-
May 28th, 2004, 04:52 AM
#1
A quick question about trojans..
Hey everyone 
I was wondering if it's possible for a trojan to "inject" its code into a trusted application, hiding it from the user and allowing it to access the net (if the application was trusted by the firewall). This would allow it to call home and the owner of the trojan could access the machine. But is it really possible? I was sort of curious about this but couldn't find anything in searches.
Thanks!
mjk
-
May 28th, 2004, 04:55 AM
#2
The only way I can think of for a trojan to 'inject' its code would be to bind itself with a trusted application and then get the application to run... Of course, the firewall would show that the trusted application had changed from the last time it accessed the net.
-
May 28th, 2004, 04:58 AM
#3
Originally posted here by therenegade
The only way I can think of for a trojan to 'inject' its code would be to bind itself with a trusted application and then get the application to run... Of course, the firewall would show that the trusted application had changed from the last time it accessed the net.
Ah, that's right. I forgot that it would report that the file had changed. Guess that cleared that up. I felt that I was missing something but I was unsure. Thanks
mjk
EDIT:
!mitationRust you make a good point too.. But if you just get a good free firewall like Sygate (what I use) or ZoneAlarm, then you won't have to worry about that.
-
May 28th, 2004, 05:11 AM
#4
Until somebody writes an agent-smith style trojan, probably not going to happen. This highlights the purpose of file integrity checkers though. Anti-Virus Software and Firewalls are great for new arrivals to the network, but _at_least_ half your headaches are going to come from the inside at any size installation.
Tripwire, properly configured, would catch agent-smith immediately (provided it weren't games, pr0n, or some other user sludge). Then again, I have seen sites with all kinds of security measures in place get the pants hacked off them due to an utterly inept notification methodology.
-- spurious
Get OpenSolaris http://www.opensolaris.org/
-
May 28th, 2004, 05:21 AM
#5
Junior Member
only problem is, there are certain tools (stealth tools??) that have the ability to not only bind trojans to other files, but can also change key pieces of information that most AVs look for in detection, such as actual file size of the trojan (can add more bytes to the size of it) and the keywords in the code (which i think can also be modified somehow with tools out there...). this makes it difficult for SOME AVs to detect the trojan, but it will still most likely be caught.
hope that is along the lines of what you were asking about, i assume "injection" in this case would be synonymous with "binding."
-D
-
May 28th, 2004, 05:40 AM
#6
Or if they bind the application with the trojan. Although that would probably come up on any A/V scanner, it could be done. Crackers/Script Kiddies try to do it all the time, binding it with games, mp3 downloads, warez, whatever, and half the time putting it on p2p networks such as Kazaa.
-
May 28th, 2004, 06:04 AM
#7
Hence the benefit of MD5 Hashes!
-
May 28th, 2004, 06:39 AM
#8
The firewall that I use, Kerio, makes an MD5 hash of an application the first time it's granted access to the network. This hash is then computed every time the application accesses the network and checked against the original hash. Any changes to the application (even just a single byte) will result in a failure and a notification to the user that tells him that an application has changed.
Cheers,
cgkanchi
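
The hash-on-first-use check described in post #8, as an added example that is not part of the original thread and not Kerio's code. The store format, class and function names are assumptions made for illustration, and SHA-256 is used as the default digest in place of the MD5 the post names (the algorithm is a parameter).

```python
import hashlib
import json
import os
import tempfile

def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large executables are not read into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class AppBaseline:
    """Trust-on-first-use store: path -> digest recorded when access was first granted."""
    def __init__(self, store_path, algorithm="sha256"):
        self.store_path = store_path
        self.algorithm = algorithm
        self.known = {}
        if os.path.exists(store_path):
            with open(store_path) as f:
                self.known = json.load(f)

    def check(self, app_path):
        """Return 'new', 'unchanged', 'changed' or 'missing' for app_path."""
        key = os.path.abspath(app_path)
        if not os.path.exists(key):
            return "missing"
        digest = file_digest(key, self.algorithm)
        if key not in self.known:
            self.known[key] = digest      # first network access: record the baseline
            with open(self.store_path, "w") as f:
                json.dump(self.known, f)
            return "new"
        return "unchanged" if self.known[key] == digest else "changed"

def demo():
    """Constructed sample: a stand-in 'application' file, then a one-byte change."""
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "browser.exe")
        with open(app, "wb") as f:
            f.write(b"MZ" + b"\x00" * 1024)
        baseline = AppBaseline(os.path.join(d, "baseline.json"))
        results = [baseline.check(app), baseline.check(app)]
        with open(app, "r+b") as f:       # overwrite one byte in place; size is unchanged
            f.seek(100)
            f.write(b"\x01")
        results.append(baseline.check(app))
        return results                    # ['new', 'unchanged', 'changed']
```

The check compares content, not size or timestamps, so a modified file of identical length is still reported as changed.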
-
May 28th, 2004, 08:05 AM
#9
Junior Member
Re: A quick question about trojans..
Originally posted here by mjk
Hey everyone 
I was wondering if it's possible for a trojan to "inject" its code into a trusted application, hiding it from the user and allowing it to access the net (if the application was trusted by the firewall). This would allow it to call home and the owner of the trojan could access the machine. But is it really possible? I was sort of curious about this but couldn't find anything in searches.
Thanks!
mjk
Check out Stenography and you will learn a ton.
Trackit
-
May 28th, 2004, 08:29 AM
#10
Re: A quick question about trojans..
Originally posted here by mjk
Hey everyone 
I was wondering if it's possible for a trojan to "inject" its code into a trusted application, hiding it from the user and allowing it to access the net (if the application was trusted by the firewall).
mjk
IMHO
Trusted is a relative term; if you are wise you will personally decide what proggies are "Trusted", or not.
I have never read about or experienced a Trojan with the described characteristics. I have experienced many Boot Sector Virii that behave a little bit the way you describe. If you maintain current DAT files, and actually pay for a decent Antivirus/Firewall combo, you should be in the clear, unless you are a high value target for Crackers. Which I am not. hehe
I can not promise it is impossible, nothing is impossible.
Heuristic technology or not.
P:
Get some good religion from Bad Religion.