If you cannot find what you are looking for. Please visit our sitemap

Backdoors, Trojans, Viruses and Worms

Backdoors, Trojans, Viruses and Worms


Trojans and backdoors are two ways a hacker can gain access to a target system. They come in many different varieties, but they all have one thing in common: They must be installed by another program, or the user must be tricked into installing the Trojan or backdoor on their system. Trojans and backdoors are potentially harmful tools in the ethical hacker’s toolkit and should be used judiciously to test the security of a system or network. Viruses and worms can be just as destructive to systems and networks as Trojans and backdoors. In fact, many viruses carry Trojan executables and can infect a system then create a backdoor for hackers. This chapter will discuss the similarities and differences among Trojans, backdoors, viruses, and worms. All of these types of malicious code or malware are important to ethical hackers because they are commonly used by hackers to attack compromised systems.


A backdoor is a program or a set of related programs that a hacker installs on a target system to allow access to the system at a later time. A backdoor's goal is to remove the evidence of initial entry from the system’s log files. But a backdoor may also let a hacker retain access to a machine it has penetrated even if the intrusion has already been detected and remedied by the system administrator.
Remote Administration Trojans (RATs) are a class of backdoors used to enable remote control over a compromised machine. They provide apparently useful functions to the user and, at the same time, open a network port on the victim computer. Once the RAT is started, it behaves as an executable file, interacting with certain registry keys responsible for starting processes and sometimes creating its own system services. Unlike common backdoors, RATs hook themselves into the victim operating system and always come packaged with two files: the client file and the server file. The server is installed in the infected machine, and the client is used by the intruder to control the compromised system.


A Trojan is a malicious program disguised as something benign. Trojans are often downloaded along with another program or software package. Once installed on a system, they can cause data theft and loss, and system crashes or slowdowns; they can also be used as launching points for other attacks such as Distributed Denial of Service (DDOS). Many Trojans are used to manipulate files on the victim computer, manage processes, remotely run commands, intercept keystrokes, watch screen images, and restart or shut down infected hosts. Sophisticated Trojans can connect themselves to their originator or announce the Trojan infection on an Internet Relay Chat (IRC) channel.

Overt Channel

An overt channel is the normal and a legitimate way that programs communicate within a computer system or network.

Covert Channel

A covert channel uses programs or communications paths in ways that were not intended.

Trojans can use covert channels to communicate. Some client Trojans use covert channels to send instructions to the server component on the compromised system. This sometimes makes Trojan communication difficult to decipher and understand.

Covert channels rely on a technique called tunneling , which lets one protocol be carried over another protocol. Internet Control Message Protocol (ICMP) tunneling is a method of using ICMP echo-request and echo-reply to carry any payload an attacker may wish to use, in an attempt to stealthily access or control a compromised system.

Different Types of Trojans

Trojans can be created and used to perform different attacks. Some of the most common types of Trojans are:
  • Remote Access Trojans (RATs)—used to gain remote access to a system.
  • Data-Sending Trojans—used to find data on a system and deliver data to a hacker.
  • Destructive Trojans—used to delete or corrupt files on a system.
  • Denial of Service Trojans—used to launch a denial or service attack.
  • Proxy Trojans—used to tunnel traffic or launch hacking attacks via other system.
  • FTP Trojans—used to create an FTP server in order to copy files onto a system.
  • Security software disabler Trojans—used to stop antivirus software.

Reverse-Connecting Trojans Work

Reverse-connecting Trojans let an attacker access a machine on the internal network from the outside. The hacker can install a simple Trojan program on a system on the internal network, such as the reverse WWW shell server. On a regular basis (usually every 60 seconds), the internal server tries to access the external master system to pick up commands. If the attacker has typed something into the master system, this command is retrieved and executed on the internal system. Reverse WWW shell uses standard HTTP. It’s dangerous because it’s difficult to detect—it looks like a client is browsing the Web from the internal network.

How the Netcat Trojan Works

Netcat is a Trojan that uses a command-line interface to open TCP or UDP ports on a target system. A hacker can then telnet to those open ports and gain shell access to the target system. Note: For the CEH exam, it’s important to know how to use Netcat. Make sure you download the Netcat tool and practice the commands before attempting the exam.

Indications of a Trojan Attack

Unusual system behavior is usually an indication of a Trojan attack. Actions such as programs starting and running without the user’s initiation; CD-ROM drawers opening or closing; wallpaper, background, or screen saver settings changing by themselves; the screen display flipping upside down; and a browser program opening strange or unexpected websites are all indications of a Trojan attack. Any action that is suspicious or not initiated by the user can be an indication of a Trojan attack.


Wrappers are software packages that can be used to deliver a Trojan. The wrapper binds a legitimate file to the Trojan file. Both the legitimate software and the Trojan are combined into a single executable file and installed when the program is run. Generally, games or other animated installations are used as wrappers because they entertain the user while the Trojan in being installed. This way, the user doesn’t notice the slower processing that occurs while the Trojan is being installed on the system—the user only sees the legitimate application being installed.

Wrapping Tools

Graffiti is an animated game that can be wrapped with a Trojan. It entertains the user with an animated game while the Trojan is being installed in the background.
Silk Rope 2000 is a wrapper that combines the BackOrifice server and any other specified application.
IconPlus is a conversion program that translates icons between various formats. An attacker can use this type of application to disguise malicious code or a Trojan so that users are tricked into executing it thinking it is a legitimate application.

Countermeasure Techniques in Preventing Trojans

Most commercial antivirus program have anti-Trojan capabilities as well as spyware detection and removal functionality. These tools can automatically scan hard drives on startup to detect backdoor and Trojan programs before they can cause damage. Once a system is infected, it’s more difficult to clean, but you can do so with commercially available tools.
It’s important to use commercial applications to clean a system instead of freeware tools, because many freeware removal tools can further infect the system. In addition, port-monitoring tools can identify ports that have been opened or files that have changed.

System File Verification Subobjective to Trojan Countermeasures

Windows 2003 includes a feature called Windows File Protection (WFP) that prevents the replacement of protected files. WFP checks the file integrity when an attempt is made to overwrite a SYS, DLL, OCX, TTF, or EXE file. This ensures that only Microsoft verified files are used to replace system files.
Another tool called sigverif checks to see what files Microsoft has digitally signed on a system. To run sigverif, perform the following steps:
  1. Click the Start button.
  2. Click Run.
  3. Type sigverif, and click Start. The results will be displayed.
System File Checker is another command-line–based tool used to check whether a Trojan program has replaced files. If System File Checker detects that a file has been overwritten, it retrieves a known good file from the Windows\system32\dllcache folder and overwrites the unverified file. The command to run the System File Checker is sfc/scannow.

Viruses and Worms

Viruses and worms can be used to infect a system and modify a system to allow a hacker to gain access. Many viruses and worms carry Trojans and backdoors. In this way a virus or worm is a carrier and allows malicious code such as Trojans and backdoors to be transferred from system to system much in the way that contact between people allows germs to spread.

Understand the Difference between a Virus and a Worm


A virus and a worm are similar in that they’re both forms of malicious software ( malware ). A virus infects another executable and uses this carrier program to spread itself. The virus code is injected into the previously benign program and is spread when the program is run. Examples of virus carrier programs are macros, games, e-mail attachments, Visual Basic scripts, games, and animations.


A worm is a type of virus, but it’s self-replicating. A worm spreads from system to system automatically, but a virus needs another program in order to spread. Viruses and worms both execute without the knowledge or desire of the end user.

Understand the Types of Viruses
Viruses are classified according to two factors: what they infect and how they infect. A virus can infect the following components of a system:
  • System sectors
  • Files
  • Macros (such as Microsoft Word macros)
  • Companion files (supporting system files like DLL and INI files)
  • Disk clusters
  • Batch files (BAT files)
  • Source code

Understand Virus Detection Methods
The following techniques are used to detect viruses:
  • Scanning
  • Integrity checking with checksums
  • Interception based on a virus signature

The process of virus detection and removal is as follows:
  1. Detect the attack as a virus. Not all anomalous behavior can be attributed to a virus.
  2. Trace processes using utilities such as handle.exe, listdlls.exe, fport.exe, netstat.exe, and pslist.exe, and map commonalities between affected systems.
  3. Detect the virus payload by looking for altered, replaced, or deleted files. New files, changed file attributes, or shared library files should be checked.
  4. Acquire the infection vector and isolate it. Then, update your antivirus definitions and rescan all systems.

Written by: Asad Hussain