What is a FAQ? - Frequently Asked Questions. A FAQ should answer the most common questions about a particular subject.
What is a trojan horse? - A trojan horse is a program that allows someone to access your computer remotely over a network such as the Internet. A trojan has 2 parts: the client and the server. When the server is run, it loads into memory and listens for a connection on a certain port. Someone can then run the client from another computer and connect to the computer running the server on that port. When a connection is made, the person running the client can do all kinds of things to the computer running the server. He can view the screen, read from and write to the hard drive, and display messages to the screen. He can even see the person sitting at that computer if the computer has a webcam. The server only needs to be run once. After that, it will load into memory every time the computer boots.
Would I know if my computer had a trojan? - No. The trojan does not show up in the system tray, and if you press control-alt-delete the trojan will not be listed in the box that shows up.
How can I remove a trojan from my computer? - Go to the trojan removal part of this site.
Who uses trojans? - Trojans are usually used by people who are not quite intelligent enough to take a more low-level approach to hacking. The majority of the people who use trojans are teenage boys, aged approximately 13 to 18. They are called script kiddies. They are considered lame by real hackers. Real hackers may also use trojans because trojans are the easiest way to gain almost complete control of a remote computer system, but a real hacker would not take over the computer of any random person for no reason except to cause damage or annoy the victim. Script kiddies run a program called an IP scanner, which scans a block of IP addresses until an infected one is found. When they find an infected one, they connect to it, then snoop through the victim's hard drive, erase files, display messages to his screen, and the like. This is considered lame because the script kiddie did not actually do anything that requires any talent. He simply scanned a subnet of IPs, connected to one, and annoyed the victim, or perhaps even wiped his hard drive and stole his passwords.
What should I do if it becomes apparent that I have a trojan horse on my computer? - The first thing to do is to immediately terminate your connection to the internet. If your computer is not connected to the internet, no one can access it remotely. Second, you need to install a firewall. A firewall (when properly configured) blocks all unwanted inbound connections on TCP and UDP ports. Firewalls neutralize trojan horses.
Where did trojan horses come from? - Trojans were originally meant for remote administration, which is why trojans are also known as RATs (remote administration tools). People immediately realized that with a few modifications, these remote administration programs could be used to access someone's computer without his knowledge. The difference between a trojan and a true remote administration program is that a trojan runs silently in the background, rather than displaying an icon on the screen to indicate that it is being accessed from outside.
How did my computer get a trojan? - A trojan server comes in the form of an exe file. When that file is executed on a computer, it listens on a certain port for a connection. You can avoid getting trojans by not accepting files from people you don't trust. Executable files can also be joined to image files, so when you look at it with Windows Explorer, it appears as a jpeg, but when you double click on it, it executes the trojan. Perhaps you got your trojan from downloading a file on a website, or perhaps your friend gave it to you because he wanted to spy on you. If your friend wants to give you a file, make sure you scan it with a good virus scanner before running it. If someone is very eager to get you to run a file, you should get suspicious.
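A check a recipient can apply to the disguised files described above, as an added example that is not part of the original FAQ: it flags names whose final extension is executable behind an image-looking name, and files with an image extension whose first bytes are not an image. The function name, extension lists and sample files are constructed for illustration.

```python
import os

# Extensions Windows runs when double-clicked (a common subset, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Leading bytes of the image formats a recipient would expect to be harmless.
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
               ".gif": b"GIF8", ".bmp": b"BM", ".png": b"\x89PNG"}

def check_file(name, head):
    """Return reasons this file looks like a program dressed up as an image.

    name: file name as received; head: the first bytes of the file.
    """
    reasons = []
    stem, ext = os.path.splitext(name.strip().lower())
    # Strip padding spaces used to push the real extension out of view.
    inner_ext = os.path.splitext(stem.rstrip())[1]
    if ext in EXECUTABLE_EXTS and inner_ext in IMAGE_MAGIC:
        reasons.append("double extension: runs as a program, named like an image")
    if ext in IMAGE_MAGIC:
        if head.startswith(b"MZ"):  # DOS/Windows executables begin with "MZ"
            reasons.append("image extension but MZ executable header")
        elif not head.startswith(IMAGE_MAGIC[ext]):
            reasons.append("content does not match image extension")
    return reasons

# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),  # genuine JPEG
    ("holiday.jpg.exe", b"MZ\x90\x00\x03\x00"),        # double extension
    ("holiday.jpg      .scr", b"MZ\x90\x00"),          # padded double extension
    ("holiday.jpg", b"MZ\x90\x00\x03\x00"),            # program renamed to .jpg
    ("setup.exe", b"MZ\x90\x00"),                      # honest executable
]

def scan(samples):
    """Return [(name, reasons)] for every sample that raised a flag."""
    flagged = []
    for name, head in samples:
        reasons = check_file(name, head)
        if reasons:
            flagged.append((name, reasons))
    return flagged

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES):
        print(f"{name!r}: {'; '.join(reasons)}")
```

A clean result here does not make a file safe to run; it only rules out these two disguises, so the virus scan the answer recommends still applies.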
Is a trojan like a virus? - No. A virus is simply any program that replicates. Most viruses are malicious and will cause damage to your computer. A virus will not allow someone to remotely access your computer. A trojan does not replicate, therefore it is not a virus.
Could I have more than one trojan on my computer? - Yes, as long as the trojans do not use the same port. You could have two different trojans, or two of the same trojan running on two different ports.
What exactly can a script kiddie do to my computer? - That depends on the trojan your computer has. Some trojans won't allow him to do anything except read from and write to your hard drive. Other trojans will allow him to see everything just as if he was looking over your shoulder. I will now outline the Sub 7 trojan, one of the more popular ones. Sub 7 allows a script kiddie to do the following to a victim:
-copy/view/edit/delete files from the hard drive
-download files from your hard drive to his computer
-upload files from his computer to your hard drive
-execute any file on your hard drive
-view a list of all windows open on your computer, even hidden ones
-open a new window, close an existing window
-view your password file, which stores all cached passwords
-log your keystrokes in real time
-view a picture of what is on your screen
-get info about your PC, including CPU type, operating system, disk sizes, and name of computer owner (if you entered this information correctly when you installed your operating system, he can get your real name)
-IP notify (your computer discreetly sends a message to his computer when you establish an internet connection, so he knows when you are online and what your IP is if you have a dynamic IP)
-disable certain keyboard keys, or mouse keys
-open a chat box and chat with you
-chat with his friend who is also connected to you (it is possible for more than one script kiddie to connect to the same victim)
-change the port that your computer listens on for connections
-set a password so no one else can connect to you except himself
-display message boxes to your screen
-activate your screen saver
-spy on your incoming messages if you're using ICQ, AOL, MSN, or Yahoo IM
-edit your system registry
-redirect a port on your computer (this can be especially dangerous, because he can use your computer as a proxy, so if he is doing illegal things through your computer, anyone will think it's actually you who is doing illegal activity, and it will be difficult for you to prove otherwise)
-text2speech engine (this allows your computer speakers to say whatever he types, it sounds just like a real human voice talking)
-run an IRC bot through your computer
-view webcam (if your computer has a webcam, he can actually see you!)
-use your computer to remotely scan for infected IPs (why waste his bandwidth scanning for infected IPs and risk getting caught by his ISP, when he can tell your computer to scan for infected IPs and notify him of any it finds)
-print something to your printer
-open a webpage with your browser
-change your screen resolution
-hide certain parts of your desktop, e.g. mouse pointer, start menu
-restart/shutdown your computer
-disconnect you from the internet (if you're on dialup)
-play a wav file through your speakers
-display a jpeg/gif/bmp file on your screen
-change the time and date on your system
-some other annoying things like open/close your CD drive, beep your speaker, turn on caps lock, scroll lock, num lock, etc.
As you can see, this trojan horse allows someone to almost completely take over your computer. He can do almost anything just as if he was actually sitting at the keyboard like you are now. Many of the things he can do are just annoying (toggling nums/capslock, hiding mouse pointer) but some are dangerous (wipe your hard disk, get your passwords).
Aren't trojans illegal? - Accessing someone's computer without his consent is most certainly illegal anywhere. However, since the majority of script kiddies are aged under 18, there is little that can be done to chastise them. The person connecting to you may not necessarily be anywhere near your geographical location. You may be in Canada, and he may be in Germany or Taiwan or Iraq. Initiating legal action against someone in a foreign country will be very costly. Secondly, if someone connects to you, it will be difficult to prove it. You must note the exact time the connection was made, and the full IP address of the person connecting to you. Then you need to locate the internet service provider of that IP, which can be done by doing a reverse lookup. Click here to go to a site which allows you to do reverse lookups. Report the exact IP address to the ISP and the exact time the connection was made. It's unlikely that the ISP will do anything immediately. More likely, they will monitor all connections and then nab the guy the next time they notice him using a port associated with trojan horses. But even if an ISP catches someone using a trojan horse, they still may do nothing except terminate his internet account, because it is difficult if not impossible to prove that he actually did any damage while he was connected to your computer.
What is being done to prevent script kiddies from annoying or causing damage to people? - Sadly, very little. If your isp notices you scanning subnets, they will check to see which port you are scanning on. If it's a common trojan horse port, then they will know you are using a trojan. It is unlikely they will do anything unless you scan subnets very often, because it takes up a lot of bandwidth. I don't know much about how isp's deal with people scanning for trojans, so if someone could email me with some information, I would be very appreciative.