Trojans and Backdoors – CompTIA Security+ SY0-401: 3.1

Trojan Horses are a special kind of malware that manages to infect our machines by tricking us into running the malicious software. In this video, you’ll learn about trojans and backdoors, and I’ll demonstrate how an application posing as a game can quickly infect our computer.


A Trojan horse is a unique kind of malware that is able to sneak onto your computer to do the things that it wants to do. The name comes from the historical Trojan horse. This is what the Greeks built. They built an enormous wooden horse and put it outside the gates of Troy, and when the Trojans found it, they pulled the horse inside. Once it was inside and night fell, the Greeks came out of the horse, and they were in. They didn’t have to get through the gates of the city anymore, and they were able to conquer Troy just by sneaking in inside this enormous wooden horse.

This is the idea that we have in Trojan horses on our computers, except it’s a digital type of Trojan horse. It’s one that sneaks onto your computer pretending that it’s something else, so that it can then get inside. Once it’s inside your computer, you’ve given it rights to run the program that it’s running. You said, absolutely, you can run. It’s a video from somebody? Yes, I’d like to see that. Oh, this is a program that shows me a nice winter card or a spring card, or somebody sent me a birthday wish. I’ll open up this program to see what it is.

In fact, it may even show me a birthday card. It might even play music for me. It may show me a snowy wooded evening. Unfortunately, behind the scenes, it has also embedded itself.

Its primary purpose is to get on to your computer. And it’s not entirely concerned with replicating. This isn’t a virus or a worm. Its job is to get on your computer and to fool you into allowing it into the gates. It’s getting around your existing security.

And as soon as it gets on your computer, you’ll find that one of the first things Trojan horses do these days is disable your antivirus. So if you happen to notice that your firewall isn’t working anymore on your computer and your built-in antivirus isn’t working anymore, it’s very, very possible that you’ve been infected with a Trojan horse, because now it can do whatever it likes. Because your firewall is turned off, it can now open up some back doors and let other devices in. Now that your antivirus is turned off, it can download other things onto the computer that may be malicious, install keyloggers, and use other methods of infecting your computer, because there’s no way to stop it now. It’s disabled your antivirus. It’s disabled your firewall.

And it’s those back doors that create such a problem for us, once we get that one piece of malware on our computer. These malware manufacturers, the writers, have realized that once they get on a PC, this is great. They can open up a back door. They’ll go around the back of the house and just unlock the door and allow whatever they would like in through the back door of your computer.

And that way, they don’t have to worry about finding another vulnerability. They don’t have to worry about finding a way to authenticate properly to your computer. They’ve already got that first step in, and now that they’re inside of your computer, they’ll simply open up a back door around back and then put whatever they would like on your computer: additional malware, additional spyware. And that’s why whenever you find a machine that’s been infected, it isn’t just one thing. It’s multiple things, because once the malware manufacturers find that opening, they absolutely take advantage of it.

There is some software that includes a back door with it. This isn’t something that is very common, but something you need to be aware of is that there was actually a Linux kernel version that somebody wrote a back door into. And it was one that was found very quickly. Thanks to open source, people were able to go through the code and say, that looks funny. Why did somebody happen to put that in there? That gives them access into anybody’s Linux machine.

There’s also bad software. As part of the application, a manufacturer may not have intentionally created a back door, but nonetheless ended up with something there that lets them access machines that have that software on them. And unfortunately, that is also a big problem. That’s why whenever you install new software onto your computer, especially in a large environment, there are tests that you can do on that computer to make sure that it is as protected and secure after installing that software as it was before installing that software.

I recently had one of my computers infected with a Trojan horse. And so I collected that Trojan horse. I put it into a digital Mason jar and put it in the corner. I’ve got it running in this virtual machine. So this is not something you’ll want to do on your computer. I’ve taken and put it into a test environment. And now what I’m going to do is run it and show it to you. And when we’re done with this, I have a snapshot taken of this virtual machine. I’m going to revert back to a previous date and time, which essentially erases everything that we’re about to do here so that I maintain this protected system.

This Trojan horse that was found, I’m going to look at the properties of this. It’s called GBT. And you notice, Games for Windows Live splash screen. It’s a game. Who wouldn’t love to put a game on their computer? I’ll absolutely run that program. That sounds like a great thing.

And what you’re going to find is, when that program executes on this computer, the first thing that pops up is your Windows Security Center. Your firewall is turned off. Your anti-spyware and anti-malware are turned off. And then another window pops up called XP Anti-Spyware. Well, what could be bad with anti-spyware? But oh, no, it’s identified programs on my computer that are infected with spyware. Here’s a worm. Here’s other spyware on my computer. It’s finding all kinds of infections on my computer.

Now the reality is, what we’re running on right now is a stock installation of Windows XP. There are no additional programs that have really been installed here. What this is telling us is absolutely fake. None of these things are real. And because it used the Trojan, pretending it was these games, now it has disabled my real firewall, disabled my real antivirus. It’s created a back door, and now it’s presenting to me this front end that’s telling me that I have all kinds of viruses, macro viruses, botnets, and a lot of different things on my computer, none of which is real.

This is a new type of malware that we’re seeing called scamware or ransomware, because at the end of this what it’s going to say is that it can absolutely remove this for you. You need to give it some money and it’ll be able to remove all of these problems from your computer. But of course, none of these problems existed to begin with. This is simply scaring me into providing a third party with credit card information, or providing them with money in some way, shape, or form, for doing nothing but embedding malware onto my PC.

There, it’s now finished its scan. It says attention, danger. It found 26 critical system objects that were infected. Well gosh, I should probably register this so I can get rid of that. Obviously don’t do this. You don’t want to register this. And it pops up this very, very professional-looking XP anti-spyware I can buy now. There’s frequently asked questions. One-year licenses only $60 United States funds to be able to remove that. And look, they even have a Like button for Facebook. One million people like them. Well gosh, I’ll like them too. Let me click that. Doesn’t actually go to Facebook.

That’s a fake Like button that’s there. But doesn’t it look real? Follow us. Join the conversation on Facebook. It’s not going to take you to Facebook, to their page, because their page doesn’t exist. This is an absolute scam. None of this is real. All they want is $60, $70, or $80, to be able to get that money. And at the end of that, it may or may not enable or disable this particular malware on your computer, because they don’t care. You can’t contact the company. You can’t get your money back. At that point, you are infected, all because that Trojan presented itself to you as something like games, and that sounded great to me. And now my computer is really infected with this malware.

It now becomes very, very difficult to remove this from a computer. It has embedded itself into the operating system so that any time you run a program, it will run and make sure this Trojan is running, which means you can’t simply remove the file that you happen to find associated with the Trojan. It’s hiding in some temporary directories. It has now embedded itself in multiple places. If you turn off your computer and turn it back on, it’s going to start up automatically. And it’s going to constantly pester you that your system has been hijacked and security threats have been detected, and you need to give them some money to remove these things.
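The three symptoms this video walks through (firewall and antivirus switched off, a fresh autostart entry, and something that runs every time any program runs) are all visible in a handful of Windows settings, and the "test before and after installing software" idea from earlier in the video is just a baseline diff of those settings. Below is an added example of such a check, written for this page and not part of the video or any Professor Messer material. It assumes Windows 8 or later with PowerShell 5 (for Get-NetFirewallProfile and the SecurityCenter2 namespace), and it assumes that the "runs whenever any program runs" behaviour is implemented by altering the handler that launches every .exe, which is one well-known way to do it but is not stated in the video.

```powershell
# Added example: snapshot the controls a trojan typically tampers with,
# save a baseline, and diff a later snapshot against it.
# Assumes Windows 8+ / PowerShell 5. Not from the original video.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-SecurityPosture {
    $lines = @()
    # Firewall profiles: switched off is the first symptom shown in the video.
    foreach ($p in Get-NetFirewallProfile) {
        $lines += "firewall:$($p.Name)=$($p.Enabled)"
    }
    # Antivirus products registered with Security Center (productState changes when disabled).
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($a in $av) {
        $lines += "av:$($a.displayName)=state:$($a.productState)"
    }
    # Autostart entries: the trojan in the video comes back after a reboot.
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
                $lines += "run:$key\$name=$($props.$name)"
            }
        }
    }
    # Assumption: "runs whenever any program runs" means the .exe launch handler
    # was changed. Record it so any change shows up in the diff.
    $exe = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue
    if ($exe) { $lines += "exefile=$($exe.'(default)')" }
    return ($lines | Sort-Object)
}

function Save-Baseline([string]$Path) {
    Get-SecurityPosture | Set-Content -Path $Path
}

function Compare-Baseline([string]$Path) {
    $baseline = Get-Content -Path $Path
    $current  = Get-SecurityPosture
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
    foreach ($d in $diff) {
        $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        Write-Output "$tag $($d.InputObject)"
    }
    if (-not $diff) { Write-Output 'No change from baseline.' }
}

# Usage: Save-Baseline C:\baseline.txt     (before installing new software)
#        Compare-Baseline C:\baseline.txt  (afterwards, or when the firewall warning appears)
```

A firewall profile flipping to False, a new Run entry, or a changed exefile handler in the diff is the kind of evidence that justifies the wipe-and-reinstall described next rather than chasing individual files.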

Very often, what we end up doing is simply taking off and backing up our personal files, our documents and other data files that malware can’t infect, securely backing those up somewhere, and then completely nuking this hard drive, erasing everything on it and reinstalling the operating system from scratch. Very often that is the only way that you can be 100% sure that you have absolutely removed that Trojan from your computer.