Monday, July 30, 2007

More About The Trojan Horse

Let’s take a closer look at the Trojan Horse, using the NetBus Trojan as a reference.

The NetBus Trojan has two parts to it, as almost all Trojans do:
there is a Client and a Server. The server is the file that
would have to get installed on your system in order to have
your system compromised. Here’s how the hack would go.

The objective of the hack is getting the potential victim to install the server
onto his/her system. Now there are two ways to do it.

Method 1
Send the server file (for explanation purposes we’ll call the file
netbusserver.exe) to you via E-Mail. This was how it was
originally done.
The hacker would claim the file to be a game of some sort.
When you then double click on the file, the result is nothing.
You don’t see anything. (Very Suspicious)
Note: (How many times have you double clicked on a
file someone has sent you and it apparently did
At this point, what has happened is that the server has now been
installed on your system. All the “hacker” has to do is use the
NetBus Client to connect to your system, and everything you
have on your system is now accessible to this “hacker.”

But with increasing awareness of the use of Trojans, “hackers”
became smarter, and thus method 2 comes into the picture.

Method 2
You might often have received games like “hit Bill Gates in the face with a pie”, or perhaps
“shoot Saddam”? There are lots of funny little files like that.
Now I’ll show you how someone intent on getting access to
your computer can use that against you.
There are utility programs available that can combine the
“server” (a.k.a. Trojan) file with a legitimate executable
file. (An executable file is any file ending in .exe.) It will
then output another .exe file of some kind. Think of this
process as mixing poison in a drink: the same procedure goes for
combining the Trojan with another file.
For Example:
The “Hacker” in question would do this (say he sends you a game called “Ball Game”):
Name: ball.exe (name of file that starts the chess
Trojan: netbusserver.exe (The Trojan)

The joiner utility will combine the two files together and output
1 executable file called:
This file can then be renamed back to ball.exe. It’s not
exactly the same Ball Game. It’s like the poisoned drink, it’s
just slightly different.
The difference between these files will be noticed in their size:
The original file: chess.exe, size: 60 Kbytes
The new file (with Trojan): ball.exe, size: 75 Kbytes
(Made-up figures, for explanation only)
The process of joining the two files takes about 10 seconds.
Now the “hacker” has a new ball game file to send out
with the Trojan in it.
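The size difference above is the giveaway the post points to, and a defender can turn it into a routine check: keep a manifest of known-good sizes and SHA-256 hashes for the executables you expect, and compare any received file against it before running it. The Python below is an added example, not code from the original post or from NetBus; the file contents are constructed stand-in byte strings (not real executables), and the manifest, file names and verdict strings are assumptions for illustration. It also goes one step beyond the post by showing why size alone is a weak signal: a file altered in place keeps its size and passes the size check, but still fails the hash comparison.

```python
import hashlib
from typing import Dict, NamedTuple


class Baseline(NamedTuple):
    """Known-good fingerprint of one executable: its byte length and SHA-256."""
    size: int
    sha256: str


def fingerprint(data: bytes) -> Baseline:
    """Compute the size/hash fingerprint of a file's contents."""
    return Baseline(len(data), hashlib.sha256(data).hexdigest())


# Constructed stand-ins for the post's example files. These are NOT real
# executables; they only need to be byte strings of different sizes.
ORIGINAL_BALL = b"MZ" + b"\x00" * 14 + b"BALLGAME-ORIGINAL-CODE" * 40
APPENDED_PAYLOAD = b"TROJAN-SERVER-STANDIN" * 30          # constructed filler
JOINED_BALL = ORIGINAL_BALL + APPENDED_PAYLOAD              # bigger than the original
# Altered in place: same length as the original, different contents.
SAME_SIZE_TAMPERED = ORIGINAL_BALL[:-len(b"TAMPERED")] + b"TAMPERED"

# The manifest of files we trust, built from the known-good copy (assumed name).
KNOWN_GOOD: Dict[str, Baseline] = {"ball.exe": fingerprint(ORIGINAL_BALL)}


def check_file(name: str, data: bytes, manifest: Dict[str, Baseline] = KNOWN_GOOD) -> str:
    """Compare a received file against the manifest.

    Returns one of: "ok", "unknown" (no baseline for this name),
    "size-mismatch" (cheap check, catches a simple append),
    "hash-mismatch" (catches changes that keep the size identical).
    """
    expected = manifest.get(name)
    if expected is None:
        return "unknown"
    actual = fingerprint(data)
    if actual.size != expected.size:
        return "size-mismatch"
    if actual.sha256 != expected.sha256:
        return "hash-mismatch"
    return "ok"


if __name__ == "__main__":
    for label, blob in [("original", ORIGINAL_BALL),
                        ("joined", JOINED_BALL),
                        ("same-size tampered", SAME_SIZE_TAMPERED)]:
        print(f"{label:>20}: {len(blob):5d} bytes -> {check_file('ball.exe', blob)}")
```

The order of checks matters only for speed: the size comparison is free, but the hash is the decision, because a file can be padded or edited to match a target size. In practice the manifest would come from the software's publisher or from a copy you hashed yourself before it ever touched e-mail.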

What happens when you click on the new ball.exe file?

The Ball Game program starts like normal, so there is no more
suspicion, because the file did something. The only difference
is that while the Ball Game program starts, the Trojan also gets installed
on your system.
Now you receive an email with the attachment, except in the
form of Ball.exe.
The unsuspecting user will execute the file and see a ball game.
Meanwhile, in the background, the “Trojan” gets silently
installed on your computer.

If that’s not scary enough, after the Trojan installs itself on
your computer, it will then send a message from your
computer to the hacker with the following information:

Username: (A name they call you)
IP Address: (Your IP address)
Online: (Your victim is online)

So it doesn’t matter if you are on dial-up. The potential
hacker will automatically be notified when you log on to your
That’s enough reading for a single post. In the next post in the series, we'll talk about some other ways that your PC can be compromised by a H4x0r.