- What is a trojan?
- Why the name "trojan horse"?
- Remote Administration Trojans
- How RATs work
- Using RATs for legitimate purposes
- Password Trojans
- Priviledges-Elevating Trojans
- Destructive Trojans
- Joke Programs
- Protecting Yourself Against Trojans
What is a trojan?
A trojan horse could be either:
a) Unauthorized instructions contained within a legitimate program. These instrcutions
perform functions unknown to (and probably unwanted by) the user.
b) A legitimate program that has been altered by the placement of anauthorized
instructions within it. These instructions perform functions unknown to (and
probably unwanted by) the user.
c) Any program that appears to perform a desirable and necessary function but
that (because of unauthorized instructions within it) performs functions unknown
to (and probably unwanted by) the user.
Under a restricted environment (a restricted Unix shell or a restricted Windows
NT computer), malicious trojans can"t do much, since they are restricted in
their actions. But on a home PC, trojans can be lethal and quite destructive.
Why the name "trojan horse"?
In the 12th century B.C., Greece declared war on the city of Troy. The dispute
erupted when the prince of Troy abducted the queen of Sparta and declared that
he wanted to make her his wife, which made the Greeks and especially the queen
of Sparta quite furious.
The Greeks gave chase and engaged Troy in a 10-year war, but unfortunately for
them, all of their efforts went down the drain. Troy was simply too well fortified.
In a last effort, the Greek army pretended to be retreating, leaving behind
a hude wooden horse. The people of Troy saw the horse, and, thinking it was
some kind of a present from the Greeks, pulled the horse into their city, without
knowing that the finest soldiers of Greece were sitting inside it, since the
horse was hollow.
Under the cover of night, the soldiers snuck out and opened the gates of the
city, and later, together with the rest of the army, killed the entire army
This is why such a program is called a trojan horse - it pretends to do something
while it does something completely different, or does what it is supposed to
be and hides it"s malicious actions from the user"s prying eyes.
During the rest of this text, we will explain about the most common types of
Remote Administration Trojans
These trojans are the most popular trojans now. Everyone wants to have them
trojan because they let you have access to your victim"s hard drive, and also
perform many functions on his computer (open and close his CD-ROM drive, put
message boxes on his computer etc"), which will scare off most computer users
and are also a hell lot of fun to run on your friends or enemies.
Modern RAT"S (remote administration trojans) are very simple to use. They come
packaged with two files - the server file and the client file (if you don"t
know which is which, look for a help file, a FAQ, a readme or instructions on
the trojan"s homepage). Just fool someone into runnig the server file and get
his IP and you have FULL control over his/her computer (some trojans are limited
by their functions, but more functions also mean larger server files. Some trojans
are merely ment for the attacker to use them to upload another trojan to his
target"s computer and run it, hence they take very little disk space). You can
also bind trojans into other programs which appear to be legitimate.
RAT"S have the common remote access trojan functions like:
keylogging (logging the target"s keystrokes (keyboard functions) and sometimes
even interfering with them, thus being able to use your keyboard to type instead
of the target and say weird things in chatrooms or scare the hell out of people),
upload and download function, make a screenshot of the target"s monitor and
Some people use the trojans for malicious purposes. They either use them to
irritate, scare or harm their enemies, scare the hell out of their friends or
enemies and seem like a "super hacker" to them, getting information about people
and spying on them or just get into people"s computers and delete stuff. This
is considered very lame.
There are many programs out there that detects the most common trojans (such
as Nemesis at blacksun.box.sk, which also detects people trying to access your
computer), but new trojans are released every day and it"s pretty hard to keep
track of things.
Trojans would usually want to automatically start whenever you boot-up your
computer. If you use Windows, you can get b00tm0n from blacksun.box.sk (note:
at the time this tutrial was released, b00tm0n was not ready yet, but it should
be ready some time before year 2,000, so if you"re reading this after Y2K, b00tm0n
should probably be available at blacksun.box.sk). Under Unix, we suggest getting
some sort of an IDS (Intrusion Detection System) programs to monitor your system.
Most Windows trojans hide from the Alt+Ctrl+Del menu (we havn"t seen any Unix
program that had the ability to hide itself from the processes list yet, but
you can never know - one day someone might discover a way to do so. Hell, someone
might have already did). This is bad because there are people who use the task
list to see which process are running. There are programs that will tell me
you exactly what processes are running on your computer (such as Wintop, which
is the Windows version of the popular Unix program called top). Some trojans,
however, use fake names and it"s a little harder for certain people to realize
that they are infected.
Also, some trojans might simply open an FTP server on your computer (usually
NOT on port 21, the default FTP port, in order to be less noticable). The FTP
server is, of course, unpassworded, or has a password which the attacker has
determined, and allows the attacker to download, upload and execute files quickly
How RATs work
Remote administration trojans open a port on your computer and bind themselves
to it (make the server file listen to incoming connections and data going through
these ports). Then, once someone runs his client program and enters the victim"s
IP, the trojan starts receiving commands from the attacker and runs them on
the victim"s computer.
Some trojans let you change this port into any other port and also put a password
so only the person that infect this specific computer will be able to use the
trojan. However, some of these password protections can be cracked due to bugs
in the trojan (people who program RATs usually don"t have much knowledge in
the field of programming), and in some cases the creator of the trojan would
also put a backdoor (which can be sometimes detected, under certain conditions)
within the server file itself so he"ll be able to access any computer running
his trojan without the need to enter a password. This is called "a backdoor
within a backdoor".
The most popular RATs are Netbus (because of it"s simplicity), BO (has many
functions and hides itself pretty good) and Sub7 (lots of functions and easy
to use). These are all Windows RATs.
If you havn"t done so already, it is advised to get some RAT and play around
with it, just to see how the whole thing works.
Using RATs for legitimate purposes
Some people use RATs to remotely administer computers they are allowed to have
access to. This is all good and fine, but anyway, you should always be careful
while working with RATs. Make sure you have legal access and the right to remotely
administer a computer before using a RAT on it.
Yes, password trojans. Password trojans scour your computer for password and
then send them to the attacker or the author of the trojan. Whether it"s your
Internet password, your Hotmail password, your ICQ password or your IRC passwords,
there is a trojan for every passsword. These trojans usually send the information
back to the attacker via Email.
These trojans would usually be used to fool system administrators. They can
either be binded into a common system utility or pretend to be something unharmful
and even quite useful and appealing. Once the administrator runs it, the trojan
will give the attacker more priviledges on the system. These trojans can also
be sent to less-priviledges users and give the attacker access to their account.
These trojans are very simple. They log all of your keystrokes (including passwords),
and then either save them on a file or Email them to the attacker once in a
Keyloggers usually don"t take much disk space and can masquerade as important
utilities, thus making them very hard to detect. Some keyloggers can also highlight
passwords found in text boxes with titles such as "enter password" or just the
word password somewhere within the title text.
These little fellows do nothing but damaging your computer. These trojans can
destroy your entire hard drive, encrypt or just scramble important files and
basically make you feel very unpleasent. I wouldn"t want to bump into one in
a dark alley.
Some might seem like joke programs, while they are actually tearing every file
they encounter to pieces.
Joke programs are nice, cute and unharmful. They can either pretend to be formatting
your hard drive, sending all of your passwords to some evil cracker, self-destructing
your computer, turning in all information about illegal and pirated software
you might have on your computer to the FBI etc". They are certainly no reason
to worry about (except if you work in tech support, since unexperienced computer
users tend to get scared off pretty easily by joke programs.
Protecting Yourself Against Trojans
If you are working on your PC, DO NOT work as root! If you run a trojan as root,
you can endanger your entire system! The whole point in multi-users on a single-user
system is limiting yourself in such cases (or in case you want to prevent yourself
from doing anything stupid). Switch to root only when you NEED root, and when
you know what you"re running. Also, remember that even if you"re working on
a restricted environment, you still put the passwords and files you still have
access to to risk. Also, if someone has a keylogger on your system, and you
type in some passwords (especially the root password), they will be logged!
Also, DO NOT download any files from untrusted sources (small websites, underground
websites, Usenet newsgroups, IRC etc"), even if it comes in the form of source
Windows is a whole lot different in this aspect. Limiting yourself under Windows
is quite an annoyance. It is almost impossible to work like that, in comparison
Also, make sure you don"t run any untrusted software. There are much more evil
Windows trojans for Windows than Unix, since people are more motivated to write
trojans for Unix (because of all the security Unix imposes). Also, when running
on a restricted Windows environment, you cannot just act like you"re so protected
and all. Remember that people can still steal passwords owned by the restricted
user, and also, some trojans can break into administrator priviledges and then
compromise your entire system, since Windows imposes such lame security.
Oh, and one last tip - you should try to download and use at least some of the
types of trojans listed above, so you could get to know them better and be able
to remove them in case you get infected.