196 Chapter 8 ■ Trojans, Viruses, Worms, and Covert Channels
Types of Trojans include the following:
■ Remote access Trojans (RATs)—Designed to give an attacker remote control over a
victim’s system. Two well-known members of this class are the SubSeven program and
its cousin, Back Orifice, although both are older examples.
■ Data sending—To fit into this category, a Trojan must capture some sort of data
from the victim’s system, including files and keystrokes. Once captured, this data can
be transmitted via e-mail or other means if the Trojan is so enabled. Keyloggers are
common Trojans of this type.
■ Destructive—This type of Trojan seeks to corrupt, erase, or destroy data outright on a
system. In more extreme cases, the Trojan may affect the hardware in such a way that
it is unusable.
■ Proxy—Malware of this type causes a system to be used as a proxy by the attacker.
The attacker uses the victim’s system to scan or access another system or location. The
end result is that the actual attacker is hard to find.
■ FTP—Software in this category is designed to set up the infected system as an FTP
server. An infected system becomes a server hosting all sorts of information, which
may include illegal content of all types.
■ Security software disablers—A Trojan can be used as the first step in further attacks if
it is used to disable security software.
Detecting Trojans and Viruses
A Trojan can be detected in many ways. One of them is port scanning, which can prove very
effective if you know what to look for.
Because a Trojan is used to allow access through backdoors or covert channels, a port
must be opened to allow this communication. A port scan using a tool such as Nmap
reveals these ports and allows you to investigate them further.
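As an added example that is not part of the book, the following Python script turns that idea into a repeatable check: it parses Nmap's grepable (-oG) output and flags any open port that appears in the table of classic Trojan ports this section lists. The scan output embedded in it is constructed, and a port match is only a lead to investigate, since any service can listen on any port.

```python
import re

# Classic Trojan listening ports as listed in this section; keys are
# (protocol, port). Loki (ICMP) and Netcat (any port) cannot be matched
# by port number, so they are deliberately absent from this table.
CLASSIC_TROJAN_PORTS = {
    ("udp", 31337): "Back Orifice",
    ("udp", 31338): "Back Orifice",
    ("tcp", 54320): "Back Orifice 2000",
    ("udp", 54320): "Back Orifice 2000",
    ("tcp", 54321): "Back Orifice 2000",
    ("udp", 54321): "Back Orifice 2000",
    ("tcp", 6666): "Beast",
    ("udp", 2140): "Deep Throat",
    ("udp", 3150): "Deep Throat",
    ("tcp", 23476): "Donald Dick",
    ("tcp", 23477): "Donald Dick",
    ("tcp", 12345): "NetBus",
    ("tcp", 12346): "NetBus",
}

# Nmap grepable output (-oG) puts every port of a host on one line:
#   Host: 10.0.0.5 ()  Ports: 12345/open/tcp//netbus///, ...
PORT_FIELD = re.compile(r"(\d+)/(open)/(tcp|udp)/")
HOST_FIELD = re.compile(r"^Host:\s+(\S+)")

def flag_classic_trojan_ports(grepable_output):
    """Return (host, port, proto, trojan) for each open port found in the table."""
    hits = []
    for line in grepable_output.splitlines():
        host = HOST_FIELD.match(line)
        if not host or "Ports:" not in line:
            continue  # comment lines and hosts without a port list
        for port, _state, proto in PORT_FIELD.findall(line):
            name = CLASSIC_TROJAN_PORTS.get((proto, int(port)))
            if name:
                hits.append((host.group(1), int(port), proto, name))
    return hits

# Constructed sample scan output; not a real scan result.
SAMPLE = """# Nmap 7.94 scan initiated as: nmap -sU -sT -p- -oG - 10.0.0.0/29
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 12345/open/tcp//unknown///, 31337/open/udp//unknown///\tIgnored State: closed (131065)
Host: 10.0.0.6 ()\tPorts: 80/open/tcp//http///, 6666/filtered/tcp//unknown///\tIgnored State: closed (131068)
Host: 10.0.0.7 ()\tStatus: Up
"""

if __name__ == "__main__":
    for host, port, proto, name in flag_classic_trojan_ports(SAMPLE):
        print(f"{host}: {proto}/{port} open, historically {name}; investigate")
```

Filtered ports are ignored on purpose, and a clean result says nothing about Trojans such as Loki or Netcat that do not rely on a fixed port.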
The following ports are used for classic Trojans:
■ Back Orifice: UDP 31337 or 31338
■ Back Orifice 2000: TCP/UDP 54320/54321
■ Beast: TCP 6666
■ Citrix ICA: TCP/UDP 1494
■ Deep Throat: UDP 2140 and 3150
■ Desktop Control: UDP NA
■ Donald Dick: TCP 23476/23477
■ Loki: Internet Control Message Protocol (ICMP)
■ NetBus: TCP 12345 and 12346
■ Netcat: TCP/UDP (any)