will redirect you to the IP x.x.x.x when you type http://google.com in your browser's address bar and hit “Go”. x.x.x.x can be an advertising site or another malicious site; you get the idea.
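A check for the hosts-file hijack described above, as an added example that is not part of the original article. It parses the hosts file format (the Windows copy lives at C:\Windows\System32\drivers\etc\hosts) and reports any watched domain, or subdomain of one, that is mapped to something other than a loopback or 0.0.0.0 sinkhole, since pointing ad hosts at 127.0.0.1 is a legitimate use of the file and must not be flagged. The sample hosts content, the 203.0.113.45 address (a documentation range standing in for x.x.x.x) and the watch list are all constructed assumptions.

```python
import ipaddress

# Constructed sample in Windows hosts-file syntax (not copied from any real machine).
# 203.0.113.0/24 is a documentation range, used here as the attacker's "x.x.x.x".
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
# lines below were added by something else
203.0.113.45    google.com www.google.com
203.0.113.45    paypal.com
127.0.0.1       ads.example.net   # sinkholing an ad host is a legitimate use
"""

# Addresses that only point the name back at the machine itself; this is how
# ad-blocking hosts files work and is not a redirect to a third party.
SINKHOLES = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

# Domains whose hijack would matter; an assumption for the example.
WATCHED = ("google.com", "paypal.com", "bank.example")


def parse_hosts(text):
    """Return [(ip, [hostnames]), ...] for each entry; comments and junk lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip inline and full-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                # malformed line: skip rather than guess
        entries.append((ip, parts[1:]))
    return entries


def find_hijacks(text, watched=WATCHED):
    """(hostname, ip) pairs where a watched domain or one of its subdomains
    resolves to something other than a local sinkhole address."""
    hits = []
    for ip, names in parse_hosts(text):
        if ip in SINKHOLES:
            continue
        for name in names:
            host = name.lower().rstrip(".")
            if any(host == w or host.endswith("." + w) for w in watched):
                hits.append((host, str(ip)))
    return hits


def check_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the check against a real file (default: the Windows location)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_hijacks(f.read())


if __name__ == "__main__":
    for host, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"{host} is redirected to {ip}")
```

On the sample the two google.com names and paypal.com are reported; ads.example.net is not, because 127.0.0.1 is a sinkhole rather than a redirect.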
Many users save their usernames and passwords in the browser's password manager; every modern browser offers to save a password after you use it. These passwords are stored encrypted, usually in the Application Data\…\Profile folder, or sometimes in the registry in the case of download managers such as Internet Download Manager.
On a normal Windows installation Mozilla Firefox stores the password database (signons.sqlite), the key file (key3.db, which holds the key that encrypts and decrypts the stored credentials) and the certificate database (cert8.db) in:
C:\Documents and Settings\%username%\Application Data\Mozilla\Firefox\Profiles
Users think their passwords are safe because they are long, contain special characters, numbers and letters, and sit in an encrypted database. The real problem is that an attacker with access to the machine's storage can copy the whole browser profile folder, key file, certificate database and signons database included, and decrypt the passwords with very little effort on his own computer. Without a Firefox master password the key in key3.db is protected by an empty password, so possession of the files is all that is needed; setting a master password encrypts that key and forces an offline attacker to guess the master password first. Programs such as Firepassword, useful as they are, can therefore be put to criminal use: decrypting and stealing saved Mozilla Firefox passwords.
The same goes for premium file-hosting accounts: they are easily stolen by reading the registry keys and values where download managers save their passwords, encrypted or not. In fact, a single stolen e-mail password is enough. The attacker requests a “Forgotten password” reset on sites picked more or less at random (rapidshare.com, hotfile.com, paypal.com and other sites of interest), often finds active accounts belonging to the victim, and once the reset lands in the mailbox he controls, getting into those accounts is a piece of cake. Using these methods, privacy is gone and the attacker can log into banking sites or make online payments very easily, for example from your PayPal account, deleting the confirmation e-mail PayPal sends when the transaction completes so that the victim notices nothing. The victim learns about the fraudulent transactions from the monthly bank statement, when it is too late. To avoid all this, it is recommended NOT to use the browser's password-saving feature.
Using a trojan, an attacker can monitor your computer in real time: your webcam, your running processes (which he can kill, an antivirus for example); he can take screenshots, use your computer to send spam, wipe your entire hard disk; in a few words, he owns your computer.
A trojan can bypass traditional signature-based detection with the help of an executable crypter. Crypters are programs that obfuscate and encrypt the trojan body and then attach a small stub to the resulting executable whose job is to decrypt it. The trojan is encrypted with a password and one of several algorithms, such as DES, Blowfish, AES (Rijndael), RC4, GOST or Twofish. The stub, which also carries the password used for encryption, decrypts the trojan and runs it in RAM, which very often avoids antivirus detection.
On installation, the trojan injects itself into the default browser process or the instant messenger process, but any other “host” process can be chosen by the attacker when the trojan is built. The attacker can also pick any name and any icon for the trojan, as well as the IP address and port (between 0 and 65535) it connects to. We very often read on security forums that a trojan's executable has a certain name, or that it drops a file with a certain name in the Temporary folder, but that name is completely arbitrary, chosen by the attacker. The installation folder can likewise be the Temporary folder, the System folder, the Application Data folder or any other folder. Details about what the trojan does, what it is called or what registry value it writes to disk are of little use as indicators, because these variables differ from one infection to the next.
Trojans very often use reverse connections (the infected machine connects out to the attacker) for their communications, which lets them pass easily through even a strict firewall, and the traffic is often encrypted, for example with the Camellia algorithm and a key, so sniffing it reveals little about its nature.
Trojans also use various methods, such as entries in the registry Run keys or in the StartUp files or folder, to make sure they run again at system start-up (boot time). For example, registry keys that run a program at boot:
But there are many, many more registry keys that cause programs to run each time a user logs on, and antivirus monitoring of registry keys often catches nothing.
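To make the Run-key check concrete, here is an added example in Python (not code from the original article) that reads a .reg file in the format reg.exe writes, looks only at the standard autostart keys HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run and RunOnce, and flags any entry whose executable lives in a Temp, Application Data or AppData directory, the install locations mentioned above. The sample export, including the msupdate.exe and winlogon.exe entries, is constructed, and the list of flagged directories is a heuristic assumption; a clean path is not proof of a clean program.

```python
import re

# Standard autostart keys; a trojan that wants to survive a reboot usually lands in one of these.
AUTOSTART_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
_AUTOSTART_LOWER = {k.lower() for k in AUTOSTART_KEYS}

# Directories a legitimate autostart program rarely lives in; a heuristic assumption.
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\appdata\\", "\\application data\\",
                   "\\local settings\\", "%temp%")

# Constructed .reg export (the format "reg export" writes); no entry comes from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"msupdate"="C:\\WINDOWS\\Temp\\msupdate.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winlogon"="\"C:\\Documents and Settings\\bob\\Application Data\\winlogon.exe\" -silent"
'''

# "name"="data" with .reg escaping (\\ for a backslash, \" for a quote).
# dword:/hex: values do not match and are skipped; Run entries are almost always REG_SZ.
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: a backslash followed by any character yields that character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """{key_path: {value_name: data}} for the string values in a .reg file."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # "[-HKEY...]" delete markers stay verbatim and never match a key
            keys.setdefault(current, {})
        elif current is not None:
            m = _STRING_VALUE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def command_path(cmd):
    """Executable path from a Run value: the quoted part, or else the first token.
    An unquoted path containing spaces is ambiguous; this heuristic takes the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def suspicious_autostarts(text):
    """(key, value name, path) for autostart entries whose executable sits in a temp or profile dir."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in _AUTOSTART_LOWER:
            continue
        for name, cmd in values.items():
            path = command_path(cmd)
            if any(marker in path.lower() for marker in SUSPICIOUS_DIRS):
                findings.append((key, name, path))
    return findings


def check_reg_file(path):
    """reg.exe exports are UTF-16 LE with a BOM; the 'utf-16' codec consumes the BOM."""
    with open(path, encoding="utf-16") as f:
        return suspicious_autostarts(f.read())


if __name__ == "__main__":
    for key, name, path in suspicious_autostarts(SAMPLE_REG):
        print(f"[{key}] {name!r} -> {path}")
```

On the sample, msupdate.exe in C:\WINDOWS\Temp and winlogon.exe in the user's Application Data folder are reported; the VMware and ctfmon entries under Program Files and system32 are not. Exporting the real keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and passing run.reg to check_reg_file applies the same check to a live machine.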
The most effective way to prevent infection with trojans or other malicious code is to download programs only from trusted sources, to run an up-to-date antivirus, and to scan with a multi-engine online scanning service like those listed on the home page of this site.
Two further subcategories of trojans are droppers and downloaders.
Droppers are trojans that carry other malicious programs inside them. Once installed, a dropper silently decompresses and runs its payload. Many online advertising companies have used trojan droppers to silently plant adware or spyware on compromised systems. Because the embedded programs are decompressed and run directly in memory, antivirus products fail to find them on the hard disk: to save resources, antivirus scanners concentrate on disk operations such as reads and writes and pay much less attention to what happens in RAM, which is why decrypting spyware directly in memory is a favourite technique of malware authors.
Downloaders are tiny trojans, but they are very widely used. Their goal is to download one or more files from a site and execute them. They are very hard for antivirus products to detect because they do only a few things: connect to a site, download a file, sometimes rename it to .exe (the downloaded file is often a fake .jpg, .gif or .mp3) and run it. The downloaded files are, of course, always malicious code: trojans, worms or spyware. To prevent these infections, it is recommended to use a firewall or a program that monitors network activity.
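Two of the points above, the crypted body that a stub decrypts at run time and the fake .jpg that is really an executable, can both be checked on a downloaded file before anything runs it. The following Python triage is an added example, not code from the article: it sniffs the file's magic bytes, compares the detected type with the extension, and measures the Shannon entropy of MZ files, since an encrypted or packed body comes out close to 8 bits per byte while ordinary code and text sit far lower. The sample files are constructed inside the block (the SHA-256-chained bytes stand in for a crypted payload; no real malware is involved), the magic-byte table covers only the types the article names, and the 7.2 bits/byte threshold is an assumption.

```python
import hashlib
import math

# Magic bytes for the types the article mentions; deliberately limited to these few.
MAGIC = {
    b"MZ": "pe-executable",    # DOS/PE header
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"ID3": "mp3",             # ID3 tag; untagged MP3s start with a frame sync and fall through to "unknown"
}
EXPECTED_BY_EXT = {"exe": "pe-executable", "dll": "pe-executable", "scr": "pe-executable",
                   "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "mp3": "mp3"}
ENTROPY_THRESHOLD = 7.2   # bits/byte; plain x86 code and text sit well below, crypted bodies near 8


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sniff_type(data):
    """Type from the leading bytes, ignoring whatever the file is called."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def triage(filename, data):
    """Return (detected type, [warnings]) for a file a downloader might have fetched."""
    kind = sniff_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXPECTED_BY_EXT.get(ext)
    warnings = []
    if expected and kind != "unknown" and kind != expected:
        warnings.append(f"extension .{ext} but content is {kind}")
    if kind == "pe-executable":
        e = shannon_entropy(data)
        if e >= ENTROPY_THRESHOLD:
            warnings.append(f"high entropy ({e:.2f} bits/byte): packed or crypted body")
    return kind, warnings


def pseudo_random_bytes(n, seed=b"crypted-stub-demo"):
    """Deterministic stand-in for an encrypted payload (constructed; contains no code)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: a "picture" that is really a crypted executable, a JPEG-looking file,
# and an uncrypted executable whose body is ordinary low-entropy text.
SAMPLES = {
    "holiday.jpg": b"MZ" + pseudo_random_bytes(8192),
    "photo.jpg":   b"\xff\xd8\xff\xe0" + b"\x00" * 100,
    "setup.exe":   b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 200,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        kind, warnings = triage(name, blob)
        print(f"{name}: {kind} {warnings}")
```

holiday.jpg gets both warnings (an MZ header behind a .jpg extension, and a body near 8 bits/byte); photo.jpg and setup.exe get none. Entropy alone is only a hint: legitimate installers and compressed resources also score high, which is why the check is paired with the type mismatch rather than used on its own.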