If you missed the other articles in this series please read:
In this article series we will profile a trojan in action, as exemplified by a fictional, but all too possible scenario. The trojan that will be used is Optix Pro, and I have deliberately not included a link to it. For those of you who wish to play with it in a lab setting then I am sure you are savvy enough to find it. Optix Pro is very much a full featured RAT, aka remote administration tool. It is surprisingly functional with its rich set of commands, and could very easily be a commercial tool were it not for its underground roots.
There is a key point to recognize about a trojan that differentiates it from other well known security issues such as buffer overflows, and format string attacks. A trojan in and of itself does not leverage a specific code flaw found in a program, but rather it is installed onto a remote computer where it will open a socket. This socket now open on the victim's computer, is then connected to by a person with a malicious intent in most cases. Much like the rest of the computer world, a trojan will also act on the client/server model ie: Internet Explorer to Microsoft IIS web server. This trojan is very much the same in such that it has, both a server, and a client.
Dawn of the trojan
The first really well known trojan was Back Orifice, and was coded by one of the best known hacking collectives of its day; Cult of the Dead Cow. Where as the Back Orifice trojan back in 1998 was relatively crude in nature, other trojans such as Optix Pro are far more sophisticated, and lethal. We will see over the course of this article series what some of these sophisticated features are; notably, the ability to kill most every firewall and anti-virus product out there today. Plus several other neat design features will be shown.
It should be noted that there is a specific reason that I have chosen the fictional background setting of the college campus. Many college, and universities have a very delicate balancing act to perform when it comes to computer network security, versus freedom of access to the internet for the student body. I was an invited guest speaker at Lockdown 2004 where I spoke on a topic other then trojans. During my short time there the University of Wisconsin has seemingly done an admirable job of balancing both needs, as per my discussion with Jeffery Savoy the information security officer there. That plus listening to other speakers there.
Let's have a look
Now with that being said, let's begin to flesh out our fictional college network so that you can visualize what it looks like. Well, as you can see below there is nothing remarkable in the design of it, nor is it particularly a hardened network design. The only things I have not shown are the server farms as they are not really germane to this article. In reality, this network is what is called a flat network, and is actually commonplace today. One of the local colleges here in Ottawa had such a design.
To explain further for those of you who may not understand the setup, as seen above, there is the edge router first, or border gateway. Behind this is the firewall, which is placed there to reduce the load. There is no need to have it at the router so that it must parse all traffic directed towards the college network. Far simpler to have it behind where it need only deal with the traffic allowed through the router, and on into the college network. Directly behind the firewall we have the college's main switch. Behind the main switch, are the various departmental switches, such as one for major departments, and accounting for example.
Well we have pretty much laid down all the groundwork that is required to understand, what is to follow. The only exception being is how the college class rooms themselves are actually wired for internal LAN access. At the beginning of the scholastic year all students were handed diagrams, for each class they attended. On this diagram was a rendering of what seat had what IP address assigned to it. Also on the classroom network diagram was the class professors IP address. This was done so that students could access from their seats, any and all class assignments plus other pertinent class data. We will see later on, how this setup helps the college's IT staff catch themselves a hacker.
Our lazy student John
John was a second year student at our fictional college, and had just scraped through his first year. He has also discovered the marvel that is IRC, and discovered through his IRC chats, what he believed would be his deliverance. You see John was failing his math class quite badly, and needed to pass it, to finish his diploma. John had begun to spend quite a bit of time researching malware, and networks in general. With his knowledge he felt pretty good about his chances of obtaining a copy of the upcoming math exam from his professor's computer. Due to the layout of the college network he did not think he could infect the match professor's computer remotely from his home.
John remembered though that every seat in the math classroom had a CAT 5 jack for student laptops, so that they could access the math professor's computer for homework assignments. Not only that but John also knew that the college had the professors keep an open door policy for their offices, in an attempt to foster the student-teacher relationship. From this began John's plan to gain physical access to the professor's computer, and infect it himself with his trojan. The beauty of it did not end there though. Due to the classroom having CAT 5 jacks to allow access to the professor's computer he would be able to look for the math exam while in class! This was great, as the professor would not be there himself to detect anything while he looked through the professor's computer, as he would be in class teaching!
Physical access is bad
With all of this in John's head he now decided to take a trial run, as it were to determine the feasibility, of his master plan. At class the next day he excused himself while the professor was droning on, about some formula, or other. Once out of class John made a beeline for the professor's office, and walked on past it while looking inside. It was decidedly empty, as the professor was in class teaching. John kept trucking on past to the washroom, and made up him mind to infect the professor's computer on the way back to class. John had brought his USB stick with him, and the trojan server on it. All John had to do was configure the server quickly, and get back to class. Should anyone walk in while he was doing it, he would simply say he was writing a note on the professor's computer that he was sick and going home. Quite ingenious John thought! With that in mind John walked into the professor's office, and sat down at the computer. John noticed there was an anti-virus product there which he disabled. He then plugged in his USB stick and transferred over his trojan server.
Now John was faced with the "main menu" as it were, to configure the trojan server settings. He would need to quickly go through several of these, to make the caper work. On that note, we will break the article here, and in the second part go through the configuration of the trojan server. Also we will begin to see how it is connected to. Until then!
If you missed the other articles in this series please read: