Trojan Horses
No matter what security measures you have in place, every network suffers from one serious weakness: human gullibility. Trojan Horses take advantage of this, hiding a malicious program inside something apparently harmless. If software has been installed in good faith, it can get around almost any firewall, authentication system, or virus scanner.

Trojans vary in the nefarious acts they perform once inside a machine. They can be harmless pranks that display an obscene or political message, or logic bombs that erase data and try to damage hardware. Some are coupled with viruses, spreading between systems by e-mail. The most insidious are stealthier, and often have a purpose beyond wreaking havoc. As well as hacking, Trojans have been used to spy on people, and have acted as the culprits in some spectacular frauds.

No one is safe. In fall 2000, Microsoft suffered a much-publicized attack in which hackers downloaded, and perhaps changed, the source code of a future operating system. This was the result of a Trojan concealing a worm, a program that copies itself onto other machines throughout a network. Once installed on a Microsoft machine, the code spread until it found a computer containing secrets worth stealing. The Trojan then signalled its presence to a hacker, opening a backdoor to the network.

So, how can you avoid becoming the next Microsoft? Short of banning all users from your network, you can't. But there are ways to minimize the risk, starting with vigilance and education. Regular backups are a must to undo the damage caused by those that only delete data. So is running a full suite of security software, as firewalls and virus scanners can catch some of the best-known offenders. Most importantly, you need to teach your users and yourself about Trojans. Find out their effects, and what kind of programs they hide inside. Then learn how to distinguish a Trojan from a real gift horse, before it gets inside your network.

Worming Horses

Most Trojans conceal viruses or worms, both of which exist primarily to replicate themselves, but may also cause damaging effects (see Malware Taxonomy). Trojans have become increasingly important to viruses, because most are now sent as e-mail attachments. A user must open an e-mail attachment, whereas earlier floppy disk-based viruses were loaded automatically when a PC booted.

With the exception of Bubbleboy, which was very rare and exploited a now-fixed security hole in Microsoft Outlook, it's impossible to catch a virus simply by reading an e-mail message. Users need to be tricked into running an attached file, something that virus writers have found to be embarrassingly easy. Many people automatically double-click everything that arrives by e-mail, and must be educated otherwise.

Most IT staff should already know that Windows files ending in .com (command), .exe (executable) and .dll (dynamic link library) are programs. They have the potential to do literally anything to a system, and so should be treated with extreme caution: run them only if you trust their source completely, and you know what the program actually does. The fact that a program was e-mailed to you by a friend or colleague is not reason enough to run it. A Trojan could have commandeered your friend's mail system through a backdoor and spammed itself to an entire address book.

To prevent infection, many organizations have a policy against users installing unauthorized software. However, this is often impossible to enforce, and can prevent employees from using the best tools available to do their jobs. Whether or not you do implement such a policy, it's important to make users aware of the dangers. If people are allowed to download software, they should know what is likely to be most dangerous; if they aren't, they're more likely to respect the rules if they understand the reason for them.

The most serious risk comes from pirated software, because its source is almost by definition untrusted. Angry programmers have been known to wreak revenge on pirates, distributing Trojans that claim to be illegal software. The first attack on the Palm platform fell into this category, with a program that claimed to be a popular GameBoy emulator called Liberty. Instead, it deleted all files and applications.

The list of file extensions used by programs is growing all the time, making it difficult for virus scanners to keep up. Most anti-virus software checks around 30 different types, but was still caught out by the .vbs (Visual Basic Script) files used in the Love Bug of 2000. If your anti-virus software is older than this, manually set it to scan all file types, or consider an upgrade. Automatic updates provided over the Internet usually only list new viruses and fixes, not new file types where they may hide.

The most dangerous file type is the shell scrap object, which seems to be designed as a Trojan. Though it is supposed to have the .shs or .shb extension, this remains hidden under Windows 98 and Me, disguising it as any other file type. The first program to take advantage of this vulnerability was the Stages worm, which struck in June 1998. Appearing to be a harmless text file, it was, in fact, a VB-Script that e-mailed itself to all a user's contacts.
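The three preceding paragraphs describe the same defensive check from three angles: executable extensions, the growing list of script types, and shell scrap objects whose extension Explorer hides. The following is an added example (not code from the original article) of an attachment-name classifier a mail gateway or help desk could use. The extension lists, the risk labels and the attachment names are constructed for this example; a production list would be taken from the anti-virus vendor's current file-type table.

```python
import os

# Extensions Windows treats as directly executable or scriptable.
# Illustrative list assembled for this example, not an exhaustive one.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".dll", ".bat", ".cmd", ".pif", ".scr",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
}

# Shell scrap objects: Explorer hides these extensions, so a file named
# "report.txt.shs" is displayed to the user as "report.txt".
HIDDEN_EXTENSIONS = {".shs", ".shb"}


def classify_attachment(filename):
    """Return (risk, reason) for an attachment name.

    risk is one of "block", "quarantine" or "allow".
    """
    name = filename.lower().strip()
    root, ext = os.path.splitext(name)

    # Scrap objects have almost no legitimate use in mail; always block.
    if ext in HIDDEN_EXTENSIONS:
        return "block", f"shell scrap object {ext} (extension hidden by Explorer)"

    if ext in EXECUTABLE_EXTENSIONS:
        # "LOVE-LETTER-FOR-YOU.TXT.vbs": the inner extension is the disguise,
        # the outer one is what actually runs when double-clicked.
        _, inner_ext = os.path.splitext(root)
        if inner_ext:
            return "block", f"double extension: looks like {inner_ext}, runs as {ext}"
        return "quarantine", f"executable content {ext}"

    return "allow", "no executable extension"


def triage(filenames):
    """Classify a batch of attachment names, most dangerous first."""
    order = {"block": 0, "quarantine": 1, "allow": 2}
    results = [(f,) + classify_attachment(f) for f in filenames]
    return sorted(results, key=lambda r: order[r[1]])


if __name__ == "__main__":
    # Constructed sample attachment names for a demonstration run.
    sample = ["photo.jpg", "invoice.exe", "report.txt.shs",
              "LOVE-LETTER-FOR-YOU.TXT.vbs", "archive.tar.gz"]
    for name, risk, reason in triage(sample):
        print(f"{risk:10} {name:32} {reason}")
```

The classifier deliberately treats any double extension ending in an executable type as a block rather than a quarantine, because a second extension has no purpose other than disguise; a plain .exe from a known sender is quarantined so an administrator can decide.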

Shell scrap objects are so dangerous that Symantec's Anti-Virus Research Center recommends not using them at all. They have so few legitimate applications that many users might want to disable them entirely, by deleting the file schscrap.dll from the Windows/system directory on every PC. Less drastically, they can be forced out of hiding by deleting the registry entry for HKEY_CLASSES_ROOT\ShellScrap.

Pulling The Reins

As threatening as viruses and worms are, they're perhaps the least dangerous payload that can lurk within a Trojan. Many are instead designed to gain access to your network, concealing small server programs that run almost unnoticed. These can let a hacker spy on your secrets, or even take control of your PC.

The most infamous hacking tool is Back Orifice 2000, often known simply as BO2K, and produced by hacker collective the Cult of the Dead Cow (www.cultdeadcow.com). The authors describe the program as a "remote administration tool," which just happens to be able to administer a computer without its user's knowledge or consent. It can run almost undetected under any version of Windows, allowing an outsider almost unrestricted access to a system. As well as copying or altering files, hackers equipped with BO2K can record a user's every keystroke, and even receive a live video feed of their screen.

In an ironic twist, the Cult of the Dead Cow itself has fallen victim to a Trojan. The first Back Orifice 2000 CD-ROMs to be distributed were infected with Chernobyl, a nasty virus that can cause permanent damage to hardware. Aspiring hackers at 1999's DefCon convention found that far from gaining control over other people's computers, they lost control of their own as hard disks were overwritten and BIOS chips erased.

The Microsoft hack in fall 2000 used a Trojan called QAZ, which disguises itself as the Notepad utility, the file notepad.exe. Notepad itself is still available, but renamed note.exe, so that users won't notice a change. An administrator trying to fix the problem might know that this file is not part of the standard Windows installation and remove it, a course of action which would stop Notepad from working, but leave the Trojan intact.
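The substitution described above defeats a check that only asks "is this file name part of a standard install?". What catches it is a file-integrity baseline: a table of expected file names and hashes recorded from a clean machine. Below is an added example (not the article's code, and not related to any real Windows binary) that audits a directory against such a baseline and, importantly, recognises when an unexpected file is actually a renamed original, so the administrator removes the impostor rather than the real program. The file contents and hashes are constructed stand-ins.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_directory(path, baseline):
    """Compare the files in `path` against a {filename: sha256} baseline.

    Returns a dict with sorted lists:
      modified   - baseline name present, but content hash differs
      missing    - baseline name absent
      unexpected - file present that the baseline does not know
      renamed    - (unexpected name, baseline name) pairs whose content is
                   byte-identical to a baseline file, i.e. the original
                   program moved aside rather than a new file
    """
    present = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            present[name] = sha256_of(full)

    by_hash = {digest: name for name, digest in baseline.items()}
    findings = {"modified": [], "missing": [], "unexpected": [], "renamed": []}

    for name, expected in baseline.items():
        if name not in present:
            findings["missing"].append(name)
        elif present[name] != expected:
            findings["modified"].append(name)

    for name, digest in present.items():
        if name in baseline:
            continue
        findings["unexpected"].append(name)
        if digest in by_hash:
            findings["renamed"].append((name, by_hash[digest]))

    for key in findings:
        findings[key].sort()
    return findings


def build_demo():
    """Constructed scenario mirroring the QAZ substitution: the impostor takes
    the real program's name and the real program is parked under a new name."""
    genuine = b"GENUINE-NOTEPAD-BYTES (constructed stand-in for the real binary)"
    impostor = b"IMPOSTOR-BYTES (constructed stand-in, not real malware)"

    # Baseline as it would have been recorded from a clean installation.
    baseline = {"notepad.exe": hashlib.sha256(genuine).hexdigest()}

    workdir = tempfile.mkdtemp()
    try:
        with open(os.path.join(workdir, "notepad.exe"), "wb") as f:
            f.write(impostor)          # Trojan wearing Notepad's name
        with open(os.path.join(workdir, "note.exe"), "wb") as f:
            f.write(genuine)           # real Notepad, renamed
        return audit_directory(workdir, baseline)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, items in build_demo().items():
        print(f"{key:10} {items}")
```

A "modified" entry for a file that is supposed to be there is the stronger signal here; the "renamed" pairing turns a confusing unexpected file into an instruction (restore note.exe as notepad.exe after removing the impostor). The baseline itself must be stored and compared from a trusted host, since a Trojan with control of the machine can rewrite a local baseline as easily as it renamed the binary.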

Even if intruders aren't interested in your data, gaining control of a computer can still be a serious coup. The Distributed Denial of Service (DDoS) attacks that brought down leading Web sites in early 2000 were all accomplished by Trojan Horses. These attacks rely on thousands of computers all working together, and so can't normally be launched by any one individual. However, the attack becomes possible if that individual first gains control of thousands of computers.

Participation in a DDoS attack means more than just being a bad Netizen and opening your organization to lawsuits. Though the headlines told of Yahoo and eBay being knocked out, the thousands of individuals and businesses whose computers relayed the attacks also suffered. If your mail server is busy launching an attack, it won't be available for its intended purpose.

Any PC connected to a phone line is a valuable target for a financially motivated attack, because its modem can be reprogrammed to dial premium-rate numbers. Many Trojans change a user's dial-up networking settings to an international number, often charged at several dollars per minute. If the number actually connects to an ISP, victims may notice nothing until they receive their phone bills.

This kind of Trojan first struck in 1998, when thousands of European users downloaded a pornography slide-show, only to find their modems calling an expensive number in Ghana. It has since moved to number three on the Federal Trade Commission list of Internet frauds, and is considered more dangerous than phone slamming and pyramid schemes.

Shutting The Stable Door

Most Trojans signal their presence to a hacker using a preset TCP port, so a properly configured firewall may be able to detect or block them. Lists of ports used by popular Trojans are published on several Web sites (see Resources), and some will even scan for them automatically. However, the latest versions of many Trojans can vary their port, making detection more difficult.
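The port-based detection described above is easy to automate from firewall logs. The following is an added example (not the article's code) that reads connection records, raises an alert whenever either end of a connection uses a port from a watchlist, and, because the paragraph notes that newer Trojans vary their port, adds a second rule that flags accepted inbound connections to internal hosts on any port where no service is expected. The log format, the watchlist contents, the addresses and the expected-service list are all constructed for this example; in practice the watchlist would be filled from the sites listed under Resources.

```python
import ipaddress
import re

# Constructed address plan and policy for this example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
EXPECTED_INBOUND = {25}          # only the mail server accepts Internet traffic

# Constructed watchlist; a real one comes from a maintained Trojan-port list.
TROJAN_PORTS = {
    31337: "Back Orifice 2000 default",
    12345: "NetBus default",
}

# Constructed log line shape:
# "<date> <time> ALLOW|DENY TCP|UDP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(\S+ \S+) (ALLOW|DENY) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport = m.groups()
    return {
        "ts": ts, "action": action, "proto": proto,
        "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
    }


def flag_connections(lines):
    """Apply the two rules to an iterable of log lines; return alert tuples
    of (timestamp, connection, reason)."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        conn = f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']}"
        src_internal = ipaddress.ip_address(rec["src"]) in INTERNAL
        dst_internal = ipaddress.ip_address(rec["dst"]) in INTERNAL

        # Rule 1: a known Trojan port at either end, allowed or denied.
        # A denied probe still tells you someone is looking for a listener.
        hit = next((p for p in (rec["sport"], rec["dport"]) if p in TROJAN_PORTS), None)
        if hit is not None:
            alerts.append((rec["ts"], conn, f"known Trojan port {hit}: {TROJAN_PORTS[hit]}"))
            continue

        # Rule 2: Internet host accepted into an internal PC on a port with
        # no expected service. Catches listeners on non-default ports.
        if (rec["action"] == "ALLOW" and dst_internal and not src_internal
                and rec["dport"] not in EXPECTED_INBOUND):
            alerts.append((rec["ts"], conn, f"inbound to unexpected port {rec['dport']}"))
    return alerts


# Constructed sample log lines for a demonstration run.
SAMPLE_LOG = [
    "2001-01-15 09:58:02 ALLOW TCP 10.0.0.5:1045 -> 198.51.100.7:80",
    "2001-01-15 10:02:11 ALLOW TCP 10.0.0.5:1046 -> 198.51.100.7:31337",
    "2001-01-15 10:05:40 ALLOW TCP 203.0.113.9:40112 -> 10.0.0.8:25",
    "2001-01-15 10:07:03 ALLOW TCP 203.0.113.9:40113 -> 10.0.0.5:6000",
    "2001-01-15 10:09:15 DENY TCP 203.0.113.9:40114 -> 10.0.0.8:12345",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for ts, conn, reason in flag_connections(SAMPLE_LOG):
        print(f"{ts}  {conn:45} {reason}")
```

Rule 1 checks both ends because an ephemeral source port can land on a watchlist number by chance; treat those hits as a triage signal to confirm on the host, not as proof. Rule 2 only works if the firewall really does default-deny inbound traffic and the expected-service list is kept honest, which is what "properly configured" means in the paragraph above.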

Anti-virus software also detects Trojans, though it can pose risks. It needs regular updates, which gives the anti-virus company access to your network. In November 2000, an update for Network Associates' McAfee VirusScan caused certain versions of the software to crash their systems, losing unsaved data. This was due to a bug, rather than a deliberate act, but with already-compromised companies, such as Microsoft, moving into the anti-virus space, there is a risk that some Trojans may use this method of attack.

The German government believes that Windows 2000 may already harbor a Trojan Horse. It went so far as to threaten a ban on the software unless Microsoft removed the Disk Defragmenter utility, where the offending code allegedly hides. Microsoft refused to do this, but posted detailed instructions on its German support site for users to remove it themselves. Concerned managers should note there is no evidence that this Trojan actually exists. Indeed, the U.S. government is so confident of Windows 2000's security that it uses the program in many agencies, including the armed forces.

Malware Taxonomy

Though the media and some users often describe every damaging program as a "virus," security experts know otherwise. Here's a recap of the three most common malicious software types, any and all of which can hide inside a Trojan:

Viruses are technically self-replicating code that is attached to another file, in the same way that real viruses attach themselves to cells. Viruses originally targeted .com or .exe programs, but scripting languages have enabled them to hit office documents and even e-mail messages.

Worms are standalone programs that replicate, usually by copying themselves to another computer on a network. They are sometimes known as bacteria because they don't rely on other programs. The most widespread is happy99.exe, which paralyzed many computers two years ago, and still strikes occasionally, particularly in the New Year.

Logic Bombs don't replicate, but can be very damaging. They are simply programs that perform a harmful function, such as deleting a user's files, when a given condition is met.

Resources

HackFix, a nonprofit organization dedicated to fighting Trojans, has some useful tools and information at www.hackfix.org. It specializes in Back Orifice and NetBus, but also deals with other threats.

If you're worried that a hacker might already be inside your network, go to www.trojanscanner.com. This site offers a free online scanner that can probe every TCP port on your system, and notify you of any that may be used by an intruder.

Want to break into (or as its authors claim, "remotely administer") a PC running Windows? Go to the official Back Orifice Web site, www.bo2k.com, to download the latest version.

The Federal Trade Commission has more information on "dot cons," including the premium rate dialer masquerading as a porn viewer, at www.ftc.gov/bcp/conline/edcams/dotcon/.

This tutorial, number 150, by Andy Dornan, was originally published in the January 2001 issue of Network Magazine.
