Trojans/ Backdoors - My observations


slarty
May 1st, 2003, 12:21 PM
Who is this tut for? This is for all those people who *keep* posting the same old threads.

We have all read the other tuts about Trojans etc. and know what they are; here I attempt to dispel some myths.

Myth 1: Virus checkers will protect you
This is untrue.

Virus checkers mostly work by comparing programs against signatures in their databases. They are very stupid in this respect (I'm not knocking them per se). This works very well against viruses, as each virus exists in huge numbers, and they're all the same. This does not work against trojans.

Clearly a backdoor program (not necessarily a trojan) can be hand-crafted on a per-installation basis, therefore there will not be another one in existence that is the same. No virus scanner can have it in its database, because it has never been seen before.

Virus checkers have signatures of well known binary-distributed backdoor "blackhat" programs in their databases. This mostly prevents kiddies. It will do nothing against an adversary who rolls their own, or compiles a modified version of a source-code distributed one.

Some experiments showed that changing compiler options or using a different compiler was entirely sufficient to mask even well-known backdoors from any virus checker.

Some use "Heuristics", which is extremely unreliable, as it creates a lot of false positives. Also, you don't *know* exactly what a given backdoor is going to do.

Myth 2: firewalls will protect you

So you think firewalls will protect you? No.

There are two types of firewall - network and application. The former are common in companies and filter packets on a rule-basis or by stateful inspection. They won't help, because a backdoor program can disguise its malicious traffic as normal traffic.

Application firewalls won't help either. These are common on desktops, and often used by home users. However, a backdoor can easily get around them, by masquerading as a normal application and creating an innocent type of traffic.

Myth 3: backdoors listen on "ports"

This is untrue too. It is entirely unnecessary for a piece of mal-ware to listen on a "port", whatever that means.

Complete remote control can be obtained without the need to listen on any ports, or show up on "netstat".

They can simply make innocent-looking connections in an outward direction from time to time, looking for commands.

They can operate by sending and receiving covert emails through your email program.

They can use the port-less ICMP or raw sockets.

Conclusions

1. No amount of off-the-shelf security products will protect you against every back-door or trojan.
2. The recipes for detecting them (netstat, looking at the registry, process listing) often cited on AO can be fooled fairly easily.
3. The ONLY WAY of preventing backdoors from taking over your computer is to engage in safe computing practices. There are no other measures which are effective. So DON'T open that attachment, don't download that crack and don't install that suspect program.

King of CaveMen
May 1st, 2003, 02:54 PM
You can also switch to Linux and not have to worry about a lot of the crap that goes along with Windows boxes. Nonetheless, you made some good points.

MemorY
May 1st, 2003, 03:00 PM
Very nice points there ... lots of stuff I didn't know about firewalls not protecting ... tx

SirDice
May 1st, 2003, 03:09 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by King of CaveMen
You can also switch to Linux and not have to worry about a lot of the crap that goes along with Windows boxes.

In a way this is true and false. On un*x you don't have to worry about Windows viruses, that's true. But all un*xes have their own specific little problems that make this a false statement. What Slarty wrote is true for all operating systems (not just Windows).

sickyourIT
May 1st, 2003, 03:56 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by King of CaveMen
You can also switch to Linux and not have to worry about a lot of the crap that goes along with Windows boxes. Nonetheless, you made some good points.

I love it how people think that Linux is the best thing in the world, with absolutely no viruses written for it, user-friendliness, worldwide program compatibility.

Get real. Some people can't use Linux for very obvious reasons.... Half of the world doesn't write programs for Linux, including most of the big industry stuff. Some people are by default married to Windows, and there ain't a thing to be done about it (I'm luckily not one of those, but you get my point).

Linux is not for everyone. Stop offering "switch to Linux" as a solution for a simple virus or trojan problem. It doesn't make sense, nor is it economical to ditch the OS you just paid a few hundred for.

Shakira
May 1st, 2003, 04:06 PM
Are you suggesting that we should discard our firewall totally?

I also heard some posters telling us Zone Alarm sucks. I wonder whether these posters are trying to ask people to switch to other firewalls because they discover that they could not hack those who are using Zone Alarm.

It is very difficult to tell who is telling the truth in the forum if you are a newbie like me who has a lot to learn about network security.

bballad
May 1st, 2003, 04:07 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by King of CaveMen
You can also switch to Linux and not have to worry about a lot of the crap that goes along with Windows boxes. Nonetheless, you made some good points.

I am assuming that you have never heard of a rootkit; trojans like a rootkit are the bane of a Unix admin's existence. They are a pain to find, and a pain to clean.

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by Shakira
Are you suggesting that we should discard our firewall totally?

I also heard some posters telling us Zone Alarm sucks. I wonder whether these posters are trying to ask people to switch to other firewalls because they discover that they could not hack those who are using Zone Alarm.

It is very difficult to tell who is telling the truth in the forum if you are a newbie like me who has a lot to learn about network security.

I don't think the suggestion was to discard a firewall. Just understand that you are not 100% secure just because you have a firewall. It's a great tool but not the be-all and end-all of network security; nothing is. This is why the concept of security in depth is so important.

On another note, a tool that should be added to everyone's kit is spy++. It's a great little tool that can be used to find Trojans and other malicious code bits if you know what to look for. I haven't had anything hidden from it yet, and it lets you know all the interesting stuff going on in the background.

slarty
May 1st, 2003, 04:16 PM
Ok, I'm going to attempt to respond:

You can also switch to Linux and not have to worry about a lot of the crap...

Not at all. None of the stuff in the article was platform-specific, all the points APPLY EQUALLY to Linux or any other OS for that matter.

Are you suggesting that we should discard our firewall totally?

No, firewalls are valuable for preventing most attacks; they just won't necessarily help against backdoors installed locally. In many cases, they will still be effective at preventing the backdoors from being installed in the first place.

This is a theoretical article which examines what backdoors CAN do. It has very little to do with what backdoors DO do. In fact, most are much more stupid and use few if any of the techniques I mentioned. Also (thankfully) most of the people using them are equally, if not more, stupid.

I'm not for a minute suggesting that people abandon virus scanners and firewalls, they do their job very well. They just have limits.

thehorse13
May 1st, 2003, 04:40 PM
A statement that I make to *anyone* who asks:

There is no such thing as a 100% secure network - period.

This is for obvious reasons, many of which are noted very well by Slarty. The information given in this thread is accurate. For that reason alone, layered approaches to network security are in place in many (not all) IT shops. This includes security awareness training which stresses safe computing techniques.

--My two cents

jaxxofdeath
May 15th, 2003, 10:30 PM
Nice post, but a virus scanner will not protect you from a slight change in the code of a trojan like Back Orifice. If they configure it at all, more than likely the scanner won't detect it until it is running, and sometimes the trojan has specified directories to delete like C:\program files\norton or C:\windows\netstat. And by the way, I agree with sickyourIT that an OS switch isn't the answer.

oddball
May 18th, 2003, 10:22 PM
It is very difficult to tell who is telling the truth in the forum if you are a newbie like me who has a lot to learn about network security.

Now you have done it; never point out the truth, it will get you anti-points and you will get banned. You have more than likely got a warning now, so your best bet is to become very smart and give good answers and ask smart questions (how you're supposed to know a smart question from a bad one when you're a newbie...). Or get your nose stuck up someone's butt crack real quick, but remember, do not point out the facts. :D

ET1/SS
May 18th, 2003, 11:46 PM
Great topic! ... Along with AV, firewalls, Watch Guards and intrusion detection, I would suggest utilizing a system that only allows a list of particular programs to run on your computer.

ISS' BlackICE has a basic one that is coupled with their IDS. While you can still get around this, it makes it infinitely more difficult.

.02

TwistedSnyper
May 19th, 2003, 04:39 AM
Wow, great post man. There is a lot in there that I didn't know about virus scanners and firewalls. Well, I think I'm gonna save that one to my desktop so I can read it many times over. Great post, keep up the good work. -Twisted-

Dagreat1
May 19th, 2003, 06:23 AM
They can use the port-less ICMP

Would you care to explain this, or maybe direct me towards a URL.

HippoDuck
May 19th, 2003, 07:19 AM
I want to ask about myth 3 as I don't understand it :/
"It is entirely unnecessary for a piece of mal-ware to listen on a "port", whatever that means"

I thought that if a program does not listen to traffic, it is not going to communicate, and if it opens a connection even from time to time, that is opening a port that a software firewall should alert the user about?

If the trojan is to communicate over the net, it has to use TCP/IP to be able to communicate over routers, and that means opening ports? I do not know what port-less TCP/IP is, but on a hardware firewall one opens some ports and drops all other traffic. If some traffic is port-less, it should not go through the firewall.

I'm not saying it is so, just asking....

The nice thing about software firewalls is that they do not only look at what port and IP is used to communicate, they also look at what program is communicating. So even if a trojan was to use a well known port, the firewall should alert the user because a strange program is using the net?

Or do you (slarty) mean that a trojan can operate in the same subnet (behind the same router) and that way somehow communicate without listening / opening ports?

I do agree that software firewalls do not protect the home user 100%. But they should catch any new programs trying to communicate over TCP/IP.

The problem with this, how I see it, is that when I allow multiplayer games, ICQ etc. to use the Internet, someone can use the security holes of those allowed programs to do their malicious stuff :(

Please note that I'm not an expert on TCP/IP and I'm just asking about this.

slarty
May 19th, 2003, 10:25 AM
I thought that if a program does not listen to traffic, it is not going to communicate, and if it opens a connection even from time to time, that is opening a port that a software firewall should alert the user about?


Note that I refer to your "software firewalls" as "host firewalls" - not all software firewalls are "host firewalls"


There are two possibilities (as I stated)

- It uses non TCP/UDP IP traffic, for example ICMP or some other IP protocol. The host firewalls *may* protect you from this by restricting this in the same way as TCP / UDP. To do this, it will need to open ICMP or RAW sockets, something which may be restricted by the host firewall.

The other is much more sinister

- It "piggybacks" its traffic on some existing program and protocol. Rather than doing its own networking, the backdoor uses your web browser or your mail client to communicate. It communicates using email or HTTP requests.

The host firewalls won't protect against that, because it is going to be already on their authorised list.

HippoDuck
May 19th, 2003, 11:43 AM
Ok, so are RAW sockets an API that programmers can use to make IP-routable packets to send data from your computer? Maybe that would be able to bypass the host firewall? Would that program be able to listen / receive data also? Bypassing the kernel maybe? http://www.linuxchix.org/content/courses/security/raw_sockets
Guess some programming guru could write code to read data directly on the network level, to be able to send and receive, without the host firewall knowing this? Or maybe this is not possible? Anyway, this gives me the feeling that an external firewall (one that is not running on the host) is a good secondary "line of defence", instead of just trusting a host firewall.

Guess it's also very important to drop all ICMP traffic, so that a programmer is not sending real data in a ping packet for instance?

Still the "biggest" threat would probably be that a trojan is using a security hole in one of the allowed programs, as you say.

In that sense a host firewall on a standalone client that is not connected to a LAN and is not running any network services is really not protecting anything :) It's only good to alert if a trojan is opening its own TCP or UDP ports maybe...

I have only one PC @ home, that is only running the TCP/IP network service on my WinXP (I removed the default Microsoft client/server, and the Quality of Service that I don't know what it does), so I guess I don't really need a host firewall at all, as I allow programs that use the Inet to bypass the firewall anyway :p

I think the OS programmers should do a security feature that prompts the user every time some program is set to autostart or is associated to run with some file extension. That way maybe it would be hard to get a trojan installed on a PC to autostart with Windows? But then again there might be countless ways to get a program running, other than the registry run, services, ini and startup folders, making it impossible to do that kind of security stuff.

Now I understand why our company network security guy is getting grey hair so soon :/
All those users installing strange stuff on their workstations, I wonder when a trojan is going undetected by our AV&fw :(

kadeng
May 19th, 2003, 06:32 PM
Nice tut, slarty

I think the OS programmers should do a security feature that prompts the user every time some program is set to autostart or is associated to run with some file extension. That way maybe it would be hard to get a trojan installed on a PC to autostart with Windows? But then again there might be countless ways to get a program running, other than the registry run, services, ini and startup folders, making it impossible to do that kind of security stuff. (quote HippoDuck)

The Kerio Personal Firewall 3 Version 3.0.0 beta 6 tries to combat all these problems.

http://www.kerio.com/beta_section.html

I'm trying it out and it looks way more advanced than any other software firewall!

I'm waiting for the final version.

Grtz kadeng

ET1/SS
May 19th, 2003, 08:17 PM
Abtrusion Protector prevents Windows from loading unrecognized or unknown software. Only software that you have safely installed or explicitly allowed can be loaded into memory. Contrary to typical anti-virus scanners, Abtrusion Protector is not dependent on frequent virus definition updates.

http://www.abtrusion.com/abtrusion_protector_ps.asp

FYI

FrameWork
October 10th, 2003, 01:00 AM
I realize that this thread is fairly old, but I found something that demonstrates a point that slarty made here.

2. The recipes for detecting them (netstat, looking at the registry, process listing) often cited on AO can be fooled fairly easily.

I read this thread recently, and I wondered how netstat could be fooled and today I came across a program that demonstrates how this can be done. I took this quote from a text file that came zipped with it:

Many tutorials on how to determine if your computer's infected with a trojan tell you to run "netstat -a" to see if any ports are listed as "listening", because "listening" ports can be trojans. In all honesty this was a good idea, because netstat never lies... or does it? I have to admit that netstat was my usual way of checking for trojans, until now. I was wondering how you could hide the fact that there was a trojan installed on one of your victim's computers... the authors of these trojans go through great effort to hide the trojan from Windows and so on, but netstat still wins. Not anymore.

My program requires you to rename the original "netstat.exe" to "systray.exe" (they are almost identical in size - the original systray.exe is in the "system" directory), and then upload MY netstat to their windows directory (in place of the old netstat). The next time they run netstat to check for trojans, it won't show certain ports (four in total): 666 (dunno), 27374 (Subseven - the best trojan out there!), 31337 (Back Orifice - yeah cDc man !!!) and 12345 (NetBus I think?). Anyway - if you want to change any of these ports (I can only think of a billion reasons why you might want to), just modify the source code and recompile, in Turbo C++. Consider your victim 0wned !!!

I left out the name of the program to avoid causing a stir.

Just thought it was worth mentioning in case anyone was confused about this like I was.

~FrameWork
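
A defender's counter to the swapped-netstat trick quoted above, added here as an example and not part of the thread: compare the port list printed by the user-space tool with an independent, kernel-level view of the socket table, and check the tool's binary against a SHA-256 baseline recorded while the system was known-good. Both samples are constructed; the independent view is parsed in the layout of Linux /proc/net/tcp, and on Windows one would substitute an API-level enumeration such as psutil.net_connections() (an assumption, not something the thread discusses).

```python
import hashlib

# Constructed sample of "netstat -a" output from a tampered tool: the entry
# for port 27374 has been suppressed, the trick described in the quoted text.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
"""

# Constructed sample in the layout of Linux /proc/net/tcp, standing in for a
# kernel-provided socket table (ports are hex; state 0A means LISTEN).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0087 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 10 0
   1: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 10 0
   2: 00000000:6AEE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 10 0
   3: 0100007F:0035 0100007F:C6A8 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0 10 0
"""

def parse_netstat(output: str) -> set:
    """Listening TCP ports as reported by netstat (Windows or Linux wording)."""
    ports = set()
    for line in output.splitlines():
        parts = line.split()
        if (len(parts) >= 4 and parts[0].lower().startswith("tcp")
                and parts[-1] in ("LISTENING", "LISTEN")):
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports

def parse_proc_net_tcp(text: str) -> set:
    """Listening TCP ports from a /proc/net/tcp table (state column 0A)."""
    ports = set()
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def hidden_ports(tool_view: set, kernel_view: set) -> set:
    """Ports the kernel knows about that the user-space tool did not report."""
    return kernel_view - tool_view

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _read_file(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()

def check_baseline(baseline: dict, read_bytes=_read_file) -> list:
    """Return the paths whose current SHA-256 differs from the recorded digest.
    baseline maps path -> hex digest taken when the system was known-good."""
    return sorted(path for path, digest in baseline.items()
                  if sha256_hex(read_bytes(path)) != digest)

if __name__ == "__main__":
    missing = hidden_ports(parse_netstat(NETSTAT_OUTPUT), parse_proc_net_tcp(PROC_NET_TCP))
    print("listening ports absent from netstat output:", sorted(missing))
    # Placeholder baseline digest and constructed file contents, to show the report.
    print("binaries differing from baseline:",
          check_baseline({"netstat.exe": "0" * 64}, read_bytes=lambda p: b"not the original"))
```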

mosad2
November 8th, 2003, 02:03 AM
Nice tut slarty
it really revealed a lot of unquestioned things
about Windows
you can't stop a trojan using a software
as most up to date trojans contain a feature to kill AVs and firewalls while starting up!
most people see that Norton, McAfee are good antiviruses
but indeed they are not
I can say they are useless
the best antivirus when dealing with trojans out there is Kaspersky!
it's not well known but it has a huge database
let's say that a trojan was released yesterday
you found your Kaspersky detecting it
while when it comes to Norton or McAfee
it takes ages
about a month or something!
second, if you wanna stop a trojan it requires knowledge about your own programs and their ports
means you use netstat to check your PC's state
and then block unknown ports or ports you suspect!
I am telling you this from a trojaner perspective


about Linux
I believe that Linux is not more secure than Windows
the problem is Windows has so many enemies waiting for the first fall to attack!!!!
as we see out there most exploits are for Linux
and Linux backdoors are much more dangerous than Windows backdoors!
rootkits and other malicious software
Linux is just hacker friendly
maybe it gives you more control upon your system
but this doesn't mean it's more secured than Windows

by the way no need to flame for what I said about Linux
I know there are a lot of Linux lovers here:)

at the end
we come to one thing
Nothing is called complete security
there must be a hole as software is made by humans
and it's well known for everyone that only humans make errors

Sm0kinP0t
November 8th, 2003, 02:35 AM
Hmmm... the idea of "forging" a netstat.exe then uploading it to replace the real one on the victim's comp is a great scheme. I think it only lacks perfection because the user's box must have been already compromised or he has to download it.

Didn't really know about it, nice going ;)

homenet
November 8th, 2003, 01:01 PM
I think the point here is that there is no definite "fix" for security problems. The best way to protect yourself is to use a variety of solutions. There is no point in saying switch to Linux because a lot of people, myself included, either prefer Windows or have to use it for a particular application. I've tried a lot of different solutions and the best I've come up with so far is to use Linux as a firewall and to route my internet connection to the other computers running Windows. Then to run a virus scanner and spyware remover program every day or two on my Windows boxes. So far I have not had any infections whatsoever, and with the Linux firewall set up right, when I portscan my network from outside it is as if it didn't exist.
You just have to try different solutions until you find the one that suits your network or computer the best.

Anyway, that's just my 2 cents..

slarty
November 8th, 2003, 02:57 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by mosad2

you can't stop a trojan using a software

No, that's not what I meant. I didn't mean you can't stop *a* trojan, I meant you can't stop *all* trojans. The ones that are the most commonly used by script kiddies are in AV databases and can be stopped.

as most up to date trojans contain a feature to kill AVs and firewalls while starting up!

Yes, but they can't kill an AV if it kills them first.

most people see that Norton, McAfee are good antiviruses
but indeed they are not
I can say they are useless

No. They are NOT USELESS. They are very useful at stopping viruses.

the best antivirus when dealing with trojans out there is Kaspersky!
it's not well known but it has a huge database
let's say that a trojan was released yesterday
you found your Kaspersky detecting it

No. No virus checker can detect a brand new trojan crafted for the purpose.

Slarty

mosad2
November 8th, 2003, 06:58 PM
@ slarty
I agree with what you said
but you have to pay attention that a trojan can be detected when it's widespread
while most hackers prefer to use their own tools including trojans!

about the antivirus killing feature
I have used so many trojans
I can say when you bind your trojan
the AV can't detect it, then the trojan is executed
and it kills the AV every time the PC boots up;)
sure antiviruses can kill them first but this works with old versions of trojans

about Norton and McAfee
I meant by useless when it comes to trojans, not viruses
sure they can stop a wide range of viruses

about Kaspersky
I think you have to give it a try
just try it and you will see
it's sufficient
at least for me:)

peace out

isabyon
November 13th, 2003, 08:55 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by Shakira
Are you suggesting that we should discard our firewall totally?

I also heard some posters telling us Zone Alarm sucks. I wonder whether these posters are trying to ask people to switch to other firewalls because they discover that they could not hack those who are using Zone Alarm.

It is very difficult to tell who is telling the truth in the forum if you are a newbie like me who has a lot to learn about network security.

ZoneAlarm is great for the newbie; it is easy to use and install.
Only there are some bad things about ZoneAlarm:
1) some earlier versions did not protect a Win98 PC before the logon (ZoneAlarm says it does, but some members here tested it and protection was not like it should have been)
2) it is a resource eater
3) it triggers on too many things; if you are going to react on everything ZoneAlarm sees as an incoming attack then you are going to react a lot. This however can be solved by reading ZoneAlarm's output exactly.

On the other hand ZoneAlarm does its job, on application and port level.

There are alternatives: Sygate, Outpost,...
however those are less 'newbie user friendly'.

About telling the truth, unless there are very evil and wicked members ;) , I think you can trust some of the (more mature?) senior members from the early forum days.