Trojan Horse Primer
"For a complete guide to security, check out 'Security+ Study Guide and DVD Training System' from Amazon.com"
A Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining or erasing data on your hard drive. A Trojan horse may be widely redistributed as part of a computer virus. The term comes from Homer's Iliad. In the Trojan War, the Greeks presented the citizens of Troy with a large wooden horse in which they had secretly hidden their warriors. During the night, the warriors emerged from the wooden horse and overran the city.
A Trojan can cause massive harm to you and your systems and worse yet, may turn your system into a killing machine as well! Lets look at Back Orifice specifically so we can highlight why a tool like this can get ugly if installed on your systems.
Back Orifice consists of two key pieces: a client application and a server application. The way Back Orifice works is that the client application runs on one machine and the server application runs on a different machine. The client application connects to another machine using the server application. The confusing part here is... the server is what is installed on the victim. Many people confuse this because it doesn't seem logical, but that's how it works. The only way for the server application of Back Orifice to be installed on a machine is to be deliberately installed. Obviously, the Trojan does not come with a default installation of Windows 2000, so you must find a way to get the victim to install it. This preludes to our last discussion on how Betty installed that beautiful Screensaver that was obviously (to you, not her) the BO2K.exe server.
Working with the BO2K Server Configuration
Newer versions of the server executable are downright sneaky. The executables don't show up because they are transparent. This is an evolving tool, evolving into total stealth mode for any attacker to take advantage of your systems with. You really need to be aware of not just this tool, but also any Trojan like it. BO2K just happens to be one of the most popular and well known. The figure above shows you that the tool is highly configurable and intuitive. No C++ programming and Shell Scripting knowledge needed here!
Adding servers to the server list
Since we know that anyone could be tricked to install the Trojan, we know exactly how the attacker will get the code on the victim machine. The attacker either has to install the server application on the target machine or trick the user of the target machine into doing so - more likely that it will be a trick. This is the reason why the server application (BO2K.exe) is commonly disguised as something other than a Trojan horse. After the server application has been installed, the client machine can transfer files to and from the target machine, execute an application on the target machine, restart or lockup the target machine, and log keystrokes from the target machine. All of these operations are of value to a hacker.
The server application is a single executable file, just over 122 kilobytes in size. The application creates a copy of itself in the Windows system directory and adds a value containing its filename to the Windows registry under the key:
The specific registry value that points to the server application is configurable. By doing so, the server application always starts whenever Windows starts, therefore is always functioning. One additional benefit of Back Orifice is that the application will not appear in the Windows task list, rendering it invisible to the naked eye. After first being initialized, it does its owner a favor and drops out of site. Sneaky huh?
The Back Orifice Trojan horse server will create hell for any network, but it takes a little network knowledge to get it operational. The creators made the tool to exploit the Windows based operating system, plain and simple. Many could argue in the days of its inception that it was nothing more than a remote access tool, but if you think about the functionality of the tool and where it came from, it was more that just a tool for remote access, it was a wake up call to Microsoft that their systems were just as susceptible to Unix based Root Kit type of applications as well. All it took was a little 'know how', and the tool and you were in business. There are some limitations though... Possibly the two most critical limitations to the Back Orifice Trojan Horse are that the attacker must know the IP address of the target machine and that there cannot be a firewall between the target machine and the attacker. A firewall makes it virtually impossible for the two machines to communicate most likely because the firewall is blocking a port that the B02K Trojan would be operational on. Yes, newer versions of the tool are known to operate on a wider range of ports, but this all goes back to my initial discussion on how most companies haven't invested in the security of their networks, or have people on staff that know this information either. That's really where the problem stems from. From the figure below, you can see that this is not a cheesy tool, it's a GUI based hacking nightmare. There are even Wizards that walk you through initial configuration... how can it get easier than that?
BO2K Configuration Wizard
Another common remote control Trojan horse is named the Subseven Trojan. This Trojan is also sent as an e-mail attachment and after it is executed can display a customized message that often misleads the victim. Actually, the customized message is intended to mislead the victim. This particular program will allow someone to have nearly full control of the victim's computer with the ability to delete folders and/or files. It also uses a function that displays something like a continuous screen cam, which allows the hacker to see screen shots of the victim's computer.
In general, be aware of Malware, the types and how they get on your systems. For the exam, be aware the general Malware concepts and for the field, make sure you are very aware of the damage that Malware can cause your Microsoft systems.
Visit TrojanScan.com for a free online trojan scan to see whether your system is infected.