Trojan horses

A Trojan horse is a computer program which carries out malicious operations without the user's knowledge. The name "Trojan horse" comes from a legend of the Trojan War (recounted in Homer's Odyssey and in Virgil's Aeneid) about the siege of the city of Troy by the Greeks. Legend has it that the Greeks, unable to penetrate the city's defences, pretended to give up the siege and instead left the city a giant wooden horse as a gift offering. The Trojans (the people of Troy) accepted this seemingly harmless gift and brought it within the city walls. However, the horse was filled with soldiers, who came out at nightfall, while the town slept, to open the city gates so that the rest of the army could enter.

Thus, a Trojan horse (in the world of computing) is a hidden program which secretly runs commands, and usually opens up access to the computer running it by installing a backdoor. For this reason it is often simply called a Trojan. Like a virus, a Trojan horse is a piece of harmful code placed within an apparently healthy program (for example a fake file-listing command, which destroys files instead of displaying the list); unlike a virus, it does not replicate itself, and relies on the user being persuaded to run it. A Trojan horse may, for example:
• steal passwords;
• copy sensitive data;
• carry out any other harmful operations;
• etc.
Worse, such a program can create an intentional security breach within your network, so as to give outside users access to protected areas on the network. The most common Trojan horses open a port on the machine, allowing their designer to gain entry to your computer over the network: this opening is called a backdoor (Back Orifice, which appears in the port list below, is the name of one well-known Trojan of this kind, not a generic term). Detecting such a program is difficult because its actions are carried out under the identity of the logged-in user, so whoever is monitoring the machine must be able to determine whether an action was initiated by the Trojan horse or by the user.
Symptoms of infection

Infection by a Trojan horse usually comes after opening a contaminated file containing the Trojan horse (see the article on protecting yourself from worms) and may be indicated by the following symptoms:
• abnormal activity by the modem, network adapter or hard drive: data is being transferred without any activity from the user;
• strange reactions from the mouse;
• programs opening unexpectedly;
• repeated crashes.

Note that a carefully written Trojan produces none of these symptoms, so their absence proves nothing.
Principle of a Trojan horse

As a Trojan horse is usually (and increasingly) intended to open a port on your machine so that a hacker can gain control of it (such as by stealing personal data stored on the hard drive), the hacker's goal is first to infect your machine by making you open an infected file containing the Trojan, and then to access your machine through the opened port. However, to be able to connect to your machine, the hacker normally has to know its IP address. So:
• either you have a fixed IP address (as with businesses, or with individuals with a cable or similar connection), in which case your IP address can easily be discovered;
• or your IP address is dynamic (reassigned each time you connect), as with modem connections, in which case the hacker must scan IP addresses at random in order to detect those which correspond to infected machines.

Many Trojans avoid this problem altogether by having the infected machine open the connection outwards to the hacker (a "reverse" connection), which also gets past a firewall that only filters incoming traffic. The port list at the end of this article concerns the classic case of a Trojan waiting for an incoming connection.
Protect yourself from Trojans

Installing a firewall (a program which filters data entering and leaving your machine) is the main protection against this kind of intrusion: a connection attempt to a port opened by a Trojan is blocked before it reaches the Trojan. It does nothing, of course, against a Trojan which only destroys local data. A personal firewall monitors both data leaving your machine (normally initiated by the programs you are using) and data entering it. Note that the firewall may report unknown outside connection attempts even if a hacker is not specifically targeting you: they may be tests carried out by your Internet service provider, or a hacker randomly scanning a range of IP addresses. For Windows systems, there are two free high-performance firewalls:
• ZoneAlarm
• Tiny Personal Firewall
In case of infection

If a program whose origins you are unsure of attempts to open a connection, the firewall will ask you to confirm it before allowing the connection. It is important not to authorise connections for a program you don't recognise, because it might very well be a Trojan horse.

If this happens repeatedly, it may be helpful to check that your computer isn't affected by a Trojan, by using a program that detects and deletes them (called an anti-Trojan). One example is The Cleaner, which can be downloaded from http://www.moosoft.com.
List of ports commonly used by Trojans

Trojan horses commonly open a port on the infected machine and wait for a connection on that port, so that hackers will be able to gain total control over the computer. Here is a (non-exhaustive) list of the most common ports used by Trojan horses (source: Site de Rico). Ports are TCP unless marked (UDP). The list is a hint, not proof: a Trojan can be configured to use any port, and a legitimate program may happen to use one of these (many of them fall in the range Windows hands out to ordinary outgoing connections), so a port in this list is only worth worrying about when something is actually listening on it.

port 21: Back Construction, Blade Runner, Doly, Fore, FTP trojan, Invisible FTP, Larva, WebEx, WinCrash
port 23: TTS (Tiny Telnet Server)
port 25: Ajan, Antigen, Email Password Sender, Happy99, Kuang 2, ProMail trojan, Shtrilitz, Stealth, Tapiras, Terminator, WinPC, WinSpy
port 31: Agent 31, Hackers Paradise, Masters Paradise
port 41: Deep Throat
port 59: DMSetup
port 79: FireHotcker
port 80: Executor, RingZero
port 99: Hidden port
port 110: ProMail trojan
port 113: Kazimas
port 119: Happy 99
port 121: JammerKillah
port 421: TCP Wrappers
port 456: Hackers Paradise
port 531: Rasmin
port 555: Ini-Killer, NetAdmin, Phase Zero, Stealth Spy
port 666: Attack FTP, Back Construction, Cain & Abel, Satanz Backdoor, ServeU, Shadow Phyre
port 911: Dark Shadow
port 999: Deep Throat, WinSatan
port 1002: Silencer, WebEx
port 1010 to 1015: Doly trojan
port 1024: NetSpy
port 1042: Bla
port 1045: Rasmin
port 1090: Xtreme
port 1170: Psyber Stream Server, Streaming Audio Trojan, voice
port 1234: Ultor trojan, Ultors Trojan
port 1243: BackDoor-G, SubSeven, SubSeven Apocalypse
port 1245: VooDoo Doll
port 1269: Mavericks Matrix
port 1349 (UDP): BO DLL
port 1492: FTP99CMP
port 1509: Psyber Streaming Server
port 1600: Shivka-Burka
port 1807: SpySender
port 1981: Shockrave
port 1999: BackDoor, TransScout
port 2000: TransScout
port 2001: TransScout, Trojan Cow
port 2002: TransScout
port 2003: TransScout
port 2004: TransScout
port 2005: TransScout
port 2023: Ripper
port 2115: Bugs
port 2140: Deep Throat, The Invasor
port 2155: Illusion Mailer
port 2283: HVL Rat5
port 2565: Striker
port 2583: WinCrash
port 2600: Digital RootBeer
port 2801: Phineas Phucker
port 2989 (UDP): RAT
port 3024: WinCrash
port 3128: RingZero
port 3129: Masters Paradise
port 3150: Deep Throat, The Invasor
port 3459: Eclipse 2000
port 3700: Portal of Doom
port 3791: Eclypse
port 3801 (UDP): Eclypse
port 4092: WinCrash
port 4321: BoBo
port 4567: File Nail
port 4590: ICQTrojan
port 5000: Bubbel, Back Door Setup, Sockets de Troie
port 5001: Back Door Setup, Sockets de Troie
port 5011: One of the Last Trojans (OOTLT)
port 5031: NetMetro
port 5321: FireHotcker
port 5400: Blade Runner, Back Construction
port 5401: Blade Runner, Back Construction
port 5402: Blade Runner, Back Construction
port 5550: Xtcp
port 5512: Illusion Mailer
port 5555: ServeMe
port 5556: BO Facil
port 5557: BO Facil
port 5569: Robo-Hack
port 5742: WinCrash
port 6400: The Thing
port 6669: Vampyre
port 6670: Deep Throat
port 6771: Deep Throat
port 6776: BackDoor-G, SubSeven
port 6912: Shit Heep (not port 69123!)
port 6939: Indoctrination
port 6969: GateCrasher, Priority, IRC 3
port 6970: GateCrasher
port 7000: Remote Grab, Kazimas
port 7300: NetMonitor
port 7301: NetMonitor
port 7306: NetMonitor
port 7307: NetMonitor
port 7308: NetMonitor
port 7789: Back Door Setup, ICKiller
port 8080: RingZero
port 9400: InCommand
port 9872: Portal of Doom
port 9873: Portal of Doom
port 9874: Portal of Doom
port 9875: Portal of Doom
port 9876: Cyber Attacker
port 9878: TransScout
port 9989: iNi-Killer
port 10067 (UDP): Portal of Doom
port 10101: BrainSpy
port 10167 (UDP): Portal of Doom
port 10520: Acid Shivers
port 10607: Coma
port 11000: Senna Spy
port 11223: Progenic trojan
port 12076: Gjamer
port 12223: Hack'99 KeyLogger
port 12345: GabanBus, NetBus, Pie Bill Gates, X-bill
port 12346: GabanBus, NetBus, X-bill
port 12361: Whack-a-mole
port 12362: Whack-a-mole
port 12631: WhackJob
port 13000: Senna Spy
port 16969: Priority
port 17300: Kuang2 The Virus
port 20000: Millennium
port 20001: Millennium
port 20034: NetBus 2 Pro
port 20203: Logged
port 21544: GirlFriend
port 22222: Prosiak
port 23456: Evil FTP, Ugly FTP, Whack Job
port 23476: Donald Dick
port 23477: Donald Dick
port 26274 (UDP): Delta Source
port 27374: SubSeven 2.0
port 29891 (UDP): The Unexplained
port 30029: AOL trojan
port 30100: NetSphere
port 30101: NetSphere
port 30102: NetSphere
port 30303: Sockets de Troie
port 30999: Kuang2
port 31336: Bo Whack
port 31337: Baron Night, BO client, BO2, Bo Facil
port 31337 (UDP): BackFire, Back Orifice, DeepBO
port 31338: NetSpy DK
port 31338 (UDP): Back Orifice, DeepBO
port 31339: NetSpy DK
port 31666: Bo Whack
port 31785: Hack'a'Tack
port 31787: Hack'a'Tack
port 31788: Hack'a'Tack
port 31789 (UDP): Hack'a'Tack
port 31791 (UDP): Hack'a'Tack
port 31792: Hack'a'Tack
port 33333: Prosiak
port 33911: Spirit 2001a
port 34324: BigGluck, TN
port 40412: The Spy
port 40421: Agent 40421, Masters Paradise
port 40422: Masters Paradise
port 40423: Masters Paradise
port 40426: Masters Paradise
port 47262 (UDP): Delta Source
port 50505: Sockets de Troie
port 50766: Fore, Schwindler
port 53001: Remote Windows Shutdown
port 54320: Back Orifice 2000
port 54321: School Bus
port 54321 (UDP): Back Orifice 2000
port 60000: Deep Throat
port 61466: Telecommando
port 65000: Devil
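The practical use of a port list like this one is to compare it against what is actually listening on your own machine. The Python script below is an added example, not code from the original article or from the Site de Rico list: it parses the text printed by netstat -an (the Windows column layout is assumed), keeps only the sockets that are waiting for incoming connections, and matches them against a small subset of the table above. The netstat lines it runs on are constructed sample input, not output captured from a real machine.

```python
"""Flag listening sockets on ports historically used by Trojan horses.

Added example for the port list above, not the article's own code.  It
reads the text output of `netstat -an` (Windows column layout assumed),
keeps every socket that is waiting for inbound connections, and looks it
up in a subset of the article's port table.  The sample netstat output at
the bottom is constructed, not captured from a real machine.
"""
import re
from dataclasses import dataclass

# Subset of the article's table: (port, protocol) -> Trojans known to use it.
# Unmarked ports in the article are TCP; "(UDP)" rows become "udp" here.
TROJAN_PORTS = {
    (1243, "tcp"): "BackDoor-G, SubSeven, SubSeven Apocalypse",
    (6776, "tcp"): "BackDoor-G, SubSeven",
    (12345, "tcp"): "GabanBus, NetBus, Pie Bill Gates, X-bill",
    (12346, "tcp"): "GabanBus, NetBus, X-bill",
    (21544, "tcp"): "GirlFriend",
    (27374, "tcp"): "SubSeven 2.0",
    (31337, "tcp"): "Baron Night, BO client, BO2, Bo Facil",
    (31337, "udp"): "BackFire, Back Orifice, DeepBO",
    (54320, "tcp"): "Back Orifice 2000",
    (54321, "udp"): "Back Orifice 2000",
}

# One `netstat -an` row: proto, local address:port, foreign address, [state].
# UDP rows have no state column, hence the optional last group.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Socket:
    proto: str       # "tcp" or "udp"
    local_addr: str  # "0.0.0.0" means bound on every interface
    port: int
    state: str       # TCP state such as LISTENING; empty for UDP


def parse_netstat(text: str) -> list[Socket]:
    """Turn netstat -an output into Socket records, skipping banner and headers."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m is None:
            continue  # "Active Connections", column headers, blank lines
        proto, addr, port, state = m.groups()
        sockets.append(Socket(proto.lower(), addr, int(port), state or ""))
    return sockets


def waiting_for_connections(sock: Socket) -> bool:
    """A backdoor is a socket waiting for the attacker: a LISTENING TCP
    socket, or any bound UDP socket (UDP has no connection state)."""
    return sock.state == "LISTENING" if sock.proto == "tcp" else True


def suspicious_listeners(sockets: list[Socket]) -> list[tuple[int, str, str]]:
    """(port, proto, trojan names) for each waiting socket on a known Trojan port.

    Only waiting sockets count: an ESTABLISHED outbound connection whose
    local port happens to be 1243 is an ordinary program using an
    ephemeral port, not SubSeven, and must not be reported.
    """
    hits = []
    for s in sockets:
        if not waiting_for_connections(s):
            continue
        names = TROJAN_PORTS.get((s.port, s.proto))
        if names is not None:
            hits.append((s.port, s.proto, names))
    return sorted(hits)


# Constructed sample, in the layout printed by `netstat -an` on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1243       203.0.113.7:80         ESTABLISHED
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""


if __name__ == "__main__":
    for port, proto, names in suspicious_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{proto}/{port} is open: commonly used by {names}")
```

On the sample input the script reports tcp/12345 (NetBus), tcp/27374 (SubSeven 2.0) and udp/31337 (Back Orifice), and stays silent about the outbound connection on local port 1243, which is exactly the false positive a naive port match would raise. A hit still only means "something is listening on a port a Trojan has used": identify the owning process before deleting anything, and remember that a Trojan configured to use port 80 or a reverse connection will never show up here.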