Tales Of Trojan Horses
Why You Should Beware Of Those Bearing Gifts

Avoid & Defeat Viruses, February 2003, Vol. 9 Issue 2, Page(s) 12-16 in print issue

The type of Trojan horse that might find its way onto your computer system is similar to the Trojan horse described in the classic Greek tale. In most cases, a Trojan horse arrives as an email attachment, accompanied by a message that claims the attachment is a fun program or graphic. A user also can receive a Trojan horse by downloading bogus software from a Web site. In 1989, the AIDS Trojan arrived on a floppy diskette mailed in an envelope, waiting for victims to take the bait (more about this particular Trojan horse in a moment). Unless the Trojan horse includes another type of malware (such as a worm or virus), it will do nothing until you open the file and thereby accept it onto your system.

Because a Trojan horse only works when users accept and open it, its creator must find a way to entice users. For this reason, Trojan horses rely on social engineering, the "art" of understanding human psychology well enough to design a claim so tempting that numerous recipients will want to see or try it. In other words, just as a clever marketing firm will try to make a sales pitch so good that consumers can't help but buy a product, a cracker (a computer user who breaks into systems for illegal and/or malicious reasons) will try to use social engineering to create a Trojan horse that most users will open to see what it does or displays. The difference is that consumers usually know what a particular marketer is really selling, whereas Trojan horse recipients typically don't know what the Trojan horse really is or does until the attack starts (and even then, some recipients remain unaware of what happened).

When a Trojan horse arrives as an email attachment, the message might claim that the attachment is something intriguing, such as a cool screen saver, a program update, or a fun game. For instance, one Trojan horse called AOL4Free was allegedly a program that would grant the recipient free access to AOL (America Online) Internet service.
This is a good example of social engineering. Unless a user suspects that the attachment is too good to be true and there must be a catch, why wouldn't he run the program? On the other hand, a Trojan horse masquerading as nothing more than a picture of a certain singing purple dinosaur would be less likely to elicit curiosity from a recipient. Between these two examples, then, the AOL4Free Trojan horse incorporates the better approach to social engineering.

If a Trojan horse's social engineering approach is successful, many users will double-click the attachment or program to open or launch it. This is the first time that a user might discover that the attachment or program contained harmful code. In other cases, a user may not notice a problem until much later, when she tries to find a particular file the Trojan horse deleted, for example. And sometimes, a user never realizes a Trojan horse entered her system. Depending on its programming, a Trojan horse may do any number of things to the infected user's system. We'll discuss some well-known Trojan horses and the consequences of running them later in this article.

Because Trojan horses are executable files, they generally have file extensions such as .BAT (batch), .COM (command), .EXE (executable), .PIF (program information file), and .VBS (Visual Basic script). Don't simply trust that the letters you see at the end of a file name are the file extension, either. Windows treats only the text after the last period as the extension, so in a file named ForbiddenPicture.jpg.vbs the ".jpg" is just part of the name and the real extension is ".vbs"; with extensions hidden, that file displays as ForbiddenPicture.jpg and runs as a script when opened. By default, Windows 98 and newer OSes (operating systems) don't display file extensions for registered file types, and Windows 95 can hide them as well. To view file extensions in Win95, open a folder and click Options from the View menu.
Choose the View tab and deselect the checkbox next to Hide MS-DOS File Extensions For File Types That Are Registered. Click Apply and OK. To view file extensions in more recent Windows OSes, open a folder and click Folder Options from the View menu (in Win98) or from the Tools menu (in Windows Me and Windows XP). In the resulting dialog box, choose the View tab and deselect the checkbox next to Hide Extensions For Known File Types. To make these settings apply to all folders, click the Like Current Folder button (in Win98/Me) or the Apply To All Folders button (in WinXP) at the top of the dialog box. Click Apply and OK. Even with this option turned off, Windows keeps a few extensions hidden no matter what, because their file-type entries in the Registry carry a NeverShowExt value; .SHS (scrap object), .PIF, .LNK (shortcut), and .URL are among them, so a file really named Picture.jpg.shs still appears as Picture.jpg.

You can investigate an attachment's true file type by viewing its properties. Right-click the file's icon and click Properties. At the top of the General tab, see the Type Of File line for the true file type. For more information about how to avoid a Trojan horse attack, see "Head 'Em Off At The Pass" on page 40.

PC-Write Trojan. Often cited as the first PC Trojan horse, the PC-Write Trojan appeared in 1986, pretending to be version 2.72 of the shareware word processor PC-Write. (Quicksoft, the company that made PC-Write, never released a version 2.72.) When a user launched what she believed to be PC-Write 2.72, she really started the PC-Write Trojan, which performed two actions: first, it wiped out the FAT (file allocation table; the structure a PC uses to keep track of where files are stored on the hard drive); and second, it formatted the hard drive, deleting all saved data.

AIDS Trojan. As we mentioned earlier, the creator of the AIDS Trojan distributed it via floppy diskette because relatively few people used email in 1989. Unsuspecting PC users received a copy of the AIDS Trojan on a diskette in the mail. Allegedly, the diskette contained information about AIDS (acquired immune deficiency syndrome) and HIV (human immunodeficiency virus). Running the program on the diskette, however, actually activated a Trojan horse.
What is unique about the AIDS Trojan is that rather than destroy files, it held them hostage, demanding a ransom before the user could open and use the files again; it is an early example of what is now called ransomware.

AOL4Free Trojan. We previously discussed the social engineering approach of the AOL4Free Trojan, but what we didn't mention was the other reason this Trojan horse was so sneaky: An earlier hoax known by the same name lowered users' suspicions. Originally, a message circulated warning of a virus (not a Trojan horse) called AOL4Free. There was no such virus; the warning was a hoax. Once word spread that the AOL4Free virus was only a hoax, someone created a Trojan horse and named it AOL4Free, knowing that many users would readily accept it after hearing that the AOL4Free virus scare was only a hoax. The creator of the AOL4Free Trojan then circulated it as an attachment to the original hoax message and claimed that running the attachment would provide recipients with free AOL service. Users who believed the attachment would provide free AOL access double-clicked the AOL4FREE.COM icon and soon learned that the message had duped them. The launched AOL4Free Trojan horse ran the DOS DELTREE command, deleting all the files on the hard drive.

Polyglot Trojan. In 1999, many users received an email message that included a Y2Kcount.exe attachment and looked as if Microsoft had sent it. Users believed double-clicking the attachment would launch a program that displayed a countdown to New Year's Day 2000. Instead, opening the file displayed an error message. Then, while users read the error message and tried to diagnose the "problem," a Trojan horse named Polyglot ran in the background, installing itself on the system and editing configuration files so that it could monitor the user's Internet activity. Whenever Polyglot noted data transmission over the Internet, it would scan the data for passwords and other sensitive information and log what it found to a TMP (temporary) file.
Periodically, the Trojan horse sent this log to an email account, where a cracker could easily retrieve its contents.

Liberty Trojan. In 2000, Trojan horses found their way onto PDAs (personal digital assistants) with the Liberty Trojan. This Trojan horse posed as a crack for Liberty, a program that let Palm OS users play Nintendo Game Boy games. When users ran the file, however, it deleted personal information, as well as any third-party applications.

Cytron. In September 2002, antivirus software developers (and others) discovered the Cytron Trojan horse. A user receives an email message that claims the user can pick up an ecard from a friend by clicking a graphic of a hand holding an envelope. When the recipient clicks the graphic, a designated Web site loads in the browser window. Then, if the user accepts the digital certificate that appears on-screen, agreeing to install the signed program the site offers, Cytron begins sending full-screen pop-up ads for pornographic Web sites to the user.

Many of today's Trojan horses are an exception to the rule that a Trojan horse does nothing until the user opens it, because they arrive bundled with another type of malware, a combination many experts refer to as a blended threat. For instance, if a Trojan horse and a virus work as a team, when a user opens a virus-infected file, the now-activated virus could launch the Trojan horse automatically. For more information about viruses, see "Self-Replicating Code Viruses" on page 7. A sophisticated Trojan horse also might team up with a worm, which could copy and send the Trojan horse from one system to the next, from user to user, across a network or the Internet. For more information about worms, see "Worms Are True Parasites" on page 17. In each of these examples, the Trojan horse is part of a blended threat, which generates much discussion and concern nowadays. For more information about blended threats, see "Blended, Not Stirred," on page 22.
Because today's Trojan horses are likely to arrive as part of a blended threat, they tend to be more dangerous than those that lurked five or 10 years ago. A user may not need to launch the Trojan horse at all for it or its bundled malware to infect the system. If coupled with a virus, the Trojan horse may be launched automatically after the user opens the virus-infected file. If coupled with a worm, the Trojan horse may even multiply and travel from computer to computer, threatening other users as well.
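The hidden-extension and true-file-type checks described earlier can be automated for a batch of attachments. The Python script below is an added example, not code from the original article: it applies the rule that only the text after the last period is the extension, flags the extensions Explorer never shows (the NeverShowExt list is drawn from Windows behaviour, not from the article, and is illustrative), and compares the type the name claims against the file's first bytes, which is what the Properties dialog's Type Of File line does for you by hand. The sample file names and contents are constructed; the extension lists are not exhaustive.

```python
"""Triage an e-mail attachment the way the article advises: distrust the letters
at the end of the name and look at what the bytes really are.

Added example; not code from the original article. The extension lists are
illustrative, and the sample attachments below are constructed."""
import os

# Extensions Windows runs when double-clicked: the article's list plus a few close relatives.
EXECUTABLE_EXTS = {".bat", ".com", ".exe", ".pif", ".vbs", ".vbe", ".js", ".jse",
                   ".scr", ".cmd", ".wsf", ".hta"}

# Extensions Explorer hides even when "Hide extensions for known file types" is off,
# because their Registry file-type entries carry NeverShowExt (.shs is the Slydude case).
NEVER_SHOWN_EXTS = {".shs", ".shb", ".pif", ".lnk", ".url", ".scf"}

# Extensions recipients open without a second thought, so lures borrow them.
HARMLESS_LOOKING_EXTS = {".jpg", ".jpeg", ".gif", ".txt", ".doc", ".mp3"}

# What the real extension promises, for the image types we can verify by magic bytes.
IMAGE_TYPES = {".jpg": "JPEG image", ".jpeg": "JPEG image", ".gif": "GIF image"}

# Leading bytes of the types lures usually claim to be, and of PE/DOS executables (DLLs included).
MAGIC = {
    b"\xff\xd8\xff": "JPEG image",
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
    b"MZ": "Windows/DOS executable",
}


def split_all_exts(name):
    """'ForbiddenPicture.jpg.vbs' -> ['.jpg', '.vbs']: every suffix, lower-cased."""
    exts = []
    base = name.lower().strip()
    while True:
        base, ext = os.path.splitext(base)
        if not ext or not base:
            break
        exts.insert(0, ext.strip())
    return exts


def sniff_type(data):
    """Return the real type indicated by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(name, data):
    """Return human-readable warnings for one attachment; an empty list means nothing odd."""
    warnings = []
    exts = split_all_exts(name)
    true_ext = exts[-1] if exts else ""
    # Windows treats only the last suffix as the extension; earlier ones are just name text.
    if len(exts) >= 2 and exts[-2] in HARMLESS_LOOKING_EXTS and true_ext not in HARMLESS_LOOKING_EXTS:
        warnings.append(f"double extension: looks like {exts[-2]} but the real extension is {true_ext}")
    if true_ext in NEVER_SHOWN_EXTS:
        warnings.append(f"{true_ext} is never displayed by Explorer, even with extensions unhidden")
    if true_ext in EXECUTABLE_EXTS or true_ext in NEVER_SHOWN_EXTS:
        warnings.append(f"{true_ext} runs code when double-clicked")
    kind = sniff_type(data)
    if kind == "Windows/DOS executable" and true_ext not in EXECUTABLE_EXTS:
        warnings.append(f"content is a {kind} despite the {true_ext or 'missing'} extension")
    if true_ext in IMAGE_TYPES and kind != IMAGE_TYPES[true_ext]:
        warnings.append(f"claims to be a {IMAGE_TYPES[true_ext]} but the bytes say {kind}")
    return warnings


# Constructed samples modelled on the lures in the article. Apart from the magic numbers the
# bytes are made up; a real scrap object has its own structure, which is not reproduced here.
SAMPLES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "ForbiddenPicture.jpg.vbs": b"Set fso = CreateObject(\"Scripting.FileSystemObject\")",
    "Nude.jpg.shs": b"\x50\x00\x00\x00constructed-scrap-bytes",
    "Girl.gif": b"MZ\x90\x00\x03\x00\x00\x00",   # a DLL: PE files start with 'MZ'
    "Y2Kcount.exe": b"MZ\x90\x00\x03\x00\x00\x00",
}


def run_samples(samples=SAMPLES):
    """Triage every sample and return {name: warnings}."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, warnings in run_samples().items():
        print(f"{name}: {'; '.join(warnings) or 'nothing suspicious'}")
```

The magic-byte check is what catches the Girlgif case: a DLL renamed to .gif still begins with the MZ signature, so the content contradicts the name even though the name itself has a single, innocent extension.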
Crackers use port scanners to locate systems with open ports and then use backdoors to gain access to them. When a backdoor Trojan runs on an infected system, its code opens a listening port or connects out to the Internet. Normally, these actions take place in the background, so a user doesn't realize immediately that his computer is infected. In fact, often after the Trojan horse runs, nothing visible happens right away. Instead, the system waits for a cracker (either the originator of the Trojan or a different cracker who finds the open port with a scanner) to take control of the system and start an attack.

The most obvious reason a cracker might use a backdoor Trojan to access a system is to get at sensitive files and data, such as financial records, passwords, and credit card numbers. Another common use of backdoor Trojans is to turn computers into zombies a cracker can use to launch a DoS (denial of service) or DDoS (distributed denial of service) attack. To define what zombies and DoS attacks are and explain how a cracker could use a backdoor Trojan as the means to these ends, let's break down the process step by step. First, a backdoor Trojan opens a system to outside access so a cracker can control the computer remotely from her own computer. When a cracker controls a system in this way, it becomes a zombie. The cracker can use a zombie to launch a DoS attack by sending abnormally large quantities of data or PING requests (ICMP echo requests, normally used to check whether a host is reachable) to a specified computer or server. If a cracker uses multiple zombies simultaneously for this purpose, the attack becomes a DDoS attack, which also makes it harder to trace the true source. Such a flood of traffic may slow down a server (a degradation of service) or cause it to crash.
Even if the cracker only succeeds in degrading service rather than crashing a server, the results are still costly. For instance, if traffic on Amazon.com slows to a certain level, the company will lose money as customers become frustrated with the site's online service and take their business elsewhere. A cracker might target other types of servers or home computers, as well. Sometimes a cracker's goal isn't to bring down a company, but simply to prove that she can use zombies to control the Internet service others receive. She will likely avoid detection because this type of activity is difficult to trace when a cracker distributes it among many zombies.

Although backdoor Trojans are a relatively new type of Trojan horse, that doesn't mean they are rare. Let's look at just a few backdoor Trojan horses to further analyze this type of malware.

Backdoor/Slydude. In mid-1999, the Backdoor/Slydude Trojan horse (also known as Pws-Z) made the rounds. Slydude arrives as an email attachment called Nude.jpg that appears to be a JPEG (Joint Photographic Experts Group) file, but in reality .JPG isn't the actual file extension; it's just part of the file name. The actual file extension is .SHS (a Windows scrap object, which can carry an executable), and Windows hides the .SHS extension even when the option to show extensions for known file types is turned on, so the name displays as Nude.jpg. When a user double-clicks the Nude.jpg icon, a picture of a nude woman appears on-screen, but in the background the Trojan horse installs a file in the System folder and adds a Registry setting that launches the Trojan horse whenever the user starts his computer. The Trojan horse then sends passwords stored on the system to a designated email address.

NetBus. This backdoor Trojan first appeared in 1998 as a way to play pranks by flipping a user's screen upside down, opening and closing the tray of the optical drive, and performing other seemingly harmless actions.
However, installing the server component of NetBus lets a cracker use a remote computer to manipulate and control the victim's computer. There have been many reincarnations of NetBus over the last few years, and other backdoor Trojans, such as Back Orifice, use similar techniques. The social engineering varies, but some messages entice users to launch NetBus by claiming it is a patch to repair a software problem or by coupling it with a game called Whack-A-Mole. Once a user installs NetBus, a cracker can access files, programs, and even printers via the victim's system. And because the victim's computer essentially becomes a zombie, a cracker also can use it to transmit DoS attacks. NetBus behaves very much like networking software in that it installs server software on a victim's computer that interacts with a cracker's client software; by default, the NetBus server listens on TCP port 12345.

SubSeven. This backdoor Trojan (sometimes called Sub7 or Backdoor-G) gained prominence in 1999. Like NetBus, SubSeven installs server software that opens a listening port (1243 by default in early versions, 27374 in later ones) and lets a cracker with the matching client software control the victim's computer. SubSeven arrives in many forms. For example, users might believe the file is a movie clip: after Oklahoma City bomber Timothy McVeigh's execution, some users received email messages claiming the SubSeven attachment was a video of McVeigh's execution. SubSeven also has masqueraded as a network update and, ironically, as antivirus software.

Girlgif Trojan. This Trojan horse arrives in an email message with two attachments, Girl.exe and Girl.gif. The file with the .GIF extension is not really a GIF (Graphics Interchange Format) file. Instead, it's a DLL (dynamic-link library) file that remains harmless until the user double-clicks the Girl.exe attachment. After the executable file launches, it moves the Girl.gif DLL file into your System directory and renames it Imnepr.dll.
The Girlgif Trojan horse monitors all keystrokes, logs them in the System.dat file of the System directory, and occasionally transmits this file of logged keystrokes to a designated email account.

by Kylee Dickey
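The backdoor Trojans described above share one network-side footprint: a listener the machine did not have before. The Python script below is an added example, not code from the original article. It parses the text of a netstat -an listing (a constructed sample in the Windows layout), flags listeners on the default ports of NetBus, SubSeven, and Back Orifice, and, more usefully, reports any listener missing from a constructed baseline of what the clean machine exposed. The port table and the baseline are assumptions for the example; an attacker can move a backdoor to any port, so the baseline comparison is the check worth keeping.

```python
"""Look for the footprint a backdoor Trojan leaves on the network side: a listener that
was not there before. Added example; not code from the original article. The netstat
output and the baseline are constructed; the port table lists well-known defaults of the
backdoors the article names, all of which an attacker can change."""
import re

# Default listening ports of the backdoors discussed in the article. A hit is a lead to
# investigate, not proof; a miss proves nothing, because the port is configurable.
KNOWN_BACKDOOR_PORTS = {
    ("tcp", 12345): "NetBus (default)",
    ("tcp", 12346): "NetBus (default)",
    ("tcp", 1243): "SubSeven (early default)",
    ("tcp", 27374): "SubSeven (later default)",
    ("udp", 31337): "Back Orifice (default)",
}

# What this (constructed) machine is known to expose when clean: the RPC endpoint mapper
# and the NetBIOS name service.
BASELINE_LISTENERS = {("tcp", 135), ("udp", 137)}

# Constructed 'netstat -an' output in the Windows layout; UDP lines carry no state column.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1243           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1052      203.0.113.5:80         ESTABLISHED
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:137            *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local_ip, local_port, state) per connection line; state is '' for UDP."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, ip, port, _foreign, state = m.groups()
            rows.append((proto.lower(), ip, int(port), (state or "").upper()))
    return rows


def is_listener(proto, state):
    """TCP sockets show LISTENING; a bound UDP socket is always able to receive."""
    return state == "LISTENING" or (proto == "udp" and not state)


def find_known_backdoor_ports(text):
    """Listeners whose (proto, port) matches a default in KNOWN_BACKDOOR_PORTS."""
    return [(proto, port, KNOWN_BACKDOOR_PORTS[(proto, port)])
            for proto, _ip, port, state in parse_netstat(text)
            if is_listener(proto, state) and (proto, port) in KNOWN_BACKDOOR_PORTS]


def unexpected_listeners(text, baseline=BASELINE_LISTENERS):
    """Listeners absent from the clean baseline, labelled where a known default matches.
    This is the stronger check: it also catches a backdoor moved to a non-default port."""
    return [(proto, port, KNOWN_BACKDOOR_PORTS.get((proto, port), "unknown service"))
            for proto, _ip, port, state in parse_netstat(text)
            if is_listener(proto, state) and (proto, port) not in baseline]


if __name__ == "__main__":
    for proto, port, label in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"{proto}/{port}: {label}")
```

On the sample, the port table names three of the four unexpected listeners; the fourth (TCP 5000) is exactly the case a port list misses and a baseline does not, which is why the baseline should be recorded while the machine is known to be clean.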