"Trojan Horses and Other Malicious Codes"

advertisement
"Trojan Horses and Other
Malicious Codes"
by Song Chung and Adrianna
Leszczynska
Examples of Malicious Codes
- Trojan Horses
- Viruses
- Worms
- Logic Bombs / Time Bombs
What are Trojan horses?

Trojan Horses are a relatively new and probably the most dangerous strain of viruses to have appeared in recent times. They also threaten to overwhelm systems that rely only on anti-virus applications and firewalls as a means of combating the threat.
Trojan Horse History Brief

The name "Trojan Horse" derives from a page in Greek history, when the Greeks had laid siege to the fortified city of Troy for over ten years. Their spy, a Greek called Sinon, offered the Trojans a gift in the form of a wooden horse and convinced them that by accepting it they would become invincible.

The horse, though, was hollow and was occupied by a contingent of Greek soldiers. When they emerged in the dead of night and opened the city gates, the Greeks swarmed in, slaughtered the citizens and subsequently pillaged, burned and laid waste to the city.
In the IT Environment

A Trojan Horse acts as a means of entering the victim's computer undetected and then allowing a remote user unrestricted access to any data stored on the user's hard disk drive whenever he or she goes online. In this way the user gets burned and, like the unfortunate citizens of Troy, may only discover that fact when it is too late.

Examples of Trojan Horses
- "Picture.exe"
- "RIDBO"
- "FIX2001"
- "AOL4FREE"

Origin of Trojan horses

These types of viruses were originally designed as a means of self-expression by gifted programmers and did little more than cause the system to lock up, behave abnormally in a specific way, or perhaps cause loss of data on the user's machine.
Objectives of the Horse
- Allow a remote user a means of gaining access to a victim's machine without their knowledge.
- Allow the intruder to do anything with the machine that the user can do.
- Browse the user's hard drive in order to determine if there is anything of value stored on it; things of value include research papers, credit card details or passwords to restricted web sites.
- If anything of value is found, the intruder can copy the data to his own hard drive in exactly the same way that the user can copy a file to a floppy disk.
- Cause havoc on the system by deleting (system) files, erasing valuable data or ultimately destroying the hard drive.

Can Passwords Provide Protection?

Passwords offer no protection at all, because today's Trojans are capable of recording the victim's keystrokes and then transmitting the information back to the intruder. Those passwords can subsequently be deciphered by the Trojan and even changed in order to prevent the user getting access to his own files!
How does a Trojan Affect Your Computer?
- In order to gain access to a user's computer, the victim has to be induced to install the Trojan himself.
- The usual method is to offer a seemingly useful system enhancement or perhaps a free game that has the Trojan attached to it.
- By installing it, the user also installs the Trojan.

Common Sources
- Executing any files from suspicious or unknown sources
- Opening an email attachment from an unknown source
- Allowing a "friend" access to your computer while you are away
- Executing files received from any online activity client such as ICQ
Main Parts of a Trojan

Virtually every Trojan virus is comprised of two main parts:
- the "server"
- the "client"

It is the server part that infects a user's system.

What Problems can Trojans Cause?
- The server part is the part of the program that infects a victim's computer.
- The client part is the one that allows a hacker to manipulate data on the infected machine.
- Let's suppose that you have already been infected. How do intruders attack and get full control of your computer?

- Intruders scan the Internet for an infected user (technically speaking, an attacker sends request packets to all users of a specific Internet provider) using the client part of the virus.
- Once an infected computer has been found (the server part of the virus located on the infected machine replies to the client part's request), the attacker connects to that user's computer and creates a "link" between the two, just like the one in an ordinary telephone conversation.
- Once that has happened (this procedure may only take a few seconds), the intruder will be able to get unrestricted access to the user's computer and can do anything he likes with it.
- The intruder becomes the master and the user the slave, because short of disconnecting from the Internet the user is helpless and has no means at his disposal to ward off an attack.
- Intruders can monitor, administer and perform any action on your machine just as if they were sitting right in front of it.
Analogy of a Trojan Horse
- A Trojan Horse works a bit like the back door to your house. If you leave it unlocked, anybody can come in and take whatever they want while you're not looking.
- The main difference with a backdoor installed on your computer is that anybody can come in and steal your data, delete your files or format your hard drive even if you are looking.
- There are no visible outward signs that anything untoward is happening, other than perhaps unusual hard disk activity for no apparent reason.
How do you protect yourself from a Trojan Horse?
- You can try manual deletion; however, it is both time-consuming and monotonous. In addition, the user can never be absolutely certain that he has covered every option.
- Even if he is successful in removing the Trojan from his system, he may unwittingly reinstall it with the very next command he enters.
- There are many Trojan horse protection programs available for download which perform various tasks.
- An example of such a program is Tauscan, a universal Trojan Horse scanner that detects and removes practically every type of Trojan virus that may have infected your system.
- Another example is Jammer, a network analyser designed primarily to warn you if your system is under attack, but it also has a secondary feature: to remove all known versions of Back Orifice and NetBus from your system if detected.
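The scan-and-connect sequence described under "What Problems can Trojans Cause?" and the warning role of a network analyser such as Jammer, as an added defender-side example that is not part of the original slides. It reads firewall log lines in a format constructed for this example, flags inbound attempts on the default ports the Back Orifice (UDP 31337) and NetBus (TCP 12345) server parts listened on, notes when a local host answered from that port, and lists sources that probed several local hosts. The log format, addresses and the `local_net` prefix are assumptions of this example.

```python
# Added example (not from the original slides): a defender-side check for the
# scan-then-connect pattern the slides describe. It parses firewall log lines
# (format constructed here) and reports inbound attempts on the default ports
# the Back Orifice (UDP 31337) and NetBus (TCP 12345) servers listened on.
import re
from collections import defaultdict

# Default listening ports of the two Trojans the slides name.
TROJAN_PORTS = {("udp", 31337): "Back Orifice", ("tcp", 12345): "NetBus"}

# Constructed log, one connection attempt per line:
# <time> <proto> <src>:<sport> -> <dst>:<dport> <allow|deny>
SAMPLE_LOG = """\
12:00:01 udp 203.0.113.9:4000 -> 192.0.2.10:31337 allow
12:00:01 udp 203.0.113.9:4000 -> 192.0.2.11:31337 allow
12:00:02 udp 203.0.113.9:4000 -> 192.0.2.12:31337 allow
12:00:02 udp 192.0.2.11:31337 -> 203.0.113.9:4000 allow
12:00:05 tcp 198.51.100.7:3312 -> 192.0.2.10:12345 deny
12:00:07 tcp 192.0.2.20:1088 -> 192.0.2.10:80 allow
"""
LINE_RE = re.compile(r"^(?P<time>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+)"
                     r" -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>allow|deny)$")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d


def find_trojan_traffic(text, local_net="192.0.2."):
    """Return (alerts, scanners). alerts: hits on known Trojan ports, with
    'replied' set when the local host answered from that port (the server
    part responded, so the "link" the slides describe now exists).
    scanners: sources that probed more than one local host (the scan phase)."""
    events = list(parse_log(text))
    answered = {(e["src"], e["sport"]) for e in events if e["src"].startswith(local_net)}
    alerts, probed = [], defaultdict(set)
    for e in events:
        name = TROJAN_PORTS.get((e["proto"], e["dport"]))
        if name and e["dst"].startswith(local_net):
            alerts.append({"trojan": name, "source": e["src"], "target": e["dst"],
                           "blocked": e["action"] == "deny",
                           "replied": (e["dst"], e["dport"]) in answered})
            probed[e["src"]].add(e["dst"])
    scanners = {s: sorted(h) for s, h in probed.items() if len(h) > 1}
    return alerts, scanners
```

In the constructed log, 192.0.2.11 answers the probe from its Back Orifice port, which is the alert worth acting on first; the NetBus attempt was denied by the firewall and is only a probe.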
Other Forms of Malicious Codes
- Viruses
- Worms
- Logic Bombs
- Time Bombs
What is a virus?
- A virus is a type of malicious code that attaches itself to a file and then replicates in order to spread to other files.
- A virus is usually attached to an executable file so that it will spread rapidly.
- Viruses are restricted to personal computers.

Characteristics of a virus
- replication
- requires a host program
- activated by an external action
- replication limited to one system
Virus History

Viruses are increasing at a fast rate:
- 1986 – 1 known virus
- 1989 – 6 known viruses
- 1990 – 80 known viruses
- Today – between 10 and 15 new viruses discovered every day
- Between 1998 and 1999 the total virus count increased from 20,500 to 42,000.
Virus Examples
- "W32/Vote@MM" – spread via email with an attachment WTC.EXE. The email has the subject "Fwd:Peace BeTweeN AmeriCa And IsLaM !" and asks the recipient to vote on the war issue by opening the WTC.EXE attachment.
- "W97/Prilissa" – 10 Fortune 500 companies on three continents have been hit with this virus.

Worms
- A worm is a program that replicates itself and causes execution of new copies of itself.
- A worm enters an Internet host computer and mails itself to other hosts.
- The purpose of a worm attack is to fill storage space and slow down operations.

Characteristics of Worms
- replication
- must be self-contained; does not require a host
- needs a multi-tasking system
Examples of worms
- "I Love You" – aka LoveLetter or LoveBug, sends itself to everyone in the Microsoft Outlook address book.
- "W32/Navidad" – spread using Outlook email. Usually sent from a familiar source, including an attachment NAVIDAD.EXE. The virus affects the system tray and will attach itself to other messages.

"I Love You" Worm
1. The user opens the email attachment "LOVE-LETTER-FOR-YOU.TXT.VBS".
2. The virus scans for certain files, replaces the content of these files with virus code, and adds the extension .vbs to the end of the file names.
3. The virus sends itself to everyone in the Outlook address book.
4. Infected files cannot be retrieved and must be restored from a backup copy.
Difference Between Worms and Viruses
- A worm is similar to a virus but does not need to attach itself to an executable file to replicate itself.
- Also, unlike a virus, it attacks only multiuser systems.
Logic Bomb
- Logic bombs are malicious codes that cause some destructive activity when a specified condition is met.
- Unlike viruses, logic bombs do their damage right away, then stop.

What can trigger a logic bomb?
- The trigger can be a specific date
- The number of times the program is executed
- A random number
- Or a predefined event, such as the deletion of a certain record

Damage by Logic Bombs

The damage done by logic bombs can range from changing a random byte of data somewhere on the disk to making the entire disk unreadable.
Time Bomb
- A time bomb is a logic bomb, but unlike a logic bomb it may exist in the system for weeks or even months before it is detected.
- The damage is not caused until a specified date or until the system has been booted a certain number of times.

Examples of Time Bombs
- "Friday the 13th" – 1980s; it duplicated itself every Friday the 13th, caused system slowdown and corrupted all available disks.
- "Michelangelo" – 1990s; tried to damage hard disk directories.
- "Win32.Kriz.3862" – written in 1999; damage included overwriting of data on all data storage units.
Virus Prevention Tactics
- Install a virus scanner
- Update it often
- Program it to run automatically
- Examples of virus scanners include:
  • VirusScan
  • AntiVirus
  • F-Prot
- Do not run unknown programs from the Internet
- Don't open unknown mail attachments
- If an unknown mail attachment is received, delete it immediately
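The "don't open unknown mail attachments" advice above and the LoveLetter double-extension trick (".TXT.VBS") from the "I Love You" Worm slide, as an added example that is not part of the original slides: a screening routine that judges an attachment name before the user opens it and is run over the attachment names the slides mention (WTC.EXE, NAVIDAD.EXE, LOVE-LETTER-FOR-YOU.TXT.VBS, Picture.exe). The extension sets and the verdict labels are assumptions of this example.

```python
# Added example (not from the original slides): screen inbound mail attachment
# names before a user opens them, as a check behind the "don't open unknown
# attachments" advice. The extension sets are this example's assumptions.
import os

# Extensions Windows runs directly when the file is double-clicked.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
# Harmless-looking extensions commonly placed in front of the real one.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".htm", ".html"}


def split_extensions(filename):
    """All extensions of a name, lowercased, innermost first:
    'LOVE-LETTER-FOR-YOU.TXT.VBS' -> ['.txt', '.vbs']"""
    base, exts = os.path.basename(filename), []
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def classify_attachment(filename):
    """Return (verdict, reason): 'block' for names the mail client would run
    as code, 'warn' for documents that can carry macros, 'allow' otherwise."""
    exts = split_extensions(filename)
    if not exts:
        return "warn", "no extension; type cannot be judged from the name"
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        # A decoy extension before the real one is the LoveLetter disguise
        # (.TXT.VBS); name it explicitly so the user sees the trick.
        if len(exts) > 1 and exts[-2] in DECOY_EXTS:
            return "block", f"double extension {exts[-2]}{final} hides executable content"
        return "block", f"executable extension {final}"
    if final in {".doc", ".xls"}:
        return "warn", "office document may carry a macro virus"
    return "allow", f"extension {final} is not executable"


# Constructed sample: the attachment names mentioned on the slides plus two
# benign ones.
SAMPLE_NAMES = ["WTC.EXE", "NAVIDAD.EXE", "LOVE-LETTER-FOR-YOU.TXT.VBS",
                "Picture.exe", "report.pdf", "notes.txt"]


def screen_inbox(names=SAMPLE_NAMES):
    """Map each attachment name to its (verdict, reason)."""
    return {name: classify_attachment(name) for name in names}
```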
Virus Symptoms
- Virus scanner detects a virus
- Programs stop working as expected
- Computer crashes more frequently
- Unknown files appear
- Disk space gets smaller for no reason

What if a virus is detected?
- On a network system: contact the network administrator.
- On a personal computer:
  - Use the disinfect function of the virus detection software, so it can try to restore the program to its original state.
  - Erase the infected program and reinstall from the original disk after a virus scan confirms that no viruses have been found.
Conclusion

5 types of malicious codes:
- Trojan Horses – destructive codes hidden inside other programs
- Viruses and Worms – both replicate and attach themselves to files, but unlike viruses, worms attack multi-user systems
- Logic and Time Bombs – set off when a specified condition is met
Questions?