kinds of Trickery do Trojans Use? Highly desirable files

Exclusive Rare Free Codec Packs Bootlegs

New files No CD cracks Key Generators

What Kinds of Trickery do Trojans Use?

Disguises Fake error messages Lies from the sender Rootkits Encryption Vague process names

What Kinds of Things are Trojans Used for?

Pranks Make some zombies

Denial of service attacks Proxies Servers Spam

Mess with data

What Kinds of Things are Trojans Used for?

Disabling security software - the blended threat

Spying Key logging Drive Access Spyware and Adware Backdoors

What Kinds of Things are Trojans Used for?

Remote Administration

What are Some Common Trojans?

BO2K NetBus SubSeven SpySheriff

BO2K Free program

marketed as a RAT Reputation caused

classification Windows 2000,

NT, XP Actively

Developed Continuation of

Back Orifice

Some Features of BO2K

Key logging Registry Editing Remote upgrade and installation Connection redirection Audio and video capture Remote Reboot

BO2K in Action

NetBus Intended for

pranks Famously used to

put child pornography on Magnus Ericson’s computer

SubSeven Allows attacker to

lock out other attackers

Early versions included a master password

Optix Pro

Fully customizable Can disable security No longer in development

Optix Pro Configuration

Optix Pro Configuration

Optix Pro Configuration

Optix Pro Configuration

SpySheriff

Not a Remote Administration Trojan Masquerades as a spyware scanner Blocks connections, Disables internet

connections, prevents system restores

Can reinstall itself and give itself administrative rights

SpySheriff

One Famous Use of a Trojan

US learned of a Soviet plot to steal turbine control software

Leaked software with a trojan Software used in Trans-Siberian

gas pipeline Caused one of the largest non-

nuclear explosions and fires ever

Dealing with Trojans

Research required to remove any Trojan that a virus scanner can’t remove by itself

Preventative measures are best Multiple firewalls Disconnect computers from

networks if use of a RAT is suspected

Sources http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp http://www.webopedia.com/TERM/T/Trojan_horse.html http://cpsc420.cs.clemson.edu/material/Malware/Trojan%20Horses.jnt – authentication

required http://computer.howstuffworks.com/virus.htm http://pcworld.about.com/news/Jul122005id121793.htm http://www.bleepingcomputer.com/forums/topic22402.html http://hackpr.net/~sub7/faq.shtml#CA.1 http://www.symantec.com/avcenter/warn/backorifice.html http://bo2k.sourceforge.net/docs/bo2k_pressrelease.html http://bo2k.sourceforge.net/featurelist.html http://radsoft.net/resources/rants/20041128,00.shtml http://www.windowsecurity.com/articles/Student-Teacher-Optix-Pro-Part2.html http://www.taipeitimes.com/News/editorials/archives/2004/02/04/2003097438/print http://en.wikipedia.org/wiki/Zombie_computer http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29 http://en.wikipedia.org/wiki/Pest_Trap http://en.wikipedia.org/wiki/SubSeven http://en.wikipedia.org/wiki/Back_Orifice_2000 http://en.wikipedia.org/wiki/NetBus http://en.wikipedia.org/wiki/Optix_Pro http://en.wikipedia.org/wiki/List_of_trojan_horses

Any Questions?

Trojan Rabbit from Monty Python and the Holy Grail