Malicious code, types and trends–part 2

Trojans
These days we can see a dramatic upsurge in computer infections with trojans; they are the preferred tools of hackers. As in the old legend of the Trojan Horse, this type of malware masquerades as a useful program or is hidden (bound) inside a useful program, tricking the user into executing it, either as it is or together with the program that carries it. A Trojan horse neither replicates nor copies itself, but the damage it brings to the computer is huge. Once installed on a system, it gives the hacker the ability to download or upload and execute other malware on the compromised system, to steal passwords and other documents, to change settings or the registry, or to edit important system files like the “hosts” file.
The “hosts” file exists on any Windows-based system and is consulted before any DNS lookup is performed. Editing this file can enable phishing attacks or can stop antivirus software from connecting to its update site. The file has no extension but is a plain text file that can be viewed with Notepad, and its original content is this single entry:

127.0.0.1     localhost

Adding a second line can map a host name to another IP address, which can be a phishing site asking you for your login credentials or a redirect to an advertising site. For example, this line:

x.x.x.x      google.com

will send you to the IP x.x.x.x when you type http://google.com in your browser's address bar and hit “Go”. x.x.x.x can be an advertising site or another malicious site; you get the idea.
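As an added example, not code from the original post, here is a small integrity check that parses a hosts file and flags any name mapped to an address outside the machine itself, which is exactly the redirect pattern described above. The sample file is constructed, and the address 203.0.113.45 is a documentation IP standing in for x.x.x.x.

```python
import ipaddress

# Constructed sample hosts file: the stock loopback entries plus the kind of
# redirect the article describes (a well-known name mapped to an outside IP).
# On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    google.com www.google.com   # constructed phishing redirect
0.0.0.0         ads.example.net             # constructed ad-blocking entry
"""

# Names that legitimately resolve to the machine itself on a stock system.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip_address, [hostnames]) for each usable line of a hosts file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address, not a usable entry
        yield ip, fields[1:]


def find_hijacks(text):
    """Return (hostname, ip) pairs that point a real name at an address
    outside this machine, i.e. the redirect pattern described above.

    Loopback and 0.0.0.0 mappings are tolerated: that is how ad-blocking
    hosts lists work, and they cannot send the browser to a third party."""
    findings = []
    for ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                findings.append((name, str(ip)))
    return findings


if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```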

A lot of computer users save their usernames and passwords in the browser's password manager; every modern browser offers to save a password you have just used. These passwords are encrypted and saved mostly in an Application Data\…\Profile folder, or sometimes in the registry in the case of download managers, for example Internet Download Manager.

In a normal Windows installation Mozilla Firefox saves the password database (signons.sqlite), the key file (key3.db) and the certificate file (cert8.db) used for encryption and decryption in:

C:\Documents and Settings\%username%\Application Data\Mozilla\Firefox\Profiles

Users think their passwords are safe because they are long enough, contain special characters, numbers and letters, and are stored in an encrypted database, but the main problem is that a hacker who has access to the whole storage of the computer can download the entire browser Profile folder, with the key, certificate and signons database files, and decrypt the passwords extremely easily on his own computer. So programs such as Firepassword, though useful, can be used in criminal activities such as decrypting and stealing Mozilla Firefox saved passwords.

The same goes for premium file-hosting accounts, which can easily be stolen by reading the registry keys and values where download managers save the passwords, encrypted or not. In fact, a single stolen email password is enough for the hacker: he can request a “Forgotten password” reset on randomly picked sites (rapidshare.com, hotfile.com, paypal.com and other sites of interest) and will often find active accounts belonging to the victim, and getting into those accounts is a piece of cake once the right username and password have been found. With these methods privacy is gone, and the hacker can very easily access banking sites or make online transactions, for example using your PayPal account and quickly deleting the confirmation email received from PayPal once the transaction is finished, so the victims are not aware of what is happening; they will learn about the fraudulent transactions from the monthly bank statement, when it is too late. To prevent all this trouble it is recommended NOT to use the browser's password-saving facility.

Using a trojan, a hacker can monitor your computer in real time, watch your webcam, list your running processes and kill them (for example an antivirus), take screenshots, use your computer to send spam, and delete your entire hard disk; in a few words, he owns your computer.

A trojan can bypass traditional signature-based detection by means of an executable crypter. Crypters are programs that obfuscate and encrypt the trojan body and then attach a small stub, whose role is decryption, to the resulting executable. The trojans are encrypted using passwords and various encryption algorithms such as DES, Blowfish, AES (Rijndael), RC4, GOST or Twofish. The stub, which also has the encryption password appended, decrypts the trojan and runs it in RAM, thus very often avoiding antivirus detection. When installing, the trojan injects itself into the default browser process or an instant-messenger process, but any other “host” process can be chosen by the hacker when the trojan is built. The hacker can also choose any name and any icon for the trojan, and can choose which IP it connects to and which port is used, between 0 and 65536. Very often we read in security forums that a trojan has a certain name for its executable, or drops a file with a certain name in the Temporary folder, but this name is totally random, chosen by the hacker. Likewise the installation folder can be the Temporary folder, the System folder, the Application Data folder or any other folder. Details about what the trojan does, what name it has or what registry value it writes to the hard disk are worthless, because these variables always differ from infection to infection.

Very often trojans use reverse connections for their communications, so they can easily bypass a strong firewall, and the communications are even encrypted, for example with the Camellia algorithm and a key, so sniffing the traffic will not reveal much about its nature.

Trojans also want to be sure they will run again at system start-up (boot time), using various methods such as writing to the StartUp keys in the registry or to the StartUp files or folder. For example, registry keys which run a program at computer boot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

or

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

But there are many, many more registry keys that cause programs to run each time a user logs on, and monitoring of registry keys by antivirus software often gives NO results.
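As an added example, not from the original post, here is a checker that reads a `reg export` dump of the two Run keys above and flags entries that start a program from the Temporary or Application Data folders named in this article as typical install locations. The registry dump, value names and file paths are constructed for the example.

```python
import re

# Constructed `reg export` output for the two Run keys named above; the value
# names and paths are made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AvUpdater"="\"C:\\Program Files\\ExampleAV\\updater.exe\" /silent"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\Documents and Settings\\alice\\Local Settings\\Temp\\svchost.exe"
"Updater"="\"C:\\Documents and Settings\\alice\\Application Data\\wmupd.exe\" -s"
'''

# User-writable folders the article lists as typical trojan install locations.
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\local settings\\", "\\appdata\\")

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for each string value; undoes .reg escaping."""
    key = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            # .reg files write a quote as backslash-quote and a backslash doubled
            yield key, m.group("name"), m.group("data").replace('\\"', '"').replace("\\\\", "\\")


def executable_path(command):
    """Extract the program path from an autorun command line (quoted or bare)."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    i = command.lower().find(".exe")
    return command[:i + 4] if i != -1 else command.split()[0]


def audit_run_keys(text):
    """Return (hive, value_name, path) for Run/RunOnce entries whose program
    lives in a user-writable folder; this is a triage list, not a verdict."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.split("\\")[-1] not in ("Run", "RunOnce"):
            continue
        path = executable_path(data)
        if any(d in path.lower() for d in SUSPECT_DIRS):
            findings.append((key.split("\\")[0], name, path))
    return findings
```

On a live machine the same functions can be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; the Program Files entry is left alone while the two per-user entries are reported.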

The only way to prevent computer infections with trojans or other malicious code is to download programs only from trusted sources, to run an up-to-date antivirus, and to scan with multi-engine online scanning services like those posted on the home page of this site.

Other subcategories of trojans are Droppers and Downloaders.

Droppers are trojans that contain other malicious programs inside. Once the trojan is installed, it decompresses and secretly runs its payload. There are a lot of online advertising companies that use Trojan-Droppers to silently drop their adware or spyware onto compromised systems. By decompressing these malicious programs directly in memory and running them, the dropper makes sure antiviruses fail to detect them on the hard disk. To avoid consuming resources, antiviruses scan mostly hard-disk operations like reads and writes and not so much RAM operations, so decrypting spyware directly in memory is often used by malware creators.

Downloaders are tiny trojans, but very widely used. Their goal is to download one or more files from a site and execute them. It is very difficult for antiviruses to detect them, because they perform only a few operations: they connect to a site, download a file, sometimes change its extension to .exe (because the downloaded file can be a fake .jpg, .gif or .mp3 file) and execute it. Of course the downloaded files are always malicious code: trojans, worms or spyware. To prevent these infections, it is recommended to use a firewall or a program for monitoring network activity.

Posted in Thoughts.
