Version: 1.0.2Trojan
- Malware contained inside seemingly harmless programs.
- activated when such programs are executed.
- Used to gain access and/or cause damage to victims systems.
- Run with same privileges of the victim but can exploit vulnerabilities to gain more privileges.
- Symptoms include
- change of system settings such as disabling updates, antivirus, task manager
- more usage of system resources such as network bandwidth and CPU.
- Broad use-cases including
- Install other malicious code
- Use victims computer for other attacks including DDoS, or spam e-mails
- Steal information through keyloggers
- Running a ransomware
- Infect victim as proxy-server to do replay attacks
Trojan communication
- Different trojans use different ports for communication
- 💡 Check active connections on different ports to detect presence of trojans.
Communication paths
Overt channels
- Legitimate and transparent paths to send information
- E.g. HTTP and TCP/IP
- Can be exploited to create a covert channel
Covert channels
- 📝 Sending information by an unknown, unmonitored way
- Outside of the security policy
- Useful to bypass multi-level security solutions in order to leak data out of a protected network
- May use steganography
- E.g. storage channel
- Reading tweets from Twitter to get commands from C&C servers
- Leaves evidence behind
- E.g. timing channel
- Small pauses when watching a video sends encoded commands
- Leaves almost no trace of its existence
- Requires receiver to be actively listening
- E.g. use of reserved fields in various packet headers/footers to conceal data
- Utilizes tunneling protocol (allows moving data between different networks)
- Wrapper
- An application that can concatenate two executable files and produce an application containing both.
- Used to embed trojans in legitimate files
- Can utilize e.g.
petite.exe
, IExpress, elitewrap
- Trojan Construction Kits
- Allows you to create a trojan in an easy way
- E.g. DarkHorse trojan virus maker
Steps of infecting with a trojan
- Create a new trojan
- Create a dropper to install the trojan
- Create a wrapper to bind trojan into legitimate files
- Propagate the trojan
Techniques for evading antivirus
- Do not use a known trojan, it'll be known by antivirus
- Write your own trojan instead
- 📝 Distribute trojan as e.g.
.doc.exe
or .pdf.exe
- Because Windows hides "known extensions" by default so they appear as
.doc
or .pdf
- 📝 Perform code obfuscation or morphing to confuse anti-viruses
- E.g.
alert( 'Hello, world!' );
becomes var _0xc890=["\x68\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64"];alert(_0xc890[0])
- Change the content / checksum or morph it to generate different signatures
Trojan types
Remote access trojans (RATs)
- Also known as remote administration trojans.
- Malware that includes a back door for administrative control over the target computer
- Includes an user interface to issue commands
- Usually has functionalities like keylogger, camera access, taking screenshots etc.
- E.g. • Saefko, njRAT • turkojan • Biodox
Covert Channel Tunneling Trojan (CCTT)
- A form of RAT
- Enables attackers to gain shell interfaces into and out of a network using authorized channels covertly
Backdoor trojans
- Trojans that installs backdoors to give uninterrupted access to attackers
- The difference from RAT is that RATs have user interface
- Can usually bypass programs e.g. by injecting connections into browser processes
- Often used to create a botnet or zombie network to execute malicious activities
- E.g. • Qadars • z3r0 Remvio • SubRoot
- See also backdoor
Botnet trojans
- Bot herders are attackers who installs bot programs on victims.
- Infected machines become one of their bots or zombies in their bot herd.
- Bots are controlled through Command and Control (C&C) center.
- 📝 Bots allow attackers to
- do DDoS attacks
- steal data
- send spam and access the device
- Examples
- Conficker
- Has also worm features to infect other systems in the network.
- Mirai
- Infects weak IoT devices.
- Probes IoT devices in network and brute forces login on Telnet (port 23 and 2323)
- Open-sourced
- See also Botnet and Botnets | Denial of Service
Rootkit trojans
- Enable access to unauthorized areas in a software
- Root (privilege account in Unix) + kit (software components that implement it)
- Type of backdoors but hard to detect as it often masks its existence
- E.g. by subverting software that's intend t find it such as hiding its name from service lists, task lists or registry viewers.
- Does not propagate by themselves as opposed to worms
- Often used in blended threat
- Blended threat is an exploit that combines elements of multiple types of malware
- E.g. a malware consisting of
- dropper (to install)
- loader (causes e.g. buffer overflow and load rootkit into memory)
- rootkit.
- Commonly hidden in the boot sector of a hard disk to evade antivirus detection.
- E.g.
- See also Rootkits | Hiding Files
E-banking Trojans
- Intercepts account information before encryption and sends to attacker.
- Can steal e.g. credit card numbers, billing details
- Can also show false bank account information
- E.g. ZeuS (ZBot)
- Uses man-in-the-browser keylogging and form grabbing
- One of the most successful banking trojans
- Used fast flax to evade detection
- Uses compromised hosts as proxies for commands
- Idea is to change DNS record of domain very quickly using hundreds of IPs
- Keylogging
- Form data capture
- Inserting fraudulent form fields
- Screen captures and video recording
- Mimicking financial websites
- Redirecting to banking websites
- Man-in-the-middle attack
Tan Gabber
- Transaction Authentication Number (TAN)
- Single use one-time passwords (OTPs) to authorize financial transactions
- E.g. ChipTAN
- A card needs to be inserted to a device to get the code
- Used by many German and Austrian banks
- Trojan intercepts the number and replaces it
- User gets rejected
- Attacker logs in using target's login details.
HTML injection
- Also known as Webinjects
- Injects HTML or JavaScript code into e-banking content before it's rendered on a web browser
- 📝 Manipulates original forms in bank webpages with additional fields
- E.g. login credentials, credit card numbers, CVVs, PINs, tokens, etc.
- Goal is to prompt user to give out more information that'll be collected
- Retrieves authorization and log-in credentials from a web forms before they're sent
- More effective than keyloggers as it acquire credentials even if they use virtual keyboard, autofill etc.
Covert credential grabber
- Hides itself on a machine
- Searches through session cookies for financial transaction info
- Sends the information the attacker
Proxy-server trojans
- Allows attacker to use victims computers as proxy to connect to the Internet.
- Starts a hidden proxy server on victim machine
- Used for attackers for illegal activities such as purchasing goods with illegal cards
- E.g. Linux.Proxy.10, Pinkslipbot
Defacement trojan
- Resource editors allow to view, edit, extract, and replace strings, bitmaps, logos and icons from any Windows program.
- E.g. changes title of Word documents to "You've been hacked"
- See also Website defacement | Web threats and attacks
- E.g. using Restorator to modify files' icons.