Trojans can be classified according to the actions which
they carry out on victim machines.
Today backdoors are the most dangerous and the most
widespread type of Trojan. These Trojans are remote
administration utilities that open infected machines to
external control via a LAN or the Internet. They function
in the same way as the legitimate remote administration
programs used by system administrators, which makes them
difficult to detect.
The only difference between a legitimate administration
tool and a backdoor is that backdoors are installed and
launched without the knowledge or consent of the user of
the victim machine. Once launched, the backdoor monitors
the local system without the user's knowledge; often it
will not even appear in the list of running programs.
Once a remote administration utility has been
successfully installed and launched, the victim machine
is wide open. Backdoor functions can include:
- Sending/receiving files
- Launching/deleting files
- Executing files
- Displaying notifications
- Deleting data
- Rebooting the machine
In other words, backdoors are used by virus writers
to detect and download confidential information, execute
malicious code, destroy data, include the machine in bot
networks and so forth. In short, backdoors combine the
functionality of most other types of Trojans in one
package.
Backdoors have one especially dangerous sub-class:
variants that can propagate like worms. The only
difference is that worms are programmed to propagate
constantly, whereas these 'mobile' backdoors spread only
after a specific command from the 'master'.
A further, looser category includes a variety of Trojans
that damage victim machines, threaten data integrity, or
impair the functioning of the victim machine.
Multi-purpose Trojans are also included in this group, as
some virus writers create multi-functional Trojans rather
than Trojan packs.
This family of Trojans steals passwords, normally
system passwords from victim machines. They search for
system files which contain confidential information such
as passwords and Internet access telephone numbers and
then send this information to an email address coded
into the body of the Trojan. It will then be retrieved
by the 'master' or user of the illegal program.
Some PSW Trojans steal other types of information
such as:
- System details (memory, disk space, operating
system details)
- Local email client
- IP address
- Registration details
- Passwords for on-line games
Trojan-AOL are PSW Trojans that steal passwords for AOL
(America Online). They are placed in a sub-group of their
own because they are so numerous.
This family of Trojans redirects victim machines to
specified websites or other Internet resources. Clickers
either send the necessary commands to the browser or
replace the system files in which standard Internet URLs
are stored (e.g. the 'hosts' file in MS Windows).
Clickers are used:
- To raise the hit-count of a specific site for
advertising purposes
- To organize a DoS attack on a specified server
or site
- To lead the victim to an infected resource where
the machine will be attacked by other malware
(viruses or Trojans)
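The hosts-file replacement described above leaves a trace that a defender can check for. The following is an added example, not code from the original text: a small Python 3 parser for a hosts file that reports entries which redirect a hostname to a non-loopback address (the clicker redirect case) or point a name other than the usual localhost aliases at loopback (the case where a Trojan blackholes, for example, an update server). The sample hosts content, the hostnames and the 198.51.100.0/24 documentation addresses are all constructed for illustration.

```python
from __future__ import annotations

import ipaddress
from typing import Iterator

# Constructed sample of a hosts file. The last three entries stand in for
# lines a clicker might plant; the addresses are from the documentation
# range and the hostnames are invented.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# comment line
198.51.100.7    www.example-bank.test           # redirect to attacker host
198.51.100.7    www.example-shop.test
127.0.0.1       update.example-antivirus.test   # blackhole security updates
"""

# Names for which a loopback mapping is expected rather than suspicious.
EXPECTED_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
    "broadcasthost",
}


def parse_hosts(text: str) -> Iterator[tuple[int, str, list[str]]]:
    """Yield (line_number, address_text, [hostnames]) for each active entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                   # an address with no names is inert
            continue
        yield lineno, fields[0], fields[1:]


def find_suspicious_entries(text: str) -> list[dict]:
    """Classify each hosts entry as 'redirect', 'blackhole' or 'unparseable'.

    redirect    - a hostname is mapped to a routable (non-loopback) address,
                  which is how a clicker sends the browser elsewhere
    blackhole   - loopback or 0.0.0.0 is mapped to a name that is not a
                  normal localhost alias, typically to block a site or updates
    unparseable - the address field is not a valid IP address at all
    """
    findings: list[dict] = []
    for lineno, addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append({"line": lineno, "kind": "unparseable",
                             "address": addr_text, "names": names})
            continue
        if addr.is_loopback or addr.is_unspecified:
            odd = [n for n in names if n.lower() not in EXPECTED_LOOPBACK_NAMES]
            if odd:
                findings.append({"line": lineno, "kind": "blackhole",
                                 "address": addr_text, "names": odd})
        else:
            findings.append({"line": lineno, "kind": "redirect",
                             "address": addr_text, "names": names})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_entries(SAMPLE_HOSTS):
        print(finding)
```

Run it against a real file by passing the contents of /etc/hosts (or %SystemRoot%\System32\drivers\etc\hosts on Windows) to find_suspicious_entries. Treat the output as a triage list rather than a verdict: ad-blocking hosts files and developer test entries also trip the 'blackhole' rule, so comparing the findings against a known-good baseline of the machine is the useful check.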
This family of Trojans downloads and installs new
malware or adware on the victim machine. The downloader
then either launches the new malware or registers it to
enable autorun according to the local operating system
requirements. All of this is done without the knowledge
or consent of the user.
The names and locations of malware to be downloaded
are either coded into the Trojan or downloaded from a
specified website or other Internet location.
These Trojans are used to install other malware on
victim machines without the knowledge of the user.
Droppers install their payload either without displaying
any notification, or displaying a false message about an
error in an archived file or in the operating system.
The new malware is dropped to a specified location on a
local disk and then launched.
Droppers are normally structured in the following way:
- Main file: contains the dropper payload
- File 1: first payload
- File 2: second payload
- ...: as many files as the coder chooses to include
The dropper functionality contains code to install
and execute all of the payload files.
In most cases, the payload contains other Trojans and
at least one hoax: jokes, games, graphics and so forth.
The hoax is meant to distract the user or to make the
activity caused by the dropper appear harmless, whereas
it actually serves to mask the installation of the
dangerous payload.
Hackers using such programs achieve two objectives:
- Hidden or masked installation of other Trojans
or viruses
- Tricking antivirus solutions which are unable to
analyse all components
These Trojans function as a proxy server and provide
anonymous access to the Internet from victim machines.
Today these Trojans are very popular with spammers who
always need additional machines for mass mailings. Virus
coders will often include Trojan-proxies in Trojan packs
and sell networks of infected machines to spammers.
This family includes a variety of spy programs and
keyloggers, all of which track and save user activity
on the victim machine and then forward this information
to the master. Trojan-spies collect a range of
information including:
- Keystrokes
- Logs of active applications
- Other user actions
These Trojans are most often used to steal banking
and other financial information to support online fraud.
These Trojans inform the 'master' about an infected
machine. Notifiers confirm that a machine has been
successfully infected, and send information such as the
IP address, open port numbers and email address of the
victim machine. This information may be sent by email,
to the master's website, or by ICQ.
Notifiers are usually included in a Trojan 'pack' and
used only to inform the master that a Trojan has been
successfully installed on the victim machine.
A rootkit is a collection of programs used by a
hacker to evade detection while trying to gain
unauthorized access to a computer. This is done either
by replacing system files or libraries, or by installing
a kernel module. The hacker installs the rootkit after
obtaining user-level access: typically this is done by
cracking a password or by exploiting a vulnerability.
This is then used to gather other user IDs until the
hacker gains root, or administrator, access to the
system.
The term originated in the Unix world, although it
has since been applied to the techniques used by authors
of Windows-based Trojans to conceal their actions.
Rootkits have been used increasingly as a form of
stealth to hide Trojan activity, something that is made
easier because many Windows users log in with
administrator rights.
These Trojans are archived files coded to sabotage
the decompressor when it attempts to open the infected
archive. The victim machine will slow or crash when the
Trojan bomb explodes, or the disk will be filled with
nonsense data. ArcBombs are especially dangerous for
servers, particularly when incoming data is initially
processed automatically: in such cases, an ArcBomb can
crash the server.
There are three types of ArcBombs: an incorrect header
in the archive, repeating data, and a series of identical
files in the archive.
An incorrect archive header or corrupted data can
both cause the decompressor to crash when opening and
unpacking the infected archive.
A large file containing repeating data can be packed
into a very small archive: 5 gigabytes will be 200 KB
when packed using RAR and 480 KB in ZIP format.
Moreover, special technologies exist to pack an
enormous number of identical files in one archive
without significantly affecting the size of the archive
itself: for instance, it is possible to pack 10100
identical files into a 30 KB RAR file or a 230 KB ZIP
file.
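A server that processes incoming archives automatically can screen them before unpacking. The following is an added example, not code from the original text: a Python 3 screen for ZIP archives that covers the three ArcBomb types described above, rejecting archives that fail to parse (incorrect header), whose declared compression ratio is implausibly high (repeating data) or which carry too many entries (identical-file flood), plus a bounded reader that caps the bytes actually produced by the decompressor, since the sizes in the archive header are attacker-controlled and cannot be trusted. The limits and the archives built in memory are constructed for illustration; only the standard library is used.

```python
from __future__ import annotations

import io
import struct
import zipfile
from typing import Optional

# Constructed policy limits for illustration; tune them to the workload.
MAX_RATIO = 100                      # declared uncompressed bytes per compressed byte
MAX_TOTAL_UNCOMPRESSED = 64 * 1024 ** 2
MAX_ENTRIES = 1000
CHUNK = 64 * 1024


def inspect_zip(data: bytes) -> dict:
    """Screen an archive from its central directory alone; nothing is extracted.

    Malformed archive -> reject (incorrect header / corrupted data).
    Ratio above MAX_RATIO -> reject (repeating data packed very small).
    Entry count above MAX_ENTRIES -> reject (flood of identical files).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except (zipfile.BadZipFile, struct.error, EOFError) as exc:
        return {"verdict": "reject", "reason": f"malformed archive: {exc}"}

    entries = len(infos)
    declared = sum(i.file_size for i in infos)      # header claim, untrusted
    packed = sum(i.compress_size for i in infos)
    if packed:
        ratio = declared / packed
    else:
        ratio = float("inf") if declared else 0.0   # empty archive is harmless

    summary = {"entries": entries, "declared_bytes": declared,
               "packed_bytes": packed, "ratio": round(ratio, 1)}
    if entries > MAX_ENTRIES:
        return {"verdict": "reject", "reason": f"too many entries ({entries})", **summary}
    if declared > MAX_TOTAL_UNCOMPRESSED:
        return {"verdict": "reject", "reason": f"declared size {declared} exceeds limit", **summary}
    if ratio > MAX_RATIO:
        return {"verdict": "reject",
                "reason": f"compression ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1", **summary}
    return {"verdict": "accept", "reason": "within policy", **summary}


def read_member_bounded(data: bytes, name: str, limit: int) -> Optional[bytes]:
    """Decompress one member, aborting as soon as the output exceeds `limit`.

    The cap is enforced on bytes the decompressor really produces, not on the
    declared file_size, so a lying header cannot bypass it.
    """
    out = io.BytesIO()
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            total += len(chunk)
            if total > limit:
                return None                   # abort: bomb or lying header
            out.write(chunk)
    return out.getvalue()


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory deflated ZIP (constructed test input, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed inputs: a harmless archive, a repeating-data archive (8 MiB of
# zeros deflates to a few KiB), a flood of identical files, and garbage.
BENIGN = make_zip({"readme.txt": b"nothing to see here\n"})
REPEATING = make_zip({"zeros.bin": b"\0" * (8 * 1024 ** 2)})
FLOOD = make_zip({f"copy{i}.txt": b"same" for i in range(MAX_ENTRIES + 1)})
GARBAGE = b"this is not a zip archive"

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("repeating", REPEATING),
                        ("flood", FLOOD), ("garbage", GARBAGE)]:
        print(label, inspect_zip(blob))
    print("bounded read of zeros.bin:", read_member_bounded(REPEATING, "zeros.bin", 1024 ** 2))
```

inspect_zip is cheap because it reads only the central directory, so it belongs in front of any automatic unpacking; read_member_bounded is the second line of defence for archives that pass, and the same chunk-and-count pattern applies to any decompressor whose declared output size comes from the input.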