The Hacker's Tricks Of The Trade
Exposing The Hacker
It is our desire that by exposing these "tricks of the trade" the Internet user will be better prepared with the knowledge and tools needed to avoid being fooled by the following hacker tricks. We will use the LockDown Millennium software as a basis for defeating these tricks, because every hacker trick and every trojan type has been taken into account during the years that it took for us to develop it.
Windows Hidden File Extensions
You might not be aware of this, but even if you tell Windows to show all file extensions there are still some that are hidden by default. Also, any installed program can configure extensions to be hidden. This is why you will find a special window in the Generics program that will show you what extensions are being hidden and allow you to toggle them unhidden. The Show Extensions window in the LockDown Millennium Generics menu will automatically mark any potentially dangerous hidden extensions in red, so that you will know which ones to toggle to unhidden. Here are a couple of examples of how this works and why some hidden extensions could be a danger to some computer users. Assuming that you have already configured Windows Explorer to show all extensions:
SHS Extensions
- Make a copy of notepad.exe and put it on your desktop.
- Open Wordpad.
- Click and drag notepad.exe into the open Wordpad document.
- Click and drag it back to the desktop.
- Rename the file that it created (Scrap) to Readme.txt.
You now have what appears to be a text document icon and a clearly named readme.txt file showing on your desktop. Click on the text file and Notepad opens up. If this were a trojan, you would have been fooled and infected by what seemed to be a harmless text file. If the extension were allowed to be seen, you would not have been fooled by the file Readme.txt.shs.
PIF Extensions
Next, try renaming notepad.exe to anything.txt.pif. You will only see the file name anything.txt on your desktop. This is because PIF is another extension that Windows hides by default. If you run the file it will execute the program, because Windows also executes PIF extensions as if they were executable files.
SCR Extensions
Another extension to watch out for is SCR. Rename your copy of notepad.exe to notepad.scr and click on it. It will run Notepad as an executable file. Many people have been fooled by hackers taking over a victim's account. The hacker sends email or another type of message to all of the victim's friends saying "Check out this cool new screen saver, you will laugh your butt off!" Because the message came from a trusted source, most were fooled and ran the SCR file and then ended up with a hacker connecting to their computer. LockDown Millennium scans all SCR files for trojan infections by default.
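The three examples above all rely on the same mechanism: Explorer drops a hidden extension from the displayed name, so the name the user sees ends in a harmless-looking extension while the real one decides what runs. The following is an added example (not code from LockDown Millennium) that models that display rule and flags such names in a directory listing; .lnk in the hidden set and the extra executable types are taken from general Windows knowledge rather than from this page, and the listing is constructed.

```python
import os
from dataclasses import dataclass

# Extensions Explorer keeps hidden even when "show all extensions" is on.
# .shs and .pif are the ones discussed above; .lnk (shortcut files) is
# added from general Windows knowledge, not from this page.
HIDDEN_BY_DEFAULT = {".shs", ".pif", ".lnk"}

# Extensions that execute on double-click. .scr, .pif and .shs are named
# on this page; the others are standard Windows executable types.
EXECUTABLE = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".shs", ".lnk"}

@dataclass
class Verdict:
    actual: str       # real name on disk
    displayed: str    # what Explorer shows with the hidden extension removed
    executable: bool  # double-clicking runs code rather than opening a document
    deceptive: bool   # the visible name ends in a different (harmless) extension

def displayed_name(filename, hidden=HIDDEN_BY_DEFAULT):
    """Return the name Explorer displays: the final extension is dropped
    only when it belongs to the hidden set, so Readme.txt.shs -> Readme.txt."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in hidden else filename

def assess(filename, hidden=HIDDEN_BY_DEFAULT):
    """Classify one file name the way the Show Extensions check would."""
    shown = displayed_name(filename, hidden)
    real_ext = os.path.splitext(filename)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    executable = real_ext in EXECUTABLE
    # Deceptive only when something was hidden AND what remains still looks
    # like a typed file (anything.txt). A bare "notepad.scr" is executable
    # but not deceptive: its extension is visible.
    deceptive = executable and shown != filename and shown_ext not in ("", real_ext)
    return Verdict(filename, shown, executable, deceptive)

def scan(names):
    """Return the real names of every deceptive file in a directory listing."""
    return [n for n in names if assess(n).deceptive]

if __name__ == "__main__":
    # Constructed directory listing for the demonstration.
    listing = ["Readme.txt.shs", "anything.txt.pif", "notepad.scr",
               "notes.txt", "game.exe.lnk"]
    for v in map(assess, listing):
        print(f"{v.actual:18} shown as {v.displayed:14} "
              f"executable={v.executable} deceptive={v.deceptive}")
```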
Dangerous Commands That Can Be Embedded
PIF Shortcut Extensions
Some hidden file extensions can easily be programmed with hidden commands that could do damage to your system. Following is a simple test:
- Right click your mouse on your desktop and select New and then Shortcut.
- In the command line type: format a: /autotest
- Click Next.
- In the "Select a name for the shortcut" area type: readme.txt
- Click Next.
- Select a Notepad icon and click Finish.
You now have a file on your desktop called readme.txt with a Notepad icon. Make sure there is a disk in your drive that you do not mind being wiped and click on the icon. The file that you click on will format the disk in the A: drive. Of course, the hacker's icon would target another drive, or maybe have a name such as 'game.exe' with a command to delete your Windows directory or (deltree /y c:\*.*) your entire C drive!
If the PIF extension were not hidden, this would not be able to fool you. And if it were added to your startup folder waiting for a reboot, LockDown Millennium would warn you within seconds.
SHS Extensions
Scrap files can also hide embedded commands. Following is a simple test:
- Make a copy of notepad.exe and put it on your desktop.
- Open Wordpad.
- Click and drag notepad.exe into the open Wordpad document.
- Click on Edit and select Package Object, then select Edit Package.
- Click on Edit and then Command Line.
- Type a command in the box such as format a: /autotest and click on Ok.
- The icon can also be changed from this edit window.
- Exit from the edit window and it will update the document.
- Click and drag Notepad back to the desktop.
- Rename the file that it created (Scrap) to Readme.txt.
You now have what will look like a text file. If it is run it will format the disk in the A: drive. As seen in the example above for PIF Shortcut Extensions, the hacker could use more dangerous commands.
Trojan Startup Methods
Most people do not know the many different ways that hackers are using to start trojan files. If a hacker infects your computer with a trojan, he will need to select a startup method so that the trojan will load when you reboot your computer. Common startup methods are the registry Run keys, the Windows Startup folder, the Windows load= or run= lines found in the Win.ini file and the Shell= line found in the Windows System.ini.
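The Win.ini and System.ini startup lines named above can be checked with a few lines of parsing. The following is an added example, not LockDown Millennium code: it reads constructed sample contents of the two files (the program names in them are placeholders, not real trojan file names) and reports every load=, run= or shell= line that differs from a clean system, where load= and run= are empty and shell= reads exactly Explorer.exe.

```python
import re

# Constructed sample contents for the demonstration (not real files).
# Clean Win.ini has empty load= and run= lines; clean System.ini has
# shell=Explorer.exe and nothing appended after it.
WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\suspect.exe
"""
SYSTEM_INI = """\
[boot]
shell=Explorer.exe C:\\WINDOWS\\extra.exe
"""

# (file, section, key, value a clean system shows), compared case-insensitively
STARTUP_KEYS = [
    ("win.ini", "windows", "load", ""),
    ("win.ini", "windows", "run", ""),
    ("system.ini", "boot", "shell", "explorer.exe"),
]

def parse_ini(text):
    """Minimal .ini parser: {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def find_startup_entries(win_ini, system_ini):
    """Return (file, key, value) for each startup line not at its clean default.
    A program added to shell= is appended after Explorer.exe, so the whole
    value is compared rather than only its first word."""
    parsed = {"win.ini": parse_ini(win_ini), "system.ini": parse_ini(system_ini)}
    findings = []
    for fname, section, key, expected in STARTUP_KEYS:
        value = parsed[fname].get(section, {}).get(key, "")
        if value.lower() != expected:
            findings.append((fname, key, value))
    return findings
```

Running find_startup_entries(WIN_INI, SYSTEM_INI) on the samples reports the run= program and the extra program after Explorer.exe on shell=, while the empty load= line passes.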
Dangerous Startup Methods
Because there are only a handful of these startup methods, we find more hackers going to extremes to find new methods of startup. This includes using dangerous changes to the system registry, which will render the system useless if the trojan file or its companion file is ever removed. This is one reason not to use standard antivirus software to remove trojans. If one of these methods is used, and the file is removed without fixing the system registry, your system may not be able to run any programs after you reboot. LockDown Millennium detects and repairs all of these dangerous startup methods, as seen with this Sub7 infection.
The ICQ Startup Method
Another startup method now commonly used is the ICQ NetDetect. Many ICQ users are not aware that a hacker can add a configuration line to ICQ in order to have it start the trojan every time that the program is loaded. As a test you can try the following:
- Open ICQ.
- Click on the ICQ icon and select Preferences.
- Click on Connection.
- Click on Edit Launch List.
- Click on Add.
- Click on Browse.
- Find a file to add; \Windows\Notepad.exe would work for this test.
- Click on Open, and then Ok.
The file will run when you restart ICQ. If you go to your Startup Programs window in the Generics module, you can locate the program listed as a startup program. You will see "ICQ NetDetect" as the startup method. Simply select the file in the LockDown Millennium Startup Programs window and click on the "Remove Program From Startup" button and it will be removed immediately.
Other Startup Methods
For information about other startup methods and dangers, read the Startup Programs area of this help file under the topic The LockDown Millennium Program ; Generics ; Startup Programs.