Crime Branch Advisory
The Nigerian Scam
In the 12th century BC, Greece declared war on the city of Troy. The dispute erupted when the prince of Troy abducted the queen of Sparta and declared that he wanted to make her his wife. This naturally angered the Greeks (and especially the queen of Sparta). The Greeks besieged Troy for 10 years but met with no success, as Troy was very well fortified. In a last effort, the Greek army pretended to retreat and left behind a huge wooden horse. The people of Troy saw the horse and, thinking it was some kind of present from the Greeks, pulled it into their city, unaware that the hollow wooden horse had some of the best Greek soldiers sitting inside it.
Under the cover of night, the soldiers snuck out and opened the gates of the city, and later, together with the rest of the army, killed the entire army of Troy. Like the wooden horse, a Trojan horse program pretends to do one thing while actually doing something completely different.
Types of Trojans
The following are the most common types of Trojan horses:
Remote Administration Trojans (RATs)
These are the most popular Trojans. They let a hacker access the victim's hard disk and also perform many functions on the victim's computer (shut it down, open and close its CD-ROM drive, etc.).
Modern RATs are very simple to use. They come packaged as two files: the server file and the client file. The hacker tricks someone into running the server file, obtains that person's IP address and gets full control over his or her computer. Some Trojans are limited in their functions, but more functions also mean a larger server file. Some Trojans are meant only to let the attacker upload another Trojan to the target's computer and run it, hence they take up very little disk space. Hackers also bind Trojans into other programs that appear to be legitimate, e.g. a RAT could be bound with an e-greeting card.
Most RATs are used for malicious purposes: to irritate or scare people, or to harm computers.
There are many programs that detect common Trojans. Firewalls and anti-virus software can be useful in tracing RATs.
Remote administration Trojans open a port on your computer and bind themselves to it (the server file listens for incoming connections and for data arriving on that port). Then, once the attacker runs the client program and enters the victim's IP address, the Trojan starts receiving commands from the attacker and runs them on the victim's computer. Some Trojans let the hacker change this port to any other port and also set a password, so that only the person who infected the specific computer will be able to use the Trojan. In some cases the creator of the Trojan also puts a backdoor within the server file itself, so that he can access any computer running his Trojan without needing to enter a password. This is called "a backdoor within a backdoor".
The most popular Windows RATs are Netbus, BO and Sub7.
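Because a RAT server is a process that listens on a port (and, as noted above, the port is often configurable), a defender cannot rely on a list of "known Trojan ports". A more robust check is to keep a baseline of the listening sockets a machine is expected to have and flag anything outside it. The following is an added example, not code from the advisory: it parses `netstat -ano`-style output (the sample below is constructed, not captured from a real machine) and reports listeners that are not in the baseline, grouped by owning process ID. The baseline ports and PIDs are assumptions for the demonstration.

```python
from dataclasses import dataclass
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output (not real data): an expected
# web listener, an expected remote-desktop listener, one established session, and
# one unknown PID listening on both a TCP and a UDP high port.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:48921          0.0.0.0:0              LISTENING       3377
  TCP    192.0.2.10:3389        198.51.100.7:51022     ESTABLISHED     912
  UDP    0.0.0.0:48921          *:*                                    3377
"""

# Assumed allow-list for this host: (protocol, port) pairs that are supposed to listen.
EXPECTED_LISTENERS = {("TCP", 80), ("TCP", 3389)}


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    pid: int


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Extract listening sockets from netstat -ano style text."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or unrelated text
        proto, local = fields[0], fields[1]
        port = int(local.rsplit(":", 1)[1])  # works for 0.0.0.0:80 and [::]:80
        if proto == "TCP":
            # TCP rows carry a State column; only LISTENING sockets are of interest.
            if len(fields) < 5 or fields[3] != "LISTENING":
                continue
            pid = int(fields[4])
        else:
            # UDP rows have no State column: Proto, Local, Foreign, PID.
            pid = int(fields[3])
        listeners.append(Listener(proto, port, pid))
    return listeners


def unexpected_listeners(listeners: list[Listener],
                         expected=EXPECTED_LISTENERS) -> list[Listener]:
    """Listeners whose (proto, port) is not in the host's baseline."""
    return [l for l in listeners if (l.proto, l.port) not in expected]


def listeners_by_pid(listeners: list[Listener]) -> dict[int, list[Listener]]:
    """Group listeners by owning PID so one process with several ports stands out."""
    grouped: dict[int, list[Listener]] = defaultdict(list)
    for l in listeners:
        grouped[l.pid].append(l)
    return dict(grouped)


def main() -> None:
    found = unexpected_listeners(parse_listeners(SAMPLE_NETSTAT))
    for pid, socks in listeners_by_pid(found).items():
        ports = ", ".join(f"{s.proto}/{s.port}" for s in socks)
        print(f"PID {pid}: unexpected listener(s) on {ports} -> inspect this process")


if __name__ == "__main__":
    main()
```

The report is a starting point, not a verdict: the flagged PID should be mapped to its image path (for example with Task Manager or `tasklist`) and the binary checked with anti-virus software, as the advisory recommends. Keeping the baseline as an allow-list also means a Trojan that has been reconfigured to a "normal-looking" port is still caught as long as that port was not in use before the infection.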
Password Trojans search the victim's computer for passwords and then send them to the attacker or to the author of the Trojan. Whether it is an Internet password or an email password, there is a Trojan for every password. These Trojans usually send the information back to the attacker via email.
These Trojans are usually used to fool system administrators. They can either be bound into a common system utility or pretend to be something harmless, even quite useful and appealing. Once the administrator runs it, the Trojan gives the attacker more privileges on the system. These Trojans can also be sent to less-privileged users and give the attacker access to their accounts.
These Trojans are very simple. They log all of the victim's keystrokes (including passwords) and then either save them to a file or email them to the attacker from time to time. Key loggers usually take very little disk space and can masquerade as important utilities, which makes them very hard to detect.
These Trojans can destroy the victim's entire hard drive, or encrypt or simply scramble important files. Some might look like joke programs while they are actually ripping every file they encounter to pieces.
Joke programs are not harmful. They can pretend to be formatting your hard drive, sending all of your passwords to some hacker, self-destructing your computer, turning in all information about illegal and pirated software you might have on your computer to the police (or to Privacy Watch!), etc. In reality these programs do nothing at all.
Some common Trojans
Back Orifice (BO)
This Trojan was developed by a community of hackers known as the "Cult of the Dead Cow" (www.cultdeadcow.com). It can be downloaded from www.BO2K.com and numerous other websites. (Note: the websites keep changing, and it is best to use a powerful search engine such as www.Google.com to search for the program.)
Back Orifice consists of two parts, a client application and a server application (approximately 122 KB). The client application, running on the hacker's computer, can be used to monitor and control the victim's computer (which runs the server application). The hacker can perform the following activities on the victim's computer:
i. Run any program or view any file
ii. Keep a record of all the keys pressed on the keyboard
iii. Shut down or restart the victim's computer
iv. Transfer files to or from the victim's computer
The hacker could be in Australia and the victim in China, and the hacker could still perform all of the above activities on the victim's computer! The following are the main characteristics of BO:
i. BO can only be used on victim computers that are running the Windows 95 or Windows 98 operating systems.
ii. The server part of the program has to be installed on the victim computer. The victim is usually fooled into installing the server part by being sent the Trojan fused with another program (e.g. an electronic Diwali card fused with the Trojan program).
iii. The hacker needs to know the IP address of the victim computer.
iv. If the victim computer is behind a firewall, then BO will not
NetBus was developed by a Swedish citizen named Carl-Fredrik Neikter, who claimed that he developed it "purely for fun". NetBus can be downloaded from hundreds of websites; it is best to use Google.com to search for the program. NetBus allows the hacker to perform numerous activities on the victim's computer. Some of these are:
i. Open/close the CD-ROM tray once or at intervals (specified in seconds).
ii. Swap mouse buttons: the right mouse button works like the left button and vice versa.
iii. Start any program.
iv. Play any sound file (it supports only WAV files).
v. Point the mouse to some other place. The hacker can navigate the victim's mouse with his own.
vi. Show a message dialogue on the screen. The answer is sent back to the hacker. The hacker can ask for the password and the victim would enter it!
vii. Shut down or log off the victim.
viii. Open any website.
ix. Type anything in the program that the victim is using.
x. Obtain a list of all the keys on the keyboard that the victim
xi. Get an image of the screen (called a screen dump).
xii. Get information about the victim computer.
xiii. Upload any file to the victim computer. Using this feature the hacker can upload any virus or Trojan, or update the NetBus Trojan.
xiv. Increase and decrease the sound volume.
xv. Record sounds that the microphone can catch. The sound is sent to the hacker.
xvi. Make click sounds every time a key is pressed.
xvii. Download and delete any file on the victim computer.
xviii. Disable keys on the victim's keyboard.
The following are the main characteristics of NetBus:
i. Once it is installed on the victim computer, it runs every time the computer is started.
ii. NetBus can be used on victim computers that are running the Windows 95, Windows 98 or Windows NT operating systems.
NetBus 2 Pro
NetBus 2 Pro is the "legitimate" version of NetBus. It affects computers running the Windows 95, 98 and NT operating systems. The "server" portion (named "NBSvr.exe") is approximately 599 KB in size. Once installed, NetBus is run every time the computer is started. Carl-Fredrik Neikter, who is also the creator of the original NetBus, developed NetBus
Deep throat v 2
Deep Throat was developed by a person called ^Cold^ KiLler, CEO of DarkLIGHT Corp. Deep Throat v 2 affects computers running the Windows 95 / 98 operating systems. The Trojan deletes the existing "systray.exe" file of the victim computer (which is normally 36 KB in size) and replaces it with the "server" portion of the Trojan (which is approximately 301 KB in size). Once installed, it is run every time the computer is started. Among other things, Deep Throat allows the hacker to open/close the CD-ROM tray of the victim's computer, restart the victim computer, get a screen dump, and start an FTP server on port 21 of the victim's computer.
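A Trojan that replaces a system file under its original name, as Deep Throat does with systray.exe, is exactly what a file-integrity baseline catches: the size jumps from roughly 36 KB to roughly 301 KB and the hash no longer matches. The following is an added example, not code from the advisory: it records size and SHA-256 for a set of files, then re-checks them and reports anything missing or modified. The demonstration builds its own throwaway copies of "systray.exe" and a second file in a temporary directory (constructed stand-ins, no real system file is touched) and simulates the replacement the advisory describes.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Size and SHA-256 of one file; both are compared, since a same-size swap
    would still change the hash."""
    data = path.read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(paths: list[Path]) -> dict:
    """Known-good fingerprints, keyed by path. In practice this is taken on a clean
    machine and stored somewhere the machine itself cannot alter."""
    return {str(p): fingerprint(p) for p in paths}


def compare_baseline(baseline: dict) -> list[dict]:
    """Re-fingerprint every baselined file and list the differences."""
    findings = []
    for name, expected in baseline.items():
        p = Path(name)
        if not p.exists():
            findings.append({"path": name, "change": "missing", "expected": expected})
            continue
        observed = fingerprint(p)
        if observed != expected:
            findings.append({"path": name, "change": "modified",
                             "expected": expected, "observed": observed})
    return findings


def demo() -> list[dict]:
    """Constructed scenario: baseline two files, then replace one the way the
    advisory describes (delete and rewrite under the same name, much larger)."""
    with tempfile.TemporaryDirectory() as tmp:
        systray = Path(tmp) / "systray.exe"      # stand-in, not the real file
        other = Path(tmp) / "other.dll"          # untouched control file
        systray.write_bytes(b"MZ" + b"\x00" * (36 * 1024 - 2))    # ~36 KB placeholder
        other.write_bytes(b"MZ" + b"\x00" * 1024)
        baseline = build_baseline([systray, other])

        systray.unlink()
        systray.write_bytes(b"MZ" + b"\x01" * (301 * 1024 - 2))   # ~301 KB placeholder
        return compare_baseline(baseline)


if __name__ == "__main__":
    for f in demo():
        line = f"{f['path']}: {f['change']}"
        if f["change"] == "modified":
            line += f" (size {f['expected']['size']} -> {f['observed']['size']} bytes)"
        print(line)
```

The baseline is only as trustworthy as the place it is stored: if the Trojan can rewrite the baseline file along with systray.exe, the comparison proves nothing, so keep it on write-protected media or on another host. Size alone would already have exposed this particular replacement, but the hash is what catches a substitute padded to the original size.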