Hiding places for Trojans
|
| 11.25.2009, 6:52 PM |
Exotic operating systems:
These operating systems or more accurately file systems are great
places to hide, since they cannot be read at all by the native
operating system, they will appear as unpartitioned areas of the hard
disk or (In some cases) not at all (See hard disk under size reporting)
Popular favorites for the Trojans are OS2 (IBM?s file system) Hidden
NTFS, A variant of Microsoft?s NT File system. And Linux-Unix variants,
many others (About 30 in all) are available to the Trojan.
The Windows Registry:
The Windows registry is a hodge-podge collection of software settings
and data that is crucial to the functioning of the windows computer. It
acts as a database for the Operating system, the hardware, and the
application programs, it is also a storage place for security settings
and user information. Casual computer users are rarely aware of this
data storage and are strongly cautioned (Quite rightly) from ever
browsing its contents, or changing anything in them. Nevertheless,
ordinary users can access this data, albeit via a round-about way. (Its
not dangerous to look at this stuff just don?t change anything unless
you know what you are doing)
Start--- Run--- C:\WINDOWS\system32\reged t32***** --- OK
For Windows 2000 & 2000 Pro
Start--- Run--- C:\WINNT\system32\regedt3 2***** --- OK
For Windows XP Home and XP Pro
This database is accessible by the Trojan too. It has many powerful
uses for Mal-Ware especially during a so-called ?escalation of
privileges? operation. A tweak to one ?Key? in the registry for example
can add a program name to be executed at the next boot-up. There are a
zillion other things the Trojans can do in here but we are digressing
from the subject which is storage and hiding places. Since few dare to
tread these Registry paths, The Trojan Masters have deemed it an
excellent place to store data. We have seen quite large binary files
stored here. In some cases, the Trojan operators being confident that
no one would be browsing the depths of this complex structure even post
?plain text? notes to their colleagues.
Print Spooler:
Part of the Windows operating system, Print Spooler accepts data from
any application destined for the printer. It stores the data then feeds
it to the printer at the printer?s own pace. Meanwhile your application
moves on to other things. This Storage area which is a locked file or
an area of RAM can be usurped for the storage of Trojan material. A
modified version of the Print Spooler can, under certain circumstances,
be used to temporarily store Trojan data in the printer itself then
read it back later. (Excellent for re-Inserting a Trojan after a
Re-Installation ?Nuke?)
USB Devices:
There are hundreds of USB devices: cameras, storage ?Dongles? printers,
scanners, hubs, and so on. Many of these devices offer RAM or EEPROM
storage opportunities for the Trojan Masters. The EEPROM chips
described in detail elsewhere are particularly valuable for the storage
of Mal-Ware since they are non-volatile and can survive ?Power Down?
periods. They are also almost impossible to view or remove without
special software tools from the manufacturer of the device.
System Volume Information:
On every hard disk volume or Logical drive on your system there exists
a portion of hard disk space reserved for the file system. This area
known as the ?System Volume Information? area is about 8 megabytes in
size. Quite a large area by Trojan Master standards. It does, of
course, have a legitimate purpose for the file system, acting as an
index for files and directories. Nevertheless, as can be expected, the
Trojan Masters have made good use of this very hard to access area.
Let us not forget the traditional places like the hard disk boot sector
and some of the newer places like the Over-Burn area on all of our CDs.
|
|
Category: Hacking tutorials | Added by: h4ckz0r
|
| Views: 1993 | Downloads: 0
| Comments: 96
| Rating: 0.0/0 |
|
|