Intelligent Security Solutions

Last Updated: Thursday, August 28, 2008 12:14 PM  


Trojans

What is a Trojan Horse?

A Trojan horse is a malicious program that is disguised as, or embedded within, legitimate software. The term is derived from the classical myth of the Trojan Horse. Such programs may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed. Often the term is shortened to simply trojan, even though this turns the adjective into a noun and reverses the myth (it was the Greeks, not the Trojans, who gained malicious access).

There are two common types of Trojan horses. One is otherwise useful software that a cracker has corrupted by inserting malicious code that executes while the program is used. Examples include various implementations of weather alerting programs, computer clock setting software, and peer-to-peer file sharing utilities. The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives.

Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like viruses or worms. Just as the Greeks needed the Trojans to bring the horse inside for their plan to work, Trojan horse programs depend on actions by the intended victims. Even if a trojan replicates or distributes itself, each new victim must still run it. Their virulence is therefore of a different nature, depending on successful social engineering rather than on flaws in a computer system's security design or configuration.


Example of a simple trojan:

A simple example of a Trojan horse would be a program named "SEXY.EXE" that is posted on a website with a promise of "hot pix"; but, when run, it instead erases all the files on the computer and displays a taunting message.

Example of a somewhat advanced trojan:

On the Microsoft Windows platform, an attacker might attach a Trojan horse with an innocent-looking filename to an email message which entices the recipient into opening the file. The Trojan horse itself would typically be a Windows executable program file, and thus must have an executable filename extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is sometimes configured by default to hide filename extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file. Icons can also be chosen to imitate a different file type. When the recipient double-clicks on the attachment, the Trojan horse might superficially do what the user expects it to do (open a text file, for example), so as to keep the victim unaware of its real objectives. Meanwhile, it might discreetly modify or delete files, change the configuration of the computer, or even use the computer as a base from which to attack local or other networks - possibly joining many other similarly infected computers as part of a distributed denial-of-service attack.

Types of Trojan horses:

Trojan horses are almost always designed to do harm, although some are harmless. They are classified by how they breach systems and by the damage they cause. The seven main types of Trojan horses are:

  1. Remote Access Trojans
  2. Data Sending Trojans
  3. Destructive Trojans
  4. Proxy Trojans
  5. FTP Trojans
  6. Security software disabling Trojans
  7. Denial-of-Service attack (DoS) Trojans


Some examples of what a Trojan horse may do are:
  1. erasing or overwriting data on a computer.
  2. encrypting files in a cryptoviral extortion attack.
  3. corrupting files in a subtle way.
  4. uploading and downloading files.
  5. allowing remote access to the victim's computer (such a trojan is called a RAT, or remote administration tool).
  6. spreading other malware, such as viruses. In this case the Trojan horse is called a 'dropper' or 'vector'.
  7. setting up networks of zombie computers in order to launch DDoS attacks or send spam.
  8. spying on the user of a computer and covertly reporting data like browsing habits to other people (see the article on spyware).
  9. taking screenshots.
  10. logging keystrokes to steal information such as passwords and credit card numbers (such a trojan is also known as a keylogger).
  11. phishing for bank or other account details, which can be used for criminal activities.
  12. installing a backdoor on a computer system.
  13. opening and closing the CD-ROM tray.
  14. harvesting e-mail addresses and using them for spam.
  15. restarting the computer whenever the infected program is started.

Time bombs and logic bombs:

"Time bombs" and "logic bombs" are types of trojan horses. Time bombs activate on particular dates and/or times; logic bombs activate when certain conditions on the computer are met.

Droppers:

A dropper performs two tasks at once: it carries out a legitimate task while also installing a computer virus or a computer worm on the system or disk.


How you can be infected:

  • Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of trojans and other pests. Even with a more secure web browser, such as Mozilla's Firefox or Opera, your computer can still receive a Trojan horse if Java is enabled.
  • Instant message: Many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such as AOL's instant messenger.
  • E-mail: Attachments on e-mail messages may contain Trojans. See the section entitled "Precautions against Trojan horses" for details on how to prevent Trojan horses arriving via SMTP.

Precautions against Trojan horses:

Trojan horses can be protected against through end-user awareness. Trojan Horse viruses can cause a great deal of damage to a personal computer, but even more damage to a business, particularly a small business that usually does not have the same virus protection capabilities as a large business. Since a Trojan Horse virus is hidden, it is harder to protect yourself or your company from it, but there are things that you can do.

Trojan Horses are most commonly spread through e-mail, much like other types of common viruses. The only difference, of course, is that a Trojan Horse is hidden. The best ways to protect yourself and your company from Trojan Horses are as follows:

  1. If you receive e-mail from someone that you do not know, or you receive an unknown attachment, never open it right away. As an e-mail user you should confirm the source. Some hackers have the ability to steal address books, so e-mail that appears to come from someone you know is not necessarily safe.
  2. When setting up your e-mail client, make sure that your settings do not open attachments automatically. Some e-mail clients come with an anti-virus program that scans any attachments before they are opened. If your client does not come with this, it would be best to purchase one or download one for free.
  3. Make sure your computer has an anti-virus program on it and update it regularly. If your anti-virus program includes an auto-update option you should turn it on; that way, if you forget to update your software, you can still be protected from threats.
  4. Operating systems offer patches to protect their users from certain threats and viruses, including Trojan Horses. Software developers like Microsoft offer patches that in a sense "close the hole" that the Trojan horse or other virus would use to get through to your system. If you keep your system updated with these patches, your computer is kept much safer.
  5. Avoid using peer-to-peer (P2P) sharing networks like Kazaa, Limewire, Ares, or Gnutella, because they are generally unprotected from viruses, and Trojan Horse viruses spread through them especially easily. Some of these programs do offer some virus protection, but this is often not strong enough. If you insist on using P2P, it is safest not to download files that claim to be "rare" songs, books, movies, pictures, etc.

Besides these sensible precautions, one can also install anti-trojan software, some of which is offered free.
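
The masked-extension trick described above ('Readme.txt.exe' shown as 'Readme.txt' when Windows hides extensions) and the first two precautions (check attachments before opening them) can be turned into a simple attachment check. The following script is an added example, not code from the original page: it builds a sample message (constructed data, with a fake attachment body), parses it with Python's standard email library, and flags every attachment whose real extension is one of the executable types the page lists (.exe, .com, .scr, .bat, .pif), reporting separately when that extension hides behind a document-like inner extension. The set of "benign-looking" extensions is an assumption chosen for illustration, not an exhaustive list.

```python
"""Flag e-mail attachments that look like masked Windows executables.

Added example (not from the original page). It applies two checks the page
describes: an executable filename extension, and a benign-looking inner
extension such as 'Readme.txt.exe' that a client hiding extensions would
display as 'Readme.txt'. The message below is constructed for the example.
"""
import email
from email import policy
from email.message import EmailMessage

# Windows executable extensions named in the text above.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".pif"}

# Extensions a user would read as harmless documents or images.
# Assumption: a short illustrative set, not an exhaustive list.
BENIGN_LOOKING_EXTENSIONS = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".zip"}


def classify_filename(name: str) -> dict:
    """Return a verdict for one attachment filename.

    'executable' is True when the real (last) extension is an executable type.
    'masked' is True when that executable extension sits behind a document-like
    one, so a client that hides extensions would show a misleading name.
    'shown_as' is the name such a client would display.
    """
    parts = name.lower().rsplit(".", 2)
    # e.g. 'Readme.txt.exe' -> ['readme', 'txt', 'exe'];  'notes.txt' -> ['notes', 'txt']
    real_ext = "." + parts[-1] if len(parts) > 1 else ""
    inner_ext = "." + parts[-2] if len(parts) > 2 else ""
    executable = real_ext in EXECUTABLE_EXTENSIONS
    masked = executable and inner_ext in BENIGN_LOOKING_EXTENSIONS
    shown_as = name[:-len(real_ext)] if real_ext else name
    return {"name": name, "executable": executable, "masked": masked,
            "shown_as": shown_as}


def build_sample_message() -> EmailMessage:
    """Construct a sample message with one masked and one harmless attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"          # constructed addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Please read the attached notes"
    msg.set_content("See attached.")
    # Constructed stand-in for an executable body: only the 'MZ' header bytes.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Readme.txt.exe")
    msg.add_attachment("just text", filename="notes.txt")
    return msg


def scan_message(raw: bytes) -> list:
    """Parse raw RFC 822 bytes and classify every attachment filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            verdicts.append(classify_filename(name))
    return verdicts


if __name__ == "__main__":
    for v in scan_message(build_sample_message().as_bytes()):
        if v["masked"]:
            flag = "MASKED EXECUTABLE"
        elif v["executable"]:
            flag = "executable"
        else:
            flag = "ok"
        print(f"{v['name']!r} (displayed as {v['shown_as']!r}): {flag}")
```

The check deliberately looks only at the filename, which is what the user sees and decides on; a real mail gateway would also inspect the attachment's content, since the page's own fifth precaution notes that names are not to be trusted.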

Keyloggers

Types of keyloggers

Keyloggers are applications that monitor a user's keystrokes and then send this information back to the malicious user. This can happen via email or to a malicious user's server somewhere on the Internet. These logs can then be used to collect email and online banking usernames and passwords from unsuspecting users or even capture source code being developed in software firms.

While keyloggers have been around for a long time, the growth of spyware over the last few years means they warrant renewed attention. In particular, this is due to the relative ease with which a computer can become infected -- a user simply has to visit the wrong website.

Keyloggers can be one of three types:

  1. Hardware keyloggers. These are small inline devices placed between the keyboard and the computer. Because of their size they can often go undetected for long periods of time -- however, they of course require physical access to the machine. These hardware devices are able to capture hundreds of keystrokes, including banking and email usernames and passwords.
  2. Software using a hooking mechanism. This type of logging is accomplished by using the Windows function SetWindowsHookEx(), which monitors all keystrokes. The spyware will typically come packaged as an executable file that initiates the hook function, plus a DLL file to handle the logging functions. An application that calls SetWindowsHookEx() is capable of capturing even autocomplete passwords.
  3. Kernel/driver keyloggers. This type of keylogger runs at the kernel level and receives data directly from the input device (typically a keyboard). It replaces the core software for interpreting keystrokes. It can be programmed to be virtually undetectable by taking advantage of the fact that it is executed on boot, before any user-level applications start. Since the program runs at the kernel level, one disadvantage of this approach is that it fails to capture autocomplete passwords, as this information is passed in the application layer.