World of Computer Science and Information Technology Journal (WCSIT)
ISSN: 2221-0741
Vol. 1, No. 3, 56-62, 2011
A Comparison of Trojan Virus Behavior in Linux and Windows Operating Systems

Ghossoon M. W. Al-Saadoon
Ass. Professor, Head of Dept. of MIS,
College of Administrative Science, Applied Science University
Manama, Kingdom of Bahrain
dr.ghoson@asu.edu.bh

Hilal M. Y. Al-Bayatti
Prof. of Computing, College of Arts and Science, Applied Science University
Manama, Kingdom of Bahrain
dr.Hilal@asu.edu.bh
Abstract - Trojan virus attacks pose one of the most serious threats to computer security. A Trojan horse is typically separated into two parts, a server and a client. It is the client that is cleverly disguised as significant software and positioned in peer-to-peer file sharing networks or unauthorized download websites. The most common means of infection is through email attachments. The developer of the virus usually uses various spamming techniques in order to distribute the virus to unsuspecting users. Malware developers also use chat software such as Yahoo Messenger and Skype as another method to spread their Trojan horse viruses.
The objective of this paper is to explore network packet information and detect the behavior of Trojan attacks by monitoring operating systems such as Windows and Linux. This is accomplished by detecting and analyzing the Trojan-infected packet from a network segment (where it passes through as an email attachment) before it attacks a host computer.
The results obtained by detecting and storing infected packets, viewed through a web browser, also compare the behaviors of Linux and Windows using the payload size after running the Wireshark packet sniffer. The analysis of the captured packet data examines the TCP control bits, checks their behavior, and compares the usability of the Linux and Windows operating systems.
Keywords - Trojan horse behavior; Internet Security; Segment of Network; Pcap- Packet CAPture; Payload.
I. INTRODUCTION
A Trojan horse is a program in which malicious or harmful code is contained inside an apparently harmless program or data in such a way that it can get control and do its chosen form of damage, such as ruining or erasing data on the hard drive. A Trojan can cause massive harm to computing systems and, worse still, may turn a computing system into a killing machine. Let us look at Back Orifice specifically so we can highlight why a tool like this can become ugly if installed on your systems.
A Trojan virus works by hiding within a set of seemingly useful software programs. Once executed or installed in the system, this type of virus will start infecting other files in the computer. A Trojan virus is also usually capable of stealing important information from the user's computer. The developer will then be able to gain a level of control over the computer through the Trojan virus [6]. While these things are taking place, the user will notice that the infected computer has become very slow, or that unexpected windows pop up without any activity from the user. Later on, this will result in a computer crash [3].
II. RELATED WORK
Internet security is an important element in networking: it needs protection against intruders. Even though many anti-virus software packages have been designed to detect malicious code, they still fail to do so. There are two common methods that an anti-virus application uses to detect viruses. The first, and by far the most common, method of virus detection is to use a list of virus signature definitions; the second method is to use a heuristic algorithm to find viruses based on common behaviors. The use of a heuristic algorithm involves inspecting the code in a file (or other object) to see if it contains virus-like instructions [10].
Back Orifice consists of two key pieces: a client application and a server application. The way in which Back Orifice works is that the client application runs on one machine and the server application runs on a different machine. The client application connects to the other machine using the server application. The confusing part is that the server is installed on the victim. Many people may be confused by this because it does not seem logical, but that is how it works. The only way for the server application of Back Orifice to be installed on a machine is for it to be installed deliberately. Obviously, the Trojan does not come with a default installation of Windows 2000, so the attacker must find a way to get the victim to install it [7].
III. TROJAN HORSE PROBLEMS
Trojans are difficult to detect because they appear to be useful programs or applications, and users tend to download them. Furthermore, database Trojans represent a sophisticated attack because the attack is separated into two parts, the injection of the malicious code and then calling it, which is one of the reasons Trojans are difficult to track.
This paper focuses on how it is possible to detect and analyze network packets on a segment that arrive through e-mail attachments, and gives a behavior comparison between the Windows and Linux operating systems against Trojan attacks. This is done through network packet information capture, checking, analysis, storage and display.
IV. TYPES OF TROJAN
There are various types of Trojans that damage victim machines, threaten data integrity, or impair the functioning of the victim's machine. Multi-purpose Trojans are also included: some virus writers have created multi-functional Trojans rather than Trojan packs. Some types of Trojans are listed below; this research focuses on the Backdoor type.
- PSW Trojans [1,2].
- Trojan Droppers [8].
- Rootkits [2].
- Arcbomb [8].
- Trojan Downloaders [8].
- Trojan Proxies [8].
- Trojan Spies [8].
- Trojan Notifiers [8].
- Backdoors.
A. Backdoor Trojans are the most dangerous type of Trojan and also the most widespread one. These Trojans are remote administration utilities that open infected machines to external control via a LAN or the Internet. They function in the same way as legitimate remote administration programs used by system administrators, which makes them difficult to detect. The only difference between a legitimate administration tool and a backdoor is that backdoors are installed and launched without the knowledge or consent of the user of the victim machine.
B. Once the backdoor is launched, it monitors the local system without the user's knowledge; often the backdoor will not be visible in the log of active programs. Once a remote administration utility has been successfully installed and launched, the victim machine is wide open. Backdoor functions can include [6]:
- Sending/receiving files
- Launching/deleting files
- Executing files
- Displaying notifications
- Deleting data
- Rebooting the machine
C. In other words, backdoors are used by virus writers to detect and download confidential information, execute malicious code, destroy data, include the machine in bot networks, and so forth. In short, backdoors combine the functionality of most other types of Trojans in one package. Backdoors have one especially dangerous sub-class: variants that can propagate like worms [6, 9]. The only difference is that worms are programmed to propagate constantly, whereas these 'mobile' backdoors spread only after a specific command from the 'master'.
V. EXISTING NETWORK PACKET MONITORING TOOLS ON GNU/LINUX
The most commonly used desktop-based network monitoring tools are Tcpdump and Wireshark [10]. The main features of Wireshark are:
1. It is distributed under the GNU's Not UNIX (GNU) General Public License (GPL) open-source license.
2. It works in promiscuous and non-promiscuous modes.
3. It can capture data from the network or read from a capture file.
4. It has an easy-to-read and configurable GUI.
5. It has rich display filter capabilities.
6. It runs on over 20 platforms, including Uniplexed Information and Computing System (UNIX)-based operating systems (OSs) and Windows, and there are third-party packages available for Mac OS X.
7. It supports over 750 protocols, and because it is open source, new ones are contributed frequently.
8. It can capture data from a variety of media (e.g., Ethernet, Token-Ring, 802.11 Wireless, and so on).
9. It includes a command-line version of the network analyzer called tshark.
VI. THE PROPOSED SOLUTION
The aims of this paper, as mentioned before, are to capture computer network packets from a network segment, check each packet for Trojan virus detection, analyse the Trojan packet and store its information for further viewing using any web browser.
The methodology includes three main parts: the first part is Ubuntu (the operating system), the second part is the software design using packet capture, and the last part is the analysis of packets applied under the Ubuntu and Windows operating systems. Ubuntu is a computer operating system based on the Debian Linux distribution; Ubuntu provides an up-to-date, stable operating system for the average user, with a strong focus on usability and ease of installation.
Pcap (packet capture) consists of an Application Programming Interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library; Windows uses a port of libpcap known as WinPcap. Monitoring software may use libpcap and/or WinPcap to capture packets travelling over a network and, in newer versions, to transmit packets on a network at the link layer, as well as to obtain a list of network interfaces for possible use with libpcap. Both libraries also support saving captured packets to a file and reading files containing saved packets; applications can be written using libpcap to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that libpcap and WinPcap use can be read by any application that understands that format.
Software Design
Software design is a multi-disciplinary activity that develops tools through effective communication of ideas and the use of engineering practices. The process passes through five phases, as below:
Phase 1: Capture and extract network packet information.
Phase 2: Check for Trojan-infected packets.
Phase 3: Analyze the Trojan packet.
Phase 4: Store Trojan packet information in a file.
Phase 5: Display the information using a web browser.
Phase 1: Capture and extract network packet information.
The Packet Sniffer is used to capture network packet information and store it in a data buffer for further processing. The Packet Sniffer module operates at the network layer and captures the network packets that physically pass through the Network Interface Card (NIC). In this module the NIC receives packets directly from a network segment. The process of this module involves network hub setting, packet capture, packet information extraction and packet information storage into a file. The functionality of the probe module is realized through the use of the open-source libpcap library [4]. All processes in this module use libpcap library functions, as shown in Figure 1.
1. Initialize the Ethernet, IP, TCP and UDP header structures
2. Capture the packet length
3. Capture the source and destination MAC addresses
4. Check the network layer protocol (IP or ARP)
5. If a packet is captured then:
   i. Save the source and destination IP addresses
   ii. Check the transport layer protocol (TCP)
   iii. Save the source and destination ports
   iv. Display the payload
6. Check the application layer protocol based on the source and destination ports
7. Exit
Figure 1: The Algorithm Process for Packet Information Grabbing
Phase 2: Check Trojan infected packet.
Packets that have been captured from the network segment are displayed in Figure 2. The packets crossing the network are not in a readable form: they pass through in binary, so the Packet Sniffer is designed to print the data in hex and ASCII format. The data are printed in rows of 16 bytes and the payload size (in bytes) is given on line 2. This form of presentation makes it easier to distinguish normal packets from infected packets.
Figure 2: Packets captured through the network segment are displayed
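As an added illustration of the pcap file format described in Section VI and of the Phase 1 (Figure 1) and Phase 2 procedures, the following script is example code written for this page; it is not the paper's Packet Sniffer, which is built on libpcap. It walks a pcap blob with the standard-library struct module instead of libpcap, extracts the Figure 1 fields (length, MAC addresses, IP or ARP, IP addresses, transport protocol, ports, payload, port-based application guess) from each Ethernet/IPv4 frame, and prints the payload in rows of 16 bytes in hex and ASCII. The pcap blob, the MAC and IP addresses, the ports and the port-to-application table APP_PORTS are constructed assumptions.

```python
import struct

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
IPPROTO_TCP, IPPROTO_UDP = 6, 17
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
# Hypothetical port-to-application table for step 6 of Figure 1 (assumption).
APP_PORTS = {21: "FTP", 25: "SMTP", 53: "DNS", 80: "HTTP", 110: "POP3", 443: "HTTPS"}


def iter_pcap_records(blob):
    """Walk the libpcap file format: a 24-byte global header whose magic number
    fixes the byte order, then 16-byte record headers, each followed by
    incl_len bytes of frame data. Yields (ts_sec, ts_usec, frame)."""
    magic = blob[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        order = "<"            # file written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        order = ">"            # file written on a big-endian host
    else:
        raise ValueError("not a pcap file (magic %r)" % magic)
    offset = 24
    while offset + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", blob, offset)
        offset += 16
        yield ts_sec, ts_usec, blob[offset:offset + incl_len]
        offset += incl_len


def parse_frame(frame):
    """Steps 2-6 of the paper's Figure 1: frame length, MAC addresses,
    network-layer protocol (IP or ARP), IP addresses, transport protocol,
    ports, payload and a port-based guess at the application protocol."""
    info = {"length": len(frame)}
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    info["dst_mac"] = dst_mac.hex(":")
    info["src_mac"] = src_mac.hex(":")
    if ethertype == ETH_P_ARP:
        info["net"] = "ARP"
        return info
    if ethertype != ETH_P_IP:
        info["net"] = "other"
        return info
    info["net"] = "IP"
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]
    info["src_ip"] = ".".join(str(b) for b in frame[26:30])
    info["dst_ip"] = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + ihl
    if proto == IPPROTO_TCP:
        sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", frame, l4)
        hlen = (off_flags >> 12) * 4      # TCP data offset, in bytes
        info.update(transport="TCP", src_port=sport, dst_port=dport, seq=seq, ack=ack,
                    flags=off_flags & 0x1FF, payload=frame[l4 + hlen:])
    elif proto == IPPROTO_UDP:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        info.update(transport="UDP", src_port=sport, dst_port=dport, payload=frame[l4 + 8:])
    else:
        info.update(transport="other", payload=frame[l4:])
        return info
    info["app"] = APP_PORTS.get(info["dst_port"], APP_PORTS.get(info["src_port"], "unknown"))
    return info


def hexdump(data, width=16):
    """Rows of 16 bytes: offset, hex bytes and ASCII, as the Phase 2 display does."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append("%04x  %s  %s" % (off, hexpart, text))
    return rows


# --- constructed input: two Ethernet/IPv4/TCP frames wrapped in a pcap blob ---
def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, seq, ack, payload=b""):
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                         bytes(int(x) for x in src_ip.split(".")),
                         bytes(int(x) for x in dst_ip.split(".")))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    return eth + ip_hdr + tcp


def build_pcap(frames):
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        blob += struct.pack("<IIII", 1300000000 + i, 0, len(frame), len(frame)) + frame
    return blob


SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.168.1.10", "10.0.0.5", 49152, 80, SYN, 1000, 0),
    build_tcp_frame("192.168.1.10", "10.0.0.5", 49152, 80, PSH | ACK, 1001, 5001, b"GET / HTTP/1.0\r\n"),
])


def summarize_pcap(blob):
    """Parse every record of a pcap blob into the Figure 1 field set."""
    return [parse_frame(frame) for _, _, frame in iter_pcap_records(blob)]


if __name__ == "__main__":
    for rec in summarize_pcap(SAMPLE_PCAP):
        print("%(src_ip)s:%(src_port)d -> %(dst_ip)s:%(dst_port)d %(transport)s app=%(app)s "
              "flags=0x%(flags)03x len=%(length)d" % rec)
        print("payload size: %d bytes" % len(rec["payload"]))
        print("\n".join(hexdump(rec["payload"])))
```

The same parse_frame and hexdump functions work on frames read from a real capture file (open the .pcap in binary mode and pass its bytes to summarize_pcap), since the file layout is the one libpcap and WinPcap write; only the sample blob here is synthetic.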
Phase 3: Analysis of Trojan packet.
The analysis of a Trojan packet in the previous method entailed comparing two packets, one normal and one abnormal. After the abnormal packet had been detected, the packets were analyzed to determine whether they are Trojan packets or not. Two types of Trojan (Trojan horse and Backdoor) were sought, and both types were analyzed in the same way; the detection is explained on the TCP header.
The analysis involved four steps, as follows:
Step 1: Analyzing the Ethernet frame,
Step 2: Analyzing the Internet Protocol header,
Step 3: Analyzing the TCP header, and
Step 4: Analyzing the payload pattern.
Phase 4: Store Trojan packet information in a file.
All the information obtained from the infected packets was collected and stored in a file that the web browser can read, as shown in Figure 3.
Figure 3: Infected Packet Storage Module
Phase 5: Display information using web browser.
The Packet Sniffer captures and extracts all the packet information that has been defined, then analyzes all the infected captured packet information and stores all the required information into files for viewing. The possible information includes the protocols being used on a network segment, but it concerns mainly the behavior of the TCP header, the IP header and the traffic between each source and destination. The analyzed network traffic information can be viewed through a web browser; the data transaction between the web browser and the Packet Sniffer consists of a sequence of actions, which are shown in Figure 4.
Figure 4: Data Transaction between Web Browser and Server
A user's web browser issues an HTTP request for a particular web page. The web server receives the request for results. The PHP script retrieves the file and sends it to the PHP engine for processing. The PHP engine finishes running the script, which usually involves formatting the results in HTML. It then returns the resulting HTML to the web server. The web server passes the HTML back to the browser, where the user can view the requested output. The web pages are developed using PHP and HTML code. The analyzer analyzes the packet information and stores it in data log files. The PHP script reads the files according to the user's selection and displays the Internet traffic information. For ease and efficiency, a web-based user interface is used. A web-based interface eliminates porting problems, while a single script provides uniform results regardless of the operating system, wherever the user is located.
VII. RESULTS
The results of implementing the packet sniffer on the network for the Linux and Windows operating systems are as follows:
A. Results for Trojan horse attack payload
The attack payload is obtained by sending an e-mail to the PC: an (.exe) file named hp-ftp is attached to the mail and sent to the PC, and the file may be downloaded. The attached file, which contains the Trojan horse, has the following behaviors:
1) It contains netstat information to abort [at] yahoo.com LinuxPir8 [at] yahoo.com, see Figure 5.
2) File size: 14140. The infected packets, i.e. the Trojan horse that was tested for this experiment, carry certain information, such as length or file size and netstat information. Figure 6 clearly shows that from TCP segment bytes 0230-12e0 the payloads are not infected. However, when the netstat information is encrypted or the file is being processed, the payloads after that are infected. The same thing occurs to the information available for the Trojan horse (file name hp-ftp), where the file size is 14140: when the network protocols process the file information it becomes infected, as shown in Figure 6.
Figure 5: Sniffing Results for HP-FTP file netstat information.
Figure 6: Sniffing Results for HP-FTP file file size.
3) To establish whether or not this file has been infected by a Trojan horse, the file is placed independently in a specified folder. After that an anti-virus program is used to scan the specified folder and examine whether the program is malicious or not.
B. Results for Backdoor Trojan attack payload
An attack payload is obtained by sending an e-mail to a PC: an (.exe) file named backdoor is attached to the mail and sent to the PC, and the file is then downloaded. The attached file, which contains the Backdoor Trojan, has the following behavior.
The results for the Trojan Backdoor attack payload for Windows-based Wireshark show that the Trojan Backdoor produces a different pattern of behavior compared with the normal behavior of the Trojan horse. The Trojan Backdoor output is an empty payload: no data are carried by the "backdoor" packets. Based on these results, the empty payload is defined as an attack when compared with normal packets. Figure 7 shows the control bit behavior.
Figure 7: Sniffing result for backdoor.
The flags analysis for the backdoor is based on Linux and Windows. The discussion is based on a comparison of the control bits.
In the Windows operating system the flag captured at time 10.438 shows the normal behavior of the control bits: flag ACK is set at that time, with sequence number 79225 and acknowledgment number 759, and the TCP flow started off well, without any abnormalities. With the same attempts in Ubuntu, at times 16.479, 16.480 and 16.480 a three-way handshake occurs, showing that a TCP connection is established. Abnormalities occur in Windows at time 10.712, where only the SYN flag is set, which means it has initiated a TCP connection, as shown in Figure 8.
Figure 8: Analysis Graph for Backdoors based Windows
The port number changed from 80 to 82, which shows weird, abnormal behavior. TCP should by right only access port 80, since there was no other network access to the Internet; in Linux-based Wireshark, by comparison, all the destination port numbers were 80. From these abnormal behaviors it can be concluded that the Backdoor Trojan affects port numbers; also, from time 10.710 till 10.712 the sequence number and acknowledgment number were 0. Empty data are transmitted through the TCP flow. According to this behavior, it can be concluded, or there can be strong agreement, that this is abnormal behavior of the TCP flow caused by malicious code (the Backdoor Trojan).
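The control-bit reasoning above can be made repeatable. The following is an added example written for this page, not the paper's tool. It assumes one Wireshark-like summary record per segment (time, addresses, ports, flags, relative sequence and acknowledgment numbers, payload length); the records are constructed to mirror the two situations the text describes (a completed three-way handshake to port 80 followed by data, and repeated SYN-only segments to port 82) and are not captured data. For each flow it tracks the handshake state and reports three things a defender would want flagged: a port outside the expected set, a SYN that never leads to an established connection, and an established flow that exchanged no payload at all.

```python
"""Per-flow TCP control-bit checks over Wireshark-style segment summaries.
Added example; records below are constructed, not captured data."""
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = [(SYN, "SYN"), (ACK, "ACK"), (PSH, "PSH"), (FIN, "FIN"), (RST, "RST")]


def flag_names(flags):
    """Render a flag bitmask the way a capture tool's Info column does."""
    return "/".join(name for bit, name in FLAG_NAMES if flags & bit) or "none"


def flow_key(seg):
    """Direction-independent key so both halves of a conversation meet."""
    return tuple(sorted([(seg["src"], seg["sport"]), (seg["dst"], seg["dport"])]))


def note(flow, msg):
    """Record a finding once per flow."""
    if msg not in flow["findings"]:
        flow["findings"].append(msg)


def analyze(records, expected_ports=(80,)):
    """Return {flow_key: [finding, ...]}; an empty list means nothing odd.
    Handshake states: new -> syn_sent -> syn_received -> established."""
    flows = {}
    for seg in sorted(records, key=lambda r: r["time"]):
        flow = flows.setdefault(flow_key(seg),
                                {"state": "new", "syns": 0, "bytes": 0, "findings": []})
        # Check 1: the paper expects only port 80 on this segment.
        if seg["dport"] not in expected_ports and seg["sport"] not in expected_ports:
            note(flow, "port %d used instead of expected %s" % (seg["dport"], list(expected_ports)))
        flags = seg["flags"]
        if flags == SYN:                                   # only SYN set: connection initiated
            flow["syns"] += 1
            if flow["state"] == "new":
                flow["state"] = "syn_sent"
        elif flags == SYN | ACK and flow["state"] == "syn_sent":
            flow["state"] = "syn_received"
        elif flags & ACK and flow["state"] == "syn_received":
            flow["state"] = "established"                  # three-way handshake complete
        flow["bytes"] += seg["len"]
    for flow in flows.values():
        # Check 2: SYN seen but the handshake never completed.
        if flow["state"] == "syn_sent":
            note(flow, "SYN seen %d time(s) but the connection was never established" % flow["syns"])
        # Check 3: a connection that carried only empty payloads.
        if flow["state"] == "established" and flow["bytes"] == 0:
            note(flow, "established flow carried an empty payload in both directions")
    return {key: flow["findings"] for key, flow in flows.items()}


def segment(time, src, sport, dst, dport, flags, seq, ack, length):
    return dict(time=time, src=src, sport=sport, dst=dst, dport=dport,
                flags=flags, seq=seq, ack=ack, len=length)


# Constructed records (assumed addresses and ports). The first flow models the
# normal handshake the paper reports under Ubuntu (SYN, SYN/ACK, ACK, then data
# to port 80); the second models the Windows trace where only SYN is set and
# the port has moved to 82.
SAMPLE_RECORDS = [
    segment(16.479, "192.168.1.20", 50000, "10.0.0.5", 80, SYN, 0, 0, 0),
    segment(16.480, "10.0.0.5", 80, "192.168.1.20", 50000, SYN | ACK, 0, 1, 0),
    segment(16.480, "192.168.1.20", 50000, "10.0.0.5", 80, ACK, 1, 1, 0),
    segment(16.481, "192.168.1.20", 50000, "10.0.0.5", 80, PSH | ACK, 1, 1, 120),
    segment(10.710, "192.168.1.30", 50001, "10.0.0.5", 82, SYN, 0, 0, 0),
    segment(10.711, "192.168.1.30", 50001, "10.0.0.5", 82, SYN, 0, 0, 0),
    segment(10.712, "192.168.1.30", 50001, "10.0.0.5", 82, SYN, 0, 0, 0),
]

if __name__ == "__main__":
    for key, findings in analyze(SAMPLE_RECORDS).items():
        label = "%s:%d <-> %s:%d" % (key[0] + key[1])
        print(label, "-> normal" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

Records in this shape can be produced from a capture with tshark's field output (frame time, addresses, ports, tcp.flags, seq, ack and tcp.len), which is why the checks are written against a summary row rather than raw bytes; a SYN that is retransmitted a few times to a closed port can also be an ordinary failed connection, so the findings are leads for the analyst to confirm against Figures 7 and 8, not verdicts.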
Table 1 shows the behavior of the Trojan horse and the Backdoor in both Linux and Windows.
Table 1: Comparison of Trojan virus behavior between Linux and Windows

| Events | Linux | Windows |
|---|---|---|
| Operating system behavior | GNU/Linux is more stable than Windows. | Windows is easily attacked without the user's knowledge. |
| Trojan horse behavior | The packets are infected after the information enters the network. | The packets are infected after the information enters the network. |
| Backdoor Trojan behavior | Flags analysis for the backdoor based on Linux; the discussion is based on a comparison of both figures based on the control bits. | The flag captured at time 10.438 shows the normal behavior of the control bits. Flag ACK is set at that time with sequence number 79225 and acknowledgment number 759; the TCP flow started off well without any abnormalities. |
| The Trojan horse attack: infected packets (Sniffer payload) | The packets are not fully infected; they are just infected in certain parts. | Both Wireshark and the Packet Sniffer have the same results for the Trojan horse attack. |
| Execution of the Trojan Backdoor (.exe) | In GNU/Linux (Ubuntu), the file is unable to run and shows an error message. | The file can only execute in Windows. |
VIII. DISCUSSIONS
A. The Trojan Backdoor, which is an (.exe) file, is executed in both GNU/Linux (Ubuntu) and Windows operating systems. In GNU/Linux (Ubuntu), one should double-click the downloaded file and try to run it. The file cannot run and shows an error message, whereas in Windows the program can be executed. Upon execution of the backdoor .exe file, the file will enter the system and might be able to crash the system. The file has a valid icon, which can be executed.
B. Analysis of infected packets using Linux-based Wireshark vs. the Packet Sniffer: the results obtained from the Trojan horse show that it is an attack payload for both Linux-based Wireshark and the Packet Sniffer. Both Wireshark and the Packet Sniffer have the same results for a Trojan horse attack. Windows-based and Linux-based Wireshark also give the same output. Therefore the output for Linux-based Wireshark and the Packet Sniffer is discussed together. A Trojan horse changes the behavior of the packets: they are infected after the information enters the network. The packets are not fully infected, only certain parts are infected; 00 means that no packet has been sent to the destination port from the source port. In this case, when downloading the file, the TCP data transfer was interrupted; by comparison with the normal packet, the (.exe) file did not interrupt the TCP connection process. The only difference is that the executable file can be executed in Windows only, and Linux does not allow the execution.
C. Analysis of infected packets in Windows-based Wireshark: the results discuss the Trojan Backdoor attack payload for Windows-based Wireshark. To access the web page, one first has to type in the link as stated; localhost is used since we created our own server, and the host PC's IP address has to be inserted for access from another PC.
IX. CONCLUSION
The main target of this paper is to detect Trojan horse infected packets from a computer network segment before they can attack a computer, and to compare the "Trojan horse" and "backdoor" attacks in Ubuntu (Linux) and Windows. From the implementation we can conclude that:
- Linux and Windows have the same output for a Trojan horse attack through the infected packet, in the Wireshark vs. Packet Sniffer output.
- The infected captured packets for both Linux and Windows have the same behavior. Besides that, the comparison between normal packets and Trojan packets shows that there are differences, which are found only inside the packet payload.
- The objectives of this paper have been partially achieved in the following sense: first, the infected packet has been captured (Wireshark vs. Packet Sniffer output) and the network information explored, and secondly, a Trojan attack from a computer network segment has been detected and monitored.
- The Packet Sniffer, which uses Linux commands, has successfully captured live data, and this tool allows the sniffing of more packets compared with Wireshark; on the other hand, Wireshark sniffs packets very fast compared with the Packet Sniffer, which allows the user to capture up to 1000 packets.
- The designed code is able to capture TCP, IP, UDP and also ICMP protocol information. The TCP payload was used to obtain more in-depth information about packets to detect a Trojan attack.
REFERENCES
[1] Antivirus Scanner for Unices. Available from: http://www.bitdefender.com/world/business/antivirus-for-unices.html
[2] Bishop, M., "An Overview of Computer Viruses in a Paper Environment", p. 1-32, Technical Report: PCS-TR91-156-1999.
[3] Danchev, D., "The Complete Windows Trojans Paper". Available from: http://www.windowsecurity.com/whitepapers/The_Complete_Windows_Trojans_Paper.html, Aug 29, 2005.
[4] Jacobson, V., Leres, C., & McCanne, S., Tcpdump Manual Page, 1997. Retrieved January 10, 2008, from http://www.tcpdump.org
[5] Li, X., Computer Viruses: The Threat Today and The Expected Future, p. 71, 2003.
[6] P2P-Worm.Win32.BlackControl.g, Trojan Programs. Available from: http://www.securelist.com/en/descriptions/15243378/P2PWorm.Win32.BlackControl.g, Aug 20, 2010.
[7] Shimonski, R. J., "Trojan Horse Primer", http://windowsecurity.com/articles/Trojan_horse_primer.html, 2004.
[8] Trojan Programs. Available from: http://www.viruslist.com/en/virusesdescribed?chapter=152540521, Oct 20, 2010.
[9] Ubuntu Operating System. Available from: http://en.wikipedia.org/wiki/Ubuntu_(operating_system)
[10] Wireshark. Available from: http://en.wikipedia.org/wiki/Wireshark, November 2010.
AUTHORS PROFILE
Ghossoon M.W. Al-Saadoon is a senior lecturer in Network Security and Databases. Dr. Al-Saadoon is Head of the Department of Management Information Systems and Director of the Academic Staff Performance Development Center at the Applied Science University College of Administrative Science, Manama, Kingdom of Bahrain. She holds a PhD degree in computer science from the Iraqi Commission for Computers and Informatics / Institute for Postgraduate Studies in Informatics, 2006; in addition, she is a member of CSC Journals and a member of ISACA. Dr. Al-Saadoon has more than 19 years of experience, including project management experience in planning and leading a range of IT-related projects. Dr. Al-Saadoon supervised many computer and communication engineering students leading to Ph.D. and M.Sc. degrees in computer and communication engineering at UniMap. Dr. Al-Saadoon has three awards (two from the Ministry of Science, Technology and Innovation (MOSTI) and one from UniMap University).
Hilal Mohammed Yousif Al-Bayatti is university vice president and professor of computer science at Applied Science University, Kingdom of Bahrain, where he has taught and conducted research in computer and information security. He earned his Ph.D. in computer science at Loughborough University of Technology (U.K.), his M.Sc. in computer science at University College London (U.K.) and his B.Sc. in mathematics at Baghdad University (Iraq). Prof. Hilal has been teaching undergraduate and graduate students in computer science fields for 25 years. Prof. Al-Bayatti supervised many computer science students leading to Ph.D. and M.Sc. degrees in computer science. Prof. Hilal has published more than 50 refereed research papers in leading journals. He is a member of many steering and technical committees of national and international conferences.
... Berkaitan dengan anak, hal tersebut harus mengarah pada perubahan persepsi dimana anak tidak diperlakukan seperti kelompok calon konsumen lain, tetapi kelompok rentan pengguna internet. 29 Sorotan khusus tentang sifat persetujuan mereka untuk pemrosesan data tampaknya menjadi salah satu langkah besar ke depan. 30 3. Pengaruh GDPR secara tidak langsung kepada anak-anak Terdapat sejumlah ketentuan GDPR yang secara umum berdampak bagi anak-anak sehingga membuktikan bahwa rezim perlindungan data Eropa lebih baik jika dibandingkan dengan Arahan 1995, yang secara tidak langsung tetapi secara signifikan bermanfaat bagi anak-anak. ...
... (2016). 29 Frau-Meigs, Divina, and Lee Hibbard. "Education 3.0 and Internet Governance: A new global alliance for children and young people's sustainable digital development." ...
... Terkait kebocoran data oleh peretas telah disanggah oleh KOMINFO bersama BSSN (Badan Siber dan Sandi Negara) dalam artikel di website resmi KOMINFO. 29 Intinya mereka menyatakan bahwa tidak ada data breach atau data leak, sehingga data pasien Covid-19 aman, Namun mengingat sebaran data di Indonesia yang begitu luas, Kementerian Kominfo tentu melakukan koordinasi dan pengecekan apakah masih ada potensi dari sumber lain. 30 Data rekam medis pasien dikualifikasikan ke dalam data pribadi yang bersifat sensitif. ...
Conference Paper
Full-text available
... In the recent years, IS has attracted attention based on the fact that the Internet (and in turn, computer networking) has become an effective means of sending/receiving data and that a substantial number of entities depend on the capability to transmit sensitive data. Similarly, malware has informed the efforts of antivirus programs' advancement to address the potential threats [2] . However, Trojan horses have continued to circumvent the security toolsets of antivirus programs because of their operation modes. ...
... A Trojan code defeats the purpose of the conventional antivirus approach because it depends on the end user's perception of the code as genuine software for it to install. Furthermore, on installation, it reverses the client-server paradigm by turning the infected host into a server, while the antivirus toolsets continue to assume the end user's workstation as a client node [2] . In addition, while antivirus routines cast the operation modes of software as malicious when it exhibits the tendencies of self-replication -the Trojan code evades detection by desisting from creating its copies in favor of working as a standalone code that has the potential of creating backdoors for other malware [3] . ...
... The Trojan detectability function, however, assumes that the environment acts as a variable constant-such that, Trojan manifestations in one operating system like UNIX would not be similar to the manifestation in a different system; like Windows [2] . On the other hand, detectability does not mitigate the intrusion of systems, in the first place [7] . ...
Conference Paper
Malicious payloads and computer codes have conventionally strived to gain access to target systems for aims which the affected end user experiences as unwanted functions or loss of data. This paper will examine the major types of Trojan horses, their mode of operation, and consequently, propose a framework for attack prevention and handling. It will highlight the need for effective control based on the premise that since Trojan attacks pose as harmless software, they have the potential to cause damage of exceptional magnitude. Ultimately, the proposed prototype will employ functional modeling to illustrate its potential as a powerful approach to information security.
... Once activated it can launch several attacks and also go into hiding on the victim"s machine. It can pop up in several windows and, in some instances, open attachments from phishing emails [36]. These pop-ups are usually presented as adverts and warning alerts. ...
Article
Full-text available
This modern time has seen a rise in technology and its associated tools. The rapid development of technology has also grown along with what the researchers termed as diabolic computing. The advancement of technology has moved along with security risks and threats. Cybercriminals are aware of the prospects that the internet has in connecting billions of people across the world. Their operations have also focused on the exploitation of users since humans are perceived to be the weakest link to every firm or establishment. This human exploitation and attacks are termed social engineering. The internet community is the biggest casualty of social engineering attacks. Social Engineering attacks are dangerous and can lead to financial losses, data losses, and even denial of service. These can affect an organization’s reputation. The effects of social engineering attacks are very treacherous. Some have long standing effects and can also result in the closedown of businesses. The study gives a clearer view of social engineering attacks. This view creates awareness of social engineering. This awareness helps to mitigate the various social engineering attacks. The study is focused on computer and internet users. The study reviewed the concept of social engineering, its various attack methods, and how to mitigate them. The study was concluded with a summary of SE attacks and appropriate countermeasures.
... The captured file is stored in libpcap format and can be read by any application that understands that format. [4] Several types of malware were the most popular in 2015: Trojan ransomware, exploit kits, banking Trojans, worms, PoS (point-of-sale) malware, social engineering attacks, fake tech support services, rogue antivirus software, potentially unwanted programs, and adware. [5]. ...
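The libpcap format mentioned in the snippet above is the container in which packet sniffers such as Wireshark save captures, and the analysis described on this page comes down to reading the TCP control bits and payload size out of each captured frame. The following Python is an added example, not code from the cited paper or from this one: it parses an in-memory libpcap file with only the standard library, reports the control-bit combinations and total payload bytes, and flags bit patterns that no normal TCP stack emits (null, FIN-only, SYN+FIN and "Xmas" probes). The pcap bytes, the addresses and ports, and the list of illegal flag sets are constructed here for illustration.

```python
"""Minimal libpcap reader that extracts TCP control bits and payload sizes.

Added example for this page, not code from the original paper. It uses only
the Python standard library and a pcap byte string constructed inline below.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_FLAG_NAMES = (
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
)
# Control-bit combinations a conforming TCP stack never produces (assumed list
# for this example): null scan, FIN scan, SYN+FIN, and the "Xmas" probe.
ILLEGAL_FLAG_SETS = {"NONE", "FIN", "FIN,SYN", "FIN,PSH,URG"}


def tcp_flag_string(flags):
    """Render the TCP control-bit byte as e.g. 'SYN,ACK' ('NONE' for a null packet)."""
    names = [name for bit, name in TCP_FLAG_NAMES if flags & bit]
    return ",".join(names) if names else "NONE"


def _parse_frame(frame):
    """Decode Ethernet/IPv4/TCP; return None for anything else."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6 or len(ip) < ihl + 20:          # protocol 6 == TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    # Payload length comes from the IP total length, so Ethernet padding or a
    # truncated snaplen is not mistaken for application data.
    payload_len = max(0, total_len - ihl - doff)
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": tcp_flag_string(tcp[13]), "payload_len": payload_len}


def parse_pcap(data):
    """Yield one dict per TCP-over-IPv4 frame in a libpcap capture held in memory."""
    magic, _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported or big-endian pcap magic: %#x" % magic)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt = _parse_frame(data[off:off + incl_len])
        off += incl_len
        if pkt is not None:
            pkt["ts"] = ts_sec + ts_usec / 1e6
            yield pkt


def summarize(pcap_bytes):
    """Count control-bit combinations, total payload bytes, and list illegal bit patterns."""
    flag_counts, payload_total, suspicious = {}, 0, []
    for pkt in parse_pcap(pcap_bytes):
        flag_counts[pkt["flags"]] = flag_counts.get(pkt["flags"], 0) + 1
        payload_total += pkt["payload_len"]
        if pkt["flags"] in ILLEGAL_FLAG_SETS:
            suspicious.append(pkt)
    return {"flags": flag_counts, "payload_bytes": payload_total, "suspicious": suspicious}


def _tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame with zeroed checksums (constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_sample_pcap():
    """Constructed capture: handshake, a 4-byte push, FIN/ACK, then an illegal SYN+FIN probe."""
    frames = [
        _tcp_frame("10.0.0.5", "203.0.113.9", 49152, 80, 0x02),           # SYN
        _tcp_frame("203.0.113.9", "10.0.0.5", 80, 49152, 0x12),           # SYN,ACK
        _tcp_frame("10.0.0.5", "203.0.113.9", 49152, 80, 0x10),           # ACK
        _tcp_frame("10.0.0.5", "203.0.113.9", 49152, 80, 0x18, b"GET "),  # PSH,ACK + 4 bytes
        _tcp_frame("10.0.0.5", "203.0.113.9", 49152, 80, 0x11),           # FIN,ACK
        _tcp_frame("10.0.0.5", "203.0.113.9", 49152, 80, 0x03),           # SYN+FIN, never legitimate
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    report = summarize(build_sample_pcap())
    for flags, n in sorted(report["flags"].items()):
        print("%-12s %d" % (flags, n))
    print("payload bytes:", report["payload_bytes"])
    for pkt in report["suspicious"]:
        print("suspicious %s -> %s:%d flags=%s" % (pkt["src"], pkt["dst"], pkt["dport"], pkt["flags"]))
```

To run it over a real capture, replace `build_sample_pcap()` with the bytes of a file saved by Wireshark or tcpdump in the classic pcap format (the newer pcapng container and big-endian captures are rejected by the magic check rather than silently misread). Counting flag combinations and payload bytes per direction is the cheap first pass; a Trojan's beacon traffic usually shows up as repeated small PSH,ACK segments to one remote port, while the illegal flag sets above point at scanning rather than at an established channel.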
Article
This study aims to address the problem of malware spreading within a campus network. One effect of malware in a campus network is bandwidth traffic overload, which causes the bandwidth to be used up quickly or inbound and outbound data transfers to become slower than usual. A campus or university generally has a network structure in which one or more routers manage the network and the bandwidth. Some routers have firewall configuration capabilities that are already quite capable, but they need to be managed more specifically according to the scale of the network and the available bandwidth. Creating good rules in the firewall makes it easier to filter network and bandwidth traffic, and thus provides security and comfort for users of the network and bandwidth.
... Later on, this will result in a computer crash. [7] As a result, Trojan horse attacks pose one of the most serious threats to computer security. ...
Article
Trojan horse is said to be one of the most serious threats to computer security. A Trojan horse is typically separated into two parts – a server and a client. It is the client that is cleverly disguised as significant software and positioned in peer-to-peer file sharing networks, or unauthorized download websites. The most common means of infection is through email attachments. In order to distribute the virus to unsuspecting users, the developer of the virus usually uses various spamming techniques. Malware developers use chat software as another method to spread their Trojan horse viruses such as Yahoo Messenger and Skype. This study aims to analyze and detect the behavior of Trojan attacks, provide ways on how to prevent, detect, and recover from Trojan attacks.
... Currently, Trojan horse attacks are considered one of the most serious threats in cyber attacks. There are many definitions related to Trojan horses, such as those in [3,14]. For this research, a Trojan horse is defined as a program that appears useful and harmless and, once it has been installed on a victim's computer, begins to carry out malicious acts such as stealing important information from the victim's computer. ...
Article
For the past few years, malware, also known as malicious code, has been seen as one of the biggest threats among cyber attacks. It has caused a lot of damage and loss of money and productivity to many organizations and end users. Malicious code can be divided into many categories such as viruses, worms and Trojan horses. Each of these categories has its own implications and threats, and the Trojan horse has been chosen as the domain of this research paper. Prior to the formation of a new Trojan horse detection model, an in-depth study and investigation of the existing Trojan horse classifications is presented in this paper. Surprisingly, not much research related to Trojan horses has been done. On 16 January 2013, Troj/Invo-Zip caused chaos by masquerading as an invoice from Europcar and spreading via email. Therefore, in this research paper, a new Trojan horse classification called Efficient Trojan Horse Classification (ETC) is developed. This ETC is later used as a basis to build a model to detect Trojan horses efficiently. The methods used to develop the ETC are static and dynamic analysis. For the dynamic analysis, Cuckoo Sandbox has been integrated to speed up the analysis and reverse engineering processes.
Conference Paper
The invention of the smartphone has made life easier, as it is capable of providing important functions used in users' daily lives. While different operating system (OS) platforms were built for smartphones, Android has become one of the most popular choices. Nonetheless, it is also the most targeted platform for mobile malware attacks causing financial loss to the victims. Therefore, in this research, the exploitation of system calls in the Android OS platform by mobile malware that could lead to financial loss was examined. The experiment was conducted in a controlled lab environment using open source tools by implementing dynamic analysis on 1260 datasets from the Android Malware Genome Project. Based on the experiment conducted, a new system call classification to exploit call logs for mobile attacks has been developed using the Covering Algorithm. This new system call classification can be used as a reference for other researchers in the same field to secure against mobile malware attacks that exploit call logs. In the future, this new system call classification could be used as a basis to develop a new model to detect mobile attacks exploiting call logs. Keywords: system calls, similarity analysis, exploitation of call logs using system calls, covering algorithm, data transformation, system call classification.
Article
For any organization, having a secure network is the primary requirement for meeting its business needs. A network is said to be secure when it can withstand attacks that may damage the whole network. Over the last few decades, internetworking has grown tremendously and a lot of importance is given to securing the network. To develop a secure network, network administrators must have a good understanding of all attacks that can be caused by an intruder and of their mitigation techniques. This paper explores the most fatal attacks that might cause serious downtime to an enterprise network and examines practical approaches to understanding the behavior of the attacks and devising effective mitigation techniques. It also describes the importance of security policies and how security policies are designed in the real world.
Article
The threat of attack by computer viruses is in reality a very small part of a much more general threat, specifically attacks aimed at subverting computer security. This paper examines computer viruses as malicious logic in a research and development environment, relates them to various models of security and integrity, and examines current research techniques aimed at controlling the threats viruses in particular, and malicious logic in general, pose to computer systems. Finally, a brief examination of the vulnerabilities of research and development systems that malicious logic and computer viruses may exploit is undertaken. 1. Introduction A computer virus is a sequence of instructions that copies itself into other programs in such a way that executing the program also executes that sequence of instructions. Rarely has something seemingly so esoteric captured the imagination of so many people; magazines from Business Week to the New England Journal of Medicine [39][48][60][72][135]...