Wednesday, December 26, 2007

The Hacker's Tricks Of The Trade

Exposing The Hacker
It is our desire that by exposing these "tricks of the trade" the Internet user will be better prepared with the knowledge and tools needed not be fooled by the following hacker tricks. We will use the LockDown Millennium software as a basis for defeating these tricks, because every hacker trick and every trojan type has been taken into account during the years that it took for us to develop it.


Windows Hidden File Extensions
You might not be aware of this, but even if you tell Windows to show all file extensions there are still some that are hidden by default. Also, any installed program can configure extensions to be hidden. This is why you will find a special window in the Generics program that will show you what extensions are being hidden and allow you to toggle them unhidden. The Show Extensions window iin the LockDown Millennium Generics menu will automatically mark any potentially dangerous hidden extensions in red, so that you will know which ones to toggle to unhidden. Here are a couple of examples on how this works and why some hidden extensions could be a danger to some computer users. Assuming that you already configured Windows explorer to show all extensions:


SHS Extensions

1.

Make a copy of notepad.exe and put it on your desktop.
2.

Open Wordpad
3.

Click and drag notepad.exe into the open wordpad document.
4.

Click and drag it back to the desktop
5.

Rename the file that it created (Scrap) to Readme.txt

You now have what appears to be a text document icon and a clearly named readme.txt file showing on your desktop. Click on the text file and the notepad opens up. If this were a trojan, you would have been fooled and infected by what seemed to be a harmless text file. If the extension was allowed to be seen you would not have been fooled by the file Readme.txt.shs


PIF Extensions
Next, try renaming notepad.exe to anything.txt.pif You will only see the file name anything.txt on your desktop. This is because PIF is another extension that Windows hides by default. If you run the file it will execute the program, this is because Windows will also execute PIF extensions as if they were executable files.

SCR Extensions
Another extension to watch out for is SCR. Rename your copy of notepad.exe to notepad.scr and click on it. It will run notepad as an executable file. Many people have been fooled by hackers taking over a victim's account. The hacker sends email or other type of message to all of the victim's friends saying "Check out this cool new screen saver, you will laugh your butt off!" Because the message came from a trusted source, most were fooled and ran the SCR file and then ended up with a hacker connecting to their computer. LockDown Millennium scans all SCR files for trojan infections by default.


Dangerous Commands That Can Be Embedded

PIF Shortcut Extensions

Some hidden file extensions can easily be programmed with hidden commands that could do damage to your system. Following is a simple test:

1.

Right click your mouse on your desktop and select New
and then ShortCut
2.

In the command line type: format a: /autotest
3.

Click Next
4.

In the "Select a name for the shortcut" area type: readme.txt
5.

Click Next
6.

Select a notepad icon and click Finish

You now have a file on your desktop called readme.txt with a notepad icon. Make sure there is a disk in your drive that you do not mind being wiped and click on the icon. The file that you click on will do a format on the disk in the A: drive. Of course, the hacker's icon would target another drive, or maybe have a name such as 'game.exe' and with a command to delete your Windows directory or (deltree /y c:\*.*) your entire C drive!

If the PIF extension were not hidden, this would not be able to fool you. And if it was added to your startup folder waiting for a reboot, LockDown Millennium would warn you within seconds.


SHS Extensions

Scrap files can also hide embedded commands. Following is a simple test:

1.

Make a copy of notepad.exe and put it on your desktop.
2.

Open Wordpad
3.

Click and drag notepad.exe into the open wordpad document.
4.

Click on Edit and select Package Object, then select Edit Package
5.

Click on Edit and then Command Line
6.

Type a command in the box such as format a: /autotest and click on Ok
7.

The Icon can also be changed from this edit window
8.

Exit from the edit window and it will update the document
9.

Click and drag notepad back to the desktop
10.

Rename the file that it created (Scrap) to Readme.txt

You now have what will look like a text file. If it is run it will format the disk in the A: drive. As seen in the example above for PIF Shortcut Extensions, the hacker could use more dangerous commands.


Trojan Startup Methods
Most people do not know the many different ways that hackers are using to start trojan files. If a hacker infects your computer with a trojan, he will need to select a startup method so that the trojan will load when you reboot your computer. Common startup methods are the registry run keys, the Windows Startup folder, the Windows load= or run= lines found in the Win.ini file and the Shell= line found in the Windows System.ini.


Dangerous Startup Methods
Because there are only a handful of these startup methods, we find more hackers going to extremes to find new methods of startup. This includes using dangerous changes to the system registry, which will rend the system useless if the trojan file or it's companion file is ever removed. This is one reason not to use standard anti virus software to remove trojans. If one of these methods are used, and the file is removed without fixing the system registry, your system may not be able to run any programs after you reboot. LockDown Millennium detects and repairs all of these dangerous startup methods as seen with this Sub7 infection.


The ICQ Startup Method
Another startup method now commonly used is the ICQ netdetect. Many ICQ users are not aware that a hacker can add a configuration line to ICQ in order to have it start the trojan every time that the program is loaded. As a test you can try the following:

1.

Open ICQ
2.

Click on the ICQ icon and select Preferences
3.

Click on Connection
4.

Click on Edit Launch List
5.

Click On Add
6.

Click on Browse
7.

Find a file to add \Windows\Notepad.exe would work for this test.
8.

Click on Open, and then Ok

The file will run when you restart ICQ. If you go to your Startup Programs window in the Generics module, you can locate the program listed as a startup program. You will see "ICQ NetDetect" as the startup method. Simply select the file in the LockDown Millennium Start Programs window and click on the "Remove Program From Startup" button and it will be removed immediately.

Other Startup Methods
For information about other startup methods and dangers read the Startup Programs area of this help file under the topic The LockDown Millennium Program ; Generics ; Startup Programs

1 comment:

Lourine said...

Good words.