
Trojans

Carding

A Trojan program (Trojan) is a malicious agent whose main difference from a classic virus is its propagation method: it usually penetrates the system under the guise of a regular, legitimate program, which is why it is traditionally called a "Trojan horse". After penetration it is capable of many things: it can collect information about the device and its owner, steal data stored on the computer, block access to user information, disable the operating system, etc.

Trojan classification

One of the classification options is to divide into the following types:

1. RAT (Remote Access / Administration Tool)
2. Ransomware
3. Encryptors
4. Downloaders
5. Deactivators of protection systems
6. Bankers
7. DDoS Trojans

RAT is a spyware trojan. Once installed on the system, it provides an attacker with a wide range of options: capturing video from the victim's screen, accessing the file system, recording video from a webcam and sound from a microphone, stealing browser identification files (cookies), installing other programs, etc. Examples include DarkComet or AndroRAT.

Ransomware is a form of malicious object that blocks access to a system or data, threatens the user with deleting files from the computer or spreading the victim's personal data on the Internet, and demands a ransom payment to avoid such consequences. An example of this behavior is the WinLock family.

Encryptors are an advanced form of ransomware that uses cryptography as the means of blocking access. Whereas in the case of an ordinary "winlocker" it was possible to simply remove the malicious program and thereby regain access to the information, here destroying the ransomware itself achieves nothing - the encrypted files remain inaccessible. However, in some cases antivirus software can recover the data. An example of such ransomware is CryZip.

Downloaders are a type of malicious agent designed to download other programs or files from the Internet. An example is Nemucode.

Protection system deactivators are Trojans that remove or stop antiviruses, firewalls, and other security tools.

Bankers are a type of Trojan horse that specializes in stealing bank data (account number, PIN, CVV, etc.).

DDoS Trojans (bots) are malicious programs that are used by hackers to form a botnet in order to carry out denial of service attacks.

All Trojans are loaded into the system under the guise of legitimate software. They can be specially uploaded by cybercriminals to cloud data storage or file-sharing resources. Trojans can also enter a system when an insider installs them during physical access to the computer. In addition, they are often disseminated through spam mailings.

Target of Trojans

Most often, the target of such a malicious agent is an ordinary PC and its user, but incidents are also possible in a corporate environment. There is the potential for spamming to infect multiple computers to form a botnet. Some Trojans are embedded in legitimate software and do not interfere with its functioning; thus, the victim does not even notice their actions in the system. In addition to personal computers, an attacker can infect mobile devices in order to spy on the victim or to steal their confidential information.

Source of threat

The source of the threat can be file-sharing sites and torrent trackers to which the attacker has uploaded malware disguised as legitimate software, fake websites, spam mailings, etc. An important rule for protection is not to click on dubious links or run suspicious programs. Most Trojan horses are successfully detected by anti-virus and anti-spyware software. Law enforcement agencies can install Trojans on a suspect's computer or other devices in order to collect information and evidence. The intelligence services of many countries use such means for espionage. In general, Trojans are very widespread because there are a huge number of different tools for creating them. For example, there are utilities that allow you to add a malicious agent to existing legitimate software.

Risk analysis

Both home and corporate users are at risk. Trojan horses may pose a serious threat to the victim (RAT, bankers), or may not interact with the victim at all (DDoS Trojans). Many of them are difficult to detect, since they are embedded in the code of a legitimate program and do not interfere with its functioning. A characteristic feature of a Trojan is autorun: as a rule, it needs to be launched automatically at system startup or when a user logs on. Another sign is a slow computer. The Trojan puts a load on the processor (especially DDoS Trojans), which can slow down the PC and increase the CPU temperature. If the anti-virus software does not help, then the only reliable way out is to reinstall the OS or contact a specialist.
 

Carding


Tracking Trojans for Windows, macOS, Linux, Android, iOS

It would seem that the most obvious way to protect yourself from any computer or mobile spy is to install an antivirus and forget about the problem forever. But "obvious" is not synonymous with "effective." Most anti-virus programs catch Trojans in much the same way that counterintelligence detects real spies: by fingerprints, that is, by means of signature detection.

A signature is a unique file identifier stored in a special database, which can be used to distinguish it from others. If a sample of this malicious file has not been previously examined in a virus laboratory and its signature has not been added to the databases, the antivirus will not be able to identify it.

There are different ways to bypass signature detection - we have written about them more than once. That leaves heuristics. But heuristic threat search engines based on behavioral analysis, program execution in a sandbox and other tricks are not a panacea, otherwise antiviruses would not produce false positives. In other words, even if your computer is equipped with the most advanced protection, this does not mean that you are safe.

What are the most popular commercial spyware programs on the market today, and how can you detect their presence in the system?

FinFisher tracking Trojan
Cyber-espionage software called FinFisher, aka FinSpy, was developed by the Gamma Group and is rumored to be used for political surveillance of journalists and dissidents around the world. The program was leaked to WikiLeaks by Julian Assange in 2011, after which it became available to anonymous users and was subjected to close scrutiny by information security specialists and other interested parties.

FinFisher can intercept the victim's correspondence on social networks, track email messages, work as a keylogger, provide access to files stored on the infected machine, and record video and audio using the built-in microphone and camera. FinFisher builds exist for Windows, macOS and Linux. In addition, mobile versions of the Trojan were created for almost all platforms existing today: Android, iOS, BlackBerry, Symbian and Windows Mobile.

The FinFisher distribution scheme is typical for Trojans: the spyware was distributed using downloaders, which were sent by e-mail under the guise of useful applications or arrived on the computer with updates to a previously installed safe program. One of the attacks investigated by the guys from ESET also used a MITM scheme: when trying to download the necessary program, an unsuspecting victim was redirected to a phishing site, from where they downloaded the distribution package with the Trojan. In the ESET example, FinFisher was built into the TrueCrypt distribution. The irony is that a user who wanted to protect their data and encrypt the disk for greater security installed spyware on their own machine with their own hands.

The creators tried to make FinFisher's work as invisible as possible and to make the Trojan difficult to detect in every possible way. Its code contains functions that protect the application from debugging, prevent it from running in a virtual machine and hinder disassembly, and the code itself is obfuscated. In addition, the program tries to act unnoticed in the infected system and avoids attracting the user's attention.

FinFisher Trojan protection
Catching FinFisher on a device manually is a pretty tricky task. Known samples are successfully detected and removed by popular antivirus programs, but with unknown ones... it's more difficult.

No matter how trite it may sound, a properly configured firewall is an obvious (and very effective) means of protection against this spy. During operation, FinFisher establishes a connection not only with its control server (its address can change from sample to sample), but also with several other hosts, from where its components are loaded. If you configure your firewall to paranoidly block application connections to unknown hosts, FinFisher will not be able to work properly on such a device. Well, in order not to get software tampered with by "well-wishers" instead of a clean distribution, it is better to download programs via HTTPS and not be lazy about checking the digital signatures of the programs.

Tracking Trojan Adwind
This cross-platform program, which can be classified as remote control systems (RCS, Remote Control Systems) or RAT (Remote Access Tool), became known in 2016, and was revealed even earlier - in 2013. This Trojan is known by various names: Sockrat, JSocket, jRat, Unrecom, Frutas, and AlienSpy. In fact, all of this is a rehash of the same melody.

Since Adwind is written in Java, it targets almost all platforms that support it: Windows, Linux, macOS, and of course Android. The popularity of Adwind among anonymous users is primarily due to the fact that the Trojan was distributed for a long time using the SaaS (Software as a Service) scheme, that is, by subscription. The developers had their own online store, technical support service and even an advertising channel with videos on YouTube. The price tag was quite democratic: from 20 to 300 evergreen American dollars, depending on the chosen service package. The second reason is the relative ease of getting a working, crypted binary that won't be flagged by antiviruses - at least until someone uploads it to VirusTotal.

The main purpose of the Trojan is to provide well-wishers with unauthorized access to a compromised machine. In addition, it can take screenshots, capture keystrokes, steal saved passwords and form data from browsers, and play with the camera and microphone.

The main distribution channel of the spy is e-mail spiced with social engineering. Potential victims of the attack were sent emails either with a downloader in .JAR format as an attachment, or containing HTML code with VBScript and JScript inserts, which secretly pulled the JRE and the Trojan dropper onto the machine. Analysts from Kaspersky Lab have also documented cases of Adwind being distributed using RTF documents containing an exploit for the CVE-2012-0158 vulnerability.

Trojan protection Adwind
To protect yourself from the Adwind Trojan, you can disable Java on your computer or demolish the Java Runtime - without waiting, as they say, for peritonitis. And of course, don't run a competition to open attachments quickly in emails received from suspicious senders. If you really need Java, another primitive but effective method of protection against Adwind is to change the .JAR file association from JRE to, say, notepad.exe.

For obvious reasons, it is impossible to completely root out Java on Android, but there it is enough simply not to root the device and not to install anything from anywhere, limiting yourself to Google Play as the main source of applications.

DroidJack Tracking Trojan
This is the name of probably the most popular commercial Android remote control Trojan, which is based on the Sandroid app. This tool has two components: the client and the server. One is installed on a smartphone or tablet as an APK file, the second is implemented as a regular Windows application that allows you to control the device. A lifetime license for this software costs $210.

DroidJack allows you to transfer the current GPS coordinates of the device, manage incoming and outgoing calls, record phone conversations, read and send SMS and WhatsApp messages, view the browser history and the list of running applications, copy contacts, receive images from the built-in camera, control the volume and much more.

Obviously, for DroidJack to work, you first need to install the app on the device. This can be done either by physically taking possession of it, or by somehow forcing the user to install the program on their own. Most of the currently known DroidJack samples lack any covert installation mechanisms.

The Trojan is freely sold, but the price is not particularly democratic. That is why good developers have developed cheaper analogs of this program - among them, for example, OmniRAT can be noted, which can boast almost the same set of functions, but four times cheaper.

DroidJack Trojan protection
The first thing the user should pay attention to is that both DroidJack and OmniRAT require a large number of permissions during installation. If you are trying to install a flashlight on your smartphone, it is reasonable to think about why it needs access to sending SMS and address book.

Secondly, even though the spy removes its icon from the list of applications, the running program can still be seen in the list of running processes. Finally, DroidJack is perfectly caught by most modern antiviruses for Android, so a regular check of the device can still be useful.

Pegasus Tracking Trojan
Pegasus is, as you know, a horse with wings. For Android and iOS, Pegasus is a Trojan horse, one of the most famous varieties of commercial mobile spyware.

Curiously, Pegasus can be installed on Apple mobile devices that have not been jailbroken. Several known targeted attacks attempted to deliver Pegasus to the iPhone using SMS messages containing a malicious link. The Trojan uses vulnerabilities to install it on the system, albeit for outdated versions of iOS (up to 9.3.5). However, no one knows for sure what the more modern editions of Pegasus are capable of, whose developers (and the Israeli company NSO Group is suspected of creating a spy) are still in good health.

The Trojan consists of several functional modules that are loaded onto the infected device as needed. The set of functions of Pegasus is generally standard for such spyware: keylogging, taking screenshots, reading SMS and email messages, copying browser history, listening to phone calls, and so on.

The Pegasus Trojan tries to behave as stealthily as possible and not show itself in any way on a compromised device. If it discovers that another SIM card has been inserted into the phone, or fails to reach the control server within 60 days, the program self-destructs. All this testifies to the fact that Pegasus is focused on targeted attacks; it is not a "weapon of mass destruction".

The well-known Pegasus samples for Android do not use vulnerabilities; to obtain administrator privileges (without which they cannot steal anything from the device except its model name), they use traditional tactics - they pester the user with annoying alerts until they agree to press the coveted button.

Protection against the Pegasus Trojan
There are several methods of protection against Pegasus: for iPhone and iPad owners - update the system in time; for Android users - do not grant administrative privileges to random applications, even if they really ask for it.

Conclusion
Commercial Trojans have been, are, and will continue to be on user systems. Simply because demand, as one smart guy named John Maynard Keynes said, creates supply.

Antiviruses, as we have already found out, are not a panacea, so to protect against Trojans for surveillance, you should use the most powerful analytical tool available today - the brain.

Check the installed programs with antivirus utilities, watch which network addresses they knock on during operation, observe which processes are launched in the system, do not forget to update the OS in time, disable unnecessary components like the Java Runtime, and in the evenings roll out not just half a litre of unfiltered, but all current security patches too.
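The DroidJack protection section says a "flashlight" asking for SMS and address-book access deserves suspicion, and the Pegasus section warns against granting administrator privileges; the following added example (not from the original post) shows how that review can be scripted. It parses a constructed, already-decoded AndroidManifest.xml; the SENSITIVE set and the per-category EXPECTED baseline are assumptions, and the package name and receiver class are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed set: permissions that spyware of the DroidJack/OmniRAT kind relies on.
SENSITIVE = {
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALL_LOG",
}

# Hypothetical baseline: what a benign app of each category plausibly needs.
EXPECTED = {"flashlight": {"android.permission.CAMERA"}}

# Constructed manifest of a "flashlight" that also asks for SMS, contacts,
# microphone and a device-admin receiver (BIND_DEVICE_ADMIN is how an app
# requests the administrator rights the Pegasus section warns about).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage(manifest_xml: str, category: str) -> dict:
    """Return the requested permissions, the sensitive ones the stated
    category does not justify, and whether a device-admin receiver exists."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    unjustified = sorted((requested & SENSITIVE) - EXPECTED.get(category, set()))
    wants_admin = any(
        r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver")
    )
    return {"requested": sorted(requested), "unjustified": unjustified,
            "device_admin": wants_admin}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, "flashlight"))
```

Real APKs store the manifest in binary XML, so decode it first (apktool or aapt) before feeding it to triage().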