How Can You Get Infected by Trojans?


jrkraj


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A lot of people out there can't differentiate between the various ways of
infection, just because in their minds the only way of getting infected is by
downloading and running server.exe, and they say they will never do it. As
you'll read here, there are many more ways for malicious attackers to infect
your machine and start using it for illegal activities. Please take all of
these topics I'm reviewing here really seriously; read them carefully and
remember that prevention is way better than the cure!

ICQ
IRC
Attachments
Physical Access
Browser And E-mail Software Bugs
Netbios(FileSharing)


1) Via ICQ

People don't understand that they can also get infected while talking via ICQ
or any other Instant Messenger Application. It's all risky when it's about
receiving files no matter from who, and no matter from where.

Believe it or not, there are still guys out there using really old versions
of ICQ, and it's all because they can see the IP of the person they're talking
to. The older versions of ICQ had such functionality and it was useful for
everyone capable of using winnuke and other DoS tools, but really, how hard is
it to click with the mouse? These people are often potential victims of
someone who is more knowledgeable about Windows Trojans and takes advantage of
their old ICQ versions.

Let's review various ways of getting infected via ICQ:

- You can never be 100% sure who's on the other side of the computer at the
particular moment. It could be someone that hacked your friend's ICQ UIN
(Unique Identification Number) and wants to spread some trojans over his/her
friends. You'll definitely trust your best dude Bob if he offers you
something interesting, but is it really Bob on the other side?

- Old versions of ICQ had bugs in the WebServer feature, which creates a site
on your computer with your info from the ICQ database. The bug is that the
attacker can have access to EVERY file on your machine, and if you read the
previous sections carefully and know the auto-start methods, you'll probably
realise what could happen if someone has access to your win.ini or another
system file, namely a trojan installed in a few minutes.

- Trojan.exe is renamed like Trojan....(150 spaces).txt.exe, icon changed to a
real .txt file and this will definitely get you infected. This bug must be
fixed in the newer versions for sure.

No matter which Instant Messenger Application you're using, you could always
get yourself infected by some program bug you never had the chance to hear
about, because you never took care of checking for newer versions of the
application. Also, when it's about receiving files, no matter from where and
no matter from who, take that very seriously and realise the dangers of your
naivety.

2) Via IRC

So many people LIVE on IRC and this is another place where you can get
yourself infected. Trust is vital no matter what you're doing. No matter who
is sending you files, pretending to be free porn archive, software for "free
internet", hacking Hotmail program, DO NOT get any of these files. Newbies are
often targets of these fakes, and believe me, many people are still newbies
about their security. Users get infected from porn-trade channels, and, of
course, warez channels, as they don't think about the risk, but how to get
free porn and free programs instead.

Here are several scenarios of you getting infected while using IRC:

- You're talking with someone, a "girl" probably, have great time and, of
course, you want to see the person you're talking to. You ask for a picture
or the "girl" offers you her pictures and I'm sure you'll definitely want to
see them. The "girl" says that she has just created her first screensaver,
using some known free or commercial software to do this, and offers it to
you, but how about if "she" mentions several pictures are naked ones?! You
have been talking to "her" for a week or so, you get this screensaver.exe,
you run it and, yeah, VERY nice pics, some are naked and she didn't lie to
you so nothing bad or suspicious has happened BUT think again what really
has happened!

- Trojan.exe could also be renamed into Trojan.scr like a screensaver
extension and will again run properly when you execute it so pay attention
about these file extensions.

- Trojan.exe is being renamed like Trojan....(150 spaces).txt.exe you'll get
the file over IRC in the DCC it will appear as .TXT and you won't get
worried about anything, run it and get yourself infected again. In all of
these examples the icon of the file is changed, of course, because it needs
to be the same icon as a normal .TXT and this fools victims very often.

Most people don't notice in their Explorer that the Type of the file is
Application BUT with a .TXT icon. So BEFORE you run something, even if it's
with a .TXT icon, check its extension and make sure it's really a text file.
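The two disguises described above (a harmless-looking extension followed by a long run of spaces and then the real `.exe`, and `.scr` or a double extension such as `.pdf.exe`) can be checked for mechanically. The following script is an added example and not part of the original post; the filenames in `SAMPLE_NAMES` are constructed for the demonstration, and the extension lists are my own choice of what Windows treats as a program and what a user would regard as a document.

```python
import re

# Constructed sample names (not taken from the original post) showing the
# disguises described above beside ordinary, harmless filenames.
SAMPLE_NAMES = [
    "notes.txt",
    "holiday.jpg",
    "Trojan" + " " * 150 + ".txt.exe",   # padded name: only ".txt" fits in a narrow column
    "screensaver.scr",                    # .scr is a program, not a picture
    "report.pdf.exe",                     # double extension
    "setup.exe",                          # an honest executable, nothing deceptive
]

# Extensions Windows runs as programs when double-clicked (assumption: a
# reasonable subset, not an exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
# Extensions most users regard as harmless documents or pictures.
INNOCENT_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".png", ".pdf", ".doc", ".htm", ".html"}


def deception_reasons(name: str) -> list:
    """Return the reasons a filename looks like a disguised program (empty if none)."""
    reasons = []
    lower = name.lower()
    stem, dot, ext = lower.rpartition(".")
    real_ext = "." + ext if dot else ""

    if real_ext in EXECUTABLE_EXTS:
        if real_ext == ".scr":
            reasons.append("'.scr' screensavers are executables, not pictures")
        # The extension just before the real one is what the victim is meant to see.
        inner = stem.rpartition(".")[2].strip()
        if "." + inner in INNOCENT_EXTS:
            reasons.append(f"double extension: displayed as .{inner}, runs as {real_ext}")
    if re.search(r"\s{5,}", name):
        reasons.append("long run of whitespace padding hides the real extension")
    return reasons


def scan(names) -> dict:
    """Map every suspicious filename to its reasons; clean names are omitted."""
    return {n: deception_reasons(n) for n in names if deception_reasons(n)}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_NAMES).items():
        shown = name[:20] + ("..." if len(name) > 20 else "")
        print(repr(shown), "->", "; ".join(reasons))
```

The check on the real extension matters because Explorer's "Hide extensions for known file types" option is on by default, so a user sees `report.pdf` for `report.pdf.exe`; turning that option off, and reading the Type column as the post advises, exposes the same thing the script flags.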


3) Via Attachments

I'm always amazed how many people got themselves infected by an attachment,
sent into their mailboxes. Most of these users are new to the Internet and are
pretty naive. When they receive a mail, containing an attachment, saying they
will get free porn, free Internet access etc., they run it without completely
understanding the risks for their machines. Check the following scenario: you
know your friend Alex is a very skilled Visual Basic programmer. You also know
he's coding his latest program but you're curious what it is all about, and
you wait for an e-mail from him with the attachment when he finishes coding
the application. Yeah, but the person targeting YOU also knows that. The
attacker also knows your friend's e-mail address. Then the attacker will
simply code some program or get some freeware one, use some relaying mail
server to fake the e-mail's FROM field and make it look like your friend's
one; Alex's e-mail address is alex@example.com so the attacker's FROM field
will be changed to alex@example.com and, of course, it will include the
TROJANED attachment... You'll check your mail, see that Alex finally got his
program ready and sent it, you'll download and run it without thinking that it
might be a trojan or something else, because, hey, Alex wouldn't do something
like that to me, he's my friend, and you'll get yourself infected.

Information Is Power! Just because the attacker knew you were waiting for some
particular file, he found Alex's e-mail address and got you infected... the
right moment assumes importance here. And it all happened just because you
were naive, just because you saw alex@example.com in the FROM field, and just
because you didn't check the mail headers to see that the mail came from some
.jp mail server relaying e-mails, which has been used by spammers for several
months.
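The header check the paragraph above recommends can be done with Python's standard `email` module. The script below is an added example, not part of the original post: the two messages are constructed to mirror the scenario (a From field claiming `alex@example.com`, one message entering the mail system through an unrelated `.jp` relay and one through the sender's own server), and the "origin hop belongs to the From domain" rule is my own heuristic for deciding which mails deserve a closer look.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message (not from the original post): the From field claims
# alex@example.com, but the oldest Received line shows the message entered the
# mail system at an unrelated relay in .jp, exactly the pattern described above.
SUSPICIOUS_MAIL = """\
Received: from relay.example.jp (relay.example.jp [192.0.2.10])
        by mail.example.net with SMTP id abc123
        for <victim@example.net>; Mon, 01 Jan 2001 10:00:00 +0000
Received: from pc-198-51-100-7.example.org (198.51.100.7)
        by relay.example.jp with SMTP; Mon, 01 Jan 2001 09:58:00 +0000
From: Alex <alex@example.com>
To: victim@example.net
Subject: my new program is ready

Here is the attachment you were waiting for.
"""

# Constructed message where the origin hop really belongs to the sender's domain.
LEGIT_MAIL = """\
Received: from smtp.example.com (smtp.example.com [192.0.2.20])
        by mail.example.net with SMTP id def456; Mon, 01 Jan 2001 10:00:00 +0000
From: Alex <alex@example.com>
To: victim@example.net
Subject: my new program is ready

Here it is.
"""


def sender_domain(raw: str) -> str:
    """Domain part of the From address (the part a naive reader trusts)."""
    _, addr = parseaddr(message_from_string(raw)["From"])
    return addr.rpartition("@")[2].lower()


def received_chain(raw: str) -> list:
    """(from_host, by_host) pairs, oldest hop first. Each relay prepends its own
    Received header, so the last header in the message is where it originated."""
    chain = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())           # unfold the header onto one line
        m_from = re.search(r"\bfrom\s+(\S+)", flat)
        m_by = re.search(r"\bby\s+(\S+)", flat)
        chain.append((m_from.group(1).lower() if m_from else "?",
                      m_by.group(1).lower() if m_by else "?"))
    return chain


def origin_matches_sender(raw: str) -> bool:
    """Heuristic (assumption): does the first hop name a host in the From domain?
    False is a reason to look closer, not proof of forgery, since legitimate mail
    is often sent through a provider's servers."""
    domain = sender_domain(raw)
    chain = received_chain(raw)
    if not chain:
        return False
    return any(h == domain or h.endswith("." + domain) for h in chain[0])


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MAIL), ("legit", LEGIT_MAIL)):
        print(label, sender_domain(raw), received_chain(raw), origin_matches_sender(raw))
```

Only the Received header added by your own mail server can be trusted; anything below it may have been written by the sender, which is why the script reports the whole chain rather than a single verdict.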

Many people got themselves infected by the famous "Microsoft Internet Explorer
Update" sent directly to their mailboxes, by the nonexistent Microsoft Updates
Staff. I understand you felt great because Microsoft are paying attention
especially to you, and sent you the latest updates, but these "updates" are
definitely trojans. Microsoft will NEVER send you updates of their software
via e-mail, no matter if you see updates@microsoft.com in the FROM field, and
as you've noticed in the previous example the FROM field could be and IS
faked. If you ever notice some mail in your mailbox with subjects like
"Microsoft IE Update" and such, delete it WITHOUT viewing or reading the
e-mail, because some E-Mail clients, like Outlook Express and others, have
bugs that automatically execute the file attached to the e-mail WITHOUT you
even touching it. As you can imagine this is an extremely dangerous problem
that requires you to be always up to date with the latest version of any
software you're using.


4) Physical Access

Physical access is vital for your computer's security. Imagine what an
attacker can do while having physical access to your machine, and let's not
mention if you're always connected to the Internet and leave the room for
several minutes... long enough to get you infected. Here I'll point out
several scenarios, often used by attackers to infect your computer while
they're having physical access to your machine. There are some very smart
people out there that keep thinking of new ways of getting physical access
to someone's computer. Here are some tricks that are interesting:

- Your "friend" wants to infect you with a trojan and he/she has physical
access to your machine. Let's say you were at home surfing the net,
chatting or whatever. Suddenly your "friend" asks you for a glass of
water, knowing that you'll go in another room and will be away for 1 or
2 minutes. While you do that he/she takes a diskette out of his/her pocket
and infects your unprotected PC. You come back and everything is OK
because your "friend" is doing exactly the same thing as before you left
...surfing the net.

- The next example is when 2 guys want to take revenge on you because of
something and are supporting each other to accomplish the task. Again you
are at home with your "friend", surfing, chatting, whatever you're doing;
suddenly the telephone rings and a "friend" of yours wants to speak with
you about something that is really important. He/she (it's better to be she
in this case) asks "Is there anyone around you? If so, please move somewhere
away from him/her (after knowing if it is him or her, of course). I don't want
anyone to listen to what I'm going to tell you". The victim is again lured away
from the computer, leaving the attacker to do whatever he/she wants on the
target computer.

- Other approaches like the previous ones might be a sudden ring at the door, as
well as other variations of phone calls and conversations leaving the
attacker alone with the victim's computer. There are so many other possible
approaches; just think for a while and you'll see what I mean and how easily
you could be tricked, and it's because you're not suspicious enough when it
is about your sensitive computer data.

- Another way of infecting while having physical access is the Auto-Starting
CD function. You've probably noticed that when you place a CD in your CDROM,
it automatically starts with some setup interface; here's an example of the
Autorun.inf file that is placed on such CDs:

[autorun]
open=setup.exe
icon=setup.exe

So you can imagine that while running the real setup program a trojan could
be run VERY easily, and as most of you probably don't know about this CD
function they will get infected and won't understand what happened and how
it's been done. Yeah, I know it's convenient to have the setup.exe autostart
but security is what really matters here, that's why you should turn off the
Auto-Start functionality by doing the following:

Start Button->Settings->Control Panel->
System->
Device Manager->CDROM->Properties->Settings

and there you'll see a reference to Auto Insert Notification. Turn it off
and you won't have any problems with that function anymore.
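Autorun.inf is a plain INI file, so what a disc would launch on insertion can be read out before the disc is ever trusted. The script below is an added example and not part of the original post: it parses the autorun.inf shown above plus a constructed variant using the other launch keys Windows honours (`shellexecute` and `shell\<verb>\command`), and lists every command that would run automatically. The `icon=` line only changes the picture shown for the drive and is ignored on purpose.

```python
import configparser

# The autorun.inf shown in the post.
SIMPLE_AUTORUN = """\
[autorun]
open=setup.exe
icon=setup.exe
"""

# Constructed variant (not from the post) using the other launch keys.
CONSTRUCTED_AUTORUN = """\
[autorun]
icon=setup.exe,1
shellexecute=readme.html
shell\\install\\command=install.exe /s
shell\\install=&Install now
"""


def launch_targets(text: str) -> list:
    """Return every command an autorun.inf would run when the disc is inserted.
    'icon=' only changes the displayed picture and is deliberately ignored."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return []
    section = cp["autorun"]                        # option names are lower-cased by configparser
    targets = []
    for key in ("open", "shellexecute"):           # direct launch keys
        if key in section:
            targets.append(section[key].strip())
    for key in sorted(section):                    # shell\<verb>\command entries
        if key.startswith("shell\\") and key.endswith("\\command"):
            targets.append(section[key].strip())
    return targets


def report(text: str) -> str:
    """Human-readable summary for one autorun.inf."""
    targets = launch_targets(text)
    if not targets:
        return "nothing is launched automatically"
    return "would launch: " + ", ".join(targets)


if __name__ == "__main__":
    print(report(SIMPLE_AUTORUN))
    print(report(CONSTRUCTED_AUTORUN))
```

Running this against a disc's autorun.inf before inserting it with autorun enabled tells you exactly which program the CD would start on its own, which is the behaviour the post recommends switching off with Auto Insert Notification.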

I know MANY other variations of physical access infections but these are the
most common ones so pay attention and try to make up several more by yourself.

When the victim IS connected to the Internet:

Here we have many variations; again, I'll mention the most common ones. While
the attacker is having physical access he/she may download the trojan.exe,
using various ways just by knowing how various Internet protocols work.

- A special IRCbot known only to the attacker stays on IRC, its only
function being to DCC the trojan.exe back to the attacker whenever he/she
messages the bot with a special command. The victim will probably be away
from the computer.
- The attacker wants to download some specific software like new version of
some programs infected with trojan(s), of course, and visit some URL, known
to him/her only, and download the trojan.
- The attacker pretends he/she wants to check his/her (web based) mail (for
example, at Yahoo! or HotMail) but in fact has the trojan.exe stored in his/
her mailbox and just downloads and executes the file, hereby infecting the
computer. The mail service is used as a storage area, in this case.

There are many more ways of infecting the victim while connected to the Net,
as you can imagine. Any of these examples will succeed but it all depends on
the victim's knowledge of the Internet and how advanced his/her skills are,
so the attacker needs to check these things somehow before doing any of these
activities I pointed here. After that, the attacker will be able to choose
the best variant for infecting the victim and doing the job.


5) Browser And E-mail Software Bugs

Users do not update their software versions as often as they should, and a
lot of the attackers are taking advantage of this well known fact. Imagine you
are using an old version of Internet Explorer and you visit a (malicious) site
that will check and automatically infect your machine without you downloading
or executing any programs. The same scenario goes when you check your E-mail
with Outlook Express or some other software with well known problems, again
you will be infected without downloading the attachment. Make sure you always
have the latest version of your Browser and E-mail Software, and reduce the
ways of these variations to minimum. Here are some links about Browser and
E-mail Software bugs, check them out and understand how dangerous these bugs
are, and it's all because of you using an old version of the software.


6) Netbios(File Sharing)

If port 139 on your machine is open, you're probably sharing files and this
is another way for someone to access your machine, install trojan.exe and
modify some system file, so it will run the next time you restart your PC.
Sometimes the attacker may use a DoS (Denial of Service) attack to shut down
your machine and force you to reboot, so the trojan can start itself
immediately. To block file sharing in the WinME version, go to:

Start->Settings->Control Panel->Network->File And Print Sharing

and uncheck the boxes there. That way you won't have any problems related to
Netbios abuse.
 