Untitled


SUBMITTED BY: Guest

DATE: Dec. 8, 2013, 6:28 a.m.


Trojan Horse programs are able to hide themselves from being detected after installing themselves into your computer, generally without your knowledge, sometimes using similar methods to spyware but usually harder to fully detect. Trojan horses are among the most dangerous threats to your computer files and your confidential information such as your passwords, credit card data and personal security. Once a Trojan program is installed on your computer it allows full access to hackers. The same Trojan can be used secretly by many hackers. It's not just one Trojan to one hacker; it's one Trojan to many hackers. A Trojan on your computer can let a hacker view, copy or erase any folder and any file on your computer just as though he or she were sitting at your computer using its keyboard and mouse. Any file on your computer can also be sent to any e-mail address or posted on the Internet.

There are many ways a system can be infected with a Trojan, and because a Trojan is not the same as a virus (a self-replicating program segment) it is not always detected by anti-virus software. Trojans are often installed by a virus or worm that is programmed to open a backdoor into your computer, sometimes to join in DDoS attacks against other computers; other trojans can be added to popular programs and released out to newsgroups and p2p networks in the hopes of infecting new hosts.
Trojan Horse explanation:
- http://www.viruslist.com/eng/viruslist.html?id=13
Complete Windows Trojan paper (24/10/02):
- http://www.infosecwriters.com/texts.php?...play&id=58
Malware: Fighting Malicious Code - sample chapters [Great Information - Essential reading]:
- http://www.informit.com/articles/article...1&seqNum=1
- http://www.informit.com/articles/article...1&seqNum=2
- http://www.informit.com/articles/article...1&seqNum=3
Trojan Horse Attacks:
- http://www.irchelp.org/irchelp/security/trojan.html
Many Bots scan for victims of other Trojans such as SubSeven. This has two distinct advantages for the hacker. Firstly, they can scan a lot of class C blocks without scanning themselves or wasting their own bandwidth to do so, and secondly they can get their Bot onto already Trojan-infected machines on the premise that if the owner did not know they had one Trojan that is detectable by nearly all Anti-Trojan/Virus applications, then they certainly won't know they have another that is undetectable by signature by all of these applications. This, to a large degree, is why we use Generics as a second layer of defense against unknown Trojans.

The SubSeven scan yields victims on default ports and also exploits the old SubSeven master password, which works on all SubSeven 2.* versions up to and not including SubSeven 2.1.3 Bonus. Once a victim has been found and logged into, the command to update from the web is sent. Once received, SubSeven will download the new file, run it and then remove itself.
The SubSeven trojan was made to improve upon the design of NetBus. It has 'improved' on NetBus so much that it is now a very deadly trojan that can be very damaging and quite hard to remove. The best way to tell what version of SubSeven you are infected with is by running an updated AntiVirus program and an Anti-Trojan Scanner. Next best is to check this Which Version page:
- http://www.hackfix.org/subseven/
- http://www.norman.com/virus_info/subseve...jan.shtml/
- A Remote Administration Tool, or RAT, is a Trojan that, when run, provides an attacker with the capability of remotely controlling a machine via a "client" on the attacker's machine and a "server" on the victim's machine. The server on the victim "serves" incoming connections to the victim and runs invisibly with no user interface. The client is a GUI front-end that the attacker uses to connect to victim servers and "manage" those machines. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed on a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker, who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses.
REMOTE ACCESS TROJANS
- http://pestpatrol.com/Support/About/About_Rats.asp
- A Backdoor is a program that opens secret access to systems, and is often used to bypass system security.
- A Backdoor program does not infect other host files, but nearly all Backdoor programs make registry modifications.
The Enemy Within: Firewalls and Backdoors:
- http://www.securityfocus.com/infocus/1701
DLL Trojans and other:
- http://home.arcor.de/scheinsicherheit/introduction.htm
- http://securityresponse.symantec.com/avc...anits.html
--------------------------------------------------------------------------------------------------
Most known Trojan horses are programs which "imitate" some other useful programs, new versions of popular utility software or software updates for them. Very often, they are sent to BBS stations or Usenet groups. In comparison with viruses, Trojan horses are not widely spread. The reason for this is quite simple: they either destroy themselves together with the rest of the data on disks, or unmask their presence and are deleted by victimized users.

Virus "droppers" may also be considered Trojan horses. They are files infected in such a way that known anti-viruses do not detect virus presence in the file. For example, a file is encrypted in some special way or packed by a rarely used archiver, preventing an anti-virus from "seeing" the infection.

Hoaxes are also worth mentioning. These are programs that do not cause any direct harm to computers but, rather, display messages falsely stating that harm has already been done, or will be done under some circumstances; or these hoaxes warn a user about some kind of non-existent danger. Hoaxes are, for example, programs which "scare" a user with a message about disk formatting (although no formatting actually takes place); detect viruses in uninfected files; display strange virus-like messages (CMD640X disk driver from some commercial software packages); etc. All of this depends on the author's sense of humor. Apparently, the string "CHOLEEPA" in the second sector of Seagate hard disks is also a hoax. Purposely false messages about new super viruses also fall into the category of hoaxes. Such messages appear in newsgroups from time to time, and usually create panic among users.
http://www.viruslist.com/eng/viruslistbooks.html?id=64
-------------------------------------------------------------------------------------------------------------------------------
These sites below will help direct you to the best places to search for hidden trojans/spyware:
Auto Start checklist - best places to check:
http://www.cknow.com/ckinfo/def_a/autostart.shtml
################################
:: BHO Lists / Start Up lists / Process Libraries ::
################################
- http://www.generation.net/~hleboeuf/bho_a_d.htm
- http://www.sysinfo.org/bholist.php
- http://computercops.biz/CLSID.html
- http://computercops.biz/LSPs.html
- http://computercops.biz/StartupList.html
- http://computercops.biz/software.html
- http://www.windowsstartup.com/wso/search.php
- http://www.sysinfo.org/startuplist.php
- http://www.rockymountain.com/ref_startup.htm
- http://www.allsecpros.com/startuplist.html
- http://members.shaw.ca/austin.powers/
- http://www.3feetunder.com/krick/startup/list.html
- http://www.michaelpreslar.com/sysinfo/startupinfo.html
- http://www.neuber.com/taskmanager/process/index.html
- http://www.reger24.de/processes.php
- http://www.answersthatwork.com/Tasklist_...sklist.htm
- http://www.pacs-portal.co.uk/startup_index.htm
- http://www.pacs-portal.co.uk/startup_pag...up_all.php
- http://www.processlibrary.com/
- http://www.liutilities.com/products/wint...sslibrary/
- http://www.liutilities.com/products/wint...ry/system/
- http://www.liutilities.com/products/wint.../security/
- Windows XP Home and Professional Tasks and Services:
- http://www.blkviper.com/WinXP/servicecfg.htm
- http://www.blkviper.com/index.html
Anti-Trojan guides and links:
- https://netfiles.uiuc.edu/ehowes/www/info10.htm
- http://radified.com/Articles/trojan.htm
- http://www.net-security.org/dl/articles/...rojans.txt
Reverse Engineering Hostile Code:
- http://www.securityfocus.com/infocus/1637
Merijn's Sub 7 trojan Removal Guide:
http://www.bluetack.co.uk/forums/index.p...opic=13340
Masters Of Paradise Trojan Removal guides:
http://www.hackfix.org/miscfix/mp.shtml
http://www.pestpatrol.com/PestInfo/m/mas...radise.asp
Sophos Guide to removing Trojans:
1. Removing Trojans in Windows 95/98/Me
2. Removing Trojans in Windows NT/2000/XP/2003
3. Removing Trojans on Macintosh computers
4. Removing Trojans in DOS
5. Removing Trojans in OS/2
6. Removing Trojans in NetWare
7. Removing Trojans in Unix
8. Removing Trojans in OpenVMS
http://www.sophos.com/support/disinfection/trojan.html
---------------------------------------------------------------------------------------------------
If BO is running, it takes mere seconds for an intruder to access all cached passwords and view most of your system's vital statistics. He may have all he wants in moments and be gone. You almost certainly wouldn't notice, and there is absolutely nothing you could do.
Back Orifice Removal Guide:
http://www.pchell.com/internet/boserve.shtml
Detailed info on tracking and removing the Back Orifice "Backdoor" program:
- http://www.nwinternet.com/~pchelp/bo/bo.html
A look into the Back Orifice Trojan:
- http://www.windowsecurity.com/articles/T...rimer.html
----------------------------------------------------------------------------------------------------
A good method of discovering trojan infections is by identifying which virtual ports (there are 65535) are open and in use on your computer. If you use an antivirus and a personal firewall then you have a better chance of detecting and then blocking an unknown trojan from making outbound connections. There are many programs to monitor for open ports; I mainly rely on TCPView or Outpost firewall to view which ports are listening and operating. You can also use the built-in Windows netstat utility from a command prompt to view the open ports and connections by going to:
- Start -> Run -> [type] cmd.exe [Win2000/XP] or command.exe [Win98/ME], then in the command prompt window type: netstat -an
Only a firewall can be set up to block unauthorized outbound traffic from your computer, and without one running a trojan can give full access to and from your computer to anyone who manages to locate it with an automated scan, or to the person who originally released it. The XP SP2 / ICF firewall will not protect you from Trojans/Malware making outbound connections once they are on your system.
Some trojans are able to get through your firewall though, by using DLL / process injection and other technical methods displayed at the firewall leak testing site:
http://www.firewallleaktester.com
An example:
New Trojan beats firewalls [2003]:
Quote:
A malevolent program capable of using a browser to transmit and receive data secretly across a firewall was demonstrated at the DefCon security conference in the US earlier this year. Once connected through the browser, the hacker can plant applications to allow activities such as recording keystrokes on the host machine or can access and download files. Security experts attending DefCon in Las Vegas said the demonstration of Setiri has confirmed their fears that the next step in hacking technology will bypass firewall detection.
- http://www.computercops.biz/article1321.html
-continued in 2nd post
:: PORTS ::
The port lists below have listed default trojan ports, which the trojan program is designed to listen and operate on. Keep in mind that any trojan may be altered to operate on other ports as well, and that activity on a known trojan port may be a false positive and a genuine connection. Firewalls cannot tell whether the traffic is malicious or harmless, only that it is operating on a known trojan port.
Be suspicious of any connections that you aren't sure about, but don't completely panic if you suddenly notice something that shouldn't be running or is connected to the internet without your authorization. Just be prepared, and if need be, disconnect from the internet if you suspect you are being hacked.
Trojans do not spread any further on your computer the way viruses or worms do, but they can often be the result of a virus or worm infection planting a backdoor on your system.
NOTE: Some trojans may use more than one port number. This is because one port is used for "listening" and the other/s are used for the transfer of data.
In their default configurations, the following trojans use:
- Back Orifice - UDP port 31337 or 31338
- Deep Throat - UDP port 2140 and 3150
- NetBus - TCP port 12345 and 12346
- Whack-a-mole - TCP port 12361 and 12362
- NetBus 2 Pro - TCP port 20034
- GirlFriend - TCP port 21544
- Sockets de Troie - TCP port 5000, 5001 or 50505
- Masters Paradise - TCP port 3129, 40421, 40422, 40423 and 40426
- Devil - port 65000
- Evil FTP - port 23456
- GateCrasher - port 6969
- Hackers Paradise - port 456
- ICKiller - port 7789
- ICQTrojan - port 4590
- Phineas Phucker - port 2801
- Remote Grab - port 7000
- Remote Windows Shutdown - port 53001
http://www.cybercity-online.net/Trojan.html
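As an added example (not part of the original post), the following Python script turns the two pieces of advice above, running netstat and comparing the result against the default port list, into a repeatable check: it parses the table printed by Windows `netstat -an` (the `-o` switch, available since XP, adds a PID column which it also reads) and flags sockets sitting on the default ports listed above. The page gives no protocol for the entries from "Devil" onwards, so they are assumed TCP here; the sample netstat output is constructed.

```python
"""Match Windows netstat output against the default trojan ports listed above.
A hit is a lead, not a verdict: trace the port to its program (netstat -ano
adds the owning PID on XP and later) and investigate that program."""
from typing import Dict, List, NamedTuple, Optional, Tuple

# Transcribed from the list above. The page gives no protocol for the entries
# from "Devil" onwards; they are assumed to be TCP here.
DEFAULT_TROJAN_PORTS: Dict[Tuple[str, int], str] = {
    ("udp", 31337): "Back Orifice", ("udp", 31338): "Back Orifice",
    ("udp", 2140): "Deep Throat", ("udp", 3150): "Deep Throat",
    ("tcp", 12345): "NetBus", ("tcp", 12346): "NetBus",
    ("tcp", 12361): "Whack-a-mole", ("tcp", 12362): "Whack-a-mole",
    ("tcp", 20034): "NetBus 2 Pro", ("tcp", 21544): "GirlFriend",
    ("tcp", 5000): "Sockets de Troie", ("tcp", 5001): "Sockets de Troie",
    ("tcp", 50505): "Sockets de Troie",
    ("tcp", 3129): "Masters Paradise", ("tcp", 40421): "Masters Paradise",
    ("tcp", 40422): "Masters Paradise", ("tcp", 40423): "Masters Paradise",
    ("tcp", 40426): "Masters Paradise",
    ("tcp", 65000): "Devil", ("tcp", 23456): "Evil FTP",
    ("tcp", 6969): "GateCrasher", ("tcp", 456): "Hackers Paradise",
    ("tcp", 7789): "ICKiller", ("tcp", 4590): "ICQTrojan",
    ("tcp", 2801): "Phineas Phucker", ("tcp", 7000): "Remote Grab",
    ("tcp", 53001): "Remote Windows Shutdown",
}

class Socket(NamedTuple):
    proto: str                  # "tcp" or "udp"
    local_port: int
    remote_host: str
    remote_port: Optional[int]  # None for UDP's "*:*"
    state: str                  # TCP state column, "" for UDP
    pid: Optional[int]          # only present in netstat -o output

class Finding(NamedTuple):
    socket: Socket
    trojan: str
    reason: str

def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port'; rpartition keeps bracketed IPv6 hosts whole."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text: str) -> List[Socket]:
    """Parse the table printed by Windows `netstat -an` or `netstat -ano`."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # title, column header or blank line
        proto = fields[0].lower()
        _, local_port = _split_endpoint(fields[1])
        remote_host, remote_port = _split_endpoint(fields[2])
        rest = fields[3:]
        state = rest.pop(0) if proto == "tcp" and rest else ""
        pid = int(rest[0]) if rest and rest[0].isdigit() else None
        if local_port is not None:
            sockets.append(Socket(proto, local_port, remote_host, remote_port, state, pid))
    return sockets

def find_trojan_port_matches(sockets: List[Socket]) -> List[Finding]:
    """Flag listeners and connections sitting on a default trojan port."""
    findings = []
    for s in sockets:
        local_hit = DEFAULT_TROJAN_PORTS.get((s.proto, s.local_port))
        if local_hit and (s.proto == "udp" or s.state == "LISTENING"):
            findings.append(Finding(s, local_hit, "listening on its default port"))
        elif local_hit and s.state == "ESTABLISHED":
            # Outbound connections get local ports from the ephemeral range, so
            # this can be a coincidence (the false positive the text warns about).
            findings.append(Finding(s, local_hit, "connection on its default port"))
        remote_hit = DEFAULT_TROJAN_PORTS.get((s.proto, s.remote_port))
        if remote_hit:
            findings.append(Finding(s, remote_hit, "connected out to its default port"))
    return findings

# Constructed sample in the `netstat -ano` layout; addresses and PIDs are invented.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       1432
  TCP    192.168.1.5:1278       198.51.100.7:80        SYN_SENT        1432
  TCP    192.168.1.5:5000       10.0.0.2:443           ESTABLISHED     1100
  UDP    0.0.0.0:31337          *:*                                    1432
  UDP    0.0.0.0:137            *:*                                    4
"""

if __name__ == "__main__":
    for f in find_trojan_port_matches(parse_netstat(SAMPLE_NETSTAT)):
        s = f.socket
        print(f"{s.proto.upper()} {s.local_port} [{s.state or 'udp'}] "
              f"PID {s.pid}: {f.trojan}, {f.reason}")
```

Pipe real output in with `netstat -ano > ports.txt` and pass the file's text to `parse_netstat`; the PID in each finding is what you then look up in Task Manager or Process Explorer.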
--------------------------------------------------------------------------------------------------------
Quote:
One of the most frequently fielded questions among security analysts is, "Do I have a Trojan-horse program if I've found a port open on my computer?" Variations of this question litter security mailing lists, but the answer is always the same: trace the port number to the program that's opening the port, and investigate the program. The process of tracing an open port to its causative agent is called port enumeration (or port mapping). Of course, the answer assumes that you have an adequate understanding of port numbers, a good port-enumeration tool, and the ability to research whether the found program is malicious. Let's take a look at port enumeration in general, then review 11 Windows port enumerators.
Top Port Monitoring Tools:
http://www.winnetmag.com/Articles/Articl...g/1/1.html
Ultimate Trojan Ports List:
http://www.bluetack.co.uk/forums/index.p...wtopic=777
-------------------------------------------------------------------------------------------
The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports.
- The Well Known Ports are those from 0 through 1023.
- The Registered Ports are those from 1024 through 49151.
- The Dynamic and/or Private Ports are those from 49152 through 65535.
- http://www.iana.org/assignments/port-numbers
Use this PORT LOOKUP PAGE or download your own copy:
- http://lists.gpick.com/portlist/lookup.asp
For a complete listing of assigned ports and numbers:
- http://www.networksorcery.com/enp/protoc...s00000.htm
Trojan ports list:
- http://www.glocksoft.com/trojan_port.htm
This excellent Port Reference website also provides their handy tool, available for download as a Windows HTML Help (.chm) file. Direct DOWNLOAD your own copy now or use the ONLINE PAGE to find what services and trojans operate on each port; immediately useful for double-checking port connections from the results in your firewall. Updated regularly.
Block known trojan ports:
- http://www.doshelp.com/trojanports.htm
Port descriptions and services:
- http://www.portsdb.org/bin/portsdb.cgi
Giant Port List:
- http://keir.net/portlist.html
ONCTek has compiled a list of known Trojans/Backdoors and the TCP/UDP ports on which they operate. The list should not be considered complete, nor should all activity on these ports be considered suspect:
- http://www.onctek.com/trojanports.html
Known Ports 0-1023:
- http://www.onctek.com/known_ports.txt
Known registered ports (the Registered Ports are in the range 1024-49151):
- http://www.onctek.com/registered_ports.txt
------------------------------------------------------------------------------------------------------------------------
Analysis of the BioNet Trojan:
- http://www.misec.net/bionet312analysis.jsp
Computer trojan horses:
- http://www.infosecwriters.com/texts.php?...play&id=39
Trojan search results:
- http://www.computercops.biz/modules.php?...h&topic=24
Google directory on Security/Anti-Trojans/Malicious Software:
- http://directory.google.com/Top/Computers/Security/
- http://directory.google.com/Top/Computer..._Software/
=======================================================================
:: PREVENTION IS BETTER THAN A CURE ::
-------------------------------------------------------------------------------------------------------------------------------
The same programs I use for protection against spyware also work well against any trojans that attempt to execute, install themselves to auto-run by modifying the registry, or add themselves as system services etc.
I mainly rely on these for my protection:
- Outpost Pro/Blockpost - Firewall
- ProcessGuard - Kernel mode protection and process termination protection
- SSM / System Safety Monitor - DLL injection protection and more
- RegRun Gold - Heavy duty registry / file and full system protection and lots more
- Spywall - Internet Explorer browser firewall
- WinPatrol - Lightweight registry/system monitor
- TDS-3 - Trojan Defence Suite [discontinued]
- WormGuard - Worm and script protection
- GoBack - Advanced system restore
- CommView - Packet sniffer
Bluetack Hosts file & Hosts File manager:
http://www.bluetack.co.uk/forums/index.p...wforum=125
Applications that have worked well for me in detecting or stopping trojans from installing to begin with:
ProcessGuard
http://www.diamondcs.com.au/
System Safety Monitor
http://syssafety.com/
WinPatrol
- http://www.winpatrol.com
Also my favorite program for monitoring changes to your system and giving you complete control over any changes before Windows even boots up, plus system file protection and more, is RegRun Gold.
- http://www.wilderssecurity.com/regrungold.html
RegRun Security Suite
- http://www.greatis.com/security/download.htm
- http://www.greatis.com/security/detail.htm
Outpost firewall
- http://www.agnitum.com
Outpost offers various protections against malicious software: a spyware realtime monitor and spyware scanner based on their Tauscan trojan remover engine; it also includes component control, hidden process control, and Blockpost, an IP blocker [for importing the Bluetack spyware blocklist].
=======================================================================
-continued in 3rd post: ANTI-TROJAN PROGRAMS / TOOLS
- Well, since Trojan Defence Suite (TDS-3) has now been discontinued, the next best alternatives are included here:
- Ewido - no longer exists; bought by AVG, now known as AVG Anti-Spyware
- http://www.ewido.net/en/?section=ess
- BOClean - bought by Comodo
- http://www.nsclean.com/boclean.html
- TrojanHunter -
- http://www.misec.net/trojanhunter/
- The Cleaner -
- http://www.moosoft.com/
- A² Trojan Scanner -
- http://www.emsisoft.com/en/
Quote:
a² personal is primarily a Trojan scanner and remover. But besides Trojan Horses and Backdoors, it also detects other harmful software like worm viruses, dialers and other dangerous tools which are used by attackers to spy on your files. The advanced background guard gives harmful programs no chance to get on your PC. From now on you have full control over all active programs and their rights on your computer.
- http://www.spywarewarrior.com/uiuc/soft5.htm
- http://www.wilders.org/anti_trojans.htm
- http://www.computercops.biz/downloads-cat-6.html
ANTI-TROJAN forums:
http://forum.misec.net/ - TrojanHunter
http://www.wilderssecurity.com/index.php?board=5
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Kaspersky Antivirus and Avast, while not trojan scanners, work extremely well at detecting trojans and have powerful scanning features for detecting malicious files inside packed files, which many other antivirus programs miss.
http://www.kaspersky.com
DiamondCS ProcessGuard also needs mentioning. While not a specific trojan scanner, it will prevent the installation of trojans and rootkits, and stop rogue applications from disabling your security software.
Quote:
DiamondCS ProcessGuard protects Windows processes from attacks by other processes, services, drivers, and other forms of executing code on your system. ProcessGuard also stops applications from executing without the user's consent, stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. ProcessGuard even stops most keyloggers and leaktests, and is recognised by many to be the most comprehensive anti-rootkit solution available.
Download from here:
http://www.diamondcs.com.au/processguard/
A good firewall is also essential, which is why I recommend Outpost Pro. Tiny Firewall Pro also has some very advanced features for locking down your system if you have the time and the knowledge to configure it securely.
-----------------------------------------------------
- Free Tools that can help in Detecting Trojans:
-----------------------------------------------------
- Process Explorer
- TcpView
- Filemon
- Portmon
- Tdimon
- Filemap
* yes, there's more...
http://www.sysinternals.com/
http://www.sysinternals.com/ntw2k/freewa...cexp.shtml
http://www.wilders.org/free_tools.htm
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
- Anti-trojan program comparison by Agnitum with their Tauscan trojan scanner:
http://www.agnitum.com/products/tauscan/compare.html
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
GFI TrojanScan:
Is your system infected by Trojans? Trojan horses are a huge security threat. A Trojan is a program that can easily enter your computer undetected, giving the attacker who planted the Trojan unrestricted access to the data stored on your computer. Trojans can transmit credit card information and other confidential data in the background. Trojans are often not caught by virus scanning engines, because these are focused on viruses, not Trojans. Catching such threats would require the use of a Trojan scanner (a.k.a. Trojan cleaner, Trojan remover, anti-Trojan).
- http://www.trojanscan.com/
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
* For advanced users *
- Back Officer Download -
- http://www.nfr.com/resource/backOfficer.php
Free - Back Officer Friendly "honeypot" attracts and traps attackers. Known as a "honey pot" for its ability to attract and trap hackers, Back Officer Friendly (BOF) is a popular free download available exclusively from NFR Security, Inc. Back Officer Friendly was originally created to detect when anyone attempts a Back Orifice scan against your computer. It has since evolved to detect attempted connections to other services, such as Telnet, FTP, SMTP, POP3 and IMAP2. When BOF receives a connection to one of these services, it will fake replies to the hopeful hacker, wasting the attacker's time and giving you time to stop them from other mischief.
You will need to fill in a form, and a link will be sent to you via email to download the program.
==========================================
Sysinternals Process Explorer can also be used as a replacement task manager, especially handy if the Windows Task Manager is hijacked or damaged.
You can still remove it all yourself without buying anything really; you just have to know what you're doing, and know what to dig out and where to dig it out from. Programs such as these can make removal a bit easier.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
---------------------------------------------------------------------
Alternate Data Streams:
---------------------------------------------------------------------
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
NTFS has alternate data streams, which means that information can be hidden on your HDD without your knowledge or permission. One way to use alternate data streams is to put a trojan horse on your computer and hide it in an alternate data stream. This could be a serious security issue. The only way to find out what alternate data streams there are is to download and use programs like TDS-3, S-Find, ADS Spy and others.
Why is ADS a security risk?
The primary reason why ADS is a security risk is because streams are almost completely hidden and represent possibly the closest thing to a perfect hiding spot on a file system, something trojans can and will take advantage of. Streams can easily be created, written to and read from, allowing any trojan or virus author to take advantage of a hidden file area. But while streams can easily be used, they can only be detected with specialist software. Programs such as Explorer can view normal parent files, but they can't see streams linked to such files, nor can they determine how much disk space is being used by streams. Because ADS is virtually unknown to many developers, there are very few security programs available that are ADS-aware. As such, if a virus implants itself into an ADS stream, your anti-virus software will probably not be able to detect it. In addition, streams cannot be deleted: to delete a stream you must delete its parent. Streams are of particular importance to law enforcement agencies, as important data can sometimes be hidden in these covert file system channels.
Why does NTFS support streams?
The main (but not only) reason is for Macintosh file support. Files stored on the Macintosh file system consist of two parts (known as forks): one data fork and one resource fork. Windows relies on the extension of the file (e.g. ".exe") in order to determine which program should be associated with that file; Macintosh files use the resource fork to do this. NT stores Macintosh resource forks in a hidden NTFS stream, with the data fork becoming the main parent file to the stream. ADS has other uses. As just one example, you could store a thumbnail image of a picture in a stream and even an audio track, allowing a single file to have several multimedia components. Some anti-virus programs store checksums in a stream under every file on your disk.
More info on Alternate Data Streams:
http://www.bleepingcomputer.com/forums/i...utorial=25
http://www.windowsecurity.com/articles/A...reams.html
http://www.diamondcs.com.au/index.php?pa...fs-streams
ADS scanning programs:
TDS-3 - http://tds.diamondcs.com.au
LADS - http://www.heysoft.de/Frames/f_sw_la_en.htm
CrucialADS - http://www.crucialsecurity.com/downloads.html
--
ADS Spy
Freeware
Operating System: XP/2000/2003/NT
http://www.bleepingcomputer.com/files/adsspy.php
ADS Spy is a tool used to list, view or delete Alternate Data Streams (ADS) on Windows 2000/XP with NTFS file systems. ADS is a way of storing meta-information for files without actually storing the information in the file it belongs to, carried over from early MacOS compatibility from Windows NT4. Recently browser hijackers began using this technique to store hidden information on the system, and even to store trojan executable files in ADS streams of random files on the system. Use with caution.
---
You can get Foundstone's S-FIND from:
http://www.foundstone.com/knowledge/prod...olkit.html
========================================================
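As an added example (not from the original post or from any of the tools named above), this Python script shows two ways a defender can enumerate streams without a third-party product: the Win32 FindFirstStreamW/FindNextStreamW calls via ctypes on a live Windows/NTFS system, and a parser for the stream lines that cmd.exe's `dir /R` (Vista and later) prints. The `dir /R` sample output is constructed, and the executable-extension filter is an assumption about which streams deserve a second look.

```python
"""Enumerate NTFS alternate data streams, the hiding place described above."""
import ctypes
import re
import sys
from typing import List, NamedTuple, Tuple

class Stream(NamedTuple):
    name: str   # e.g. ":update.exe:$DATA"; "::$DATA" is the file's ordinary contents
    size: int

class _WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Layout used by FindFirstStreamW: LARGE_INTEGER size, then a name buffer.
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (260 + 36))]

def list_streams(path: str) -> List[Stream]:
    """All $DATA streams of `path` via FindFirstStreamW/FindNextStreamW (Windows/NTFS only)."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs the Win32 API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = _WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append(Stream(data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # ERROR_HANDLE_EOF: no further streams
    finally:
        k32.FindClose(handle)
    return streams

def hidden_streams(streams: List[Stream]) -> List[Stream]:
    """Drop the unnamed default stream; everything left is an ADS Explorer cannot show."""
    return [s for s in streams if s.name != "::$DATA"]

# `dir /R` (cmd.exe, Vista and later) prints each ADS on its own line below its parent:
#                                 81,920 notes.txt:update.exe:$DATA
_DIR_R_STREAM = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

def parse_dir_r(text: str) -> List[Tuple[str, str, int]]:
    """(parent file, stream name, size in bytes) for every ADS line in `dir /R` output."""
    found = []
    for line in text.splitlines():
        m = _DIR_R_STREAM.match(line)
        if m:
            found.append((m.group(2), m.group(3), int(m.group(1).replace(",", ""))))
    return found

# Assumption: a stream named like an executable deserves a look. Zone.Identifier is
# the mark Internet Explorer attaches to downloads and is expected on many files.
_EXECUTABLE_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".vbs")

def suspicious_streams(entries: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    return [e for e in entries if e[1].lower().endswith(_EXECUTABLE_EXT)]

# Constructed `dir /R` output for a folder where one text file carries a hidden .exe.
SAMPLE_DIR_R = """\
 Directory of C:\\Users\\demo

04/12/2023  09:15 PM    <DIR>          .
04/12/2023  09:15 PM               512 notes.txt
                                81,920 notes.txt:update.exe:$DATA
04/12/2023  09:15 PM             1,024 readme.txt
                                    26 readme.txt:Zone.Identifier:$DATA
"""

if __name__ == "__main__":
    for parent, stream, size in suspicious_streams(parse_dir_r(SAMPLE_DIR_R)):
        print(f"{parent}: hidden stream '{stream}' ({size} bytes)")
    if sys.platform == "win32":  # live check of any paths given on the command line
        for path in sys.argv[1:]:
            print(path, hidden_streams(list_streams(path)))
```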
-continued in 4th post ======================================
The following example is the result of an old browser hijack, which also installed a SubSeven trojan, recorded in early 2003. It was blocked by Outpost and later killed by me. WinPatrol detected it attempting to install itself into the auto-run registry key.
Two .exe files were created upon infection, msrexe.exe and msdos.exe:
--------------------------------------------
C:\WINDOWS\System32\msrexe.exe
C:\Msdos.exe
Default trojan filename: RAT.AlexMessoMalex
Section table and imports reported for the file:
UPX0 2576384 UXRW 00000000
UPX1 32768 DXRW bd57383b
UPX2 4096 DRW 273d1722
RegEnumKeyA
ExitProcess
GetProcAddress
LoadLibraryA
PostQuitMessage
Ordinal 115
--------------------------------------------------------------
The outbound connection was blocked by using Outpost Firewall Pro v1 in "block most" mode, which denied the trojan access to the internet since there were no rules allowing it.
66.150.0.159-ortv098.hypermart.net#(bo.trojanhorse-03) 66.150.0.0-66.150.3.255,InfoSpace-Go2net#(trojan-f**kers-03)
Block All Activity MSREXE.EXE TCP 2271 n/a Unknown 0*/00/2003 1:36:30 AM ortv098.hypermart.net *.*.*.*
Block All Activity MSREXE.EXE TCP 1278 n/a Unknown 0*/00/2003 11:30:30 PM ortv098.hypermart.net *.*.*.*
Block All Activity MSREXE.EXE TCP 1294 n/a Unknown 0*/00/2003 4:36:30 PM ortv098.hypermart.net *.*.*.*
Block All Activity MSREXE.EXE TCP 1202 n/a Unknown 0*/00/2003 4:21:30 PM ortv098.hypermart.net *.*.*.*
It was running for a little while; I was a bit too busy with other things to take care of it.
----------------------------------------------------------------------------------------------------------------------
Ok, the fact is every antivirus company likes to use a different name from their competition just because they can; it's a competition after all, and the majority are in business for themselves to make money, not to make it easy for people. Luckily there are companies, however, that do provide an enormous amount of research and support for people, not just for their customers. However, you can get very confusing information when the same Trojan or Virus has six different aliases, and it's the user's problem to try and work it all out, not any of the companies'.
So this is Symantec's version of the trojan name, because I used NAV* at that time [*Norton Antivirus] [since then I have switched to Kaspersky, and now I use NOD32].
Alias:
Backdoor.Jeem
From Sysinternals Process Explorer:
\BaseNamedObjects\Jeem.p
Modules used by the process msrexe.exe running on the computer KonTr0L, using WinTasks Pro:
Name Executable
ADVAPI32.dll C:\WINDOWS\system32\ADVAPI32.dll
apitrap.dll C:\WINDOWS\System32\apitrap.dll
DNSAPI.dll C:\WINDOWS\System32\DNSAPI.dll
GDI32.dll C:\WINDOWS\system32\GDI32.dll
iphlpapi.dll C:\WINDOWS\System32\iphlpapi.dll
kernel32.dll C:\WINDOWS\system32\kernel32.dll
msvcrt.dll C:\WINDOWS\system32\msvcrt.dll
mswsock.dll C:\WINDOWS\system32\mswsock.dll
ntdll.dll C:\WINDOWS\System32\ntdll.dll
psapi.dll C:\WINDOWS\System32\psapi.dll
rasadhlp.dll C:\WINDOWS\System32\rasadhlp.dll
RPCRT4.dll C:\WINDOWS\system32\RPCRT4.dll
USER32.dll C:\WINDOWS\system32\USER32.dll
winrnr.dll C:\WINDOWS\System32\winrnr.dll
WLDAP32.dll C:\WINDOWS\system32\WLDAP32.dll
WS2_32.dll C:\WINDOWS\System32\WS2_32.dll
WS2HELP.dll C:\WINDOWS\System32\WS2HELP.dll
wshtcpip.dll C:\WINDOWS\System32\wshtcpip.dll
WSOCK32.dll C:\WINDOWS\System32\WSOCK32.dll
----------------------------------------------------------------------------------
SubSeven v2.1
Msrexe.exe
SubSeven v2.1 can use four different methods to load itself. It can use one or more of the methods mentioned below. To remove it, check all the alternatives below:
1. Open c:\windows\win.ini and look for the lines run=MSREXE.exe and load=MSREXE.exe. Delete 'MSREXE.exe' from these lines.
2. Open c:\windows\system.ini. Replace the line shell = Explorer.exe MSREXE.exe with shell = Explorer.exe.
3. Run regedit.exe and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Delete any keys with the value 'MSREXE.exe'.
4. Run regedit.exe and go to:
HKEY_CLASSES_ROOT\exefile\shell\open\command
If the trojan uses this method to load itself, the value in this key will typically be "WINDOS \"%1\" %*". Replace this value with "\"%1\" %*" (by simply removing WINDOS from the beginning of the line). By using this method, the SubSeven trojan is loaded into memory every time any .exe file is run. A side effect of this is that if you delete the trojan (i.e. WINDOS.exe) Windows will not be able to run any .exe program.
Reboot the computer and delete all infected files.
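As an added example (not part of the original guide), this Python script turns the four load methods above into a read-only audit: it parses win.ini and system.ini text, checks Run/RunServices values and the exefile open command for the names from the write-up, and reports what a manual clean-up would need to touch. The parsing functions take plain text and dicts so they can be run against copies taken off a suspect machine; `collect_from_windows()` gathers the live values and assumes %SystemRoot% holds the .ini files. The sample inputs are constructed.

```python
"""Read-only audit of the four SubSeven load points described above."""
import configparser
import sys
from typing import Dict, List

SUSPECT_NAMES = ("msrexe.exe", "windos.exe")   # file names from the write-up above
CLEAN_EXEFILE_COMMAND = '"%1" %*'              # stock value of HKCR\exefile\shell\open\command

def _read_ini(text: str) -> configparser.RawConfigParser:
    # Win9x-style .ini files repeat keys and carry value-less lines; stay lenient.
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.read_string(text)
    return cp

def win_ini_findings(win_ini: str) -> List[str]:
    """Programs started from the run= and load= lines in [windows] of win.ini."""
    cp = _read_ini(win_ini)
    out = []
    for key in ("run", "load"):
        for prog in (cp.get("windows", key, fallback="") or "").replace(",", " ").split():
            out.append(f"win.ini [windows] {key}= starts {prog}")
    return out

def system_ini_findings(system_ini: str) -> List[str]:
    """Anything riding along after shell=Explorer.exe in [boot] of system.ini."""
    cp = _read_ini(system_ini)
    shell = (cp.get("boot", "shell", fallback="") or "").split()
    return [f"system.ini [boot] shell= also loads {extra}"
            for extra in shell if extra.lower() != "explorer.exe"]

def run_key_findings(run_values: Dict[str, str]) -> List[str]:
    """run_values maps 'HKLM\\...\\Run\\Name' -> command line (see collect_from_windows)."""
    return [f"{name} starts {cmd}" for name, cmd in run_values.items()
            if any(n in cmd.lower() for n in SUSPECT_NAMES)]

def exefile_command_findings(command: str) -> List[str]:
    """A prefix in front of "%1" %* runs every time any .exe is launched."""
    if command.strip() == CLEAN_EXEFILE_COMMAND:
        return []
    return [f"exefile open command is {command!r}, expected {CLEAN_EXEFILE_COMMAND!r}"]

def audit(win_ini: str, system_ini: str, run_values: Dict[str, str],
          exefile_command: str) -> List[str]:
    return (win_ini_findings(win_ini) + system_ini_findings(system_ini)
            + run_key_findings(run_values) + exefile_command_findings(exefile_command))

def collect_from_windows():
    """Gather the live values on a Windows host; nothing is modified."""
    import os
    import winreg
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")   # assumption: .ini files live here

    def read(name: str) -> str:
        try:
            with open(os.path.join(root, name), encoding="mbcs", errors="replace") as fh:
                return fh.read()
        except OSError:
            return ""

    run_values: Dict[str, str] = {}
    for sub in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break   # ERROR_NO_MORE_ITEMS
                    run_values[f"HKLM\\{sub}\\{name}"] = str(value)
                    index += 1
        except OSError:
            pass   # RunServices only exists on Win9x/Me
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
            exefile_command, _ = winreg.QueryValueEx(key, "")
    except OSError:
        exefile_command = ""
    return read("win.ini"), read("system.ini"), run_values, str(exefile_command)

# Constructed inputs reproducing the infected state the removal steps describe.
SAMPLE_WIN_INI = "[windows]\nload=MSREXE.exe\nrun=MSREXE.exe\n\n[fonts]\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe MSREXE.exe\n"
SAMPLE_RUN_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msrexe": r"C:\WINDOWS\System32\msrexe.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Backup": r"C:\Tools\backup.exe /quiet",
}
SAMPLE_EXEFILE_COMMAND = 'WINDOS "%1" %*'

if __name__ == "__main__":
    inputs = collect_from_windows() if sys.platform == "win32" else (
        SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_RUN_VALUES, SAMPLE_EXEFILE_COMMAND)
    print("\n".join(audit(*inputs)) or "nothing found")
```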
