Lesson 150: Trojan Horses

[Dwien]

something to read

peace


Trojan Horses appear harmless and can get around almost any firewall, authentication system, or virus scanner.


by Andy Dornan





Network Magazine
01/05/01, 12:30 p.m. ET
No matter what security measures you have in place, every network suffers from one serious weakness: human gullibility. Trojan Horses take advantage of this, hiding a malicious program inside something apparently harmless. If software has been installed in good faith, it can get around almost any firewall, authentication system, or virus scanner.

Trojans vary in the nefarious acts they perform once inside a machine. They can be harmless pranks that display an obscene or political message, or logic bombs that erase data and try to damage hardware. Some are coupled with viruses, spreading between systems by e-mail. The most insidious are stealthier, and often have a purpose beyond wreaking havoc. As well as hacking, Trojans have been used to spy on people, and have acted as the culprits in some spectacular frauds.

No one is safe. In fall 2000, Microsoft suffered a much-publicized attack in which hackers downloaded, and perhaps changed, the source code of a future operating system. This was the result of a Trojan concealing a worm - a program that copies itself onto other machines throughout a network. Once installed on a Microsoft machine, the code spread until it found a computer containing secrets worth stealing. The Trojan then signalled its presence to a hacker, opening a backdoor to the network.

So, how can you avoid becoming the next Microsoft? Short of banning all users from your network, you can't. But there are ways to minimize the risk, starting with vigilance and education. Regular backups are a must to undo the damage caused by those that only delete data. So is running a full suite of security software, as firewalls and virus scanners can catch some of the best-known offenders. Most importantly, you need to teach your users and yourself about Trojans. Find out their effects, and what kind of programs they hide inside. Then learn to how to distinguish a Trojan from a real gift horse, before it gets inside your network.

Worming Horses


Most Trojans conceal viruses or worms, both of which exist primarily to replicate themselves, but may also cause damaging effects (see Malware Taxonomy). Trojans have become increasingly important to viruses, because most are now sent as e-mail attachments. A user must open an e-mail attachment, whereas earlier floppy disk-based viruses were loaded automatically when a PC booted.

With the exception of Bubbleboy, which was very rare and exploited a now-fixed security hole in Microsoft Outlook, it's impossible to catch a virus simply by reading an e-mail message. Users need to be tricked into running an attached file, something that virus writers have found to be embarrassingly easy. Many people automatically double-click everything that arrives by e-mail, and must be educated otherwise.

Most IT staff should already know that Windows files ending in .com (command), .exe (executable) and .dll (dynamic link library) are programs. They have the potential to do literally anything to a system, and so should be treated with extreme caution: run them only if you trust their source completely, and you know what the program actually does. The fact that a program was e-mailed to you by a friend or colleague is not reason enough to run it. A Trojan could have commandeered your friend's backdoor mail system and spammed itself to an entire address book.

To prevent infection, many organizations have a policy against users installing unauthorized software. However, this is often impossible to enforce, and can prevent employees from using the best tools available to do their jobs. Whether or not you do implement such a policy, it's important to make users aware of the dangers. If people are allowed to download software, they should know what is likely to be most dangerous; if they aren't, they're more likely to respect the rules if they understand the reason for them.

The most serious risk comes from pirated software, because its source is almost by definition untrusted. Angry programmers have been known to wreak revenge on pirates, distributing Trojans that claim to be illegal software. The first attack on the Palm platform fell into this category, with a program that claimed to be a popular GameBoy emulator called Liberty. Instead, it deleted all files and applications.

The list of file extensions used by programs is growing all the time, making it difficult for virus scanners to keep up. Most anti-virus software checks around 30 different types, but was still caught out by the .vbs (Visual Basic Script) files used in the Love Bug of 2000. If your anti-virus software is older than this, manually set it to scan all file types, or consider an upgrade. Automatic updates provided over the Internet usually only list new viruses and fixes, not new file types where they may hide.

The most dangerous file type is the shell scrap object, which seems to be designed as a Trojan. Though it is supposed to have the .shs or .shb extension, this remains hidden under Windows 98 and Me, disguising it as any other file type. The first program to take advantage of this vulnerability was the Stages worm, which struck in June 1998. Appearing to be a harmless text file, it was, in fact, a VB-Script that e-mailed itself to all a user's contacts.

Shell scrap objects are so dangerous that Symantec's Anti-Virus Research Center recommends not using them at all. They have so few legitimate applications that many users might want to disable them entirely, by deleting the file schscrap.dll from the Windows/system directory on every PC. Less drastically, they can be forced out of hiding by deleting the registry entry for HKEY_CLASSES_ ROOT\ShellScrap.

[er0k]

nice read.. although vbs... look to quad's quick tip on that one..