6.2 What Are Trojan Horses and Worms?

Team-Fly

	Malicious Mobile Code: Virus Protection for Windows By Roger A. Grimes
	Table of Contents
	Chapter 6.  Trojans and Worms

The story of the infamous Trojan horse comes from Greek mythology about a battle between the Greeks and the people of Troy (Trojans). For ten years the Greeks had unsuccessfully tried to get into the city of Troy to rescue Helen, queen of Sparta. Troy was surrounded by an impenetrable stone wall. The Greeks decided to play a trick. They built a two-story wooden horse with their best soldiers hidden inside, left it as a gift to the Trojans, and pretended to sail away. Against the warning of a few Trojan wise men, the Trojans hauled the wooden horse inside. The whole city of Troy celebrated their defeat over the Greeks and feel asleep in a drunken stupor. In the wee hours of the morning, the Greek warriors came out of their hiding place and began the slaughter of Troy. The returning Greek army easily overcame the tricked Trojans and gained control of the city. All males were killed and females were enslaved.

A Trojan horse program, shortened to Trojan for simplicity, is any program that intentionally hides its malicious actions while pretending to be something else. Simple Trojans claim to be a game or some sort of program, and when the user runs the program it immediately does something malicious to their system. These types of basic Trojans don't spread far because they destroy themselves in the process, or are so noticeable that users don't send them to friends . Today's sophisticated Trojans are attached to legitimate programs and compromised users may never notice them.

A Trojan is differentiated from a virus because it does not copy its coding into other host files or boot areas. A Trojan masquerades as something else, whereas, a virus becomes part of the other program. A virus contains coding to copy itself to other files. A Trojan does not. The difference is in their replication methods . A Trojan begins its life attached to a host file and only spreads using that file. A Trojan depends on the user to send the Trojan program to other people. Some hackers write their own front-end programs, hiding its true intent. Others find legitimate programs to attach Trojans to and then place the new combination on the Internet to be spotted and picked up. Cute little joke programs are excellent hosts . They are tiny enough to be sent around in email without slowing down email servers, and they provide humorous incentive for others to send to friends.

Trojans are hidden in games , utilities, and programs. To date, a malicious program hasn't successfully spread inside of a legitimate graphic, movie, or sound file, although it might be possible in some unusual situations. But if those same files have an executable extension (i.e. .EXE ), then the program displays the data while running the Trojan.

Another common target of hackers are hackers themselves. Hacker web sites contain hundreds of hacking programs available for download. It's unusual if at least one or two of those programs aren't Trojan programs in hiding. The hacker wannabes download the program thinking they are getting some file to help them hack someone else. It often doesn't work as advertised, but a Trojan has been dropped. I don't have a lot of sympathy in these sorts of cases.

Worms are often treated as Trojans because they don't infect other files. But whereas a Trojan masquerades as another program, a worm uses its own coding to spread. It doesn't necessarily rely on a user's gullibility to spread. Instead, it contains self-propagating routines that will use systems already in place to break in. Early worms, like the Morris Internet worm of 1988, used a multitude of methods to gain access into new networks. The Morris worm used a few different methods. First, it tried using holes in finger and sendmail programs. If that failed, it would often pose as other users and try different passwords to gain access. Today, most worms don't bother. They simply email themselves from user to user.

The line between worm and Trojan is blurred because each form has used the other's advantages to spread. Today, a worm is often a Trojan and a Trojan is often distributed by a worm. A typical Internet worm travels as a file attachment in an email. The user runs the attached file, and the worm invades the user's system and sends itself to recipients on the user's email address book lists. An email arrives in the new victim's inbox, sent by a known acquaintance. It implores the new victim to run the attached file or web link. The W32.Melting.Worm is typical of such programs. It appears in a user's Outlook inbox with the subject line, "Fantastic Screensaver." The body includes the follow text, "Hello my friend! Attached is my newest and funniest Screensaver, I named it MeltingScreen. Test it and tell me what you think. Have a nice day my friend." If a user runs the attachment, the worm copies itself as MeltingScreen.exe to the user's Windows directory and begins renaming .EXE files to .BIN , while executing a graphics routine that makes the screen appear to melt. Upon reboot, the system is likely to lock up. It emails itself to everyone in the victim's email address book as an attachment called MeltingScreen.exe or Melting.exe .