TEAM COW Official Homepage


Internet-Security









[String-TC]
What is a Trojan and why could it be dangerous for my machine?

Programs called Trojan Horses work on the same principle as the (physical) Trojan Horse that was used to take the city of Troy. Troy was a very well protected town and its enemies tried to figure out a way to get past its defenses. To make it short, the enemies of Troy built a big wooden horse as a present for that city. The horse (while still being what it was and looked like: a nice wooden horse) had room inside for some men (enemies) who waited until the citizens took the horse inside Troy. When night came, they got out of the horse and opened the city gate for the enemies that were waiting outside.
You see: 1. The horse looked like a nice thing to get (install).
2. It had hidden functions that took all security down and permitted the enemies to come in and manipulate (eh, destroy) that city.

In the computer past, most Trojans were only viral programs that infected your system, altered things, etc., while their main executable still seemed to be a nice tool.
Today, with more and more internet connectivity, Trojans follow exactly the same strategy as in that ancient history. They eliminate your security mechanisms and get past your defenses, while allowing an intruder every possibility to alter, read, etc. your data.
Now there are several versions of these internet Trojans:
- You start the program, but it only gives you an error message ("dll not found" or something like that).
- A program that is hiding inside the program that made you execute it. The main program has full functionality while you still get infected.

If a Trojan is installed on your system there are several ways it can be started (it can run always, be started when the system starts up, or become active when you run a certain application).

What can I do against a Trojan?
Where is it loaded?
Autostart folder
(Windows Start -> Programs -> Autostart.) It is not usual for a Trojan to be started by the Autostart function, although it could hide there as an application you know, suggesting that application is the one started by Autostart.

System.ini / Win.ini
Win.ini: be aware that a program can be loaded after the Load= or Run= string. Some Trojans hide their parameter after these strings behind multiple spaces, so either turn word wrap on in your editor or scroll horizontally to the right if possible.
Example: "Load=c:\winnt\IMATROJAN.EXE" or "RUN=c:\winnt\IMATROJAN.EXE"

System.ini: after the shell=Explorer.exe line (explorer.exe is normal there).
Example: "shell=Explorer.exe mtmtask.dl" (that would be an example of the default settings of SubSeven 1.9).
Here too, many spaces could be added after explorer.exe, so you have to check whether you can scroll horizontally for additional parameters.

c:\Autoexec.bat and c:\Config.sys (c:\ or whatever your start drive is)
Here you should know what you are searching for. There could be many drivers in config.sys; removing by trial and error should be avoided.
Example config.sys: "device c:\winnt\IMATROJAN\IMATROJAN.SYS"

Winstart.bat / Wininit.ini / Progman.ini / Control.ini
All or some of these files may not exist on your system. Progman.ini comes from Windows 3.0 but is still executed if found, so if some of these files exist, check their content.

Registry
Go to Windows Start -> Run... -> type "regedit" -> OK.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

These are places where programs can be installed to be executed when you start your system.
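As an added example (not from the original page), here is a small Python checker for the two win.ini/system.ini tricks described above. It parses constructed sample copies of both files and reports anything loaded via Load=/Run= or hidden after Explorer.exe on the shell= line, collapsing the long runs of spaces a Trojan hides behind.

```python
# Constructed sample files, modelled on the examples in the text above:
# a win.ini whose Load= value sits behind a long run of spaces, and a
# system.ini whose shell= line carries an extra program after Explorer.exe
# (the SubSeven 1.9 default mentioned in the text).
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=" + " " * 120 + "c:\\winnt\\IMATROJAN.EXE\n"
    "run=\n"
    "NullPort=None\n"
)
SAMPLE_SYSTEM_INI = (
    "[boot]\n"
    "shell=Explorer.exe" + " " * 80 + "mtmtask.dl\n"
    "[386Enh]\n"
    "device=vmm32.vxd\n"
)

def parse_ini(text):
    """Return {section: {key: value}} with keys lowercased and values stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def findings(win_ini_text, system_ini_text):
    """List the autostart entries a Trojan can use in win.ini and system.ini."""
    found = []
    windows = parse_ini(win_ini_text).get("windows", {})
    for key in ("load", "run"):
        value = windows.get(key, "")
        if value:  # anything here is loaded at startup; an empty value is the normal case
            found.append(("win.ini", key, value))
    boot = parse_ini(system_ini_text).get("boot", {})
    # Whitespace splitting collapses the runs of spaces the text warns about,
    # so a parameter pushed off-screen still shows up as an extra token.
    tokens = boot.get("shell", "").split()
    if tokens and tokens[0].lower() != "explorer.exe":
        found.append(("system.ini", "shell", boot["shell"]))
    for extra in tokens[1:]:
        found.append(("system.ini", "shell-extra", extra))
    return found

if __name__ == "__main__":
    for entry in findings(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print("%-10s %-12s %s" % entry)
```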
Fight Back
Improve the security of your system and of your applications.

There are multiple ways to close some doors for intruders.
a) If you don't use file sharing (in a local network), go into Explorer, go to drive C:\ (and any other drive) and right-click on it. If you see "Sharing", click on it, then click "disable sharing" and OK.
b) Then go to Windows Start -> Settings -> Control Panel -> Network.

Depending on your configuration you will also see your ISDN/dial-up adapter listed here.
Go to "File and Printer Sharing".
(Besides that, note: you can remove the "Client for Microsoft Networks" and "Microsoft Family Logon" here. That will remove some security holes. You can remove them completely. When you click OK you will get an error message, but it will work. Your system will now not be able to share files at all without reinstalling that from CD. Only drawback: you will not be able to save passwords (you shouldn't save passwords anyway).)

and remove all toggles if something is toggled for sharing!

c) Go into your Internet Explorer (if you don't use Netscape; for security, Explorer gives more possibilities).

Configure it manually:

and turn all ActiveX- and Java-related stuff off.

(screenshot: all ActiveX and Java settings turned off)
Now there will be some sites that you still trust 100% and that you will not be able to reach or display correctly without letting them run Java code etc.
If you want to access these sites, go to "Trusted Sites" in the Internet Options security settings and add them there:

(screenshot: adding sites to Trusted Sites)
For these sites you can allow Java and maybe some ActiveX stuff if you think you can trust them.
So the whole internet is handled with the highest security settings, and only these sites can do scripting and use applets etc.
d) If you use Outlook Express, then switch it to the security zone for the whole internet, which you have now made very secure:

That is now secure (but only because you manually edited the "Internet zone" to very strict parameters; by default the security sucks there). So no ActiveX and other stuff can be passed to you IN email (with attachments you still have to be careful).

e) ICQ security options:

Don't show IP (although there is really no problem finding your IP if someone has you in their contact list).

and some other toggles.

a01) If you use Win2k you can configure the built-in firewall. I would recommend using it to strengthen your other firewall application (like ATGuard, which is at the moment the best Win2k firewall I found for a reasonable price; NetGuard's Win2k version isn't finished yet).

You can either specify anti-spoofing connection checking (we leave that for now, because if you are a target for spoofing because of your UO account, well, then not much can be done for you; you are dealing with people who really know what they are doing, and usually those people aren't interested in your PC at home, so we assume we deal with the "usingDaHackaSoft" hacker),
a02) or configure it to only allow 3 protocols: ICMP, TCP, and UDP.

(screenshot: Win2k Professional TCP/IP filtering) So it should look like this.

more to follow.


Now all these files and settings could have confused you. It is just the technical background, to know the most usual ways for a Trojan to be executed when your system starts so it can offer the hacker its server/whatever possibilities.

You can try to remove a Trojan manually after you detected it, which with some Trojans like "Sockets de Troie" or newer or altered versions of SubSeven and others is relatively impossible, but I will get to that point at the end.
The most common and logical thing is to install anti-intruder software.
You should spend a moment thinking about security concepts for your machine, by weighing the danger against the system resources used by anti-intruder software.

What does that mean?
Short: if you install a background virus scanner, a tracer/whois for intrusion attempts, and/or a firewall on the same machine while using ICQ, Ultima Online etc., you will notice, depending on the running software, decreased system performance in your application (say UO), where you begin to lag sometimes, freeze for 1 second, etc., which does not lead you to yet unknown fun in the game.

Concepts
I will present some concepts to deal with that:
1. You have more than one computer at home.
That's optimal. You install one of these computers as your ISP connector. (Only that computer connects to the internet, and it's not the computer you are working on. It's a dedicated firewall.)
What can you do with that: you can install a big firewall on it. You can install detection software that traces all attackers back. You can be relatively sure that whatever attack comes from outside your local network goes to that firewall, so you can define the strongest security parameters, which would normally decrease performance and usability on a client.
The firewall can also masquerade the other computers behind it, so that nobody on the net can figure out what is behind that firewall (to say it, eh, "short").
Software that could be used:
WinNT/Win2k, NetGuard Guardian (a very powerful corporate firewall) OR Conseal PC Firewall OR SyShield OR ATGuard AND Lockdown2000 (to trace and whois intruders) AND VShield (McAfee virus scanner) OR F-Risk F-Prot OR other anti-virus software
OR SuSE Linux OR RedHat Linux OR any other Linux distribution coming with firewall and masquerading services and scripts.
The software and links will be presented in more detail at the end.

Hardware that could be used:
Win: Pentium/AMD, 64 MB RAM, 1 GB HD, ISDN or cable or whatever you use to connect to your ISP, and a network adapter for your local network
Linux (without X-Win): 486, 16 MB RAM, 1 GB HD, same connection and network adapter as above

2. You have only one but powerful computer: much RAM, much processor speed.
You can use a desktop firewall on your computer. It's still a security drawback to install the firewall on the same machine that is in potential danger and where you execute and run new software, but hey, we don't protect a corporation.
Software that could be used:
Win95 (with Winsock update)/Win98/WinNT/Win2k, Conseal Private Desktop (a very easy to use, self-configuring, good firewall for less experienced persons. Don't underestimate the danger of a wrongly configured firewall. If you are new to this and don't want to spend much time with it, get the trial version (listed below under Software))
OR Conseal PC Firewall OR ATGuard OR SyShield AND VShield (McAfee) OR F-Risk F-Prot OR Norton AntiVirus OR AVP etc.

You notice that Lockdown2000 is not listed here. You can use Lockdown 2000 as a Trojan scanner, which is great (execute it manually then), but its tracing/whois methods (which you can toggle off), its Trojan protection (you can turn that off) and the ICQ/nuke protection take a lot of system performance. In Ultima Online you get short freezes and lag when it traces an intrusion attempt back (which is already blocked by the firewall, so there is no real need for that). If you run only nuke/ICQ protection you should be fine though. Depends on your system.

3. You have a small computer that already has problems running your default (Ultima Online) application.
You have a problem.
Execute a virus scanner manually or scheduled every night, but not as a background scan. Try Conseal Desktop Private and see if you get a big performance drawback.


Be careful (use your brain)
1. Don't take files from ICQ, not even from your friends, because you could be spoofed. What does that mean? It's easy in ICQ to take the name of a friend of yours, maybe a guild member, and offer you some file over ICQ. You take the file thinking it's your buddy. You run it and will have fun.
If you wish to exchange files with other TC members, first clear that in t2a chat.
2. Turn your Explorer settings to high security or manually set all ActiveX, Java, script and everything else to disabled. Always check for Windows Updates so you get the patches for security holes. Point-by-point description in Fight Back.
3. Update your virus scanner and firewall often.
4. Don't save passwords! If you ever get a Trojan or virus on your system it is most likely that it will first send the password files to an address.
5. Don't save emails that contain passwords. There are Trojans scanning your email folder for keywords like "Password" etc.
6. If you don't have much clue about computers and software, think twice whether you really need to use IRC. The possibilities to hack and nuke through IRC are, eh, various.
That's why we use t2a chat.
7. On NT machines think about the possibility of working as a non-admin user and only logging on as admin when really needed, and rename the Admin account to another name. Remove all Guest etc. accounts.
8. Take care with email attachments.
Take care with pictures sent by email. It could be a "uo0001.jpg(100 spaces).exe" file.
Install an email scanner (like the one provided with Norton AntiVirus or McAfee).
9. Never open emails from people like "support@microsoft.com" wanting to provide you with a "system update" or something like that. Microsoft never sends code through emails. Don't open them. If your firewall/whatever provides the possibility, block that address.
10. Don't reply to support mails from OSI asking you for password/account name for administrative use/whatever.
11. Don't trust applications you buy. The statistics of infections show that the probability of infecting your system by running warez is as high as infecting it with the files from a bought commercial CD. Before installing anything, always run virus scanners/Trojan scanners on it, no matter where that file comes from, and even if it is the security software on the security disk of the most trusted $1000 security manufacturer.
12. Don't save passwords.
13. If you don't save passwords, please don't use some crap passwords like the name of your dog, or your girlfriend "Michelle" written as "ellehciM". I would laugh 2 times.
If you want to use a password that you can remember but that is long and not easy, try to use different keys in it:
That means: say your dog's name is Garfield, your girlfriend's name is Bonny, and your midlife crisis began on 14.8.88. Then you could build:
"GarFIELD14Bon8ny88"
Even if someone knew 2 keys (your dog's name and your girlfriend's name), or used some cracking tools that first try common names, all keys together would be missed.
If you are militant about that, you could make an algorithm for yourself, moving keys or key parts or using different key parts in relation to political events, or anything like that. Like: it's GarFIELD14Bon8ny88 when there is no war in Uzbekistan but Gar"9mm"14Bon8ny88 if there is war, altering the 9mm key to bigger mm sizes for each month the war is ongoing.
14. Don't save passwords.
15. Don't save passwords.
16. In UO don't use the mail. If you give a guy your "mail-bag" you give him the account name. Account name + password are together your security. By giving him your bag you have already provided him with the 1st of the 2 keys controlling your account.

Software on your side
NetGuard Guardian Firewall. Sophisticated corporate firewall. You can get an evaluation CD and test it with no restrictions (or sign up as a Win2k beta-tester).

with powerful net diagnostics

and sophisticated rule/user/strategy setup. Although it's not an easy program, and the PDF file is some MB big, the wizard leads you fast to what you need.
Very interesting for people also having FTP servers, web servers etc. on their network.

Conseal CDP and PC Firewall: very good firewalls. (Problems with SyGate (CDP).)

Conseal Desktop Private works application-based. It locks everything until you give the application the right to communicate (it will ask you).
Only drawback: if you allow an application to communicate that hides a Trojan inside. You should know what you want to communicate and what not.

eSafe Protect: good firewall (combines a sandbox and a (not so good) virus scanner) but not easy to configure right.

SyShield: a firewall from the developers of SyGate.
ATGuard: a very nice WWW, cookie, ad and firewall tool. Actually the firewall is better than you would think. Very powerful tool.

(screenshot: that's how ATGuard looks when active; you can toggle it to the background of course)

(screenshot: the firewall settings; don't moan about that color, it doesn't look like that here :)
You notice that ATGuard offers more than the usual port/protocol blocking. You can specify rulesets for applications, and also IP ranges and protocols for them, letting you close many doors.
If you look up at Fight Back you see some settings for the internal firewall of Win2k Professional. If you combine the ATGuard firewall and the Win2k firewall functions you improve the security even more, while Win2k will only allow 3 protocols to pass and ATGuard handles the rules for these protocols.
I haven't found any better combination yet for the Win2k firewall ISDN server.

Trojan Defence Suite: Trojan scanner
Lockdown2000: finds, traces and whois the hacker, while finding and blocking nukes and Trojans. Not a cheap tool but leading in Trojan detection.
On the web page you also find a "Hacker Demo Tour" showing you from one screenshot to the next how a hacker connects and manipulates data. (Of course all leading to the point that Lockdown is the greatest software ever written. :)

The Cleaner: pure Trojan scanner and cleaner
McAfee virus scanner with 2 engines. Leading.

F-Prot: very good virus scanner, free for private use
NukeNabber: better install a real firewall and not NukeNabber (port locker)

Software on the other side
Only some shots are listed here. I'll not go into detail about what every Trojan is doing. A Trojan package these days consists mostly of 3 elements:
The client. The hacker uses it to control your computer.
The editserver. With this file he can generate a specific server version.
The server that goes to you.

Old Back Orifice:

Sockets de Troie (French product; the first remover also came from France):

SubSeven 2.0:

And some sample examples of the tools that could be used against you:






Interesting links:
Virus Research, University of Hamburg (German)
Internet-Security (German)
Trojan info site (German)
Online security check (scans for open shares on your computer, and the usual NetBus and BO ports)
Very intensive firewall port scan through the web. Detects the holes in your firewall config.




Sample Firewall (ATGuard) config
Mainly this fits all firewalls, but there are some specific settings for the ATGuard possibilities.
First go into your registry and change:
[HKEY_LOCAL_MACHINE\Software\WRQ\IAM\FirewallState]
"BlockIGMP"=hex:01
"BlockIPFragments"=hex:01
By default they are turned off or not listed there. With these settings you put BlockIPFragments ON and block IGMP.
After having done that, you should know whether you need bootp (DHCP) to obtain IP addresses dynamically.
If your IP is static, you should not need this rule.
For ICMP you should permit as rules: inbound time-exceeded, inbound destination-unreachable, and if you want the ability to ping also: inbound echo-reply and outbound echo-request.
All other ICMP can be blocked.
While not permitting an "outbound echo reply", no one is able to ping your machine.
After having done that, turn the Rule Assistant on and start all applications that are needed. You will get prompted whether they should get a rule or not.
Try to specify the rule in application, services and range of ports as strictly as possible.
After having done that, depending on your firewall software, you can block with the last rules in the ruleset all TCP in/out, ICMP in/out, and UDP in/out, knowing that what should be able to pass can pass by the first rules.
In ATGuard with the Rule Assistant disabled, all communication not fitting a rule is blocked by default anyway.
You need a Trojan port list only if you really want to get a notification or special log entry for that specific port query.
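As an added example, not from the page and not ATGuard's own code, here is a small Python model of the ruleset described above: the specific ICMP/bootp permits first, the blanket TCP/ICMP/UDP blocks last, first match wins, and anything unmatched is blocked. The Rule and Packet types and the assumed bootp client port 68 are this example's own; run it to see which packets pass.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "block"
    direction: Optional[str] = None  # "in", "out", or None for both directions
    protocol: Optional[str] = None   # "icmp", "tcp", "udp", or None for any
    icmp_type: Optional[str] = None  # ICMP message name, only used with protocol "icmp"
    port: Optional[int] = None       # local TCP/UDP port, None for any
    note: str = ""

@dataclass(frozen=True)
class Packet:
    direction: str                   # "in" or "out"
    protocol: str
    icmp_type: Optional[str] = None
    port: Optional[int] = None

def build_ruleset(need_dhcp: bool, want_ping: bool) -> List[Rule]:
    """Ordered ruleset following the text: specific permits first, blanket blocks last."""
    rules: List[Rule] = []
    if need_dhcp:
        # Only with a dynamic IP: the bootp/DHCP client listens on UDP port 68 (assumed here).
        rules.append(Rule("permit", None, "udp", port=68, note="bootp/DHCP"))
    rules += [
        Rule("permit", "in", "icmp", "time-exceeded", note="traceroute/TTL answers"),
        Rule("permit", "in", "icmp", "destination-unreachable", note="error reports"),
    ]
    if want_ping:
        rules += [
            Rule("permit", "out", "icmp", "echo-request", note="you pinging others"),
            Rule("permit", "in", "icmp", "echo-reply", note="their answers"),
        ]
    # Deliberately no "outbound echo-reply" rule, so nobody can ping your machine.
    # The last rules block every protocol in both directions; anything that should
    # pass has already matched one of the permits above.
    rules += [Rule("block", None, "tcp"), Rule("block", None, "icmp"), Rule("block", None, "udp")]
    return rules

def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; unmatched traffic is blocked, like ATGuard without the Rule Assistant."""
    for r in rules:
        if r.direction not in (None, pkt.direction):
            continue
        if r.protocol not in (None, pkt.protocol):
            continue
        if r.icmp_type is not None and r.icmp_type != pkt.icmp_type:
            continue
        if r.port is not None and r.port != pkt.port:
            continue
        return r.action, r.note or "explicit " + r.action
    return "block", "default: no matching rule"

if __name__ == "__main__":
    ruleset = build_ruleset(need_dhcp=False, want_ping=True)
    for p in (Packet("in", "icmp", "echo-request"), Packet("out", "icmp", "echo-request"),
              Packet("in", "icmp", "echo-reply"), Packet("in", "tcp", port=139)):
        print(p, "->", decide(ruleset, p))
```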
Hope that helps.
Detailed introductions to TCP/IP and firewalls:
Firewalls
MS TCP/IP and firewalls


[String-TC]
