
Trojan

  • Malware hidden inside a seemingly harmless program.
    • Activated when that program is executed.
  • Used to gain access to and/or cause damage on victims' systems.
  • Runs with the same privileges as the victim, but may exploit vulnerabilities to gain more.
  • Symptoms include
    • changed system settings such as disabled updates, antivirus or task manager
    • increased use of system resources such as network bandwidth and CPU
  • Broad use-cases including
    • Installing other malicious code
    • Using the victim's computer for further attacks such as DDoS or spam e-mail
    • Stealing information through keyloggers
    • Running ransomware
    • Turning the victim's machine into a proxy server to relay attacks through it

Trojan communication

  • Different trojans use different ports for communication.
  • 💡 Check active connections and listening ports (e.g. with netstat -ano on Windows or ss -tunap on Linux) and compare them with the processes you expect on the host to detect the presence of trojans.
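The check above, as an added example that is not part of the original page: it parses netstat-style lines and flags listeners owned by unexpected processes and established connections to ports outside a baseline. The line layout, the sample lines and both allow-lists are constructed for illustration; on a real host you would feed it the output of ss -tunap or netstat -ano reshaped into the same columns.

```python
"""Triage a connection table for trojan-like activity (added example)."""
import re
from dataclasses import dataclass

# Remote ports a typical workstation is expected to talk to (assumed baseline).
EXPECTED_REMOTE_PORTS = {53, 80, 123, 443, 993}
# Processes that normally own inbound listeners on this host (assumed baseline).
EXPECTED_LISTENERS = {"sshd", "nginx"}

# Constructed layout: proto local:port remote:port state process
CONN_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<local>[\d.]+|\*):(?P<lport>\d+)\s+"
    r"(?P<remote>[\d.]+|\*):(?P<rport>\d+|\*)\s+(?P<state>\S+)\s+(?P<proc>\S+)$"
)


@dataclass
class Finding:
    line: str
    reason: str


def triage_connections(lines):
    """Return a Finding for every line that deviates from the baseline."""
    findings = []
    for raw in lines:
        m = CONN_RE.match(raw.strip())
        if not m:
            continue  # headers or unparseable lines are ignored
        proc, state = m["proc"], m["state"]
        if state == "LISTEN" and proc not in EXPECTED_LISTENERS:
            findings.append(Finding(raw, f"unexpected listener {proc} on port {m['lport']}"))
        elif state == "ESTABLISHED":
            rport = int(m["rport"])
            if rport not in EXPECTED_REMOTE_PORTS:
                findings.append(Finding(raw, f"{proc} connected to uncommon remote port {rport}"))
    return findings


SAMPLE = [  # constructed sample, not captured from a real host
    "tcp 0.0.0.0:22 *:* LISTEN sshd",
    "tcp 192.168.1.10:51234 142.250.72.14:443 ESTABLISHED firefox",
    "tcp 0.0.0.0:31337 *:* LISTEN svchost_.exe",
    "tcp 192.168.1.10:49152 203.0.113.9:6667 ESTABLISHED winlogon_.exe",
]

if __name__ == "__main__":
    for f in triage_connections(SAMPLE):
        print(f.reason, "<-", f.line)
```

A baseline comparison like this only catches trojans that do not blend in: one that talks to its C&C over 443 or is hidden by a rootkit (see below) will not show up, so treat a clean result as weak evidence.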

Communication paths

Overt channels

  • Legitimate and transparent paths to send information
  • E.g. HTTP and TCP/IP
  • Can be exploited to create a covert channel

Covert channels

  • 📝 Sending information through an unknown, unmonitored path
  • Outside of the security policy
  • Useful to bypass multi-level security solutions in order to leak data out of a protected network
  • May use steganography
    • E.g. storage channel: data is written into something the receiver can later read
      • Reading tweets from Twitter to get commands from C&C servers
      • Leaves evidence behind
    • E.g. timing channel: data is encoded in when things happen
      • Small pauses while watching a video send encoded commands
      • Leaves almost no trace of its existence
      • Requires the receiver to be actively listening
    • E.g. use of reserved fields in packet headers/footers to conceal data
  • Often uses a tunneling protocol (encapsulating one protocol inside another to move data between networks)
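A timing channel of the kind described above, as an added example that is not part of the original page: the sender encodes each bit as a short or long gap between packets, the receiver recovers the bits from inter-arrival times, and a crude detector looks for gaps that cluster into two values. The gap lengths, jitter and bin width are assumptions; packet times are generated in memory rather than by sleeping, so it runs offline.

```python
"""Simulated timing covert channel with a naive detector (added example)."""
import random

SHORT_GAP = 0.10  # seconds between packets carrying a 0 bit (assumed)
LONG_GAP = 0.30   # seconds between packets carrying a 1 bit (assumed)
THRESHOLD = (SHORT_GAP + LONG_GAP) / 2


def to_bits(msg):
    return [(byte >> i) & 1 for byte in msg for i in range(7, -1, -1)]


def from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def encode_timestamps(msg, start=0.0, jitter=0.0, seed=0):
    """Sender side: the gap after packet k carries bit k. Returns arrival times."""
    rng = random.Random(seed)
    times = [start]
    for bit in to_bits(msg):
        gap = (LONG_GAP if bit else SHORT_GAP) + rng.uniform(-jitter, jitter)
        times.append(times[-1] + gap)
    return times


def decode_timestamps(times):
    """Receiver side: it has to observe the whole stream; one gap is one bit."""
    bits = [1 if (b - a) > THRESHOLD else 0 for a, b in zip(times, times[1:])]
    return from_bits(bits)


def looks_like_timing_channel(times, bin_width=0.05, min_gaps=16):
    """Naive detector: natural traffic spreads its inter-arrival gaps, whereas
    a stream whose gaps collapse into two narrow clusters is worth a look."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < min_gaps:
        return False
    bins = {}
    for g in gaps:
        key = round(g / bin_width)
        bins[key] = bins.get(key, 0) + 1
    top_two = sorted(bins.values(), reverse=True)[:2]
    return sum(top_two) / len(gaps) > 0.9


def random_traffic(n_gaps, seed=1):
    """Constructed 'normal' traffic with uniformly spread gaps, for comparison."""
    rng = random.Random(seed)
    times = [0.0]
    for _ in range(n_gaps):
        times.append(times[-1] + rng.uniform(0.01, 1.0))
    return times


if __name__ == "__main__":
    stream = encode_timestamps(b"hi", jitter=0.02)
    print(decode_timestamps(stream), looks_like_timing_channel(stream))
```

The detector is deliberately simple: a sender that randomizes its two gap lengths or spreads bits over many packets defeats it, which is why the text says timing channels leave almost no trace.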

Trojan tools

  • Wrapper (also called a binder)
    • An application that concatenates two executable files into one application that runs both.
    • Used to embed trojans in legitimate files
    • E.g. petite.exe, IExpress, elitewrap
  • Trojan construction kits
    • Allow you to create a trojan in an easy way
    • E.g. DarkHorse Trojan Virus Maker
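Because a wrapper appends the second executable after the host file's last section, the result is data past the end that the PE headers account for (the "overlay"). The following added example, not from the original page, parses the PE section table to measure that overlay; the minimal PE it builds for demonstration is synthetic, with all fields the check does not need zeroed.

```python
"""Measure the overlay of a PE file to spot wrapped payloads (added example)."""
import struct

FILE_ALIGN = 512  # assumed file alignment for the synthetic PE


def pe_overlay(data):
    """Return (overlay_offset, overlay_size). Raises ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER starts right after the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + opt_size  # first IMAGE_SECTION_HEADER
    end = sect + 40 * num_sections  # the file at least covers its headers
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each header
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    end = min(end, len(data))  # truncated files have no overlay, not a negative one
    return end, len(data) - end


def build_minimal_pe(section_bytes):
    """Synthetic PE32 with one section; only fields pe_overlay reads are meaningful."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222  # PE32 magic + zeroed optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    raw_size = -(-len(section_bytes) // FILE_ALIGN) * FILE_ALIGN
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section_bytes), 0x1000, raw_size, FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + section
    return headers.ljust(FILE_ALIGN, b"\0") + section_bytes.ljust(raw_size, b"\0")


if __name__ == "__main__":
    host = build_minimal_pe(b"\xC3" * 10)            # clean host: no overlay
    wrapped = host + build_minimal_pe(b"\x90" * 4)   # host with a second PE glued on
    print(pe_overlay(host), pe_overlay(wrapped))
```

A non-zero overlay is a lead, not a verdict: Authenticode signatures and the archives of self-extracting installers (IExpress output included) legitimately live in the overlay, so check the security data directory and look at what the appended bytes are before calling a file wrapped.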

Steps of infecting with a trojan

  1. Create a new trojan
  2. Create a dropper to install the trojan
  3. Create a wrapper to bind the trojan to a legitimate file
  4. Propagate the trojan

Techniques for evading antivirus

  • Do not use a known trojan, as antivirus will already have signatures for it
    • Write your own trojan instead
  • 📝 Distribute the trojan as e.g. .doc.exe or .pdf.exe
    • Because Windows hides "extensions for known file types" by default, so they appear as .doc or .pdf
  • 📝 Perform code obfuscation or morphing to confuse antivirus
    • E.g. alert('hello world'); becomes var _0xc890=["\x68\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64"];alert(_0xc890[0])
  • Change the content (and hence the checksum) or morph the code so that each copy has a different signature
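What "a different checksum per copy" buys an attacker, and what it does not, as an added example that is not part of the original page: each variant XOR-packs the same inert marker string with a fresh key, so hash blocklists and byte-pattern signatures over the file miss the second copy, while a check that first unpacks the body (what an antivirus emulator does) still matches. The XOR packing is a toy stand-in for real obfuscation and the marker string is constructed.

```python
"""Hash blocklists versus content matching on morphed copies (added example)."""
import hashlib

PAYLOAD = b"MARKER:this stands in for the trojan body"  # inert, constructed


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_variant(payload, key):
    """'Morph' the payload: 1-byte key length, the key, then the XORed body.
    Every new key yields a file with a different hash and different bytes."""
    assert 0 < len(key) < 256
    return bytes([len(key)]) + key + xor_bytes(payload, key)


def unpack_variant(blob):
    """What the decoder stub does at run time, and what an emulator replays."""
    klen = blob[0]
    return xor_bytes(blob[1 + klen:], blob[1:1 + klen])


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_hit(blob, blocklist):
    return sha256(blob) in blocklist


def static_pattern_hit(blob, pattern=b"MARKER:"):
    """Byte signature over the file as stored on disk."""
    return pattern in blob


def emulated_pattern_hit(blob, pattern=b"MARKER:"):
    """Same signature, applied after unpacking (emulation / memory scan)."""
    return pattern in unpack_variant(blob)


if __name__ == "__main__":
    v1 = make_variant(PAYLOAD, b"\x01\x02")
    v2 = make_variant(PAYLOAD, b"\xaa\x55\xff")
    blocklist = {sha256(v1)}
    for name, v in (("v1", v1), ("v2", v2)):
        print(name, hash_blocklist_hit(v, blocklist), static_pattern_hit(v), emulated_pattern_hit(v))
```

This is why the decoder stub itself, and the behaviour after unpacking, are what modern engines key on: the part that has to stay constant for the payload to run is the part that does not morph.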

Trojan types

Remote access trojans (RATs)

  • Also known as remote administration trojans.
  • Malware that includes a back door for administrative control over the target computer
  • Includes a user interface to issue commands
  • Usually has functionalities like keylogging, camera access, taking screenshots etc.
  • E.g. Saefko, njRAT, Turkojan, Biodox

Covert Channel Tunneling Trojan (CCTT)

  • A form of RAT
  • Enables attackers to gain shell interfaces into and out of a network using authorized channels covertly

Backdoor trojans

  • Trojans that install backdoors to give attackers uninterrupted access
  • The difference from a RAT is that RATs have a user interface
  • Can often bypass security programs such as host firewalls, e.g. by injecting connections into browser processes so that the traffic appears to come from the browser
  • Often used to create a botnet or zombie network to execute malicious activities
  • E.g. Qadars, z3r0, Remvio, SubRoot
  • See also backdoor

Botnet trojans

  • Bot herders are attackers who install bot programs on victims.
  • Infected machines become bots or zombies in their bot herd.
  • Bots are controlled through a Command and Control (C&C) center.
  • 📝 Bots allow attackers to
    • perform DDoS attacks
    • steal data
    • send spam and access the device
  • Examples
    • Conficker
      • Also has worm features to infect other systems in the network.
    • Mirai
      • Infects weak IoT devices.
      • Probes IoT devices in the network and brute-forces logins on Telnet (ports 23 and 2323)
      • Open-sourced
  • See also Botnet and Botnets | Denial of Service
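Mirai's telnet probing is noisy on the wire: one source touching many hosts on ports 23 and 2323 in a short window. The following added example, not from the original page, runs that detection over flow-log lines; the log format, the sample lines and the thresholds are constructed and should be tuned to your own network.

```python
"""Flag Mirai-style telnet scanners in flow logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log layout: "<iso timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>"
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)
TELNET_PORTS = {23, 2323}


def find_telnet_scanners(lines, min_targets=5, window=timedelta(minutes=5)):
    """Return {src: sorted distinct telnet targets} for every source that
    contacted at least `min_targets` distinct hosts on telnet ports within
    any `window`-long span."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) not in TELNET_PORTS:
            continue
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))

    scanners = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide the window from each event
            targets = {dst for t, dst in evs[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                scanners[src] = sorted({dst for _, dst in evs})
                break
    return scanners


SAMPLE_LOG = [  # constructed flow-log lines, not real traffic
    "2024-05-01T10:00:01 src=10.0.0.50 dst=10.0.1.1 dport=23 proto=tcp",
    "2024-05-01T10:00:02 src=10.0.0.50 dst=10.0.1.2 dport=2323 proto=tcp",
    "2024-05-01T10:00:02 src=10.0.0.50 dst=10.0.1.3 dport=23 proto=tcp",
    "2024-05-01T10:00:03 src=10.0.0.7 dst=10.0.1.1 dport=23 proto=tcp",
    "2024-05-01T10:00:04 src=10.0.0.50 dst=198.51.100.20 dport=80 proto=tcp",
    "2024-05-01T10:00:04 src=10.0.0.50 dst=10.0.1.4 dport=23 proto=tcp",
    "2024-05-01T10:00:05 src=10.0.0.50 dst=10.0.1.5 dport=2323 proto=tcp",
    "2024-05-01T10:00:06 src=10.0.0.50 dst=10.0.1.6 dport=23 proto=tcp",
    "2024-05-01T10:03:00 src=10.0.0.7 dst=10.0.1.1 dport=23 proto=tcp",
    "this line does not parse and is skipped",
]

if __name__ == "__main__":
    print(find_telnet_scanners(SAMPLE_LOG))
```

The administrator at 10.0.0.7 who logs into one device twice stays below the threshold; the host sweeping six neighbours in five seconds does not. On an IoT segment the more durable fix is the one the threshold hints at: no telnet reachable at all.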

Rootkit trojans

  • Enable access to unauthorized areas of software
  • Root (privileged account on Unix) + kit (software components that implement it)
  • A type of backdoor, but hard to detect as it often masks its own existence
    • E.g. by subverting software intended to find it, such as hiding its name from service lists, task lists or registry viewers.
  • Do not propagate by themselves, as opposed to worms
  • Often used in a blended threat
    • A blended threat is an exploit that combines elements of multiple types of malware
    • E.g. malware consisting of
      • a dropper (to install)
      • a loader (causes e.g. a buffer overflow and loads the rootkit into memory)
      • the rootkit
  • Commonly hidden in the boot sector of a hard disk to evade antivirus detection.
  • See also Rootkits | Hiding Files
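The standard counter to a rootkit that hides its name from task lists is a cross-view check: enumerate processes two different ways and diff the results. The following added example, not from the original page, does that on Linux by comparing the /proc listing (what ps and top show) with a brute-force null-signal probe of every PID; the comparison itself is a pure function so it can be tried on constructed PID sets.

```python
"""Cross-view detection of hidden processes (added example, Linux collectors)."""
import os


def hidden_pids(listed, alive):
    """PIDs that answer a probe but are absent from the high-level listing."""
    return sorted(set(alive) - set(listed))


def pids_from_proc():
    """High-level view: what /proc (and therefore ps, top) exposes."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_by_probe(max_pid=None):
    """Low-level view: kill(pid, 0) sends no signal but reports whether the PID
    exists. ProcessLookupError means no such process; PermissionError means it
    exists but belongs to another user, which still counts as alive."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            max_pid = 32768  # assumed fallback when pid_max is unreadable
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def cross_view_check():
    """Run both collectors on this host and return the suspicious PIDs."""
    return hidden_pids(pids_from_proc(), pids_by_probe())


if __name__ == "__main__":
    print("possibly hidden:", cross_view_check())
```

Two caveats when running it for real: processes that start or exit between the two views produce one-off false positives, so repeat the check and keep only persistent hits; and on Linux kill() also accepts thread IDs, so confirm a hit by looking for its /proc entry and Tgid before raising an alarm. A kernel rootkit that hooks the system call as well as /proc defeats this from inside the host, which is why the last resort is an offline scan from trusted media.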

E-banking Trojans

  • Intercept account information before encryption and send it to the attacker.
  • Can steal e.g. credit card numbers, billing details
  • Can also show false bank account information
  • E.g. ZeuS (ZBot)
    • Uses man-in-the-browser keylogging and form grabbing
    • One of the most successful banking trojans
    • Used fast flux to evade detection
      • Uses compromised hosts as proxies for commands
      • The idea is to change the DNS record of the domain very quickly, cycling through hundreds of IPs

Banking information analysis

  • Keylogging
  • Form data capture
  • Inserting fraudulent form fields
  • Screen captures and video recording
  • Mimicking financial websites
  • Redirecting to banking websites
  • Man-in-the-middle attack
TAN grabber

  • Transaction Authentication Number (TAN)
    • Single-use one-time password (OTP) used to authorize a financial transaction
    • E.g. ChipTAN
      • The bank card has to be inserted into a reader device to get the code
      • Used by many German and Austrian banks
  • The trojan intercepts the TAN the user enters and replaces it with a bogus one
    • The user's transaction gets rejected
    • The attacker logs in using the target's login details and authorizes their own transaction with the intercepted TAN

HTML injection

  • Also known as webinjects
  • Injects HTML or JavaScript code into e-banking content before it is rendered in the web browser
  • 📝 Manipulates original forms on bank webpages by adding extra fields
    • E.g. for login credentials, credit card numbers, CVVs, PINs, tokens, etc.
  • The goal is to prompt the user to give out more information, which is then collected

Form grabber

  • Retrieves authorization and login credentials from web forms before they are sent
  • More effective than keyloggers, as it acquires credentials even if the user relies on a virtual keyboard, autofill etc.

Covert credential grabber

  • Hides itself on the machine
  • Searches through session cookies for financial transaction info
  • Sends the information to the attacker
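Webinjects (the HTML injection technique above) leave a tell that banks check for: the rendered form carries fields the bank never served. The following added example, not from the original page, diffs the field names of a reference form against an observed one; both HTML snippets are constructed, and in practice the observed copy would come from a client-side integrity script reporting what the browser actually rendered.

```python
"""Detect form fields added by a webinject (added example)."""
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collect the names of user-facing form controls in document order."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            a = dict(attrs)
            if a.get("name") and a.get("type") != "submit":
                self.fields.append(a["name"])


def form_fields(html):
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def injected_fields(reference_html, observed_html):
    """Field names present in what the browser rendered but absent from what
    the bank served: the extra inputs a webinject grafts onto the page."""
    return sorted(set(form_fields(observed_html)) - set(form_fields(reference_html)))


REFERENCE_FORM = """<form action="/login" method="post">
  <input name="username"><input type="password" name="password">
  <input type="submit" value="Log in"></form>"""  # constructed: as served by the bank

OBSERVED_FORM = """<form action="/login" method="post">
  <input name="username"><input type="password" name="password">
  <label>Card number</label><input name="cardnumber">
  <label>ATM PIN</label><input type="password" name="pin">
  <input type="submit" value="Log in"></form>"""  # constructed: after a webinject

if __name__ == "__main__":
    print("injected:", injected_fields(REFERENCE_FORM, OBSERVED_FORM))
```

The same diff run server-side on the submitted POST parameters (fields the bank never asked for) is cheaper and harder for the trojan to tamper with, since the grabbed values often travel to the attacker through the legitimate request.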

Proxy-server trojans

  • Allow the attacker to use the victim's computer as a proxy to connect to the Internet.
  • Start a hidden proxy server on the victim machine
  • Used by attackers for illegal activities such as purchasing goods with stolen cards, so that the activity traces back to the victim
  • E.g. Linux.Proxy.10, Pinkslipbot

Defacement trojan

  • Resource editors allow an attacker to view, edit, extract and replace strings, bitmaps, logos and icons in any Windows program.
    • E.g. using Restorator to modify a file's icon.
  • E.g. changes the title of Word documents to "You've been hacked"
  • See also Website defacement | Web threats and attacks