
CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [47]

keystrokes, watch screen images, and restart or shut down infected hosts. Sophisticated Trojans can connect themselves to their originator or announce the Trojan infection on an Internet Relay Chat (IRC) channel.

Trojans ride on the backs of other programs and are usually installed on a system without the user's knowledge. A Trojan can be sent to a victim system in many ways: as an Instant Messenger (IM) attachment, IRC, an e-mail attachment, or NetBIOS file sharing. Many fake programs purporting to be legitimate software such as freeware, spyware-removal tools, system optimizers, screen savers, music, pictures, games, and videos can install a Trojan on a system just by being downloaded. Advertisements for free programs, music files, or video files lure a victim into installing the Trojan program; the program then has system-level access on the target system, where it can be destructive and insidious.

Table 5.1 lists some common Trojans and their default port numbers.

What Is Meant by Overt and Covert Channels?

An overt channel is the normal and legitimate way that programs communicate within a computer system or network. A covert channel uses programs or communications paths in ways that were not intended.

Trojans can use covert channels to communicate. Some client Trojans use covert channels to send instructions to the server component on the compromised system. This sometimes makes Trojan communication difficult to decipher and understand.

Covert channels rely on a technique called tunneling, which lets one protocol be carried over another protocol. Internet Control Message Protocol (ICMP) tunneling is a method of using ICMP echo-request and echo-reply to carry any payload an attacker may wish to use, in an attempt to stealthily access or control a compromised system.

Hacking Tool

Loki is a hacking tool that provides shell access over ICMP, making it much more difficult to detect than TCP- or UDP-based backdoors. As far as the network is concerned, a series of ICMP packets is being sent across the network. However, the hacker is really sending commands from the Loki client and executing them on the server.

List the Different Types of Trojans

Trojans can be created and used to perform different attacks. Some of the most common types of Trojans are:

■ Remote Access Trojans (RATs): used to gain remote access to a system

■ Data-Sending Trojans: used to find data on a system and deliver data to a hacker

■ Destructive Trojans: used to delete or corrupt files on a system

■ Denial of Service Trojans: used to launch a denial-of-service attack

■ Proxy Trojans: used to tunnel traffic or launch hacking attacks via another system

■ FTP Trojans: used to create an FTP server in order to copy files onto a system

■ Security software disabler Trojans: used to stop antivirus software

How Do Reverse-Connecting Trojans Work?

Reverse-connecting Trojans let an attacker access a machine on the internal network from the outside. The hacker can install a simple Trojan program on a system on the internal network, such as the reverse WWW shell server. On a regular basis (usually every 60 seconds), the internal server tries to access the external master system to pick up commands. If the attacker has typed something into the master system, this command is retrieved and executed on the internal system. Reverse WWW shell uses standard HTTP. It's dangerous because it's difficult to detect: it looks like a client is browsing the Web from the internal network.
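The fixed polling interval is what a defender can look for in outbound web logs. The following detection sketch is an added example, not from the book: it flags internal clients whose requests to one external host arrive at nearly constant intervals. The log format, addresses, and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def build_sample_log():
    """Constructed sample: one host polling about every 60 s, one user browsing."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    poll = [0, 60, 121, 180, 240, 299, 360, 420]   # steady check-ins
    browse = [3, 5, 9, 140, 142, 400, 405, 406]    # bursty human clicks
    rows = [(s, "10.0.0.23", "203.0.113.50") for s in poll]
    rows += [(s, "10.0.0.41", "www.example.com") for s in browse]
    return "\n".join(f"{(base + timedelta(seconds=s)).isoformat()} {c} {h} GET /"
                     for s, c, h in sorted(rows))

SAMPLE_LOG = build_sample_log()

def group_requests(log):
    """Group request times by (internal client, external host).

    Assumed line format: "<ISO timestamp> <client> <host> <method> <path>".
    """
    flows = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        flows[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
    return flows

def find_beacons(log, min_requests=6, max_jitter=0.1):
    """Return (client, host, period_seconds, count) for near-periodic flows.

    Jitter is the coefficient of variation (stdev / mean) of the gaps
    between requests: browsing is bursty, a polling loop is not.
    """
    hits = []
    for (client, host), times in group_requests(log).items():
        if len(times) < min_requests:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, host, round(avg), len(times)))
    return sorted(hits)

if __name__ == "__main__":
    for client, host, period, count in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {count} requests about {period}s apart")
```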

Hacking Tools

TROJ_QAZ is a Trojan that renames the application notepad.exe file to note.com and then copies itself as notepad.exe to the Windows folder. This will cause the Trojan to be launched every time a user runs Notepad. It has a backdoor that a remote user or hacker can use to connect to and control the computer using port 7597. TROJ_QAZ also infects the registry so that it is loaded every time Windows is started.

Tini is a very small and simple backdoor Trojan for Windows operating systems. It listens on port 7777 and gives a hacker a remote command prompt on the
