RCT's & RAT's

What are they?

The "Trojan horse" applications discussed within this website are remote administration "hacker" utilities that allow one user to control another user's computer across the Internet using the "client/server" approach. While it may be hard to believe, these Trojan horse applications can give a remote party equal or greater control over a PC than the person sitting at its keyboard.

Definitions

"trojan"
- A Trojan (or Trojan horse) is a destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive.

"hacker"
- "Hacker" is a slang term for a computer enthusiast. Among professional programmers, the term implies an amateur or a programmer who lacks formal training. Depending on how it is used, the term can be either complimentary or derogatory, although it is developing an increasingly derogatory connotation.

"client/server" approach
- A client is defined as a requester of services and a server is defined as the provider of services.

Where the topic involves trojans such as Back Orifice or NetBus, would you like to take a guess at which PC is acting as the "server"? It is the victim's: the trojan's "server" portion runs on the compromised PC and waits for connections, while the hacker runs the "client" portion from somewhere else on the Internet.

"IP Address" (Internet Protocol Address)
- The address of a computer attached to a TCP/IP network (e.g. the Internet). Every client and server must have a unique IP address. Client workstations have either a permanent address or one that is dynamically assigned to them each dial-up session. IP addresses are written as four sets of numbers separated by periods; for example, 192.168.111.222 or 10.123.1.102 or 172.16.4.30, etc.

"port"
- In a TCP/IP network (e.g. the Internet), a port is a number (0 through 65535) that identifies one endpoint of a connection on a particular computer. For the computer acting as the client, the destination port number typically identifies the type of application/service being hosted by the server.

For example:
TCP port 21 is the destination port number used when communicating with an FTP server
TCP port 22 is the destination port number used when communicating with an SSH server
TCP port 23 is the destination port number used when communicating with a Telnet server
TCP port 25 is the destination port number used when communicating with an SMTP server
TCP port 80 is the destination port number used when communicating with an HTTP server
TCP port 110 is the destination port number used when communicating with a POP3 server
TCP port 5190 is the destination port number used when communicating with an AOL IM server
TCP port 6667 is the destination port number used when communicating with an IRC server

The above is a small selection of the 65,535 usable port numbers (1 through 65535)! Note that TCP and UDP each have their own set, so TCP port 12345 and UDP port 12345 are two different endpoints; this matters below, because some trojans listen on TCP and others on UDP.

Which PC's can be affected?

Depending on the trojan involved, they're designed to affect Windows 95/98 PC's, Windows NT PC's, or both.

How do the trojans work?

A hacker running the "client" portion connects to the IP address of a known PC that has the "server" portion installed on it.

If the hacker doesn't know the IP address of a PC that has been compromised by the "server" portion, they usually attempt connections to a large range of IP addresses on the Internet (known as "scanning"), looking for any PC that answers on the trojan's port. A PC that answers has, by doing so, revealed its IP address, since the scanner knows which address it just connected to. All the hacker then has to do is establish a connection to that address.

Keep in mind that most of the time the hacker doesn't have a specific target (or victim) to begin with, so any PC that answers their attempted connections satisfies their goal of hacking into someone else's PC.

Because the "server" portion is configured to use (or "listen" on) a particular port number, it is the client that attempts a connection to that specific port number to initiate the connection between the computers.
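The following is an added example (not code from the original page, and not any trojan's client) that shows the client side of what the preceding paragraphs describe: a TCP connect attempt to a host and port, repeated over a list of hosts and ports to make a scan. Because it has to run offline, it starts its own harmless stand-in listener on 127.0.0.1 (an OS-chosen port, just a socket that accepts and closes) and then scans for it; the names `probe`, `scan`, `start_stand_in_server` and `demo` are mine.

```python
import socket
import threading


def probe(host, port, timeout=0.5):
    """One client-side connection attempt to host:port.

    Returns True if something accepted the TCP connection (a listening
    "server" portion, or any other service), False if nothing answered.
    A scan is nothing more than this probe repeated over many addresses
    and ports.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return True
    except OSError:  # refused, timed out, or unreachable
        return False
    finally:
        s.close()


def scan(hosts, ports, timeout=0.5):
    """Return the (host, port) pairs that accepted a connection.

    Nothing 'sends back its IP address': the scanner already knows which
    address it connected to, so the successful connect itself is what
    reveals the responding PC.
    """
    return [(h, p) for h in hosts for p in ports if probe(h, p, timeout)]


def start_stand_in_server(host="127.0.0.1"):
    """Constructed stand-in for a trojan's "server" portion: a TCP
    listener on an OS-chosen port that accepts and immediately closes.
    It does nothing else; it exists only so the scan has something to find.
    Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _peer = srv.accept()
            except OSError:  # listener closed by the caller
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo():
    """Start the stand-in, scan localhost for it among a few ports, then
    stop it. Returns (listening_port, hits)."""
    srv, port = start_stand_in_server()
    try:
        hits = scan(["127.0.0.1"], [port, 1, 12345, 31337])
    finally:
        srv.close()
    return port, hits


if __name__ == "__main__":
    port, hits = demo()
    print("stand-in listening on %d; scan found %r" % (port, hits))
```

One caveat the page's port table makes important: a TCP connect only finds trojans that listen on TCP. Back Orifice and Deep Throat listen on UDP, where there is no connection to accept, so a scanner for those has to send the datagram the trojan expects and wait to see whether anything replies.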

NOTE: Some trojans use more than one port number: one port is used for "listening" (accepting the initial connection) and the other(s) for the transfer of data.

In their default configurations, the following trojans listen on the ports below (the protocol is given where it is known; for the second group it was not recorded):

Back Orifice - UDP port 31337 or 31338
Deep Throat - UDP port 2140 and 3150
NetBus - TCP port 12345 and 12346
Whack-a-mole - TCP port 12361 and 12362
NetBus 2 Pro - TCP port 20034
GirlFriend - TCP port 21544
Sockets de Troie - TCP port 5000, 5001 or 50505
Masters Paradise - TCP port 3129, 40421, 40422, 40423 and 40426

Devil - port 65000
Evil FTP - port 23456
GateCrasher - port 6969
Hackers Paradise - port 456
ICKiller - port 7789
ICQTrojan - port 4590
Phineas Phucker - port 2801
Remote Grab - port 7000
Remote Windows Shutdown - port 53001

If you know of another Trojan (and/or corrections) to add to the above, please let me know.

Detecting the trojans can be difficult because once they're installed, they typically don't show in either the task list or the close-program list, and they are re-run every time the computer is started by means of an entry in a branch of the Registry (typically one of the Run or RunServices keys under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion). What they cannot hide is the port they listen on: a listening socket on one of the default ports above is visible to "netstat -an" run on the PC itself.
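As an added example (mine, not the page's), here is the check a practitioner would want from the port table above combined with the detection point just made: the table turned into a lookup, plus a small parser for Windows "netstat -an" output that flags sockets bound to a known trojan port. It assumes the standard netstat column layout (Proto, Local Address, Foreign Address, State, with no State column for UDP). Where the page gives no protocol for an entry, the table uses None so the lookup matches either TCP or UDP rather than assuming one. The sample netstat output is constructed, not a real capture, and `lookup`, `parse_netstat` and `find_suspects` are my names.

```python
import re

# Default listening ports from the table above, as (name, protocol, ports).
# The page gives no protocol for the second group; None here means
# "match either TCP or UDP" rather than assuming one.
TROJAN_PORTS = [
    ("Back Orifice", "udp", [31337, 31338]),
    ("Deep Throat", "udp", [2140, 3150]),
    ("NetBus", "tcp", [12345, 12346]),
    ("Whack-a-mole", "tcp", [12361, 12362]),
    ("NetBus 2 Pro", "tcp", [20034]),
    ("GirlFriend", "tcp", [21544]),
    ("Sockets de Troie", "tcp", [5000, 5001, 50505]),
    ("Masters Paradise", "tcp", [3129, 40421, 40422, 40423, 40426]),
    ("Devil", None, [65000]),
    ("Evil FTP", None, [23456]),
    ("GateCrasher", None, [6969]),
    ("Hackers Paradise", None, [456]),
    ("ICKiller", None, [7789]),
    ("ICQTrojan", None, [4590]),
    ("Phineas Phucker", None, [2801]),
    ("Remote Grab", None, [7000]),
    ("Remote Windows Shutdown", None, [53001]),
]


def lookup(proto, port):
    """Names of trojans whose default port matches (proto, port)."""
    return [name for name, p, ports in TROJAN_PORTS
            if port in ports and (p is None or p == proto)]


# One socket line of Windows `netstat -an`: Proto, Local Address,
# Foreign Address and, for TCP only, State. UDP lines have no state.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def parse_netstat(text):
    """Yield (proto, local_port, state) for each socket line; the header,
    title and blank lines are skipped."""
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, _addr, port, _foreign, state = m.groups()
            yield proto.lower(), int(port), (state or "").upper()


def find_suspects(netstat_text):
    """Sockets bound to a known trojan port, as (proto, port, state, names).

    Only TCP sockets in LISTENING state count: an ESTABLISHED outbound
    connection whose source port happens to collide with an entry in the
    table is not a listener. UDP has no state, so every bound UDP port
    is checked.
    """
    hits = []
    for proto, port, state in parse_netstat(netstat_text):
        if proto == "tcp" and state != "LISTENING":
            continue
        names = lookup(proto, port)
        if names:
            hits.append((proto, port, state, names))
    return hits


# Constructed sample output (not a real capture): a NetBus listener, a
# Back Orifice UDP socket, and an ordinary outbound web connection whose
# source port 5000 collides with Sockets de Troie but is not listening.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.111.222:5000   10.123.1.102:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

if __name__ == "__main__":
    for proto, port, state, names in find_suspects(SAMPLE_NETSTAT):
        print("%s/%d %s -> possible %s"
              % (proto, port, state or "-", ", ".join(names)))
```

Two things to keep in mind when using this on a real machine: a hit on a default port is a reason to look, not proof (any program can bind 12345), and a miss proves nothing, since anyone who configured the server portion to a non-default port will not appear here. The Registry Run/RunServices entries are the complementary check.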

How did my system become compromised?

"Have you downloaded and run any programs lately?"

Simply executing the "server" portion of one of these trojans installs it. To ease distribution, the "server" portion can be attached ("piggy-backed") to any other Windows executable, which then runs normally after silently installing the server portion.

There have been several reports of ICQ users being compromised via ICQ's ability to send files to/from one another. I strongly suggest reading ICQ's latest End User Agreement, which discusses this topic.

The best defense to prevent your PC from becoming compromised by these or any other trojans is to not download files from unknown sources, and to be wary of files sent to you over ICQ or e-mail even by people you know, since a piggy-backed program looks and runs like the original.

Final words of advice

Acquire an antivirus software product.
Believe it or not, the major players (McAfee AntiVirus, Norton AntiVirus, Command AntiVirus, etc.) in the AV market are including the ability for their software to detect a static string of code within each trojan. Therefore, I'd strongly suggest ensuring that you keep your virus signature files up to date. Bear in mind that a static string matches only the variant it was written for, so a modified or repackaged server portion can slip past until a new signature is issued. If your AV product does not detect these trojans, send an email to the manufacturer and request that they add detection.

Acquire a firewall application for your PC.
As I work in this specific industry, I could recommend the firewall product I provide support for, but I don't think you'd want to spend $3,000 <grin> to protect your home PC. In honesty though, there are a few good "personal firewall" products (VisNetic Firewall, BlackIce Defender, ZoneAlarm, McAfee Personal Firewall, etc.) on the market.

The benefit of using a firewall is that even if your system were to become compromised, the firewall's rules would prevent inbound connections to the trojan's port from being allowed through. It does not remove the trojan, so treat a blocked connection attempt as a prompt to clean the machine, not as the end of the matter.

FWIW, I personally use VisNetic Firewall for my home PC and find that it does exactly what it's supposed to (e.g. prevent those on the 'net from being able to establish unwanted connections to my PC when I'm online).

 
    © Copyright Commodon Communications. All rights reserved.