Trojans White Paper
 
By Dancho Danchev, Frame4.com


This useful paper is reproduced in full with the permission of the author. The original version of this article can be found at:

http://www.frame4.com/content/pubs/comp_trojans.txt

The Complete Windows Trojans Paper V1.0

By Dancho Danchev
dancho.danchev@frame4.com
http://www.frame4.com/

Part Four

17. Online Scanning Services
    ------------------------

These services are very popular these days and they are very handy for users
who don't know much about all of the holes they are checking for, but who
want to make sure they are protected from all of them. This section is placed
at the end of the paper for a specific reason: if you have read the paper,
you should know a LOT about trojans by now, how they work and how they are
detected, so you can decide for yourself whether these online scanners are
useful or whether they give a false sense of safety.

There are several types of Online Scanners: Trojan Scanner, Port Scanner and
Bugs Checker.

- Trojan Scanner
  It uses a list of predefined ports, each associated with the name of the
  trojan that listens on that port by default, like GirlFriend=21544. If that
  port is in the "listening" state on your machine, it will tell you that you
  have been infected with the GirlFriend trojan. As you already know, trojans
  can change their default port to ANY port of the attacker's choice, which
  makes these Trojan Scanners close to useless, because serious attackers do
  change the default port for sure.

- Port Scanner
  This service usually has two options: a well-known ports scan and an all
  ports scan. The first scans the well-known ports, again associating each
  port with the service that normally runs on it, like 21-FTP, 23-Telnet,
  25-SMTP. The second is rarely seen on a free service, because of the
  bandwidth needed to scan all 65,535 ports. It again associates ports with
  services as mentioned above, and if it finds any open port not associated
  with a known service, it reports that too, like "Port 34525
  State:Listening", which means this port is waiting for connections from
  the outside.

- Bugs Checker
  Its purpose is to check your browser or your e-mail software for well-known
  bugs and security-related problems. If any are detected, it points you to a
  site containing the patches for these bugs, or to a site with the latest
  updated version of the software.

It's strongly recommended to close any other Internet-related application on
your machine before being scanned by an online Trojan Scanner or Port Scanner.

You decide which service is best for you, which one will be able to detect
trojan infections on your machine and which won't; you now know the main
principles, and the answers too, I hope. Links to several online scanning
services I know of are included in the Links Section.
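The two port-based services above can be imitated on your own machine to see what they do and do not tell you. The Python script below is an added example, not code from the paper or from any of the scanning sites it names. It parses a constructed "netstat -an" listing in the Windows output format and classifies each listening TCP port the way the Trojan Scanner and the Port Scanner would, using only the ports the paper itself mentions (GirlFriend=21544; 21-FTP, 23-Telnet, 25-SMTP). The port tables are deliberately tiny and are an assumption about what such a scanner's list looks like, not a real signature database.

```python
"""Local listening-port audit modelled on the online Trojan Scanner and
Port Scanner described in the paper.  Added example, not from the paper.
The netstat listing below is constructed, not captured from a real host."""

# Default trojan port taken from the paper's own example (GirlFriend=21544).
# Any fuller table would be an assumption, so this one is deliberately short.
TROJAN_DEFAULT_PORTS = {21544: "GirlFriend"}

# Well-known service ports, again limited to the ones the paper names.
WELL_KNOWN_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP"}

# Constructed Windows "netstat -an" output (sample data for this example).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21544          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:34525          0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1029       192.168.0.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def parse_listening_ports(netstat_text):
    """Return the sorted list of TCP ports in LISTENING state.

    Only TCP rows carry a State column; UDP rows (three fields, no state)
    are skipped, since the online scanners in the paper check TCP ports.
    """
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue
        local, state = fields[1], fields[3]
        if state.upper() != "LISTENING":
            continue
        # Local address is host:port; rsplit also copes with IPv6 "[::]:25".
        port = int(local.rsplit(":", 1)[1])
        ports.add(port)
    return sorted(ports)


def classify_port(port):
    """Label a listening port the way the two online services would.

    Returns (category, detail): 'trojan-default' for a port in the trojan
    list, 'known-service' for a well-known service port, else 'unknown'.
    """
    if port in TROJAN_DEFAULT_PORTS:
        return "trojan-default", TROJAN_DEFAULT_PORTS[port]
    if port in WELL_KNOWN_PORTS:
        return "known-service", WELL_KNOWN_PORTS[port]
    return "unknown", "Port %d State:Listening" % port


def audit(netstat_text):
    """Run the audit over a netstat listing; returns {port: (category, detail)}."""
    return {p: classify_port(p) for p in parse_listening_ports(netstat_text)}


if __name__ == "__main__":
    for port, (category, detail) in audit(SAMPLE_NETSTAT).items():
        print("%5d  %-14s %s" % (port, category, detail))
```

Run against the sample, the 21544 entry comes out as a GirlFriend hit, but only because the constructed trojan kept its default port; change one number in the listing and the same scanner sees nothing. The 34525 entry is reported merely as an unknown listening port, and that is the finding that actually deserves a look: which process on the machine owns it, which is exactly the process check the advice section recommends.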

 

18. Advice
    ------

This is a very useful section, full of tips and advice on how to protect
yourself from trojans using the various ways you've already read about,
summarised here for faster reading and hopefully better understanding.

 

[01] Never accept a file, even if it is from a friend. You're never sure who
     is on the other side of the computer at that moment. If you really need
     the file, let's say some presentation or a work paper, find other ways,
     like the phone, to verify the file really comes from your friend. Yes, it
     will take you some time and slow you down a bit, but be paranoid about
     attachments you receive and don't get infected.

[02] When executing files, first check their type. Is it really a .doc, or is
     it some executable with a .doc icon?

[03] Update your Anti-Virus and Anti-Trojan signature files regularly, if
     possible EVERY day for maximal protection, as new trojans and viruses are
     discovered every day. Most detection software has functions like
     scheduled scans, so if you are away from your machine during the night
     but leave it switched on, why not schedule a scan and an update every
     night? Doing so will ensure your maximal protection.

[04] Make sure you always have the latest version of the software you're
     using, as new bugs appear very often and programs are regularly updated.
     Check often to see whether bugs and/or other problems have been found in
     software that may expose your system to risk, and patch/update your
     system(s) accordingly. Some software has an option to check for the
     latest version on the vendor's web site; make use of it.

[05] Take several minutes and regularly check the processes on your machine
     with the software I reviewed above. You'll be surprised what you may
     detect sometimes.

[06] It's vital to understand the risk of getting software from someone you
     just met, or have had only a few ICQ or IRC conversations with.

[07] Consider freeware programs very risky software to download, and try
     searching for some reviews of the program before running it.

[08] Carefully read the help files that come with your detection software, to
     be able to use it to its full capacity.

[09] Download software ONLY from its official page(s) or a dedicated mirror
     site. Never get the latest version of mIRC or ICQ from some site you've
     never heard of, like a page on a free web space provider such as
     Geocities. Consider it an untrusted site and do NOT download anything
     from there.

[10] If you are playing with trojans you can also get infected, as there are
     trojans and other software that are themselves already infected and are
     waiting for someone without much knowledge of the topic to download and
     use them.

[11] Don't be so naive about everything you see on the Internet or what
     various sites offer you: don't download software you've never heard of.
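Advice [02] can be turned into a mechanical check. The Python below is an added example, not code from the paper: it looks at a file's name and at its first bytes, flags a double extension such as name.doc.exe (Windows picks the program to run from the last extension, while the icon shown can be anything), and flags a document extension whose content starts with the "MZ" signature of a Windows executable. The two magic values are the documented ones for Windows executables and for legacy OLE (.doc/.xls) files; the extension lists and the sample files are constructed for the example and are not a complete list of risky extensions.

```python
"""File-type check for advice [02]: is the file really what its extension
says?  Added example, not part of the original paper.  The sample files at
the bottom are constructed byte strings, not real files."""

import os

# Content signatures.  "MZ" opens every Windows executable (EXE, DLL, SCR);
# the 8-byte OLE compound-document header opens legacy .doc and .xls files.
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Extensions Windows will execute directly, and common document extensions.
# Both lists are illustrative, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTS = {".doc", ".xls", ".txt", ".pdf"}


def header_kind(header):
    """Classify leading bytes as 'executable', 'ole-document' or 'other'."""
    if header.startswith(PE_MAGIC):
        return "executable"
    if header.startswith(OLE_MAGIC):
        return "ole-document"
    return "other"


def check_file(name, header):
    """Return a list of warnings for a file name plus its leading bytes.

    An empty list means name and content are consistent and the file is
    not something Windows would run directly.
    """
    warnings = []
    base = os.path.basename(name).lower()
    root, ext = os.path.splitext(base)        # "budget.doc.exe" -> ".exe"
    inner_ext = os.path.splitext(root)[1]     # "budget.doc"     -> ".doc"

    # (1) Double extension: "report.doc.exe" is an executable, not a document.
    if ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        warnings.append("double extension: looks like %s but runs as %s"
                        % (inner_ext, ext))

    kind = header_kind(header)
    # (2) Document extension on a file whose content is an executable.
    if ext in DOCUMENT_EXTS and kind == "executable":
        warnings.append("extension %s but content is a Windows executable" % ext)
    # (3) Executable extension: flag it regardless, since that is what runs.
    elif ext in EXECUTABLE_EXTS:
        warnings.append("executable extension %s; treat as untrusted code" % ext)
    return warnings


# Constructed sample inputs: file name -> first bytes of its content.
SAMPLES = {
    "budget.doc": OLE_MAGIC + b"\x00" * 8,     # genuine legacy Word file
    "budget.doc.exe": PE_MAGIC + b"\x90\x00",  # executable hiding behind .doc
    "readme.doc": PE_MAGIC + b"\x90\x00",      # executable renamed to .doc
    "setup.exe": PE_MAGIC + b"\x90\x00",       # honest executable
}


def audit_samples():
    """Check every constructed sample; returns {name: warnings}."""
    return {name: check_file(name, header) for name, header in SAMPLES.items()}


if __name__ == "__main__":
    for name, warnings in audit_samples().items():
        print("%-16s %s" % (name, "; ".join(warnings) or "looks consistent"))
```

The header check matters because the name is the one part of a file the sender fully controls: hiding the real extension with a second, fake one is exactly the trick the advice warns about, and reading the first bytes cannot be fooled by an icon.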

 

19. Links Section
    -------------

This section will be very useful for everyone interested in reading various
papers about trojans written by other people, anti-trojan software review
sites, trojan archives, trojan protection portals and many other sites
related to the topic. If you want me to add your link in the next update, mail
me, and if the site is somehow related to the topic I will definitely include
it in the list.

Please don't forget that you can find these and many other security-related
links in our extensive web links directory at Frame4 Security Systems; check
it out at: http://www.frame4.com/php/modules.php?name=Web_Links

 

-- Trojan Portals and Archives --
URL  : http://www.tlsecurity.net
DESC : Excellent, well-known security portal providing many trojan resources
       and information regarding the topic
URL  : http://www.euyulio.org
DESC : Security portal, huge trojans archive and other unique features
URL  : http://www.megasecurity.org/
DESC : Megasecurity portal having huge trojans archive and well sorted library
       on the subject
URL  : http://www.trojan.ch
DESC : Trojans portal, news, archive, unique programs
URL  : http://www.trojanforge.net/
DESC : Trojans portal, trojans archive, documents, www-board
URL  : http://packetstormsecurity.org/trojans
DESC : Packetstorm's trojans section
URL  : http://www.pcflank.com
DESC : Security portal providing various functions such as browser tests and
       remote trojan scanning
URL  : http://www.staff.uiuc.edu/~ehowes/trojans/tr-tests.htm
DESC : Site showing results of actual (functional comparison) tests performed
       with various trojan detection programs

 

-- Trojan Database Libraries --
URL  : http://www.simovits.com/trojans/trojans.html
DESC : Huge, detailed and well sorted list of trojans and their functions
URL  : http://www.tlsecurity.net/tlfaq.htm
DESC : Comprehensive list and analysis of probably all the public trojans
URL  : http://www.blackcode.com/trojans/
DESC : Trojans/worms library database provided by BlackCode

 

-- Anti Trojan Sites --
URL  : http://www.hackfix.org/
DESC : Site with resources related to trojan protection and helping newbies
URL  : http://www.nohack.net/
DESC : The nohack project helps newbies clean their PCs and protect themselves
URL  : http://www.virushelp.info
DESC : IRC channel related to virus and trojans protection
URL  : http://www.anti-trojan.org
DESC : Anti-trojan help site

 

-- Detection Software Reviews --
URL  : http://www.wilders.org/anti_trojans.htm
DESC : Site providing reviews of anti-trojan software
URL  : http://www.rokopsecurity.de/
DESC : German site providing reviews of various anti-virus and anti-trojan
       software, and much other information (site language is German)
URL  : http://www.fruitloop.net/virushelp/index.html
DESC : Site providing reviews of detection software
URL  : http://www.firewallguide.com/anti-trojan.htm
DESC : Site providing various security related services and reviews

 

-- Papers Regarding Windows Trojans --
URL  : http://www.jmu.edu/computing/info-security/engineering/issues/remote.shtml
DESC : Interesting paper about windows trojans
URL  : http://members.ozemail.com.au/~netsafe/trojan_index.html
DESC : Detailed information about windows trojans
URL  : http://researchweb.watson.ibm.com/antivirus/SciPapers/Whalley/inwVB99.html
DESC : Windows trojans
URL  : http://researchweb.watson.ibm.com/antivirus/SciPapers/Smoke/smoke.html
DESC : Another must read paper
URL  : http://www.frame4.com/content/files/the_gentle_art_of_trojan_horsing_under_windows.txt
DESC : Windows trojans
URL  : http://www.frame4.com/content/files/trojdetecte.txt
DESC : Snakebyte's tips about trojan detection
URL  : http://www.frame4.com/content/files/what_trojan.pdf
DESC : Paper about windows trojans
URL  : http://www.frame4.com/content/files/Trojan_reversing.txt
DESC : Interesting reading

 

-- Online Scanners --
URL  : http://www.hackerwhacker.com/
DESC : A must visit vulnerability checker with unique features
URL  : http://www.scannerx.com
DESC : Vulnerability assessment scanner
URL  : http://scan.sygatetech.com/
DESC : Security scanner

 

-- Browser and E-mail Software --
URL  : http://www.nwnetworks.com/iesc.html
DESC : Internet Explorer security centre
URL  : http://www.guninski.com
DESC : Browser and active content researcher, a must visit
URL  : http://www.sophos.com/virusinfo/whitepapers/activecontent.html
DESC : Whitepaper about active content security

 

-- Misc --
URL  : http://directory.google.com/Top/Computers/Security/Anti_Virus/Trojans/
DESC : Google's trojans directory
URL  : http://support.microsoft.com/support/kb/articles/q262/6/31.asp?LN=EN-US&SD=gn&FR=0
DESC : Risky file extensions
URL  : http://www.frame4.com/content/files/razor.wintrinoo.txt
DESC : Review of the WinTrinoo trojan
URL  : http://www.megasecurity.org/Info/mIRC.txt
DESC : Very detailed paper on mIRC backdoors

 

20. Final Words
    -----------

I really hope you've realised how big a security problem Windows Trojan Horses
are, and that you've become a little paranoid about your security. If you've
ever found yourself infected, I also hope that while reading the paper you
have understood how you may have got infected the last time, and I'm sure you
won't make the same mistake again. The paper will be updated regularly with
the latest info on the topic, as new variations of trojans and ways of
infection appear very often. If you think I've missed something, please do
not hesitate to contact me and contribute to it. Your feedback, ideas,
comments, suggestions and everything related to the paper and the topic will
be greatly appreciated. I can be contacted at dancho.danchev@frame4.com.

 

Part of the Frame4 Security Systems Publications Archive, this paper can be
located at http://www.frame4.com/publications/index.php. Please visit the
archive to get the latest updates to this paper and many other security
related documents.

 

-------------------------------------------------------------------------------
This paper is a Frame4 Security Systems publication, all rights reserved. You
may (re-)distribute the text as long as the content is not changed in any way
and with this header text intact. If you want to serve this paper on your web
site/FTP/Newsgroup/etc., I encourage you to do so but please do not change it
in any way without the prior permission of the author.

IMPORTANT -- THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY. To the maximum
extent permitted by applicable law, in no event shall Frame4 Security Systems
be liable for any damages whatsoever, (including, without limitation, damages
for loss of any business profits, business interruption, loss of any business
information, or other pecuniary loss) arising out of the use, or inability to
use any software, and/or procedures outlined in this document, even if Frame4
Security Systems has been advised of the possibility of such damage(s). There
are NO warranties with regard to this information, but the paper may help you
improve your Windows security a lot.

This paper is the property of Frame4 Security Systems, all rights reserved.
Copyright (c) 1999-2002 Frame4 Security Systems -- http://www.frame4.com/
===============================================================================

 

