Anti-Trojan Information / Protection

All things related to Firewalls and Anti Virus.

TeMerc
Site Admin
Posts: 15995
Joined: Fri Jan 28, 2005 5:16 pm
Location: PHX, AZ

Postby TeMerc » Wed Feb 23, 2005 11:52 pm

This post was created and posted originally, over at Bluetack Internet Security Solutions, and created by Moore.

I have copied and pasted it here, with his permission.

Some of this may be a bit advanced for many users, but the info is so well written, I had to post it here.


===================================================================
<><><><TROJAN HORSES><><><>
===================================================================


:: What is a Trojan? ::

Trojan Horse programs are able to hide themselves from being detected
after installing themselves on your computer, generally without your knowledge, sometimes using similar methods to spyware, but usually harder to fully detect.

Trojan horses are among the most dangerous threats to your computer files
and your confidential information such as your passwords,
credit card data and personal security.

Once a Trojan program is installed on your computer it allows full access to hackers.
The same Trojan can be used secretly by many hackers.
It's not just one Trojan to one hacker.

It's one Trojan to many hackers.

A Trojan on your computer can let a hacker view, copy or erase any folder
and any file on your computer just as though he or she were sitting
at your computer using its keyboard and mouse.
Any file on your computer can also be sent to any e-mail address
or posted on the Internet.

There are many ways a system can be infected with a Trojan and because
a Trojan is not the same as a virus (a self-replicating program segment)
it is not always detected by anti-virus software.

Trojans are often installed by a virus or worm that is programmed to open a backdoor into your computer,
sometimes to join in DDoS attacks against other computers. Other trojans can be added to popular programs and released
out to newsgroups and p2p networks, especially in the hopes of infecting new hosts.

Trojan Horse explanation:
- http://www.viruslist.com/eng/viruslist.html?id=13

complete windows Trojan paper : 24/10/02
- http://www.infosecwriters.com/texts.php?op...p=display&id=58

Trojan Horse Attacks:
http://www.irchelp.org/irchelp/security/trojan.html

Many Bots scan for victims of other Trojans such as SubSeven.
This has two distinct advantages for the hacker.
Firstly they can scan a lot of class C blocks without scanning
themselves or wasting their own bandwidth to do so and secondly
they can get their Bot onto already Trojan infected machines on
the premise that if the owner did not know they had one Trojan
that is detectable by nearly all Anti Trojan/Virus applications
then they certainly won't know they have another that is undetectable
by signature by all of these applications.

This to a large degree is why we use Generics as a second layer of
defense against unknown Trojans.
The SubSeven scan yields victims on default ports and also exploits
the old SubSeven master password, which works on all
SubSeven 2.* versions up to and not including SubSeven 2.1.3 Bonus.
Once a victim has been found and logged into, the command
to update from the web is sent. Once received, SubSeven will download
the new file and run it and then remove itself.

SubSeven trojan was made to improve upon the design of NetBus.

It has 'improved' NetBus so much now that this is a Very deadly trojan
that can be very damaging and quite hard to remove.

The best way to tell what version of SubSeven you are infected with
is by running an updated AntiVirus program and an Anti-Trojan Scanner.
Next best is to check this Which Version page.

- http://www.hackfix.org/subseven/
- http://www.norman.com/virus_info/subseven_...n_trojan.shtml/


- A Remote Administration Tool, or RAT, is a Trojan that when run,
provides an attacker with the capability of remotely controlling
a machine via a "client" in the attacker's machine,
and a "server" in the victim's machine.

The server in the victim "serves" incoming connections to the victim,
and runs invisibly with no user interface.
The client is a GUI front-end that the attacker uses to connect
to victim servers and "manage" those machines.
Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack.

What happens when a server is installed in a victim's machine depends on the
capabilities of the trojan, the interests of the attacker, and whether or not
control of the server is ever gained by another attacker, who might have
entirely different interests.

Infections by remote administration Trojans on
Windows machines are becoming as frequent as viruses.


- REMOTE ACCESS TROJANS-
- http://pestpatrol.com/Support/About/About_Rats.asp

- A Backdoor is a program that opens secret access to systems, and is often used to bypass system security.
- A Backdoor program does not infect other host files, but nearly all Backdoor programs make registry modifications.

The Enemy Within: Firewalls and Backdoors :
- http://www.securityfocus.com/infocus/1701

DLL Trojans and other:
- http://home.arcor.de/scheinsicherheit/introduction.htm
- http://securityresponse.symantec.com/avcen...ojan.anits.html

--------------------------------------------------------------------------------------------------

Most known Trojan horses are programs, which "imitate" some other useful programs, new versions of popular utility software or software updates for them.
Very often, they are sent to BBS stations or Usenet groups.

In comparison with viruses, Trojan horses are not widely spread.
The reason for this is quite simple: they either destroy themselves together with the rest of the data on disks, or unmask their presence and are deleted by victimized users.

Virus "droppers" may also be considered Trojan horses.
They are files infected in such a way that known anti-viruses do not determine virus presence in the file.

For example, a file is encrypted in some special way or packed by a rarely used archiver, preventing an anti-virus from "seeing" the infection.

Hoaxes are also worth mentioning.

These are programs that do not cause any direct harm to computers, but, rather,
display messages falsely stating that harm has already been done,
or will be done under some circumstances; or these hoaxes warn a user about some kind of non-existent danger.

Hoaxes are, for example, programs which "scare" a user with a message about disk formatting (although no formatting actually takes place); detect viruses in uninfected files; display strange virus-like messages (CMD640X disk driver from some commercial software packages); etc.

All of this depends on the author's sense of humor.
Apparently, the string "CHOLEEPA" in the second sector of Seagate hard disks is also a hoax.

Purposely false messages about new super viruses also fall into the category of hoaxes.
Such messages appear in newsgroups from time to time, and usually create panic among users.

http://www.viruslist.com/eng/viruslistbooks.html?id=64

-------------------------------------------------------------------------------------------------------------------------------

These sites below will help direct you to the best places to search for hidden trojans/spyware:

Auto Start checklist - best places to check:
http://www.cknow.com/ckinfo/def_a/autostart.shtml

===========================================
:: BHO Lists / Start Up lists / Process Libraries ::
===========================================
- http://www.generation.net/~hleboeuf/bho_a_d.htm
- http://www.sysinfo.org/bholist.php
- http://computercops.biz/CLSID.html
- http://computercops.biz/LSPs.html
- http://computercops.biz/StartupList.html
- http://computercops.biz/software.html
- http://www.windowsstartup.com/wso/search.php
- http://www.sysinfo.org/startuplist.php
- http://www.rockymountain.com/ref_startup.htm
- http://www.allsecpros.com/startuplist.html
- http://members.shaw.ca/austin.powers/
- http://www.3feetunder.com/krick/startup/list.html
- http://www.michaelpreslar.com/sysinfo/startupinfo.html
- http://www.neuber.com/taskmanager/process/index.html
- http://www.reger24.de/processes.php
- http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
- http://www.pacs-portal.co.uk/startup_index.htm
- http://www.pacs-portal.co.uk/startup_pages/startup_all.php
- http://www.processlibrary.com/
- http://www.liutilities.com/products/wintas...processlibrary/
- http://www.liutilities.com/products/wintas...library/system/
- http://www.liutilities.com/products/wintas...brary/security/


-Windows XP Home and Professional Tasks and Services:
- http://www.blkviper.com/WinXP/servicecfg.htm
- http://www.blkviper.com/index.html

Anti Trojan guides and links...

- https://netfiles.uiuc.edu/ehowes/www/info10.htm
- http://radified.com/Articles/trojan.htm
- http://www.net-security.org/dl/articles/comp_trojans.txt


Reverse Engineering Hostile Code:
- http://www.securityfocus.com/infocus/1637


Merijns Sub 7 removal page :
http://www.geocities.com/merijn_bellekom/new/sub7guide/index.html


Masters Of Paradise Trojan Removal guides:

http://www.hackfix.org/miscfix/mp.shtml
http://www.pestpatrol.com/PestInfo/m/masters_paradise.asp


Sophos Guide to removing Trojans:

1. Removing Trojans in Windows 95/98/Me
2. Removing Trojans in Windows NT/2000/XP/2003
3. Removing Trojans on Macintosh computers
4. Removing Trojans in DOS
5. Removing Trojans in OS/2
6. Removing Trojans in NetWare
7. Removing Trojans in Unix
8. Removing Trojans in OpenVMS

http://www.sophos.com/support/disinfection/trojan.html


---------------------------------------------------------------------------------------------------

If BO is running, it takes mere seconds for an intruder to access
all cached passwords and view most of your system's vital statistics.
He may have all he wants in moments and be gone.
You almost certainly wouldn't notice and there is absolutely nothing you could do.

Back Orifice Removal Guide:
http://www.pchell.com/internet/boserve.shtml

Detailed info on tracking and removing The Back Orifice "Backdoor" Program:
- http://www.nwinternet.com/~pchelp/bo/bo.html

A look into the Back Orifice Trojan:
- http://www.windowsecurity.com/articles/Trojan_Horse_Primer.html

----------------------------------------------------------------------------------------------------

A good method of discovering trojan infections is by identifying which virtual ports (there are 65535) are open and in use on your computer.

If you use an antivirus and personal firewall then you have a better chance of detecting and then blocking an unknown trojan from making outbound connections.

There are many programs to monitor for open ports, I mainly rely on TCPView or Outpost firewall to view which ports are listening and operating.

You can also use the built-in Windows netstat utility from a command prompt to view the open ports and connections by going to:

- start -> run -> [ type ] cmd.exe [ win2000/xp ] or command.exe [ win98/ME ] .. then in the command prompt window type - netstat -an

Only a firewall can be set up to block outbound unauthorised traffic from your computer, and without one running a trojan can give full access to and from your computer to anyone that manages to locate it with an automated scan, or to the person who originally released it.

XP SP2 / ICF firewall will not protect you from Trojans/Malware making outbound connections once they are on your system.


Some trojans are able to get through your firewall though, by using DLL / Process injection and other technical methods displayed at the firewall leak testing site:

http://www.firewallleaktester.com

An example:

New Trojan beats firewalls [2003]:

A malevolent program capable of using a browser to transmit and receive data secretly across a firewall was demonstrated at the DefCon security conference in the US earlier this year.

Once connected through the browser, the hacker can plant applications to allow activities such as recording
key strokes on the host machine or can access and download files.

Security experts attending DefCon in Las Vegas said the demonstration of Setiri has confirmed their fears that the next step in hacking technology will bypass firewall detection


- http://www.computercops.biz/article1321.html

======================================================================================

:: PORTS ::


The port lists below list default trojan ports, which the trojan program is designed to listen and operate on. Keep in mind that any trojan may be altered to operate on other ports as well, and that activity on a known trojan port may be a false positive and a genuine connection.

Firewalls cannot tell whether the traffic is malicious or harmless, only that it is operating on a known trojan port.

Be suspicious of any connections that you aren't sure about, but don't completely panic if you suddenly notice something that shouldn't be running or is connected to the internet without your authorization. Just be prepared, and if need be, disconnect from the internet if you suspect you are being hacked.

Trojans are not able to infect your computer any further like viruses or worms, but they can often be the result of a virus or worm infection planting a backdoor on your system.


NOTE: Some trojans may use more than one port number. This is because one port is used for "listening" and the other/s are used for the transfer of data.

In their default configurations, the following trojans use:

Back Orifice - UDP port 31337 or 31338
Deep Throat - UDP port 2140 and 3150
NetBus - TCP port 12345 and 12346
Whack-a-mole - TCP port 12361 and 12362
NetBus 2 Pro - TCP port 20034
GirlFriend - TCP port 21544
Sockets de Troie - TCP port 5000, 5001 or 50505
Masters Paradise - TCP port 3129, 40421, 40422, 40423 and 40426

Devil - port 65000
Evil FTP - port 23456
GateCrasher - port 6969
Hackers Paradise - port 456
ICKiller - port 7789
ICQTrojan - port 4590
Phineas Phucker - port 2801
Remote Grab - port 7000
Remote Windows Shutdown - port 53001

http://www.cybercity-online.net/Trojan.html
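The two steps the post describes (run `netstat -an`, then compare the listening ports against the default trojan port table) can be automated. The following is an added example written for this page, not code from the original post or from any of the tools it names. It parses Windows-style `netstat -an` output, flags sockets whose port matches the default-port table quoted above, and treats every hit as a lead to trace with a port enumerator rather than as proof of infection, exactly as the post warns (TCP 5000 is a good illustration: it is listed for Sockets de Troie, but Windows XP's SSDP Discovery service also listens there). The sample netstat text and the IP addresses in it are constructed for the example.

```python
import re
from collections import namedtuple

# Default ports quoted in the post above, keyed by (protocol, port).
# Constructed lookup table for this example: it is deliberately incomplete,
# and any trojan can be reconfigured to listen elsewhere.
KNOWN_TROJAN_PORTS = {
    ("udp", 31337): "Back Orifice", ("udp", 31338): "Back Orifice",
    ("udp", 2140): "Deep Throat", ("udp", 3150): "Deep Throat",
    ("tcp", 12345): "NetBus", ("tcp", 12346): "NetBus",
    ("tcp", 12361): "Whack-a-mole", ("tcp", 12362): "Whack-a-mole",
    ("tcp", 20034): "NetBus 2 Pro",
    ("tcp", 21544): "GirlFriend",
    ("tcp", 5000): "Sockets de Troie", ("tcp", 5001): "Sockets de Troie",
    ("tcp", 50505): "Sockets de Troie",
    ("tcp", 3129): "Masters Paradise", ("tcp", 40421): "Masters Paradise",
    ("tcp", 40422): "Masters Paradise", ("tcp", 40423): "Masters Paradise",
    ("tcp", 40426): "Masters Paradise",
}

Socket = namedtuple("Socket", "proto local_ip local_port remote state")

# One netstat -an data line: proto, local ip:port, foreign address, optional state.
# UDP lines carry no state column on Windows, so the last group is optional.
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$", re.IGNORECASE)

# Constructed sample of `netstat -an` output (addresses are documentation ranges).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1278        203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:445            *:*
"""


def parse_netstat(text):
    """Turn netstat -an text into Socket records, skipping headers and blank lines."""
    sockets = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, ip, port, remote, state = m.groups()
        sockets.append(Socket(proto.lower(), ip, int(port), remote, (state or "").upper()))
    return sockets


def suspicious_sockets(sockets):
    """Return (socket, trojan name) pairs for sockets on a known default trojan port.

    Only sockets that are actually listening or connected matter; a TCP socket in
    TIME_WAIT on a high port is normal churn, and UDP sockets have no state at all.
    """
    hits = []
    for s in sockets:
        active = s.proto == "udp" or s.state in ("LISTENING", "ESTABLISHED")
        name = KNOWN_TROJAN_PORTS.get((s.proto, s.local_port))
        if active and name:
            hits.append((s, name))
    return hits


def scan(text):
    """Convenience wrapper: netstat text in, list of (Socket, name) leads out."""
    return suspicious_sockets(parse_netstat(text))


if __name__ == "__main__":
    for sock, name in scan(SAMPLE_NETSTAT):
        # Each hit is a lead: trace the port to its owning process (TCPView, a port
        # enumerator) before deciding it is malicious; see the TCP 5000 caveat above.
        print(f"{sock.proto.upper()} {sock.local_ip}:{sock.local_port} {sock.state or '-'}"
              f"  -> default port of {name}")
```

On a real machine the text would come from `netstat -an` redirected to a file; the script never decides on its own, it only tells you which ports to trace next.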

--------------------------------------------------------------------------------------------------------

One of the most frequently fielded questions among security analysts is, "Do I have a Trojan-horse program if I've found a port open on my computer?"

Variations of this question litter security mailing lists, but the answer is always the same: Trace the port number to the program that's opening the port, and investigate the program.

The process of tracing an open port to its causative agent is called port enumeration (or port mapping). Of course, the answer assumes that you have an adequate understanding of port numbers, a good port-enumeration tool, and the ability to research whether the found program is malicious.

Let's take a look at port enumeration in general, then review 11 Windows port enumerators.


Top Port Monitoring Tools :
http://www.winnetmag.com/Articles/ArticleI...313/pg/1/1.html

Ultimate Trojan Ports List
http://www.bluetack.co.uk/forums/index.php?showtopic=777

-------------------------------------------------------------------------------------------

The port numbers are divided into three ranges: the Well Known Ports,
the Registered Ports, and the Dynamic and/or Private Ports.

The Well Known Ports are those from 0 through 1023.

The Registered Ports are those from 1024 through 49151

The Dynamic and/or Private Ports are those from 49152 through 65535

- http://www.iana.org/assignments/port-numbers

Use this PORT LOOKUP PAGE or download your own copy:
- http://lists.gpick.com/portlist/lookup.asp

For a complete listing of assigned ports and numbers ;
- http://www.networksorcery.com/enp/protocol/ip/ports00000.htm

Trojan ports list:
- http://www.glocksoft.com/trojan_port.htm


This excellent Port Reference website also provides their handy tool available for download as a Windows HTML Help (.chm) file.
Direct DOWNLOAD your own copy now or use the ONLINE PAGE to find what services and trojans operate on each port.
Immediately useful for double-checking port connections from the results in your firewall.
Updated regularly.


Block known trojan ports:
- http://www.doshelp.com/trojanports.htm

Ports descriptions and services:
- http://www.portsdb.org/bin/portsdb.cgi

Giant Port List:
- http://keir.net/portlist.html

ONCTek has compiled a list of known Trojan/Backdoors and the TCP/UDP ports on which they operate
The list should not be considered complete, nor should all activity on these ports be considered suspect:
- http://www.onctek.com/trojanports.html

Known Ports 0-1023:
- http://www.onctek.com/known_ports.txt

Known registered ports:
The Registered Ports are in the range 1024-49151.
- http://www.onctek.com/registered_ports.txt

------------------------------------------------------------------------------------------------------------------------

Analysis of the BioNet Trojan:
- http://www.misec.net/bionet312analysis.jsp

-computer trojan horses:
- http://www.infosecwriters.com/texts.php?op...p=display&id=39

Trojan search results;
- http://www.computercops.biz/modules.php?na...Search&topic=24

Google directory on Security/Anti-Trojans/Malicious Software:

- http://directory.google.com/Top/Computers/Security/
- http://directory.google.com/Top/Compute ... _Software/

=======================================================================

:: PREVENTION IS BETTER THAN A CURE ::

-------------------------------------------------------------------------------------------------------------------------------

The same programs I use for protection against spyware also work well
against any trojans that attempt to install themselves by modifying the registry.

I mainly rely on these for my protection :

- Outpost Pro/Blockpost - Firewall
- RegrunGold - Heavy duty registry / file and full system protection and lots more
- Winpatrol - Lightweight Registry/system monitor
- SSM / System Safety Monitor - Dll injection protection and a lot more
- TDS-3 - Trojan Defence Suite
- Wormguard- Worm and script protection
- Goback - Advanced system restore
- Commview - Packet sniffer

Applications that have worked well for me in detecting or stopping trojans from installing to begin with:

System Safety Monitor
- http://maxcomputing.narod.ru/ssme.html?lang=en

Winpatrol
- http://www.winpatrol.com

Also my favourite program for monitoring changes to your system and giving you complete control over any changes before Windows even boots up, plus system file protection and more, is: REGRUN GOLD.

- http://www.wilderssecurity.com/regrungold.html

REGRUN Security Suite
- http://www.greatis.com/security/download.htm
- http://www.greatis.com/security/detail.htm

A good firewall is essential, which is why I recommend Outpost Pro. It's not quite a beginner's firewall, but it can be learned quickly thanks to the excellent support forum, and it has some of the best features available for protecting your system.

Tiny firewall Pro is one of the most advanced sandbox/firewall applications available and if you like tweaking your security apps to the max then try this if you have time and the knowledge to configure it securely.

- http://www.tinysoftware.com/home/tiny2?la=EN


=======================================================================

ANTI-TROJAN PROGRAMS / TOOLS


Well since Trojan Defence Suite (TDS-3) has now been discontinued, the next best alternatives are included here:

- Ewido
- http://www.ewido.net/en/?section=ess

- BoClean:
- http://www.nsclean.com/boclean.html

- TROJANHUNTER -
- http://www.misec.net/trojanhunter/

- The Cleaner -
- http://www.moosoft.com/

- A² Trojan Scanner -
- http://www.emsisoft.com/en/
a² personal is primarily a Trojan scanner and remover. But besides Trojan Horses and Backdoors, it also detects other harmful software like Worm-Viruses, Dialers and other dangerous tools which are used by attackers to spy on your files. The advanced background guard gives harmful programs no chance to get on your PC. From now on you have full control over all active programs and their rights on your computer.

- http://www.spywarewarrior.com/uiuc/soft5.htm
- http://www.wilders.org/anti_trojans.htm
- http://www.computercops.biz/downloads-cat-6.html

GREAT FORUM ON ANTI-TROJANS:
http://www.wilderssecurity.com/index.php?board=5

Forum sticky of best TDS-3 links:
http://www.wilderssecurity.com/showthread.php?t=24666

Initialize TDS Sockets :
http://forum.gladiator-antivirus.com/index...?showtopic=4768


----------------------------------------------

:: Anti-trojan Review ::
http://www.anti-trojan-software-reviews.com/

----------------------------------------------
Other Good Anti-Trojan Scanners Available:
----------------------------------------------

- TROJANHUNTER -
- http://www.misec.net/trojanhunter/

- BoClean:
- http://www.nsclean.com/boclean.html

- The Cleaner -
- http://www.moosoft.com/

Kaspersky AntiVirus, while not a trojan scanner, works extremely well at detecting trojans and has powerful scanning features for detecting malicious files inside packed files, which many other AntiVirus programs miss.

===========================================

- Download links for Anti-trojan scanners:
- http://www.wilders.org/anti_trojans.htm
- http://www.computercops.biz/downloads-cat-6.html

===========================================

- FREEWARE TROJAN SCANNERS -

- Ewido Trojan Scanner / security suite -

- A relatively new and free Trojan Scanner, with extras including Xp-AntiSpy and Eraser, has many impressive features all packed in one, like a startup program / processes display and Netstat online connection viewer, and free updates available.

http://www.ewido.net/en/?section=ess

- A² Trojan Scanner -
- http://www.emsisoft.com/en/

- a² personal is primarily a Trojan scanner and remover. But besides Trojan Horses and Backdoors, it also detects other harmful software like Worm-Viruses, Dialers and other dangerous tools which are used by attackers to spy on your files. The advanced background guard gives harmful programs no chance to get on your PC. From now on you have full control over all active programs and their rights on your computer.

--------------------------------------------------

- Anti-trojan program Comparison by Agnitum with their Tauscan trojan scanner:

http://www.agnitum.com/products/tauscan/compare.html

-------------------------------------------------

=================
:: Rootkit Detection ::
=================

There are also applications available for specific identification of Trojan Rootkits:

- Unhack me -
http://www.greatis.com/unhackme/index.html

What is UnHackMe?
UnHackMe allows you to detect and remove a new generation of Trojan programs - invisible Trojans. They are called "rootkits".
UnHackMe is not a usual Trojan's scanner like RegRun or HijackThis.

It's used to detect Invisible Trojans (rootkits) only!

A rootkit is a collection of programs that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network. The intruder installs a rootkit on a computer using a user action or by exploiting a known vulnerability or cracking a password. The rootkit installs a backdoor giving the hacker full control of the computer. It hides their files, registry keys, process names and network connections from your eyes.

Your antivirus could not detect such programs because they use compression and encryption of their files. The sample software is the Hacker Defender rootkit.



- RKDetect -

RKDetect is a little anomaly detection tool that can find services hidden by generic Windows rootkits like Hacker Defender. The tool enumerates the services on a remote computer via WMI (user level) and the Services Control Manager (kernel level); the results are then compared and any difference is displayed. In this way we can find hidden services that are usually used to start rootkits. A similar approach can be used to enumerate processes, files, registry keys and anything else that rootkits usually hide.


Source Code:
The tool is a VB script which requires the sc.exe application that can be found in %WINDIR%\system32\sc.exe or can be downloaded along with the source code below at: http://www.security.nnov.ru/files/rkdetect.zip
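The cross-view comparison RKDetect performs is easy to reproduce on exported listings. The following added example is written for this page; it is not RKDetect's VBScript and does not talk to WMI or the SCM itself. It parses two constructed listings in the shape those tools print (`sc query` style blocks with `SERVICE_NAME:` lines, and a `wmic service get name` style column), then reports any service present in one view but missing from the other. The service names in the samples, including the hidden one, are placeholders.

```python
import re

# Constructed sample in the format `sc query type= all` prints (SCM view).
SC_QUERY_OUTPUT = """
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING

SERVICE_NAME: HiddenSvcPlaceholder
DISPLAY_NAME: Placeholder Hidden Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

# Constructed sample in the format `wmic service get name` prints (WMI view).
# The hidden service is absent here because the rootkit filters this enumeration.
WMIC_OUTPUT = """Name
Dhcp
Spooler

"""

_SC_NAME = re.compile(r"^\s*SERVICE_NAME:\s*(.+?)\s*$", re.IGNORECASE)


def parse_sc_query(text):
    """Service names from `sc query` output (SERVICE_NAME: lines only)."""
    names = set()
    for line in text.splitlines():
        m = _SC_NAME.match(line)
        if m:
            names.add(m.group(1).lower())
    return names


def parse_wmic_names(text):
    """Service names from `wmic service get name`: skip the header and blanks."""
    rows = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if rows and rows[0].lower() == "name":
        rows = rows[1:]
    return {r.lower() for r in rows}


def cross_view_diff(user_view, kernel_view):
    """Return the names that only one enumeration reports.

    'hidden' is what the lower-level view sees but the higher-level one does not,
    the signature of a rootkit filtering the API most tools rely on. 'extra' is the
    opposite case and usually means the two listings were taken at different times.
    """
    return {
        "hidden": sorted(kernel_view - user_view),
        "extra": sorted(user_view - kernel_view),
    }


def hidden_services(sc_text, wmic_text):
    """Convenience wrapper over the two parsers and the diff."""
    return cross_view_diff(parse_wmic_names(wmic_text), parse_sc_query(sc_text))["hidden"]


if __name__ == "__main__":
    for name in hidden_services(SC_QUERY_OUTPUT, WMIC_OUTPUT):
        print(f"service visible to SCM but not to WMI: {name}")
```

Take both listings within a few seconds of each other, since a service that starts or stops between the two snapshots shows up as a difference that has nothing to do with rootkits.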

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<


DiamondCS ProcessGuard also needs mentioning..

While not a specific trojan scanner, it will prevent the installation of trojans, rootkits and rogue applications, and stop them from disabling your security software.

DiamondCS ProcessGuard protects Windows processes from attacks by other processes, services, drivers, and other forms of executing code on your system. ProcessGuard also stops applications from executing without the user's consent, stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. ProcessGuard even stops most keyloggers and leaktests, and is recognised by many to be the most comprehensive anti-rootkit solution available.


The new free version now allows the user to protect more than one application from termination ...

More info / Download from here :
http://www.diamondcs.com.au/processguard/

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

-----------------------------------------------------
- Free Tools that can help in Detecting Trojans:
-----------------------------------------------------

:: SysInternals Freeware ::

-Process Explorer-
-TcpView-
-Filemon-
-Portmon-
-Tdimon-

* yes, there's more... :wink:
http://www.sysinternals.com/
http://www.sysinternals.com/ntw2k/freeware...e/procexp.shtml

http://www.wilders.org/free_tools.htm


------------------------------------------------------------------------------------------------------

GFI TrojanScan :

Is your system infected by Trojans?

Trojan horses are a huge security threat.
A Trojan is a program that can easily enter your computer undetected,
giving the attacker who planted the Trojan unrestricted access to the
data stored on your computer.
Trojans can transmit credit card information and other confidential data in the background.
Trojans are often not caught by virus scanning engines, because these are focused on viruses, not Trojans.
Catching such threats would require the use of a Trojan scanner
(a.k.a Trojan cleaner, Trojan remover, anti-Trojan).

- http://www.trojanscan.com/


-----------------------------------------------------------------------------------------------------------------------

* For advanced users *

- Back Officer Download -

- http://www.nfr.com/resource/backOfficer.php

Free - Back Officer Friendly "honeypot" attracts and traps attackers
Known as a "honey pot" for its ability to attract and trap hackers,
Back Officer Friendly (BOF) is a popular free download available exclusively from NFR Security, Inc.

Back Officer Friendly was originally created to detect when anyone attempts a Back Orifice scan against your computer.
It has since evolved to detect attempted connections to other services, such as Telnet, FTP, SMTP, POP3 and IMAP2.

When BOF receives a connection to one of these services,
it will fake replies to the hopeful hacker, wasting the attacker's time,
and giving you time to stop them from other mischief.

You will need to fill in a form and a link will be sent to you via email to download the program.


==========================================

One of the best task managers available:

- http://www.wilderssecurity.com/wintaskspro.html
- http://www.liutilities.com/products/wintas...epapers/paper6/


Permanently removing trojans:
Using WinTasks 4 Professional it is possible to prevent trojans processes from loading the next time you reboot.
To do this, you simply open the autostart window in WinTasks and select the trojan executable.

By disabling the trojan from this window it will be removed from the registry autostart sections and will not be started the next time you reboot your system.

You can either temporarily disable the trojan, to find out whether you have disabled the right program, or you can permanently remove it from the registry.

In WinTasks 4 Professional there are also a number of other features like scripting and cpu usage logs that can be used to detect and remove unwanted processes and to increase overall system security.


Sysinternals ProcessExplorer can also be used as a replacement task manager, especially handy if the Windows task manager is hijacked or damaged.

You can still remove it all yourself without buying anything really, you just have to know what you're doing, and know what to dig out and where to dig it out from.

Programs such as these can make removal a bit easier :D

======================================
----------------------------------------------------------------------------------------------------------------------------
======================================

The following example is the results of an old browser hijack, one of my first, which also installed a SubSeven trojan, recorded in early 2003, which was blocked by Outpost and later killed. Winpatrol detected it attempting to install itself into the auto run registry key.

-two .exe files were created upon infection:

- msrexe.exe and msdos.exe :

--------------------------------------------

C:\WINDOWS\System32\msrexe.exe
C:\Msdos.exe

Default trojan filename: RAT.AlexMessoMalex

UPX0 2576384 UXRW 00000000
UPX1 32768 DXRW bd57383b
UPX2 4096 DRW 273d1722

RegEnumKeyA
ExitProcess
GetProcAddress
LoadLibraryA
PostQuitMessage
Ordinal 115

--------------------------------------------------------------

Outbound connection was blocked by using Outpost Firewall Pro V1 in block most mode, which denied the trojan access to the internet since there were no rules allowing it.... aren't they smart.. :thumb: B)

66.150.0.159-ortv098.hypermart.net#(bo.trojanhorse-03)
66.150.0.0-66.150.3.255,InfoSpace-Go2net#(trojan-f**kers-03)


Block All Activity MSREXE.EXE TCP 2271 n/a Unknown 0*/00/2003 1:36:30 AM ortv098.hypermart.net *.*.*.*

Block All Activity MSREXE.EXE TCP 1278 n/a Unknown 0*/00/2003 11:30:30 PM ortv098.hypermart.net *.*.*.*

Block All Activity MSREXE.EXE TCP 1294 n/a Unknown 0*/00/2003 4:36:30 PM ortv098.hypermart.net *.*.*.*

Block All Activity MSREXE.EXE TCP 1202 n/a Unknown 0*/00/2003 4:21:30 PM ortv098.hypermart.net *.*.*.*


It was running for a little while, I was a bit too busy with other things to take care of it :D

----------------------------------------------------------------------------------------------------------------------


Ok, the fact is every AntiVirus company likes to use a different name from their competition just because they can :P , it's a competition after all and the majority are in business for themselves to make money, not to make it easy for people.

Luckily there are companies, however, that do provide an enormous amount of research and support for people, not just for their customers.

However, you can get very confusing information when the same Trojan or Virus has six different aliases :roll: , and it's the user's problem to try and work it all out, not any of the companies'.


So this is Symantec's version of the trojan name.. because I used NAV* at that time .. [ *Norton Antivirus ] [ since then I have switched to Kaspersky personal, which I am very happy with ]


alias:
Backdoor.Jeem

From sysinternals process explorer :
\BaseNamedObjects\Jeem.p


Modules used by the process msrexe.exe running on the computer KonTr0L, using Wintasks Pro:

Name            Executable

ADVAPI32.dll C:\WINDOWS\system32\ADVAPI32.dll
apitrap.dll C:\WINDOWS\System32\apitrap.dll
DNSAPI.dll C:\WINDOWS\System32\DNSAPI.dll
GDI32.dll C:\WINDOWS\system32\GDI32.dll
iphlpapi.dll C:\WINDOWS\System32\iphlpapi.dll
kernel32.dll C:\WINDOWS\system32\kernel32.dll
msvcrt.dll C:\WINDOWS\system32\msvcrt.dll
mswsock.dll C:\WINDOWS\system32\mswsock.dll
ntdll.dll C:\WINDOWS\System32\ntdll.dll
psapi.dll C:\WINDOWS\System32\psapi.dll
rasadhlp.dll C:\WINDOWS\System32\rasadhlp.dll
RPCRT4.dll C:\WINDOWS\system32\RPCRT4.dll
USER32.dll C:\WINDOWS\system32\USER32.dll
winrnr.dll C:\WINDOWS\System32\winrnr.dll
WLDAP32.dll C:\WINDOWS\system32\WLDAP32.dll
WS2_32.dll C:\WINDOWS\System32\WS2_32.dll
WS2HELP.dll C:\WINDOWS\System32\WS2HELP.dll
wshtcpip.dll C:\WINDOWS\System32\wshtcpip.dll
WSOCK32.dll C:\WINDOWS\System32\WSOCK32.dll


----------------------------------------------------------------------------------

SubSeven v2.1

Msrexe.exe

SubSeven v2.1 can use four different methods to load itself.
It can use one or more of the methods mentioned below.

To remove it, check all the alternatives below:

Open c:\windows\win.ini and look for the lines: run=MSREXE.exe load=MSREXE.exe
Delete 'MSREXE.exe' from these lines.
Open c:\windows\system.ini.
Replace the line: shell = Explorer.exe MSREXE.exe with shell = Explorer.exe
Run regedit.exe
Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Delete any keys with the value 'MSREXE.exe'
Run regedit.exe
Go to
HKEY_CLASSES_ROOT\exefile\shell\open\command
If the trojan uses this method to load itself, the value in this key will typically be "WINDOS \"%1\" %*"
Replace this value with "\"%1\" %*" (by simply removing WINDOS from the beginning of the line.)

By using this method, the SubSeven trojan will be loaded into memory every time any .exe file is loaded.

A side effect of this is, if you delete the trojan (i.e. WINDOS.exe), Windows will not be able to run any .exe program.
Reboot the computer and delete all infected files.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
---------------------------------------------------------------------

Alternate Data Streams:

---------------------------------------------------------------------
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


NTFS has alternate data streams, which means that information can be hidden on your HDD without your knowledge or permission.

One way to use alternate data streams is to put a trojan horse on your computer and hide it in an alternate data stream.

This could be a serious security issue.

The only way to find out what alternate data streams there are is to download and use programs like TDS-3, S-Find, ADS Spy and others..


Why is ADS a security risk?


The primary reason why ADS is a security risk is because streams are almost completely hidden and represent possibly the closest thing to a perfect hiding spot on a file system - something trojans can and will take advantage of.

Streams can easily be created/written to/read from, allowing any trojan or virus author to take advantage of a hidden file area.
But while streams can easily be used, they can only be detected with specialist software.

Programs such as Explorer can view normal parent files, but they can't see streams linked to such files, nor can they determine how much disk space is being used by streams.

Because ADS is virtually unknown to many developers,
there are very few security programs available that are ADS-aware.

As such, if a virus implants itself into an ADS stream,
your anti-virus software will probably not be able to detect it.

In addition, streams cannot be deleted - to delete a stream you must delete its parent.

Streams are of particular importance to law enforcement agencies as important data
can sometimes be hidden in these covert file system channels.

Why does NTFS support streams?

The main (but not only) reason is for Macintosh file support.
Files stored on the Macintosh file system consist of two parts (known as forks) - one data fork, and one resource fork. Windows relies on the extension of the file (e.g. ".exe") in order to determine which program should be associated with that file.
Macintosh files use the resource fork to do this.
NT stores Macintosh resource forks in a hidden NTFS stream,
with the data fork becoming the main parent file to the stream.

ADS has other uses.

As just one example, you could store a thumbnail image of a picture in a stream and even an audio track,
allowing a single file to have several multimedia components.
Some anti-virus programs store checksums in a stream under every file on your disk.


More info on Alternate Data Streams :

http://www.bleepingcomputer.com/forums/ind...showtutorial=25
http://www.windowsecurity.com/articles/Alt...ta_Streams.html
http://www.diamondcs.com.au/index.php?page...id=ntfs-streams

ADS scanning Programs :

TDS-3 - http://tds.diamondcs.com.au
Lads - http://www.heysoft.de/Frames/f_sw_la_en.htm
CrucialADS - http://www.crucialsecurity.com/downloads.html

--

ADS Spy

Freeware
Operating System: XP/2000/2003/NT

http://www.bleepingcomputer.com/files/adsspy.php

ADS Spy is a tool used to list, view or delete Alternate Data Streams (ADS) on Windows 2000/XP with NTFS file systems.

ADS is a way of storing meta-information for files without actually storing the information in the file it belongs to, carried over from early MacOS compatibility from Windows NT4.

Recently browser hijackers began using this technique to store hidden information on the system, and even store trojan executable files in ADS streams of random files on the system. Use with caution.

---

You can get Foundstone's S-FIND from:
http://www.foundstone.com/knowledge/prodde...ic-toolkit.html

----------------------------------------------------------------------------------------------------
2 b cont.. :wink: :arrow:
----------------------------------------------------------------------------------------------------
Last edited by TeMerc on Sun Mar 05, 2006 10:57 am, edited 2 times in total.
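The four SubSeven load points listed in the guide (win.ini run=/load=, system.ini shell=, the Run/RunServices keys and the exefile handler) can be checked in one pass. This is an added, read-only audit script, not part of Moore's guide; it assumes Windows PowerShell run from an elevated prompt and reports anything that deviates from a clean default.

```powershell
# Added example, not part of Moore's guide: a read-only audit of the four load points
# the SubSeven section lists. Run it in an elevated Windows PowerShell prompt; it
# reports deviations from a clean default and changes nothing.

$findings = @()

# 1. win.ini: the run= and load= lines in [windows] should be empty on a clean system.
$winIni = Join-Path $env:windir 'win.ini'
if (Test-Path $winIni) {
    Get-Content $winIni | ForEach-Object {
        if ($_ -match '^\s*(run|load)\s*=\s*\S') { $findings += "win.ini: $($_.Trim())" }
    }
}

# 2. system.ini: shell= should be exactly Explorer.exe with nothing appended.
$sysIni = Join-Path $env:windir 'system.ini'
if (Test-Path $sysIni) {
    Get-Content $sysIni | ForEach-Object {
        if ($_ -match '^\s*shell\s*=\s*(.+)$' -and $Matches[1].Trim() -ine 'Explorer.exe') {
            $findings += "system.ini: $($_.Trim())"
        }
    }
}

# 3. Run / RunServices: list every value. Legitimate software lives here too, so the
#    guide's indicator (MSREXE.exe) is flagged and the rest is left for you to review.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata members
        $flag = if ("$($p.Value)" -match 'MSREXE') { '  <-- SubSeven indicator from the guide' } else { '' }
        $findings += "$key : $($p.Name) = $($p.Value)$flag"
    }
}

# 4. exefile handler: the clean default is "%1" %*; any prefix (the guide shows WINDOS)
#    means something else runs before every .exe you launch.
$cmd = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
if ($cmd -ne '"%1" %*') { $findings += "HKCR\exefile\shell\open\command = $cmd" }

if ($findings.Count -eq 0) { 'No deviations found at the four SubSeven load points.' } else { $findings }
```

Run keys on a normal system will list legitimate entries; the script only highlights the guide's own indicator and leaves the rest for manual review.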
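The ADS section explains that Explorer cannot see named streams and that an executable can be parked in one. This added example (not from the guide or from any of the tools it lists) enumerates streams with the built-in file system provider, flags any stream that begins with a PE 'MZ' header, and demonstrates on a constructed file under %TEMP%; it assumes Windows PowerShell 5.1 on an NTFS volume.

```powershell
# Added example, not part of Moore's guide: enumerate alternate data streams below a
# folder and flag any stream whose first two bytes are 'MZ', i.e. a Windows executable
# parked behind an innocent-looking parent file. Windows PowerShell 5.1, NTFS volume.

function Find-HiddenStreams {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_.FullName
        # Every file has the unnamed ':$DATA' stream; only named streams can hide anything.
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $head = @(Get-Content -LiteralPath $file -Stream $_.Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
                if ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) {
                    $note = 'EXECUTABLE (MZ header)'
                } elseif ($_.Stream -eq 'Zone.Identifier') {
                    $note = 'download marker (benign)'   # written by browsers, not a hiding spot
                } else {
                    $note = 'named stream, inspect'
                }
                [pscustomobject]@{ File = $file; Stream = $_.Stream; Bytes = $_.Length; Note = $note }
            }
    }
}

# Constructed demonstration: hide a string that merely starts with 'MZ' behind a harmless
# text file, scan, then remove only the stream (the parent file is left intact).
$demoDir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoFile = Join-Path $demoDir 'notes.txt'
Set-Content -LiteralPath $demoFile -Value 'harmless parent file'
Set-Content -LiteralPath $demoFile -Stream 'hidden.exe' -Value 'MZ-marker-only-not-a-program' -NoNewline
Find-HiddenStreams -Root $demoDir | Format-Table -AutoSize
Remove-Item -LiteralPath $demoFile -Stream 'hidden.exe'
```

On PowerShell 7 replace `-Encoding Byte` with `-AsByteStream`; everything else is unchanged.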

turtledove
Countermeasures Team
Countermeasures Team
Posts: 86
Joined: Wed Feb 08, 2006 9:36 pm
Gender: Female
Area Of Expertise: Security
experience: I know the functions, OS settings, registry tweaks and more
PC time: Alot more than I should
Location: California
Contact:

Postby turtledove » Fri Feb 24, 2006 1:38 am

Thanks 8)
I'm keeping this info :D Bookmarked too ;)

JeanInMontana
Posts: 2570
Joined: Wed Feb 02, 2005 9:47 am
Gender: Female
experience: I know the functions, OS settings, registry tweaks and more
PC time: More than 4 hours a day
Location: South Central Montana USA
Contact:

Postby JeanInMontana » Fri Feb 24, 2006 12:38 pm

Wow! It's like the encyclopedia of Trojans....thanks Moore.

TeMerc
Site Admin
Site Admin
Posts: 15995
Joined: Fri Jan 28, 2005 5:16 pm
Area Of Expertise: Security
experience: I know the functions, OS settings, registry tweaks and more
PC time: What else is there in life?
Location: PHX, AZ
Contact:

Postby TeMerc » Fri Feb 24, 2006 12:57 pm

Moore just updated this earlier in the week, I'll need to edit it tonite.

TeMerc
Site Admin
Site Admin
Posts: 15995
Joined: Fri Jan 28, 2005 5:16 pm
Area Of Expertise: Security
experience: I know the functions, OS settings, registry tweaks and more
PC time: What else is there in life?
Location: PHX, AZ
Contact:

Postby TeMerc » Sat Mar 04, 2006 11:22 am

TeMerc wrote:Moore just updated this earlier in the week, I'll need to edit it tonite.

Done. Finally.

JeanInMontana
Posts: 2570
Joined: Wed Feb 02, 2005 9:47 am
Gender: Female
experience: I know the functions, OS settings, registry tweaks and more
PC time: More than 4 hours a day
Location: South Central Montana USA
Contact:

Postby JeanInMontana » Sat Mar 04, 2006 1:00 pm

Is the original article for members only? The link you posted is just to the portal is why I ask.

TeMerc
Site Admin
Site Admin
Posts: 15995
Joined: Fri Jan 28, 2005 5:16 pm
Area Of Expertise: Security
experience: I know the functions, OS settings, registry tweaks and more
PC time: What else is there in life?
Location: PHX, AZ
Contact:

Postby TeMerc » Sat Mar 04, 2006 1:34 pm

JeanInMontana wrote:Is the original article for members only? The link you posted is just to the portal is why I ask.

I suppose so, but the info here mirrors what's on Moore's site, so, unless you're feeling the urge to join there, you can read it all here.

Moore's site is more for advanced users, loads of malware and IP tracking, blocking and all of that. Lots of other good resources too tho.

JeanInMontana
Posts: 2570
Joined: Wed Feb 02, 2005 9:47 am
Gender: Female
experience: I know the functions, OS settings, registry tweaks and more
PC time: More than 4 hours a day
Location: South Central Montana USA
Contact:

Postby JeanInMontana » Sat Mar 04, 2006 1:39 pm

TeMerc wrote:
JeanInMontana wrote:Is the original article for members only? The link you posted is just to the portal is why I ask.

I suppose so, but the info here mirrors what's on Moore's site, so, unless you're feeling the urge to join there, you can read it all here.

Moore's site is more for advanced users, loads of malware and IP tracking, blocking and all of that. Lots of other good resources too tho.


Yes, very advanced, I took a peek. I was just going to bookmark the original and had no idea where to find it.

Moore
Countermeasures Team
Countermeasures Team
Posts: 21
Joined: Fri Feb 18, 2005 8:33 pm
Location: Somewhere
Contact:

Postby Moore » Thu Mar 09, 2006 10:05 am

Hi, glad you like the guide :D

It sure helps me to have it all in one place, then I don't have to go looking all over for some link that I remember seeing once but can never find again. :P

The guide section is open to everyone - I think it's important to share this kind of information around.

JeanInMontana
Posts: 2570
Joined: Wed Feb 02, 2005 9:47 am
Gender: Female
experience: I know the functions, OS settings, registry tweaks and more
PC time: More than 4 hours a day
Location: South Central Montana USA
Contact:

Postby JeanInMontana » Thu Mar 09, 2006 3:46 pm

~!+ Thanks Moore! I agree it is vital information. {]>