Anti Trojan source - How to protect your network against trojans
Introduction
This white paper outlines what Trojans are and why they pose a danger
to corporate networks. As early as 2001, an eWeek article reported that
tens of thousands of machines are infected with Trojans. This is still
the case today - and the use of more sophisticated technology makes them
all the more alarming: Trojans can be used to steal credit card information,
passwords, and other sensitive information, or to launch an electronic
attack against your organization. The white paper discusses the need for
a Trojan and executable scanner at mail server level in addition to a
virus scanner, to combat this threat.
What is a Trojan horse?
In the IT world, a Trojan horse is used to enter a victim's computer undetected,
granting the attacker unrestricted access to the data stored on that computer
and causing great damage to the victim. A Trojan can be a hidden program
that runs on your computer without your knowledge, or it can be 'wrapped'
into a legitimate program, so that the program has hidden functions that
you are not aware of.
What the attacker looks for
Trojans can be used to siphon off confidential information or to create
damage. Within the network context, a Trojan is most likely to be used
for spying and stealing private and sensitive information (industrial
espionage). The attacker's interests could include but are not limited
to:
- Credit card information (often used for domain registration or shopping
sprees)
- Any accounting data (email passwords, dial-up passwords, Web services
passwords, etc)
- Confidential documents
- Email addresses (for example, customer contact details)
- Confidential designs or pictures
- Calendar information regarding the user's whereabouts
- Using your computer for illegal purposes, such as to hack, scan, flood
or infiltrate other machines on the network or Internet.
Different types of Trojans
There are many different types of Trojans, which can be grouped into
seven main categories. Note, however, that it is usually difficult to
classify a Trojan into a single grouping, as Trojans often have traits that
would place them in multiple categories. The categories below outline
the main functions that a Trojan may have.
Remote access Trojans
These are probably the most publicized Trojans, because they provide the
attacker with total control of the victim's machine. Examples are the
Back Orifice and Netbus Trojans. The idea behind them is to give the attacker
COMPLETE access to someone's machine, and therefore full access to files,
private conversations, accounting data, etc.
The Bugbear virus that hit the Internet in September 2002, for instance,
installed a Trojan horse on the victims' machines that could give the remote
attacker access to sensitive data.
The remote access Trojan acts as a server and usually listens on a port
that is not available to Internet attackers. Therefore, on a computer
network behind a firewall, it is unlikely that a remote (off-site) hacker
would be able to connect to the Trojan (assuming that you have blocked these
ports, of course). HOWEVER, an internal hacker (located behind the firewall)
can connect to this kind of Trojan without any problems.
Data-sending Trojans
(passwords, keystrokes etc.)
The purpose of these Trojans is to send data back to the hacker with information
such as passwords (ICQ, IRC, FTP, HTTP) or confidential information such
as credit card details, chat logs, address lists, etc. The Trojan could
look for specific information in particular locations or it could install
a key-logger and simply send all recorded keystrokes to the hacker (who
in turn can extract the passwords from that data).
An example of this is the Badtrans.B email virus (released in the wild
in December 2001) that could log users' keystrokes.
Captured data can be sent back to the attacker's email address, which
in most cases is located at some free web-based email provider. Alternatively,
captured data can be sent by connecting to a hacker's website - probably
using a free web page provider - and submitting data via a web-form. Both
methods would go unnoticed and can be done from any machine on your network
with Internet and email access.
Both internal and external hackers can use data-sending Trojans to gain
access to confidential information about your company.
Destructive Trojans
The only function of these Trojans is to destroy and delete files. This
makes them very simple to use. They can automatically delete all the core
system files (for example, .dll, .ini or .exe files, and possibly others)
on your machine. The Trojan can either be activated by the attacker or
can work like a logic bomb that starts on a specific day and time.
A destructive Trojan is a danger to any computer network. In many ways,
it is similar to a virus, but the destructive Trojan has been created
purposely to attack you, and therefore is unlikely to be detected by your
anti-virus software.
Denial of service (DoS) attack Trojans
These Trojans give the attacker the power to start a distributed denial
of service (DDoS) attack if there are enough victims. The main idea is
that if you have 200 infected ADSL users and you attack the victim simultaneously
from each, this will generate HEAVY traffic (more than the victim's bandwidth
can carry, in most cases), causing its access to the Internet to shut
down.
WinTrinoo is a DDoS tool that has recently become very popular; through
it, an attacker who has infected many ADSL users can cause major Internet
sites to shut down; early examples of this date back to February 2000,
when a number of prominent e-commerce sites such as Amazon, CNN, E*Trade,
Yahoo and eBay were attacked.
Another variation of a DoS Trojan is the mail-bomb Trojan, where the main
aim is to infect as many machines as possible and simultaneously attack
specific email address/addresses with random subjects and contents that
cannot be filtered.
Again, a DoS Trojan is similar to a virus, but the DoS Trojan can be created
purposely to attack you, and therefore is unlikely to be detected by your
anti-virus software.
Proxy Trojans
These Trojans turn the victim's computer into a proxy server, making it
available to the whole world or to the attacker alone. It is used for
anonymous Telnet, ICQ, IRC, etc., to make purchases with stolen credit
cards, and for other such illegal activities. This gives the attacker
complete anonymity and the opportunity to do everything from YOUR computer,
including the possibility to launch attacks from your network.
If the attacker's activities are detected and tracked, however, the trail
leads back to you, not to the attacker - which could bring your organization
into legal trouble. Strictly speaking, you are responsible for your network
and for any attacks launched from it.
FTP Trojans
These Trojans open port 21 (the port for FTP transfers) and let the attacker
connect to your machine via FTP.
Security software disablers
These are special Trojans, designed to stop/kill programs such as anti-virus
software, firewalls, etc. Once these programs are disabled, the hacker
is able to attack your machine more easily.
The Bugbear virus installed a Trojan on the machines of all infected users
and was capable of disabling popular anti-virus and firewall software.
The destructive Goner worm (December 2001) is another virus that included
a Trojan program that deleted anti-virus files.
Security software disablers are usually targeted at particular end-user
software such as personal firewalls, and are therefore less applicable
to a corporate environment.
How can I get infected?
For a network user who is protected by a firewall and whose ICQ and IRC
connections are disabled, infection will mostly occur via an email attachment
or through a software download from a website.
Many users claim never to open an attachment or to download software from
an unknown website; however, the clever social engineering techniques used
by hackers can trick most users into running an infected attachment or
downloading malicious software without suspecting a thing.
An example of a Trojan that made use of social engineering was the Septer.troj,
which was transmitted via email in October 2001. This was disguised as
a donation form for the American Red Cross's disaster relief efforts and
required recipients to complete a form, including their credit card details.
The Trojan then encrypted these details and sent them to the attacker's
website.
Infection via attachments
It is amazing how many people are infected by running an attachment
sent to their mailbox. Imagine the following scenario: The person targeting
you knows you have a friend named Alex and also knows Alex's email address.
The attacker disguises a Trojan as interesting content, for example, a
Flash-based joke, and emails it to you in your friend's name. To do so,
the attacker uses some relaying mail server to falsify the email's FROM
field and make it look like Alex is the sender: Alex's email address is
alex@example.com so the attacker's FROM field is changed to alex@example.com.
You check your mail, see that Alex has sent you an attachment containing
a joke, and run it without even thinking that it might be malicious:
"because, hey, Alex wouldn't do something like that, he's my friend!"
Information is power: just because the attacker knew you had a friend
called Alex, and guessed that you would like a joke, he succeeded in
infecting your machine!
Various scenarios are possible. The point is that it only takes ONE network
user to get your network infected.
In addition, if you are not running email security software that can detect
certain exploits, then attachments could even run automatically, meaning
that a hacker can infect a system by simply sending you the Trojan as
an attachment, without any intervention on a user's part.
Infection by downloading files from a website
Trojans can also be distributed via a website. A user can receive
an email with a link to an interesting site, for instance. The user visits
the site, downloads some file that he thinks he needs or wants, and without
his knowing, a Trojan is installed and ready to be used by the attacker. A
recent example is the ZeroPopUp Trojan, which was disseminated via a spam
broadcast and enticed users to download the Trojan, describing it as a
product that would block pop-up ads. Once installed, the Trojan would
send a mail to everybody in the infected user's address book promoting
the ZeroPopUp URL and software. As this email is sent from a friend or
colleague, one is more likely to check out the URL and download the software.
In addition, there are thousands of "hacking/security" archives
on free web space providers like Xoom, Tripod, Geocities and several others.
Such archives are full of hacking programs, scanners, mail-bombers, flooders
and various other tools. Often several of these programs are infected
by the person who created the site. Again, a single network user could
infect your whole network.
In January 2003, TruSecure, the risk management firm that also owns ICSA
Labs and InfoSecurity Magazine, warned that malware code writers will
increasingly disguise remote access Trojans as 'adult' entertainment,
for example, and post these programs to pornography sites or news groups,
to target new users. Specific users will also be targeted in this way,
as the attacker can then send the URL containing the disguised malware
to an unsuspecting victim.
On similar lines, the Migmaf or "migrant Mafia" Trojan that
emerged in July 2003 hijacked about 2,000 Windows-based PCs with high-speed
Internet connections, allowing them to be used to send ads for pornography.
The Migmaf Trojan turns the victim computer into a proxy server which
serves as a sort of middleman between people clicking on porn email spam
or website links - it allows the victim computer to fetch porn web ads
from an undisclosed server and pass on the ads to other computers either
through a spam mail or a web browser.
How to protect your network from Trojans
So how do you protect your network from Trojans? A common misconception
is that anti-virus software offers all the protection you need. The truth
is anti-virus software offers only limited protection.
Anti-virus software recognizes only a portion of all known Trojans
and does not recognize unknown Trojans.
Although most virus scanners detect a number of public/known
Trojans, they are unable to scan UNKNOWN Trojans. This is because
anti-virus software relies mainly on recognizing the "signatures"
of each Trojan. Yet, because the source code of many Trojans is easily
available, a more advanced hacker can create a new version of that Trojan,
the signature of which NO anti-virus scanner will have.
If the person planning to attack you finds out what anti-virus software
you use, for example through the automatic disclaimer added to outgoing
emails by some anti-virus engines, he will then create a Trojan specifically
to bypass your virus scanner engine.
Apart from failing to detect unknown Trojans, virus scanners do not detect
all known Trojans either - most virus vendors do not actively seek new
Trojans and research has shown that virus engines each detect a particular
set of Trojans. To detect a larger percentage of known Trojans,
you need to deploy multiple virus scanners; this would dramatically increase
the percentage of known Trojans caught.
To effectively protect your network against Trojans, you must follow a
multi-level security strategy:
- You need to implement gateway virus scanning and content checking
at the perimeter of your network for email, HTTP and FTP - It is no
good having email anti-virus protection, if a user can download a Trojan
from a website and infect your network.
- You need to implement multiple virus engines at the gateway - Although
a good virus engine usually detects all known viruses, it is a fact
that multiple virus engines jointly recognize many more known Trojans
than a single engine.
- You need to quarantine/check executables entering your network via
email and web/FTP at the gateway. You have to analyze what the executable
might do.
Fortunately there are tools available that will automate a large part
of this process.
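As an added illustration (not code from the original paper or from GFI) of the "joke from Alex" attachment scenario and of the third point above, checking executables at the gateway: a small Python routine that decides per attachment, from the file content rather than the file name, whether it is a Windows executable and should be quarantined. The message, the forged From header and the stub PE body are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# File extensions a gateway policy treats as executable, plus the 'MZ'
# signature every Windows executable (DOS/PE) file begins with.
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}
PE_MAGIC = b"MZ"


def classify_attachment(filename, payload):
    """Decide whether one attachment should be quarantined, and why."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    by_name = ext in EXEC_EXTENSIONS
    by_content = payload.startswith(PE_MAGIC)
    return {
        "filename": filename,
        "executable_by_name": by_name,
        "executable_by_content": by_content,
        # A PE body behind a harmless-looking name is the 'wrapped' Trojan case
        "disguised": by_content and not by_name,
        "quarantine": by_name or by_content,
    }


def scan_message(raw):
    """Return a verdict for every attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        verdicts.append(classify_attachment(part.get_filename(), payload))
    return verdicts


def build_sample():
    """Constructed message: the 'joke from Alex' scenario with a forged From
    header and a stub PE file (not a real program) named like a Flash movie."""
    msg = EmailMessage()
    msg["From"] = "alex@example.com"      # forged by the attacker
    msg["To"] = "you@example.com"
    msg["Subject"] = "funny joke"
    msg.set_content("Check this out, it is hilarious!")
    # 64-byte DOS header with e_lfanew = 0x40, followed by the 'PE\0\0' signature
    stub_pe = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00"
    msg.add_attachment(stub_pe, maintype="application", subtype="octet-stream",
                       filename="joke.swf")
    msg.add_attachment("see you friday", filename="notes.txt")
    return bytes(msg)
```

Calling scan_message(build_sample()) flags joke.swf as a disguised executable and passes notes.txt; a real gateway would also unpack archives before applying the same check.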
Malicious executable analysis - Trojan and executable scanner
Detecting unknown Trojans can only be done by manually reviewing the
executable, or by using a Trojan and executable scanner.
The process of manually reviewing executables is a tedious and time-intensive
job, and can be subject to human error. Therefore it is necessary to tackle
this process intelligently and automate part of it. This is the purpose
of a Trojan and executable analyzer.
An executable scanner intelligently analyses what an executable does and
assigns a risk level. It disassembles the executable and detects in real
time what the executable might do. It compares these actions to a database
of malicious actions and then rates the risk level of the executable.
This way, potentially dangerous, unknown or one-off Trojans can be detected.
The Trojan and executable scanner deals with advanced hackers who create
their own versions of Trojans, the signatures of which are not known by
anti-virus software.
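An added example (not the paper's or any vendor's scanner logic) of the rating step described above: given the API names an executable imports, as a PE parser would read them from the import table, it maps them to capabilities, matches capability combinations against the Trojan categories defined earlier in the paper, and assigns a risk level. The capability groups, patterns and the two import lists are this example's own constructions; the API names themselves are real Win32 exports.

```python
# Hypothetical 'database of malicious actions': real Win32 import names grouped
# by the capability they give a program. The grouping, the patterns and the
# risk levels are this example's own heuristic, not any vendor's scanner logic.
CAPABILITIES = {
    "listen":    {"WSAStartup", "socket", "bind", "listen", "accept"},
    "connect":   {"connect", "send", "InternetOpenA", "URLDownloadToFileA"},
    "keylog":    {"SetWindowsHookExA", "GetAsyncKeyState", "GetKeyState"},
    "delete":    {"DeleteFileA", "RemoveDirectoryA"},
    "enumerate": {"FindFirstFileA", "FindNextFileA"},
    "processes": {"CreateToolhelp32Snapshot", "Process32First", "OpenProcess",
                  "TerminateProcess"},
    "persist":   {"RegSetValueExA", "RegCreateKeyExA"},
}

# Capability combinations that correspond to the Trojan categories in the paper.
# A single capability on its own (an editor deleting one file) matches nothing.
PATTERNS = {
    "remote access / proxy":      {"listen", "persist"},
    "data-sending":               {"keylog", "connect"},
    "destructive":                {"delete", "enumerate"},
    "security software disabler": {"processes", "persist"},
}


def capabilities(imports):
    """Map a list of imported API names to the capability groups they hit."""
    names = set(imports)
    return {cap for cap, apis in CAPABILITIES.items() if names & apis}


def assess(imports):
    """Rate an executable from its imports: matching categories and a risk level."""
    caps = capabilities(imports)
    matched = sorted(label for label, needed in PATTERNS.items() if needed <= caps)
    if len(matched) >= 2:
        risk = "high"
    elif matched:
        risk = "medium"
    elif caps & {"listen", "keylog", "delete"}:
        risk = "suspicious"   # one dangerous capability alone: worth a manual look
    else:
        risk = "low"
    return {"capabilities": sorted(caps), "categories": matched, "risk": risk}


# Constructed import lists: a disguised remote access / keylogging Trojan
# and a harmless text editor.
JOKE_IMPORTS = ["WSAStartup", "socket", "bind", "listen", "accept", "send",
                "SetWindowsHookExA", "RegSetValueExA", "CreateFileA"]
EDITOR_IMPORTS = ["CreateFileA", "ReadFile", "WriteFile", "DeleteFileA", "MessageBoxA"]
```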
Gateway protection, together with multiple anti-virus engines AND a
Trojan and executable scanner will guard your network from the dangerous
effects of Trojans.
© 2003 GFI Software Ltd. http://www.gfi.com