Researchers show a tool that could admit hackers by pretending to be a trusted Microsoft application.
LAS VEGAS--A new technology could let a Trojan horse disguise itself as Internet Explorer and let hackers steal data from your PC by fooling firewalls into thinking it's a trusted Microsoft application, say three security consultants.
The trio of South African researchers demonstrated the technique for breaching firewalls Sunday at DefCon. The annual security conference draws hackers, security professionals, and even cybercrime investigators.
Security pros have been warning for two years that a Trojan horse bypassing firewall detection is the inevitable next step in hacking technology. At DefCon, it appeared in the form of Setiri, a demo Trojan horse that can operate without a user or firewall detecting its actions. The researchers say they will not release Setiri into the wild for hackers to use, but called on Microsoft to change the IE features that permit it to operate.
Change of Command
The Trojan horse gets loaded onto a victim's PC in the same manner as other Trojan horses--either embedded in an e-mail attachment or downloaded file, or installed physically onto a PC via a disk.
But Setiri differs from other Trojan horses in that it does not itself contain the executable commands that would cause a firewall to block its malicious actions.
Instead, the program launches an invisible window in Internet Explorer to connect stealthily to a Web server through an anonymous proxy site called Anonymizer.com. The site is intended to enable anonymous surfing, but Setiri uses it to execute commands on your PC without your knowledge. Such commands can include downloading a keystroke-logging program to your system or uploading files or passwords to a remote PC. Because the stolen data is passed back through the Anonymizer proxy, you cannot trace the location of the remote computer.
The Trojan horse exploits a standard feature in Internet Explorer that lets invisible browser windows open and connect to the Internet. The browser windows open in the background and don't appear on the desktop, so you can't see what they're doing. If you look for evidence of an open window in your Windows Task Manager, the window will be listed as IEXPLORE.EXE, just like a regular Internet Explorer window.
Internet Explorer uses invisible windows for many legitimate purposes, such as sending registration info to the Net. The e-mail program Eudora makes use of invisible browser windows to download pictures in e-mail.
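The condition the article describes, an Internet Explorer instance running with no window shown on the desktop, is something a defender can enumerate from the host. The following PowerShell snippet is an added example and is not code from the article or from the researchers; it assumes a Windows machine with Internet Explorer installed and relies only on the standard Shell.Application COM object and the Get-Process cmdlet. Because legitimate software also opens hidden browser windows, as the article notes, the output is a list of things to review, not a verdict.

```powershell
# Added example (not from the article): list Internet Explorer instances that are
# running without a visible window. Assumes Windows with IE present.

function Get-HiddenIEWindow {
    $findings = @()

    # Shell.Application.Windows() enumerates the ShellWindows collection, which
    # includes automation-created Internet Explorer objects as well as File Explorer.
    $shell = New-Object -ComObject Shell.Application
    foreach ($w in $shell.Windows()) {
        # FullName is the hosting executable; keep only iexplore.exe, skip explorer.exe
        if (-not $w.FullName) { continue }
        if ((Split-Path $w.FullName -Leaf) -ne 'iexplore.exe') { continue }

        # Visible is $false for windows created without being shown on the desktop
        if (-not $w.Visible) {
            $findings += [pscustomobject]@{
                Source  = 'ShellWindows'
                Hwnd    = $w.HWND
                Url     = $w.LocationURL
                Visible = $w.Visible
            }
        }
    }

    # Cross-check against the process list: an iexplore.exe process with no main
    # window handle has nothing on the desktop for the user to notice. Later
    # multi-process IE versions spawn tab processes that also report no main
    # window, so treat these entries as leads rather than proof.
    Get-Process -Name iexplore -ErrorAction SilentlyContinue |
        Where-Object { $_.MainWindowHandle -eq 0 } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Source  = 'ProcessList'
                Hwnd    = 0
                Url     = "(pid $($_.Id), no main window)"
                Visible = $false
            }
        }

    return $findings
}

# Usage: print anything that looks like a hidden IE instance
Get-HiddenIEWindow | Format-Table -AutoSize
```

Each finding carries the URL the hidden window is pointed at, which is the most useful field for triage: a hidden window talking to an update or registration endpoint is expected, while one routed through an anonymous proxy service warrants a closer look at the process that launched it.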