Friday, April 16, 2010

Trojans

In the 12th century BC, Greece declared war on the city of Troy. The dispute erupted when the prince of Troy abducted the queen of Sparta and declared that he wanted to make her his wife. This naturally angered the Greeks (and especially the queen of Sparta). The Greeks besieged Troy for 10 years but met with no success, as Troy was very well fortified. In a last effort, the Greek army pretended to retreat and left behind a huge wooden horse. The people of Troy saw the horse and, thinking it was some kind of present from the Greeks, pulled it into their city, unaware that the hollow wooden horse had some of the best Greek soldiers sitting inside it.

Under the cover of night, the soldiers snuck out and opened the gates of the city, and later, together with the rest of the army, killed the entire army of Troy. Similar to the wooden horse, a Trojan horse program pretends to do one thing while actually doing something completely different.

Types of Trojans

The following are the most common types of Trojan horses:

Remote Administration Trojans (RATs)

These are the most popular Trojans. They let a hacker access the victim's hard disk and also perform many functions on his computer (shut down the computer, open and close the CD-ROM drive, etc.).

Modern RATs are very simple to use. They come packaged as two files: the server file and the client file. The hacker tricks someone into running the server file, learns the victim's IP address and gets full control over his computer. Some Trojans are limited in functionality, but more functions also mean a larger server file. Some Trojans are meant only as a first stage, used by the attacker to upload another Trojan to the target's computer and run it; hence they take very little disk space. Hackers also bind Trojans into other programs which appear to be legitimate, e.g. a RAT could be bound with an e-greeting card.

Most RATs are used for malicious purposes, to irritate, scare people or harm computers.

There are many programs that detect common Trojans. Firewalls and anti-virus software can be useful in tracing RATs.

Remote administration Trojans open a port on your computer and bind themselves to it (the server file listens for incoming connections and data on that port). Then, once someone runs his client program and enters the victim's IP address, the Trojan starts receiving commands from the attacker and runs them on the victim's computer. Some Trojans let the hacker change this port to any other port and also set a password, so that only the person who infected the specific computer will be able to use the Trojan. In some cases the creator of the Trojan also puts a backdoor within the server file itself, so he can access any computer running his Trojan without needing to enter a password. This is called "a backdoor within a backdoor". The most popular Windows RATs are NetBus, BO and Sub7.
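The server described above has to bind and listen before the client can reach it, so a listening socket owned by an unexpected process is the defender's first clue. The following is an added example, not code from the original post: it scans a constructed `netstat -ano`-style listing and a constructed PID-to-image map, flags every listener that is not on an (assumed) allow-list, and names the historical default ports of the RATs mentioned in the post (NetBus 12345/TCP, Back Orifice 31337/UDP, Sub7 27374/TCP).

```python
import re

# Historical default ports of the RATs named in the post. Since an attacker can
# change the port, the allow-list below does the real work; this only adds a name.
KNOWN_RAT_PORTS = {12345: "NetBus", 31337: "Back Orifice", 27374: "Sub7"}

# (image name, port) pairs expected to listen on this hypothetical workstation.
EXPECTED_LISTENERS = {("svchost.exe", 135), ("System", 137), ("System", 139), ("System", 445)}

# Constructed sample in the shape of `netstat -ano` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.7:1052       198.51.100.9:80        ESTABLISHED     2288
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:31337          *:*                                    1336
"""
# Constructed PID-to-image map, as `tasklist` would report it.
SAMPLE_PROCESSES = {812: "svchost.exe", 4: "System", 1204: "patch.exe",
                    2288: "iexplore.exe", 1336: "systray.exe"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_listeners(netstat_text):
    """Return (proto, port, pid) for every socket that accepts inbound data."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unrecognised row
        proto, port, state, pid = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if proto == "TCP" and state != "LISTENING":
            continue  # an established outbound TCP socket is not a server
        listeners.append((proto, port, pid))  # UDP sockets are always bound
    return listeners


def find_suspicious_listeners(netstat_text, processes):
    """Flag every listener whose (image, port) pair is not on the allow-list."""
    findings = []
    for proto, port, pid in parse_listeners(netstat_text):
        image = processes.get(pid, "<unknown>")
        if (image, port) in EXPECTED_LISTENERS:
            continue
        name = KNOWN_RAT_PORTS.get(port)
        reason = f"default port of {name}" if name else "unexpected listener"
        findings.append((proto, port, image, reason))
    return findings
```

On the sample data this reports the `patch.exe` listener on 12345/TCP and the `systray.exe` listener on 31337/UDP, while the legitimate RPC and NetBIOS/SMB listeners are passed over.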

Password Trojans

Password Trojans search the victim's computer for passwords and then send them to the attacker or the author of the Trojan. Whether it's an Internet password or an email password, there is a Trojan for every password. These Trojans usually send the information back to the attacker via email.

Privileges-Elevating Trojans

These Trojans are usually used to fool system administrators. They can either be bound into a common system utility or pretend to be something harmless and even quite useful and appealing. Once the administrator runs it, the Trojan gives the attacker more privileges on the system. These Trojans can also be sent to less-privileged users and give the attacker access to their accounts.

Key loggers

These Trojans are very simple. They log all of the victim's keystrokes (including passwords) and then either save them to a file or email them to the attacker once in a while. Key loggers usually don't take much disk space and can masquerade as important utilities, thus making them very hard to detect.

Destructive Trojans

These Trojans can destroy the victim's entire hard drive, or encrypt or simply scramble important files. Some might seem like joke programs while they are actually ripping every file they encounter to pieces.

Joke Programs

Joke programs are not harmful. They can pretend to be formatting your hard drive, sending all of your passwords to some hacker, self-destructing your computer, turning in all information about illegal and pirated software you might have on your computer to the police (or to Privacy Watch!), etc. In reality these programs do not do anything.

Some common Trojans

Back Orifice (BO)

This Trojan was developed by a community of hackers known as "Cult of the Dead Cow" (www.cultdeadcow.com). This Trojan can be downloaded from www.BO2K.com and numerous other websites. (Note: the websites keep changing and it is best to use a powerful search engine like www.Google.com to search for the program.)

Back Orifice consists of two parts, a client application and a server application (approximately 122 KB). The client application, running on the hacker's computer, can be used to monitor and control the victim's computer (which runs the server application). The hacker can do the following activities on the victim's computer:

i. Run any program or see any file
ii. Keep a record of all the keys punched on the keyboard
iii. Shutdown or restart the victim's computer
iv. Transfer files to or from the victim computer

The hacker could be in Australia and the victim in China, but still the hacker can do all the above activities on the victim's computer! The following are the main characteristics of BO:

i. BO can only be used on victim computers that are running the Windows 95 or Windows 98 operating systems.
ii. The server part of the program has to be installed on the victim computer. The victim is usually fooled into installing the server part by sending him the Trojan fused with another program (e.g. an electronic Diwali card fused with the Trojan program).
iii. The hacker needs to know the IP address of the victim computer.
iv. If the victim computer is behind a firewall, then BO will not work.

NetBus

NetBus was developed by a Swedish citizen named Carl-Fredrik Neikter who claimed that he developed it "purely for fun". Netbus can be downloaded from hundreds of websites. It is best to use Google.com to search for the program. Netbus allows the hacker to do numerous activities on the victim's computer. Some of these are:

i. Open/close the CD-ROM once or in intervals (specified in seconds).
ii. Swap mouse buttons: the right mouse button works like the left mouse button and vice versa.
iii. Start any program.
iv. Play any sound file (it supports only WAV files).
v. Point the mouse to some other place. The hacker can navigate the victim's mouse with his own.
vi. Show a message dialogue on the screen. The answer is sent back to the hacker. The hacker can ask for the password and the victim would enter it!
vii. Shut down or log off the victim.
viii. Open any website.
ix. Type anything in the program that the victim is using.
x. Obtain a list of all the keys on the keyboard that the victim is punching.
xi. Get an image of the screen (called a screen dump).
xii. Get information about the victim computer.
xiii. Upload any file to the victim computer. Using this feature the hacker can upload any virus or Trojan, or update the NetBus Trojan itself.
xiv. Increase and decrease the sound volume.
xv. Record sounds that the microphone can catch. The sound is sent to the hacker.
xvi. Make click sounds every time a key is pressed.
xvii. Download and delete any file on the victim computer.
xviii. Disable keys on the victim keyboard.

The following are the main characteristics of Netbus:

i. Once it is installed on the victim computer, it runs every time the computer is started.
ii. NetBus can be used on victim computers that are running the Windows 95, Windows 98 or Windows NT operating systems.

NetBus 2 Pro

NetBus 2 Pro is the "legitimate" version of NetBus. It affects computers running the Windows 95, 98 and NT operating systems. The "server" portion (named "NBSvr.exe") is approximately 599 KB in size. Once installed NetBus is run every time the computer is started.

Deep Throat v 2

Deep Throat was developed by a person called ^Cold^ KiLler, CEO of DarkLIGHT Corp. Deep Throat v 2 affects computers running the Windows 95 / 98 operating systems. The Trojan deletes the existing "systray.exe" file of the victim computer (which is normally 36 KB in size) and replaces it with the "server" portion of the Trojan (which is approximately 301 KB in size). Once installed, it is run every time the computer is started. Among other things, Deep Throat allows the hacker to open/close the CD-ROM tray of the victim's computer, restart the victim computer, get a screen dump, and start an FTP Server on Port 21 of the victim
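Deep Throat's habit of overwriting a system file with a much larger server is exactly what a file-integrity baseline catches. The following is an added example, not code from the original post: the "system directory" is a constructed in-memory dictionary of file contents (sizes taken from the post: a 36 KB systray.exe replaced by a ~301 KB server, plus a 599 KB NBSvr.exe from the NetBus 2 Pro section), and the baseline records size and SHA-256 of each file from a known-clean snapshot.

```python
import hashlib

KB = 1024


def fingerprint(data):
    """Size and SHA-256 of a file's contents; size alone is only a cheap first check."""
    return len(data), hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """Record (size, digest) per file from a known-clean system directory."""
    return {name: fingerprint(data) for name, data in files.items()}


def check_against_baseline(baseline, files):
    """Return (file, reason) pairs for every deviation from the baseline."""
    findings = []
    for name, (size, digest) in baseline.items():
        if name not in files:
            findings.append((name, "missing"))
            continue
        cur_size, cur_digest = fingerprint(files[name])
        if cur_digest == digest:
            continue  # unchanged
        if cur_size != size:
            findings.append((name, f"size changed {size} -> {cur_size} bytes"))
        else:
            # A size-only check would miss this case; the hash does not.
            findings.append((name, "contents changed, same size"))
    for name in sorted(files.keys() - baseline.keys()):
        findings.append((name, "not in baseline"))
    return findings


# Constructed stand-ins for a system directory: a clean snapshot, then the
# state the post describes after infection. "MZ" marks a PE-style header.
CLEAN_FILES = {
    "systray.exe": bytes(36 * KB),
    "explorer.exe": b"MZ" + bytes(200 * KB),
    "notepad.exe": b"MZ" + bytes(50 * KB),
}
INFECTED_FILES = dict(CLEAN_FILES)
INFECTED_FILES["systray.exe"] = b"MZ" + bytes(301 * KB - 2)   # Deep Throat server, ~301 KB
INFECTED_FILES["nbsvr.exe"] = bytes(599 * KB)                   # NetBus 2 Pro server, new file
INFECTED_FILES["notepad.exe"] = b"MZ\x01" + bytes(50 * KB - 1)  # same size, one byte differs

BASELINE = build_baseline(CLEAN_FILES)
```

Running `check_against_baseline(BASELINE, INFECTED_FILES)` reports the grown systray.exe, the same-size tamper of notepad.exe, and the new nbsvr.exe, while the clean snapshot produces no findings.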
