Trojan Horses - An all-in-one informational thread

Benadryl
April 19th, 2009, 07:44 AM
Trojan horses are modified unsolicited software (or arguably cover software) that appear as fully legitimate software. Instances of trojan horses have been reported heavily since the late 1990s, but the software has been present since the 1970s. Since then, they have begun to show up in all intellectual entities. Here are some basic facts:
○ Trojans are browser-independent.
○ Some trojans infect the internet browser so that removal software cannot be downloaded.
○ Many trojans also act as screen savers.
○ Trojans that act as anti-virus software are known as rogue security software.
○ Trojans are usually not detected by real-time protection.
○ Since they are not viruses, many anti-virus programs do not detect them as an infection.
○ They are OS-dependent but there are many instances of trojans on both Mac and Windows.
○ They can infect any device that connects to the internet, or any device that connects to a computer that is or has been connected to the internet. This includes video game devices, MP3 players, and cell phones if they connect.
○ They can be installed without consent of the victim.
○ They rarely appear in the Add/Remove Programs menu.

Negative effects:
○ Some cause moderate to severe system damage.
○ They are privacy invasive and steal information that is returned to where the trojan is planted.
○ They can hijack the control panel and internet browser to restrict access and resist removal.
○ They can disable some anti-virus software, allowing other threats to enter the computer's network.

Those are just negative effects of a plain old trojan. This doesn't include the effects of rogue security software. This software is extremely malicious and has additional effects:
○ They usually provide false positives in order to prompt the user into buying their product.
○ Credit card information is almost always stolen from anyone who buys the full version.
○ Some manually add real infections in the virus scan.
○ They always hijack the browser and continue to redirect the user to their website.
○ Installing the complete software will sometimes result in severe hardware damage. (Note: the blue screen of death)
○ They may overload random access memory and cause a dip in performance of the computer.

There are several tactics that the rogue software uses in order to avoid immediate detection and/or removal:
○ Pop-ups are frequently employed; as soon as one is closed, another may open.
○ Adult content (pornography) is said to be found on the computer, prompting the user to buy the full software.
○ The software is usually downloaded as a drive-by download. As soon as a site is visited, the download may begin.
○ Others can be downloaded alongside another download. It is most commonly downloaded with fraudulent spyware like Grokster or Warez but could be attached to virtually any file.
○ Some begin as system files and attempt to install themselves after they have been placed on the computer to slide by real-time protection.

Here is just a list of the most commonly-known trojan software in order of their discovery:
○ Ghostball** (1989)
○ Zlob (2005)
○ Bandook (2005)
○ MSAntivirus* (2006)
○ IE Antivirus* (2006)
○ Macsweeper (2008)
○ Conficker C** (2009)
Software noted by * is also known under several other aliases.
Software noted by ** are spread in several different ways; some instances may be another form of malicious software, but the software has reportedly acted as a trojan in multiple cases.

One particular trojan, MSAntivirus, has reportedly cost computer users collectively hundreds of thousands of dollars each week. MSAntivirus is rogue software and may also be known as:
○ XP Antivirus
○ Vitae Antivirus
○ Windows Antivirus
○ Win Antivirus
○ Antivirus Pro
○ Antivirus Pro 2009
○ Antivirus 2007, 2008, 2009, and 2010
○ Antivirus 360
○ System Antivirus
○ Vista Antivirus
○ AntiSpywareMaster
○ XP AntiSpyware 2009
○ Antivirus XP Pro
○ Anti-Virus-1

There are very few safe ways to remove trojan horses from computers. Attempting to use the control panel will either fail or cause system damage. There are only 5 ways that will nearly always work:
○ Shareware anti-virus can usually detect the virus in a scan.
○ A system restore back to a certain point may sometimes work, but sophisticated software WILL resist this.
○ Using restore software to completely return the computer back to its factory settings always works, although it is not always recommended.
○ If and only if the trojan is infected entirely in an internet browser, and not saved to the C: drive as a permanent file, it can be removed by clearing all Internet temporary files. If this doesn't work the victim should try to manually delete the file in the temporary file list on their browser.
○ HijackThis and similar software will remove any file that the user insists on removing. However, this is dangerous as important system files could be removed.

There are ways to prevent the software from causing significant problems. These methods and tricks do not always work when trying to avoid or detect trojans but they are useful:
○ Do not download software that has not been digitally signed by an individual or company and/or thoroughly scanned by the license owner of the browser you are using.
○ Do not download illegal software or reported spyware.
○ If you believe you have been infected, do not enter any passwords, credit card information, personally identifiable information, or exclusively private information.
○ Always have at least two internet browsers installed in case one is disabled.

Here are some tips for differentiating legit software and trojans:
○ Legit software will not employ excessive pop-ups. (Usually none at all)
○ Legit software will not install itself.
○ Legit software can be removed at any time unless it is a system file.
○ Legit software will not re-install after it has been removed.
○ Legit software will not require that you download the complete version in order to use their services. (This does not mean that any software with a free and complete version isn't legit; if the free software offers any service at all, it may be legit)
○ Legit software will not intentionally give false positives.
○ Legit software will not hijack other legit software.
○ Legit software will not download other software without user consent unless it is an update or addition to the software itself.
○ Legit software will not disable the control panel or any part of the C: drive.

Now, to close, below is a list of freeware/shareware anti-virus software that has reportedly been able to remove most trojan software. It may not always be able to detect newer viruses. Software:
○ Ad-Aware SE
○ Avast!
○ AVG Free
○ Comodo Internet Security
○ Malwarebytes
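As an added example that is not from the original post, the following PowerShell triage script applies two of the indicators listed above (legitimate software is usually digitally signed and usually appears in Add/Remove Programs): it lists running processes whose executable has no valid Authenticode signature and whose folder is not registered under any Uninstall key. The Uninstall registry paths are the standard Windows locations; the script logic and the Windows-directory exclusion are assumptions of this example.

```powershell
# Added example (not from the original post): list running processes that are
# both unsigned AND not registered in Add/Remove Programs. Output is a lead for
# investigation, not proof of infection; plenty of freeware ships unsigned.

# InstallLocation of every registered program (64-bit, 32-bit and per-user views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$registeredDirs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.InstallLocation } |
    ForEach-Object { $_.InstallLocation.TrimEnd('\').ToLowerInvariant() } |
    Sort-Object -Unique

# True when the executable lives inside a folder some Uninstall entry points at.
function Test-RegisteredPath {
    param([string]$ExePath)
    $dir = (Split-Path -Path $ExePath -Parent).ToLowerInvariant()
    foreach ($r in $registeredDirs) {
        if ($dir.StartsWith($r)) { return $true }
    }
    return $false
}

# Assumption: files under the Windows directory belong to the OS and never
# appear in Add/Remove Programs, so they are skipped rather than flagged.
$windowsDir = $env:SystemRoot.ToLowerInvariant()

Get-Process |
    Where-Object { $_.Path } |            # protected processes expose no path; skip them
    Sort-Object -Property Path -Unique |  # one row per executable, not per process
    ForEach-Object {
        $path = $_.Path
        if ($path.ToLowerInvariant().StartsWith($windowsDir)) { return }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid' -and -not (Test-RegisteredPath $path)) {
            [pscustomobject]@{
                Process         = $_.ProcessName
                Path            = $path
                SignatureStatus = $sig.Status   # NotSigned, HashMismatch, UnknownError, ...
            }
        }
    } | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the executable paths of processes owned by other users are visible; a HashMismatch status on a file that used to be signed is a stronger signal than NotSigned alone.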

twocows
April 19th, 2009, 10:00 AM
Oh jeez. Don't remind me about AntiVirus 2008. I manually removed it from an acquaintance's laptop. Not a fun task. The wallpaper was particularly tough to remove; basically, what it did was disable the ability to change wallpapers via the registry, and then set the wallpaper to a blue background with a false error message on it that you couldn't click. It took me hours just to figure out why I couldn't fix the wallpaper, and then took me another hour once I figured out it was disabled in the registry to fix and remove the wallpaper itself.

On a side note, once I fully removed it, I ran AVG in safe mode and it decided System32 was too infected to not delete, so I had to re-install Windows anyway. I don't blame AVG, I blame myself for not paying attention to the stuff it asked me to delete. On the plus side, he didn't care about his data and I got his computer working like new.

Trojans are one of the few reasons you'll ever need a firewall, but chances are if you got the Trojan in the first place, you won't understand the signs your firewall is giving you that it's trying to send out information (good firewalls alert the user for pretty much every outgoing connection, but novices might not be able to tell the difference between a legit connection and a malicious one).

Benadryl
April 19th, 2009, 12:14 PM
Oh jeez. Don't remind me about AntiVirus 2008. I manually removed it from an acquaintance's laptop. Not a fun task. The wallpaper was particularly tough to remove; basically, what it did was disable the ability to change wallpapers via the registry, and then set the wallpaper to a blue background with a false error message on it that you couldn't click. It took me hours just to figure out why I couldn't fix the wallpaper, and then took me another hour once I figured out it was disabled in the registry to fix and remove the wallpaper itself.
Yeah, I never understood the wallpaper thing. Luckily it's never been a problem with me. (And I've gotten an instance of MSAntivirus 3 different times). I guess we can all agree that trojans just plain suck.

Mitchman
April 19th, 2009, 12:22 PM
Wow, that was a good read. But yeah, I have a pretty safe computer. I have NOD32 (somehow it went from a proper full version to a trial version; Shinjiro, since you use it, can you answer why the hell it did so, if you know of course) and it blocks a lot of viruses if some try to come into my computer, and I use the default firewall from Windows.

Zet
April 19th, 2009, 02:50 PM
So where did you copy/paste this from? And is there really any point to this thread besides showing off that you know what a trojan is and what it does?


@ Todoroki Is: I heard that some people have been abusing keys, so you will need to contact ESET about it.

Benadryl
April 19th, 2009, 03:34 PM
So where did you copy/paste this from? And is there really any point to this thread besides showing off that you know what a trojan is and what it does?
Ololol, it's not copypasted. And I thought it would be a pretty nice resource considering the prevalence of trojans.