May 31, 2016


Contact Us:
flynngn@jmu.edu
540.568.2364

 

This page is no longer maintained and is preserved for archival reference purposes only.

 

Remote Control Trojan Horse Software


Problem Description

There are several programs going around that make any virus you have seen to date seem like harmless child's play. These programs will allow anyone on the Internet to remotely control your computer. They can collect all your passwords, access all your accounts including Email and PeopleSoft, read and modify all your documents, publish your hard drive so it's shared across the Internet, record your keystrokes, look at your screen, and listen to your conversations on your computer's microphone. You'll never know it's happening.

Consider for a moment the implications of someone controlling your computer. They would have access to any account you access from your computer. If you access your employer's systems, they could use those accounts to perform fraudulent transactions. They could perform online stock or banking transactions with your personal accounts. They could read your email and send email in your name. They could use your computer as a stepping stone to another computer, in which case you may get blamed. The victims of any abuse performed by the controller of your computer would only see your computer's network address. You may even be sitting in front of the keyboard when the computer is used in some crime. This would make it very difficult for you to prove your innocence, particularly if the actual perpetrator erased the evidence of their presence after performing the crime.

With these types of programs and the growing use of electronic banking and other critical functions on our desktops, Donn Parker's "automated crime" is just a short step away. They've already been used to spread distributed denial of service tools similar to those responsible for the early February 2000 disruption of major Internet sites.

The programs have been disguised as games, pictures, screen savers, holiday greetings, and other files. The three most popular are probably Netbus, Back Orifice, and SubSeven. However, there are hundreds more. We'll refer to all of them here as Remote Control Trojan Horse (RCTH) Programs. They can be used by anyone more sophisticated than a precocious ten year old to compromise your computer.

The good news is that YOU must run the programs in order for them to be installed. The bad news is that you may not know when you're running them because you have no way of determining what a program does before you run it. In addition, they are sometimes attached to "good" programs and install themselves in the background while you're running the good program. That neat screen saver you just received from a friend may have enabled persons unknown to you to control both your computers and access all your accounts. And as it's passed around and installed, it lets the author know each time a new machine is compromised and available. Nefarious, eh?

There have been several instances of these programs found on campus computers; particularly on CampusNet machines. Common methods of receipt are via ICQ, IM, or email. Someone tells you they have a neat program or picture and sends it to you. When you open it, it may indeed have a neat program or picture. What you don't know is that it is simultaneously and silently installing a remote control Trojan horse program. Distribution can be by any means: ftp, web browser file download, email exe attachment, etc.

The vast majority of compromises can be prevented simply by regularly updating your anti-virus tools. Here at JMU, that means the Norton Antivirus and BOClean products available from the JMU Computing Support download page.

The only sure way of preventing infection is to refuse to run unknown programs because anti-virus and similar tools can only detect programs they have been told are harmful. New ones go undetected. The important point to keep in mind is that when you run any program, you're giving your computer to the person who wrote that program. What do you know about that person? How much would you trust them with your computer?

At this time, all known programs only run on the Windows platform. HOWEVER, there is nothing preventing someone from writing similar programs for Macintosh or Unix platforms. A proof-of-concept Macintosh version of a remotely controlled keystroke logger was recently shown at a security seminar. Ergo, the cautions about running unknown programs apply to operators of non-Windows platforms, too.

Problem Prevention

The only sure solution is to refuse to run unknown programs (and update our computers so others can't do it without our help). Unfortunately, abstinence isn't always practical or desirable. I'll describe some protective tools you can use but keep in mind that none of them are completely effective. As newer, more sophisticated and deviant versions of the RCTH programs are released, these measures will become less and less effective. For that matter, a hostile program that succeeds in executing, may simply reconfigure or disable a protective program. As you'll read later on this page, detection and removal are not simple operations and the more infections we can prevent, the better. The following prevention measures are listed in order of effectiveness:

  • Don't run the programs, which means don't run any unknown programs. Be very careful of email attachments, particularly .exe files and documents with macros.
  • Run a program that firewalls your PC. I looked at McAfee Firewall (then called Conseal Private Desktop) in 1999 and ZoneAlarm lately and hope that as these and similar products mature we can provide one to the JMU population the way we do anti-virus software. Although their theoretical effectiveness is high, general usage mistakes may subvert that effectiveness. Also, alerts going to the desktop operator may cause either unnecessary concern or a cavalier attitude. However, they have two major advantages. First, they will protect against both known and unknown RCTH programs. All other tools require the vendor of the tool to update their product when a new RCTH program is discovered. This means that this type of program is the only effective tool for custom RCTH programs. The second advantage of firewalling software is that it provides secondary advantages unrelated to RCTH programs. These advantages are derived from the products' firewalling capabilities and generally act to increase access controls thereby providing extra protection against remote cracking and denial of service attempts. Keep in mind, though, that they don't remove the trojan...they only prevent it from communicating.
  • Run an up-to-date virus detector. You should check for updates at least once a month. The new campus installation of Norton Anti-Virus will perform automatic updates. Norton and other traditional AV products will not protect you unless you elect to run the piece that runs in the background and checks all files as they're read. That would be File System Realtime Protection for Norton, WinGuard for Dr. Solomon, VShield for McAfee, or the equivalent for other products. If you install the campus provided Norton Anti-Virus package and select all the default buttons, File System Realtime Protection will be installed to protect you. Installing or updating any of these virus protection programs after you're infected may result in a failure to remove the infection unless you enable the background protection and reboot. In my own tests last year, traditional AV products were not even close to the effectiveness or ease of use of BOClean and other dedicated anti-trojan tools but they now cover the most popular programs. Two online comparisons are at the Tauscan and Netsplit sites.

Problem Detection and Removal

RCTH Program Operation

Before outlining detection and removal procedures, I want to discuss the operation of the RCTH programs. I'm a firm believer that to solve a problem you must first understand it. More importantly, there is no absolute solution to these programs and definitely no "tell me what keys to press" solution. A good understanding of how the RCTH programs work and how they can hide is the best weapon.

There are now hundreds of this type of program. They all consist of two parts...a server that runs on your computer, and a client that runs on the controlling computer (shown below). They are all freely available on the Internet. The server silently opens up a virtual network port and listens for requests from clients. People running the clients can connect to the server from anywhere on the Internet and control your computer almost like they were sitting in front of it. In fact, some things are easier using these programs than they would be using your keyboard. For example, the program automatically decrypts passwords used to protect Microsoft shared directories.  They can also scan a range of addresses looking for listening servers so once you're infected, anyone can find you.

[Figure: Netbus and Back Orifice RCTH clients.]

The server program can be named anything so you can't simply look for a list of names.

Detection

1. Install and run BOClean. The manual procedures below are for people who, for some reason, don't have access to BOClean.

There are four ways to detect RCTH programs:

1. Check the fingerprint of files for a match against a "Trojan database".

2. Check the fingerprint of running processes for a match against a "Trojan database".

3. Check for programs that are automatically started when you boot your computer.

4. Check for open virtual network ports.

Each has limitations and advantages. Many tools use a mixture of the methods.

The first two methods are traditional virus checking methods. They depend upon a database of code fragments or patterns that uniquely identify each of the suspect programs or behavior analysis that leads a file to be suspect. Of course, the database has to be constantly updated to keep up with new programs. The file check method can be time consuming because it has to check every file. However, most virus tools now do this only once when they're installed and then only in the background when a file is read. The process check only examines running programs so it can be quicker. Note that if the writer of the RCTH program obfuscated the fingerprint using compression, encryption, overlays, or some other method, the fingerprint may not be recognizable to the tool as a RCTH program. This possibility and the lag time associated with updating tools to detect new programs' fingerprints necessitates multiple checks using each of the detection methods. Keep in mind that "fingerprint tools" only work if they know the fingerprint. The fingerprint protection tools can find the highly publicized or otherwise discovered programs because they know about them. On the other hand, if someone wanted to target an individual or organization, had the ability to write their own program, and kept quiet about it, traditional fingerprint tools like virus checkers would never find it.

All the presently identified RCTH programs automatically restart when you boot your computer. To do this they have an entry in the registry, the win.ini file, the system.ini file, the autoexec.bat file, the startup folder or similar places. Of course, lots of other programs automatically start up when you boot so the challenge is identifying the ones that aren't supposed to be there. Since the RCTH programs can be renamed, this is not a small challenge. If the programs were installed with their default names, they are easy to spot. If they've been renamed, we have to verify that the file is actually something we want started. Sometimes there is no way to do this except to remove the entry and see what breaks. StartupCop is an easy to use tool that allows you to enable and disable the various startup items as you're investigating.

All the presently identified RCTH programs open a virtual network port to communicate. Every TCP/IP based system has a set of 131,070 ports it can use to communicate with other computers. Some ports are dedicated to particular uses. For example, port 80 is used by a web server, port 25 by a mail server, and ports 137-139 are used by Microsoft file sharing services. Each of the RCTH programs also has default ports on which it listens for connections by other machines. If we find one of these default ports active, we're almost guaranteed that we've detected an infection. On the other hand, these programs allow the interloper to change the default port. In that case, we have to verify that any open port has been opened by a program that we authorized to run. Two tools to perform this task are Foundstone's FPort (free) and Winternals' TCPViewPro (fee). Finally, some desktop firewalls will tell you what programs are opening what ports. Without such a tool, it becomes a matter of stopping services to see what ports close. Another problem occurs when the RCTH program doesn't hold the port open continuously. At least one program sits silently until it has some data to send (your passwords), opens a port, sends data, and closes the port.

As you can see there are ways around every detection method. That is why the only 100% effective solution to this problem is not to get infected in the first place. Of course, that is not too realistic unless we refuse to run any programs because there is always a chance, however slight, one of these RCTH programs might get by a big vendor. Besides, there are many, many useful programs written by shareware and freeware authors that would be a shame to ignore. However, the need for care has been exponentially increased due to these RCTH programs.

Another option is the age-old Unix (and other host) system administration trick of fingerprinting your critical files and checking them for modifications once in a while using something like Tripwire. The practicalities of doing something like this across a diverse collection of "personal computers" are, well, daunting to say the least. These are the type of things system administrators do on "non-personal computers". Unfortunately, very little thought is usually given to administration of "personal computers". The marketers wouldn't be able to say "just pull it out of the box and plug it in". The truth is that they're every bit as vulnerable as larger computers and maybe more so.

Tools

1. Install and run BOClean. The alternate tools below are for people who, for some reason, don't have access to BOClean.

Running Norton Anti-Virus will detect some of the RCTH programs by their fingerprints. 

Two products with downloadable evaluation versions that are effective across a range of Trojans are "The Cleaner" which works by examining file fingerprints and ZoneAlarm which works by blocking virtual port access to unknown applications. Stay away from BOSniffer. It claims to be a Back Orifice removal tool but it actually installs it. How can you be 100% sure some other program doesn't do the same thing? You can't. Pathetic state of affairs, eh?

Desktop firewalls, such as Private Desktop and ZoneAlarm, are particularly interesting because they would stop all RCTH programs whether they're known or not. They can do this because they're not looking for particular trojans...only for unauthorized communications. All the other tools require the maker of the tool to be aware of the trojan and update their detection algorithm or fingerprint. Desktop firewalls ask the operator if they want to allow any previously unseen types of communications when an application tries to use the network. Hence, the operator would probably allow netscape.exe or iexplore.exe to go ahead and use the network but not allow patch.exe or some other unfamiliar file name. It may get a little trickier if the trojan was named iexplorer.exe or email.exe though. Once again, it would be up to the operator to properly control access to their computer. Also keep in mind that desktop firewalls don't remove an RCTH, which means if the computer is ever started without starting the firewall, the RCTH will be active. And it should go without saying that if any malware targets any desktop resident protective software, all bets are off.

Often the client (controlling) portion of the RCTH programs contains a scanner that helps the interloper locate infected machines. Using the clients to find out if you're infected is not recommended due to the source of the programs.

Some web sites will offer to scan your computer to see if one of these programs is running. These sites may not work for JMU computers and may tell you you're not infected even if you are.

If you don't have BOClean installed, I'm going to recommend a manual method to use in addition to any other tool that you use. This is not an operator-friendly, push-a-button method but it's the only one I trust right now. First, we'll look at the places where these programs are started up. Then we'll look for the virtual network ports that they use to communicate. As you'll recall, these are two of the four methods to detect these programs. The other two, fingerprint checks, aren't feasible to do manually and we'll have to depend upon continually updated virus detector software and similar tools for these functions.

Steps 1a and 2a will quickly detect the presently most popular programs in their default installation configuration.

1. Check for programs that are automatically run when you start your computer.

  1. Look in the registry for entries that start programs.
  2. If you're running Windows NT, look in the Services Control Panel for automatically started services.
  3. Look in autoexec.bat for entries that start programs.
  4. Look in win.ini for "run=" entries that start programs.
  5. Look in the system.ini file for entries that start programs.
  6. Look in the startup folder for entries that start programs.
  7. Check other places commonly used to start trojans. A list of these is available here.
  8. You can use a tool such as StartupCop to help in this process.

2. Check for open virtual ports

  1. Use netstat to see what network ports your computer is communicating on. If you have access to Winternals TCPViewPro, use that instead. It has the advantage of telling you what program is talking on each port...something netstat doesn't do in the Windows world. Recently, Foundstone released a similar tool called FPort that is free.

3. Verify all entries and open ports

Removal

1. Install and run BOClean. The manual procedures below are for people who, for some reason, don't have access to BOClean.

Again, if you don't have access to BOClean for automatic removal, I'm going to recommend a less friendly, manual procedure. I'd highly recommend this procedure to double-check the effectiveness of any automated program removal that you may have access to.

1. Remove the entries that automatically start the programs.

2. Reboot.

3. Remove the files associated with the programs.

4. Repeat the detection procedures to ensure that the Trojan is removed and that there are no others.

5. Cleanup

Cleanup

Change all passwords on resources accessed from the infected machine and all passwords stored on the machine including passwords for Microsoft file sharing. Everyone who used the machine must change any passwords they typed on the machine. For example, their email, network, and PeopleSoft passwords.

Additional action may be warranted depending upon the type of information accessible on your machine and available to operator IDs used on your machine. You must consider the fact that all information may have been compromised. If you have privileged access to other systems used from the computer, those systems too will need to be examined to determine the level of compromise. You should notify the administrators of those machines of the possible breach. In some cases, it may be necessary to completely erase everything on the computer and rebuild it from scratch.

If the interloper used the keystroke-logging feature, there will be at least one text file somewhere on the computer containing those keystrokes. If multiple people use the computer, this may inappropriately compromise information. Even if one person uses it, it is not a good idea to leave that text file(s) lying around since it may contain passwords or other sensitive data. The Back Orifice key log files contain the string "->["" (without outer quotes) at the beginning of the lines containing the name of the application to which the captured keys pertain. So you could use the file finder to look for files containing that string to help locate the log file if Back Orifice was the RCTH program you found.

 


 

Registry Examination

You can use a tool such as StartupCop to help in this process.

Currently, almost all the RCTH programs use the registry to autostart during boot. To examine the registry, use the 'regedit' tool. You must be careful while editing the registry as it is used to control the internal operations of your computer. Accidentally deleting or modifying entries may result in an inoperative machine.

Step 1: Start -> Run

Step 2: Type 'regedit'. Click OK. You are now running the Microsoft Registry Editor.

[Figure: regedit when it starts.]

Step 3: There is an explorer-like operator interface on the left hand side of the screen. You will traverse down through the tree. Click the following selections in order:

HKEY_LOCAL_MACHINE

SOFTWARE

Microsoft

Windows

CurrentVersion

Now you'll check each of the keys beginning with "Run", sequentially examining them as described below. For the "Quick Check", Run and RunServices are the default locations for the most popular programs.

In each of the Run* entries, files that are on the right side of the screen are started when you start your computer. If patch.exe or " .exe" (space dot exe) are listed in the "data" column, make note of the path name if it exists, right-click on the associated item in the "name" column, and select "delete". These are the default names of the Netbus and Back Orifice RCTH programs respectively. They are typically located in the \windows or \windows\system directory. Deleting the entry will prevent the program from starting when you reboot so you can delete the associated file.  In the example below, the Netbus RCTH program is indicated by the presence of the patch.exe entry. If you're performing the Quick Check, please return now and reread the entire page.

The patch.exe and " .exe" names are the default file names for old versions of Netbus and Back Orifice and can be changed. You should verify that each entry in the Run* keys belongs there in case the default name was changed or you have a RCTH other than Back Orifice or Netbus. Do this for all the entries in each of the keys beginning with "Run" (i.e. RunOnce, RunServices, etc.). A cautious system administrator of a critical or multi-operator machine would probably fingerprint these files and check them periodically as part of normal system monitoring to assure they're the original files.

You can use the Start -> Find -> Files or Folders utility if you have problems locating the files specified in the registry. After you delete the file, be sure to empty the Recycle Bin.

Note that the default filename used by Back Orifice is " .exe". Explorer’s default configuration is to show file names without their extensions. In this mode, you will not see anything except a blank space in a file list. In addition, the program has no icon, so it will not show up in explorer’s icon view except as a blank space. Other RCTH programs may be similarly hidden.

[Figure: regedit on a machine infected with Netbus.]
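
The Run* check described above, as an added example that is not part of the original page: a Python script that reads a regedit export (REGEDIT4 text format), lists every entry under the keys beginning with "Run", flags the two default file names given on this page, and marks everything else as verified or still to be verified. The sample export, the entry names in it and the VERIFIED baseline are constructed assumptions.

```python
"""Audit autostart entries in a regedit export (added example, not the page's code)."""
import re

# Default server file names given on this page; both can be renamed by the interloper.
DEFAULT_NAMES = {"patch.exe": "Netbus", " .exe": "Back Orifice"}

# Assumption: (key, value name, program) entries this operator has already verified.
VERIFIED = {("Run", "SystemTray", "systray.exe")}

# Constructed sample of a REGEDIT4 export; backslashes are doubled in this format.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"PATCH"="C:\\WINDOWS\\patch.exe /nomsg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
@=" .exe"
"Updater"="C:\\WINDOWS\\SYSTEM\\msupd32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"UninstallString"="C:\\WINDOWS\\uninst.exe"
'''

# Only keys directly under CurrentVersion whose name begins with "Run".
RUN_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run\w*)\]$",
    re.IGNORECASE)
# "name"="data" or @="data" (the key's default value); string values only.
VALUE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def unescape(text):
    """Undo the export's backslash escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", text)


def autostart_entries(reg_text):
    """Return (key, value name, command) for every string value in a Run* key."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.rstrip()
        if line.startswith("["):
            m = RUN_KEY.match(line)
            key = m.group(1) if m else None   # ignore values of unrelated keys
            continue
        m = VALUE.match(line) if key else None
        if m:
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(2))
            entries.append((key, name, unescape(m.group(3))))
    return entries


def program_name(command):
    """File name the entry launches, without directory or arguments, lower-cased.

    Leading spaces are kept on purpose: " .exe" must stay distinguishable.
    """
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        m = re.match(r".*?\.exe\b", command, re.IGNORECASE)
        path = m.group(0) if m else command
    return path.rsplit("\\", 1)[-1].lower()


def audit(reg_text, verified=VERIFIED):
    """Classify each autostart entry; nothing is treated as safe by default."""
    findings = []
    for key, name, command in autostart_entries(reg_text):
        prog = program_name(command)
        if prog in DEFAULT_NAMES:
            verdict = "default name of " + DEFAULT_NAMES[prog]
        elif not prog.rsplit(".", 1)[0].strip():
            verdict = "blank file name, hidden in Explorer"
        elif (key, name, prog) in verified:
            verdict = "verified"
        else:
            verdict = "verify manually"
        findings.append((key, name, prog, verdict))
    return findings


if __name__ == "__main__":
    for key, name, prog, verdict in audit(SAMPLE_EXPORT):
        print(f"{key:12} {name:12} {prog!r:16} {verdict}")
```

An entry reported as "verify manually" is not a detection; it is the list of files whose origin still has to be confirmed, since a renamed server looks like any other entry.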

 

 


 

Virtual Port Examination

We will use the DOS utility netstat to check for open ports. If you're using Windows NT4 or Windows 98 you can proceed to the checks below. Unfortunately, the original TCP stack that comes with Windows 95 doesn't produce accurate reports. It will tell you your computer isn't vulnerable when it actually is. To fix this problem, upgrade your Windows 95 TCP/IP stack by downloading and running the Microsoft Winsock2 patch before performing the rest of this procedure. This has been a rather simple and painless upgrade for everyone I've talked to. It may also increase your network performance and reliability.

The Microsoft Dial-up patch 1.3 also installs winsock2 but it is more complicated to install.

If you have access to Winternals TCPViewPro, use that instead. It has the advantage of telling you what program is talking on each port...something netstat doesn't do in the Windows world. Recently, Foundstone released a similar tool called FPort that is free.

1. Open an MSDOS window.

2. Close all other programs.

3. Type netstat -an

[Figure: a typical netstat display.]

 

4. Examine the second column after the colon. In the listing above, the item of interest in the first line is "80" and in the second line is "135". These are the virtual port numbers by which programs communicate with the outside world. Other computers which want to communicate with your machine must use your IP address plus one of these virtual ports to form the equivalent of a telephone number to find you. In the example above, a personal web server is listening on port 80.

5. If you see the numbers '12345' or '31337', you almost definitely have one of the programs installed (Netbus and Back Orifice respectively). The Netbus port is active below.

[Figure: a netstat display on a machine infected with Netbus.]

 

6. The list above has many additional ports open, which makes it confusing. Most of these ports were caused by having a web and email browser open. To decrease the number of ports you need to examine, it's best to run netstat right after a reboot and before any other applications are started. Many Windows 95/98 machines will only have ports 137, 138, and 139 active for Microsoft file sharing use. If you don't use Microsoft file sharing, turn it off in the network control panel so you don't have those ports open. You can also delete the netbios protocol in the same place. Otherwise, you have to ensure that all open ports are supposed to be open, which requires a familiarity with network protocols and services. Generally, you'll find that these ports are opened by programs that are automatically started in the registry. So the process of validating registry entries is related to the process of validating ports. Sometimes it just boils down to removing registry entries (after copying the information for restoration if needed) and seeing what breaks and what ports no longer open. It's a tedious process.

One helpful hint. If you telnet to a port on which Netbus is listening, it will answer "Netbus v1.x" depending upon the version.
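
The port check from steps 3 to 6, as an added example that is not part of the original page: a Python script that reads netstat -an output, flags the two default ports named above, and separates the remaining listening ports into verified and unverified. The sample output, its addresses and the VERIFIED_PORTS baseline are constructed assumptions.

```python
"""Triage `netstat -an` output for listening ports (added example, not the page's code)."""
import re

# Default ports named on this page; both can be changed by the interloper.
RCTH_DEFAULT_PORTS = {12345: "Netbus", 31337: "Back Orifice"}

# Assumption: ports the operator has already verified on this machine.
# Here: Microsoft file sharing (137-139), as described on this page.
VERIFIED_PORTS = {137, 138, 139}

# Constructed sample in the Windows netstat -an layout (documentation addresses).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1025        192.0.2.20:80          ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
"""

# Proto, local address:port, foreign address, optional state (UDP rows have none).
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_sockets(netstat_text):
    """Return sorted, de-duplicated (proto, local port) pairs that accept traffic."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # banner, column header, blank line
        proto, _addr, port, _foreign, state = m.groups()
        # A TCP listener is marked LISTENING; a bound UDP port has no state
        # column and can receive datagrams from anyone, so count every UDP row.
        if proto == "UDP" or state == "LISTENING":
            found.add((proto, int(port)))
    return sorted(found)


def triage(netstat_text, verified=VERIFIED_PORTS):
    """Split listening ports into RCTH defaults, verified and unverified."""
    report = {"rcth_default": [], "verified": [], "unverified": []}
    for proto, port in listening_sockets(netstat_text):
        if port in RCTH_DEFAULT_PORTS:
            report["rcth_default"].append((proto, port, RCTH_DEFAULT_PORTS[port]))
        elif port in verified:
            report["verified"].append((proto, port))
        else:
            # Not a detection: a port whose owning program must still be identified.
            report["unverified"].append((proto, port))
    return report


if __name__ == "__main__":
    for category, rows in triage(SAMPLE).items():
        print(category, rows)
```

An empty rcth_default list only covers ports open at the moment netstat ran; as noted above, the default port can be changed and a program that opens a port briefly to send data will not appear.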

Resources for default port assignments:

Norton Anti-Virus Procedures

A Norton or Dr. Solomon manual scan WILL NOT stop a running trojan or remove the associated file even if it says it deleted the file.  The trojan will continue to run and you'll continue to be exposed. If the File System RealTime protection feature is enabled, which it will be if you follow the default installation instructions below, the trojan should be detected and deleted during a reboot. 

If an RCTH program is found, clean the machine based on its contents.

Norton AntiVirus installation and usage instructions. 


 

Conclusion

I do not want to be an alarmist but it is evident that there will soon be some very sophisticated ways to hide this type of program. If you value your privacy, your computer data, and your reputation, it is imperative to refuse to run unknown executable programs.

It is unfortunate that the publishing of these easily used and abused programs has made our computing environment less friendly to sharing and open communication. However, if the programs hadn't been publicized, sneakier people could have used similar tactics without warning.

In one swoop,  a very dark cloud has been thrown over free exchange of software over the Internet.  This is NOT a Microsoft specific problem. Almost every existing operating system allows the sort of features that make RCTH programs possible. Operators run programs. Programs open sockets. Programs capture keystrokes. Operating systems provide mechanisms to automatically start programs.

The vulnerability that exists is that we (industry wide) use computers that don't have many internal controls. They let us do what we want. Without internal controls, it is up to us to control them. If we don't control them, we'll either have increasingly serious security breaches or the computer industry will go back to locked down mainframe type processing to force automatic controls. I suspect this latest threat will hasten the use of "certified applications", increased access controls to both organizational data and the Internet, locked down desktop configurations, the "Network Computer/Browser/Application Server" architecture, and an increased level of caution associated with our computing environment.

Maybe hackers will force us back to terminals (static browsers), mainframes (application servers), and service bureaus (application service providers).

Further discussion at JMU newsgroup jmu.computer.security.

Additional information:

Safe Email Practices

Joakim von Braun's Trojan Database

http://www.commodon.com/threat/

Privacy Software Corporation's BOClean product

Related CERT advisory on Back Orifice

Related CERT advisory on generic Trojan Horse Programs

http://www.nwi.net/~pchelp/bo/bo.html

McAfee Firewall (formerly Conseal Private Desktop)

 