Trojan Horses
Tuesday, 12 July 2011 07:37
A direct and informative guide to Trojan horse applications: detection, removal and avoidance measures you can practise to avoid and detect these malicious applications.
Overview
Trojan horse applications aid attackers in gaining access to a remote computer or server. Many times, unskilled attackers will enlist the help of Trojans in order to gain access to machines they are not allowed to access. Trojans, like viruses, are deployed using many techniques.

Linux Trojans:
Most of the time Linux Trojans come bundled with rootkits, or with rootkit-like functions. In a Linux / Unix environment there are a few avenues you can take to assure yourself that your system is safe; checking the boot scripts and boot-up locations is key and essential. Before we explain how Trojans attack and infect Linux systems, we will go over some basic strategies and techniques. We will look at how Tripwire, netstat and nmap can be used, and how a Linux LiveCD together with ClamAV, chkrootkit and other applications can be used to find the presence of Trojan applications under Linux. Although Linux Trojans can use ICMP, TCP and UDP, they cannot use the shatter attack method (available in Windows); however, they can use packet sniffers (like their Windows counterparts) and so become more dangerous. Since most Linux and Unix systems are servers and databases, Unix systems are much more rewarding and worth the challenge to attackers: if the environment is owned, a lot more tools are available under Linux to perform attacks than under Windows.

Running Tripwire:
This section on Tripwire assumes that you have already installed and configured your version of Tripwire. If not, please see the Installing Tripwire documentation. Tripwire can offer a plethora of protection against Trojans, and especially against rootkits (or Trojanized versions of software applications).
The whole basis behind Tripwire is to take an inventory of checksums and to log all changes made to files, folders and the file system itself. Tripwire also has the ability to send emails if files have been changed or altered. Using Tripwire can also speed up the recovery, and the dissection of how an attack against your system played out (not just for Trojans or Trojanized applications). It should be noted that Tripwire should be installed prior to an attack, not during or after, as the information cannot then be trusted. To run Tripwire, enter tripwire -v --check at a shell prompt; to have the information placed in a file, enter tripwire -v --check >> /foo/name.txt to save the information outside the shell prompt. Below is a screen shot of the Tripwire process.
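As an added example (not Tripwire's own code, nor anything from the article), here is the checksum inventory idea in shell: take a baseline of file hashes while the system is clean, then report files that were modified, added or removed since. It assumes GNU coreutils (sha256sum, mktemp) and runs against a constructed sample directory.

```shell
#!/bin/sh
# Added example, not Tripwire's code: a minimal checksum inventory in the spirit of
# what Tripwire does. Assumes GNU coreutils (sha256sum, mktemp). As with Tripwire, the
# baseline is only trustworthy if it is taken while the system is known to be clean.

# take_baseline DIR FILE: record the SHA-256 of every regular file under DIR in FILE.
take_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} +) > "$2"
}

# check_baseline DIR FILE: compare DIR against the baseline in FILE. Prints one line per
# deviation ("MODIFIED path", "ADDED path", "REMOVED path"), sorted; returns 0 when the
# tree is unchanged and 1 otherwise, so it can drive an alert (Tripwire would e-mail).
check_baseline() {
    cb_current=$(mktemp)
    (cd "$1" && find . -type f -exec sha256sum {} +) > "$cb_current"
    # First file (baseline) fills old[path]=hash; second file (current) is compared.
    cb_report=$(awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        !($2 in old)        { print "ADDED", $2; next }
        old[$2] != $1       { print "MODIFIED", $2 }
                            { delete old[$2] }
        END { for (p in old) print "REMOVED", p }
    ' "$2" "$cb_current" | LC_ALL=C sort)
    rm -f "$cb_current"
    [ -z "$cb_report" ] && return 0
    printf '%s\n' "$cb_report"
    return 1
}

# Demo on a constructed directory tree standing in for a real system.
demo_dir=$(mktemp -d); demo_base=$(mktemp)
echo "PermitRootLogin no" > "$demo_dir/sshd_config"
echo "#!/bin/sh" > "$demo_dir/rc.local"
take_baseline "$demo_dir" "$demo_base"
echo "tampered" >> "$demo_dir/rc.local"   # a boot script altered after the baseline
echo "x" > "$demo_dir/libfoo.so"          # a file that was not in the inventory
check_baseline "$demo_dir" "$demo_base" || echo "integrity check FAILED"
rm -rf "$demo_dir" "$demo_base"
```

Like Tripwire, it says nothing useful if the baseline file itself sits on the compromised disk; keep it on read-only or offline media.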
Any changes or apparent threats found on your system will be reported to you by Tripwire. Although the techniques mentioned here can show that you have not yet been attacked, it is worth pointing out that using Linux LiveCDs is the best practice, as the live CDs are read-only and cannot be affected by a rootkit or Trojanized software: you are running clean code. You can also make backups of system files and use them on the infected machine by renaming them; however, this too is not recommended.

Linux Netstat:
The netstat command can offer some insight into which connections are coming in to and going out of your machine. You run it by entering netstat at a shell prompt, and it accepts a number of arguments. You will normally want -a to show all sockets and the states of active connections, and -n to show server connections and server / network numbers. You can view a sample of the netstat -a -n output by clicking on this document. To determine which ports are open on the local host, look at the output: each line shows IP.ADDRESS.OF.SERVER:PORT on either side (local and foreign), and the number after the colon is the port. From this you can ascertain which ports are open. To confirm this, you can run an nmap scan against the host, which is discussed next.

Nmap:
Despite all the negative hype that has surrounded Nmap since it was featured in The Matrix, and then the FBI riding it, it is not just a hacker's tool; Nmap has legitimate and legal purposes as well. Even though it is risky to leave an infected machine connected to the internet (or to the network environment), if you are taking this route you should be aware of the dangers involved. If at all possible, you should place this computer in a DMZ, or by itself. When you have done this, you should start an nmap scan from another system.
To launch an nmap scan from another machine, you can use the following options: -sT or -sU (T for a TCP scan, U for a UDP scan; these can also be mixed with -sS for a SYN scan, and others), -A, and -p 1-65535. If you don't want to start an unintentional DoS against both machines, use the -T3 or -T4 option to keep it running smoothly. The output from an nmap scan can give you some enlightenment as to what services are listening and on which port numbers. With this information in hand, you can start a Google search and determine what type of Trojan has infected your system. It should also be noted that you can use your firewall logs to determine when the ports started to appear (if you hold logs for that period) and work out a time frame around when the attack started, eventually attempting to trace the attack, or even attempting to find how the application got on the system by recreating the sequence of events (the Snort logs can help here too, as they can help isolate where the files were when they were modified or tampered with).

ClamAV / clamscan:
The clamscan / ClamAV scanner can help detect viruses and Trojans. ClamAV, however, is like all anti-virus scanners. The only problem with the current version of clamscan / ClamAV is that each time you need to update the database and its dat files you have to uninstall and re-install the entire application.
Given that clamscan is updated weekly and your signatures are up to date, you should have no problem detecting a Trojan (per se). However, anti-virus applications are not the only line of defense you can use to take affirmative action against such malicious applications. Common knowledge and user education & awareness are key to avoiding potential problems and attacks.

Chkrootkit:
Chkrootkit is a Unix-based application (shell script) which compares files within /proc and checks files for known rootkit signatures. If found, these signatures will be reported. It should be noted again that these tools and utilities should be installed before the machine hits the internet, not after the machine is attacked. Failure to do so may cause the scanner to skip over files which have been Trojanized or have rootkit signatures in them. Below is a listing from starting chkrootkit through to a scan running:
It should also be known that certain files are prone to false positives with chkrootkit; if anything is in question, please Google the results. Also check your operating system's online help pages for free support and insight. If you are working in the corporate sector, go through the support licence you purchased, as posting to the internet can have adverse side-effects, as shown in the Public Documents - Public Help section.

Linux Live CD:
Linux live CDs can offer insight into the machine after an attack, as all of the data on the CD is read-only; thus the tools on the CD cannot be Trojanized or affected by a rootkit. Normally, running chkrootkit or clamscan from the live CD would prove to be one of the best avenues to investigate an attack (given that the tools you are running can scan the mount points). *Please note that from a forensics standpoint, playing with or examining the actual disk should not be done, as the information can become contaminated, thus hampering the forensic effort.* Because this article is becoming rather large and in depth, please check with your version of Linux to see whether it supports live CDs or USB thumb drives / devices. Click here for a listing of LiveCDs and other resources.

Trojan applications work as executable applications (.exe, .com, or embedded .shs files which share an executable ending) [Windows side], and Trojans share .sh endings which need to be compiled [Unix side]. All Trojans share a basic means of operation: a user must execute the application in order for it to work. Without execution, an application such as a Trojan may lie dormant on a system and not become active; so, in essence, you may download the application and retain it on your disks, but only once it is executed does it become active. In all cases, Trojan applications will use either a TCP or UDP connection.
In many cases you will come across a Trojan application which uses a TCP connection, for the simple fact that the TCP layer can send data across the wire reliably and rarely loses packets. UDP, on the other hand, causes the attacking end more trouble: you will be in a constant state of suspense as to whether you are connected or not. While UDP is a rare issue for some administrators on networks, and is rarely ever checked, it is highly possible to sustain an attack where an attacker buries himself or herself in a UDP state, has access, and is only discovered when it is too late. For connections, Trojans will open any port in the range 1 through 65,535. If you have a network which runs an IDS (Intrusion Detection System) and you have sustained an attack via a Trojan, you might expect the IDS log to pick it up. But this is not always so. Here is why: because IDS logs only monitor traffic which is unencrypted (plain text, like this document), you may discover some activity which sets off a flag; if, on the other hand, the Trojan application used an MD5 encryption algorithm to encrypt its data (or uses encapsulation), the IDS will take this traffic and allow it as normal network traffic. Therefore, you may not notice. Trojans will also come across as e-mail attachments from a reliable source and may be executed by end users, or the application may come across as a valid application.

Spotting a Trojan Attack:
Unlike viral attacks, Trojan attacks are mainly easy to discover. This also depends on how well crafted they are, and how smart the programmer of the application is. In addition, it also depends greatly on the simple question, "did the attacker utilize a rootkit?" Here is what you can look for when you execute an application (given you have scanned it, and no threats / threat agents were found):

1. Be suspicious if the application errors. Most Trojan authors will in fact code a "fake" error message into their application to trick the user into thinking that the application did not load and, having errored, is simply broken and need not be scrutinized or dealt with further.
2. If you execute an application and it does not display anything on the screen, you can be sure that something odd is going on. ALL applications will load and display some sort of GUI (Graphical User Interface). If it was a picture, you will see the picture viewer, and you will be prompted with an error if the picture has not loaded properly.
3. Whether the application errors or not, are you able to delete the file you downloaded? If not, you can guarantee that it is loaded in memory, awaiting an active connection and instructions from the source of the application.
4. Many new systems, whether home or office, come with some sort of internet protection (firewall or anti-virus). If you have a firewall on your system and it is working properly, it should automatically alert you and block the connection / listening state of the application. If you do not notice this, the file you have executed may contain a virus. If, after you have executed the program, it does what Trojan applications normally do, did you receive a warning from your firewall? If the firewall does appear, asking you what to do for a certain file, you can be sure that you definitely have a Trojan horse on your system. If your firewall does not prompt you and you notice that your firewall is not working properly, the Trojan horse may have initiated a DoS (Denial of Service) against your firewall, rendering it useless. You will have to look into this aspect.

Installation Methods:
Many Trojan applications will bury themselves in a system folder, whether it be C:\Windows\, C:\Windows\System32\ or C:\Windows\System.
For NT users, just replace "Windows" with "WinNT" and you will see where this is going. Because Trojans depend on loading each time Windows loads, they leave a trace on the system from which you will be able to discover the whereabouts of the application and proceed with its removal. Newer versions of Windows (from Windows 98 up to the current release) have a tool called MSCONFIG, but before we talk about the tools you can use to uninstall / remove such an application, let me point out a few key factors. Every user should familiarize themselves with the netstat command. The netstat command will display all the connections on your computer; to issue this command, simply open a DOS prompt and type in "netstat". The following is an image of netstat:
Using netstat and understanding it can also help you discover which port ranges belong to which states (as listed above). Another valuable tool is nmap for Windows, which can be found at Nmap Downloads. Using nmap will help you determine which ports you have open and listening for connections, allowing you to take action in shutting them down, filtering them, or even blocking them at the firewall.
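As an added example covering both the Linux netstat section earlier and the Windows netstat just described (it is not the article's own code), here is a shell script that pulls the listening sockets out of netstat -an output in either layout and reports the ones missing from an expected-ports baseline; the netstat output and the baselines are constructed for the example, and the 31337, 5555 and 6667 listeners stand in for the unexpected ports an administrator would go on to check with nmap and the firewall logs.

```shell
#!/bin/sh
# Added example, not from the article: extract listening sockets from `netstat -an`
# output and flag those absent from an expected baseline. Handles the Linux layout
# (state column "LISTEN"; UDP sockets carry no state) and the Windows layout
# ("LISTENING"; UDP foreign address "*:*"). Both samples below are constructed.
SAMPLE_LINUX='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.50:51234      ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:5555            0.0.0.0:*'

SAMPLE_WINDOWS='  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49710     192.168.1.1:443        ESTABLISHED
  UDP    0.0.0.0:500            *:*'

# Ports the administrator expects to be listening on each host (assumed baselines).
EXPECTED_LINUX="tcp/22 tcp/631 udp/68"
EXPECTED_WINDOWS="tcp/135 udp/500"

# listening_sockets NETSTAT_OUTPUT: print one "proto/port" line per listening socket.
# The port is whatever follows the last colon of the local address, so IPv6 forms
# such as ":::22" are handled as well.
listening_sockets() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN"    { proto = "tcp"; addr = $4 }
        $1 ~ /^udp/ && $5 ~ /:\*$/       { proto = "udp"; addr = $4 }
        $1 == "TCP" && $4 == "LISTENING" { proto = "tcp"; addr = $2 }
        $1 == "UDP" && $3 == "*:*"       { proto = "udp"; addr = $2 }
        proto != "" { sub(/.*:/, "", addr); print proto "/" addr; proto = "" }
    ' | sort -u
}

# unexpected_sockets NETSTAT_OUTPUT EXPECTED: listeners that are not in the baseline.
unexpected_sockets() {
    for s in $(listening_sockets "$1"); do
        case " $2 " in
            *" $s "*) ;;
            *) echo "$s" ;;
        esac
    done
}

unexpected_sockets "$SAMPLE_LINUX" "$EXPECTED_LINUX"       # tcp/31337 udp/5555
unexpected_sockets "$SAMPLE_WINDOWS" "$EXPECTED_WINDOWS"   # tcp/6667
```

On a live host, replace the sample with `netstat -an` output and remember that a rootkit can hide sockets from netstat itself, which is why the article recommends confirming from a LiveCD or with nmap from another machine.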
Last Updated on Monday, 08 August 2011 09:10