Monday, November 28, 2005

Lesson III - Tales Of Trojan Horses

Sometimes you should look a gift horse in the mouth. If you let a Trojan horse onto your system, you’ll soon discover that it’s a type of malware (software written for a malicious purpose, such as destroying files). Like its namesake, a Trojan horse looks like a gift, but in reality, its designer created it for sinister reasons and filled it with code that’s waiting to invade and attack your computer.

Sunday, November 27, 2005

Within The Belly of a Beast

To understand how a Trojan horse works, let’s look at the classic tale about a wooden horse the Greeks used to end the Trojan War. According to the legend, Greek soldiers tried for years to get behind the impenetrable walls of Troy, and after numerous failures, they built a giant wooden horse for the Trojans as an offering of peace before boarding their ships and pretending to sail back home. Believing the horse was a gift, the Trojans moved it inside the gates of Troy. What they didn’t know was that an army of Greek soldiers was hiding inside the hollow belly of the horse, waiting patiently for its chance to open the gates of Troy to let in the rest of the Greek army and attack the Trojans.
The type of Trojan horse that might find its way onto your computer system is similar to the Trojan horse described in the classic Greek tale. In most cases, a Trojan horse arrives as an email attachment, accompanied by a message that claims the attachment is a fun program or graphic. A user also can receive a Trojan horse by downloading bogus software from a web site. In 1989, the AIDS Trojan arrived on a floppy diskette mailed in an envelope, waiting for victims to take the bait (more about this particular Trojan horse in a moment). Unless the Trojan horse includes another type of malware (such as a worm or virus), it will do nothing until you open the file to accept it on your system.
Because a Trojan horse only works when users accept and open it, the creator of a Trojan horse must find a way to entice users. For this reason, Trojan horses rely on social engineering, the “art” of understanding human psychology well enough to design a claim so tempting that numerous recipients will want to see or try it.
In other words, just as a clever marketing firm will try to make a sales pitch so good that consumers can’t help but buy a product, a hacker (savvy computer user who breaks into systems for illegal and/or malicious reasons) will try to use social engineering to create a Trojan horse that most users will open to see what it does or displays. The difference is that consumers usually know what a particular marketer is really selling, whereas Trojan horse recipients typically don’t know what the Trojan horse really is or does—until the attack starts (and even then, some Trojan horse recipients are still unaware of what happened).
When a Trojan horse arrives as an email attachment, the message might claim that the attachment is something intriguing, such as a cool screen saver, a program update, or a fun game. For instance, one Trojan horse called AOL4Free was allegedly a program that would grant the recipient free access to AOL (America Online) Internet service. This is a good example of social engineering. Unless a user suspects that the attachment is too good to be true and there must be a catch, why wouldn’t he run the program? On the other hand, a Trojan horse masquerading as nothing more than a picture of a certain singing purple dinosaur would be less likely to elicit curiosity from a recipient. Therefore, between these two examples, the AOL4Free Trojan horse incorporates a better approach to social engineering.
If a Trojan horse’s social engineering approach is successful, several users will double-click the attachment or program to open or launch it. This is the first time that a user might discover that the attachment or program contained harmful code. In other cases, a user may not notice a problem until much later when he/she tries to find a particular file the Trojan horse deleted, for example. And sometimes, a user never realizes a Trojan horse entered his/her system.
Depending on its programming, a Trojan horse may do any number of things to the infected user’s system. We’ll discuss some well-known Trojan horses and the consequences of running them later in this article.
Because Trojan horses are executable files, they generally have file extensions such as .BAT (batch), .COM (command), .EXE (executable), .PIF (program information file), and .VBS (Visual Basic script). Don’t simply trust that the letters you see at the end of a file name are the file extension, either. For instance, if you see a file name such as ForbiddenPicture.jpg, the “.jpg” portion may not actually be the file extension; it might only be the text at the end of the file name, as is the case with a ForbiddenPicture.jpg.vbs file.
By default, Windows 98 and newer OSes (operating systems) don’t display file extensions. Although it isn’t the default, Windows 95 may also hide file extensions.
To view file extensions in Win95, open a folder and click Options from the View menu. Choose the View tab and deselect the checkbox next to Hide MS-DOS File Extensions for File Types That Are Registered. Click Apply and OK.
To view file extensions in more recent Windows OSes, open a folder and click Folder Options from the View menu (in Win98) or from the Tools menu (in Windows Me and Windows XP). In the resulting dialog box, choose the View tab and deselect the checkbox next to Hide Extensions for Known File Types. To make these settings apply to all folders, click the Like Current Folder button (in Win98/Me) or the Apply to All Folders button (in WinXP) at the top of the dialog box. Click Apply and OK.
You can investigate an attachment’s true file type by viewing its properties. Right-click the file’s icon and click Properties. At the top of the General tab, see the Type of File line for the true file type.

Saturday, November 26, 2005

Today’s Trojan Horses

Trojan horses are nothing new. In fact, many of the famous “viruses” you hear about actually might be Trojan horses. Although people often refer to all malware as viruses, there are distinct differences between a true virus and Trojan horse. A virus typically attaches to data files and copies itself when you launch the designated program; whereas a Trojan horse disguises itself as a useful program, and multiplying generally isn’t part of its mission. For example, you might activate a virus by opening an infected Microsoft Word file, but you will only activate a Trojan horse by launching an actual Trojan horse masquerading as a cool application.
Many of today’s Trojan horses are an exception because they arrive bundled with another type of malware, the combination of which many experts refer to as blended threats. For instance, if a Trojan horse and a virus work as a team, when a user opens a virus-infected file, the now-activated virus could launch the Trojan horse automatically. For more information about viruses, see “Self-Replicating Code Viruses”.
A sophisticated Trojan horse also might team up with a worm, which could copy and send the Trojan horse from one system to the next, from user to user, using a network or the Internet.
For more information about worms, see “Worms Are True Parasites”.
In each of these examples, the Trojan horse is part of a blended threat, which generates much discussion and concern nowadays. For more information about blended threats, see “Blended, Not Stirred,”
Because today’s Trojan horses are likely to arrive as part of a blended threat, they tend to be more dangerous than those that lurked five or 10 years ago. Users may not need to unwittingly launch a Trojan horse in order for it or its bundled malware to infect the system. If coupled with a virus, code may instruct the Trojan horse to launch automatically after the user opens the virus-infected file. If coupled with a worm, the Trojan horse may even multiply and travel from computer to computer, threatening other users, as well.

Friday, November 25, 2005

Backdoor Trojans

One newer type of Trojan horse is a backdoor Trojan, which installs an executable file on systems. By altering the Registry (Windows central database for system settings and user preferences), the backdoor Trojan also launches when you start your computer.
A backdoor can be any “loophole” in software code that lets an unauthorized user access a system by opening a port or connecting to the Internet. Some programs contain backdoors that developers accidentally created while writing the software code. This is why users should check companies’ web sites regularly for any new software patches they can download and install. As software manufacturers find such security threats, they release patches that correct errors. Of course, not all backdoors appear accidentally within software; hackers purposely create backdoors for malicious purposes.
Hackers can use programs called sniffers to locate open ports and gain access to systems using backdoors. When hackers activate backdoor Trojans on infected systems, its code opens a port or connects to the Internet. Normally, these actions take place in the background, so a user doesn’t realize immediately that his computer is infected. In fact, often after the Trojan horse runs, nothing happens right away. Instead, the system waits for a hacker (either the originator of the Trojan or a different hacker using a sniffer) to take control of the system and start an attack.
The most obvious reason why a hacker might use a backdoor Trojan to access a system is to gain access to sensitive files and data, such as financial records, passwords, and credit card numbers. Another common use of backdoor Trojans is to turn computers into virtual zombies a hacker could use to launch a DoS (denial of service) or DDoS (distributed denial of service) attack. To define what zombies and DoS attacks are and explain how a hacker could use a backdoor Trojan as the means to these ends, let’s break down the process step by step.
First, a backdoor Trojan opens a system to outside access so a hacker can control the computer remotely from his/her computer. When a hacker manipulates a system in this way, it becomes a zombie. The hacker can use a zombie to launch a DoS attack by sending abnormally large quantities of data or PING (Packet Internet Groper; echo request message to a target to check the status of a network connection) requests to a specified computer or server. If a hacker simultaneously uses multiple zombies for this purpose, the process becomes a DDoS attack, which makes it harder to trace the true source of the attack. Such a flood of Internet traffic may slow down a server (causing a degradation of service) or cause the server to crash.
Even if the hacker only succeeds at causing a degradation of service rather than causing a server to crash, the results are still costly. For instance, if traffic on Amazon.com slows to a certain level, the company will lose money as customers become frustrated with the site’s online service and decide to take their business elsewhere.
A hacker might target other types of servers or home computers, as well. Sometimes a hacker’s goal isn’t to bring down a company, but simply prove that he/she can use zombies to control the Internet service others receive. He/she will likely avoid detection because it is difficult to trace this type of activity when a hacker distributes it among many zombies.
Although backdoor Trojans are a relatively new type of Trojan horse, that doesn’t mean that they are rare. Let’s look at just a few backdoor Trojan horses to further analyze this type of malware.

Thursday, November 24, 2005

1. Backdoor/Slydude

In mid-1999, the Backdoor/Slydude Trojan horse (also known as Pws-Z) made the rounds. Slydude arrives as an email attachment called Nude.jpg that appears to be a JPEG (Joint Photographic Experts Group) file, but in reality, .JPG isn’t the actual file extension; it’s just part of the file name. The actual file extension is .SHS, but because Windows doesn’t recognize .SHS as a file extension, it doesn’t display it.
When a user double-clicks the Nude.jpg icon, a picture of a nude woman appears on-screen, but in the background, a Trojan horse installs a file in the System folder and adds a Registry setting that launches a Trojan horse whenever the user starts his computer. As a result, this Trojan horse sends passwords stored on the system to a designated email address

Wednesday, November 23, 2005

2. NetBus

This backdoor Trojan first appeared in 1998 as a way to play pranks by flipping a user’s screen upside down, opening and closing the tray to the optical drive, and performing other seemingly harmless actions. However, installing the server version of NetBus lets a hacker use a remote computer to manipulate and control the victim’s computer.
There have been many reincarnations of NetBus over the last few years, and there are other backdoor Trojans, such as Back Orifice, that use similar techniques. The social engineering varies, but some messages entice users to launch NetBus by claiming it is a patch to repair a software problem or by coupling it with a game called Whack-A-Mole.
Once a user installs NetBus, a hacker can access files, programs, and even printers via his system. And because a victim’s computer essentially becomes a zombie, a hacker also can use it to transmit DoS attacks. NetBus behaves very much like networking software in that it installs server software on a victim’s computer that interacts with a hacker’s client software.

Tuesday, November 22, 2005

3. SubSeven

This backdoor Trojan (sometimes called Sub7 or Backdoor-G) gained prominence in 1999. As with NetBus, SubSeven opens port 1243 and installs server software that lets a hacker with the installed client software control a victim’s computer.
SubSeven arrives in many forms. For example, users might believe the file is a movie clip. After Oklahoma City bomber Timothy McVeigh’s execution, some users received email messages claiming the SubSeven attachment was a video of McVeigh’s execution. SubSeven also has masqueraded as a network update and, ironically, as anti-virus software.

Monday, November 21, 2005

Keystroke Loggers

Another group of Trojan horses you need to know about are keystroke loggers. This type of malware is exactly what it sounds like: When a user launches a keystroke-logging Trojan horse, it installs a program that logs all the keystrokes the user makes. Periodically, the program transmits the log to a remote email address (as the Backdoor/Slydude Trojan horse did), letting the person at that email address see everything the user typed. Yes, this is an invasion of privacy, but more importantly, it gives unauthorized individuals a way to find out usernames, passwords, and credit card numbers.
An example is the Girlgif Trojan horse, which arrives in an email message with two attachments, Girl.exe and Girl.gif. The file with the .GIF extension is not really a GIF (Graphics Interchange Format) file. Instead, it’s a DLL (dynamic-link library) file that remains harmless until the user double-clicks the Girl.exe attachment.
After the executable file launches, it moves the Girl.gif DLL file into your System directory and renames the file Imnepr.dll. The Girlgif Trojan horse monitors all keystrokes, logs them in the System.dat file of the System directory, and occasionally transmits this file of logged keystrokes to a designated email account.

Sunday, November 20, 2005

Pull The Reins On Trojan Horses

Without some action on your part, a traditional (non-blended threat) Trojan horse will not cause damage or open a back door to your system. This is why, when armed with knowledge about Trojan horses, you stand a good chance of fending off a Trojan horse attack. The best advice we can give you, however, is to stay current on the most recent threats and never open a suspicious program or email attachment without first investigating what it truly is.