Malware: Trojans

00:00

Hey, everyone, welcome back to the course. So in this video, we're to talk about Trojans, so we'll go over briefly what Trojans are. We also talk about how attacker might use Trojans.

00:10

We'll talk about the difference between droppers and rappers who will cover that at a very high level. And then we'll talk about some of the different types of Trojans as well.

00:19

So what is a Trojan?

00:22

Well, essentially, this is just malicious code that's wrapped inside of a program that looks pretty harmless, right? So if we think about the city of Troy and the Trojan horse where the soldiers hit hit inside of this giant wooden horse that looked harmless and the outside but on the inside there was that malicious code or the soldiers.

00:41

So this is all a Trojan is. It's just that malicious code that's hidden inside some kind of program that doesn't look like it's malicious.

00:49

Usually, a Trojan requires some kind of a user action to actually install it, so that could be having Joe and Accounting open that file. That invoice that you sent him via phishing email

01:00

could be having them download some software from a website telling them. It's like a security update, for example. But usually there's some kind of user action involved in that

01:11

and think that might indicate a Trojan being installed on the system. Just abnormal activity of the system. Abnormal network activity. So things like the host machine getting the anti virus or anti Mauer solution disabled

01:23

could be. Every time you go thio, try to go to your favor. Thai restaurant website. It redirects you to some other page so these aren't necessarily a Trojan, but they are an indicator that there might be a Trojan infection on the device.

01:38

Now the Trojan essentially creates a covert communication channel between that target machine and the attacker. And so that way, the attacker can exfiltrate sensitive data or install malware or escalate privileges, or do any number of objectives that they may have on their end.

01:55

So how could an attacker actually like use a Trojan like What can they do with it? Well, they might do things like deleting or replacing the operating system. Critical files. They may generate fake traffic to create a down Nile service attack. They might record screenshots of the victim or audio or video of the victim and then try to

02:14

either sell that or exploit that victim and say, Oh, I caught you doing these things

02:19

that you don't want your family to know about, So you better send me $10,000 in Bitcoin.

02:23

They could use it to spend. They basically take over the victim machine and send spam email messages so it looks like it came from that target machine and not from the actual attacker.

02:34

They could install a number of other malware things, so they install spyware at where or just other malicious files that install Ransomware. For example, they could disable the anti virus. They could disable firewalls on the host machine. They can create back doors to keep that remote access open.

02:51

They could also use the victims machine as a proxy server, so doing replay attacks,

02:54

they can use it as part of a botnet to perform DDOS attacks. They can also steal information, right, so data theft things like credit card information or your user name and password for your bank, where security codes if you're typing in, and they do this by installing those key loggers that we talked about earlier in the course,

03:12

so What is the dropper and what is a rapper? Well, the main difference here is the dropper is

03:16

what's installing that malicious code. So you think of it like a raindrop. So when the malware is installed, it's dropping like little raindrops and installing malicious code on your device,

03:27

and it's often disguised as a trusted application, and then it drops.

03:30

Female are on your device. Now the rapper

03:34

is

03:35

what wraps up the innocents looking software with the malicious software, right? So, for example, it could be like a game file. So you think you're installing a game so it looks like an innocent gaming file. Instead, though, the Trojan itself is wrapped with that innocent looking game file,

03:53

and now you've got an infection on your machine

03:57

because you've installed that file on your device.

04:00

So think of rappers basically like glue, right? Or like a candy wrapper. So let's say that the

04:04

the candy wrapper itself

04:06

is

04:09

the game software, right? So it looks regular, looks friendly. It's candy, right? Everyone loves candy, but on the inside

04:15

it's malware. It's malicious, right? And if we if we take a little health nut

04:20

kind of you on this thing, right, sugar, A lot of people say is bad, especially processed sugar, which I do agree with, but

04:29

that's not important here. What's important here is that that would be considered malware, something malicious for your body, right, even though candy makes us feel good and all that stuff. But the rapper of the Candy is that rapper that we're talking about here. It's given us that illusion that there it's a good thing. And then on the inside, though, is that little

04:49

starburst of death, right? For lack of better words, since we're using a picture of Starburst here,

04:54

Starburst of Death, which is full of that process sugar, that if we eat too much of it, it can cause different health problems.

05:00

So that's the main difference between a dropper and a rapper. So just think of candy. When you think of those, they're not a sweetest candy. They're not delicious like candy. But think of Candy and the aspect of the rapper of the Candy is the rapper that we're talking about here that's binding that malicious file with

05:16

something that we think is not malicious and then inside of that is that malicious stuff that sugar that processed sugar, which is our dropper. That's actually installing the malicious code on the device.

05:28

So where does some of the different types of Trojans will we ever command? Shell Trojans. He's basically give remote control of a command shell to the attacker. Basically, they put this command shell on the victim machine, and it opens into port back to the attacker so the attacker can connect to that port and install additional malware or just

05:46

steal data from that victim.

05:48

Then we have defacement trojans, and so resource senators allow your typical user to view edit, extract, etcetera, icons or logos or strings from Windows programs So the Attackers exploit this. And essentially, they're able to view and edit almost

06:03

any aspect of that compiled Windows program. And so again, it's just attacking that program itself to make it where the user can't use that particular application, for example, like the calculator on Windows.

06:16

Then we have our botnet trojans, and he's basically infect a large number computers across the large geographical area, hence the name but net on these air controlled, usually through command, control center, server or infrastructure on these can be launched thio. These could be used to launch many attacks. So things like denial of service or DDOS attacks

06:34

spanning attacks, click fraud, Bitcoin related attacks, Cryptocurrency mining attacks, just a lot of different types of attacks that they could be used for. One notable one from several years ago is called Chewbacca, which was stealing payment card information. We have proxy server Trojan, So basically,

06:54

these are

06:56

infecting the victim machine and then starting a hidden proxy server on the victim's computer. And so that allows the attacker to be obfuscated in their their riel.

07:05

I p address the rial information. They're able to use that that victims device for things like details attacks right there ableto Come on, dear that infrastructure and use it to launch an attack. So it looks like it came from the victim and not the actual attacker.

07:19

We have FTP Trojans, which basically just installed on FTP server on the victim's machine, and then it opens FTP Fort Sports for the attacker, and basically the attacker connects to the victim machine using that port, and they can download any files that are on that target computer.

07:34

We have the N C. Trojans, which basically just allow the attacker to connect to the victim using any V NC viewer software. And a lot of times, anti virus may not detect this because V N. C. Is considered a utility. It's considered something that is legitimate and should be running. So it may be difficult for your antivirus solution to detect thes.

07:53

We have our http or https trojans basically these with https that's encrypted so they could go past the firewall. And essentially, what they're doing is the effect the victim machine, and then the traffic is coming from the inside. So your firewall assumes that this is a legitimate user traffic that's going out to the Internet.

08:11

And this allows the attacker to

08:13

come contact back on the command control server to send additional instructions to the victim machine or have the user machine connect to a malicious website to download additional malware. But as far as a firewall is concerned, it's legitimate traffic because it was opened on the victim machine, going out to

08:33

the Internet and not from the Internet to the victim machine,

08:35

and then we have our remote access trojans. These basically allow the attacker to get remote, gooey access to the remote system. And there's many of these out there, like the pro rat the Hell Raiser rat from years ago, Punisher Rat Pandora, rat health by rat, etcetera, etcetera. So just a quick, quick question here for you.

08:54

Skynet is an example of which type of Trojan

08:58

It's a botnet, FTP or proxy. So it's an example of botnets. So again, some of the bottle and ones of Chewbacca, Skynet as, well, a cyber gate. So in this video, we just talked about what Trojans are. We also talked about how an attacker might use a Trojan. We briefly talked about the difference between droppers and rappers. Again, Think of Candy. So think of the candy wrapper as the rapper,

09:18

and it's wrapping. That malicious software was something that looks legitimate.

09:22

And then inside of that is the dropper, which installs the malware. So that's that sugary candy on the inside, which, depending on who you talk to, could be malicious and may cause a lot of health problems.