Thursday, March 4, 2010

Trojans and Backdoors - 5 :Wrappers


Wrappers



  • How does an attacker get BO2K or any trojan installed on the victim's computer? Answer: Using Wrappers


  • A wrapper attaches a given EXE application (such as games or orifice application) to the BO2K executable.


  • The two programs are wrapped together into a single file. When the user runs the wrapped EXE, it first installs BO2K and then runs the wrapped application.


  • The user only sees the latter application.

Wrappers are used to bind the Trojan executable with a legitimate file. The attacker can compress any (DOS/WIN) binary with tools like "petite.exe". This tool decompresses an exe-file (once compressed) on runtime. This makes it possible for the Trojan to get in virtually undetected, as most antivirus are not able to detect the signatures in the file.
The attacker can place several executables to one executable as well. These wrappers may also support functions like running one file in the background while another one is running on the desktop.
Technically speaking though, wrappers can be considered to be another type of software "glueware" that is used to attach together other software components. A wrapper encapsulates a single data source to make it usable in a more convenient fashion than the original unwrapped source.
Users can be tricked into installing Trojan horses by being enticed or frightened. For example, a Trojan horse might arrive in email described as a computer game. When the user receives the mail, they may be enticed by the description of the game to install it. Although it may in fact be a game, it may also be taking other action that is not readily apparent to the user, such as deleting files or mailing sensitive information to the attacker.
Graffiti.exe is an example of a legitimate file that can be used to drop the Trojan into the target system. This program runs as soon as windows boots up and on execution keep the user distracted for a given period of time by running on the desktop.
Tool: EliteWrap



  • Elite Wrap is an advanced EXE wrapper for Windows 95/98/2K/NT used for SFX archiving and secretly installing and running programs.


  • With EliteWrap one can create a setup program that would extract files to a directory and execute programs or batch files to display help, copy files, etc.
Icon Plus is a conversion program for translating icons between various formats. Icon Plus now can read and save Windows XP icons. Icon Plus can also be worked at from the command prompt. This kind of application can be used by an attacker to disguise his malicious code or Trojan so that users are tricked into executing it.
There are numerous icon libraries available on the Internet that allows a user to change icons to suit various operating systems by aping their look and feel.
Tool: Restorator


It is a versatile skin editor for any Win32 programs: change images, icons, text, sounds, videos, dialogs, menus, and other parts of the user interface. Using this one can create one's own User-styled Custom Applications (UCA).
The relevance of discussing this tool here arises from its ability to modify the user interface of any Windows 32-bit program and thus create UCA's. The user can view, extract, and change images, icons, text, dialogs, sounds, videos, menus and much more.
Infecting via CD-ROM



  • When you place a CD in your CD-ROM drive, it automatically starts with some set up interface. An Autorun.inf file that is placed on such CD's is responsible for this action which would look like this:
    [autorun]  open=setup.exe  icon=setup.exe 


  • Therefore it is quite possible that while running the real setup program a trojan could be run very easily.


  • Turn off the Auto-Start functionality by doing the following:
    Start button-> Settings-> Control Panel-> System-> Device Manager-> CDROM-> Properties -> Settings 
The Autorun.inf file that is placed on such CD's can be configured to execute the Trojan. This makes it possible to infect a machine while running the real setup program. It looks like this:
[autorun]  Open= setup.exe  Icon= setup.exe 
Countermeasure is to stop auto start functionality by doing the following:
Start Button-> Settings-> Control Panel-> System-> Device Manager-> CDROM->Properties- > Settings 
Turn off the reference to Auto Insert Notification

0 comments:

Post a Comment