

Saturday, May 2, 2009

Trojans and Backdoors - 4: Modes of Transmission

Modes of Transmission
  • ICQ

  • IRC

  • Attachments

  • Physical Access

  • Browser And E-mail Software Bugs

  • NetBIOS (File Sharing)

  • Fake Programs

  • Un-trusted Sites And Freeware Software

  • ICQ

    People can also get infected while chatting / talking / video messaging over ICQ or any other Instant Messenger Application. It is a risk that the user undertakes when it comes to receiving files no matter from whom or where it comes.

  • IRC

    Here also, the threat comes from exchange of files no matter what they claim to be or where they come from. It is possible that some of these are infected files or disguised files.

  • Attachments

    Any attachment, even if it is from a known source should be screened as it is possible that the source was infected earlier and is not aware of it.

  • Physical Access

    Physical access to a target machine is perhaps the easiest way for an attacker to infect a machine. The motive may be a prank or just plain curiosity.

  • Browser and E-mail Software Bugs

    Having outdated applications can expose the system to malicious programs such as Trojans without any other action on behalf of the attacker.

  • NetBIOS (File Sharing)

    If port 139 is open, the attacker can install a trojan .exe and modify a system file so that the trojan runs the next time the system is rebooted. To disable file sharing in Windows, go to: Start->Settings->Control Panel->Network->File and Print Sharing and uncheck the boxes there.

---Regards,
Amarjit Singh

Trojans and Backdoors - 3: Various Trojan Genres

Various Trojan Genre
  • Remote Access Trojans

  • Password Sending Trojans

  • Keyloggers

  • Destructive

  • Denial Of Service (DoS) Attack Trojans

  • Proxy/Wingate Trojans

  • FTP Trojans

  • Software Detection Killers

Remote Access Trojans

These are the Trojans usually referred to in the media, and they gain high visibility because they give the attacker more control over the victim's machine than the victim has while sitting in front of it. Most of these Trojans are a combination of the other variations discussed below.

Password Sending Trojans

These Trojans are directed towards extracting all the cached passwords, capturing other passwords entered by the victim, and e-mailing them to an attacker-specified mail address without the victim realizing it. The password harvest may include passwords for ICQ, IRC, FTP, HTTP or any other application that requires a user to enter a login and password. Most of them do not restart when Windows is loaded, as the objective is to gather as much information from the victim's machine as possible (passwords, mIRC logs, ICQ conversations) and mail it to the attacker.

Keyloggers

These Trojans log the keystrokes of the victim and then let the attacker search the log file for passwords or other sensitive data. They usually come with two recording modes, online and offline. As with the previous group, these Trojans can be configured to send the log file to a specific e-mail address on a regular basis.

Destructive

The only function of these Trojans is to destroy and delete files. They can deliberately delete core system files (for example: .dll, .ini or .exe files, possibly others) on the target machine. The Trojan is activated by the attacker or sometimes works like a logic bomb and starts on a specific day and at specific hour.

Denial of Service (DoS) Attack Trojans

These Trojans are used by attackers to issue a denial of service. A distributed denial of service may also be issued if the attacker has gathered enough victims. WinTrinoo is a DDoS tool that has become popular recently, and if the attacker has infected many ADSL users, major Internet sites could be shut down as a result.

Another variation of a DoS Trojan is the mail-bomb Trojan, whose main aim is to infect as many machines as possible and simultaneously attack specific e-mail address/addresses with random subjects and contents which cannot be filtered.

Proxy/Wingate Trojans

Underground sites are known to announce freely available proxy servers. These Trojans turn the victim's computer into a proxy/Wingate server available to the whole world or to the attacker only. It is used for anonymous Telnet, ICQ, IRC, etc., and also to register domains with stolen credit cards and for other illegal activities. This gives the attacker complete anonymity and the chance to do everything and point the trail to the victim.

FTP Trojans

These Trojans open port 21 (the port for FTP transfers) and let anybody, or just the attacker, connect to the machine. They may be password protected so that only the attacker is able to connect to the computer.

Software Detection Killers

Some Trojans have this functionality built in, but there are also separate programs that will kill Zone Alarm, Norton Anti-Virus and many other popular anti-virus/firewall programs that protect the target machine. Once these are disabled, the attacker has full access to the machine to perform illegal activity or to use the computer to attack others, and often disappears afterwards.

---Regards,
Amarjit Singh

Friday, May 1, 2009

Trojans and Backdoors - 2: Working of Trojans

  • Attacker gets access to the trojaned system as the system goes online

  • By way of the access provided by the trojan, the attacker can stage attacks of different types.

Trojans work similar to the client-server model. Trojans come in two parts, a Client part and a Server part. The attacker deploys the Client to connect to the Server, which runs on the remote machine when the remote user (unknowingly) executes the Trojan on the machine. The typical protocol used by most Trojans is the TCP/IP protocol, but some functions of the Trojans may make use of the UDP protocol as well.

When the Server is activated on the remote computer, it will usually try to remain in a stealth mode, or hidden on the computer. This is configurable - for example in the Back Orifice Trojan, the server can be configured to remain in stealth mode and hide its process. Once activated, the server starts listening on default or configured ports for incoming connections from the attacker. It is usual for Trojans to also modify the registry and/or use some other auto starting method.

To exploit a Trojan, attackers need to ascertain the remote IP address to connect to the machine. Many Trojans have configurable features like mailing the victim's IP, as well as messaging the attacker via ICQ or IRC. This is relevant when the remote machine is on a network with dynamically assigned IP address or when the remote machine uses a dial-up connection to connect to the Internet. DSL users on the other hand, have static IPs so the infected IP is always known to the attacker.

Most Trojans use auto-starting methods so that the server is restarted every time the remote machine reboots or starts. The attacker is notified of this as well. As these features are countered, new auto-starting methods keep evolving. Start-up methods range from associating the Trojan with a common executable such as explorer.exe to the well-known methods of modifying system files or the Windows Registry. Some of the popular system files and locations targeted by Trojans are the Autostart folder, Win.ini, System.ini, Wininit.ini and Winstart.bat; Autoexec.bat and Config.sys can also be used as auto-starting methods.
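The auto-start locations listed above are also the first places a defender checks when looking for a Trojan that survives a reboot. The following C program is an added example, not code from the original post: it parses constructed sample text standing in for Win.ini and System.ini (the contents are made up here), counts the run= and load= entries under [windows], and reports whether the [boot] shell= line is still the default explorer.exe. The function names and the sample contents are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample contents (made up for this example) of the Win.ini
 * [windows] section and the System.ini [boot] section, two of the
 * auto-start locations named in the post. */
static const char SAMPLE_WIN_INI[] =
    "[windows]\n"
    "load=\n"
    "run=C:\\WINDOWS\\svchost32.exe\n"
    "NullPort=None\n"
    "[fonts]\n"
    "run=ignored.exe\n";   /* run= outside [windows] is not an auto-start */

static const char SAMPLE_SYSTEM_INI[] =
    "[boot]\n"
    "shell=Explorer.exe C:\\TEMP\\patch.exe\n"
    "[386Enh]\n"
    "device=*vshare\n";

/* Case-insensitive comparison of the first n characters; stops early at NUL. */
static int ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
        if (a[i] == '\0') return 1;
    }
    return 1;
}

/* Copy the next line (without its newline) into buf and advance *p.
 * Returns 0 when a line was read, -1 at end of input. */
static int next_line(const char **p, char *buf, size_t buflen) {
    if (**p == '\0') return -1;
    size_t i = 0;
    while (**p != '\0' && **p != '\n') {
        if (i + 1 < buflen) buf[i++] = **p;
        (*p)++;
    }
    buf[i] = '\0';
    if (**p == '\n') (*p)++;
    return 0;
}

/* Is this line a "[section]" header naming the given section? */
static int is_section(const char *line, const char *section) {
    size_t n = strlen(section);
    return line[0] == '[' && ieq_n(line + 1, section, n) && line[n + 1] == ']';
}

/* Count "key=value" lines with a non-empty value inside [section].
 * count_autostart_entries(ini, "windows", "run") gives the number of
 * programs that file launches at every start of Windows. */
int count_autostart_entries(const char *ini, const char *section, const char *key) {
    char line[256];
    const char *p = ini;
    size_t keylen = strlen(key);
    int in_section = 0, count = 0;
    while (next_line(&p, line, sizeof line) == 0) {
        if (line[0] == '[') { in_section = is_section(line, section); continue; }
        if (!in_section || !ieq_n(line, key, keylen) || line[keylen] != '=') continue;
        const char *val = line + keylen + 1;
        while (isspace((unsigned char)*val)) val++;
        if (*val != '\0') count++;
    }
    return count;
}

/* Returns 1 when [boot] shell= is exactly the default explorer.exe,
 * 0 when anything else has been put there, -1 when the line is absent. */
int shell_is_default(const char *system_ini) {
    char line[256];
    const char *p = system_ini;
    int in_boot = 0;
    while (next_line(&p, line, sizeof line) == 0) {
        if (line[0] == '[') { in_boot = is_section(line, "boot"); continue; }
        if (!in_boot || !ieq_n(line, "shell=", 6)) continue;
        const char *val = line + 6;
        while (isspace((unsigned char)*val)) val++;
        return ieq_n(val, "explorer.exe", 12) && val[12] == '\0';
    }
    return -1;
}

int main(void) {
    printf("win.ini run= entries:  %d\n",
           count_autostart_entries(SAMPLE_WIN_INI, "windows", "run"));
    printf("win.ini load= entries: %d\n",
           count_autostart_entries(SAMPLE_WIN_INI, "windows", "load"));
    printf("system.ini shell= is default: %d\n", shell_is_default(SAMPLE_SYSTEM_INI));
    return 0;
}
```

In the sample, the run= line under [windows] and the extra program appended to shell= are exactly the kind of entries an auditor compares against a known-good baseline; the same comparison applies to the Registry Run keys and the Autostart folder, which this example does not read.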

---Regards,
Amarjit Singh

Thursday, April 30, 2009

Trojans and Backdoors - 1

We will begin with:

  • Terms of reference for various malicious code

  • Defining Trojans and Backdoors

  • Understanding the various backdoor genre

  • Overview of various Trojan tools

  • Learning effective prevention methods and countermeasures

  • Overview of Anti-Trojan software

  • Learning to generate a Trojan program

Trojans and Backdoors

A Trojan horse is:

  • An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user.

  • A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown (and probably unwanted) by the user.

  • Any program that appears to perform a desirable and necessary function but that (because of unauthorized code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user.

Trojan horses can do anything that the user who executes the program on the remote machine can. This includes deleting files, transmitting to the intruder any files that can be read, changing any files that can be modified, installing other programs (such as programs that provide unauthorized network access using the access the user is entitled to), and executing privilege-elevation attacks; that is, the Trojan horse can attempt to exploit a vulnerability to increase its level of access beyond that of the user running it. If this is successful, the Trojan horse can operate with the increased privileges and go about installing other malicious code.

If the user has administrative access to the operating system, the Trojan horse can do anything that an administrator can.

A compromise of any system on a network may have consequences for the other systems on the network. Particularly vulnerable are systems that transmit authentication material, such as passwords, over shared networks in clear text or in a trivially encrypted form, which is very common.

If a system on such a network is compromised via a Trojan (or another method), the intruder may be able to record usernames and passwords or other sensitive information as it navigates the network.

Additionally, a Trojan, depending on the actions it performs, may falsely implicate the remote system as the source of an attack by spoofing and thereby cause the remote system to incur liability.

---Regards,
Amarjit Singh

Monday, April 27, 2009

Buffer overflows

Buffer overflows
  • A buffer overrun is when a program allocates a block of memory of a certain length and then tries to stuff too much data into the buffer; the extra data overflows and overwrites possibly critical information crucial to the normal execution of the program. Consider the following source code:

        #include <stdio.h>

        int main()
        {
            char name[31];
            printf("Please type your name: ");
            gets(name);   /* no bounds check: input longer than the buffer overwrites adjacent memory */
            printf("Hello, %s", name);
            return 0;
        }

  • When the source is compiled and turned into a program and the program is run, it will assign a block of memory 32 bytes long to hold the name string.

Buffer overflow will occur if you enter:

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity.

In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information.

Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.

Once a programmer has found a buffer overflow situation, it is necessary to create a buffer of hex characters that represent assembled code instructions. The programmer then creates a C program that executes the target program and overflows the buffer by inserting the hex code to be executed.

List of Buffer Overflow Cases

You may find details of a few known buffer overflow exploits at the URLs mentioned below:


Protection against Buffer Overflows
  • Buffer overflow vulnerabilities are inherent in code due to poor or no error checking.

  • General ways of protecting against buffer overflows:

    1. Close the port of service

    2. Apply the vendor's patch or install the latest version of the software

    3. Filter specific traffic at the firewall

    4. Test key application

    5. Run software at the least privilege required


General ways of protecting against buffer overflows include:

  1. Close the port of service: Keep track of vulnerability reports from sources like CERT and Bugtraq and take preventive measures such as blocking the port in question.

  2. Apply the vendor's patch or install the latest version of the software: The next step should be to apply hotfixes or patches from a reliable source.

  3. Filter specific traffic at the firewall: All suspicious traffic should be filtered at the perimeter itself.

  4. Test key application: Key applications should be tested for boundary conditions before being put into production.

  5. Run software at the least privilege required: No unnecessary privileges should be granted to users or applications. This is a best practice.
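To make "poor or no error checking" and "test key applications for boundary conditions" concrete, here is an added example, not code from the original post, of how the gets(name) call in the earlier snippet should have been written. read_name() reads with an explicit buffer size and reports when a line had to be truncated; copy_name_bounded() refuses input that would not fit rather than writing past the end of the buffer. NAME_LEN (chosen to match the post's char name[31]), the function names and the behaviour on overlong input are choices made for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 31   /* same buffer size as the post's example */

/* Copy src into dst only if it fits with its terminating NUL.
 * Returns 0 when copied, -1 when the input was too long (dst is left empty). */
int copy_name_bounded(char *dst, size_t dstlen, const char *src) {
    size_t n = strlen(src);
    if (dstlen == 0) return -1;
    if (n >= dstlen) {            /* no room for n bytes plus the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Read one line from fp into dst with an explicit size, the way gets(name)
 * should have been written. Returns 0 on success, -1 on EOF, and 1 when the
 * line was longer than the buffer and the remainder was discarded. */
int read_name(char *dst, size_t dstlen, FILE *fp) {
    if (fgets(dst, (int)dstlen, fp) == NULL) return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') { dst[n - 1] = '\0'; return 0; }
    /* No newline seen: the line did not fit. Drain the rest so it does not
     * turn up in the next read. */
    int c;
    while ((c = getc(fp)) != EOF && c != '\n') { }
    return 1;
}

/* The boundary check gets() never performs: would this input, plus its
 * terminating NUL, exceed a buffer of buflen bytes? */
int would_overflow(const char *input, size_t buflen) {
    return strlen(input) + 1 > buflen;
}

int main(void) {
    char name[NAME_LEN];
    printf("Please type your name: ");
    int rc = read_name(name, sizeof name, stdin);
    if (rc < 0) return 1;
    if (rc == 1) printf("(input truncated to %zu characters)\n", sizeof name - 1);
    printf("Hello, %s\n", name);
    return 0;
}
```

Both functions make the buffer size a parameter and decide what happens on overlong input before any byte is written; that decision (truncate, reject, or resize) is the boundary condition that testing should exercise, and that the original gets() call leaves entirely to whoever supplies the input.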

---Regards,
Amarjit Singh

What is Steganography?

What is Steganography?
  • The process of hiding data in images is called Steganography.

  • The most popular method for hiding data in files is to utilize graphic images as hiding place.

  • Attackers can embed information such as:

    1. Source code for hacking tool

    2. List of compromised servers

    3. Plans for future attacks

    4. Your grandma's secret cookie recipe

What is Steganography? It has been described as the art and science of hiding information by embedding messages within other seemingly harmless messages. Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound, text, HTML, or even floppy disks) with bits of different, invisible information. This hidden information can be plain text, cipher text, or even images.

Given below is a list of a few steganography tools.

  • DiSi-Steganograph is a very small, DOS-based steganographic program that embeds data in PCX images.

  • EZStego is a Java based steganographic software which modifies the LSB of still pictures (supports only GIF and PICT formats) and rearranges the color palette.

  • Gif-It-Up v1.0 is a stego program for Windows 95 that hides data in GIF files. It replaces color indexes of the gif color table with indexes of 'color friends' (a color friend is a color in the same table and as close as possible).

  • Gifshuffle conceals a message in a GIF image by re-ordering the color map. Source code and a WIN32 executable are provided.

  • Hide and Seek is a stego program that hides any data into GIF images. It flips the LSB of pseudo-randomly chosen pixels. The data is first encrypted using the blowfish algorithm.

  • JPEG-JSTEG hides data inside a JPEG file. (Source code available)

  • MandelSteg and GIFExtract hide data in fractal GIF images. MandelSteg will create a Mandelbrot image (though it could be modified to produce other fractals), storing your data in the specified bit of the image pixels, after which GIFExtract can be used by the recipient to extract that bit-plane of the image. (Source code available)

  • MP3Stego hides data in popular MP3 sound files.

  • Nicetext transforms cipher-text into innocuous text which can be transformed back into the original cipher-text. The expandable set of tools allows experimentation with custom dictionaries, automatic simulation of writing style, and the use of Context-Free-Grammars to control text generation.

  • Pretty Good Envelope hides data in almost any file. In fact it embeds a binary message in a larger binary file by appending the message to the covert file as well as a 4-byte pointer to the start of the message. To retrieve the message, the last 4 bytes of the file are read, the file pointer is set to that value, and the file read from that point.

  • OutGuess is a steganographic tool for still images. It supports the PNM and JPEG image formats. OutGuess 'preserves statistics based on frequency counts. As a result, no known statistical test is able to detect the presence of steganographic content'.

  • SecurEngine hides files into 24 bit bitmap images (JPEG or BMP) or even text files. Files can be encrypted using GOST, Vernam or '3-way'.

  • Stealth is a simple filter for PGP 2.x which strips off all identifying header information. Only the encrypted data (which looks like random noise) remains; thus it is suitable for steganographic use.

  • Snow is used to conceal messages in ASCII text by appending white spaces to the end of lines.

  • Steganography Tools 4 encrypts the data with IDEA, MPJ2, DES, 3DES and NSEA in CBC, ECB, CFB, OFB and PCBC modes and hides it inside graphics (by modifying the LSB of BMP files), digital audio (WAV files) or unused sectors of HD floppies. The embedded message is usually very small.

  • Steganos is an easy to use wizard style program to hide and/or encrypt files. Steganos encrypts files and hides them within various different types of files. It also includes a text editor using the soft-tempest technology. Many other security features are included.

  • Steghide features hiding data in BMP, WAV and AU files, blowfish encryption, MD5 hashing of pass phrases to blowfish keys and pseudo-random distribution of hidden bits in the cover-data.

  • Stegodos is a set of DOS programs that encodes messages into GIF or PCX images. It works only with 320x200x256 pictures. The data embedded by modifying the LSB of the picture is noticeable in most cases.

  • Stegonosaurus is a UNIX program that will convert any binary file into nonsense text, but which statistically resembles text in the language of the dictionary supplied.

  • StegonoWav is a Java (JDK 1.0) program that hides information in 16-bit wav files using a spread spectrum technique.

  • wbStego lets you hide data in bitmaps, text files and also HTML files. The data is encrypted before embedding. Two different user interfaces are offered: 'the wizard' guides the user step by step and the 'pro' mode gives full control.
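Several of the tools listed above (EZStego, Hide and Seek, Steghide, Stegodos, Steganography Tools 4) work by modifying the least-significant bit (LSB) of each pixel or sample. The following C program is an added example, not code from any of those tools or from the original post: it embeds a message into a constructed byte array standing in for raw pixel data, extracts it again, and measures how little each byte changed. The 32-bit length prefix and the sequential (rather than pseudo-random) bit placement are simplifications chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One message bit per cover byte, stored in the least-significant bit.
 * A 32-bit big-endian length prefix tells the extractor where the message ends. */
static void put_bit(uint8_t *cover, size_t pos, int bit) {
    cover[pos] = (uint8_t)((cover[pos] & 0xFE) | (bit & 1));
}

static int get_bit(const uint8_t *cover, size_t pos) {
    return cover[pos] & 1;
}

/* Embed len message bytes into cover. Returns the number of cover bytes
 * touched, or -1 if the cover cannot hold the length prefix plus message. */
int lsb_embed(uint8_t *cover, size_t cover_len, const uint8_t *msg, uint32_t len) {
    size_t need = (4 + (size_t)len) * 8;
    if (need > cover_len) return -1;
    size_t pos = 0;
    for (int i = 31; i >= 0; i--) put_bit(cover, pos++, (int)((len >> i) & 1));
    for (uint32_t b = 0; b < len; b++)
        for (int i = 7; i >= 0; i--) put_bit(cover, pos++, (msg[b] >> i) & 1);
    return (int)pos;
}

/* Recover a message embedded by lsb_embed. Returns 0 and sets *len_out, or -1
 * when the decoded length does not fit the cover or the output buffer (which
 * is what happens when no message is present and the LSBs are just noise). */
int lsb_extract(const uint8_t *cover, size_t cover_len,
                uint8_t *out, size_t out_cap, uint32_t *len_out) {
    if (cover_len < 32) return -1;
    size_t pos = 0;
    uint32_t len = 0;
    for (int i = 0; i < 32; i++) len = (len << 1) | (uint32_t)get_bit(cover, pos++);
    if ((size_t)len > out_cap || (4 + (size_t)len) * 8 > cover_len) return -1;
    for (uint32_t b = 0; b < len; b++) {
        uint8_t v = 0;
        for (int i = 0; i < 8; i++) v = (uint8_t)((v << 1) | get_bit(cover, pos++));
        out[b] = v;
    }
    *len_out = len;
    return 0;
}

/* Largest per-byte change between the original and the stego cover. For LSB
 * embedding this is never more than 1, which is why the change is invisible
 * in an 8-bit pixel channel or audio sample. */
int max_byte_diff(const uint8_t *a, const uint8_t *b, size_t n) {
    int worst = 0;
    for (size_t i = 0; i < n; i++) {
        int d = a[i] > b[i] ? a[i] - b[i] : b[i] - a[i];
        if (d > worst) worst = d;
    }
    return worst;
}

int main(void) {
    /* Constructed 512-byte "cover" standing in for raw pixel data. */
    uint8_t orig[512], cover[512];
    for (size_t i = 0; i < sizeof cover; i++) orig[i] = cover[i] = (uint8_t)(i * 37 + 11);
    const char *msg = "hidden text";
    int used = lsb_embed(cover, sizeof cover, (const uint8_t *)msg, (uint32_t)strlen(msg));
    uint8_t out[64];
    uint32_t n = 0;
    if (used < 0 || lsb_extract(cover, sizeof cover, out, sizeof out, &n) != 0) return 1;
    printf("embedded %u bytes using %d cover bytes, max per-byte change %d\n",
           n, used, max_byte_diff(orig, cover, sizeof cover));
    printf("recovered: %.*s\n", (int)n, (const char *)out);
    return 0;
}
```

Writing the bits into consecutive bytes, as this example does, leaves a run of cover bytes whose LSBs follow the message's bit statistics rather than the image's, which is the kind of pattern statistical steganalysis looks for; that is why tools such as Hide and Seek and Steghide spread the bits over pseudo-randomly chosen positions, and why OutGuess goes further and tries to preserve the cover's frequency counts.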