© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2021
A. SheikhCertified Ethical Hacker (CEH) Preparation Guidehttps://doi.org/10.1007/978-1-4842-7258-9_5

5. Trojans, Backdoors, Viruses, and Worms

Ahmed Sheikh1  
Miami, FL, USA

A number of malicious programs contain features of viruses, worms, Trojans, and rootkits. These malicious programs are written for a number of reasons including pranks, financial gains, or to distribute political messages. In this chapter, you will learn the various ways a Trojan can infect a system, specific countermeasures to be aware of, and how to recognize a virus, including virus detection methods and countermeasures.

By the end of this chapter, you will be able to
  1. 1.

    Explain how a Trojan infects a system.

  2. 2.

    Identify ports used by Trojans and Trojan countermeasures.

  3. 3.

    Identify the symptoms of a virus.

  4. 4.

    Describe how a virus works.

  5. 5.

    Identify virus types, virus detection methods, and virus countermeasures.


Trojan Horses

Trojans are malicious programs that can cause considerable damage to both the hardware and software of a system. Backdoors are ways to access a device without following the usually required security and authentication procedures.

A legitimate communication path on a network or within a computer system that transfers data is referred to an overt channel . A channel that transfers information and violates the security policy is referred to as a covert channel. To create a covert channel, an overt channel can be manipulated. The Trojan is a simple type of a covert channel.

A Trojan horse, or simply a Trojan, is a malware that is apparently a normal, useable program but actually contains a virus. During the Trojan War, the Greeks used a Trojan horse to obtain access to the city of Troy. Likewise, a Trojan horse enters the victim’s computer undetected and has the same level of privileges as the victim. It can falsely implicate a remote system as an attack source.

A Trojan steals sensitive information, stores illegal materials, and is used as an FTP server for pirated software. A Trojan runs in stealth mode and can alter the registry or other auto-starting methods.

A backdoor is a method used to bypass the usual authentication methods on a system. There are numerous ways that a Trojan can infiltrate a system, including instant message applications, Internet relay cache, attachments, physical access, browser and email software bugs, file sharing, fake programs and freeware, and accessing suspicious sites.

Indicators of a Trojan Attack

It is important to be aware of the symptoms that indicate a Trojan attack.
  • CD-ROM drawer opens/closes automatically

  • Computer screen blinks or is inverted

  • Backgrounds/wallpaper settings change automatically

  • Color settings change automatically

  • Anti-virus is automatically disabled

  • Date and time change

  • Mouse pointer disappears

  • Pop-ups suddenly appear

If a system experiences any of the symptoms mentioned, it warrants a closer look as to what exactly is going on with that system.

Ports Used by Trojans

A basic understanding of the state of an active connection and the ports used by Trojans will enable you to determine if the system has been compromised. Review Table 5-1 for ports used by Trojans.
Table 5-1

Ports Used by Trojans




Back Orifice


31337 or 31338

Deep Throat


2140 and 3150



12345 and 12346



12361 and 12362

NetBus 2












Sub Seven


6711, 671, 6713

Portal of Doom


10067, 10167

Netstat Command

The netstat command can be used to determine which ports are listening. Figure 5-1 shows the results of a netstat command, indicating active connections and identifying which ports are listening.
Figure 5-1

Netstat results

Types of Trojans

Trojans can be grouped into categories based on the manner in which they function:
  • Remote Access Trojans provide full control over the victim system.

  • Data-Sending Trojans can install a keylogger and can provide access to confidential data.

  • Destructive Trojans will delete files on the target system. A DoS Attack Trojan allows the attacker to start a distributed denial-of-service attack.

  • Proxy Trojans turn the target computer into a proxy server, making the computer accessible to the attacker.

  • FTP Trojans open port 21, allowing the attacker to connect via FTP.

  • Other Trojans can disable antivirus software, create ICMP tunnels, or permit attackers to bypass firewalls.

ICMP Tunneling

Arbitrary data is injected into an echo packet sent to a remote device via ICMP tunneling . In the same fashion, the remote machine responds by injecting a response into yet another ICMP packet and returning. Using ICMP echo request packets, the client conducts all communication, while the proxy utilizes echo reply packets. This vulnerability exists because the RFC for governing ICMP packets allows for an arbitrary data length for any echo reply or echo message ICMP packets.

By obfuscating the real traffic, ICMP tunneling could be used to circumvent firewall rules. Obfuscation implies that you conceal the actual meaning of communication. This form of communication can also be classified as an encrypted communication channel between two machines, depending on the configuration of the ICMP tunneling program. Network administrators can’t identify this kind of traffic from their network without sufficient deep packet inspection or log analysis. See Figure 5-2.
Figure 5-2

ICMP tunneling

Tools Used to Create Trojans

Some of the tools that can be used to create Trojans are listed here based on category. Needless to say, it is not difficult for an attacker to find a way to infiltrate a victim system with a Trojan.
  • Backdoor tools include Tini, Icmd, NetBus, and Netcat.

  • Concealment tools include Wrappers, EXE Maker, Pretator, Restorator, and Tetris.

  • Remote access tools include VNC, RemoteByMail, and Atelier Web Remote Commander.

  • Shell and tunneling tools include Windows Reverse Shell, Perl-Reverse-Shell, XSS Shell, XSS Tunnel, and Covert Channel Tunneling Tool.

  • Other tools include SHTTPD Server, Trojan Horse Construction Kits, Rapid Hacker, SARS Trojan Notification, and T2W (Trojan to Worm).

Trojan Countermeasures

There are a number of countermeasures available to lessen the chances of being a victim. A Trojan infection can be avoided by implementing the measures listed.
  1. 1.

    Do not download files from unknown sites.

  2. 2.

    Do not use the preview panes in programs.

  3. 3.

    Run antivirus, firewall, and intrusion detection software on your desktop.

  4. 4.

    Delete suspicious device drivers.

  5. 5.

    Scan for suspicious open ports, running processes, and registry entries.

  6. 6.

    Run a Trojan scanner.

  7. 7.

    While downloading useful files, do not download other programs; this may result in infections of viruses that can steal your personal data.


Detecting Tools

To detect a Trojan, scan for suspicious open ports. Then scan for suspicious processes that may be running. Scan the registry. Use a tool such as Wireshark to scan for suspicious network activity. Finally, run a Trojan scanner. A few more tools that can be used to detect a Trojan are Netstat, fPort, TCPView, CurrPorts, PrcView, Msconfig, Autoruns, and HijackThis.

Backdoor Countermeasures

The countermeasures listed will help protect a system from having a backdoor created and thereby providing access to an attacker. Care should always be taken when downloading email attachments or installing applications downloaded from the Internet. If the site provides a hash value for a file download, make sure that you verify the value after downloading the file to insure that the file has not been tampered with. You should use an antivirus package that can recognize a Trojan signature and keep your applications updated with the latest security patches.

Countermeasure Tools

There are a number of countermeasure tools available. Anti-Trojan software designed to help detect Trojans can be run alongside an antivirus program. As with antivirus software, Anti-Trojan software must also be kept up to date.
  • Anti-Trojan software includes TrojanHunter, Comodo BOClean, Spyware Doctor, and SPYWAREfighter.

  • Backdoor tools include Tripwire, System File Verification, MD5sum.exe, and Microsoft Windows Defender.

Process Monitor

A Trojan can be hidden in any number of .exe files within the Microsoft operating system. A tool such as Process Monitor can be used to monitor system process files. It is a free download from the Microsoft site. It shows real-time file system, registry, and process or thread activity. See Figure 5-3.
Figure 5-3

Process Monitor summary example

Malware Tool: Poison Ivy

User-friendly malware applications such as the Poison Ivy Remote Access Trojan are often used by cybercriminals to enable them to conduct a lot of post-exploitation activities, such as loading malware, executing programs, deactivating services, disrupting processes, and stealing information.

Poison Ivy is a highly dangerous malware tool because it allows hackers to establish a continuous connection to a victim’s machine via an encrypted connection. Poison Ivy has been used as an attack tool in many high-profile incidents, including an attack on the RSA network in 2011.

In the lab, you can set up the Poison Ivy Client, entice the victim to launch the malicious file, and exploit the victim machine with Poison Ivy. See Figure 5-4.
Figure 5-4

Poison Ivy listening to ports

Viruses and Worms

While both viruses and worms are malicious programs that can cause damage to a computer, knowing the differences between them is important. As this chapter continues, the focus will be to take a close look at the virus vs. the worm.
  • A virus requires a host, a program or file that enables it to spread from one computer to another. A virus is spread by human action, like opening an attachment or running a program.

  • A worm is self-replicating. Human action is not required. A worm spreads from computer to computer via the network utilizing a security hole.

Symptoms of a Virus

Recognizing the symptoms of a virus means you can act faster to limit the damage to your system or your network.

Symptoms to be aware of include the following:
  1. 1.

    Programs take longer to load.

  2. 2.

    Hard drive is always full.

  3. 3.

    Unknown files keep appearing.

  4. 4.

    The keyboard or computer emits strange or beeping sounds.

  5. 5.

    The computer monitor displays strange graphics.

  6. 6.

    File names turn strange, often beyond recognition.

  7. 7.

    A program’s size keeps changing.

  8. 8.

    The memory on the system seems to be in use.

Damage from virus and worm infections can fall into three categories:
  • Technical damages because resources such as memory, CPU time, and network bandwidth are wasted.

  • Ethical or legal damages result due to unauthorized data modification, copyright, or ownership problems.

  • Psychological damages such as trust problems and lack of knowledge round out the mayhem.

Stages of a Virus’ Life

Anyone with basic programming knowledge can create a virus, and there are numerous tools available for designing a virus. Replication occurs over a period of time. With a virus, human action is required to launch the virus. A virus is identified as a threat after a user notices one of the symptoms previously mentioned. Antivirus software companies incorporate a fix into their products so that users can install the updates and eliminate the virus. Figure 5-5 shows the stages of a virus throughout its life.
Figure 5-5

Stages of a virus’ life

Infection Phase

A virus has two phases, really. The first is the infection phase and it is followed by the attack phase. Once a virus is triggered, the sequence of events will continue until the user notices the symptoms and takes the proper steps.

Once a virus has been triggered, it can corrupt the files and programs of its host or perform tasks that are unrelated to the applications running. See Figure 5-6.
Figure 5-6

Infection phase

Types of Viruses

Viruses are different based on how they add themselves into the target host’s code and how they act upon the target system. Here are three types of viruses:
  • Shell virus: In a shell virus, the virus code forms a layer around the target host program’s code, the original code moves to a new location, and the virus assumes its identity.

  • Add-on virus: An add-on virus appends code to the beginning of the host code so the virus code is executed before host code.

  • Intrusive virus: An intrusive virus overwrites its code over the host’s program code so the original code does not execute properly.

What Viruses Attack

Another way that viruses can be classified is based on what they infect. A common target is the boot sector, which is an area on the disk that is executed when a computer is started up.

Program viruses infect executable program files or files with .exe, .com, or .sys, for example. Multipartite viruses infect program files which in turn affect the boot sector. Network viruses use the commands and protocols of a computer network to replicate.

Source code viruses are more unusual due to the skill required to write them, and there are many types of source code out there. Macro viruses perform a sequence of actions when an application is run.

How Viruses Infect

Viruses can also be classified according to how they infect the target system. A terminate-and-stay resident virus remains in memory until the system is restarted. A transient virus has a life that depends on its host. When its attached program ends, the virus terminates. A companion virus has the identical file name as the target program file. As soon as the particular program is executed, the virus infects the computer. Polymorphic viruses change their characteristics to evade antivirus programs. Stealth viruses alter and corrupt service call interrupts when they are being run. When a request to perform an operation involves these service calls, the virus interrupts and replaces that call.

Cavity viruses fill the empty spaces of a program and are more difficult virus to write. Tunneling viruses attempt installation beneath the antivirus program by intercepting the interrupt handlers of the operating system and evade detection. Camouflage viruses cover themselves as genuine applications and are easily traced by antivirus programs. There are also bootable CD-ROM viruses that can enter a system by being loaded on a CD-ROM.

Self-Modification Viruses

Antivirus programs scan for patterns or a virus signature, a byte that is part of the virus. If a pattern match is found, the antivirus program flags that file as infected. With self-modification viruses, the code is modified upon each infection. Encryption with a variable key uses encryption keys and each infected file uses a different combination of keys. To manipulate freshly executed files, metamorphic code viruses rewrite themselves whereas polymorphic code viruses infect a file with a copy of a polymorphic code that is encrypted.

The Worst Computer Viruses

Take some time to review some of the most famous viruses and worms.
  1. 1.

    The ILOVEYOU worm was a VBScript. It spread by using Microsoft e-mail clients. It utilized a file attachment named LOVE-LETTER-FOR-YOU.TXT.vbs that when opened, copied itself to the Windows system directory. The worm modified the registry so that it would run when the system booted.

  2. 2.

    The Melissa virus also spread through accessing the victim’s contacts in Microsoft Outlook. This virus lowered the computer’s security settings. The virus targeted a Word document template. Melissa overwhelmed many servers due to the volume of e-mail that it generated.

  3. 3.

    SQL Slammer exploited the buffer overflow vulnerability in Microsoft SQL Server. Although the worm did not contain a destructive payload, it did produce a massive amount of network traffic.

  4. 4.

    Nimda used five different methods of infection and became the Internet’s most widespread worm, affecting workstations and servers running the Windows operating system. The name “nimda” is actually the reverse spelling of “admin.”

  5. 5.

    Anna Kournikova computer worm used a promise of a picture of the tennis play as an enticement to open the attachment.


File Extensions

Checking the file extension of an unknown file is a good way to determine the safety of a file.

Are you familiar with the file types in the list below?














A virus scanner is a must-have. After a new virus is discovered, the signature strings of the virus are identified. Your antivirus software must be updated with the new signatures in order to scan your memory files and system sectors. Although virus scanners can check programs before they are executed and are the easiest way to check new software for known viruses, they are a reactive solution.

Integrity checkers read and record integrated data to develop a signature for those files and system sectors. Some are also capable of analyzing the types of changes that viruses make.

Interception looks at requests to the operating system for actions that cause a threat to a program. If it finds a request, the interceptor pops up and asks for user interaction before continuing.

The standard incident response when dealing with a virus or worm is outlined. Antivirus software is a must in detecting the attack. To trace the processes, the following utilities are useful:
  • Handle.exe: Displays information about open handles for any process in the system.

  • Listdll.exe: Shows the command line parameters and all the associated DLLs that are used.

  • Fport.exe: Reports all open TCP/IP ports and maps them to an application.

  • Netstat.exe: Displays network connections and network protocol statistics.

Antivirus Software

Antivirus software (Figure 5-7) needs to be installed, updated, and run to be most effective. There are many options available.
Figure 5-7

Microsoft Security Essentials

Utilizing Malware

Hackers often use malware programs like Dark Comet to maintain a connection to a victim’s machine. The hacker is then able to perform malicious tasks on the victim over that connection.

In Figure 5-8, Windows 7 is using a public IP address on the WAN. Windows 2003 SQL is NATed behind the firewall, and the firewall is redirecting traffic to SQL.
Figure 5-8

Windows 7 using a public IP address on the WAN

In Figure 5-9, SQL injection provides a Dark Comet connection to a victim.
Figure 5-9

SQL injection and Dark Comet

Exploiting the Connection

A connection to the victim machine offers a number of possible actions. Once connected to a victim machine, the attacker can manipulate the target machine as though they were sitting behind the keyboard (Figure 5-10).
Figure 5-10

Dark Comet connection


Malicious programs are written to benefit the attacker and are created for a multitude of reasons. These programs contain features of viruses, worms, Trojans, and rootkits. In this chapter, you learned the ways Trojans infect a victim’s system, countermeasures, and the ports used by Trojans. You can now identify symptoms of a virus, virus types, and virus detection methods in countermeasures. Lastly, you understand how a virus works and are familiar with the concepts of backdoors and worms.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.