TYPES OF TROJAN HORSES

Once a Trojan horse has found a way onto your computer, it can unleash a variety of different payloads, much like a computer virus. These attacks range from harmless to destructive, including

• Displaying taunting or annoying messages

• Wiping out data

• Stealing information, such as a password

• Placing a virus or another Trojan horse on your computer

• Allowing remote access to your computer

To help Trojan horses avoid detection, many hackers simply rename the Trojan horse file. While this won't fool an antivirus program or a Trojan horse detector, a simple name change is often enough to trick an unsuspecting user into running the Trojan horse.

Joke Trojans

A joke Trojan causes no damage but may play an annoying sound from your computer's speaker, warp the appearance of your computer screen, or display a taunting message on the screen, such as "Now formatting hard drive!" Although irritating and unwanted, joke Trojan horses are harmless and easily deleted.

NVP Trojan

NVP Trojan is a Macintosh Trojan horse that modifies the system file so that when the user types any text, the vowels (a, e, i, o, and u) fail to appear. To entice victims to run this Trojan horse, the NVP Trojan masquerades as a utility program that can customize the look of the computer display.

IconDance Trojan

The IconDance Trojan minimizes all application windows and then starts rapidly scrambling all the desktop icons. Beyond scrambling your desktop icons, it does nothing more than make you take the time to reorganize your Windows desktop.

Destructive Trojans

A destructive Trojan can either wipe out your hard drive or selectively delete or modify certain files. Although these are the most dangerous Trojans, their very nature tends to limit their spread: In the process of attacking your computer, they reveal their presence, often by displaying a taunting message on the screen. And, if they reformat your hard drive, they also wipe themselves out.

The only warning you may have that you've been hit by a destructive Trojan may be a blinking light or grinding noise from your hard disk. By the time you notice this suspicious sound, at least some of your files will likely already be wiped out.

Feliz Trojan

When the Feliz Trojan runs, it displays the image shown in Figure 8-1. If the victim clicks the Exit button, a series of message boxes appears, warning the user not to run programs. At the end, the program displays a message wishing the user a Happy New Year.

Figure 8-1: The Feliz Trojan horse displays a threatening image to warn users that the program is about to attack.

While the program displays its message boxes, it deletes the core Windows files, thus preventing the computer from rebooting.

AOL4Free Trojan

In 1995, a Yale student named Nicholas Ryan wrote a program called AOL4FREE, which allowed users access to America Online without having to pay the normal subscriber fee. Immediately following news of the AOL4FREE program, someone started a hoax, warning that the AOL4FREE program was actually a Trojan horse:

Anyone who receives this [warning] must send it to as many people as you can. It is essential that this problem be reconciled as soon as possible. A few hours ago, someone opened an Email that had the subject heading of "AOL4FREE.COM". Within seconds of opening it, a window appeared and began to display all his files that were being deleted. He immediately shut down his computer, but it was too late. This virus wiped him out.

Inevitably, someone actually wrote a Trojan horse, called it AOL4FREE, and on March 1997, began distributing it to America Online users by email. Attached to the email message was the archive file named AOL4FREE.COM, which claimed to provide the original AOL4FREE program for allowing access to America Online for free.

Once executed, the Trojan wipes out every file from your hard drive and then displays "Bad Command or file name" along with an obscene message.

Trojans that steal passwords and other sensitive information

One of the most common uses for a Trojan horse is to steal passwords. Hackers often build custom Trojans to gain unauthorized access to a computer. For example, if a school computer requires a password before anyone can use it, a hacker can install a program that looks like the log-in screen, asking the user to type in a password.

When an unsuspecting victim comes along and types a password, the Trojan stores the password and displays a message like "Computer down" to convince this person to go away or try another machine. The hacker can then retrieve the saved passwords and use them to access other people's accounts.

If hackers can't physically access a targeted computer, they can sometimes trick a victim into loading the Trojan under the guise of a game or utility program. Once loaded, the Trojan can steal files stored on the hard disk, and it can then transmit them back to the hacker. Because you may not even be aware that the Trojan is on your computer, it can steal information every time you use your computer.

Once someone has stolen your password or other vital information (like a credit card number), guess what? The thief can now access your account and masquerade as you without your knowledge, using the account to harass others online in your guise or your credit card information to run up huge charges.

Hey You! AOL Trojan

The Hey You! AOL Trojan often arrives in an unsolicited email with "hey you" in the subject line and the following text:

hey i finally got my pics scanned..theres like 5 or 6 of them..so just download it and unzip it..and for you people who dont know how to then scroll down..tell me what you think of my pics ok?

if you dont know how to unzip then follow these steps

When you sign off, AOL will automatically unzip the file, unless you have turned this feature off in your download preferences.

If you want to do it manually then

On the My Files menu on the AOL toolbar, click Download Manager.

In the Download Manager window, click Show Files Downloaded.

Select my file and click Decompress.

If the victim downloads and runs the attached file, the Trojan horse hides in memory and tries to send your ID and password by email to the waiting hacker. Armed with your America Online ID and password, anyone can access America Online using your account and even change your password, locking you out of your own account.

ProMail Trojan

In 1998, a programmer named Michael Haller developed an email program dubbed Phoenix Mail. Eventually, he tired of maintaining the program and released it as freeware, even to the point of providing the Delphi language source code so that anyone could modify it. Unfortunately, someone took the Phoenix Mail source code and used it to create a Trojan horse dubbed ProMail v1.21.

Like Phoenix Mail, ProMail claims to be a freeware email program, and has been distributed by several freeware and shareware websites including SimTel.net and Shareware.com as the compressed file, proml121.zip.

When a victim runs ProMail, the program asks for a whole bunch of information about the user's Internet account—similar to the information you'd enter when setting up email software to download your email:

• User's email address and real name

• Organization

• Reply-to email address

• Reply-to real name

• POP3 username and password

• POP3 server name and port

• SMTP server name and port

Once the user provides this information, ProMail encrypts it and attempts to send it to an account (naggamanteh@usa.net) on NetAddress (http://www.netaddress.com), a free email provider.

Since ProMail allows users to manage multiple email accounts, it's possible that this Trojan horse can send information about each account to the waiting hacker, allowing that person complete access to every email account the victim may use.

Remote access Trojans

Remote access programs are legitimate tools that people use to access another computer through the telephone or the Internet. For example, a salesman might need to access files stored on a corporate computer, or a technician might need to troubleshoot a computer online without physically accessing that computer. Some popular remote access programs are pcAnywhere, Carbon Copy, LapLink, and even the remote assistance feature built into Windows XP. Remote access Trojans (RATs) are simply remote access programs that sneak onto a victim's computer. While people knowingly install remote access programs like pcAnywhere on their computer, RATs trick a victim into installing the Trojan on their computer first. Once installed, the RAT allows an unseen user (who may be anywhere in the world) complete access to that computer as if he were physically sitting in front of its keyboard—he can see everything that you do and see on your computer.

Using a RAT, a hacker could erase files on your hard disk, copy files (including viruses or other Trojan horses) to your machine, type messages in a program that the user is currently running, rearrange your folders, change your log-in password, open your CD-ROM drive door, play strange noises through the speaker, reboot the computer, or watch and record every keystroke that you type, including credit card numbers, Internet account passwords, or email messages.

RATs come in two parts: a server file and a client file.The server file runs on the victim's computer and the client file runs on the hacker's computer. As long as a hacker has the right client file, he can connect to any computer that has inadvertently installed the server file of that particular Trojan horse.

To fool someone into installing the server file of a Trojan horse, hackers often disguise this file as a game or utility program, as shown in Figure 8-2. When the victim runs the Trojan, the server file installs itself and waits for anyone with the right client file to access that computer.

Figure 8-2: To trick a victim, many hackers disguise the server file of a Trojan horse as a game for the victim to play.

Once the server file has been successfully installed, it opens a port on your computer that allows your computer to send and receive data. Many hackers methodically probe a network of computers (such as those connected to cable or DSL modems) and try client files from different Trojan horses. The hope is that if they or another hacker has managed to infect a computer with a server file, they'll be able to connect to it using the right client file.

Some Trojans will even secretly email the hacker once they're installed and notify him that the server file has successfully been installed on a target computer and give that target computer's IP address. Once a hacker knows the IP address of an infected computer, he can access that computer through the Trojan horse. Or if he's particularly devious, he can publicize his find and let any hacker with the right Trojan horse keep returning to that computer again and again and again….

Back Orifice (BO)

The most famous remote access Trojan is Back Orifice (dubbed BO), named to mock Microsoft's own Back Office program. Back Orifice is one of the few Trojan horse programs with its own website (http://www.cultdeadcow.com/tools/bo.html).

An underground computer group, called the Cult of the Dead Cow (http://www.cultdeadcow.com), originally wrote Back Orifice as a Trojan and released it in 1998. The program caused an immediate uproar as hackers around the world began infecting computers with the Back Orifice server file and accessing other people's computers.

In 1999, the Cult of the Dead Cow released the updated version of Back Orifice called Back Orifice 2000 (or BO2K). Unlike the previous release, Back Orifice 2000 came with complete C/C++ source code so that anyone could examine how the program worked. In addition, Back Orifice 2000 provided a plug-in feature so programmers around the world could extend its features by writing their own plug-ins.

With the release of Back Orifice 2000, the Cult of the Dead Cow moved the program away from its hacker roots and promoted BO2K as a remote administration tool for Windows, putting it in the same class of remote access programs as pcAnywhere and Carbon Copy. Besides giving away Back Orifice 2000 for free along with its source code, the Cult of the Dead Cow further embarrassed the commercial vendors by comparing the features of BO2K with commercial remote access tools.

Besides costing you money, commercial remote access programs hog more disk space and memory than BO2K. While BO2K requires just over 1MB of disk space and 2MB of RAM, Carbon Copy requires about 20MB of disk space and 8MB of RAM, and pcAnywhere requires about 32MB of disk space and 16MB of RAM. Perhaps more surprising is that both BO2K and Carbon Copy offer a stealth remote installation feature, which means that both programs could be used to remotely access a computer without the user's knowledge!

Although the computer community shuns Back Orifice 2000 as a cheap hacker tool, it's really no more a hacker tool than Carbon Copy. Yet considering the group that made it and its original intent, Back Orifice treads the fine line between a Trojan and a legitimate remote access tool for administrators. Used carefully, Back Orifice can be an invaluable program. But used recklessly, it can become a dangerous weapon.

SubSeven

SubSeven (see Figure 8-3) is another Trojan that has been growing in popularity. Besides the standard features of remote access (deleting, modifying, or copying files and folders), SubSeven can also steal ICQ identification numbers and passwords, take over an instant messaging program such as AOL Instant Messenger, and make the victim's computer read text out loud in a computer-generated voice.

Figure 8-3: The SubSeven client program lists all the Trojan horse features in a user-friendly interface.

The Thing

The server files for RATs such as BO2K or SubSeven can range in size from 300KB up to 1.2MB or more. Trying to hide such a large file may be difficult, so hackers sometimes use smaller Trojans like The Thing.

The Thing takes up only 40KB of space, thus ensuring that it won't be detected when linked or bound to another program. Unlike other RATs, The Thing won't give you complete access to a victim's computer. Instead, it only opens a single port so a hacker can later upload a larger RAT, like Back Orifice or SubSeven, which does provide complete control over a victim's computer. Once a hacker has uploaded and installed one of the more sophisticated RATs, he can erase The Thing from the victim's computer and use the other RAT to wreak havoc.