The rapid spread of viruses on the Internet! Damage from malware.

Trojan (Trojan horse) - a type of malware whose main purpose is to cause harmful effects on a computer system. Trojans are distinguished by the absence of any mechanism for creating copies of themselves. Some Trojans are capable of overcoming a computer's protection systems on their own in order to penetrate and infect it. In general, though, a Trojan enters a system together with a virus or worm, as a result of careless user actions, or through the active actions of an attacker.

Because Trojans lack reproduction and distribution functions, their life cycle is very simple and consists of only three stages:

  1. Computer penetration.
  2. Activation.
  3. Execution of assigned functions.

This does not, of course, mean that Trojans have a short lifespan. On the contrary, a Trojan can remain unnoticed in a computer's memory for a long time without revealing its presence in any way, until it is detected by anti-virus tools. Trojans usually solve the problem of penetrating a user's computer by one of the following two methods.

Disguise - the Trojan pretends to be a useful application that the user downloads from the Internet and launches himself. Sometimes the user is removed from the process altogether: a special script placed on a web page exploits vulnerabilities in the browser to download and launch the Trojan automatically.

  • Example. Trojan.SymbOS.Hobble.a is an archive for the Symbian operating system (a SIS archive). It disguises itself as a Symantec antivirus and is named symantec.sis. Once launched on a smartphone, the Trojan replaces the original FExplorer.app shell file with a damaged one. As a result, the next time the operating system boots, most of the smartphone's functions are unavailable.

Another disguise option is for the attacker to insert Trojan code into the code of another application. In this case the Trojan is even harder to recognize, since the infected application can openly perform useful actions while secretly causing damage through its Trojan functions.

Introducing Trojans onto users' computers via websites is also common. In this case, either a malicious script is used that downloads and runs the Trojan on the user's computer by exploiting a vulnerability in the web browser, or social engineering is used: the content and design of the website provoke the user into downloading the Trojan himself. With this method, instead of a single copy of the Trojan, a polymorphic generator may be used that creates a new copy every time the page is loaded. The polymorphism technologies used in such generators generally do not differ from those used by viruses.

Cooperation with viruses and worms - the Trojan travels together with worms or, less commonly, viruses. In principle, such worm-Trojan pairs could be treated as a single composite worm, but in current practice it is customary to regard the Trojan component of a worm, if it is implemented as a separate file, as an independent Trojan with its own name. In addition, the Trojan component may reach the computer later than the worm file.

  • Example. Using the backdoor functionality of the Bagle family of worms, the worm's author covertly installed the Trojan SpamTool.Win32.Small.b, which collected the email addresses contained in files on the infected computer and sent them to a specific address.

Cooperation between worms and viruses is also observed: the worm transports the virus between computers, and the virus then spreads within the computer, infecting files.

  • Example. The well-known Email-Worm.Win32.Klez.h worm, when infecting a computer, also launched the Virus.Win32.Elkern.c virus on it. It is hard to say why this was done, since the virus itself, apart from infecting files and the malicious side effects caused by errors in its code (it contains no obvious malicious routines), performs no actions, i.e. it does not "strengthen" the worm in any sense.

Activation. The techniques here are the same as those used by worms: waiting for the user to launch the file, or using vulnerabilities to launch it automatically. Unlike viruses and worms, which are classified by their methods of reproduction and distribution, Trojans are classified by the nature of the malicious actions they perform. The most common types of Trojans are:

Keyloggers - Trojans that are permanently resident in memory and record all data coming from the keyboard, in order to transfer it to an attacker later. Typically, this is how an attacker tries to find out passwords or other confidential information.

  • Example. Until just a few years ago there were still keyloggers that simply recorded every keystroke into a separate file. Trojan-Spy.Win32.Small.b, for example, read the codes of the pressed keys in an endless loop and saved them to the file C:\SYS. Modern spyware is optimized for collecting the information a user transmits on the Internet, since this data may include logins and passwords for bank accounts, credit card PINs, and other confidential information related to the user's financial activities. Trojan-Spy.Win32.Agent.fa monitors open Internet Explorer windows and saves information from the sites the user visits, together with keyboard input, into a specially created file servms.dll in the Windows system directory.

Password thieves - Trojans that are also designed to obtain passwords, but do not track the keyboard. Instead, they implement methods of extracting passwords from the files in which various applications store them.

  • Example. Trojan-PSW.Win32.LdPinch.kw collects information about the system, as well as logins and passwords for various services and applications: instant messengers, email clients, dialers. Often this data is poorly protected, which allows the Trojan to obtain it and send it to the attacker by email.

Remote control utilities - Trojans that provide complete remote control over the user's computer. Legitimate utilities with the same capabilities exist, but they differ in that they state their purpose during installation or come with documentation describing their functions. Trojan remote control utilities, on the contrary, do not reveal their real purpose in any way, so the user does not even suspect that his computer is under an attacker's control. The most popular remote control Trojan is Back Orifice.

  • Example. Backdoor.Win32.Netbus.170 provides full control over the user's computer, including performing arbitrary file operations, downloading and running other programs, taking screenshots, and so on.

Backdoors - Trojans that provide the attacker with limited control over the user's computer. They differ from remote control utilities in that they are simpler in design and consequently offer a smaller set of actions. However, one of the usual actions is the ability to download and run arbitrary files on the attacker's command, which allows limited control to be turned into full control when necessary.

  • Example. Recently, backdoor functionality has become a characteristic feature of worms. For example, Email-Worm.Win32.Bagle.at uses port 81 to receive remote commands or to download Trojans that extend the worm's functionality. There are also standalone backdoor Trojans. The Backdoor.Win32.Wootbot.gen Trojan uses an IRC channel to receive commands from its operator. On command, the Trojan can download and launch other programs, scan other computers for vulnerabilities, and install itself on those computers through the vulnerabilities it finds.

Anonymous SMTP servers and proxies - Trojans that act as mail servers or proxies; the former are used for spam mailings, the latter by attackers to cover their tracks.

  • Example. Trojans of the Trojan-Proxy.Win32.Mitglieder family are distributed with different versions of the Bagle worms. The Trojan is launched by the worm, opens a port on the computer and sends the IP address of the infected computer to the virus author. After that, the computer can be used to send spam.

Dialers - a relatively new type of Trojan: utilities for dial-up Internet access through expensive premium-rate telephone services. Such Trojans register themselves in the system as the default dialer and result in huge bills for Internet use.

  • Example. Trojan.Win32.Dialer.a, when launched, dials in to the Internet through paid premium-rate services. It performs no other actions, not even creating registry keys, i.e. it does not register itself as a standard dialer or set itself up to autostart.

Browser settings modifiers - Trojans that change the browser's start page, search page or other settings, open additional browser windows, simulate clicks on banners, and so on.

  • Example. Trojan-Clicker.JS.Pretty is usually embedded in HTML pages. It opens additional windows with specific web pages and refreshes them at a set interval.

Logic bombs - often not so much Trojans as Trojan components of worms and viruses; their essence is to perform a certain action when certain conditions are met (date, time of day, user actions, an external command), for example destroying data.

  • Examples: Virus.Win9x.CIH, Macro.Word97.Thus.

Worms and viruses can perform all the same actions as Trojans (see above). At the implementation level these may be either separate Trojan components or built-in functions. In addition, because of their mass distribution, viruses and worms are also characterized by other forms of malicious action:

Overload of communication channels - a type of damage characteristic of worms, arising because during large-scale epidemics huge numbers of requests, infected messages or direct copies of the worm are transmitted over Internet links. In some cases, using Internet services during an epidemic becomes difficult. Example: Net-Worm.Win32.Slammer.

DDoS attacks - because of their mass distribution, worms can be used effectively to carry out distributed denial-of-service (DDoS) attacks. At the height of an epidemic, when millions or even tens of millions of computers are infected, simultaneous requests from all infected systems to a particular Internet resource lead to the complete blocking of that resource. Thus, during the MyDoom worm attack, the SCO company website was unavailable for a month.

  • Examples: Net-Worm.Win32.CodeRed.a - a not entirely successful attack on www.whitehouse.gov; Email-Worm.Win32.Mydoom.a - a successful attack on www.sco.com.

Data loss - behavior more typical of viruses than of Trojans and worms, involving the intentional destruction of certain data on the user's computer.

  • Examples: Virus.Win9x.CIH - overwriting the boot sectors of disks and the contents of the Flash BIOS; Macro.Word97.Thus - deleting all files on drive C:; Email-Worm.Win32.Mydoom.e - deleting files with certain extensions depending on the value of a random-number counter.

Software malfunction - also a trait more characteristic of viruses. Because of errors in the virus code, infected applications may work incorrectly or not at all.

  • Example: Net-Worm.Win32.Sasser.a - reboots the infected computer.

Loading of computer resources - intensive use of computer resources by malware leads to a decrease in the performance of both the system as a whole and individual applications.

  • Examples: to varying degrees, any malicious program.

The presence of destructive actions is by no means a mandatory criterion for classifying program code as a virus. It should also be noted that a virus can cause colossal damage through the process of self-replication alone. The most striking example is Net-Worm.Win32.Slammer.

Copyright MBOU "Gymnasium No. 75", Kazan 2014

Study

Research objectives: to identify the level of knowledge of the gymnasium's teachers and students about biological and computer viruses, and about methods of preventing and combating computer and biological viruses.

Trojan horse

The war between the Trojans and the Danaans began because the Trojan prince Paris abducted the beautiful Greek Helen from the city of Sparta. Her husband, King Menelaus of Sparta, together with his brother Agamemnon, gathered an army of Greeks and set out for Troy. The Spartans went to war against the Trojans.

After ten years of exhausting war and siege, one fine morning the Trojans, not believing their eyes, saw that the Greek camp was empty, and on the shore stood a huge wooden horse with a dedicatory inscription: "In gratitude for a safe return home, the Achaeans dedicate this gift to Athena."

The priest Laocoön, seeing the horse and knowing the tricks of the Danaans, exclaimed: "Whatever it is, fear the Danaans, even those bearing gifts!" and threw his spear at the horse. But at that moment two huge serpents crawled out of the sea and killed Laocoön and his two sons, for the god Poseidon himself wanted Troy destroyed.

The ancients treated sacred gifts with great reverence, and by decision of King Priam the horse was brought into the city and installed in the citadel dedicated to Athena. When night came, the armed Achaeans hidden inside the horse climbed out and attacked the sleeping inhabitants of the city. Thus, thanks to the horse, Troy was captured, and so the Trojan War ended.

Data

One class of malicious computer files are the so-called zip bombs: archives in .zip format that grow many times in size when unpacked. For example, one of the best-known zip bombs, 42.zip, is only 42 KB in size, yet it contains 5 layers of nested archives with 16 files per layer. Each file at the last level is 4.3 GB, and the whole archive takes up 4.5 petabytes when fully unpacked. The harmful effect of such archives is to exhaust system resources when an antivirus or other program tries to scan them, although today all decent antiviruses recognize such bombs in advance and do not try to unpack them completely.
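The "recognize the bomb in advance" part is a check any upload handler or scanner can do itself. The following added example (written for this page, not taken from it or from any antivirus product) reads only the zip central directory and refuses to extract when the declared uncompressed size or the compression ratio exceeds a budget, or when the archive contains nested .zip members, which is where 42.zip's recursive blow-up comes from. Because header sizes are attacker-controlled claims, it also shows the second line of defense: inflating in chunks and counting the bytes that actually come out, aborting at a hard cap. The 100 MiB budget and 100:1 ratio threshold are assumptions chosen for illustration, and the sample archives are constructed in memory so the script runs offline.

```python
"""Added example, not from the original page: detecting a zip bomb before
(and while) unpacking. Standard library only; sample archives are built
in memory so the script runs offline."""
import io
import os
import zipfile

MAX_TOTAL_BYTES = 100 * 1024 * 1024  # assumption: 100 MiB extraction budget
MAX_RATIO = 100.0                    # assumption: >100:1 expansion is suspect


def inspect_zip(data: bytes) -> dict:
    """Read only the central directory and decide whether unpacking is safe.

    ZipInfo.file_size / compress_size come from the archive's own headers,
    i.e. they are attacker-controlled claims. They are cheap to read without
    inflating anything, which makes them a good first filter, but not a
    substitute for counting real output (see inflated_bytes_within_cap)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    declared = sum(i.file_size for i in infos)
    stored = sum(i.compress_size for i in infos) or 1
    ratio = declared / stored
    nested = [i.filename for i in infos if i.filename.lower().endswith(".zip")]
    return {
        "files": len(infos),
        "declared_bytes": declared,
        "ratio": ratio,
        "nested_archives": nested,
        # nested archives are refused outright: 42.zip's damage comes from
        # recursive unpacking, not from any single layer
        "safe_to_extract": declared <= MAX_TOTAL_BYTES
        and ratio <= MAX_RATIO
        and not nested,
    }


def inflated_bytes_within_cap(data: bytes, cap: int = MAX_TOTAL_BYTES):
    """Inflate member by member in 64 KiB chunks, counting the bytes that
    actually come out, and stop as soon as the cap is crossed. A lying
    header cannot defeat this check; it costs at most `cap` bytes of work."""
    seen = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while True:
                    chunk = member.read(64 * 1024)
                    if not chunk:
                        break
                    seen += len(chunk)
                    if seen > cap:
                        return False, seen
    return True, seen


def make_bomb_like_zip(member_size: int = 8 * 1024 * 1024, members: int = 16) -> bytes:
    """Constructed sample: 16 members of zeros (mirroring the 16 files per
    layer of 42.zip) plus an empty nested .zip. Deflate compresses zeros at
    roughly 1000:1, so 128 MiB of declared content fits in about 130 KiB."""
    buf = io.BytesIO()
    zeros = b"\0" * member_size
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        for n in range(members):
            zf.writestr(f"{n}.txt", zeros)
        # smallest valid zip: just an end-of-central-directory record
        zf.writestr("layer.zip", b"PK\x05\x06" + b"\0" * 18)
    return buf.getvalue()


def make_benign_zip() -> bytes:
    """Constructed sample: one incompressible 4 KiB member (ratio about 1:1)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.bin", os.urandom(4096))
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("bomb-like", make_bomb_like_zip()), ("benign", make_benign_zip())):
        verdict = inspect_zip(blob)
        ok, seen = inflated_bytes_within_cap(blob)
        print(f"{name}: {len(blob)} bytes on disk, declares {verdict['declared_bytes']} bytes, "
              f"ratio {verdict['ratio']:.0f}:1, nested={verdict['nested_archives']}, "
              f"safe={verdict['safe_to_extract']}, within cap={ok} after {seen} bytes")
```

Both checks are needed: the header check costs nothing and catches 42.zip-style archives immediately, while the counting extractor is what actually bounds the damage if someone hands you an archive whose headers lie about their sizes.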

The "I Love You" virus (that is what it was called) was listed in the Guinness Book of Records as the most destructive computer virus in the world. It hit more than 3 million computers around the planet and also became the most expensive in history.

According to statistics, the computer of every third Internet user in developed countries is attacked by computer viruses at least once a year.

A curious computer virus operates in Israel, supposedly created in the name of justice. It finds movies, music and photos illegally downloaded from the Internet on the victim's computer and destroys them. Interestingly, when the user wants to remove this virus from the computer, he is asked to pay for the service.

10 Legendary Attacks in Internet History

Top 10 legendary virus attacks on the Internet that threatened the security of tens, or even hundreds of millions of users around the world.

Data

Several years ago a case was recorded in which a computer virus caused a person's death: in a hospital in the Netherlands, a patient received a lethal dose of morphine because the computer was infected with a virus and was producing incorrect information.

The most famous virus enthusiast in our country is a student at one of the universities in Voronezh. He created a website on which he posted an entire collection of computer viruses (more than 4,000) for anyone to download. The site was discovered by the FSB, and the student was given a two-year suspended sentence for distributing computer viruses on the Internet. Interestingly, the student also wrote his own virus, which is still not detected by security tools.

The first person arrested for spamming instant messaging systems (such as ICQ) was 18-year-old Anthony Greco on February 21, 2005.

In 1991, the famous virus writer Dark Avenger implemented MtE (Mutation Engine), an algorithm that allows viruses to mutate into more than 4 billion different forms, making them much harder for antiviruses to find.

The authors of the Sathurbot Trojan chose an unusual distribution method for their creation: the malware targets fans of pirated content.

Sathurbot uses compromised WordPress sites to distribute malicious torrents, creating hidden pages on them for this purpose. Since the position and reputation of such sites in search engines were decent before the hack, the hidden torrent pages appear in search results in good positions, attracting more and more victims.

When yet another user takes the bait and decides to download a pirated movie from such a site, almost nothing arouses suspicion. The torrent has many seeders, and the list of files includes a video file with the movie, a text file with instructions, and an installer for a certain codec that the user supposedly needs to install.

As you might guess, Sathurbot disguises itself as the codec. When the victim tries to install the "codec", the malware displays a fake error message, but in reality the installation succeeds and Sathurbot penetrates the system.

After infection, Sathurbot performs a DNS query to find the address of its first command and control server, which gives the malware one of two commands. The server can order the Trojan to download additional malware (Boaxxe, Kovter or Fleercivet) onto the computer, or to perform a series of search queries. The second option is the more interesting, because it is what leads to the brute-force attacks on WordPress sites.

In the second case, the control server sends the malware a list of about 5,000 words. The infected machine picks 2-4 words from this list and queries Google, Bing and Yandex with them, looking only at the first pages of results. The malware then selects 2-4 new words that occur most frequently on the sites found in the first stage (this time the phrase usually turns out to be more meaningful) and continues searching. Having narrowed the sample in this way, Sathurbot extracts the domain names of the remaining sites and tries to determine whether they run WordPress, for example by requesting the URL http://domainname/wp-login.php. When a WordPress site is detected, the Trojan reports it to the second command and control server.

The second command and control server coordinates the brute-force attacks. It hands each infected device a set of credentials to try against each of the target domains. Each bot attempts to log in to a given target site no more than once, to avoid lockouts and triggering security solutions. According to ESET analysts, the botnet currently numbers about 20,000 machines, which means the attackers get at least 20,000 guesses at the credentials of each site. The researchers note that Sathurbot is "interested" not only in WordPress but also in sites running Drupal, Joomla, PHP-NUKE, phpFox and DedeCMS.
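The one-attempt-per-bot tactic is exactly what a per-IP lockout or a fail2ban-style rule cannot see: every source stays below any sensible threshold, while the site as a whole absorbs thousands of guesses. The following added example (written for this page, not ESET's code or anything from the original write-up) parses constructed combined-format access-log lines and runs two detectors over them: the classic per-IP failure count, which stays silent, and a population-level one that fires when many distinct sources each fail roughly once inside a short window. It assumes WordPress's usual behaviour of answering a failed login POST with 200 (the form re-rendered with an error) and a successful one with a 302 redirect; the window size and thresholds are illustrative values to tune per site, and the IP addresses come from the documentation ranges.

```python
"""Added example, not from the ESET write-up or this page: spotting a
Sathurbot-style distributed brute force against /wp-login.php in a web
server access log. The log lines are constructed for the example."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined log format; assumption: the server logs request line and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop ?action=... query strings
        "status": int(m["status"]),
    }


def wp_login_failures(lines) -> list:
    """Keep only failed login attempts. WordPress answers a failed POST to
    wp-login.php with 200 (form re-rendered with an error) and a successful
    one with a 302 redirect to wp-admin; a GET merely displays the form."""
    events = (parse_line(line) for line in lines)
    return [e for e in events if e and e["method"] == "POST"
            and e["path"] == "/wp-login.php" and e["status"] == 200]


def per_ip_alerts(failures, threshold: int = 5) -> list:
    """The classic detector: one source failing `threshold` times or more.
    Sathurbot never trips it, because each bot tries each site only once."""
    counts = Counter(e["ip"] for e in failures)
    return [{"ip": ip, "failures": n} for ip, n in counts.items() if n >= threshold]


def distributed_alerts(failures, window=timedelta(minutes=10),
                       min_ips: int = 20, max_mean_per_ip: float = 1.5) -> list:
    """Look at the population instead of the individual: many distinct
    sources, each failing about once, inside a short window. The thresholds
    are assumptions to tune per site; real users produce a few IPs with
    several failures each, not dozens of IPs with exactly one."""
    failures = sorted(failures, key=lambda e: e["ts"])
    alerts = []
    for i, first in enumerate(failures):
        in_window = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
        per_ip = Counter(e["ip"] for e in in_window)
        attempts = sum(per_ip.values())
        if len(per_ip) >= min_ips and attempts / len(per_ip) <= max_mean_per_ip:
            alerts.append({"window_start": first["ts"], "distinct_ips": len(per_ip),
                           "attempts": attempts})
            break  # one alert per burst is enough for the example
    return alerts


def constructed_log() -> list:
    """Constructed sample (documentation address ranges, not real hosts):
    30 bots from 203.0.113.0/24 posting once each, and one real user who
    views the form, mistypes the password twice and then succeeds."""
    base = datetime(2017, 4, 15, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} /wp-login.php HTTP/1.1" {status} 3421 "-" "Mozilla/5.0"'

    def stamp(secs: int) -> str:
        return (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = [fmt.format(ip=f"203.0.113.{n + 1}", ts=stamp(10 * n), method="POST", status=200)
             for n in range(30)]
    lines.append(fmt.format(ip="198.51.100.7", ts=stamp(0), method="GET", status=200))
    for k, status in enumerate((200, 200, 302)):
        lines.append(fmt.format(ip="198.51.100.7", ts=stamp(30 * (k + 1)),
                                method="POST", status=status))
    return lines


if __name__ == "__main__":
    fails = wp_login_failures(constructed_log())
    print("failed login POSTs:", len(fails))
    print("per-IP detector:", per_ip_alerts(fails))
    print("distributed detector:", distributed_alerts(fails))
```

Run against the constructed log, the per-IP detector returns nothing (the real user's two mistakes are well under five, and every bot has exactly one), while the distributed detector reports a single window with 31 distinct sources and 32 failures. In production the same idea works over a log shipper's aggregate (count of distinct client IPs with status 200 POSTs to wp-login.php per 10 minutes), and the natural response is a site-wide measure such as requiring a second factor or a CAPTCHA, since there is no single IP to block.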

General attack pattern

If the resource is compromised successfully, the site becomes another node for distributing malicious torrents, which takes us back to the beginning of the attack. Moreover, the malware carries a built-in libtorrent library, so infected devices also take part in the malicious distribution, helping to seed the torrents that carry the malware.


Hello... Ritter3D here.
This article will describe how you can spread a virus...
Of course, you can take your own virus and sell it to each person individually,
but it's better when people come and download it themselves, and you just sit and wait.. (for the logs, of course)
There is such a solution!! You can upload it to some file hosting service and post it on websites.. YES, that is a solution, but not the best one!
We've all heard about torrent files...
They are stored on many sites, and there are specialized places where these torrents are in abundance!
Such as torrentino.com and many other sites...
But the VKontakte application also has a torrent section.
There's something like that there too!!
This article is about torrent files... specifically how to make them and where to post them....
First you will need to install the uTorrent program


A window pops up in which you select your file, or an entire folder, as you wish..

Chosen? Then click Create and save in...

Then click Close
That's it, the torrent file is ready!!
The first stage has been completed... let's go have a drink))
and into battle!!
Now we need to put it up for distribution and post it on the Internet...
Let's go to the website...


Go to your page and install the torrent application if you don't already have it...

Go into it, pick a free nickname... poke around and figure it out...


Now you need to find the "Create your own distribution" section...


Click and look...


Here we look carefully at the fields...
the first field is for selecting your torrent file.. click the Browse button.. and select it


Then we need to select a cover.. click the same thing and look for a cover.. on your computer, or just any picture in *.jpg format
Then we need to come up with a name...
It should scream! but it shouldn't contain any swear words or hacking terms...
Then we write the description.. I advise you to take the description of some official program from its official site... take the description.. then just change all the values, and your whole description complies with the VKontakte rules)))
Then you must select the section in which you will post..


I advise you to post it in the games sections)) there are a lot of nerds there, you can say it's a super cheat and voila)) lots of logs))
Then we select screenshots and insert a video if desired..
and click "Create distribution"
Have you thought about it?
No!
Who will seed it?
Now we need to put the file up for seeding...
To do this, go to your distribution and click "download torrent file"


Then you click "open torrent file"...


Then the uTorrent program window pops up


Here you must select the path to the virus on your computer in the top window...


and click OK
that's it, after the program checks the file, seeding will begin...


I advise you to seed for as long as possible... over time there will be more people seeding... and, accordingly, more logs too..
Ritter3D was with you!

2024 gtavrl.ru.