Security 1:1 - Part 2 - Trojans and other security threats

Created: 26 Dec 2013 • Updated: 27 Dec 2013

Welcome to the Security 1:1 - Part 2

In Part 2 we take a closer look at Trojans: what is a Trojan? How does it differ from a virus? What types of Trojans exist, based on their function and attack vectors? The classification of Trojans introduced here is complemented with references to Symantec Security Response write-ups that provide real-world examples of Trojans in the wild, together with their technical details, characteristics and removal steps.

In the second part of this article we will dive into some more general threat types, to cover the various definitions that are sometimes used interchangeably to describe a specific trojan or threat.

The Security 1:1 series consists so far of the following articles:

1. Trojans

Computer Trojans or Trojan Horses are named after the mythological Trojan Horse from the Trojan War, in which the Greeks gave a giant wooden horse to their foes, the Trojans. As soon as the Trojans dragged the horse inside their city walls, Greek soldiers sneaked out of the horse's hollow belly and opened the city gates, allowing their army to capture Troy. A computer Trojan horse works in a very similar way: it is a type of malicious software that masquerades as a non-malicious, even useful application, but actually does damage to the host computer after its installation.

Trojans do not self-replicate, which is their key difference from viruses, and they often require end user intervention to be installed. In most scenarios the user is tricked into believing that the program being installed is a legitimate one (this is very often connected with social engineering attacks on end users). Another common method is for the Trojan to be spammed as an email attachment or as a link in an email. A similar method has the Trojan arriving as a file or link in an instant messaging client. Trojans can also be spread by means of drive-by downloads (see the Symantec video below), or be downloaded and dropped by other trojans or by legitimate programs that have been compromised.


Video: Symantec Guide to Scary Internet Stuff: Drive-By Downloads

The results of trojan activity can vary greatly: from low-impact ones that only change the wallpaper or desktop icons; through trojans whose only purpose is to open a backdoor on the computer, allowing other threats to infect the host or giving an attacker remote access to the targeted system; up to trojans that themselves cause serious damage on the host by deleting files or destroying the data on the system in various ways (such as formatting the drive or causing a BSOD). Such Trojans are usually stealthy and do not advertise their presence on the computer.

Reference:
[Trojan Horse]
http://www.symantec.com/security_response/writeup.jsp?docid=2004-021914-2822-99

Trojans can be classified by the function they perform and by the way they breach systems. An important thing to keep in mind is that many trojans have multiple payload functions, so any such classification provides only a general overview and not strict boundaries. Some of the most common Trojan types are:

  • Remote Access Trojans (RAT) aka Backdoor.Trojan - this type of trojan opens a backdoor on the targeted system to allow the attacker remote access to the system or even complete control over it. This is the most widespread kind of Trojan and it often carries various other functions as well. It may be used as an entry point for a DoS attack or for letting worms or other trojans onto the system. A computer with a sophisticated back door program installed may also be referred to as a "zombie" or a "bot". A network of such bots is often referred to as a "botnet" (see part 3 of the Security 1:1 series). Backdoor.Trojans are generally created by malware authors who are organized and aim to make money out of their efforts. These types of Trojans can be highly sophisticated and can require more work to implement than some of the simpler malware seen on the Internet.

Reference:
[Backdoor.Trojan]
http://www.symantec.com/security_response/writeup.jsp?docid=2001-062614-1754-99

  • Trojan-DDoS - this trojan is installed simultaneously on a large number of computers in order to create a zombie network (botnet) of machines that can be used (as attackers) in a DDoS attack on a particular target.

Reference:
[DDoS.Trojan]
http://www.symantec.com/security_response/writeup.jsp?docid=2012-111917-3846-99

  • Trojan-Proxy - this trojan is designed to use the target computer as a proxy server, which then allows the attacker to perform a multitude of operations anonymously or even to launch further attacks.
  • Trojan-FTP - trojan designed to open FTP ports on the targeted machine, allowing a remote attacker access to the host. Furthermore, the attacker can also access network shares or connections to further spread other threats.
  • Destructive Trojans - are designed to destroy or delete data; in this purpose they are much like viruses.
  • Security Software Disabler Trojans - designed to stop security programs like antivirus solutions, firewalls or IPS, either by disabling them or by killing their processes. This kind of trojan functionality is often combined with a destructive trojan that executes data deletion or corruption only after the security software is disabled. Security Software Disablers are entry trojans that enable the next level of attack on the targeted system.
  • Infostealer (Data Sending/Stealing Trojan) - this trojan is designed to provide the attacker with confidential or sensitive information from the compromised host and send it to a predefined location (the attacker). The stolen data comprises login details, passwords, PII, credit card information, etc. Data sending trojans can be designed to look for specific information only, or can be more generic, like keylogger trojans. Nowadays more than ever before attackers are concentrating on compromising end users for financial gain; the information stolen with the use of Infostealer Trojans is often sold on the black market. Infostealers gather information using several techniques. The most common include logging keystrokes, taking screenshots and Web cam images, and monitoring Internet activity, often for specific financial web sites. The stolen information may be stored locally so that it can be retrieved later, or it can be sent to a remote location where it can be accessed by an attacker. It is often encrypted before being posted to the malware author.

Reference:
[Infostealer]
http://www.symantec.com/security_response/writeup.jsp?docid=2000-122016-0558-99

  • Keylogger Trojans - a type of data sending trojan that records every keystroke of the end user. This kind of trojan is specifically used to steal sensitive information from the targeted host and send it back to the attacker. For these Trojans, the goal is to collect as much data as possible without any direct specification of what the data will be.

Video - The Threat Factory - Keystroke Logging From the Victim and Cybercriminal's Perspective

  • Trojan-PSW (Password Stealer) - a type of data sending trojan designed specifically to steal passwords from the targeted systems. In its execution routine the trojan will very often first drop a keylogging component onto the infected machine.
  • Trojan-Banker - trojan designed specifically to steal online banking information to allow the attacker further access to bank accounts or credit card information.

A good example of a Trojan-Banker would be Trojan.Zbot aka Zeus: designed to steal confidential information from the computers it compromises, it can be created and customized through the Zeus toolkit to gather any sort of information.

Video - Zeus: King of crimeware toolkits

Reference:
[Trojan.Zbot]
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99
Zeus, King of the Underground Crimeware Toolkits
https://www-secure.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits

  • Trojan-IM - a type of data sending trojan designed specifically to steal data or account information from instant messaging programs like MSN, Skype, etc.
  • Trojan-GameThief - trojan designed to steal information about online gaming accounts.
  • Trojan-Mailfinder - trojan used to harvest any email addresses found on the infected computer. The address list is then forwarded to the remote attacker.
  • Trojan-Dropper - trojan used to install (drop) other malware on targeted systems. The dropper is usually used at the start or in the early stages of a malware attack.

Reference:
[Trojan.Dropper]
http://www.symantec.com/security_response/writeup.jsp?docid=2002-082718-3007-99

  • Trojan-Downloader - trojan that downloads other malicious programs to the target computer. Very often combined with the functionality of a Trojan-Dropper. Most downloaders encountered will attempt to download content from the Internet rather than from the local network. In order to successfully achieve its primary function, a downloader must run on a computer that is inadequately protected and connected to a network.

Reference:
[Downloader]
http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99

  • Trojan-FakeAV - trojans posing as legitimate AV programs. They try to trick the user into believing that the system is infected with a virus and offer a paid solution to remove the threat.

Video: Symantec Security Response - Fake Antivirus Schemes

These programs intentionally misrepresent the security status of a computer by continually presenting fake scan dialogue boxes and alert messages that prompt the user to buy the product. The alert messages can also include pop-up notifications in the notification area of Windows.

FakeAV.png

This type of trojan can either be targeted at extorting money for the removal of a "non-existing" threat, or, in other cases, the installation of the program itself injects other malware into the host machine. FakeAV applications can perform fake scans with variable results, but always detect at least one malicious object. They may also drop files that are then "detected". FakeAV applications are constantly updated with new interfaces so that they mimic legitimate anti-virus solutions and appear very professional to end users. An example of this is Nortel Antivirus (http://www.symantec.com/security_response/writeup.jsp?docid=2009-090113-2706-99&tabid=2).

nortel.jpg

In order to further convince the user to purchase the product, many of these applications also have professionally designed product Web pages containing bogus reviews or even offering live online support. Symantec has published a blog article that describes how some misleading application vendors provide live online support; see the referenced links.

Reference:
[Trojan.FakeAV]
http://www.symantec.com/security_response/writeup.jsp?docid=2007-101013-3606-99
Fake AV & Talking With The Enemy
https://www-secure.symantec.com/connect/blogs/fake-av-talking-enemy

  • Trojan-Spy - trojan with functionality similar to an Infostealer or Trojan-PSW; its purpose is to spy on the actions executed on the target host. These can include tracking data entered via keystrokes, collecting screenshots, listing active processes/services on the host or stealing passwords.
  • Trojan-ArcBomb - trojan used to slow down or incapacitate mail servers.
  • Trojan-Clicker or Trojan-ADclicker - trojan that continuously attempts to connect to specific websites in order to boost the visit counters on those sites. More specific functionality of the trojan can include generating traffic to pay-per-click Web advertising campaigns in order to create or boost revenue.

Reference:
[Trojan.Adclicker]
http://www.symantec.com/security_response/writeup.jsp?docid=2002-091214-5754-99&tabid=2

  • Trojan-SMS - trojan used to send text messages from infected mobile devices to premium rate phone numbers.

Examples of Trojan-SMS:
AndroidOS.FakePlayer (http://www.symantec.com/security_response/writeup.jsp?docid=2010-081100-1646-99)
Android.Opfake (http://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-2732-99).

Reference:
Server-side Polymorphic Android Applications
https://www-secure.symantec.com/connect/blogs/server-side-polymorphic-android-applications

  • Trojan-Ransom (Trojan-Ransomlock) aka Ransomware Trojan - trojan that prevents normal usage of the infected machine and demands payment (ransom) to restore full functionality. The prevention of normal use can be achieved by locking the desktop, preventing access to files, restricting access to management tools, disabling input devices or by similar means. The program displays a warning or a notice (often combined with a lock screen) prompting for a payment, and often claims to originate from governmental or law enforcement agencies to convince the end user of its authenticity.

ransomware.jpg

By checking the IP address of the user's computer, the Ransomware can tailor the language of the fake notice to the country of the user. Another technique used by Ransomware Trojans is to display a notice posing as a warning from a legitimate software vendor like Microsoft, for example concerning an expiring software license.

ransomware2.png

Video - Ransomware: A Growing Menace

Reference:
[Trojan.Ransomlock]
http://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99
Additional information about Ransomware threats
http://www.symantec.com/business/support/index?page=content&id=TECH211589
Recovering Ransomlocked Files Using Built-In Windows Tools
https://www-secure.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools
Ransomware: A Growing Menace
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ransomware-a-growing-menace.pdf

  • Cryptolock Trojan (Trojan.Cryptolocker) - this is a new variation of the Ransomware Trojan that emerged in 2013. Unlike a Ransomlock Trojan (which only locks the computer screen or some part of the computer's functionality), the Cryptolock Trojan encrypts and locks individual files. While Cryptolocker uses common trojan spreading techniques like spam email and social engineering in order to infect victims, the threat itself also uses more sophisticated techniques like public-key cryptography with strong 2048-bit RSA encryption.

Reference:
[Trojan.Cryptolocker]
http://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99
Cryptolocker: A Thriving Menace
https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace
Cryptolocker Alert: Millions in the UK Targeted in Mass Spam Campaign
https://www-secure.symantec.com/connect/blogs/cryptolocker-alert-millions-uk-targeted-mass-spam-campaign
Cryptolocker Q&A: Menace of the Year
https://www-secure.symantec.com/connect/blogs/cryptolocker-qa-menace-year

2. Other security threats

  • Malware - malicious software. This general term is often used to refer to viruses, spyware, adware, worms, trojans, ransomware etc. Malware is designed to cause damage to a targeted computer or to cause a certain degree of operational disruption. Malware often exploits security vulnerabilities in both operating systems and applications.
  • Rootkit - malicious software designed to hide certain processes or programs from detection. A rootkit usually acquires and maintains privileged system access while hiding its presence at the same time. The privileged access can allow the rootkit to provide the attacker with a backdoor to the system; it can also conceal a malicious payload bundled with the rootkit, like viruses or trojans.

Reference:
Rootkits
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/rootkits.pdf

  • Spyware - software that monitors and collects information about a particular user, his computer or his organisation without his knowledge. Very often spyware applications are bundled with freeware or shareware packages downloaded by users from the internet at no cost. Spyware is usually installed unwillingly. Spyware can generally be classified into the following types: system monitors, trojans (keyloggers, banker trojans, infostealers), adware and tracking cookies.
  • Tracking Cookies - a specific type of cookie that is distributed, shared, and read across two or more unrelated Web sites for the purpose of gathering information or potentially to present customized data to you. Tracking cookies are not harmful like malware, worms, or viruses, but they can be a privacy concern.

Video - Tracking Cookies

Reference:
[Tracking Cookie]
http://www.symantec.com/security_response/writeup.jsp?docid=2006-080217-3524-99

  • Riskware - term used to describe potentially dangerous software whose installation may pose a risk to the computer. Riskware is not necessarily a spyware or malware program; it may also be a legitimate program containing loopholes or vulnerabilities that can be exploited by malicious code.
  • Adware - in general terms, adware is software that generates or displays certain advertisements to the user. The advertisements may be displayed either directly in the user interface while the software is being used or during the installation process. This kind of adware is very common in freeware and shareware software and is in itself more annoying than malicious; in such a scenario it is merely a means for the software producer to gain some revenue while releasing applications free of charge or at a reduced price. Adware may also be used to analyse end users' internet habits and then tailor the advertisements directly to users' interests. The term adware is on occasion used interchangeably with malware to describe the pop-up or display of unwanted advertisements.
  • Scareware - class of malware that includes both Ransomware (Trojan.Ransom) and FakeAV software. Scareware is also known under the names "Rogue Security Software" or "Misleading Software". This kind of software tricks the user into believing that the computer has been infected and offers paid solutions to clean the "fake" infection. Scareware can also advertise system or software security updates, luring users into fraudulent transactions such as buying fake Antivirus Software that is either non-functional or malware itself.

Video - Symantec Guide to Scary Internet Stuff: Misleading Applications

Reference:
List of rogue security software
http://en.wikipedia.org/wiki/List_of_rogue_security_software

  • Spam - the term is used to describe unsolicited or unwanted electronic messages, especially advertisements. The most widely recognized form of spam is email spam, but there are many different forms of it in almost any available communication medium: instant messaging (called SPIM), VoIP (called SPIT), internet forums, newsgroups, blogs, online gaming, etc. Spam may be a medium for phishing or social engineering attacks. It is estimated that between 70% and 80% of total email traffic worldwide is spam.
  • Creepware - term used to describe activities like spying on others through webcams (very often combined with capturing pictures), tracking the online activities of others, listening to conversations over the computer's microphone, and stealing passwords and other data. The information, data and pictures gained with the use of creepware may later be used to extort money from or blackmail the victims of this threat. Creepware is another term for the RAT (Remote Access Trojan) described before.

Some creepware examples:
W32.Shadesrat - a worm that attempts to spread through instant messaging applications and file-sharing programs. It also opens a back door on the compromised computer.
http://www.symantec.com/security_response/writeup.jsp?docid=2011-022214-1739-99
Backdoor.Krademok -  a Trojan horse that opens a back door on the compromised computer.
http://www.symantec.com/security_response/writeup.jsp?docid=2011-121417-0311-99
Backdoor.Darkmoon - a Trojan horse that opens a back door on the compromised computer and has keylogging capabilities.
http://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99
Backdoor.Jeetrat - a Trojan horse that opens a back door on the compromised computer, steals information, and may download additional threats.
http://www.symantec.com/security_response/writeup.jsp?docid=2013-062815-5700-99
Trojan.Pandorat - a Trojan horse that opens a back door on the compromised computer and may steal confidential information.
http://www.symantec.com/security_response/writeup.jsp?docid=2013-101616-2121-99

Video - Creepware: Who Is Watching You?

Reference:
Creepware - Who’s Watching You?
https://www-secure.symantec.com/connect/blogs/creepware-who-s-watching-you

  • Blended threat - defines an exploit that combines elements of multiple types of malware components. The use of multiple attack vectors and payload types aims to increase the severity of the damage caused as well as the speed of spreading. A blended threat usually attempts to exploit multiple vulnerabilities at the same time.

Wikipedia references:
http://en.wikipedia.org/wiki/Trojan_horse_(computing)
http://en.wikipedia.org/wiki/Malware
http://en.wikipedia.org/wiki/Spyware
http://en.wikipedia.org/wiki/Riskware
http://en.wikipedia.org/wiki/Adware
http://en.wikipedia.org/wiki/Rootkit
http://en.wikipedia.org/wiki/Scareware
http://en.wikipedia.org/wiki/Spam_(electronic)