Introduction

This demonstration will show you some of the capabilities of trojan horse programs. It has become increasingly obvious to us that general public awareness is very low in this key area of internet security. Most internet users do not even know what a trojan horse is, let alone the high danger potential that these types of programs possess.
A brief description of a trojan horse program:

A trojan horse is a program that infects your computer and allows a hacker to run hidden tasks behind your back. A trojan infection can allow total remote access to your computer by a third party.
I know you may say, why would anyone want to hack my computer when it has nothing interesting on it, or I'm not a bank or an official organization? But the fact is you are likely to be more of a target than a bank or an official organization, because they usually have this kind of protection already.
How Trojans Are Spread:

Trojans are spread in various ways, such as email attachments, files made to look like something they are not, files placed on internet sites with names like Pokemon.exe to lure people into downloading them, or files sent to you via chat programs. One of the sneakiest methods is to take a legitimate file and join a trojan to it, so that when you run the file all looks normal, only a trojan was secretly installed in the background and is now just sitting there waiting for the hacker to connect.
Hackers Are Sent Your IP When You Log On To The Internet:

The chances are that the moment it is executed the hacker will know, because these programs often notify the hacker that their victim is online and ready for their intentions. It's a bit like going on holiday for a month, leaving all your doors and windows wide open, and then posting an advert in the classified ads announcing that you are going away, giving your name and address and saying: please stop by and help yourself to any of my private possessions, and do feel free to poke around in all the cupboards and drawers, as all the doors and windows are wide open. Many trojan horse programs have similar capabilities to the one we tested below.
SubSeven Trojan Demo
The Hacker Can Retrieve All Of Your Passwords:

Above is a screen shot of the SubSeven user interface showing the section relating to passwords. As you can see, your passwords for your dial-up and mail accounts, and for any sites you visit that require a password, can all be stolen just at the click of a button if your machine was compromised by this trojan. The simplicity of use of this powerful trojan is the reason its popularity has exploded.
Hackers Are Scanning For Infected Computers:

You will often be probed on TCP ports 1243, 27374 and 6667 by exploiters subnet-scanning for computers infected by this backdoor. After receiving a list of all your cached passwords, hackers will often use these passwords to access your mail accounts, or if you are on a dial-up connection they will use your account to hack from or to trade with other hackers. ICQ and AOL Instant Messenger screen names and nicknames are often taken over and stolen in the same way. Sites that you pay for or subscribe to, and any online banking accounts that you may use, are all now accessible to the hacker.
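A defender-side way to spot the probing described above, as an added example that is not part of the original page or of LockDown: it parses constructed personal-firewall log lines (the log format and the addresses are assumptions) and reports every source that touched one of the three SubSeven probe ports, flagging a source that hits several hosts as a subnet sweep.

```python
import re
from collections import defaultdict

# TCP ports the page says SubSeven scanners probe.
SUBSEVEN_PROBE_PORTS = {1243, 27374, 6667}

# Constructed sample of personal-firewall log lines (not real traffic; the
# line format and the addresses are assumptions made for this example).
SAMPLE_LOG = """\
2000-05-12 21:03:11 DENY TCP 203.0.113.7:4211 -> 192.0.2.18:27374
2000-05-12 21:03:11 DENY TCP 203.0.113.7:4212 -> 192.0.2.19:27374
2000-05-12 21:03:12 DENY TCP 203.0.113.7:4213 -> 192.0.2.20:27374
2000-05-12 21:03:12 DENY TCP 203.0.113.7:4214 -> 192.0.2.21:1243
2000-05-12 21:04:40 ALLOW TCP 198.51.100.9:3345 -> 192.0.2.18:80
2000-05-12 21:05:02 DENY TCP 198.51.100.23:1025 -> 192.0.2.18:6667
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec

def find_trojan_scanners(text, min_targets=3):
    """Map each source that touched a SubSeven probe port to the ports and
    hosts it hit. 'sweep' is True when one source hit min_targets or more
    distinct hosts, i.e. a subnet scan rather than a single stray packet."""
    hits = defaultdict(lambda: {"ports": set(), "targets": set()})
    for rec in parse_log(text):
        if rec["proto"] == "TCP" and rec["dport"] in SUBSEVEN_PROBE_PORTS:
            hits[rec["src"]]["ports"].add(rec["dport"])
            hits[rec["src"]]["targets"].add(rec["dst"])
    for info in hits.values():
        info["sweep"] = len(info["targets"]) >= min_targets
    return dict(hits)

if __name__ == "__main__":
    for src, info in find_trojan_scanners(SAMPLE_LOG).items():
        kind = "subnet sweep" if info["sweep"] else "single probe"
        print(f"{src}: {kind} on ports {sorted(info['ports'])}")
```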
Hackers Can Take Over Your Accounts:

If you have your own web site you can pretty much expect the hacker to access that and exchange your trusted download files for trojans, or just to deface and delete your site and then change the password to deny you access to your hard work. Some hackers use the ICQ takeover feature, which basically downloads your ICQ database files and your personal and private chat history, along with your password, to their own ICQ. Once they have done this they log onto ICQ as you, change the account password and change the email address that ICQ should send lost or changed passwords to. The account is now secured by the hacker and you have very little chance of getting it back. Often their next trick would be to message all your friends on ICQ who have known you a long while and trust you, and then send them trojan horse files, which most will readily accept and run because they know and trust you.
The Hacker Can Access Your Files Just As Though They Were Their Own:

Using the file manager part of the program the hacker can access all of your drives, including hidden drives, and has full access to all of your files. Normally the hacker will go to the My Documents folder first, looking for personal items about you or lists of passwords or financial details. They can download any files they wish, again just at the click of a button. Often hackers find it funny to delete files that are important or have taken a lot of time and effort, like a resume document, a school project or business accounts.
Common Things Hackers Do:

It is also not uncommon for hackers to alter documents. Let's say, for example, your resume, which probably took you hours of work to complete and make look good, and was probably checked several times for errors. You apply for a job and you just hit print or add it as an email attachment, because you think that the resume is fine as you took a lot of time preparing it. Imagine if they change just a few details in it, like the reason for leaving your last job, and you could potentially be sending a resume that ensures you won't ever get a job with that company or any others like it. We have personally seen and heard about many such incidents from people who have now become customers of LockDown after having had experiences just like the above.

Many people keep a lot of personal documents on their computers pertaining to themselves or their personal lives. Hackers often like to read people's chat history, especially if you are a chat program user. In rare cases hackers have sent people's personal chat history to the authorities or to other users on their chat list, especially if they have said something derogatory about them. Blackmail is also not unheard of in some cases. Hackers will often upload other trojan horse files to your computer and then run them, again just at the click of a button. As you can see, the machine is wide open to this kind of abuse, and your machine will only carry on working at the good grace of the hacker, as deletion of the Windows folder and its contents is also only a click away.

You may also notice that the program has the ability to display an image. Another hacker favorite is to display obscene pictures on your computer which you can't close until you restart the computer, or to change the desktop wallpaper. A lot of people have experienced just this kind of activity. It is often done if the user is a female or a child so as to cause shock and distress, and I wonder how many children have got into trouble for messing up the computer when it was actually a hacker that was responsible.
The Hacker Can See Every Computer Key You Press:

The key logger logs every key that you press on your keyboard and the application that you typed it into. Any email that you write, any text that you write, or private messages to friends in chats are logged just as above. The key logger not only records all the keys pressed but even saves a log of the keys that you pressed when not connected to the internet, for the hacker to simply download and read at their leisure, again just at the touch of a button. If the hacker is logging keys while you are online and typing something, then they see the keys as they are pressed. If the hacker was spying on you chatting on ICQ, then they could simply enable the key logger to see your replies to messages and enable the ICQ spy tool to see the incoming messages. All these processes run hidden from you, and a skilled hacker will use this type of program stealthily so that you will never know that they are there.
Other Symptoms Of A Trojan Infection:

Normally, if your CD drawer starts to open, or you have programs open by themselves, or images displayed, or chat message boxes from the hacker appear, then it's most likely an unskilled hacker. Usually this type of hacker is destructive and often just deletes files for the sake of it. However, the most dangerous type are the ones that you don't see and don't know are there. In testing we have tried several other firewall programs and run the SubSeven server without raising any alarm whatsoever. The reason is that SubSeven opens a port on the computer as soon as it starts up, ready and listening for the hacker to connect. As the port is already open by the time the standard firewall starts, the firewall simply trusts it and ignores the trojan.
LockDown Uses Generics To Detect Unknown Trojans:

Because LockDown uses generics and scans in memory, you would be alerted to the danger immediately after you restarted your computer that the SubSeven trojan was present, and you would be able to close it, delete it and clean it up. The hacker can find a trojan-infected computer by scanning subnet ranges for computers with listening ports, or even have the infected computer do the work and scan for them. As scanning is illegal, the hacker commands the innocent victim's computer to do the work, and the victim gets the blame for it, has their internet service account terminated, or possibly even faces legal action. Some people may say this is impossible, or that it is so rare it won't happen to me. Think again: it is estimated that there are well over a million computers infected with just this trojan alone.
Trojans Can Send IRC & ICQ Pages To The Hacker:

A hacker can also find a compromised computer if they were the one to edit and alter the server, because they can set it up in such a way as to have the infected computer send an ICQ pager, as illustrated above, broadcast on an IRC (Internet Relay Chat) network, or send an email the moment the computer connects to the internet. This information gives the hacker the IP address you are at and the port number to connect to, as well as the password and the version of the trojan. Above is an ICQ WWW Pager message informing the hacker that one of his target computers is online and awaiting his attentions. Some hackers receive hundreds of these pagers every day, and it has become such a problem that ICQ have tried on numerous occasions to deny these pagers being sent via their network, to very little avail, as SubSeven is updated with a new workaround version just as fast as ICQ stops the pagers.
The Hacker Can Hide Behind Your Connection:

Above is a client screen shot of the port redirect function after it has been enabled, which shows how the hacker can activate a port on your machine to open up and point to any destination they like. This one was set up so the hacker could connect to an IRC chat server. The hacker then simply opens up an IRC script of choice and types /server 127.0.0.1 9000 (127.0.0.1 denoting the IP address of the computer that was port redirected), hits connect, and usually moments later ends up connected to IRC, but with a difference. The difference is that they are now showing your address instead of their own, and can anonymously commit crimes like trading credit card numbers or denial of service attacks, with you getting the blame or being reported for it. A lot of compromised machines are being used in just this way. Not only that, but the hacker can have your machine connect to an IRC server as a drone or a zombie machine.
These zombie machines are used to spy on other IRC networks or as IRC channel bots, and are controlled by commands typed in the channel or by private messages to the zombie. By these means the hacker can control thousands of these machines with just one command and use them as a flood net, or to attack other computers or web sites. By using IRC the hacker does not even need to connect to the machines that they control. Distributed Denial of Service (DDoS) attacks are illegal, but it is often impossible to pinpoint the individual who launched the attack. Generally, if your machine was involved in the attack then you can expect a visit from the authorities, and your machine is your own responsibility. Even though you never launched an attack, or even knew about it, the fact is that the attack came from your machine regardless.
The Hacker Can Use Your Connection To Scan For Other Infected Computers:

Here we see the scanner options in the client. The scanner can be run from the client itself or it can be launched from the compromised machine. The hacker can make your machine illegally probe thousands of machines for trojans, as well as waste your bandwidth, and then, as above, use port redirection to try to connect to the computers that your computer probed and reported as being trojan-infected. At the moment the balance of power lies firmly in the hands of hackers, but by running LockDown you can push the odds in your favor.
Because LockDown detects trojans both in the conventional way and generically, it can detect trojans that are totally unknown to other anti-virus and anti-trojan software. LockDown also monitors the start-up areas of your system, including the registry and the Windows *.ini files (99% of the time trojans restart at every reboot of Windows and so need to install themselves into a start-up area). Also watched for are programs that try to access the internet (most trojans need to do this), and active memory is scanned as well. With the Program Manager in LockDown Millennium you can not only see a hidden program running but also kill it and delete it. Before, you had to restart your computer in MS-DOS mode and delete it, or restart in safe mode and do it there, or kill the program's start-up method, then restart and delete. This used to be complicated for novice users to perform, but now it is easy for everyone, without it being necessary to go to the trouble of a restart.
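An added example (not LockDown's code) of auditing the *.ini start-up areas the paragraph mentions: it reads the classic Windows 9x entries, win.ini [windows] load= and run= and system.ini [boot] shell=, from constructed file contents and flags anything beyond the expected defaults. The file contents and the UNKNOWN.EXE names are constructed; the registry Run keys the page also names are not covered here.

```python
# Constructed sample contents of the two Windows 9x start-up files (not from
# a real machine); the extra program on the load= and shell= lines is the kind
# of entry a trojan adds to restart with Windows. UNKNOWN*.EXE are placeholders.
WIN_INI = """\
[windows]
load=C:\\WINDOWS\\SYSTEM\\UNKNOWN.EXE
run=
NullPort=None
"""
SYSTEM_INI = """\
[boot]
shell=Explorer.exe C:\\WINDOWS\\UNKNOWN2.EXE
mouse.drv=mouse.drv
[386Enh]
ebios=*ebios
"""

def ini_values(text, section, key):
    """Return every value of key inside [section], in file order. A plain
    line-by-line read, since Windows .ini files may repeat keys."""
    current, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            k, _, v = line.partition("=")
            if k.strip().lower() == key.lower():
                found.append(v.strip())
    return found

# (file, section, key, values considered normal on a clean system)
STARTUP_KEYS = [
    ("win.ini", "windows", "load", {""}),
    ("win.ini", "windows", "run", {""}),
    ("system.ini", "boot", "shell", {"explorer.exe"}),
]

def audit_startup(win_ini, system_ini):
    """Return (file, key, value) for each start-up entry that launches
    anything beyond the expected default; an empty list means clean."""
    texts = {"win.ini": win_ini, "system.ini": system_ini}
    findings = []
    for fname, section, key, normal in STARTUP_KEYS:
        for value in ini_values(texts[fname], section, key):
            if value.lower() not in normal:
                findings.append((fname, key, value))
    return findings
```

Calling audit_startup(WIN_INI, SYSTEM_INI) on the constructed files returns the load= and shell= entries as findings and leaves the empty run= line alone.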
The Hacker Can Turn On Your WebCam And Watch You Without Your Knowledge:

Above we see what is possible if the compromised computer has a webcam. The hacker can actually sit and watch you without your knowledge, and I think you will agree the possibilities are endless as to what the hacker may see using this spying feature. The hacker is also able to look at your desktop and click your mouse for you, as shown below, or obtain a full screen image of your desktop.
The Hacker Can Watch Everything That You Do On Your Computer As If You Were On TV:

These are demonstrations of just a few of the hundreds of features that this program has on offer for the hacker, mostly just a case of point and click. The creators of this program even give help on how to use it. None of this demonstration would have been possible if at the time of doing it I had been running LockDown.