Trojan Horse Programs
Overview
Like the horse of Greek mythology, a Trojan Horse
program is more than it appears to be. Trojans, as they are often called
in the parlance of the computer security world, are malicious programs
underneath the guise of a useful or fun piece of software such as a
screen saver or game. Trojan Horse programs often install a back
door as mentioned previously under root kits.
Unlike viruses and worms, Trojans are generally non-replicating, meaning
that they can't spread by their own methods and require user interaction.
They instead rely on the rather common human trait of trust, or at
least of being more trusting than critical, toward things that appeal
to us. In short, human gullibility.
From Whence They Come - Some Common Sources of Trojans
The fact is a trojan can end up installed on
your computer in a number of ways. If it's a computer program it can
in all likelihood be trojaned, the term often used to indicate
that a trojan program is embedded in a piece of software.
Such programs often arrive via email and appear to be interesting or
useful thus motivating the recipient to install it. If your web browser
has known programming flaws that aren't quickly patched (a problem
that has plagued Internet Explorer in particular) it's generally only
a matter of time before enterprising programmers develop programs to
attack that flaw.
After an attack has been developed simply visiting a malicious web
site will allow the installation of programs such as trojans on your
computer. This method has in fact become the most common way of infecting
computers.
Another formerly common method was for a hacker to discover a way to
access your computer directly from the Internet and directly install
malicious code. Let's look at some real examples of each of these as
illustrations of how these attacks have occurred.
Social Engineering by Email
"Fake Lycos screen saver harbours Trojan". This
headline from a December 2004 news post at "The Register" tells the
tale. The article continues:
The fake screen saver emails contain an attachment with a
RAR SFX archive that has embedded key logger Trojan inside, antivirus
firm Sophos warns. Infected emails come in emails with subject lines
such as "Be the first to fight spam with Lycos screen" and an attachment
called "Lycos screen saver to fight spam.zip".
Upon successful installation, the key logging Trojan (Mdropper-IT)
sends a message to an Indonesian email address confirming its status.
The screen saver file, rather than displaying the Lycos screen saver,
displays a blank screen.
Who doesn't want to fight spam, right? And here's
your chance, having just landed right in your email inbox. By gosh, all
you have to do is click and install and you're a member of the righteous
anti-spam army marching to victory! Actually you've just been a victim
of what hackers refer to as social engineering. By installing the
program you've just infected your own computer with the trojan program.
A similar scenario is also played out with the attached program claiming
to be a fun game. A well known example is the NetBus backdoor trojan
installed by a "game" called "whackamole." You're expecting just an
entertaining little game for a break in the day. Instead you also install,
unbeknownst to you, a program called a server that opens a backdoor into
your computer.
Installation via Browser Flaws
Internet Explorer (IE), due to certain bad design
decisions made by Microsoft, has experienced a lengthy list of programming
flaws that open the computer system to attack. Because of IE's vast
utilization, as a built in component that ships with every installation
of the Microsoft Windows operating system, it's long been a favorite
target of system attackers.
Once attack code has been developed to exploit a specific, unpatched
flaw it typically circulates rapidly through the "Internet Underground", finding
its way onto numerous websites. In this case something as simple as
visiting such a site whether by intent or accident is sufficient to
infect the user's computer. To facilitate this latter point it's common
for attackers to send out an email with a link to a malicious website.
One curious click and you're the newest victim if your system isn't
patched or otherwise protected.
A very recent example of using websites as methods of attacking users
was the Microsoft
Windows Metafile flaw. This flaw in a particular Microsoft graphics
format known as WMF (Windows Meta File) allowed an attacker to develop
a specially crafted WMF graphic and take control of the attacked system.
Open Ports
This last method of attack has become less used
with the general rise of user awareness for the need to use some sort
of firewall protection, be it hardware or software based, when connecting
to an untrusted network such as the Internet.
As we'll be covering firewalls in detail later in this series I'll
not cover this in depth. Suffice to say that a computer system not
protected by a firewall was literally an "open target" to which even
hackers of moderate experience could easily gain access and install
malicious code. This method of attack is much more labor intensive
and increasingly difficult with the rise of awareness in Internet security
and the installation of firewalls. As such it has become more the method
of choice for high value targets such as systems containing credit
card databases and similar highly saleable information.
Staying Secure - Preventing Trojan Attacks
and Infections
To paraphrase the maxim "Prevention is worth
pounds of cure." And fortunately prevention is neither expensive nor
necessarily difficult. Here are a few steps that everyone using the Internet
would be wise to take.
- Install good antivirus software such as Computer
Associates eTrust EZ antivirus or Kaspersky
antivirus. This provides an essential item in catching inbound
emails infected with viruses, worms and some trojans.
- Install a proven high quality anti spyware program such as Spy
Sweeper or Spyware
Doctor.
- Install either a hardware firewall device or at a minimum firewall
software. For always on high speed connections such as cable or DSL
we strongly recommend a hardware firewall as a minimum and prefer
to have both the hardware and software firewall components in place
as they fulfill different functions when properly configured.
- Keep your system software updated (patched) on a regular basis.
Microsoft Windows users in home and small office environments should
generally set the system to automatically update. Subscribers to
our News-Alerts Newsletter are
kept informed of necessary patches and other security measures as
they arise.
- Practice safe computing by developing good computer security habits.
It's a common maxim in the IT Security world to stress that "Security
is a process, not a product".
The process of practicing good computer security habits includes being
suspicious of anything that arrives in your email inbox. Particular
scrutiny should be exercised for any email containing an attachment.
Likewise don't click on links that arrive from unknown sources. A
large number of exploits have been propagated by just such a method
of mass mailing a small email with a link to a malicious site.
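The attachment scrutiny recommended above can be partly automated at the mailbox or gateway. The following is an added example, not part of the original article: it opens a message, looks inside zip attachments and flags executable content such as the screen saver case quoted earlier. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import email, email.message, email.policy, io, zipfile

# File types Windows runs directly; a .scr "screen saver" is an ordinary executable.
RISKY_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
MAX_MEMBER = 20_000_000  # refuse to unpack huge members (zip-bomb guard)

def ext(name):
    return name[name.rfind("."):].lower() if "." in name else ""

def inspect_blob(name, data, depth=0):
    """Return the reasons, if any, to treat this file as suspicious."""
    findings = []
    if data[:2] == b"MZ":  # DOS/PE header, also present on self-extracting archives
        findings.append(f"{name}: Windows executable header (MZ)")
        if ext(name) not in RISKY_EXT:
            findings.append(f"{name}: extension hides executable content")
    elif ext(name) in RISKY_EXT:
        findings.append(f"{name}: executable file extension")
    # Look inside zip archives, limiting how deep nested archives are followed.
    if depth < 2 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}!{info.filename}"
                if info.flag_bits & 0x1:
                    findings.append(f"{member}: encrypted, cannot be inspected")
                elif info.file_size > MAX_MEMBER:
                    findings.append(f"{member}: too large to inspect")
                else:
                    findings += inspect_blob(member, zf.read(info), depth + 1)
    return findings

def inspect_message(raw):
    """Check every attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        findings += inspect_blob(part.get_filename() or "(unnamed)", data)
    return findings

def build_sample():
    """Constructed message; subject and attachment name are those quoted above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("screensaver.scr", b"MZ" + b"\x00" * 62)  # inert stub bytes
        zf.writestr("readme.txt", b"hello")
    msg = email.message.EmailMessage()
    msg["Subject"] = "Be the first to fight spam with Lycos screen"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Lycos screen saver to fight spam.zip")
    return msg.as_bytes()
```

Calling inspect_message(build_sample()) reports the executable hidden inside the zip; a clean text attachment produces no findings.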
Summary
The Internet need not be an overly perilous place
to travel but like all travel an enjoyable trip depends upon some basic
knowledge, staying informed of changing conditions and some appropriate
measures of protection such as proper clothing and medical details
such as vaccinations.
In traveling the Internet the equivalents are keeping informed of new
threats by subscribing to a security newsletter such as our News-Alerts
letter or other source and having some basic protections in place
such as antivirus and antispyware software.
Here's to safe travels!