How Can You Get Infected by Trojans?

Discussion in 'Tutorials' started by jrkraj, Feb 6, 2007.

  1. jrkraj
    A lot of people out there can't distinguish between the various ways of infection
    just because in their minds the only way of getting infected is by downloading and
    running server.exe, and they will never do it, as they say. As you'll read here,
    there are many more ways for malicious attackers to infect your machine and start
    using it for illegal activities. Please take all of these topics I'm reviewing
    here really seriously; read them carefully and remember that prevention is way
    better than the cure!

    Physical Access
    Browser And E-mail Software Bugs

    1) Via ICQ

    People don't understand that they can also get infected while talking via ICQ
    or any other Instant Messenger application. It's always risky when it comes to
    receiving files, no matter from whom and no matter from where.

    Believe it or not, there are still guys out there using really old versions
    of ICQ, and it's all because they can see the IP of the person they're talking
    to. The older versions of ICQ had such functionality and it was useful for
    everyone capable of using winnuke and other DoS tools, but really, how hard is
    it to click with the mouse? These people are often potential victims of
    someone who is more knowledgeable about Windows Trojans and takes advantage of
    their old ICQ versions.

    Let's review various ways of getting infected via ICQ:

    - You can never be 100% sure who's on the other side of the computer at a
    particular moment. It could be someone who hacked your friend's ICQ UIN
    (Unique Identification Number) and wants to spread some trojans to his/her
    friends. You'll definitely trust your best dude Bob if he offers you
    something interesting, but is it really Bob on the other side?

    - Old versions of ICQ had bugs in the WebServer feature, which creates a site
    on your computer with your info from the ICQ database. The bug is that the
    attacker can have access to EVERY file on your machine, and if you read the
    previous sections carefully and know the auto-start methods, you'll probably
    realise what could happen if someone has access to your win.ini or other
    system file, namely a trojan installed in a few minutes.

    - Trojan.exe is renamed to something like Trojan....(150 spaces).txt.exe, its
    icon is changed to that of a real .txt file, and this will definitely get you
    infected. This bug must be fixed in the newer versions for sure.

    No matter which Instant Messenger application you're using, you could always
    get yourself infected by some program bug you never had the chance to hear
    about, if you never took care of checking for newer versions of the application.
    Also, when it comes to receiving files, no matter from where and no matter from
    whom, take that very seriously and realise the dangers of your naivety.

    2) Via IRC

    So many people LIVE on IRC, and this is another place where you can get
    yourself infected. Trust is vital no matter what you're doing. No matter who
    is sending you files, pretending to be a free porn archive, software for "free
    internet" or a Hotmail-hacking program, DO NOT get any of these files. Newbies
    are often targets of these fakes, and believe me, many people are still newbies
    about their security. Users get infected from porn-trade channels and, of
    course, warez channels, as they don't think about the risk, but about how to
    get free porn and free programs instead.

    Here are several scenarios of you getting infected while using IRC:

    - You're talking with someone, a "girl" probably, having a great time and, of
    course, you want to see the person you're talking to. You ask for a picture
    or the "girl" offers you her pictures, and I'm sure you'll definitely want to
    see them. The "girl" says that she has just created her first screensaver,
    using some known free or commercial software to do this, and offers it to
    you, but how about if "she" mentions several pictures are naked ones?! You
    have been talking to "her" for a week or so, you get this screensaver.exe,
    you run it and, yeah, VERY nice pics, some are naked and she didn't lie to
    you, so nothing bad or suspicious has happened, BUT think again about what
    really has happened!

    - Trojan.exe could also be renamed to Trojan.scr, like a screensaver
    extension, and will again run properly when you execute it, so pay attention
    to these file extensions.

    - Trojan.exe is renamed to something like Trojan....(150 spaces).txt.exe; you'll
    get the file over IRC via DCC, it will appear as .TXT, and you won't get
    worried about anything, run it and get yourself infected again. In all of
    these examples the icon of the file is changed, of course, because it needs
    to be the same icon as a normal .TXT, and this fools victims very often.

    Most people don't notice in their Explorer that the Type of the file is
    Application BUT with a .TXT icon. So BEFORE you run something, even if it's
    with a .TXT icon, check its extension and make sure it's really a text file.

    3) Via Attachments

    I'm always amazed how many people got themselves infected by an attachment
    sent to their mailboxes. Most of these users are new to the Internet and are
    pretty naive. When they receive a mail containing an attachment, saying they
    will get free porn, free Internet access etc., they run it without completely
    understanding the risks for their machines. Check the following scenario: you
    know your friend Alex is a very skilled Visual Basic programmer. You also know
    he's coding his latest program, but you're curious what it is all about, and
    you wait for an e-mail from him with the attachment when he finishes coding
    the application. Yeah, but the person targeting YOU also knows that. The
    attacker also knows your friend's e-mail address. Then the attacker will
    simply code some program or get some freeware one, use some relaying mail
    server to fake the e-mail's FROM field and make it look like your friend's;
    Alex's e-mail address is alex@example.com, so the attacker's FROM field
    will be changed to alex@example.com and, of course, it will include the
    TROJANED attachment... You'll check your mail, see that Alex finally got his
    program ready and sent it, and you'll download and run it without thinking that
    it might be a trojan or something else, because, hey, Alex wouldn't do something
    like that to me, he's my friend, and you'll get yourself infected.

    Information Is Power! Just because the attacker knew you were waiting for some
    particular file, he found Alex's e-mail address and got you infected... the
    right moment assumes importance here. And it all happened just because you
    were naive, just because you saw alex@example.com in the FROM field, and just
    because you didn't check the mail headers to see that the mail came from some
    .jp mail server relaying e-mails and has been used by spammers for several

    Many people got themselves infected by the famous "Microsoft Internet Explorer
    Update" sent directly to their mailboxes by the nonexistent Microsoft Updates
    Staff. I understand you felt great because Microsoft was paying attention
    especially to you and sent you the latest updates, but these "updates" are
    definitely trojans. Microsoft will NEVER send you updates of their software
    via e-mail, no matter if you see updates@microsoft.com in the FROM field, and as
    you've noticed in the previous example, the FROM field could be and IS faked. If
    you ever notice some mail in your mailbox with subjects like "Microsoft IE
    Update" and such, delete it WITHOUT viewing or reading the e-mail, because some
    e-mail clients like Outlook Express and others have bugs that automatically
    execute the file attached to the e-mail WITHOUT you even touching it. As
    you can imagine, this is an extremely dangerous problem that requires you to be
    always up to date with the latest version of any software you're using.

    4) Physical Access

    Physical access is vital for your computer's security. Imagine what an
    attacker can do while having physical access to your machine, and let's not
    mention if you're always connected to the Internet and leave the room for
    several minutes... long enough to get you infected. Here I'll point out
    several scenarios often used by attackers to infect your computer while
    they have physical access to your machine. There are some very smart
    people out there who keep thinking of new ways of getting physical access
    to someone's computer. Here are some tricks that are interesting:

    - Your "friend" wants to infect you with a trojan and he/she has physical
    access to your machine. Let's say you are at home surfing the net,
    chatting or whatever. Suddenly your "friend" asks you for a glass of
    water, knowing that you'll go into another room and will be away for 1 or
    2 minutes. While you do that, he/she takes a diskette out of his/her pocket
    and infects your unprotected PC. You come back and everything is OK
    because your "friend" is doing exactly the same thing he/she was doing
    before you left... surfing the net.

    - The next example is when 2 guys want to take revenge on you because of
    something and are supporting each other to accomplish the task. Again you
    are at home with your "friend", surfing, chatting, whatever you're doing;
    suddenly the telephone rings and a "friend" of yours wants to speak with
    you about something that is really important. He/she (it's better to be she
    in this case) asks "Is there anyone around you? If so, please move somewhere
    away from him/her (after knowing whether it is him or her, of course). I don't
    want anyone to listen to what I'm going to tell you". The victim is again lured
    away from the computer, leaving the attacker to do whatever he/she wants on the
    target computer.

    - Other approaches like the previous ones might be a sudden ring on the bell, as
    well as other variations of phone calls and conversations leaving the
    attacker alone with the victim's computer. There are so many other possible
    approaches; just think for a while and you'll see what I mean and how easily
    you could be tricked, and it's because you're not suspicious enough when it
    comes to your sensitive computer data.

    - Another way of infecting while having physical access is the Auto-Starting
    CD function. You've probably noticed that when you place a CD in your CD-ROM
    drive, it automatically starts with some setup interface; here's an example of
    the Autorun.inf file that is placed on such CDs:


    So you can imagine that while the real setup program is running, a trojan could
    be run VERY easily, and as most of you probably don't know about this CD
    function, you will get infected and won't understand what happened and how
    it was done. Yeah, I know it's convenient to have the setup.exe autostart,
    but security is what really matters here; that's why you should turn off the
    Auto-Start functionality by doing the following:

    Start Button->Settings->Control Panel->
    Device Manager->CDROM->Properties->Settings

    and there you'll see a reference to Auto Insert Notification. Turn it off
    and you won't have any more problems with that function.

    I know MANY other variations of physical access infections but these are the
    most common ones so pay attention and try to make up several more by yourself.

    When the victim IS connected to the Internet:

    Here we have many variations; again, I'll mention the most common ones. While
    the attacker has physical access, he/she may download the trojan.exe in
    various ways just by knowing how various Internet protocols work.

    - A special IRCbot known only to the attacker is staying in IRC with the only
    function to DCC the trojan.exe back to the attacker whenever he/she messages
    the bot with a special command. The victim will probably be away from the
    - The attacker wants to download some specific software, like a new version of
    some program, infected with trojan(s) of course, and visits some URL known
    to him/her only and downloads the trojan.
    - The attacker pretends he/she wants to check his/her (web-based) mail (for
    example, at Yahoo! or HotMail) but in fact has the trojan.exe stored in his/
    her mailbox and just downloads and executes the file, thereby infecting the
    computer. The mail service is used as a storage area in this case.

    There are many more ways of infecting the victim while connected to the Net,
    as you can imagine. Any of these examples will succeed, but it all depends on
    the victim's knowledge of the Internet and how advanced his/her skills are,
    so the attacker needs to check these things somehow before doing any of the
    activities I pointed out here. After that, the attacker will be able to choose
    the best variant for infecting the victim and doing the job.

    5) Browser And E-mail Software Bugs

    Users do not update their software versions as often as they should, and a
    lot of attackers are taking advantage of this well-known fact. Imagine you
    are using an old version of Internet Explorer and you visit a (malicious) site
    that will check and automatically infect your machine without you downloading
    or executing any programs. The same scenario applies when you check your e-mail
    with Outlook Express or some other software with well-known problems; again,
    you will be infected without downloading the attachment. Make sure you always
    have the latest version of your browser and e-mail software, and reduce the
    ways of these variations to a minimum. Here are some links about browser and
    e-mail software bugs; check them out and understand how dangerous these bugs
    are, and it's all because of you using an old version of the software.

    6) Netbios(File Sharing)

    If port 139 on your machine is open, you're probably sharing files, and this
    is another way for someone to access your machine, install trojan.exe and
    modify some system file so it will run the next time you restart your PC.
    Sometimes the attacker may use a DoS (Denial of Service) attack to shut down
    your machine and force you to reboot, so the trojan can start itself
    immediately. To block file sharing in Windows ME, go to:

    Start->Settings->Control Panel->Network->File And Print Sharing

    and uncheck the boxes there. That way you won't have any problems related to
    Netbios abuse.
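The post describes three file-name disguises that keep coming back in the ICQ and IRC sections: a run of spaces that pushes the real extension out of view, a decoy ".txt" in front of an executable extension, and ".scr" screensavers that Windows runs like any other program. The following check is an added example, not code from the thread or its author; the list of executable and decoy extensions is an assumption for the example, not a complete Windows list.

```python
"""Flag file names that use the disguises the post describes (added example).

Three tricks are detected: whitespace padding that hides the final extension,
a harmless-looking decoy extension before the real one (photo.txt.exe), and
.scr files, which Windows executes even though they look like "screensavers".
"""
import re

# Extensions Windows launches as programs (assumed subset for this example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "vbs", "js"}
# Extensions a user reads as a document or picture, useful as a decoy.
DECOY_EXTS = {"txt", "jpg", "jpeg", "gif", "doc", "pdf"}


def analyze_filename(name: str) -> dict:
    """Return the real extension plus every reason the name looks deceptive."""
    reasons = []
    # Trailing spaces are dropped by Windows anyway; split on dots to find the
    # extension that actually decides how the file is opened (the last one).
    parts = name.rstrip().split(".")
    true_ext = parts[-1].strip().lower() if len(parts) > 1 else ""
    runnable = true_ext in EXECUTABLE_EXTS

    # "Trojan" + 150 spaces + ".txt.exe": a narrow Explorer/DCC column shows
    # only "Trojan" or "Trojan.txt", so any long run of spaces is a red flag.
    if re.search(r" {3,}", name):
        reasons.append("long run of spaces hides the real extension")

    # Decoy extension directly before the executable one: report.txt.exe
    if runnable and len(parts) > 2 and parts[-2].strip().lower() in DECOY_EXTS:
        decoy = parts[-2].strip().lower()
        reasons.append(f"decoy .{decoy} before executable .{true_ext}")

    # A screensaver is a program with a different extension, as the post notes.
    if true_ext == "scr":
        reasons.append("screensaver files are programs, not pictures")

    return {
        "true_extension": true_ext,
        "runnable": runnable,          # what Explorer calls "Type: Application"
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample names, including the two from the post.
    for sample in ["Trojan" + " " * 150 + ".txt.exe", "Trojan.scr",
                   "holiday.txt.exe", "notes.txt", "setup.exe"]:
        print(repr(sample[:20]), analyze_filename(sample))
```

A plain "setup.exe" is reported as runnable but not suspicious: the check only catches names that lie about what they are, which is the post's point that you must look at the real type, not the icon.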
  2. Siddharth Maheshwari
    Good tut for beginners. Rep for you.