Re: Trojan found...

From: aladin168 (aladin168hotmail.com)
Date: Thu Apr 24 2003 - 09:22:50 CDT


In-Reply-To: <20030417230836.23848.qmail@web41603.mail.yahoo.com>

By Kyle Lai, CISSP, CISA, KLC Consulting, Inc., www.klcconsulting.net

Where are Trojans hiding in your systems?

In any case of virus/worm/Trojan infection, we should not automatically
assume that the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry
key is the only place Trojans try to tamper with; otherwise we would fall
into a false sense of security TRAP.

There are many other places on a Windows system that Trojans can add
scripts and shortcuts to startup Trojan processes:

· [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
· [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
· [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
· [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
· [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
· [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Note: For the following registry keys, the key value should be exactly
"%1 %*". Any programs that are added to the key value will get executed
every time a binary file (.exe, .com) is executed, i.e. "Trojan.exe %1 %*".

· [HKEY_CLASSES_ROOT\exefile\shell\open\command]
· [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]

Also, check:
· Startup folder: to go to this folder, click on Start->Programs->Startup,
right click on Startup and select "Open" from the menu. Check every file in
this folder and make sure you know what they are. These files will start up
automatically every time you log in to your systems.

· Windows Scheduler - check if any programs are scheduled to start up at
any specific time. Some Trojans use the scheduler as a means for program
execution.

  o For Windows NT, 2000 and XP systems, use the AT command to verify. Go to
a command prompt and type "at"; if there are any scheduled tasks, it will
display "Status, ID, Day of execution, Time of execution, and Command line
to be executed".

  o For Windows 9x/ME systems, use Windows Explorer and go to Task
Scheduler, which is under My Computer.

· Win.ini (load=Trojan.exe or run=Trojan.exe)
· system.ini (Shell=Explorer.exe trojan.exe)
· autoexec.bat - look for added Trojan files, may be in the following file
extensions: .exe, .scr, .pif, .com, .bat
· config.sys - look for added Trojan files
· Any suspicious or new batch files (.BAT), which might call the actual
Trojan.

Also, watch out for social engineering... Social engineering? Yes.
Don't be fooled by processes or programs with similar and/or exactly the
same filename as the legitimate Windows system programs. Many known
Trojans have included programs with the exact same name as Windows system
programs, but put them into different folders. Many people lower their
guard when they see familiar Windows system programs, and some Trojans did
successfully create deceptions and exploit this human vulnerability. If
you just use the Windows Task Manager to check processes, you might be
fooled if you don't examine them carefully. You might want to use some
other tools for detailed examination, i.e. pstools from
www.systeminternals.com.

Here are some sample filenames of files included in recent Trojans:

· Explorer.exe - a legitimate program exists in \Windows or \Winnt folder,
NOT \Windows\system32 or \Winnt\system32, or anywhere else

· Rundll32.exe - a legitimate program exists in \Windows\system32 or
\Winnt\system32 folder, not anywhere else

· taskmngr.exe - the legitimate program is called "taskmgr.exe", not
"taskmngr.exe"

Let's be vigilant about the files and registries and different places that
Trojans can touch.
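Two of the checks above can be scripted: comparing the exefile open handler with its stock value `"%1" %*`, and checking where each autostart entry's program actually lives (Explorer.exe outside the Windows folder, rundll32.exe outside system32, the taskmngr.exe lookalike). The script below is an added example, not part of Kyle Lai's post or any KLC tool; it parses a constructed `reg export` (.reg) text rather than the live registry so it runs anywhere, and the key list, sample entries and folder rules are assumptions taken from the post.

```python
import re

# Constructed `reg export` output for this demonstration; not from the original post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\WINNT\\system32\\rundll32.exe sndman.dll"
"Shell"="C:\\WINNT\\system32\\Explorer.exe"
"TaskMgr"="\"C:\\WINNT\\taskmngr.exe\" /hide"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINNT\\Trojan.exe \"%1\" %*"
'''

# Autostart keys and exefile handler keys named in the post (registry key names are case-insensitive)
RUN_KEYS = {f'{hive}\\software\\microsoft\\windows\\currentversion\\{sub}'.lower()
            for hive in ('HKEY_LOCAL_MACHINE', 'HKEY_CURRENT_USER')
            for sub in ('Run', 'RunOnce', 'RunServices', 'RunServicesOnce')}
EXEFILE_KEYS = {r'hkey_classes_root\exefile\shell\open\command',
                r'hkey_local_machine\software\classes\exefile\shell\open\command'}
# Folder (last path component) where each system program legitimately lives, and a known lookalike
EXPECTED_DIR = {'explorer.exe': ('windows', 'winnt'), 'rundll32.exe': ('system32',)}
LOOKALIKES = {'taskmngr.exe': 'taskmgr.exe'}

def parse_reg(text):
    """Return {key: {value_name: data}} for the string values of a .reg export."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and '=' in line and line.endswith('"'):
            name, _, data = line.partition('=')
            name = '(Default)' if name == '@' else name.strip('"')
            keys[current][name] = re.sub(r'\\(.)', r'\1', data[1:-1])  # undo \\ and \" escapes
    return keys

def audit(text):
    """Flag the anomalies the post describes; returns a list of (key, value, reason)."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.lower() in EXEFILE_KEYS and values.get('(Default)') != '"%1" %*':
            findings.append((key, '(Default)', 'exefile handler altered: ' + values.get('(Default)', '')))
        elif key.lower() in RUN_KEYS:
            for name, cmd in values.items():
                # first token of the command line is the image path (it may be quoted)
                path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(' ', 1)[0]
                folder, _, exe = path.lower().rpartition('\\')
                if exe in LOOKALIKES:
                    findings.append((key, name, f'{exe} mimics {LOOKALIKES[exe]}'))
                elif exe in EXPECTED_DIR and folder.rsplit('\\', 1)[-1] not in EXPECTED_DIR[exe]:
                    findings.append((key, name, f'{exe} outside its legitimate folder: {folder}'))
    return findings
```

Run `audit(open('export.reg').read())` against a real `reg export` of the keys above; the benign rundll32.exe entry in the sample is not reported, while the misplaced Explorer.exe, the taskmngr.exe lookalike and the altered exefile handler are.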

Reference:
· Ocxdll.exe/mIRC Virus Analysis by KLC Consulting:
http://www.klcconsulting.net/mirc_virus_analysis.htm

· Deloder worm / IRC worm/Trojan Analysis by KLC Consulting:
http://www.klcconsulting.net/deloder_virus_analysis.htm

· The Complete Windows Trojans Paper By Dancho Danchev:
http://www.frame4.com/

· "Where are Trojans hiding?" by KLC Consulting:
http://www.klcconsulting.net/trojan/trojan_identification.htm

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
klai@klcconsulting.net
www.klcconsulting.net

>Les,
>
>> I say it has never executed because contained
>> in the rar file is a .reg file that adds the trojan
>> to the
>> HKLM\Software\Microsoft\Windows\CurrentVersion\Run
>> key and that key is empty.
>
>What about the running processes on the system? If
>the key is empty, it may simply have not been able to
>write to the key. Keep in mind that the IIS web
>server runs as a guest on the system.
>
>> The folder that that registry entry points to does
>> not exist either. Also contained in the rar file is
>> a txt file that lists users and which groups to add
>> them to, none of these users exist on the system.
>
>Again...permissions.
>
>> If anyone has had experience with this trojan or
>> knows where I can find info on it I would be
>> grateful.
>
>Sounds like you have everything available to write an
>analysis. Since it looks as if no one has written one
>yet... ;-)
>
>Harlan
>

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------