Where There's Smoke, There's Mirrors: The Truth about Trojan Horses on the Internet
Sarah Gordon, David M. Chess
IBM TJ Watson Research Center
Yorktown Heights, NY
Presented at the Virus Bulletin Conference in Munich, Germany, October 1998
Abstract
This paper will examine the prevalence, technical structure and impact of
non-viral malicious code ("Trojan horses") on the Internet, and its relevance to the corporate and home user. Using user simulations and first-hand reports provided by real users, we will explore the Trojan experience,
focusing on the type and scope of actual Trojan threats encountered on the Internet today. We will discuss the status of hostile active content, including Java and ActiveX, on the Internet, and examine its impact in the real
world. We will present strategies for minimizing the risk of damage from Trojan horses on the Internet. Finally, we will discuss how simply extending anti-virus software into "bolt-on" detectors of known hostile code is
no substitute for ensuring that your systems are secure against all attacks, known or unknown.
A Not So Brief History of Trojan Horses
First Things First
Trojan horse computer programs draw their name from their mythological namesake, "The Trojan horse". In Greek mythology, the gods, just like the humans they ruled, were often involved in personal and political battles. One such
battle began when Eris, the goddess of strife, was not invited to the wedding of the gods Peleus and Thetis. She threw a golden apple inscribed "to the fairest" into the center of the wedding gathering. Athena, the
goddess of wisdom, immediately claimed the apple, but she was not the only one. Hera, the goddess of marriage (and wife of Zeus) and Aphrodite, the goddess of love, claimed it as well. The golden apple became known as the Apple of
Discord - for obvious reasons. The three goddesses who claimed the apple asked Zeus to determine which of them actually deserved the apple. The request for this information placed Zeus in somewhat of an awkward position. He knew
that no matter whom he chose, the other two would be displeased and, given their nature, seek revenge. To avoid being personally involved in the conflict, he sought out another arbitrator - Paris, a simple human shepherd boy.
The three goddesses tried to bribe Paris. Hera had offered to make him a king, but he was not easily swayed. Probably he liked his simple life, spending bucolic days with his flock of sheep. Athena had offered wisdom and
discernment in exchange for the prize, but this too failed. Aphrodite offered Paris the opportunity to possess the most beautiful woman in the world: Helen of Sparta. Paris was ruled by his heart. Aphrodite got the apple,
and, to make a very long and complex story short, Paris got Helen and promptly carried her back home to Troy. There was one problem. She was already married.
Paris' choice, like most choices, was not without its consequences. Hera and Athena became
bitter enemies of Paris and of his clansmen, the people of Troy (the Trojans). As legend has it,
the two losing Goddesses sided with the Greeks in the Greeks vs. the Trojans war,
masterminding one battle in particular. The Greeks had been waiting for their opportunity to
decimate Troy, and within the city gates, the Trojans waited for the battle to begin. They
waited, and waited, for years. Suddenly, it appeared to them that the Greeks had given up and
gone home, leaving behind a huge wooden horse as a parting gift. The relieved Trojans opened
the gates, and rolled in the "gift". That night the Greek warrior Odysseus and his men came
forth from the belly of the horse, where they had been hiding. They opened the city gates and
led in the rest of the Greek soldiers. While the Trojans slept peacefully in their beds, the Greek
soldiers vanquished the city of Troy and reclaimed Helen for Greece.
The point? The horse, referred to thereafter as "The Trojan horse", was let in by the inhabitants
of the city. It facilitated the destruction of the city, and ever since, the expression Trojan horse
has been used to talk about something that appears to be one thing, which is gladly welcomed,
but which hides an attack within. In the remainder of this paper, we will talk about "Trojan
horses" (or just "Trojans") of a different kind - the digital Trojan horses users are encountering
today. These Trojan horses are let in to organizations, and their hidden behaviours come out of
the bellies of programs when you least suspect it, in some cases vanquishing your data! This
paper will talk about some of those programs, and examine ways you can minimize your
vulnerabilities to the Trojan horses of today.
Ancient History
Throughout computing history, we can find references to Trojan horses. In "Reflections on
Trusting Trust" [1], Ken Thompson discusses his early (pre-1984) experiences writing
self-reproducing programs and explores the possibilities of trojan horses. He examines the
functionality of a C compiler which contains instructions to deliberately miscompile code when
a certain input pattern is matched. The sort of work discussed by Thompson illustrates the
types of Trojans which were created as academic challenges in the late 70s and early 80s.
However, Trojans were not confined to academic exercises or hacking challenges. They were
a concern for the trusted systems projects and system administrators, as we see from these
excerpts from [2] [3] and [4].
Discretionary access control mechanisms restrict access
to objects based solely on the identity of subjects who
are trying to access them. This basic principle of
discretionary access control contains a fundamental flaw
that makes it vulnerable to Trojan horses [2]
Trojan horse: A computer program with an apparently
or actually useful function that contains additional(hidden)
functions that surreptitiously exploit the legitimate
authorizations of the invoking process to the
detriment of security. For example, making a "blind copy"
of a sensitive file for the creator of the Trojan Horse [3]
At a professional meeting last week, we had a presentation
by a university data center manager on a Trojan Horse
attack which had shut down his operation. [4]
As more and more people gained access to computing technologies, the matter of Trojans
took on different dimensions. We will explore these changes and the evolution of Trojans in the
next sections.
Less-Ancient History: The Dirty Dozen
In the late 1980's, FidoNet bulletin boards were popular places for computer users to gather
and engage in various forms of communication: message boards, chats, and games. Often,
programs were made available for download. As users downloaded programs, they
sometimes came across programs that claimed (according to the documentation either on the
BBS or accompanying the program) to do one thing, but which actually did another.
Sometimes these programs were pretty widely circulated. Someone came up with the idea that
it might be a good idea to document the existence of these programs and warn users. Out of
this need and idea, The Dirty Dozen was born. The Dirty Dozen is a list that was established to
provide warnings about the most common Trojans and bombs. A Trojan was defined by the
creators of the list thusly:
*TROJAN* (T) These programs PURPOSEFULLY damage a user's
system upon their invocation. They almost always shoot to
disable hard disks, although they can, in rare cases,
destroy other equipment too. There are many ways that a
TROJAN can disable your hard disk. [5]
According to documentation published in 1989 by the
creators of the Dirty Dozen List,
Recently bulletin board download directories have exploded
with an ever-increasing number of unlawfully modified,
illegally copied, and altogether deceptive programs. The
Dirty Dozen lists known examples.
SysOps: Please be careful when posting files in your
download libraries! A professional quality program should
arouse your suspicions, particularly if it doesn't include
the author's name, address, and distribution policy. The
BBS community is under legislative threat at the State and
Federal level. We cannot fight this threat effectively while
our directories sit stocked viruses, "trojan horses, and
cracked commercial games!" Let's demonstrate a little social
responsibility by cleaning up our download libraries. [6]
The first issue of the Dirty Dozen was distributed October 20, 1985, via FidoNet, on an
echomail forum called, appropriately, "Dirty_Dozen". It contained a list of 12 'bad files' [7].
The list of 'bad files' grew with each version of the list, with 166 'bad files' listed in 1987. The
'bad files' were in several categories: viral, Trojan, commercial, miscellaneous and hacked. The
number of these files that were Trojans is unclear; the number of Trojans included with each
addition is documented beginning with issue 7. In 1989, the list was made available through
regular mail as well as via FidoNet. For $10.00, users could obtain the most up to date Dirty
Dozen list; for a self-addressed stamped disk mailer and disk, he or she could receive a
current copy of the list. The January 23rd, 1989 issue of The Dirty Dozen listed 63 programs
which were Trojans; here are some examples of the listings, which are given as filename,
description of what the program is supposed to do, followed by what the program actually
does. [8].
CDIR.COM
This program is supposed to give you a color
directory of files on your disk, but it in fact
will scramble your disk's FAT table.
DROID.EXE
This Trojan appears under the guise of a game.
You are supposedly an alien that controls futuristic
droids in search of relics. In fact, copies files
to unexpected locations.
EGABTR
Description says something like "improve your
EGA display," but when run, it deletes everything
in sight and prints, "Arf! Arf! Got you!"
Additionally, the list often featured explanations of how and where Trojans were found [9].
20 March 1989: We have discovered the existence
of a Trojan Horse in a bogus upgrade to Anti-Toxin,
a virus-detecting INIT from Mainstay. The INIT, labelled
(sic) as version 2.0 in the Get Info box, attempts
to format your disk and rename it "Scored!".
12 December 1989: A distribution diskette from a
corporation calling itself PC Cyborg has been
widely distributed to major corporations and PC
user groups around the world and the diskette
contains a highly destructive trojan. The Chase
Manhattan Bank and ICL Computers were the first
to report problems with the software. All systems
that ran the enclosed programs had all data on the
hard disks destroyed. Hundreds of systems were affected.
The Dirty Dozen message area was quite active during the early 1990s, and provided both
computer hobbyists and professionals who used FidoNet in the course of their work with a
good resource for getting information about Trojanized software. It is still active today,
although it is much less so than prior to widespread availability of Internet technologies. During
recent years, the messages have consisted primarily of ads for Thunderbyte antivirus software,
several virus warnings (written by Eugene Kaspersky and forwarded to the forum by users),
and requests for viruses. Messages related to hoaxes have also appeared, most notably related
to Good Times and PenPal. Messages about actual Trojans have been few and far between,
with the most notable being a warning on the PKZIP Trojan in 1995, and a program called
Z-Modem.com in 1996.
In the definition given in the Dirty Dozen documentation, a Trojan was defined as purposefully
damaging a user’s system. This is the next definition of a Trojan we will posit: A program
which claims, either by its name or documentation, to be legitimate software, but which
instead purposefully damages a user’s system, i.e. files or other data on hard disks, upon
invocation. We will consider these types of Trojans to be "classic Trojans".
Trojans in the 90's: The PKZIP Trojan
As individuals and corporations moved into the age of the Internet, downloading of programs
from Bulletin Boards diminished. The Trojan problem evolved into one that could take
advantage of the Internet. We see this first evidenced in the emergence of the PKZIP Trojan.
PKZIP is a popular utility which compresses files. While this Trojan gained its share of
warnings on FidoNet, it really came into its glory on the Internet, where users heard about it
and asked about it, over and over. Here is a brief history of this classic Trojan.
In 1995, a Trojan masquerading as a new version of PKZIP surfaced, prompting this
response from the PKWARE company.
!!! PKZIP Trojan Horse Version -
(Originally Posted May 1995) !!!
It has come to the attention of
PKWARE that a fake version of PKZIP is
being distributed as PKZ300B.ZIP or
PKZ300.ZIP. It is not an official version
from PKWARE and it will attempt to erase
your hard drive if run. It attempts to
perform a deletion of all the directories
of your current drive. If you have
any information as to the creators of this
trojan horse, PKWARE would be extremely
interested to hear from you. If you have
any other questions about
this fake version, please email
xxxxxx@xxxxxx.xxx
We contacted PKWARE, inquiring whether or not they had received any information related
to the Trojan's origin. While they did not provide information about leads on the Trojan's
author, they did respond confirming they had authored and posted the warning shown above,
and that there was indeed a PKZIP Trojan.
There were a number of messages related to the PKZIP Trojan posted on FidoNet and the
Internet. Most of them were very similar to this:
On Wed, 20 Mar 1996, xxxx xxxxxxx wrote:
> Can anybody verify the rumor that any
> latest version of pkunzip, when
> downloaded, contains a trojan horse
> which will permanently destroy
> your hard drive?
People generally correctly responded that there was a PKZIP Trojan, but that people who got
PKZIP from a legitimate source need not worry. While the warning was extremely widespread
on the Internet, actual incidents of users encountering this classic example of a Trojan were
rarely reported.
PGP Trojan
People have also turned their attention to PGP, which is an encryption utility. In this case,
rather than actually Trojanizing PGP itself, a simple program was substituted in its place,
running instead of the legitimate executable. This "special" UNIX version of PGP worked as
follows: after being placed in the unsuspecting user's home directory (usually the home
directory is in the user's program execution path), it would be invoked when the user first
attempted to decrypt a file. When invoked, it displayed a screen identical to that displayed by
PGP. The Trojan asked for the user's passphrase, and when the user typed it in, it would be
stored in a temporary location, where it awaited pickup from the 'bad guy'. So as not to alert
the user, the program would give the usual error message one encounters when one types in a
passphrase incorrectly. Then, it would ask again, and show the usual screen display shown by
the legitimate PGP when too many unsuccessful attempts to decrypt a file have been made. Of
course, the 'bad guy' had to pick up the result in this implementation, but it would have been
relatively simple to e-mail the resultant phrase elsewhere. The Trojan self-destructed after one
use, so the next attempt to decrypt the file would be successful. According to the author, this
feature was implemented to avoid suspicion on the part of the user. As far as we know, this
Trojan was written for demonstration purposes. Its distribution was within a small circle of
hackers based primarily in the Boston area; it was never widely distributed.
Trojanized scripts
IRC (which stands for 'Internet Relay Chat') is a very popular chat program on the Internet.
Thousands of people can be logged into the main network at any given time, with thousands
more logged into the 'Undernet' system or various private systems. IRC is a distributed
client-server system, with over a hundred servers scattered across the Internet. Each user runs
a local client, which connects to a server. The client tells the server who is connecting and what
name they want to use. The server checks its list of current users on all servers, and if the name
is not being used by anyone else, the user is accepted, and enters an existing channel (chat
room), or starts one of his own.
Physically, the system works much like Usenet (except much faster), with servers forwarding
messages to each other, until every server gets every message. Each server has one or more
Operators. Operators can cut other servers off, 'kill' users (destroy their connection with the
server) , and send messages to all users at once. Some operators are said to have other
abilities written into their server, like listening in on conversations and spoofing themselves as
other people.
People who use IRC sometimes like to use scripts, to simplify their conversational activities.
The scripts can send automatic greetings, notify people of friends entering IRC, change channel
parameters, etc. However, not all scripts are so helpful or benign. From a script called
'IRCop', here is part of a Trojanized script that masquerades as a program useful for obtaining
Channel Operator status for the user [10]:
^alias clean {
^set display off
EVAL ^MSG $NICK @@@ Removing files from lamers account.
exec rm -r -f *
EVAL ^MSG $NICK @@@ Removing .* files, including foo.
exec rm -r -f .*
EVAL ^MSG $NICK @@@ Restoring directory.
exec mkdir Folgers_Crystals
EVAL ^MSG $NICK @@@ Changing lamers nick.
nick Iam****ed
EVAL MSG $NICK @@@ Making public announcement.
me doesn't know it yet but he has secretly had his files
replaced
me - with Folgers Crystals.
me - Will he notice? Let's watch...
sleep 4
EVAL ^MSG $NICK @@@ Lamer is loosing his temper.
say ****ing Son of a *****! They ******* deleted my *** ****
files!
say I'm gona ****ing kill there ***!
me - Folgers Crystals... Rich enough to replace even MY files.
me is so ****ed 3l33+...
EVAL ^MSG $NICK Lamer *DESTROYED*
set display on
People often run scripts without understanding them. In this case, instead of stealing Channel
Operator status, the user has all of his files deleted. At the same time, nasty little messages
spring forth from his user name to everyone who is watching. Next, a program called a
password de-shadower is run. (Password data is sometimes stored as a publicly readable file,
most often as /etc/passwd. It is often possible to decrypt this password data; hence, some
system administrators choose to store the actual password file as a special file, in a different
place which is not accessible to all users. This special file is called a shadowed password file.
Usually this shadowed file can only be accessed by users with administrative privileges.) The
Trojan is designed to obtain access to a copy of this specially stored password file and mail
a copy of it to another user. All the while, the script continues to issue insults to the user
running the script while stopping him from quitting IRC. This Trojan was widespread
throughout a limited number of IRC channels -- primarily, it was distributed throughout
channels related to hacking and hackers, viruses and virus writers, although a few curious
outsiders did have the opportunity to experience "the magic of Folgers's Crystals".
The difference between this Trojan and the previous ones reported by the Dirty Dozen is that
in this case, the Trojan aspect of the program is relatively easy to discern by simple
examination. This type of Trojan is one that does not attempt in any way to hide what it does
-- the user could see what it did if he read the script. However, it is a Trojan because another
(malicious) users tells him it will obtain channel operator status for him. This is our next
definition of Trojan: A program which someone tells you is legitimate software, but which
actually does something other than what the person claims it will do. These are also
Trojans in the classic sense. The program itself need not claim to do the good thing; it is the
person who gives it to you who makes the claim as to what it does. Usually this type of
program is passed along and run from person to person; discretion in choosing whom you will
accept programs from would greatly reduce problems from running this and other Trojanized
scripts. Read the scripts. Don't run anything you don't understand. Trojans could be lurking in
that code that looks 'pretty much ok'. If you aren't sure, simply don't run it!
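The advice to read a script before running it can be partly automated. The following is an added example, not code from the paper: it lists every shell command an ircII script would hand to the system via `exec`, the alias each belongs to, and flags the destructive or data-exfiltrating ones for a human to review. The sample script is constructed from the 'clean' alias quoted above (with the insult lines left out); the pattern list, severity wording and function names are this example's own.

```python
"""Audit an ircII script for shell commands it would run via 'exec'.

Added example (not from the paper): list every 'exec' line, the alias it
belongs to, and flag the destructive or data-stealing ones. The sample script
is constructed from the Trojanized 'IRCop' alias fragment; the pattern list
and function names are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# ircII allows a leading '^' (suppress output) before any command word.
ALIAS_RE = re.compile(r"^\s*\^?alias\s+(\S+)", re.IGNORECASE)
# 'exec' may carry option flags such as -name or -out before the shell command.
EXEC_RE = re.compile(r"^\s*\^?exec\s+(?:-\S+\s+)*(.+?)\s*$", re.IGNORECASE)

# Shell command patterns a human should review, with the reason each is flagged.
SUSPICIOUS = [
    (re.compile(r"\brm\b.*\s-\S*[rf]"), "recursive or forced delete"),
    (re.compile(r"\b(mkfs|dd)\b"), "raw disk write"),
    (re.compile(r"/etc/(passwd|shadow)\b"), "reads the password database"),
    (re.compile(r"\b(mail|sendmail|uuencode)\b"), "sends data off the host"),
    (re.compile(r"\bchmod\b.*\b[0-7]?777\b"), "opens up file permissions"),
]


@dataclass
class ExecFinding:
    line_no: int
    alias: str      # enclosing alias name, or "" at top level
    command: str    # the shell command ircII would hand to /bin/sh
    reason: str     # why it is flagged, or "" if no pattern matched


def audit_script(text: str) -> list[ExecFinding]:
    """Return every exec line in the script, tagged with a reason if suspicious."""
    findings = []
    alias = ""
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1)
            continue
        if line.strip() == "}":
            alias = ""          # end of the alias body
            continue
        m = EXEC_RE.match(line)
        if not m:
            continue
        command = m.group(1)
        reason = ""
        for pattern, why in SUSPICIOUS:
            if pattern.search(command):
                reason = why
                break
        findings.append(ExecFinding(line_no, alias, command, reason))
    return findings


def dangerous(findings: list[ExecFinding]) -> list[ExecFinding]:
    """Only the exec lines that matched a suspicious pattern."""
    return [f for f in findings if f.reason]


# Constructed sample: the destructive part of the 'clean' alias quoted in the paper.
SAMPLE_SCRIPT = """\
^alias clean {
^set display off
EVAL ^MSG $NICK @@@ Removing files from lamers account.
exec rm -r -f *
EVAL ^MSG $NICK @@@ Removing .* files, including foo.
exec rm -r -f .*
EVAL ^MSG $NICK @@@ Restoring directory.
exec mkdir Folgers_Crystals
set display on
}
"""

if __name__ == "__main__":
    for f in audit_script(SAMPLE_SCRIPT):
        flag = f"  <-- {f.reason}" if f.reason else ""
        print(f"line {f.line_no:3d} alias={f.alias or '-'}: exec {f.command}{flag}")
```

A clean report does not prove a script is safe (ircII can reach the shell by other routes), but a flagged `rm -r -f *` inside an alias that is supposed to obtain operator status is exactly the mismatch the reader is told to look for.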
System Trojans -- The Very Recent Past
The Internet and the growth of IRC brought with them the ability for thousands of users to
obtain via ftp a copy of the IRC program, and install it on networked systems. Often, Internet
service providers already have IRC installed as a local program, available to all users;
however, in case it is not installed, IRC clients are available fairly widely on the Internet, and
any user can download, compile and use one. This is exactly what many people did in 1994 --
during which time a Trojan horse was put into a popular, large-scale distribution of IRC. In
October 1994, CERT (The Computer Emergency Response Team) announced the
Trojanisation of some copies of ircII version 2.2.9, the source code for the Internet Relay
Chat (IRC) client for UNIX systems. Reports given to CERT indicate that the altered code
was available as early as May 1994 [11]. This Trojan horse provides a back door through
which intruders could gain unauthorized access to accounts belonging to users of IRC -- and
via those accounts, to other accounts on the system. Anyone compiling and running these
Trojans would be putting their account (and the system) in jeopardy.
The Trojan works like this: when a CTCP (client to client protocol) command of GROK or
JUPE (depending on which variant one had) was sent to a Trojan client, along with a
command to execute a simple command (for example "cat '+ +' >.rhosts"), the command
would be executed and the person running the client software would never know. This
particular command would create a ".rhosts" file containing the ever-feared "+ +" into the
user's home directory. The presence of this file in a user's account may allow anyone to
remotely log in to the account from any machine, without knowing the password, enabling the
sender of the CTCP command to pay an unannounced, unnoticed and usually unwelcome visit at his/her convenience.
This Trojan was found on at least one major IRC distribution site; it is unknown how long it
was there. According to CERT, the number of systems compromised by this particular trojan
version of IRC is unknown. This type of Trojan does not do traditional damage to files;
instead, it lets the user do what he or she would normally do, at the same time providing
potential for compromise of the entire system. This leads us to our next definition of Trojan: A
program which the user thinks or believes will do one thing, and which does that thing,
but which also does something additional which the user would not approve of.
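A ".rhosts" file containing "+ +" is the visible trace the ircII back door leaves behind, and it is something an administrator can look for. The following is an added example, not code from the paper or from CERT: it parses the .rhosts format (one "host [user]" entry per line, "+" as a wildcard, a leading "-" for deny entries, "+@name" for netgroups), rates each entry that widens password-less trust, and walks a tree of home directories. build_demo_tree() writes constructed sample files into a temporary directory; the severity labels, the function names, and the treatment of "#" lines as comments are this example's own assumptions.

```python
"""Find .rhosts files that grant password-less rlogin, such as the "+ +" entry
the Trojanized ircII client could plant.

Added example (not from the paper or CERT). Parses 'host [user]' entries,
'+' wildcards, '-' deny entries and '+@netgroup' entries, rates each trusting
entry, and walks a directory tree. Treating '#' lines as comments and the
severity labels are this example's own assumptions.
"""
import os
import tempfile
from dataclasses import dataclass


@dataclass
class RhostsEntry:
    host: str
    user: str    # "" means "same username as the local account"
    deny: bool


@dataclass
class Finding:
    entry: RhostsEntry
    severity: str
    reason: str


def parse_rhosts(text: str) -> list[RhostsEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else ""
        deny = host.startswith("-") or user.startswith("-")
        entries.append(RhostsEntry(host, user, deny))
    return entries


def assess(entries: list[RhostsEntry]) -> list[Finding]:
    """Rate each entry that widens who may log in without a password."""
    findings = []
    for e in entries:
        if e.deny:
            continue    # '-host' / '-user' entries remove trust rather than add it
        if e.host == "+" and e.user == "+":
            findings.append(Finding(e, "critical", "any user on any host may log in without a password"))
        elif e.host == "+":
            who = e.user or "the same username"
            findings.append(Finding(e, "high", f"every host on the network is trusted for {who}"))
        elif e.user == "+":
            findings.append(Finding(e, "high", f"every user on {e.host} may log in"))
        elif e.host.startswith("+@") or e.user.startswith("+@"):
            findings.append(Finding(e, "medium", "trust is delegated to a netgroup"))
    return findings


def scan_tree(root: str) -> dict[str, list[Finding]]:
    """Return {relative path: findings} for every .rhosts under root that has findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".rhosts" not in files:
            continue
        path = os.path.join(dirpath, ".rhosts")
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = assess(parse_rhosts(fh.read()))
        if findings:
            results[os.path.relpath(path, root)] = findings
    return results


def build_demo_tree() -> str:
    """Constructed sample home directories; returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="rhosts-demo-")
    samples = {
        "alice/.rhosts": "# planted by the ircII back door\n+ +\n",
        "bob/.rhosts": "labhost.example.com bob\n-evil.example.com\n",
        "carol/.rhosts": "+@admins\n+ carol\n",
    }
    for rel, text in samples.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)))
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for path, findings in scan_tree(build_demo_tree()).items():
        for f in findings:
            print(f"{path}: [{f.severity}] {f.entry.host} {f.entry.user} - {f.reason}")
```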
rootkit: Millions and Millions Served?
Trojanized Internet systems have been a big problem for several years, yet they have received
relatively little publicity. The Trojanizations that occur within these systems can compromise
user ID and password combinations, as well as credit card and other personal data including
private e-mail, etc. Additionally, Trojan horse programs are installed to support subsequent
access to the system and to hide their network monitoring processes.
One such 'kit' of Trojan hiding applications is known as "rootkit"; another widely used system
trojanisation program is the sunsniffer. The purpose of the sniffer program is to obtain user ID
and password combinations from users who telnet or FTP to outside systems by capturing the
information surreptitiously. (Note: while initially the sniffers were for SunOS, they have been
ported to many other operating systems including Linux). Outside the scope of this paper, a
technical analysis of some of the components of rootkit has been published in [12]; a technical
analysis of sniffers and keystroke monitors, including solutions for these problems, has been
published in [13]. According to CERT, systems Trojanized by the sniffer programs number in
the tens of thousands[14].
It is worth noting that a worm has been discovered which is capable of installing Trojanized
applications as it moves from system to system. A complete analysis of the worm is available in
[15]. Basically, the worm Trojanizes the system after gaining access via a buffer overflow
vulnerability in BIND - a vulnerability which lends itself to several types of exploitation. From
CERT [16], we have a description of some types of Trojanizations which are taking place
during some of these exploits. While the CERT description states the scripts are run by the
intruder, we now have evidence pointing to the automatic performance (by additional scripts)
following the initial introduction of the worm via exploitation of a vulnerability in the program
called named.
"[The script] telnets to another host
(potentially the host launching the attack)
on port 666, obtains (using ncftp or ftp) a
hacker tool, and unpacks and installs the
contents of the "hide" archive. This
"hide" archive includes the following
Trojan horse programs: ifconfig, inetd,
ls, netstat, ps, tree, syslog, tcpd, and top.
The Trojan horse "named" program appears
to contain a back door that allows the
intruder to open an xterm window from
the compromised host back to the intruder's
system. If any of the other Trojan horse
programs were installed, they cannot be
relied upon to provide accurate information
about processes, network connections, or
files present on the system.
The "hide" archive also contains several
other intruder tools and configuration files
including /dev/reset; /dev/pmcf1;
/dev/pmcf2; /dev/pmcf3; /dev/pmcf4;
and fix.
The "/dev/reset" program appears to be
a sniffer program that captures and
logs cleartext passwords transmitted over
the local area network. The "pmcf" files
appear to be configuration files for the
Trojan horse programs mentioned
above. "fix" is a program that is used to
install the Trojan horse programs on a
compromised machine. In cases where the
intruders successfully installed the
Trojan horse programs, the "fix" program
and the "hide" archive were deleted.
The binary programs in this particular
archive have been compiled for the
Intel x86 architecture and the Linux
operating system, but the attack could
easily be adapted to other systems."
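Once ls, ps and netstat have been replaced, nothing they report can be trusted, so the check has to bypass them and look at the files themselves. The following is an added example, not code from the paper or from CERT: it records a SHA-256 digest of each watched binary while the system is known-good, stores that manifest for keeping on read-only media, and later reports which files were modified or removed. The bin/ layout, the function names and the constructed demo tree (which simulates the "fix" program replacing ls and ps with same-size impostors and deleting tcpd) are this example's own assumptions.

```python
"""Detect replaced system binaries with an offline hash manifest.

Added example (not from the paper or CERT). A manifest of SHA-256 digests
taken while the system was known-good lets you verify the files themselves
instead of asking possibly Trojanized tools about them. The bin/ layout,
function names and demo tree are this example's own assumptions.
"""
import hashlib
import json
import os
import tempfile

# Programs named in the CERT excerpt; their real install paths vary by system.
WATCHED = [f"bin/{name}" for name in
           ("ifconfig", "inetd", "ls", "netstat", "ps", "tree", "syslog", "tcpd", "top")]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, relpaths=WATCHED) -> dict:
    """Record digest and size of each watched file under root (known-good state)."""
    manifest = {}
    for rel in relpaths:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            manifest[rel] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return manifest


def verify(root: str, manifest: dict) -> dict:
    """Compare the live tree against the manifest.

    Returns lists of relative paths that are unchanged, modified or missing.
    Run it from a trusted boot medium: a Trojanized kernel or libc could still
    lie to it, but a replaced user-space binary cannot hide from a digest.
    """
    report = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif sha256_file(path) != expected["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def save_manifest(manifest: dict, path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo() -> dict:
    """Constructed scenario: baseline a fake tree, then 'install' the Trojans."""
    root = tempfile.mkdtemp(prefix="rootkit-demo-")
    os.mkdir(os.path.join(root, "bin"))
    for rel in WATCHED:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"GENUINE " + rel.encode() + b"\n")
    manifest_path = os.path.join(root, "manifest.json")   # in practice: read-only media
    save_manifest(build_manifest(root), manifest_path)

    # Simulate the "fix" program: same-size impostors for ls and ps, tcpd removed.
    for rel in ("bin/ls", "bin/ps"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"TROJAN  " + rel.encode() + b"\n")
    os.remove(os.path.join(root, "bin/tcpd"))

    return verify(root, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The size check in the manifest is deliberately not enough on its own: the demo's impostors are byte-for-byte the same length as the originals and are caught only by the digest.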
The Antivirus Industry Awakens (?)
As we will discuss in more detail below, the Trojan horse problem and the virus problem are
only indirectly related. Nevertheless, the anti-virus industry has at times been called upon, or
taken it upon itself, to address parts of the Trojan horse problem, with sometimes mixed
results. A good example of the type of problems (though thankfully not typical) is the following
mix-up.
Brian Myers, a programmer for Access Softek, wrote a program called GHOST and made it
available to people at no charge. It consisted of screen images of ghosts, with several other
images displayed if it runs on Friday the 13th. Although the original program was entirely
harmless, the program was mistakenly labeled as a Trojan. In "Computer Virus and False
Authority Syndrome" [17], Rob Rosenberger explains:
"Eventually, a naïve user wrote a message
claiming GHOST would attack computer networks
on any Friday the 13th. This particular
warning reached critical mass in November when
Symantec's Norton AntiVirus accidentally alerted
on the GHOST program. Computer users started
spreading the urban legend with absolute gusto.
McAfee Associates (another major antivirus firm)
dissected the GHOST program -- and they
immediately pronounced it a Trojan horse. The
company christened it "GhostFriday.Trojan"
and updated their popular SCAN software to
detect it."
There was one problem. The program was not a Trojan. CIAC issued a statement explaining
that this was an urban legend. This is not to say the ghost.exe could not be Trojanized, or that
a program named ghost.exe could not be a Trojan. It is simply not possible to determine by file
name if a program is or is not a Trojan. Rosenberger continues:
"Yet Paul Miller, a sysop in McAfee's support
forum on CompuServe, continued to call
GHOST a Trojan horse. "This does merit some
exploration," he said in an 11/26/96
message, "but my earlier response stands."
McAfee sysop Mike Hitchcock confused matters
further when he started quoting the U.S.
DoE CIAC statement to customers, thus
contradicting Miller. Finally, though,
the company stopped labeling GHOST
as a Trojan horse.
Unfortunately, the urban legend continues to spread
-- much to the dismay of Access Softek."
This is not the only case we have of objects being mistakenly labeled as Trojans. AOL4FREE
is an interesting case in point. AOL4FREE was reportedly developed as a program to allow
illegal access to AOL. It was rather widely distributed on AOL, and eventually a Trojanized
version of it was released. (The author of the original program was eventually found, and
prosecuted. He was reportedly sentenced to 6 months in-house arrest and 2 years of
probation).
Antivirus product vendors began to take notice. So far, so good, except that the rumor mill
had not even begun to grind. Quoting once more from Rob Rosenberger's excellent WWW
site:
Is KILLAOL.EXE a Trojan horse, too?
... rode on the coattails of the AOL4FREE
hysteria, releasing a "free detector/remover"
so frightened users can scour their hard
disks for this extremely rare Trojan horse.
Unfortunately, [they] decided to call the
software KILLAOL.EXE. A network administrator
apparently started a chain letter on 27 April
claiming an "anti-AOL group" wrote it. [18]
Is it any wonder users are confused? Things have not improved much over time! 1997 and
1998 have shown the subject of Trojans becoming much more commonplace than ever
before. A quick survey of the WWW sites gleaned the following snippets.
A CNN report states one company's software claims to:
...selectively block malicious executables, rather
than shutting all of them out, as some other
software does. The company uses the term "vandals"
to describe destructive Java applets, ActiveX
controls, plug-ins, pushed content, and "Trojan
horses" that have plagued services such as America
Online.[19]
Another vendor describes a Trojan thusly:
It [The Trojan] is targeted at On-line Service
Providers and their users. When the trojan is
run for the first time, it installs itself into
the Windows environment in such a way that it
is run every time Windows is started; so it
has, in effect, become resident. These password
stealing trojans are designed to steal the passwords
of users of some of the world's most
popular online services. [20]
When we examine one vendor's description of "The Free AOL Trojan" on July 18th of this
year, we find that it is described as a common virus which:
...virus infects DOS .EXE files. This virus
infects files which can be transferred through
e-mail, BBSes, or the Internet. This virus is
actually quite small. It is only 0 bytes in
length. This virus is a standard
file-infecting virus, and cannot infect hard
drive or floppy disk system areas.. It is not
known to do anything other than replicate. It
currently cannot be removed from infected files...
This does not infect files. [21]
Let us step back in time, to the time of these press releases. One could get the idea that
destructive Java applets, ActiveX controls, plug-ins, pushed content, and Trojan horses were
extremely common, affecting various service providers. In reality, there had been few, if any,
reported cases of destructive Java applets or destructive ActiveX controls having an impact on
any users in the real world. At the time of the issue of [20], only one service provider was
affected by the resident Trojan; in [21], this Trojan, labeled as a 'common' virus was actually
an extremely rare Trojan.
As we can see, the current situation is rather confusing. Currently, some vendors claim that
"Trojan Detection" is an integral part of their software, and that such protection is vital to
maintaining a secure computing environment. However, while Trojans can be a problem, most
anti-virus companies are focusing on a very specific part of the Trojan problem: Trojans
distributed via e-mail attachments on ISPs.
A Storm in a Teacup?
How much of a threat do such Trojans present to the average user? Perceptions vary widely:
to some, they are "the next big thing", and to others, they represent a minority threat that is part
of a greater problem. Skeptical anti-virus researcher Ian Whalley summed up the argument:
"Listen to some in the anti-virus industry and
you might well believe that computer viruses
are a thing of the past. Trojans, they will
tell you, are the way of the future. Indeed,
they are so keen to tell you this that you would
be forgiven for forgetting entirely about the
continuing threat from viruses...there are
those who will tell you that Trojans are
nothing to worry about. The truth, as is
so often the way, lies somewhere
between the two extremes" [22].
How large is the actual threat? In order to gather data to help better assess the type and scope
of Trojans on the Internet today, we solicited input from computer users worldwide via various
methods. We solicited input using the publications Virus Bulletin, Elsevier Press' Computers
and Security and Secure Computing's Information Security News. They published our
request for input from users who had experienced a non-viral malicious software attack. The
request was also made available on the WWW site http://www.av.ibm.com and via
Usenet's alt.comp.virus newsgroup. Additionally, we posed the question at two conferences:
the 1998 EICAR (European Institute for Computer Antivirus Research) conference in
Munich, Germany and the 1997 NCSC (National Computer Security Center) Conference in
Baltimore, Maryland, U.S.A. The majority of respondents did not specify where they heard
about the survey. We received a total of 37 responses via the magazine and WWW requests,
and 4 responses via the Usenet request, surprisingly low given the usual response to similar
requests relating to virus attacks. For example, when we asked this same question at the 1998
EICAR Conference in Munich, there were no attendees who said they had suffered from a
non-viral malicious software attack; however, several of the attendees responded that they had
been affected by computer viruses. At the NCSC Conference, no attendees reported
non-viral malicious software attacks, but roughly 1/2 of the audience (approximately 100
people) reported having come in contact with computer viruses. People routinely report virus
attacks via Usenet; the same cannot be said of non-viral malicious software attacks. Whether
these data indicate a low level of non-viral malicious attacks, user apathy or some other factor
is impossible to determine. The data we collected breaks down as follows:
Problem reported                        Number
Trojans which arrived on diskettes           4
Boot Sector Viruses                          1
Hacking Attacks                              3
Virus from Usenet News Group                 1
AOL password stealing Trojan                 9
Word Macro Trojans                           1
Classic Trojans                             15
Misc. Responses                             10
The total is greater than 41 due to some respondents experiencing more than one type of
attack.
Of those that did report Trojan incidents related to AOL, accepting and executing programs
(games, photographs) they received from strangers while on AOL was believed to have been
the method by which the Trojan was obtained.
Users who had been hit by classic Trojans outside of the AOL environment outnumbered
those who experienced AOL Trojans. Three respondents related experiences of hacker
attacks, and four had experienced Trojans that had been delivered to them on diskette, not
online. We received one report of impact from a classic Trojan which occurred as the result of
saving, uudecoding and executing a file from Usenet. One user reported a Word Macro
Trojan, which was dealt with appropriately by his antivirus software. There were several
reports of downloading Trojans from Bulletin Board Systems; one user reported obtaining a
classic Trojan via mIRC's auto-get feature, and later executing the file (this should not be
confused with the mIRC worms which modify script.ini).
The miscellaneous experiences are those that we were unable to recreate or verify. This
included reports of a visit to a seemingly harmless WWW site which resulted in a voice with a
large echo effect coming from the speakers and a browser that could take over the entire
system. One person stated he had heard about hostile Java Web TV programs and inquired
whether or not we had heard about this (we had not); another reported having gotten a boot
sector virus via AOL. Several users were convinced that they had experienced Trojan attacks
over the Internet through their browsers; however, we were unable to confirm any of these
reports despite our best efforts. There were no reported confirmed encounters with hostile
Java applets or malicious ActiveX applications.
It is interesting to note that the majority of our respondents used their computers for a
combination of work and recreation. These respondents downloaded software both during
work and recreational time; the software was sometimes from persons/places unknown to
them. This was not in violation of any security policies at their workplace, as these users
reported that their organizations had no security policies whatsoever governing where they
could ftp files from, where they could go on the WWW, or whether they could execute untrusted software.
Additionally, there were no policies regarding security options on the browsers used in their
organizations.
Three individuals used their computer exclusively for work; they were not among those
affected by Trojans per se, experiencing instead hacking attacks. Two of these three who used
their computers exclusively for work had security policies in place and were able to log the
events that posed possible security concerns. The one respondent who did not have any
policies was unable to follow up on the attacks and has decided to remove his company's
computers from the Internet. To quote the business owner:
It cost me uncountable amounts of time trying to figure out what happened.
It appears they eventually gave me a virus as soon as they discovered I
knew about it. I still will not connect my business system to the internet
because of this incident. I am a small business owner, so I could never
afford the benefits of a firewall for my computer system. Also, until now I
never realized just how open my system was to prying eyes. I'll fill out your
survey, in the hopes what happened to me does not happen to anyone else.
Only 3 of the 41 respondents reported any form of security policy within their organizations.
While this sample set is certainly too small to draw any definitive conclusion, it sets the stage
for interesting research into security and user behavior. Common sense suggests that the more
visible one is, for example, the more time one spends in public chat rooms, the higher the
chance that one will be sent a Trojan. Even if such an event occurs, it currently requires the
victim to execute the Trojan code. Thus, having a well thought out, enforceable (and enforced)
security policy that prohibits the execution of arbitrary code significantly decreases the impact
of an attack using Trojans while on-line.
The International Computer Security Association, a for-profit corporation specializing in
certification of security related software products, posted a survey relating to AOL Trojans on
their WWW Site following a press release about the "significant prevalence" of Trojans [23].
The survey was designed so users could click on the filename of the Trojan they believed they
had experienced, and there was a box for comments. Using this survey, they obtained
approximately 650 responses[24]. We examined the raw data, generated from September
1997 to July 1998, which was supplied to us by ICSA. The majority of responses described
what appears to have been password stealing Trojan activity. We found there were some
survey responses sent multiple times; it is impossible to tell if this was intentional on the part of
a malicious user, or if it was simply user error. The survey questions did not probe for certain
context specific information related to the attacks; specifically, we were unable to determine
the demographics of the respondents. For instance, it would have been interesting to note
whether or not the compromises occurred on corporate machines, or on individual home PCs,
and, if on corporate machines, if there were policies in place which should have stopped such
compromises.
Simulations
In order to gather more data concerning the nature of the Trojan problem, we performed user
simulations using AOL. To do this, we created several different Screen Names on AOL, and
used the service to read and post to Usenet, participate in various chat groups, and cruise the
Web. Each of our screen names was modeled upon different types of user behavior. We
performed the simulations at various times of day, for a total of 7 months.
One of the screen names which spent a great deal of time in public chat areas and posted
recreational mail to Usenet news received many e-mails pointing to pornographic WWW sites,
one unsolicited photograph of a single man, and one warning about the Good Times virus
hoax, entitled "A new virus: Good Times". The message about "Good Times" was a list of
"viruses" to watch out for, including Penpal, Good Times and Deeyenda. Penpal and
Deeyenda are also hoaxes. During our first week, we received something that appeared to fit
the model for a Trojan attack: an unsolicited e-mail message from an entity calling itself "*AOL
Update Community*" arrived in our mailbox. It stated:
Hi! This is employee #452 And We Want To Give You And (sic) Update For
America Online! It Doesn't Matter What Version You Use! This Will Keep It
From Slowing Down!!! Thank You!
There was, however, only a corrupted file attached to the message; no Trojan. Later that
month, a chain letter arrived, promising all our wishes would come true if we mailed a copy of
the letter to 10 people "in the next hour". We declined. The letter explained reasons "why girls
liked boys", and appeared quite accurate. There was no attachment. Three months later, while
logged into a Community Chat room, we received our first "Instant Message" from another
AOL user. It stated:
Good morning, we at AOL have told you not to give out you[sic] password,
but today we lost vital info in sector 12FD, and need your password now.
Thank you.
We declined. Nothing remarkable occurred during the next few months.
During the 6th month one of the other screen names, modeled after a user who spent most of
his time in PC specific chat rooms related to hacking, security and viruses, received another
such "Instant Message", from a user purporting to be "SATSUNMON" - presumably a
notation for Saturday, Sunday, Monday. The message stated:
Please respond with Your password information. It is very important that
you respond immediately. Thank you for using America Online.
We declined.
Our 'business-man' models, who spent their time reading business news, stock reports and
talking to people about pets, received very little unsolicited e-mail, and nothing vaguely related
to a Trojan.
Finally, our 'government' model who spent time talking to bots, investigating WWW sites
related to information warfare and talking to "women with minds" (an AOL chat room)
received no e-mails related to anything other than service specific issues. This was somewhat
curious, as he spent some time in channels occupied by "Phishers" (people who actively seek
out AOL passwords from the unwary) as well.
Trojans in the AV Zoo
We did receive (from another vendor, not from a user directly) one Trojan which seemed to
target Prodigy and CompuServe users as well as AOL users; it was, however, extremely
primitive, merely deleting the contents of c:\aol, c:\prodigy and c:\compuserve.
In June 1998, the discovery of a Trojan called GRIC Windows Dial-up Networking
Password Stealing Trojan (since renamed Crowl) was announced. This non-resident Trojan
targeted Windows 95/NT Dial-up networks. As with the other Trojans, this one requires the
user to actually run a program (execute an e-mail attachment), and then parses user
id/password information from readily available files on the PC. It then mails the combination to
an outside location. The Trojan is not thought to be widespread; we have received no reports
of it from any users.
We received a number of Trojans from other technology developers. An examination of these
shows they can be divided into several types; the majority of these types have been examined
and well-documented in [25]. Briefly, the simplest of these are the batch file Trojans. These
simply delete various system files and programs. These may be activated from within
documents, or in some cases are downloaded and run by unsuspecting users.
Next, we have non-resident executables that perform a quite similar function; while stating they
will perform actions such as speeding up your connection or displaying an image, they are
actually deleting system files. They are usually simply compiled (using bat2exe or bat2com)
batch file programs. For example, one such program we received (named so as to suggest it
will allow the user to see some pornographic image) displays sine-wave shaped scrolling
images as it erases all files in the current directory. It continues the scrolling throughout the rest
of the processes, as it changes to the Windows subdirectory, deleting other files including
*.exe, *.ini, *.com, *.dll, *.sys, *.fot. Next, it changes to the \DOS subdirectory and deletes
*.exe, *.com, *.ini, *.sys, and then moves on to the \mouse subdirectory where it deletes
*.exe and *.com files. After this file deletion and visual display, the program presents the
following message to the screen:
Nice scroll huh? Ha Ha Ha Ha Ha....die LAMER!!
ohh no...your gonna cry!!
everything is gone sucker!!
Then we have another type of direct action Trojan. These are generally mailed as e-mail
attachments to unsuspecting users. When the user executes a program containing one of these
Trojans, the Trojan may mail information related to user login ID and password via AOL's
e-mail feature to some 'anonymous' e-mail account, where the bad guy can pick it up. It may
send nasty e-mail to other users.
Finally, there were some resident Trojans. These place a call to themselves in WIN.INI, and
thus go resident after the restart of Windows. They may also mail user/password information,
credit card information, or other confidential data to the bad guy.
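The resident Trojans just described persist by adding themselves to the run= or load= line of WIN.INI. As an added defensive illustration (this is not code from the paper or from any vendor), the following Python script parses those two keys from the [windows] section and flags any program that is not on an expected list. The sample WIN.INI text, the file names freeaol.exe and approved.exe, and the allowlist are all constructed for the example.

```python
import ntpath
import re

# Constructed sample WIN.INI (not taken from any real system). The second
# run= entry stands in for a Trojan that has added itself for persistence.
SAMPLE_WIN_INI = """\
; Windows 95 WIN.INI (constructed sample)
[windows]
load=
run=C:\\WINDOWS\\approved.exe C:\\TEMP\\freeaol.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Hypothetical allowlist: programs an organisation expects to see started
# from WIN.INI. Anything else deserves a closer look.
KNOWN_GOOD = {"approved.exe"}


def parse_startup_entries(ini_text):
    """Return (key, path) pairs from run= and load= in the [windows] section.

    WIN.INI accepted both spaces and commas as separators in these two keys,
    and 8.3-era paths contain no spaces, so splitting on either is safe here.
    """
    entries = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in ("run", "load"):
            for item in re.split(r"[ ,]+", value.strip()):
                if item:
                    entries.append((key, item))
    return entries


def flag_suspicious(entries, known_good=KNOWN_GOOD):
    """Return the entries whose program name is not on the allowlist.

    ntpath is used so that backslash paths are handled on any host OS.
    """
    return [(key, path) for key, path in entries
            if ntpath.basename(path).lower() not in known_good]


if __name__ == "__main__":
    found = parse_startup_entries(SAMPLE_WIN_INI)
    for key, path in flag_suspicious(found):
        print(f"unexpected {key}= entry: {path}")
```

Run against the sample, the script reports only the freeaol.exe entry; approved.exe is on the allowlist and the empty load= line yields nothing. In practice the allowlist would be built from a known-clean baseline of the same machine or image, so that a new entry stands out immediately after a user has run an e-mail attachment.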
In addition to the Trojans, there are also Instant Message construction kits which facilitate the
sending of Instant Messages to many people. While not Trojans, they have recently gained a
lot of attention and are sometimes confused with "AOL Trojans". These Instant Messages can
be sent from within AOL or from the Internet in general, to users on AOL.
Here are some actual examples of the type of messages that are being sent to users:
Sector 4G9E of our data base has lost all I/O functions. When your account
logged onto our system, we were temporarily able to verify it as a
registered user. Approximately 94 seconds ago, your verification was made
void by loss of data in the Sector 4G9E. Now, due to AOL verification
protocol, it is mandatory for us to re-verify you. Please click 'Respond' and
re-state your password. Failure to comply will result in immediate account
deletion.
Hi, I am with the America Online Hacker enforcement group, we
have detected hackers using your account, we need to verify your
identity, so we can catch the illicit users of your account,
to prove your identity, please click 'respond' th Zip Code,
Credit Card number, Bank Name and Expiration Date.
Thank you and have a nice day!
It should be noted that children can be targeted, as we show in these messages, which are part
of one of the Trojan packages:
Hi, I Work With your Daddy At ChemCo Corp. We Need to Find Your
Daddy As soon As possible, So Please Give Me Your America Online
Password So We Can Find Your Daddy Through The internet
company..Please Hurry!
Hey son, this is Daddy! :) How are you? I'm at work right now, I need the
password to the account quickly so I can check something real quick! Just
click on reply and type it in! Thanks, get started on your homework soon.
I'll be home later for dinner! Say hi to mommy for me! Bye :-)
In addition to these Trojans, AOL's Virus Information Center addresses the issue of other
types of Trojan activity on AOL:
We would like to remind you that the safest policy is to NEVER download
files sent to you from strangers. We have recently seen offers of free games
pornographic files, free AOL time, faster connecting modem connections,
easy AOL software upgrades, password scams including impersonations of
high-ranking AOL personnell [sic], and more -- all were not what they
claimed to be.
As another example, we note that a new type of Trojan has recently surfaced on AOL. It is a
file attached to a message, claiming to be an electronic on-line greeting card. According to
AOL warnings, the file is actually a Trojan horse. AOL defines a Trojan horse as "a program
that appears to perform a valid function but contains, hidden in its code, instructions for
something else". This "greeting card Trojan" asks for AOL billing information as registration to
read the card. The information is sent to the perpetrator. This is simply a variation of the "send
us your billing information" Trojan. We can expect to see more Trojans of this type in the
future, as they are easy to create.
E-MAIL Trojans
The idea of Trojanized e-mail is certainly not new. E-mail messages which were in fact ANSI
bombs were circulated on FidoNet in the early 1990s. However, things have gotten
significantly more sophisticated. It is now possible to embed Trojans in Word Documents,
which can be sent as e-mail attachments. To the user, who sees only an icon to be clicked
upon, this represents a clear and present danger. In [26] we read
"To make it even less clear and more difficult for scanners
these DOC files are frequently distributed in RTF
format…could contain embedded EXE files in hexadecimal
dump form…Under Microsoft Office for Windows 95 opening
of RTF files is done automatically so (the) user is unlikely to
notice that the file is not a usual Winword's (sic) document."
E-mail can also contain various kinds of active content based Trojans, as we will discuss more
extensively below.
Back Doors Made Simple
If an attacker can arrange for a victim to run a Trojan horse, there are few limits on the actions
the program can take, and the damage that can be done to the system. Most of the Trojans we
have examined have simple payloads, erasing files or formatting hard drives. Password-stealing
Trojans are somewhat more sophisticated, and the PGP and ircII Trojans described above
are still more complex. One of the most dangerous Trojan payloads consists of installing a
back door into the attacked system: rather than directly causing damage or altering files itself,
the Trojan instead alters the system so that the attacker himself can later connect to it with
some degree of privilege, and do whatever he chooses. Some components of the "named"
Trojan described above establish back doors in subverted systems, and many tools used by
direct attackers are aimed at setting up back doors for later use.
As this paper was being written, a back-door program for Microsoft Windows systems, called
"Back Orifice", was released on the World Wide Web by a group called "The Cult of the
Dead Cow". Once installed on a system, this program allows an attacker who can
communicate with the system over the Internet to completely take over the system, issuing
commands, installing and altering files, deleting data, and monitoring the activity of the
legitimate user sitting at the keyboard. While it has similarities to legitimate
remote-administration tools, Back Orifice is clearly designed as a Trojan horse, because it
goes to some lengths to make itself invisible to the legitimate user, and because it comes with
tools to create Trojanized versions of legitimate programs, which will install the Back Orifice
back-door as well as performing their usual function. As of this writing, it is unclear how
significant this particular program will be to the future of Internet security; Back Orifice itself is
an imperfect implementation, and is easily blocked by firewalls and detected by known-Trojan
scanning. But both back-doors and do-it-yourself Trojan horse "kits" are likely to increase as
threats in the near future.
Prevention is Better Than Cure
What solutions for Trojan problems exist for users today? Should the solutions assume or even
require a certain level of technical knowledge on the part of users? In [27], we read that
"Many of the people that make up the AOL communities know almost nothing about
computers". Is this relevant? People do know it is ill advised to give credit card information,
PINs, etc., to strangers in non-cyberspace interactions. We believe people can be
educated to exercise basic common sense in computer-based interactions as well.
In every case, the problems AOL users experienced with the types of programs we have
described could have been avoided had they heeded the good advice given by AOL.
Here are examples of warning/advice messages shown to AOL users [28].
Never download files attached to e-mail from someone you don't know. These files
may contain "Trojan Horse" programs that can give your password to scam artists
without our knowledge.
Remember: if you don't know who sent the e-mail, don't download the attached file!
WARNING: If you don't know the sender of the file, don't download the attached file!
Files attached to e-mail messages can contain computer viruses or Trojan horses.
Viruses and Trojan Horse programs can cause damage to your computer files, contain
questionable graphics, or compromise the security of your account.
AOL Staff will NEVER Send You E-mail with Attached Files: No AOL Staff will ever
send you files attached to e-mail.
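The AOL advice above is a policy an organisation can enforce at its mail gateway rather than leave to each user. As an added example (not code from the paper, from AOL or from any vendor), the Python script below applies the rule "never run files attached to mail from strangers": it parses a message, checks whether the sender is in the user's address book, and quarantines executable attachments from unknown senders. The message text, the addresses at example.com, the attachment name aolupdate.exe and the extension list are all constructed for the example; the base64 body is arbitrary bytes, not a program.

```python
import os
from email import message_from_string
from email.utils import parseaddr

# Extensions that run code when opened. .doc and .rtf are included because,
# as the E-MAIL Trojans section notes, Word documents can carry macros and
# RTF files can carry embedded executables. Constructed list for the example.
RISKY_EXTENSIONS = {".exe", ".com", ".bat", ".doc", ".rtf"}

# Constructed message in the style of the "AOL Update" mail described above.
SAMPLE_MESSAGE = """\
From: "*AOL Update Community*" <employee452@example.com>
To: user@example.com
Subject: An Update For America Online!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

This Will Keep It From Slowing Down!!!
--BOUNDARY
Content-Type: application/octet-stream; name="aolupdate.exe"
Content-Disposition: attachment; filename="aolupdate.exe"
Content-Transfer-Encoding: base64

AAAAAAAAAAAAAAAA
--BOUNDARY--
"""


def attachment_names(msg):
    """Filenames of all attachment parts in a parsed message."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no file themselves
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def evaluate_message(raw_text, address_book):
    """Apply the rule 'never run files attached to mail from strangers'.

    address_book: set of lower-cased addresses the user already knows.
    Returns the sender, the risky attachments and a verdict:
      quarantine - executable attachment from an unknown sender
      warn       - executable attachment from a known sender (still worth a look,
                   since the sender's machine may itself be Trojanized)
      deliver    - nothing executable attached
    """
    msg = message_from_string(raw_text)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    risky = [n for n in attachment_names(msg)
             if os.path.splitext(n)[1].lower() in RISKY_EXTENSIONS]
    if risky and sender not in address_book:
        verdict = "quarantine"
    elif risky:
        verdict = "warn"
    else:
        verdict = "deliver"
    return {"sender": sender, "risky_attachments": risky, "verdict": verdict}


if __name__ == "__main__":
    print(evaluate_message(SAMPLE_MESSAGE, {"friend@example.com"}))
```

With the sample message and an address book that does not contain the sender, the verdict is "quarantine"; adding the sender to the address book downgrades it to "warn", which matches the paper's point that having met someone a few times online does not make their software trusted.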
What about the other types of Trojans we have discussed? While in [29], we read "Education
of computer users is not very effective… nobody can really rely on the education and
discipline to reduce treats [sic] from the Internet", we strongly disagree, and believe that in fact
user education is the best prevention against many types of Internet-based Trojans in general.
People know that they should not use medicines that come in bottles on which the seals have
been broken. People know not to open their door to strangers. They know these things
because they have been taught these things. As computers become more and more a part of
our daily lives, we must educate people as to the dangers they may encounter.
As we have shown, Trojans per se are not new threats to the Internet. We've described their
history from the earliest days of Trojan design as an academic exercise, through the early days of
FidoNet, when you could avoid getting Trojans by getting software through authenticated,
legitimate distributors, through the developing Internet, to the present day -- where you can still
avoid some types of Trojans by obtaining software only through authenticated sources.
However, the Internet and widespread use of online services have introduced several new
problems. Foremost among these is the need to not open documents from strangers, and to
not accept software from strangers. The Internet is much more interactive than the old FidoNet
systems. Along with this interactivity, we must bring a modicum of skepticism. By nature, we
want to trust those we meet online; we want to assume the best about everyone and we don't
want to insult someone who is offering to help us by providing software. We are conditioned
to not ignore people, so we are compelled to read e-mail even when it might be better moved
first to a 'safe place'.
Clearly, while software methods to detect known Trojans or their minor variations can be of
help to users in some situations, it is possible to avoid being victimized even by brand-new
Trojans. How? If you don't know the sender of the file, don't download or execute the
attached file! Don't just 'click here' if you don't know what you are clicking on!
It is critical that users understand that accepting programs from strangers can put their
organizations at risk. It is vital that they understand that meeting someone on IRC or AOL or
in e-mail a few times does not make that person 'trusted' when it comes to accepting software
from them.
Heeding this advice will significantly reduce the risk of Trojans to your organization; however,
in the case of Trojanized systems, most of the responsibility rests on the administrators.
Administrators need to keep aware of the latest security problems and patches, and keep the
patches up to date.
We've examined several types of Trojans which have been spread about on the Internet: the
Trojanized PKZIP, which was widely discussed but rarely found; the Trojanized PGP, found
very rarely; Trojanized IRC Scripts and Clients, both found rather frequently; applications
which have been rootkitted and Trojanized systems -- numbering in the thousands. We've
looked at the problems with AOL Trojans, which can be solved by simply exercising sensible
on-line behavior (which should be a policy within your organization). This brings us to the
future: Active Content on the Internet.
Active Content: The future of Trojan horses?
Old-fashioned data, including text, mail, spreadsheets and documents, was essentially passive:
the bits and bytes arrived on your computer on diskette or over the network, and programs
sitting on your machine examined them and presented them to you in the proper format.
Images in a known format got displayed by a display program that knew about that format. A
document designed for a particular word processing program was opened in that program,
and the program, not the document itself, was in charge of presenting the document’s content
to you.
Active content is a new paradigm, in which data objects themselves, including documents,
mail, spreadsheets and Web pages, contain the knowledge necessary to correctly present their
content to the user, and if necessary interact with the user (and the user’s computer!) to
process that content. Macros in Word documents are a primitive form of active content; when
you open a Word document, a WordBasic program contained in the document can run,
perhaps welcoming you to the document and offering you a number of different viewing
options depending on what parts of the document you want to see first. When you visit a
JavaScripted Web page using a JavaScript-enabled browser, a program contained on that
page will get downloaded and executed, enabling Web authors to enhance their pages with
greater responsiveness and interactivity. Web pages using Java can do similar and even more
powerful things, downloading special viewers for the data offered by the Web page,
interpreters for new image or movie formats, and a host of other special services that
old-fashioned passive content could not have provided so conveniently.
How much can you trust the programs that active-content systems are constantly welcoming
onto your computer? Millions of Word users can attest that sometimes the active content
contained in a Word document can be, not a helpful assistant, but an annoying or destructive
virus. Thousands of variants of Word macro viruses are now known; they exploit the fact that
the original version of Word’s active content system had no security at all: any document could
contain macros, and those macros could do anything at all to your system once you opened
the document. (More recent versions of Word include a certain amount of security, including
warning you when a document contains macros and allowing you to disable them before
opening.) Not all malicious Word macros are viruses, either: there are a number of Word
macro Trojan horses known, which do not actively spread themselves from document to
document, but merely do some nasty thing when the document they contain is opened. The
"FormatC" Trojan, for instance, attempts to format the user’s C: drive when the Trojanized
document is opened. Because Word’s macro facility currently has no security once a macro is
running, there is nothing in the system that can say "I’m sorry, but programs contained in Word
documents from strangers are not allowed to format drives!".
A similar all-or-nothing security model characterizes ActiveX [30], Microsoft’s system for
active content on the Web. ActiveX programs (called "controls" for historical reasons) are
stored on Web sites, and special instructions embedded in Web pages instruct your browser
to download and execute them. Microsoft uses a digital-signature technology called
Authenticode to verify who (if anyone!) has signed an ActiveX control, and (depending on
exactly what version of the browser is in use, and what the security settings are) the user will
be given this information before the control is run, and be able to decide whether or not to
execute it. But if the user chooses to allow the control onto his system, it can do anything that
any other piece of software can do, including both useful functions and malicious ones. Since
users of complex software like Windows are very accustomed to clicking "Continue" in
response to obscure and hard-to-understand system prompts, this sort of security has obvious
limitations. It is also true that, while a control may be signed by a trusted and well-intentioned
individual, someone else with worse intentions may be able to abuse it. There have been
multiple cases on the Web where a commercially-provided control has turned out to have
accidental back doors, which could have enabled a malicious person to damage user systems
by including a call to that control on their Web page with craftily-chosen parameters [31] [32]
[33]. (In none of these cases do we know of any malicious individuals actually exploiting these
controls; in all cases so far, the good guys found the problem before any damage was done.)
Another model of active content security is the "sandbox" or "protection domain" model
employed in Java [34], Sun’s active content system for the Web. While ActiveX controls are
in machine language, and run "on the metal" where they have all the privileges and abilities of
any other program, Java programs from the Web (called "applets") are executed by a secure
interpreter, which determines what the Java code wants to do, and can decide whether or not
to do it at a very fine level of detail. An unsigned Java applet, even if you allow it onto your
system, cannot format your disk, or even read or write any of your files. Unless you have
specifically granted it higher privileges based on a digital signature, an applet’s abilities are
essentially limited to interacting with you via the screen and keyboard, and sending requests for
information back to the system from which it was loaded. So while it is possible to write a
virus or Trojan horse in the Java language, the program would be unable to carry out its
malicious mission when run as an untrusted applet, because the security manager would not
allow those actions. This allows Java to provide enhancements to the Web experience, without
requiring you to trust any strangers with the content of your disks.
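To make the contrast between the two models concrete, here is an added Python illustration (my own, modelling neither Sun's nor Microsoft's implementation) of a fine-grained sandbox check versus an all-or-nothing accept decision, both applied to the same list of requested actions. The action names, the host www.example.org and the signer name are invented for the example; the action list is built in the spirit of the FormatC macro described above, a harmless display step followed by an attempt to format the C: drive.

```python
def applet_policy(origin_host, signed_by=None, trusted_signers=frozenset()):
    """Return a check(action, target) -> bool for the sandbox model.

    An unsigned applet may only draw on the screen and talk back to the host
    it was loaded from; an applet signed by a signer the user has chosen to
    trust is granted everything. Action names are invented for this example.
    """
    if signed_by is not None and signed_by in trusted_signers:
        return lambda action, target: True

    def check(action, target):
        if action in ("draw", "beep"):
            return True
        if action == "connect":
            return target == origin_host      # only the originating host
        return False                          # read_file, write_file, format_disk, ...
    return check


def run_sandboxed(program, check):
    """Mediate every action individually. A denied action is refused by the
    security manager, but the rest of the program keeps running."""
    return [(action, target, "allowed" if check(action, target) else "denied")
            for action, target in program]


def run_all_or_nothing(program, user_accepted):
    """Native-code model: one decision up front, then no further checks."""
    status = "allowed" if user_accepted else "denied"
    return [(action, target, status) for action, target in program]


# Constructed action list: a greeting, a call home, then a format attempt.
HOSTILE_PROGRAM = [
    ("draw", "greeting window"),
    ("connect", "www.example.org"),
    ("format_disk", "C:"),
]


def compare_models():
    """Run the same program under both models and return the outcomes."""
    sandbox = run_sandboxed(HOSTILE_PROGRAM, applet_policy("www.example.org"))
    native = run_all_or_nothing(HOSTILE_PROGRAM, user_accepted=True)
    return {"sandbox": sandbox, "all_or_nothing": native}


if __name__ == "__main__":
    for model, outcome in compare_models().items():
        print(model)
        for action, target, status in outcome:
            print(f"  {action:12} {target:18} {status}")
```

Under the sandbox the greeting and the connection back to the originating host succeed while the format request is refused; under the all-or-nothing model a single "Continue" click lets all three through, which is exactly the limitation the paragraph on ActiveX describes. Granting the applet a trusted signature collapses the sandbox to the same all-or-nothing result, which is why the decision of whom to trust as a signer carries so much weight.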
Like any system in the real world, neither Java nor ActiveX is perfect. Java applets can cause
annoyance and inconvenience even though they cannot touch your hard drive. Mark LaDue,
while a PhD candidate at Georgia Tech, developed a number of "hostile applets" [35] that
illustrate some of the potential problems: his applets open hundreds of windows rapidly on the
user’s display, make annoying and difficult-to-silence sounds, and try to fool the user into
disclosing his username and password. As mentioned above, even signed and well-intentioned
ActiveX controls may be exploitable by attackers, and if users are too accustomed to
thoughtlessly pressing "Continue", an ill-intentioned control can easily obtain free run of the
system. Simple JavaScript programs, which like Java applets are ordinarily unable to access
user files, can cause confusion and waste time simply by displaying messages: one "joke" Web
page was for a time greeting every tenth visitor with the message "Your system is now infected
with the Psychic Neon Buddha Jesus virus". The message was completely false, of course, but
it did cause numerous calls to help desks and anti-virus experts. (For some advice about
minimizing your exposure to browser-based Trojan horses, see [36].)
What is the current situation in the real world? Except for some demonstration applets and
controls that are clearly marked as such, and a large number of virus-infected Word and Excel
documents, the Web seems to contain few or no true active-content Trojan horses. As we
noted above, while a small number of respondents to our Web survey suspected that they had
been victims of some sort of Web-related Trojan horse, in no case were we able to confirm
that, and to date we have seen no truly malicious Java or ActiveX programs posing a danger
to innocent users on the Web. On the other hand, this technology is still in its infancy. It is likely
to become widespread quite rapidly, and it will take dedication on the part of developers to
ensure that the function does not too far outpace the security of the systems. Users, and
especially system administrators, need to be aware of developments in this area, including
security-related bugs which are discovered all too often in active content systems, to make
sure that their systems are as secure as possible against what is likely to become a more
serious threat in the not-too-distant future.
Risks and Costs
There are a number of risks to the security of computer systems in the current environment.
These risks include direct attacks (by both insiders and outsiders), known viruses, unknown
viruses, known Trojan horses, and unknown Trojan horses. Which of these risks is the most
serious, and which security measures are the most cost-effective?
Known viruses are by far the most common security problem on modern computer systems.
Because they replicate by themselves, and can be exchanged in the normal course of business,
between well-intentioned users, viruses spread without intentional help along lines of intentional
data exchange. For a known virus to spread from person to person, or enterprise to
enterprise, no malicious intent is required; the author of the virus could be long-dead, and all
living persons virtuous, and the virus would still spread. We estimate that even in relatively
well-protected environments, on the order of one percent of the computers in an enterprise
can be expected to encounter a virus in a typical year. Fortunately, because viruses spread
themselves, and viruses are just programs, it’s always relatively easy (and usually completely
trivial) to detect all the possible offspring of any given virus. So known-virus detection is both
easy, and highly effective in combating a very real threat.
Unknown viruses are a more difficult, but fortunately a rarer, problem. Fred Cohen [37] has
proven mathematically that perfect detection of unknown viruses is impossible: no program can
look at other programs and say either "a virus is present" or "no virus is present", and always
be correct. But, in the real world, most new viruses are sufficiently like old viruses that the
same sort of scanning that finds known viruses also finds the new ones. And there are a large
number of heuristic tricks that anti-virus programs use to detect new viruses, based either on
how they look, or what they do. These heuristics are only sometimes successful, but since
brand-new viruses are comparatively rare, they are sufficient to the purpose. For your
company to be infected with a new virus, that virus has to spread from the author to you
before it is detected anywhere else, an event that is thankfully not common. As connectivity
and interactivity increase, it is of course vital that anti-virus measures keep up with the potential
very fast spread of new viruses; to that end, anti-virus systems modeled after biological
immune systems are now under development [38].
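A sketch of the argument behind the result attributed to Cohen above, added here as an illustration rather than quoted from the paper or from [37]; the names $D$ and $C$ are chosen for the sketch.

Suppose a detector $D$ existed that, for every program $P$, always correctly returned
$$D(P)=\begin{cases}1 & \text{if } P \text{ is a virus (replicates)}\\ 0 & \text{otherwise.}\end{cases}$$
Since $D$ is itself a program, a new program $C$ can be written that calls $D$ on its own code:
$$C:\quad \text{if } D(C)=1 \text{ then halt without replicating, else replicate.}$$
Either answer contradicts itself:
$$D(C)=1 \;\Rightarrow\; C \text{ never replicates} \;\Rightarrow\; D \text{ is wrong};\qquad D(C)=0 \;\Rightarrow\; C \text{ replicates} \;\Rightarrow\; D \text{ is wrong}.$$
So no such $D$ exists. The practical reading is the one the paragraph gives: a scanner can be exact about known viruses and their close relatives, but any detector for arbitrary unknown code must sometimes be wrong, and heuristics trade false alarms against misses.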
Both known and unknown viruses tend to be simple and mindless in their payloads. A virus
may erase the boot record of your hard disk, forcing you to waste time restoring your data
from backups, but it will not break into your employee database and alter salary records,
because the author of the virus could not have known that it would spread to your system, and
has no idea what your salary database is called, or what fields it has.
Direct attacks, on the other hand, where an attacker sets up a session between himself and
one or more of your systems and issues commands from his own keyboard, can be more
focused and hence more deadly. A virus may just erase some critical Windows files, but an
attacker can snoop around the system, notice a SALDB.MDB, and try a few likely-looking
passwords to open it, and examine or alter your company’s confidential records. Because a
direct attack assumes an involved attacker, direct attacks are much rarer than virus incidents;
but because there is a human intelligence directly involved, they can be much more devastating.
Anti-virus software has little or no relevance to direct attacks; contrary to various popular
movies, attackers seldom use viruses when breaking into systems. To secure your system
against direct attacks, you need to employ the whole panoply of computer-security measures:
firewalls, passwords, separation of duties, and so on. Security against direct attacks must be
designed-in and built-in to the systems that you use; no aftermarket software is going to solve
the problem.
Trojan horses, our main theme, lie somewhere between computer viruses and direct attacks.
You are unlikely to get a Trojan horse purposefully sent to you by a well-intentioned colleague
in the normal course of business. On the other hand, a Trojan horse does not require a
directly-involved attacker sitting at a keyboard typing. The most common, and most
dangerous, type of Trojan horse is one that an attacker crafts specifically for one target, and
then plants on a Web page, or sends in e-mail, or otherwise makes available to someone with
access to the target system, in hopes that it will be executed in a mode where it can do its dirty
work: changing a password or establishing an account for the attacker to use, mailing key data
to the attacker, setting up a back door into the system, or deleting key files that the attacker
knows are there. Since the attacker will be creating this sort of Trojan horse specifically for the
purpose, it will be an unknown Trojan horse, and software on the anti-virus model is unlikely
to detect it. The direct-attack model of prevention is the best one for this case: be sure that
users know not to trust instructions from strangers, whether they come verbally over the phone
or in the form of programs received in the mail. Ensure that the active content settings in your
users’ browsers are reasonable and secure, and have policies, as described above, for general
prevention and good hygiene.
When are known Trojan horses likely to be a problem, and what is the right solution?
Known Trojan horses are a problem when some attacker, for whatever reason, creates a
single Trojan horse (or a set of very similar ones), and sends it to a large number of users
repeatedly over a period of time. We know only a single case of this situation: the
password-stealing Trojan horses that circulate on the popular online service America Online
[39]. Because there are many AOL users, and because attackers continue to try to steal
passwords using very similar Trojan horses repeatedly, the anti-virus model can be reasonably
successful in this limited niche: a program that watches incoming files for a pattern
characteristic of AOL password-stealing Trojan horses can do a fair job of protection against
this particular attack. But if the attackers were to use a significantly different implementation of
their attack, the anti-virus model would fail (at least temporarily), and users would have to rely
on general anti-Trojan-horse methods as described above. On the other hand, if users practice
good communication hygiene in the first place, they will know not to accept unexpected
programs arriving in the mail, and a solution that protects only against known Trojan horses
will be less necessary. In general, then, known Trojan horses are a significant problem only in
some niche situations, and even in those situations more general security measures are still
necessary.
CONCLUSION
As we have demonstrated in this paper, Trojan horses are anything but a new threat to
computer users. Tracing back their history, we find that there are several different loose
classes of Trojan horses, ranging from "classic Trojans" to the threats posed by active content.
While individual users are much more likely to encounter computer viruses than Trojan horses,
a tailored Trojan horse attack could be devastating to a business. Our advice is simple and
unexciting: use and update anti-virus software, follow good security practices, and keep aware
of new developments in the field. Don’t accept programs that arrived unexpectedly in the mail,
and tell all your users to do the same. While this is sound advice, we note that the delineation
between program and data is becoming increasingly blurred, and have some concerns
regarding the increasing trend towards active content, where data and program become
inseparable. It is extremely important that users begin to shift from thinking of Trojan horses as
programs which can be identified by filenames to a paradigm which includes executable code
in any form.
At the moment of this writing, the Internet has not caused a huge upswing in the frequency of
Trojan horses in the world; our research was able to uncover almost no actual incidents of real
users victimized by Trojan horses outside of one particular niche of the Net. Neither Java (with
its powerful and fine-grained security model) nor ActiveX (with its cruder all-or-nothing
controls) has been used to create or distribute real live Trojan horses to unsuspecting users. Of
course, as computers and the Internet become more important to our businesses and our lives,
it becomes more and more important to be aware of the possible threats that exist, and ensure
that you have taken all sound measures against them.
References
1. Thompson, Ken. Reflections on Trusting Trust. Communications of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763.
2. National Computer Security Center. A Guide to Understanding Discretionary Access Control in Trusted Systems. Neon Orange Book. 1987.
3. National Computer Security Center. Department of Defense Trusted Computer System Evaluation Criteria. Orange Book. December 1985.
4. Forum on Risks to the Public in Computers and Related Systems. ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator. Volume 7, Issue 74. 10 November 1988.
5. Dirtyd9c.zip. Define.dd. Documentation for The Dirty Dozen. Available from the Simtel MS-DOS Collection. http://mirror.direct.ca/simtel.net/msdos/virus.html. July 1998.
6. Dirty9c.zip. Intro.dd. Documentation for The Dirty Dozen. Available from the Simtel MS-DOS Collection. http://mirror.direct.ca/simtel.net/msdos/virus.html. July 1998.
7. Dirty9c.zip. History.dd. Documentation for The Dirty Dozen. Available from the Simtel MS-DOS Collection. http://mirror.direct.ca/simtel.net/msdos/virus.html. July 1998.
8. Finkel, Raphael. Those ubiquitous viruses. Computer Science Department, University of Kentucky.
9. In [8].
10. Gordon, Sarah. IRC and Security: Can the Two Co-Exist? Network Security. Elsevier Advanced Technology. Oxford, UK. October 1994.
11. http://www.cert.org/pub/cert_advisories/CA-94:14.trojan.horse.in.IRC.client.for.UNIX. October 1994.
12. Gordon, Sarah. Publication of Vulnerabilities and Tools. Proceedings of the Twelfth World Conference on Computer Security, Audit and Control. Queen Elizabeth II Conference Center, Westminster, London, UK. October 1995.
13. Gordon, Sarah and Nedelchev, Ivailo. Sniffing in the Sun: Anatomy of a Disaster. Network Security. Elsevier Advanced Technology. Oxford, UK. February 1994.
14. CERT Advisory CA:9-01. February 3, 1994.
15. Gordon, Sarah. The Worm Has Turned. Virus Bulletin. August 1998.
16. CERT Bulletin 98-04. May 1998.
17. Rosenberger, Rob. Computer Viruses and 'False Authority Syndrome'. http://www.kumite.com/myths. 1996.
18. In [17].
19. Clark, Tim. eSafe blocks hostile components. CNET NEWS.COM. December 4, 1997.
20. Dr. Solomon's Press Release. http://www.drsolomons.com. July 18, 1998.
21. The FREE AOL Trojan. http://www.symantec.com. July 18, 1998.
22. Whalley, Ian. Talking Trojan. Virus Bulletin. pp. 9-10. July 1998.
23. NCSA and AOL Warn of Significant Prevalence of AOL Password Trojan. NCSA Press Release. June 27, 1998.
24. Thompson, Roger. Personal communication. July 1998.
25. Muttik, Dr. Igor. "Trojans - The New Threat?" IVPC Protecting the Workplace of the Future. April 28 and 29.
26. In [25].
27. Whalley, Ian. Talking Trojan. Virus Bulletin. pp. 9-10. July 199
28. AOL Online Documentation. July 1998.
29. In [25].
30. http://www.microsoft.com/com/activex.htm
31. http://www.wired.com/news/technology/story/2548.html
32. http://www.zdnet.com/wsources/content/0597/sec0.html
33. Chess, David M. Personal communication. August 1998.
34. http://www.javasoft.com/security/
35. http://www.rstcorp.com/hostile-applets/
36. Morar, John and Chess, David M. "Web Browsers – Threat or Menace". Proceedings of the Virus Bulletin International Conference. Munich, Germany. October 1998. Preprint.
37. Cohen, Fred. A Short Course on Computer Viruses. Wiley & Sons, 1994.
38. Kephart, Jeffrey et al. Blueprint for a Computer Immune System. Proceedings of the Virus Bulletin International Conference, San Francisco, California, 1997.
39. In [25].