Sunday, November 27, 2005

Within The Belly of a Beast

To understand how a Trojan horse works, let’s look at the classic tale about a wooden horse the Greeks used to end the Trojan War. According to the legend, Greek soldiers tried for years to get behind the impenetrable walls of Troy, and after numerous failures, they built a giant wooden horse for the Trojans as an offering of peace before boarding their ships and pretending to sail back home. Believing the horse was a gift, the Trojans moved it inside the gates of Troy. What they didn’t know was that an army of Greek soldiers was hiding inside the hollow belly of the horse, waiting patiently for its chance to open the gates of Troy to let in the rest of the Greek army and attack the Trojans.
The type of Trojan horse that might find its way onto your computer system is similar to the Trojan horse described in the classic Greek tale. In most cases, a Trojan horse arrives as an email attachment, accompanied by a message that claims the attachment is a fun program or graphic. A user also can receive a Trojan horse by downloading bogus software from a web site. In 1989, the AIDS Trojan arrived on a floppy diskette mailed in an envelope, waiting for victims to take the bait (more about this particular Trojan horse in a moment). Unless the Trojan horse includes another type of malware (such as a worm or virus), it will do nothing until you open the file to accept it on your system.
Because a Trojan horse only works when users accept and open it, the creator of a Trojan horse must find a way to entice users. For this reason, Trojan horses rely on social engineering, the “art” of understanding human psychology well enough to design a claim so tempting that numerous recipients will want to see or try it.
In other words, just as a clever marketing firm will try to make a sales pitch so good that consumers can’t help but buy a product, a hacker (savvy computer user who breaks into systems for illegal and/or malicious reasons) will try to use social engineering to create a Trojan horse that most users will open to see what it does or displays. The difference is that consumers usually know what a particular marketer is really selling, whereas Trojan horse recipients typically don’t know what the Trojan horse really is or does—until the attack starts (and even then, some Trojan horse recipients are still unaware of what happened).
When a Trojan horse arrives as an email attachment, the message might claim that the attachment is something intriguing, such as a cool screen saver, a program update, or a fun game. For instance, one Trojan horse called AOL4Free was allegedly a program that would grant the recipient free access to AOL (America Online) Internet service. This is a good example of social engineering. Unless a user suspects that the attachment is too good to be true and there must be a catch, why wouldn’t he run the program? On the other hand, a Trojan horse masquerading as nothing more than a picture of a certain singing purple dinosaur would be less likely to elicit curiosity from a recipient. Therefore, between these two examples, the AOL4Free Trojan horse incorporates a better approach to social engineering.
If a Trojan horse’s social engineering approach is successful, some users will double-click the attachment or program to open or launch it. Opening it is often the first moment a user discovers that the attachment or program contained harmful code. In other cases, a user may not notice a problem until much later, for example when he/she tries to find a particular file the Trojan horse deleted. And sometimes, a user never realizes a Trojan horse entered his/her system.
Depending on its programming, a Trojan horse may do any number of things to the infected user’s system. We’ll discuss some well-known Trojan horses and the consequences of running them later in this article.
Because Trojan horses are executable files, they generally have file extensions such as .BAT (batch), .COM (command), .EXE (executable), .PIF (program information file), and .VBS (Visual Basic script). Don’t simply trust that the letters you see at the end of a file name are the file extension, either. For instance, if you see a file name such as ForbiddenPicture.jpg, the “.jpg” portion may not actually be the file extension; it might only be the text at the end of the file name, as is the case with a ForbiddenPicture.jpg.vbs file.
By default, Windows 98 and newer OSes (operating systems) don’t display file extensions. Although it isn’t the default, Windows 95 may also hide file extensions.
To view file extensions in Win95, open a folder and click Options from the View menu. Choose the View tab and deselect the checkbox next to Hide MS-DOS File Extensions for File Types That Are Registered. Click Apply and OK.
To view file extensions in more recent Windows OSes, open a folder and click Folder Options from the View menu (in Win98) or from the Tools menu (in Windows Me and Windows XP). In the resulting dialog box, choose the View tab and deselect the checkbox next to Hide Extensions for Known File Types. To make these settings apply to all folders, click the Like Current Folder button (in Win98/Me) or the Apply to All Folders button (in WinXP) at the top of the dialog box. Click Apply and OK.
You can investigate an attachment’s true file type by viewing its properties. Right-click the file’s icon and click Properties. At the top of the General tab, see the Type of File line for the true file type.
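As an added example (not code from the original post), the following Python script automates the two checks described above: it flags a name whose final, possibly hidden, extension is one of the executable types listed earlier, shows what Explorer would display with extensions hidden, and compares the file’s first bytes against the type its name claims. The executable extension list is the article’s; the file signature table and the sample names and headers are constructed for the example.

```python
"""Spot attachments that hide an executable extension or whose bytes do not
match the type their name claims.  Constructed example, not from the post."""
import os

# The executable extensions the article lists for Windows.
EXECUTABLE_EXTS = {".bat", ".com", ".exe", ".pif", ".vbs"}

# File signatures ("magic bytes") for a few common types (assumed lookup table).
SIGNATURES = {
    ".jpg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".exe": [b"MZ"],
}

def extensions(name):
    """All dotted suffixes, lower-cased: 'Pic.JPG.VBS' -> ['.jpg', '.vbs']."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:] if p]

def displayed_name(name):
    """What Explorer shows with 'Hide extensions for known file types' on:
    only the last extension is stripped, so 'Pic.jpg.vbs' appears as 'Pic.jpg'."""
    base = os.path.basename(name)
    return base.rsplit(".", 1)[0] if "." in base else base

def assess(name, header):
    """Return a list of findings for a file name plus its first bytes."""
    exts = extensions(name)
    if not exts:
        return ["no extension"]
    real = exts[-1]
    findings = []
    if real in EXECUTABLE_EXTS:
        findings.append(f"executable ({real})")
        if len(exts) > 1:  # the ForbiddenPicture.jpg.vbs trick
            findings.append(f"double extension: Explorer would show '{displayed_name(name)}'")
    sigs = SIGNATURES.get(real)
    if sigs is not None and not any(header.startswith(s) for s in sigs):
        findings.append(f"content does not match {real} signature")
    if real not in EXECUTABLE_EXTS and header.startswith(b"MZ"):
        findings.append(f"Windows executable header hidden behind {real}")
    return findings

def assess_file(path):
    """Same check on a real file: read just the first 8 bytes."""
    with open(path, "rb") as fh:
        return assess(path, fh.read(8))

if __name__ == "__main__":
    # Constructed samples: a disguised script, a genuine JPEG, a renamed EXE.
    for n, h in [("ForbiddenPicture.jpg.vbs", b"MsgBox "),
                 ("holiday.jpg", b"\xff\xd8\xff\xe0"), ("photo.jpg", b"MZ\x90\x00")]:
        print(n, "->", assess(n, h))
```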

