An Introduction to Remote Access Trojans
by Gavin Coe, Senior Analyst - DiamondCS
 
Remote Access Trojans ("RATs", backdoors) are detected by Port Explorer using exclusive Hidden Server Detection technology. So what exactly is a trojan, and how does it differ from a virus?

Viruses and Worms

Viruses are one of the oldest forms of malicious computer software and were very prevalent in the 80s and 90s, spreading ferociously when users unknowingly swapped infected floppy disks with each other. A virus essentially has two primary objectives - survival, and propagation. It is the goal of the virus to remain alive as long as it can, and infect as many other computers as it can during its lifetime. When the virus is detected and killed, other computers it has infected carry on performing the role of host. Most propagation is carried out when files the virus has infected are transferred by a user from one location to another (usually by floppy disk in the 80s, but usually by email these days).

A worm is a type of virus, but usually self-contained (the entire file is the worm, as opposed to a virus, which resides in a small section of a host file) and does not infect other files on the system. However, worms often create copies of themselves on a system as backups, again to increase their chances of long-term survival.

When a system becomes infected by a virus, the symptoms often appear immediately - you may be told you are infected by a message or graphic, hear odd sounds from the PC speaker, see strange visual effects on screen, and so on. Many viruses also make the system unstable if critical files are infected and then no longer run correctly (viruses often 'break' files in the process of infecting them, not always intentionally). Most viruses also carry a "payload", usually destructive code that is triggered after infection; the payload may delete files, corrupt registry settings, and so on.


Trojans

Trojans are very different from viruses and worms. Destructive trojans do exist (they may delete files or format the computer's hard drive, for example), but the most common and most powerful type of trojan is the Remote Access Trojan (RAT, or backdoor).

A Remote Access Trojan typically consists of two programs - a server that is placed on the victim's computer, and a client which sends commands to the server. When the server (a completely hidden program) is executed on the victim's machine, it starts listening for commands from the client. To do this it usually opens a TCP port (a few trojans use UDP, but this is uncommon because UDP has no delivery guarantees and is unsuited to file transfer, whereas TCP is). The client then connects to that port and issues instructions, which the server carries out. Note that not every trojan waits for an inbound connection: some connect outbound from the victim to the hacker instead, which passes through firewalls that only filter inbound traffic, so a check of a suspect system should cover established outbound connections as well as listening ports.

In the early days of remote access trojans (the mid-to-late 90s), RATs had relatively simple features, such as file transfer options (send file, receive file, send screenshot, etc.) and some "fun" functions (open/close the CD tray, adjust the volume, turn the microphone/webcam on, send keystrokes, beep, etc.). Today, trojans can do almost anything, and every couple of months a new trojan appears with a feature that has never been used before. Recent trojan advances include anti-virus/anti-trojan/firewall killing, process hiding, LAN compatibility, and SMS text message notifications to the hacker.

Many remote access trojans also come with an EditServer - a utility that lets the hacker make modifications to the trojan server, such as the filename it will use on the victim's computer, the port it will listen on, the password it will protect connections with, and so on. This 'configuration' must be saved in the trojan server executable itself - a serious weakness in the design of the trojan, because anyone with a copy of the server can recover it. DiamondCS analysts are able to extract the trojan configuration and provide trojan victims with any critical information embedded in it, such as the hacker's email address, ICQ UIN, mobile phone number, and more. To see which trojans can have information extracted from them at the DiamondCS lab, please see this page - http://www.diamondcs.com.au/web/htm/disassembly.php?service=extraction
If you have a trojan not listed on this page that you believe has a configuration built in, please send it to us and we'll extract it for you.
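The following is an added example of how an embedded configuration block of this kind can be recovered from a server binary. It is not DiamondCS's extraction tool, and the layout it assumes (a magic marker, NUL-separated fields ending in a double NUL, the whole block XOR'd with one key byte so it does not show up in a plain strings dump) is a hypothetical one chosen for illustration; every trojan family uses its own layout, but the approach of searching for the marker under each candidate key and then parsing the fields is the same.

```python
"""Pull an embedded configuration block out of a RAT server binary.

Added example, not DiamondCS code. The layout is hypothetical: a magic
marker, NUL-separated fields (filename, port, password, notify address)
terminated by a double NUL, the whole block XOR'd with a single key byte.
"""
from typing import Dict, Optional

MAGIC = b"[CFG]"                                   # hypothetical marker
FIELDS = ("filename", "port", "password", "notify")

# Constructed sample configuration, as EditServer would have written it.
SAMPLE_CONFIG: Dict[str, str] = {
    "filename": "winlogon32.exe",
    "port": "27374",
    "password": "s3cret",
    "notify": "hacker@example.invalid",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_sample_server(config: Dict[str, str], key: int) -> bytes:
    """Constructed stand-in for a trojan server .exe: padding, then the
    XOR'd config block, then more padding. Not a real executable."""
    block = MAGIC + b"\0".join(config[f].encode() for f in FIELDS) + b"\0\0"
    return b"MZ" + b"\x90" * 64 + xor_bytes(block, key) + b"\xcc" * 32


def extract_config(binary: bytes) -> Optional[Dict[str, str]]:
    """Try every single-byte key; the right key makes the marker appear.
    Returns the decoded fields plus the key, or None if nothing parses.
    (An empty field would need a length-prefixed layout; not handled.)"""
    for key in range(256):
        idx = binary.find(xor_bytes(MAGIC, key))
        if idx < 0:
            continue
        decoded = xor_bytes(binary[idx + len(MAGIC):], key)
        end = decoded.find(b"\0\0")
        if end < 0:
            continue
        parts = decoded[:end].split(b"\0")
        if len(parts) != len(FIELDS):
            continue
        config = {f: p.decode("latin-1") for f, p in zip(FIELDS, parts)}
        config["xor_key"] = f"0x{key:02x}"
        return config
    return None


if __name__ == "__main__":
    sample = build_sample_server(SAMPLE_CONFIG, 0x5A)
    print(extract_config(sample))
```

Running it against the constructed sample prints the four fields and the key 0x5a. The same scan over a block that was never configured this way returns None rather than guessing, which matters when triaging unknown samples.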


Why are trojans so dangerous?

Unlike viruses and worms, Remote Access Trojans are human controlled. After gaining access to a system, a virus or worm cannot decide what to do; at best it assesses the situation in a pre-programmed way before performing its primary functions (infection, deleting files, etc.). In contrast, a human hacker controlling a trojan can make an accurate analysis of the system before taking any action, can identify particular files of interest (such as files holding passwords or financial information), and can download them quickly. A worm/virus can only steal such information if it knows the exact filename and location; the human hacker finds it by browsing the file system.

When you become infected by a virus or worm, it is usually quite obvious - strange things happen, such as increased hard disk activity, a dramatic increase in outbound email, strange visual/audio effects, explicit messages, and so on. When you become infected by a trojan, however, it will not be obvious at all. The trojan is hidden - you won't see it on your screen anywhere, you may not even see it in the process list, and it will usually do its best to remain hidden. Generally speaking, there are three main types of hacker likely to connect to your system:
 The curious/explorative hacker - This hacker will browse around your system looking for files of interest and will usually cause no harm beyond data theft.
 The malicious hacker - This hacker gets enjoyment at the expense of you and your computer, and can be destructive, annoying, or both. The destructive type may delete files, replace existing programs with broken programs or trojans, or even attempt to format your hard drive. The annoying type may continuously open/close your CD tray, continuously print messages to your printer, send keystrokes (just as if the hacker were typing at the victim's keyboard), close/start programs, and more. They could even send email from your address.
 The thief hacker - This hacker tries to steal information from your system for illegal personal gain. These people include known criminals and organised crime syndicates, but also 'regular hackers'. They may use stolen information for identity theft, for example sending mail to people in your name or attempting to gain access to your bank accounts.

Worms/viruses rarely create backdoors into systems, but trojans do. It only takes one backdoor into a system before a hacker can proceed to upload many trojans to execute on the victims system to create many backdoors, ensuring that even if several trojans are detected and removed, some will probably still survive. This means that after you have been infected with one trojan, you cannot be certain that you haven't been infected with others.

Worms/viruses typically don't attack firewall software, but trojans often do. Trojan authors are continually looking for and finding new ways to evade firewall detection and/or terminate firewall processes, and each new technique seems more insidious than its predecessor. A firewall cannot be the only anti-trojan defence on your system; it must be backed up by a dedicated anti-trojan program.

Worms/viruses rarely spy on victims; trojans do. Key-logging trojans can capture your every keystroke, recording details such as your online banking login/password, your emails, and more, opening the way for identity theft. Trojans can turn on your microphone to record your voice, and can even turn on your webcam to capture you. Trojan data theft is an increasing problem, and it is a crime that is quite hard to trace back to the attacker.


Port Explorer vs. Remote Access Trojans

Port Explorer, although not a dedicated anti-trojan system, is designed to help in the detection of Remote Access Trojans (in fact, some technology in Port Explorer was designed for the TDS-4 anti-trojan program) in several ways:
  Hidden Server Detection technology shows all hidden servers in red, allowing for easy trojan identification
  Port-to-process mapping allows you to see which ports any given process has open
  Packet-sniffing with the Socket Spy utility allows you to see what data a process or socket is sending/receiving
  Database of known trojan ports allows you to perform quick searches to see if a particular port number is a default port of a known trojan

Hidden Server Detection technology was built for the TDS-4 anti-trojan system but is included in Port Explorer. It is a powerful trojan detection method because virtually all known trojans run as hidden servers - programs that use sockets/ports but have no visible components, such as an on-screen window. Bear in mind that many legitimate programs (Windows system services, for example) also listen on ports without showing a window, so a hidden server is a lead to examine rather than proof of a trojan on its own: check which executable owns the socket and what it is sending, and remember that a port-list match is only a hint, since the hacker can change the port.

Please see the Advanced section in the Port Explorer help manual for comprehensive information regarding Port Explorer's Hidden Server Detection technology.
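The logic behind this kind of triage, as an added example that is not Port Explorer's code: join a socket table with the set of processes that own a visible window, keep the listening sockets whose owner has no window, and rank them by whether the port is a known trojan's default. The socket table below is a constructed sample in the layout of `netstat -ano` output, and the process names and windowed PIDs are constructed too; on a live Windows machine they would come from netstat and from enumerating top-level windows.

```python
"""Hidden-server triage over a socket table.

Added example, not Port Explorer's code. A 'hidden server' here is a
listening TCP socket (or a bound UDP socket) whose owning process has no
visible window. All inputs are constructed so the logic runs offline.
"""
from typing import Dict, List, NamedTuple, Set


class Socket(NamedTuple):
    proto: str
    port: int
    state: str
    pid: int


# Constructed sample in `netstat -ano` layout (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.10:1044      203.0.113.5:80         ESTABLISHED     1900
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       2204
  TCP    0.0.0.0:3000           0.0.0.0:0              LISTENING       2500
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:31337          *:*                                    2204
"""

# Constructed process list, and the PIDs that own a visible top-level window.
PROCESS_NAMES: Dict[int, str] = {
    4: "System", 884: "svchost.exe", 1532: "winlogon32.exe",
    1900: "iexplore.exe", 2204: "patch.exe", 2500: "devserver.exe",
}
WINDOWED_PIDS: Set[int] = {1900, 2500}

# A few entries of a known-trojan port list. These are default ports only;
# the hacker can change them with EditServer, so a miss proves nothing.
KNOWN_TROJAN_PORTS: Dict[int, str] = {
    12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice",
}


def parse_netstat(text: str) -> List[Socket]:
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header line or blank
        proto = parts[0]
        port = int(parts[1].rsplit(":", 1)[1])
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:  # UDP rows carry no State column; a bound socket receives
            state, pid = "BOUND", int(parts[3])
        sockets.append(Socket(proto, port, state, pid))
    return sockets


def find_hidden_servers(sockets: List[Socket], windowed_pids: Set[int],
                        process_names: Dict[int, str],
                        trojan_ports: Dict[int, str]) -> List[dict]:
    """Listening sockets owned by windowless processes, known-trojan default
    ports first. Legitimate services are windowless too, so every hit is a
    lead to inspect (which file, what it sends), not a verdict."""
    hits = []
    for s in sockets:
        if s.state not in ("LISTENING", "BOUND") or s.pid in windowed_pids:
            continue
        hits.append({
            "pid": s.pid,
            "image": process_names.get(s.pid, "?"),
            "proto": s.proto,
            "port": s.port,
            "trojan": trojan_ports.get(s.port),
        })
    hits.sort(key=lambda h: (h["trojan"] is None, h["port"]))
    return hits


if __name__ == "__main__":
    for h in find_hidden_servers(parse_netstat(NETSTAT_SAMPLE), WINDOWED_PIDS,
                                 PROCESS_NAMES, KNOWN_TROJAN_PORTS):
        flag = f"  <-- default port of {h['trojan']}" if h["trojan"] else ""
        print(f"{h['proto']} {h['port']:<6} pid {h['pid']:<5} {h['image']}{flag}")
```

On the constructed sample the three trojan-port sockets come out on top and the two Windows services (svchost.exe on 135, System on 445) follow them: both groups are hidden servers, which is exactly why the port match and the owning executable are needed to tell them apart. The windowed devserver.exe on port 3000 and the established browser connection are not listed.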


Anti-virus vs. Remote Access Trojans

Most antivirus software will detect some trojans, usually the most popular ones. Unfortunately, these usually only detect a trojan in its originally distributed form - a real problem, because hackers usually modify and customise trojans in many ways before sending them to victims. The simplest modification is to compress the trojan with an 'executable packer' to make the file smaller (the trojan still runs exactly the same, unpacking itself in memory when launched). This changes the file contents almost completely and usually leaves the file undetected by a signature-based anti-virus scanner, unless the scanner can recognise and unpack that particular packer; packers are numerous and easily modified.
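An added example of the effect described above, written for this page rather than taken from DiamondCS or any scanner vendor: a byte signature that matches the unpacked server no longer matches once the body is compressed, while a Shannon entropy check still flags the packed file as worth a closer look. The 'server' is a constructed blob containing a fixed identifying string, and zlib compression behind a tiny fake stub stands in for a real executable packer.

```python
"""Why packing a trojan beats a byte signature, and a check that survives it.

Added example, not DiamondCS code. Constructed blob, zlib as the
'packer', and a byte pattern as the scanner's signature.
"""
import math
import random
import zlib

SIGNATURE = b"RAT-SERVER v1.0 listening"   # pattern a scanner would carry
STUB = b"MZ" + b"STUB:"                    # fake unpacker stub header


def build_sample_server() -> bytes:
    """Constructed unpacked server: code-like bytes drawn from a 16-value
    alphabet (low entropy, much like real machine code) with the signature
    string and a configuration string embedded in them."""
    rng = random.Random(1)
    alphabet = bytes(range(0x50, 0x60))
    code = bytes(rng.choice(alphabet) for _ in range(8192))
    return b"MZ" + code[:4000] + SIGNATURE + code[4000:] + b"port=27374\0"


def pack(data: bytes) -> bytes:
    """Stand-in packer: stub header followed by the compressed body."""
    return STUB + zlib.compress(data, 9)


def unpack(packed: bytes) -> bytes:
    """What the stub does at run time (or what an analyst does by hand)."""
    if not packed.startswith(STUB):
        raise ValueError("not packed with this stub")
    return zlib.decompress(packed[len(STUB):])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(data: bytes, threshold: float = 7.0) -> dict:
    """A signature scanner's view plus the entropy heuristic. Compressed
    or encrypted data sits near 8 bits/byte; plain code sits well below."""
    entropy = shannon_entropy(data)
    return {
        "signature_match": SIGNATURE in data,
        "entropy": round(entropy, 2),
        "looks_packed": entropy >= threshold,
    }


if __name__ == "__main__":
    raw = build_sample_server()
    packed = pack(raw)
    print("unpacked:", scan(raw))
    print("packed:  ", scan(packed))
    print("unpacked again:", scan(unpack(packed)))
```

The entropy threshold is a heuristic: it will also fire on legitimately packed or encrypted files, so it selects files to unpack and rescan rather than convicting them. That is the division of labour the text describes: the signature identifies a known trojan, the entropy check catches the disguise.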

The main reasons that anti-virus scanners fail to detect trojans reliably are, firstly, that the techniques used to detect viruses and worms are very different from those used to detect trojans, and secondly, that anti-virus companies give viruses priority over trojans in analysis and detection, whereas an anti-trojan scanner does the reverse.


TDS - A complete anti-trojan solution

Ever since remote access trojans were conceived in the mid-to-late 1990s, DiamondCS has produced the world's most powerful trojan detection program - TDS, designed to overcome all the ways trojans can be disguised, manipulated and modified. See here for information on TDS and a free 30-day trial of the current version: http://tds.diamondcs.com.au

TDS, along with Port Explorer and its ability to show you what is connected to your system and what is using sockets without a window, provides incredibly strong trojan detection capability - we believe it's the best in the world. Experienced TDS users should be able to detect virtually any trojan without any trouble, even if it's a new unknown trojan.

Give it a try today! http://tds.diamondcs.com.au




Copyright © 2002-2003 Diamond Computer Systems Pty. Ltd. - http://www.diamondcs.com.au
DiamondCS Port Explorer Website - http://www.diamondcs.com.au/portexplorer