Trojan Zoo @EHugin

Hack'a'Tack

This analysis is based on Hack'a'Tack version 1.10.

Hack'a'Tack is your typical remote-control trojan horse, permitting the intruder to do things like capture your screen, run commands remotely, reboot your machine, etc.

A full list of its capabilities, along with some screen shots of the client, are available on the Client Info page.

Ports Used

The Windows "netstat -an" command shows the Hack'a'Tack server listening on the following ports:

TCP    31785
       31787
       31789
       31791

UDP    31789
       31791

Scan Signature

I ran the Hack'a'Tack client's scanner multiple times, and in all cases found that the client used UDP port 31790 on its side, and tried to connect to UDP port 31789 on every host that it could reach. Log entries generated by a Hack'a'Tack client scanning your machine will therefore look like:

    from: remotehostaddr udp 31790
    to  : yourhostaddr   udp 31789

Note: This signature is specific to the Hack'a'Tack client performing a scan. The remote port might not be 31790 if the person is using some other program to do the port scanning. Similarly, someone with an independent scanner might not look for UDP 31789 on your machine, but might instead search for one of the other Hack'a'Tack ports.

The best bet is to treat all scans of the Hack'a'Tack ports as hostile, whether or not they match the exact 31790 -> 31789 signature.
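The following is an added example, not code from the Trojan Zoo page or from Hack'a'Tack itself. It reads log lines in the two-line "from:/to:" layout shown above, flags the exact client-scanner signature (UDP 31790 -> UDP 31789), and, following the advice to treat any scan of the Hack'a'Tack ports as hostile, also flags probes of the other server ports. The log lines and addresses are constructed for the demonstration; the port numbers are the ones listed on this page.

```python
import re

# Ports reported on this page for the Hack'a'Tack 1.10 server and its client scanner.
HACKATACK_TCP_PORTS = {31785, 31787, 31789, 31791}
HACKATACK_UDP_PORTS = {31789, 31791}
HACKATACK_SCAN_SRC_PORT = 31790   # client side of the scanner
HACKATACK_SCAN_DST_PORT = 31789   # port the scanner probes on each target

# Constructed sample log in the two-line "from:/to:" layout shown above.
# Addresses are made up; only the first pair is the client's scan signature.
SAMPLE_LOG = """\
from: 10.1.2.3 udp 31790
to  : 192.168.0.5 udp 31789
from: 10.9.9.9 tcp 1234
to  : 192.168.0.5 tcp 80
from: 172.16.4.4 udp 4444
to  : 192.168.0.5 udp 31791
"""

# One log line: direction, host, protocol, port.
LINE_RE = re.compile(r"^(from|to)\s*:\s*(\S+)\s+(tcp|udp)\s+(\d+)$", re.IGNORECASE)


def parse_events(text):
    """Pair each 'from:' line with the 'to:' line that follows it.

    Yields dicts with src, sport, dst, dport and proto (lowercase).
    Lines that do not match the layout are skipped.
    """
    pending = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        side, host, proto, port = m.groups()
        side, proto, port = side.lower(), proto.lower(), int(port)
        if side == "from":
            pending = {"src": host, "sport": port, "proto": proto}
        elif pending is not None and pending["proto"] == proto:
            pending.update(dst=host, dport=port)
            yield pending
            pending = None


def classify(event):
    """Return a verdict for one event.

    'hackatack-client-scan' : exact signature of the Hack'a'Tack client's scanner
    'hackatack-port-probe'  : any other probe of a Hack'a'Tack server port
    'benign'                : nothing Hack'a'Tack related
    """
    proto, sport, dport = event["proto"], event["sport"], event["dport"]
    if proto == "udp" and sport == HACKATACK_SCAN_SRC_PORT and dport == HACKATACK_SCAN_DST_PORT:
        return "hackatack-client-scan"
    server_ports = HACKATACK_UDP_PORTS if proto == "udp" else HACKATACK_TCP_PORTS
    if dport in server_ports:
        return "hackatack-port-probe"
    return "benign"


def scan_log(text):
    """Return (source host, verdict) for every event in the log text."""
    return [(e["src"], classify(e)) for e in parse_events(text)]


if __name__ == "__main__":
    for src, verdict in scan_log(SAMPLE_LOG):
        print(f"{src:16} {verdict}")
```

Running it on the constructed log reports the first source as the client scanner, the second as benign, and the third as a probe of UDP 31791: the port-probe verdict is what catches someone using a different scanner against one of the other Hack'a'Tack ports, which the note above says the exact signature would miss.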

Trojan Detection

The easiest way I can think of to determine if your machine is infected with Hack'a'Tack is simply to open up a DOS Command window and run "netstat -an". If you see any of the ports listed in the Ports Used section above then you've probably got Hack'a'Tack on your machine.

(See the Server Info page for screen shots of the netstat output.)
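As an added example (not from the Trojan Zoo page), this script automates the netstat check just described using the port list from the Ports Used section: it parses "netstat -an" output and reports any local TCP listener or UDP socket on a Hack'a'Tack port. The sample output is constructed to resemble the Windows netstat layout; pass "--live" to run the real command instead.

```python
import subprocess
import sys

# Hack'a'Tack 1.10 server ports from the "Ports Used" list on this page.
HACKATACK_TCP_PORTS = {31785, 31787, 31789, 31791}
HACKATACK_UDP_PORTS = {31789, 31791}

# Constructed "netstat -an" output. Two TCP listeners and one UDP socket are
# on Hack'a'Tack ports; the other lines are ordinary Windows networking.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31785          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31787          0.0.0.0:0              LISTENING
  TCP    192.168.0.5:1044       10.0.0.7:31785         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31789          *:*
"""


def parse_netstat(text):
    """Yield (proto, local_port, state) for each socket line in netstat -an output.

    Header and blank lines are skipped; UDP lines have no state column, so
    state is None for them.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        port_text = parts[1].rsplit(":", 1)[-1]
        if not port_text.isdigit():
            continue
        state = parts[3].upper() if len(parts) > 3 else None
        yield parts[0].upper(), int(port_text), state


def find_hackatack_listeners(text):
    """Return sorted (proto, port) pairs for local sockets on Hack'a'Tack ports.

    Only the local address is checked: a TCP listener on one of the server
    ports, or a UDP socket bound to one, is what the infected machine shows.
    The ESTABLISHED line in the sample has the trojan port on the remote side
    and is deliberately not reported.
    """
    hits = set()
    for proto, port, state in parse_netstat(text):
        if proto == "TCP" and state == "LISTENING" and port in HACKATACK_TCP_PORTS:
            hits.add((proto, port))
        elif proto == "UDP" and port in HACKATACK_UDP_PORTS:
            hits.add((proto, port))
    return sorted(hits)


if __name__ == "__main__":
    text = SAMPLE_NETSTAT
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        text = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    hits = find_hackatack_listeners(text)
    for proto, port in hits:
        print(f"Hack'a'Tack port open: {proto} {port}")
    if not hits:
        print("No Hack'a'Tack ports found")
```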

You can also use the registry editor to look for Hack'a'Tack. The server adds an entry to the:

    HKEY_LOCAL_MACHINE
        \Software
            \Microsoft
                \Windows
                    \CurrentVersion
                        \Run

section that looks like this:

    Name          Data
    Explorer32    "C:\WINDOWS\Expl32.exe"

This is how the Hack'a'Tack server launches itself automatically.

Because of this, the presence of a C:\WINDOWS\Expl32.exe file on your machine should also be considered suspicious. This file is not present in a normal Win98 installation.
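To show the registry check in code, here is an added example (not from the Trojan Zoo page) that parses a REGEDIT4-style export of the Run key, the text format Win98's regedit writes, and reports any entry matching the indicators above: a value named Explorer32, or any value whose program is Expl32.exe regardless of the value name. The export below is constructed; only the Explorer32 line reflects what the page describes.

```python
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_VALUE_NAME = "explorer32"   # value name reported on this page
SUSPECT_FILE_NAME = "expl32.exe"    # file name reported on this page

# Constructed REGEDIT4 export. ScanRegistry and LoadPowerProfile stand in for
# ordinary entries; the Explorer32 entry is the one described on this page.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Explorer32"="C:\\WINDOWS\\Expl32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# String values only ("name"="data"); backslash and quote are escaped with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo the backslash escaping used in .reg string values."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_strings(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def executable_name(command):
    """Base name of the program in a Run value, ignoring arguments and quotes."""
    first = command.strip().split(" ", 1)[0].strip('"')
    return ntpath.basename(first).lower()


def suspicious_run_entries(text):
    """Return Run-key entries matching the Hack'a'Tack indicators on this page."""
    hits = []
    for key, name, data in parse_reg_strings(text):
        if key.lower() != RUN_KEY.lower():
            continue
        if name.lower() == SUSPECT_VALUE_NAME or executable_name(data) == SUSPECT_FILE_NAME:
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in suspicious_run_entries(SAMPLE_REG):
        print(f"suspicious autorun: {name} -> {data}")
```

Matching on the program name as well as the value name means a copy of the server registered under a different value name is still caught as long as it launches Expl32.exe; the printed path is then the file to look for on disk.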