"Trojan Horses and Other Malicious Codes"
by Song Chung and Adrianna Leszczynska

Examples of Malicious Codes
- Trojan Horses
- Viruses
- Worms
- Logic Bombs - Time Bombs

What are Trojan horses?
Trojan Horses are a relatively new and probably the most dangerous strain of viruses to have appeared in recent times. They also threaten to overwhelm systems that rely only on anti-virus applications and firewalls as a means of combating the threat.

Trojan Horse History Brief
The name "Trojan Horse" comes from a page in Greek history, when the Greeks had laid siege to the fortified city of Troy for over ten years. Their spy, a Greek called Sinon, offered the Trojans a gift in the form of a wooden horse and convinced them that by accepting it they would become invincible.

History Brief (cont.)
The horse, though, was hollow and was occupied by a contingent of Greek soldiers. When they emerged in the dead of night and opened the city gates, the Greeks swarmed in, slaughtered its citizens and subsequently pillaged, burned and laid waste to the city.

In IT Environment
A Trojan Horse acts as a means of entering the victim's computer undetected and then allowing a remote user unrestricted access to any data stored on the user's hard disk drive whenever he or she goes online. In this way the user gets burned and, like the unfortunate citizens of Troy, may only discover that fact when it is too late.
Examples of Trojan Horses
- "Picture.exe"
- "RIDBO"
- "FIX2001"
- "AOL4FREE"

Origin of Trojan horses
These types of viruses were originally designed as a means of self-expression by gifted programmers and did little more than cause the system to lock up, behave abnormally in a specific way or perhaps cause loss of data on the user's machine.

Objectives of the Horse
- Allow a remote user a means of gaining access to a victim's machine without their knowledge
- Allow the intruder to do anything with the machine that the user can do
- Browse the user's hard drive in order to determine whether there is anything of value stored on it

Objectives (cont.)
- Things of value include valuable research papers, credit card details or passwords to restricted web sites
- If anything of value is found, the intruder can copy the data to his own hard drive in exactly the same way that the user can copy a file to a floppy disk
- Cause havoc on the system by deleting (system) files, erasing valuable data or ultimately destroying the hard drive

Can Passwords Provide Protection?
Passwords offer no protection at all, because today's Trojans are capable of recording the victim's keystrokes and then transmitting the information back to the intruder. Those passwords can subsequently be deciphered by the Trojan and even changed in order to prevent the user getting access to his own files!

How does a Trojan Affect Your Computer?
In order to gain access to a user's computer, the victim has to be induced to install the Trojan himself. The usual method is to offer a seemingly useful system enhancement or perhaps a free game that has the Trojan attached to it. By installing it, the user also installs the Trojan.

Common Sources
- Executing any files from suspicious or unknown sources
- Opening an email attachment from an unknown source
- Allowing a "friend" access to your computer while you are away
- Executing files received from any online activity client such as ICQ

Main Parts of a Trojan
Virtually every Trojan virus is comprised of two main parts:
- the "server"
- the "client"
It is the server part that infects a user's system.

What Problems can Trojans Cause?
The server part is the part of the program that infects a victim's computer. The client part is the one that allows a hacker to manipulate data on the infected machine. Let's suppose that you have already been infected. How do intruders attack and get full control of your computer?

Problems (cont.)
Intruders scan the Internet for an infected user (technically speaking, an attacker sends request packets to all users of a specific Internet provider) using the client part of the virus. Once an infected computer has been found (the server part of the virus located on the infected machine replies to the client part's request), the attacker connects to that user's computer and creates a "link" between the two, just like the one in an ordinary telephone conversation.

Problems (cont.)
Once that has happened (this procedure may take only a few seconds), the intruder will be able to get unrestricted access to the user's computer and can do anything he likes with it. The intruder becomes the master and the user the slave, because short of disconnecting from the Internet the user is helpless and has no means at his disposal to ward off an attack. Intruders can monitor, administer and perform any action on your machine just as if they were sitting right in front of it.

Analogy of a Trojan Horse
A Trojan Horse works a bit like the back door to your house. If you leave it unlocked, anybody can come in and take whatever they want while you're not looking. The main difference with a backdoor installed on your computer is that anybody can come in and steal your data, delete your files or format your hard drive even if you are looking. There are no visible outward signs that anything untoward is happening, other than perhaps unusual hard disk activity for no apparent reason.

How do you protect yourself from a Trojan Horse?
You can try manual deletion; however, it is both time-consuming and monotonous. In addition, the user can never be absolutely certain that he has covered every option. Even if he is successful in removing the Trojan from his system, he may unwittingly reinstall it with the very next command he enters.

How to Protect? (cont.)
There are many Trojan horse protection programs available for download which perform various tasks. One example is Tauscan, a universal Trojan Horse scanner that detects and removes practically every type of Trojan virus that may have infected your system. Another example is Jammer, a network analyser designed primarily to warn you if your system is under attack; it also has a secondary feature, which is to remove all known versions of Back Orifice and NetBus from your system if they are detected.

Other Forms of Malicious Codes
- Viruses
- Worms
- Logic Bombs
- Time Bombs

What is a virus?
A virus is a type of malicious code that attaches itself to a file and then replicates in order to spread to other files. A virus is usually attached to an executable file so that it will spread rapidly. Viruses are restricted to personal computers.

Characteristics of a virus
- replication requires a host program
- activated by an external action
- replication limited to one system

Virus History
Viruses are increasing at a fast rate:
- 1986 – 1 known virus
- 1989 – 6 known viruses
- 1990 – 80 known viruses
- Today – between 10 and 15 new viruses discovered every day
Between 1998 and 1999 the total virus count increased from 20,500 to 42,000.

Virus Examples
- "W32/Vote@MM" - spread via email with an attachment WTC.EXE. The email has the subject "Fwd:Peace BeTweeN AmeriCa And IsLaM !" and asks the recipient to vote on the war issue by opening the WTC.EXE attachment.
- "W97/Prilissa" - 10 Fortune 500 companies on three continents have been hit with this virus.

Worms
A worm is a program that replicates itself and causes execution of new copies of itself. A worm enters an Internet host computer and mails itself to other hosts. The purpose of a worm attack is to fill storage space and slow down operations.

Characteristics of Worms
- replication must be self-contained; does not require a host
- needs a multi-tasking system

Examples of worms
- "I Love You" – aka LoveLetter or LoveBug; sends itself to everyone in the Microsoft Outlook address book
- "W32/Navidad" - spread using Outlook email. Usually sent from a familiar source, with an attachment NAVIDAD.EXE. The virus affects the system tray and will attach itself to other messages.

"I Love You" Worm
1. The user opens the email attachment "LOVE-LETTER-FOR-YOU.TXT.VBS".
2. The virus scans for certain files, replaces the content of these files with virus code, and adds the extension .vbs to the end of the file names.
3. The virus sends itself to everyone in the Outlook address book.
4. Infected files cannot be retrieved and must be restored from a backup copy.
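As an added defensive example (not part of the original slides), a mail-gateway check that flags the attachment tricks described above: a deceptive double extension such as .TXT.VBS, an executable attachment, and the attachment names and subject line the slides quote. The extension lists, the function names and the sample messages are my own construction, not from any real product.

```python
# Added example (not from the original slides): mail-gateway attachment screening
# for the worm tricks the slides describe. Sample messages are constructed to
# mirror the named indicators (LOVE-LETTER-FOR-YOU.TXT.VBS, WTC.EXE, NAVIDAD.EXE).
import posixpath

# Extensions Windows will execute when the user double-clicks the attachment.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse", "wsf"}
# Document-looking extensions abused as the middle part of a double extension.
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "pdf", "htm", "html"}
# Indicators quoted on the slides; a real gateway would load these from a feed.
KNOWN_WORM_ATTACHMENTS = {"LOVE-LETTER-FOR-YOU.TXT.VBS", "WTC.EXE", "NAVIDAD.EXE"}
KNOWN_WORM_SUBJECTS = {"Fwd:Peace BeTweeN AmeriCa And IsLaM !"}

def classify_attachment(name):
    """Return the reasons an attachment name is suspicious (empty list = clean)."""
    reasons = []
    # Normalise away any path prefix so "C:\\stuff\\x.txt.vbs" is judged by its file name.
    base = posixpath.basename(name.replace("\\", "/"))
    if base.upper() in KNOWN_WORM_ATTACHMENTS:
        reasons.append("known worm attachment name")
    parts = base.lower().split(".")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable attachment (." + parts[-1] + ")")
        # Decoy document extension in front of the real one, as in the ILOVEYOU name.
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append("double extension ." + parts[-2] + "." + parts[-1])
    return reasons

def screen_message(msg):
    """Quarantine decision for one message {"subject": str, "attachments": [str]}."""
    findings = {}
    if msg.get("subject", "") in KNOWN_WORM_SUBJECTS:
        findings["subject"] = ["known worm subject line"]
    for att in msg.get("attachments", []):
        reasons = classify_attachment(att)
        if reasons:
            findings[att] = reasons
    return {"quarantine": bool(findings), "findings": findings}

# Constructed sample messages, not real captured mail.
SAMPLE_MESSAGES = [
    {"subject": "ILOVEYOU", "attachments": ["LOVE-LETTER-FOR-YOU.TXT.VBS"]},
    {"subject": "Fwd:Peace BeTweeN AmeriCa And IsLaM !", "attachments": ["WTC.EXE"]},
    {"subject": "Feliz Navidad", "attachments": ["navidad.exe"]},
    {"subject": "Q3 report", "attachments": ["report.pdf", "notes.txt"]},
]
```

Running screen_message over SAMPLE_MESSAGES quarantines the first three and passes the fourth; the double-extension rule also catches names the slides do not list, such as photo.jpg.scr.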
Difference Between Worms and Viruses
A worm is similar to a virus but does not need to attach itself to an executable file to replicate itself. Also, unlike a virus, it attacks only multiuser systems.

Logic Bomb
Logic bombs are malicious codes that cause some destructive activity when a specified condition is met. Unlike viruses, logic bombs do their damage right away, then stop.

What can trigger a logic bomb?
- A specific date
- The number of times the program is executed
- A random number
- A predefined event such as the deletion of a certain record

Damage by Logic Bombs
The damage done by logic bombs can range from changing a random byte of data somewhere on the disk to making the entire disk unreadable.

Time Bomb
A time bomb is a logic bomb, but unlike a logic bomb it may exist in the system for weeks or even months before it is detected. The damage is not caused until a specified date or until the system has been booted a certain number of times.

Examples of Time Bombs
- "Friday the 13th" - 1980s; it duplicated itself every Friday the 13th, caused system slowdown and corrupted all available disks
- "Michelangelo" - 1990s; tried to damage hard disk directories
- "Win32.Kriz.3862" - written in 1999; damage included overwriting of data on all data storage units

Virus Prevention Tactics
- Install a virus scanner
- Update it often
- Program it to run automatically
Examples of virus scanners include:
- VirusScan
- AntiVirus
- F-Prot

Virus Prevention Tactics (cont.)
- Do not run unknown programs from the Internet
- Don't open unknown mail attachments
- If an unknown mail attachment is received, delete it immediately

Virus Symptoms
- Virus scanner detects a virus
- Programs stop working as expected
- Computer crashes more frequently
- Unknown files appear
- Disk space gets smaller for no reason

What if a virus is detected?
On a network system:
- contact the network administrator
On a personal computer:
- Use the disinfect function of the virus detection software, so it can try to restore the program to its original state
- Erase the infected program and reinstall from the original disk after the virus scan confirms that no viruses have been found

Conclusion
5 types of malicious codes:
- Trojan Horses: destructive codes hidden inside other programs
- Viruses and Worms: both replicate and attach themselves to files, but unlike viruses, worms attack multi-user systems
- Logic Bombs and Time Bombs: set off when a specified condition is met

Questions?