CEH

Malware 199


Tools for Creating Trojans


A wide range of tools exist that are used to take control of a victim’s system and leave
behind a gift in the form of a backdoor. This is not an exhaustive list, and newer versions
of many of these are released regularly:


■ let me rule—A remote access Trojan authored entirely in Delphi. It uses TCP port
26097 by default.

■ RECUB—Remote Encrypted Callback Unix Backdoor (RECUB) borrows its name
from the Unix world. It features RC4 encryption, code injection, and encrypted ICMP
communication requests. It demonstrates a key trait of Trojan software—small size—
as it tips the scale at less than 6 KB.

■ Phatbot—Capable of stealing personal information including e-mail addresses, credit
card numbers, and software licensing codes. It returns this information to the attacker
or requestor using a P2P network. Phatbot can also terminate many antivirus and
software-based firewall products, leaving the victim open to secondary attacks.

■ amitis—Opens TCP port 27551 to give the hacker complete control over the victim’s
computer.

■ Zombam.B—Allows the attacker to use a web browser to infect a computer. It uses
port 80 by default and is created with a Trojan-generation tool known as HTTPRat.
Much like Phatbot, it also attempts to terminate various antivirus and firewall
processes.

■ Beast—Uses a technique known as dynamic-link library (DLL) injection to inject
itself into an existing process, effectively hiding itself from process viewers.

■ Hard-disk killer—A Trojan written to destroy a system’s hard drive. When executed, it
attacks a system’s hard drive and wipes it in just a few seconds.
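Several entries above are identified by the TCP port they listen on by default. As an added example (not part of the book's text), the following Python script shows the kind of quick host check a defender can run over `netstat`-style output to flag listeners on those documented default ports. The port table, the parsing helpers and the sample output are all constructed for this example; port 80 (Zombam.B) is deliberately not in the table because it is the normal HTTP port and a match there would mean nothing on its own.

```python
"""Flag listening sockets on the default ports the text attributes to known Trojans.

Added example, not from the book. Expects Linux `netstat -ant`-style columns:
    Proto Recv-Q Send-Q Local-Address Foreign-Address State
"""

# Default ports named in the text, mapped to the Trojan that uses them.
# Constructed lookup table for this example; real malware changes ports freely,
# so a hit is a lead to investigate, not proof of infection.
TROJAN_DEFAULT_PORTS = {
    26097: "let me rule",
    27551: "amitis",
}


def parse_listening_ports(netstat_output):
    """Return a list of (proto, local_host, port) for TCP sockets in LISTEN state."""
    listening = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip the header row, blank lines and non-TCP rows.
        if len(fields) < 6 or not fields[0].lower().startswith("tcp"):
            continue
        if fields[5].upper() != "LISTEN":
            continue
        local = fields[3]
        # rpartition keeps IPv6 wildcards such as ':::27551' intact.
        host, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        listening.append((fields[0], host, int(port)))
    return listening


def find_suspicious_ports(netstat_output):
    """Return sorted (port, trojan_name) pairs for listeners on known default ports."""
    hits = []
    for _proto, _host, port in parse_listening_ports(netstat_output):
        if port in TROJAN_DEFAULT_PORTS:
            hits.append((port, TROJAN_DEFAULT_PORTS[port]))
    return sorted(hits)


# Constructed sample output; not captured from a real host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:26097           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:49152          10.0.0.9:443            ESTABLISHED
tcp6       0      0 :::27551                :::*                    LISTEN
"""

if __name__ == "__main__":
    for port, name in find_suspicious_ports(SAMPLE_NETSTAT):
        print(f"listener on tcp/{port} matches the default port of '{name}'; "
              f"identify the owning process before drawing conclusions")
```

On the constructed sample this reports the 26097 and 27551 listeners and ignores SSH, CUPS and the outbound HTTPS connection. Because the operator of any of these tools can pick a different port, the check is only a first pass: the useful follow-up is to map each flagged socket to its process (for example with `netstat -antp` or `ss -ltnp` as root) and examine that binary, which is where the process-hiding behaviour described for Beast becomes relevant.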

One tool that should be mentioned as well is Back Orifice, which is an older Trojan-
creation tool. Most, if not all, of the antivirus applications in use today should be able to
detect and remove this software.
I thought it would be interesting to look at the text the manufacturer uses to describe its
toolkit. Note that it sounds very much like the way a normal software application from a
major vendor would be described. The manufacturer of Back Orifice says this about Back
Orifice 2000 (BO2K):


Built upon the phenomenal success of Back Orifice released in August
98, BO2K puts network administrators solidly back in control. In control
of the system, network, registry, passwords, file system, and processes.
BO2K is a lot like other major file-synchronization and remote control
packages that are on the market as commercial products. Except that
BO2K is smaller, faster, free, and very, very extensible. With the help of
the open-source development community, BO2K will grow even more
powerful. With new plug-ins and features being added all the time, BO2K
is an obvious choice for the productive network administrator.