"Trojan Horses" (or Backdoors) have been in the news just recently, the term probably sounds familiar to you. But perhaps you’re not quite sure what a Trojan Horse is and what damage it is capable of doing to your system. Trojan Horses, of which there are now more than one thousand in circulation (including modifications and variants), are a relatively new and probably the most dangerous strain of viruses that have appeared in recent times.
The Meaning of its Name :
The name "Trojan Horse" derives itself from a page in Greek history when the Greeks had lain siege to the fortified city of Troy for over ten years. Their spy, a Greek called Sinon offered the Trojans a gift in the form of a wooden horse and convinced them that by accepting it, they would become invincible. The horse though was hollow and was occupied by a contingent of Greek soldiers. When they emerged in the dead of night and opened the city gates, the Greeks swarmed in, slaughtered its citizens and subsequently pillaged, burned and laid waste to the city.
How it Works :
In order to gain access to a user’s computer, the victim has to be induced to install the Trojan himself. The usual method is to offer a seemingly useful system enhancement or perhaps a free game that has the Trojan attached to it. By installing it, the user also installs the Trojan.
The most common sources of infection are as follows:
- Executing any files from suspicious or unknown sources.
- Opening an e-mail attachment from an unknown source.
- Allowing a "friend" access to your computer while you are away.
- By executing files received from any online activity client such as ICQ.
- Virtually every Trojan virus is comprised of two main parts. These are the called the "server" and the other, the "client". It is the server part that infects a user’s system.
Once infected, the computer becomes accessible to any remote user, usually referred to as a "cracker" or "intruder", that has the client part of the Trojan. That person can perform any action that the user can. For example, if the user keeps his credit card details on the computer, the intruder can steal that information. He may not necessarily make use of the credit card himself, but he can certainly sell the information to a third party who can then go on a spending spree at the user’s expense. The intruder can also steal passwords in order to gain access to restricted information or to password protected web sites as well.
In addition, the intruder can cause the system to reboot without warning, shutdown without warning, eject the CDROM tray, delete files, add files, make use of the user’s e-mail client, etc. etc. The possibilities are endless.
Problems Caused by it :
Let's suppose that you have already been infected. How do intruders attack and get a full control of your computer?
Practically every Trojan virus has two functional parts called the server and the client. The server part is the part of the program that infects a victim's computer. The client part is the one that allows a hacker to manipulate data on the infected machine.
Intruders scan the Internet for an infected user (technically speaking, an attacker sends request packets to all users of a specific Internet provider) using the client part of the virus. Once an infected computer has been found (the server part of the virus that is located on infected machine replies to client part's request) the attacker connects to that user's computer and creates a "link" between the two just like the one in an ordinary telephone conversation. Once that has happened (this procedure may only take a few seconds), the intruder will be able to get unrestricted access to the user's computer and can do anything he likes with it. The intruder becomes the master and the user the slave because short of disconnecting from the Internet, the user is helpless and has no means at his disposal to ward off an attack.
Intruders can monitor, administer and perform any action on your machine just as if they were sitting right in front of it.
A Trojan Horse works a bit like the backdoor to your house. If you leave it unlocked, anybody can come in and take whatever they want while you're not looking. The main difference with a backdoor installed on your computer is that anybody can come in and steal your data, delete your files or format your hard drive even if you are looking. There are no visible outward signs that anything untoward is happening other than perhaps unusual hard disk activity for no apparent reason.
Types of Trojans :
Each of the Trojan classes described next contains a variety of cracker's tools. Tauscan is capable of removing all of these classes if it detects them. To view the Trojans in each class, click on the Database button on the Tauscan toolbar.
Remote Access Trojans
These are the probably the most popular and very likely the most dangerous of the many Trojan classes currently available. It is these types that work in the server/client mode. The server part installs itself on the unsuspecting user's computer and the client remains on the attacker's system. Once an infected machine has been discovered, the intruder establishes a link between the two. He can subsequently perform any action the user can and more. For example, let's assume that the user has valuable data stored in a folder called "ABC" on his C: drive. In order to steal that data, all the intruder needs to do is to drag and drop the folder called ABC from the user's C: drive onto his own. It's as simple as that!
Mail Trojans
Another popular type of Trojan in hackers' circles is the mail Trojan. It works in server mode only and its main function is to record certain data such as the keystrokes the user enters when passwords are typed, the web sites he regularly visits and files in general. An infected machine will automatically send the information by e-mail to the attacker. These are very difficult to spot because the e-mail client is part of the Trojan itself.
FTP Trojans
This particular class of Trojan works in server mode only. It allows FTP access to an infected machine and can download or upload files at the intruder's whim.
Telnet Trojans
Telnet Trojans run in server mode only and allow an intruder to execute DOS commands on a remote machine.
Keylogger Trojans
These Trojans record the keystroke input on an infected machine and then stores the information in a special log file that the intruder can access in order to decipher passwords.
Fake Trojans
This type of Trojan uses fake dialog boxes and other bogus windows that purport to show that the user has attempted to perform an illegal operation. By displaying a dialog box, its sole purpose is to get the user to enter his user name and password. That information is then stored on file so that the intruder can use it at a later date.
Form Trojans
This is a Trojan that once installed ascertains the users personal data such as IP address, passwords and other personal data that he or she has stored on their system and then by connecting to the cracker's web page, submits the online form via HTTP. A cracker can then use the information gained whenever he wishes. The Trojan performs this function without any user intervention and without the user's knowledge. The user will not see any indication of the transmission such as pop-up windows that would indicate that this is taking place.
