Security on the Internet / Trojan horses

  • Definition
  • Harmful potential
  • Back Orifice
  • NetBus and others
  • What not to do
  • How to protect yourself
  • In summary
    Definition

    The Trojan horse, also known simply as a Trojan, is one of the most common methods of intrusion into a system. A Trojan horse is a malicious, security-breaking program that is disguised as something benign ( 1 ). Its name refers to the inhabitants of the ancient city of Troy who, according to legend, saw their assailants abandon the battlefield, leaving behind a large wooden horse. Harmless in appearance, this trophy was unwisely brought inside the city walls, which proved to be their downfall: enemy soldiers were hidden inside the horse. They waited for nightfall, then opened the city gates so that their fellow soldiers could take the inhabitants by surprise, set fire to the city and kill its defenders.

    The method of the modern Trojan horse has not changed much. It hides inside another program presented under false pretences. It may be concealed in a small animated-graphics program, something merely amusing or, more often, pornographic. The victim accepts it willingly, and it is often forwarded in good faith by users who are unaware of what it contains. This is the main point on which it differs from a virus, whose ability to reproduce itself lets it spread without any direct human intervention.

    Harmful potential

    The damage caused by a Trojan horse can have very serious consequences. It can give complete control of your system to total strangers acting anonymously. For example, the entire contents of your system could be deleted. More insidiously, personal or business data and passwords stored on your computer could be read and altered. A Trojan horse can also let an attacker use your Internet connection, under your identity and to your detriment, to commit criminal offences whose investigation will lead back to you.

    Back Orifice

    Back Orifice is undoubtedly the most talked-about Trojan horse ever. Presented as a client/server remote-administration application by a group known as the Cult of the Dead Cow, it is in fact a very dangerous program. It lets an attacker do, anonymously and from a distant computer, everything you can do yourself from your own keyboard.

    Back Orifice opens a communication port known to most attackers, allowing anyone with the know-how to enter your system. Whoever installs it can choose the port it listens on and protect access to it with a password. The attacker thereby reserves illicit use of your system for themselves, without your knowing about it.

    Back Orifice can only infect and attack systems running Windows. It adds an entry under the following registry key so that it is started with the system:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    Another sign of a Back Orifice infection is a file in the c:\windows\system directory whose name is a single space followed by .exe; in a directory listing it therefore appears to have no name at all.

    A version capable of attacking Windows NT, called Back Orifice 2000 (BO2K), is available on the Net. The Microsoft Security Advisor has published a bulletin titled: How to Determine if Back Orifice 2000 Is Installed On Your System.

    NetBus and others

    NetBus is another very widespread Trojan horse. Like Back Orifice, it installs itself insidiously on your computer and opens a way in for anyone interested in exploiting the opportunity. Depending on the version, NetBus adds an entry under the registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    or it creates the following key:

    HKEY_CURRENT_USER\NetBus Server

    One of NetBus's characteristics is that it lets an attacker remotely open and close your CD-ROM drive tray. If you notice this kind of erratic behaviour without any apparent reason, you should check your system.
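    The indicators described above for Back Orifice (an autostart entry and a file whose name is a space followed by .exe) and for NetBus (the NetBus Server key) can be checked mechanically against a registry export. The following Python script is an added example; it is not code from this page nor from any of the tools it links to. The REGEDIT4 export and the system-directory listing it scans are constructed sample data, and the value names in them are invented for illustration. The script parses the export, works out which file each autostart value launches without splitting on whitespace (a naive split would silently discard a file name that begins with a space), and reports the three indicators the page names.

```python
import re

# Autostart keys named on the page (Back Orifice uses RunServices, NetBus uses Run).
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
NETBUS_KEY = r"HKEY_CURRENT_USER\NetBus Server"


def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key: {value_name: string_data}}.
    Keys without any values are kept, so a bare NetBus Server key still
    shows up.  Only string values are unescaped; other value types are rare
    under the autostart keys and are stored as raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg exports escape backslashes and quotes inside string data.
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def launched_file(data):
    """File name of the program an autostart value starts.
    Deliberately does not split on whitespace: Back Orifice's file name is
    a space followed by .exe, which a naive split would throw away."""
    base = data.strip('"').rsplit("\\", 1)[-1]
    m = re.match(r"(.*?\.exe)", base, re.IGNORECASE)
    return m.group(1) if m else base


def is_nameless_exe(name):
    """True for ' .exe' and similar: an .exe whose name is only whitespace."""
    return name.lower().endswith(".exe") and name[:-4].strip() == ""


def scan(reg_text, system_dir_listing):
    """Return (indicator, detail) pairs for the signs the page describes."""
    findings = []
    reg = parse_reg_export(reg_text)
    for key in AUTOSTART_KEYS:
        for value_name, data in reg.get(key, {}).items():
            if is_nameless_exe(launched_file(data)):
                findings.append(("bo-nameless-autostart",
                                 f"{key}\\{value_name} runs {data!r}"))
    netbus = NETBUS_KEY.lower()
    for key in reg:
        if key.lower() == netbus or key.lower().startswith(netbus + "\\"):
            findings.append(("netbus-key", key))
    for fname in system_dir_listing:
        if is_nameless_exe(fname):
            findings.append(("bo-nameless-file", f"c:\\windows\\system\\{fname}"))
    return findings


# Constructed sample data (not a real export); the value names are invented.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Service"="C:\\WINDOWS\\SYSTEM\\ .EXE"

[HKEY_CURRENT_USER\NetBus Server]
'''
SAMPLE_SYSTEM_DIR = ["KERNEL32.DLL", "SHELL32.DLL", " .EXE", "USER.EXE"]

if __name__ == "__main__":
    for indicator, detail in scan(SAMPLE_REG, SAMPLE_SYSTEM_DIR):
        print(f"{indicator}: {detail}")
```

    Run against the constructed sample, the scan reports one nameless autostart entry under RunServices, the NetBus Server key and the nameless file in the system directory, and nothing for the legitimate entries. The same parser can be pointed at a real export produced with regedit's Export command; the checks are limited to the indicators this page names, so a clean result is not proof of a clean system.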

    Other Trojan horses frequently encountered include winhelper.exe, dmsetup.exe and their many variants, as well as MSchv32.exe. For additional information on the subject, see the Trojan Horse Attacks on IRC page on the IRChelp.org site.

    Note also that even though the most frequent examples involve Microsoft Windows systems, other operating systems such as Unix or the Macintosh are not immune to this type of threat.

    What not to do

    To guard against Trojan horses and viruses, certain common errors must be avoided. First and foremost, never execute programs that do not come from an entirely reliable source, meaning trustworthy companies, organisations or sites that are well known and of sound reputation. All recognised sites have a host name of the form name.network.domain, for example www.canoe.com or ftp.videotron.com. A registered domain name is not a security guarantee, but a purely numerical address (something like 10.149.67.205) that cannot be associated with any host name has every appearance of a little-known site; it could very well be a site run by hackers. Servers whose content borders on illegality or indecency should also be avoided; at the very least, do not accept program files from them that can be executed on your system.

    Do not accept programs transferred over IRC, ICQ or other kinds of on-line chat, even if they are sent by a friend. Suppose you are chatting with a friend you trust entirely. He in turn knows a friend, who knows another friend, and so on. Could you trust a friend of a friend of a friend of a friend of your friend? Even if you were convinced of everyone's good faith, the answer should still be NO, because you know neither their level of exposure to risk nor the security measures they apply to their own systems.

    Apply the same precautions to electronic mail, diskettes and user-burned compact discs (CD-ROMs), i.e. discs copied by a user rather than pressed by a manufacturer. Unless you know what they are for, are sure of their source and are convinced that the sender applies sound security measures, do not accept such discs, and delete program files attached to e-mails. If you have no choice but to accept them, save the attachments and scan them with the latest update of your protection software before executing them.

    How to protect yourself

    Although they spread differently from viruses, Trojan horses can now be detected by most anti-virus software. Some products, however, are designed exclusively to guard against Trojan horses.

    Useful as they are, these tools are often limited to detecting and cleaning up an infection after the fact. Nothing can replace the basic rules of prudence that prevent the damage before it occurs.

    The following links lead to protection resources that will let you verify your system's integrity, disinfect it if need be, or simply learn more about Trojan horses:

    McAfee Anti-Virus
    Norton AntiVirus
    Tauscan
    The Cleaner
    Back Orifice help page
    Trojan Horse Attacks on IRC

    In summary:

    • A Trojan horse is an apparently harmless program that hides another, dangerous one. Be particularly wary of pornographic programs and of programs of doubtful usefulness.
    • Never execute programs unless they come from an entirely reliable source (i.e. well-known companies, organisations or sites that have a reputation to maintain).
    • Do not execute programs sent by another user via electronic mail or via chat systems such as IRC or ICQ unless absolutely necessary, and only after scanning them with the latest update of your anti-virus software.

    ( 1 ) Free On-line Dictionary of Computing (FOLDOC), Security section 


