Critical System Protection


Trojan Attack Prevention With SCSP Part 1 

Jan 12, 2012 01:06 PM


I am writing this article in two parts. In the first part I describe how a Trojan works and how it infects systems; in the second part I will show how to prevent a Trojan attack with Symantec Critical System Protection (SCSP).

What is a Trojan?

In the IT world, a Trojan horse is used to enter a victim’s computer undetected, granting the attacker unrestricted access to the data stored on that computer and causing great damage to the victim. A Trojan can be a hidden program that runs on your computer without your knowledge, or it can be ‘wrapped’ into a legitimate program, meaning that the program has hidden functions you are not aware of.

How Does a Trojan Work?

Trojans typically consist of two parts, a client part and a server part. When a victim (unknowingly) runs a Trojan server on his machine, the attacker then uses the client part of that Trojan to connect to the server module and start using the Trojan. The protocol usually used for communications is TCP, but some Trojans' functions use other protocols, such as UDP, as well. When a Trojan server runs on a victim’s computer, it (usually) tries to hide somewhere on the computer; it then starts listening for incoming connections from the attacker on one or more ports, and attempts to modify the registry and/or use some other auto-starting method.

How to Create the Server

To infect the victim machine, we first have to create the Trojan server that we send to the victim. When the victim runs the Trojan server on his machine, the attacker is able to connect to the victim machine. Follow the steps below to create the Trojan server.

1) I am using ProRat v1.9 Trojan for this demonstration. This is the ProRat client, which helps us connect to the victim machine.

2) Now we have to create the Trojan server, which we will use to infect and take control of the victim machine.

3) Click on Create and then select Create ProRat Server.

4) In the General Settings options we have to specify the server port and server password. We will use this port and password to connect to the victim machine.

5) In the Bind with File option, tick the Bind Server with a File checkbox and select the exe with which you want to bind your Trojan file. In this case I bind the Trojan file with the Firefox setup.

6) In the Server Icon option, select an icon and click on Create Server.

7) Now we get server.exe. Send this server.exe file to your victim to infect his machine.


How to Infect Victim Machine

1) I am using Windows XP Professional SP2 as the victim machine. The victim has the Trojan file on his desktop.

2) When our victim double-clicks on server.exe, it starts installing Firefox on the victim machine and our Trojan server executes as a background process.

3) To check whether our Trojan server did its work properly or not, just check the listening ports on the victim machine. I ran the netstat -an command to check the listening ports and found that port no. 5110 (the port I specified when I created the server) is listening for connections on the victim machine. This means our Trojan executed successfully on the victim machine.
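As an added example (not part of the original article), here is a small Python check that automates the step above from the defender's side: it parses netstat -an output and reports listening sockets that are not in a known baseline for the host. The sample netstat output and the baseline set are constructed for illustration; on a real host you would feed in the actual netstat output and a baseline taken from a clean build.

```python
import re

# Constructed sample of `netstat -an` output from a Windows XP host (not a real capture).
# The 0.0.0.0:5110 entry mirrors the port the article's Trojan server was set to listen on.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5110           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1043      192.168.1.10:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Assumed baseline of listeners on a clean Windows XP SP2 build; in practice take this
# from a known-good host of the same build rather than from this list.
BASELINE_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

# Proto, local ip:port, foreign address, optional state (UDP rows have no state column).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign, state) for each socket row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # blank, "Active Connections" and column-header lines do not match
            proto, ip, port, foreign, state = m.groups()
            rows.append((proto, ip, int(port), foreign, state))
    return rows


def listening_sockets(rows):
    """Sockets accepting input: TCP rows in LISTENING state plus every bound UDP row."""
    return {(proto, port) for proto, _ip, port, _foreign, state in rows
            if (proto == "TCP" and state == "LISTENING") or proto == "UDP"}


def unexpected_listeners(text, baseline=BASELINE_LISTENERS):
    """Listeners that are not in the baseline; each one is a lead to investigate."""
    return sorted(listening_sockets(parse_netstat(text)) - baseline)


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} port {port}")  # -> unexpected listener: TCP port 5110
```

A hit is a lead, not a verdict: on Windows XP, netstat -ano adds the owning process ID, which tells you which process opened the socket.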


How to Connect to the Victim Machine

1) To connect to the victim machine, just open our Trojan client, enter the victim's IP address and port no. (the port I specified when I created the server) and click on Connect.

2) Now it asks for the password. Enter the password (the one I set when I created the server) to connect to the victim machine and click on OK.

3) I successfully connected to the victim machine. I am able to do anything with my victim machine; here I took a screenshot of my victim machine.

4) I also get the drive details of my victim machine, and I am able to download, upload, delete, create a directory, rename or run any program.

5) I am able to do many things with the help of this Trojan, such as:

    - Get details of the applications installed on the victim machine.

    - Send any message to the victim machine.

    - Access all the drives of the victim machine.

    - Install or uninstall any software.

    - Modify the registry.

    - Take screenshots, shut down the PC.

    - Keylogging, dump the hash file.

    - Start or stop any service, format any drive.


Comments

Nov 06, 2014 08:49 AM

Hello Sanehdeep, do you have copies or exports of the policies used to stop these attacks? 

We have internal personnel looking to replicate this demo. Let me know. Thx
