Trojan Zoo @eHugin

Current exhibits:

Sub7
Back Orifice
Hack'a'Tack

Welcome to eHugin's Trojan Zoo

The Zoo

I've decided to call this section the Trojan Zoo, because each of the trojans I've captured out in the wilds of the net are brought here, let loose in a carefully reconstructed simulation of their natural habitat, then studied to learn more about their habits, reproduction, communications, etc.

A brief discussion of how I'm conducting these studies can be found on the Zoo Tech page.

The Zookeeper

As with the other pages on this site, I am your ever-humble host, Brett Dufault. Comments, suggestions, corrections, etc are all welcome, and can be directed to zookeeper-at-ehugin-dot-com.

Introduction

One of the big problems I've had with trojans (other than the fact that they exist at all :-) is finding information that I know is accurate. Prior to this series of experiments, all my data has been (at best) second-hand - newsgroup postings, other people's web sites, etc. And in most of these cases, the information was simply a summary of other people's lists, which in turn were probably made from still other lists, and so on and so on.

Obviously this makes it difficult to verify the accuracy of the information. Indeed, in some cases a trojan is reported on half a dozen or more different ports. It's possible that various people have tinkered with the original version and altered the ports, but it's also possible that some of the data is erroneous: typos, mistaken identities, etc.

So, ideally what I'd like is to have first-hand knowledge of exactly which ports a trojan is using. That leads to a bit of a problem though: I don't want to put a trojan on MY machine! So, what's a poor geek to do?

Enter the virtual computer

Well, if I don't want to put a trojan on one of my real machines, why not use a virtual machine? No, I haven't been sniffing white-board markers. Thanks to an interesting product called VMWare, I can run a fully-functional Windows machine on my Linux box. VMWare is not a Windows emulator, but instead creates an entire virtual machine that runs under your normal operating system (Linux in my case). The machine has its own drives, memory, even a custom BIOS that works very much like a real computer's BIOS. Since VMWare isn't emulating an operating system, you still have to install one to use it. For these tests I chose to use Windows 98, since it's the most recent version of Windows that I have access to.

Thus were born two virtual machines, LOKI and BALDR (*). These are two Win98 machines, identical (at least initially) in every fashion except for their names and IP addresses. To test a given trojan program out, I simply install the intruder's control software on LOKI, and infect poor BALDR with the trojan horse code. I can now examine the two at my leisure, looking at the ports in use, taking screen shots, trying to find any identifying characteristics, etc.

Even better, once I'm done I simply delete the virtual machine's files, restore a backup of the original machines, and I'm ready to move on to the next one!

Note: In the interest of sanity, all communications between LOKI and BALDR take place on a virtual LAN internal to the machine they're physically running on. The packets don't even make it onto my LAN, never mind getting out onto the AT&T network. As an extra level of sanity (or is it paranoia? :-) my firewall specifically blocks and logs all packets originating from the virtual network addresses, just in case I should misconfigure something, or a trojan turns out to be a whole lot smarter than I expected.
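The "block and log" rule is only useful if somebody actually reads the log, so here is an added example (my own illustration, not code from this site or from VMWare) of the check I'd run over the firewall log after a session: pull out every logged packet whose source is inside the lab's virtual network but whose destination is outside it, and tally where those packets were headed. The page never gives the virtual network's addresses or the firewall's log format, so the 192.168.254.0/24 range, the netfilter-style `SRC=... DST=... PROTO=... DPT=...` lines and the sample log entries below are all constructed assumptions.

```python
import ipaddress
import re

# Assumption: the VMWare host-only network uses this private range. The page
# names the virtual LAN but not its addresses, so this is a placeholder.
VIRTUAL_NET = ipaddress.ip_network("192.168.254.0/24")

# Assumption: the firewall writes netfilter-style key=value fields. Only the
# fields we care about are captured; MAC=, LEN=, TTL= etc. are ignored.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_log_line(line):
    """Extract SRC/DST/PROTO/SPT/DPT from one log line.

    Returns None for lines that are not firewall records (no SRC/DST) or
    whose addresses do not parse, so unrelated syslog noise is skipped.
    """
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    try:
        fields["SRC"] = ipaddress.ip_address(fields["SRC"])
        fields["DST"] = ipaddress.ip_address(fields["DST"])
    except ValueError:
        return None
    return fields


def find_escapes(lines, virtual_net=VIRTUAL_NET):
    """Return parsed entries that left the lab: source inside the virtual
    network, destination outside it. LOKI<->BALDR chatter stays internal
    and is deliberately not reported."""
    escapes = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        if entry["SRC"] in virtual_net and entry["DST"] not in virtual_net:
            escapes.append(entry)
    return escapes


def summarize(escapes):
    """Count (protocol, destination, destination port) so that repeated
    connection attempts to one place stand out from a single stray packet."""
    counts = {}
    for entry in escapes:
        key = (entry.get("PROTO", "?"), str(entry["DST"]), entry.get("DPT", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log: two blocked attempts by the infected VM to reach an
# outside address, one internal LOKI->BALDR packet, one packet from the real
# LAN, and one unrelated syslog line.
SAMPLE_LOG = [
    "Jan 12 03:14:07 gw kernel: LAB-ESCAPE IN=vmnet1 OUT=eth0 "
    "SRC=192.168.254.20 DST=198.51.100.7 LEN=60 TTL=127 ID=4 DF "
    "PROTO=TCP SPT=1045 DPT=40000 WINDOW=8192 SYN URGP=0",
    "Jan 12 03:14:10 gw kernel: LAB-ESCAPE IN=vmnet1 OUT=eth0 "
    "SRC=192.168.254.20 DST=198.51.100.7 LEN=60 TTL=127 ID=5 DF "
    "PROTO=TCP SPT=1045 DPT=40000 WINDOW=8192 SYN URGP=0",
    "Jan 12 03:14:11 gw kernel: LAB-INTERNAL IN=vmnet1 OUT=vmnet1 "
    "SRC=192.168.254.10 DST=192.168.254.20 LEN=52 TTL=128 ID=9 DF "
    "PROTO=TCP SPT=1080 DPT=40000 WINDOW=8192 ACK URGP=0",
    "Jan 12 03:14:12 gw kernel: LAN-OUT IN=eth1 OUT=eth0 "
    "SRC=10.0.0.5 DST=198.51.100.7 LEN=84 TTL=64 ID=22 "
    "PROTO=UDP SPT=1124 DPT=53 LEN=64",
    "Jan 12 03:14:13 gw sshd[412]: Accepted publickey for brett from 10.0.0.5",
]

if __name__ == "__main__":
    escapes = find_escapes(SAMPLE_LOG)
    print(f"{len(escapes)} packet(s) tried to leave the virtual network")
    for (proto, dst, dport), n in sorted(summarize(escapes).items()):
        print(f"  {proto} -> {dst}:{dport}  x{n}")
```

Anything this reports means either the firewall saved me from a misconfiguration or the exhibit is trying to phone home; either way, the (destination, port) tally is the first thing I'd want to see before deciding whether the session is still trustworthy.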

(*) If the names of the machines seem a trifle odd, find a good book on Norse/Teutonic mythology and see if they make more sense afterwards. If you read through the sections on Odin you might even find out where the name "Hugin" comes from. :-)