CEH-Bk2_Ch01-Review Question Answers
- What are the signs of Trojan infection?
A computer Trojan is defined as a “malicious, security-breaking program that is disguised as something benign.” A computer Trojan horse is used to enter a victim’s computer undetected, granting the attacker unrestricted access to any data stored on that computer and causing immense damage to the victim.
The following computer malfunctions are symptoms of a Trojan attack:
• The CD-ROM drawer opens and closes automatically. The popular Trojans that exhibit such activities are Netbus and SubSeven.
• The computer screen blinks, flips upside-down, or is inverted so that everything is displayed backward.
• The default background or wallpaper settings change automatically. This can be done by using pictures either on the user’s computer or in the attacker’s program.
• Printers automatically generate personal messages stored in the folder.
• Web pages suddenly open without input from the user.
• Color settings of the operating system change automatically.
• Screensavers convert to a personal scrolling message.
• Sound volume suddenly fluctuates all the way up or down.
• Antivirus programs are automatically disabled, and data is corrupted, altered, or deleted from the system.
• The date and time of the computer change.
• The mouse cursor moves by itself.
- Name and describe three types of Trojans.
• Remote Access Trojans: Provide attackers with full control over the victim’s system, enabling them to remotely access files, private conversations, and accounting data on the victim’s machine. The remote access Trojan acts as a server, and listens on a port that is not supposed to be available to Internet attackers; therefore, if the user is behind a firewall on the network, there is less chance that a remote attacker would be able to connect to the Trojan.
• Data-Sending Trojans: Provide attackers with passwords or other confidential data such as credit card numbers and audit sheets. Data-Sending Trojans can also install a keylogger on the victim’s system. Trojans that install keyloggers can record keystrokes and send them back to the attacker. The captured data can be sent to the attacker via e-mail, or by connecting to the attacker’s Web site by using a free Web page provider and submitting data via a Web form.
• Destructive Trojans: The sole purpose of writing this type of Trojan is to delete files on the target system. These Trojans are destructive because they can delete core system files such as .dll, .ini, or .exe files. They can be activated by the attacker or generated on the basis of a fixed time and date.
• Denial-of-Service (DoS) Attack Trojans: This type of Trojan empowers the attacker to start a distributed denial-of-service (DDoS) attack. The basic idea behind this kind of attack is that if there are more than 150 infected ADSL users on the network and the victim is attacked simultaneously by each user, it will generate heavy traffic that will eat up bandwidth, causing the victim’s access to the Internet to shut down.
• Proxy Trojans: These Trojans convert the user’s computer into a proxy server. This makes the computer accessible to the specified attacker. Generally, it is used for anonymous Telnet, ICQ, or IRC in order to purchase goods using stolen credit cards, as well as other such illegal activities. The attacker has full control over the user’s system and can also launch attacks on other systems from the affected user’s network.
• FTP Trojans: These Trojans open port 21, which is used for FTP transfers, allowing the attacker to connect to the victim’s system via FTP.
• Security Software Disabler Trojans: These Trojans are designed to disable antivirus software or firewalls. After these programs are disabled, the attacker can easily attack the victim’s system.
• ICMP Backdoor Trojans: Internet Control Message Protocol is a connectionless protocol. It is used to provide error messages to unicast addresses. The packets are encapsulated in IP datagrams. Attackers simply pass them, drop them, or return them. The Trojan packets themselves are masqueraded as common ICMP_ECHO traffic. The packets can encapsulate (tunnel) any required information.
• Reverse Connecting Trojans: These Trojans permit the attacker to bypass corporate firewalls. They make use of ports that are authorized by corporate firewalls and connect with the outside world through a victim’s computer.
(Ethical Hacking and Countermeasures, Threats and Defense Mechanisms, 2e EC-Council) 1 / 3
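The ICMP Backdoor entry above describes Trojan traffic disguised as ordinary ICMP_ECHO packets. The Python below is an added illustration of the defender’s side, not code from the book: it parses an IPv4/ICMP packet, extracts the echo payload, and compares it with the fixed filler that the stock Windows and Linux ping clients send, so anything else can be pulled out for review. The packets are constructed inline (IP and ICMP checksums are left at zero), and the tunnelled sample string is made up.

```python
import struct

# Filler that the stock Windows ping client places in every echo request (32 bytes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def is_linux_ping_payload(payload: bytes) -> bool:
    """Linux ping sends an 8-byte timestamp followed by the byte sequence 0x10, 0x11, ..."""
    if len(payload) < 16:
        return False
    filler = payload[8:]
    expected = bytes((0x10 + i) & 0xFF for i in range(len(filler)))
    return filler == expected


def parse_ipv4_icmp(packet: bytes):
    """Return (icmp_type, code, ident, seq, payload) for an IPv4 packet carrying ICMP, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:   # IP protocol number 1 = ICMP
        return None
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    return icmp_type, code, ident, seq, packet[ihl + 8:]


def classify_echo(packet: bytes) -> str:
    """Label a packet as a standard ping, another ICMP type, non-ICMP, or suspicious."""
    parsed = parse_ipv4_icmp(packet)
    if parsed is None:
        return "not-icmp"
    icmp_type, _code, _ident, _seq, payload = parsed
    if icmp_type not in (8, 0):      # only echo request (8) and echo reply (0) are in scope
        return "other-icmp"
    if payload == WINDOWS_PING_PAYLOAD:
        return "standard-windows"
    if is_linux_ping_payload(payload):
        return "standard-linux"
    # Anything else: unusual size or filler. A legitimate tool with a custom pattern
    # or size lands here too, so this is a triage signal, not a verdict.
    return "suspicious"


def build_echo(payload: bytes, icmp_type: int = 8, ident: int = 1, seq: int = 1) -> bytes:
    """Constructed test packet: IPv4 header (checksums zero) + ICMP echo header + payload."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp


def triage(packets) -> list:
    """Return (index, verdict, payload_len) for every packet that is not a standard ping."""
    findings = []
    for i, pkt in enumerate(packets):
        if classify_echo(pkt) == "suspicious":
            findings.append((i, "suspicious", len(parse_ipv4_icmp(pkt)[4])))
    return findings


# Constructed samples: two normal pings and one echo whose payload carries tunnelled data.
SAMPLE_PACKETS = [
    build_echo(WINDOWS_PING_PAYLOAD),
    build_echo(b"\x00" * 8 + bytes(range(0x10, 0x40))),   # Linux default: 8 + 48 bytes
    build_echo(b"tunnelled-data:" + b"Q" * 80),            # made-up tunnelled content
]

if __name__ == "__main__":
    for index, verdict, size in triage(SAMPLE_PACKETS):
        print(f"packet {index}: {verdict} (payload {size} bytes)")
```

Run against a capture, the same `classify_echo` call is applied per packet; in practice the “suspicious” bucket is then checked for volume and for echo replies that carry different payloads from their requests, which a normal ping never does.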
- What is a Trojan horse construction kit?
These kits help attackers construct Trojan horses of their choice. The tools in these kits can be dangerous and can backfire if not executed properly.
The following are some of the Trojan kits available:
The Trojan Horse Construction Kit v2.0: This kit consists of three EXE files: Thck-tc.exe, Thck-fp.exe, and Thck-tbc.exe. Thck-tc.exe is the actual Trojan constructor. With this command-line utility, the attacker can construct a Trojan horse. Thck-fp.exe is a file size manipulator. With this, the attacker can create files of any length, pad out files to a specific length, or even append a certain number of bytes to a file. Thck-tbc.exe will turn any COM program into a time bomb.
The Progenic Mail Trojan Construction Kit (PMT): This kit is a command-line utility that allows an attacker to create an EXE (PM.exe) to send to a victim.
Pandora’s Box: This program is designed to create Trojans.
- Describe the function of wrappers.
- How do RAT Trojans work?
- Name three methods used to detect Trojans.
Wrappers are programs used to bind Trojan executables to legitimate files. The attacker can compress any (DOS/Windows) binary with tools such as petite.exe. This tool decompresses an EXE file (once compressed) at run time. This makes it possible for a Trojan to get in virtually undetected, since most antivirus software is unable to detect the signatures in the file.
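The wrapper answer above notes that a compressed (packed) executable hides the Trojan’s signature from antivirus scanners. A common counter-check on the defender’s side, shown here as added Python that is not from the book, is byte entropy: compressed or encrypted sections sit close to 8 bits per byte, while ordinary code and data sit well below, so a high-entropy body is a reason to unpack or sandbox the file before trusting a clean signature scan. The sample buffers are constructed, and the 7.0-bit threshold is a conventional rule of thumb rather than a value from the page.

```python
import math
import random
from collections import Counter

PACKED_THRESHOLD = 7.0   # bits per byte; conventional rule of thumb, not from the page


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def windowed_entropy(data: bytes, window: int = 1024):
    """Entropy per fixed-size window, so a packed region inside a mostly plain file still shows."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_packed(data: bytes, window: int = 1024, min_fraction: float = 0.5) -> bool:
    """True when at least min_fraction of the windows sit above the threshold."""
    scores = windowed_entropy(data, window)
    if not scores:
        return False
    high = sum(1 for s in scores if s >= PACKED_THRESHOLD)
    return high / len(scores) >= min_fraction


def classify(data: bytes) -> str:
    return "likely packed/encrypted" if looks_packed(data) else "plain"


# Constructed samples (not real binaries): a text-like buffer, and a pseudo-random
# buffer standing in for the compressed body that a run-time unpacker would expand.
PLAIN_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 40
_rng = random.Random(1234)                         # fixed seed keeps the sample reproducible
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, buf in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(f"{name}: {shannon_entropy(buf):.2f} bits/byte -> {classify(buf)}")
```

Windowing matters more than the whole-file figure: a wrapper that appends a compressed payload to a legitimate program leaves the front of the file looking normal, and only the per-window scores expose the high-entropy tail.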
RAT gives attackers the means to manipulate and control a target machine from a remote location over the Internet. The attacker can make unwanted changes to the victim’s system, install advertising-related add-ons, and insert advertising-related components into the Winsock Layered Service Provider chain. The attacker can also block or redirect the victim’s preferred network connections and collect potentially sensitive data without adequate notice and consent.
The following are the steps for detecting Trojans:
1. Scan for suspicious open ports using tools such as the following:
• Netstat
• Fport
• TCPView
2. Scan for suspicious running processes using the following:
• Process Viewer
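Steps 1 and 2 above name Netstat, Fport, TCPView and Process Viewer. The Python below is an added example, not from the book, that automates the same two checks against a saved `netstat -ano` listing: it parses the listening sockets, compares each port with a baseline of ports the host is expected to expose, and names the owning process from a PID-to-name map of the kind a process viewer or `tasklist` would provide. The netstat text, the baseline, the PIDs and the process names are all constructed; the port 21 note echoes the FTP Trojan entry above.

```python
# Constructed `netstat -ano` output for a hypothetical Windows host (not real data).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       3120
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.10:49721     203.0.113.5:443        ESTABLISHED     2208
  TCP    [::]:3389              [::]:0                 LISTENING       1088
  UDP    0.0.0.0:5353           *:*                                    1540
"""

# Constructed PID -> image name map, as a process viewer or `tasklist` would report it.
PROCESS_NAMES = {4: "System", 912: "svchost.exe", 1088: "svchost.exe",
                 2208: "browser.exe", 3120: "winupdate.exe", 1540: "svchost.exe"}

# Ports this hypothetical host is documented to expose (its baseline).
BASELINE_TCP_PORTS = {135, 445, 3389}

# Ports the review text ties to specific Trojan behaviour (FTP Trojans open port 21).
NOTED_PORTS = {21: "FTP (used by FTP Trojans)"}


def parse_netstat(text: str):
    """Yield (proto, port, state, pid) for every socket line in the listing."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        # The port follows the last colon; this handles 0.0.0.0:135 and [::]:3389 alike.
        port = int(local.rsplit(":", 1)[1])
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])    # UDP lines carry no state column
        yield proto, port, state, pid


def find_unexpected_listeners(text: str, baseline, names):
    """Listening TCP sockets whose port is not in the baseline, with the owning process."""
    findings = []
    for proto, port, state, pid in parse_netstat(text):
        if proto != "TCP" or state != "LISTENING" or port in baseline:
            continue
        findings.append({
            "port": port,
            "pid": pid,
            "process": names.get(pid, "<unknown>"),
            "note": NOTED_PORTS.get(port, "not in baseline"),
        })
    return findings


def processes_with_multiple_unexpected_ports(findings):
    """PIDs owning more than one unexpected listener: one process holding several is worth a closer look."""
    counts = {}
    for f in findings:
        counts[f["pid"]] = counts.get(f["pid"], 0) + 1
    return sorted(pid for pid, n in counts.items() if n > 1)


if __name__ == "__main__":
    hits = find_unexpected_listeners(NETSTAT_OUTPUT, BASELINE_TCP_PORTS, PROCESS_NAMES)
    for h in hits:
        print(f"port {h['port']:>5}  pid {h['pid']:>5}  {h['process']:<15} {h['note']}")
    print("processes to review:", processes_with_multiple_unexpected_ports(hits))
```

The baseline is the part that does the work: without a record of which ports the host is supposed to expose, a listing from Netstat or TCPView is just a list, and the process-name step only tells you who owns a port, not whether it should be open.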