Trojan programs.
A Trojan is any program that secretly performs actions unwanted by the user. These actions can take any form — from determining the registration numbers of software installed on the computer to compiling a list of the directories on its hard drive. A Trojan can disguise itself as a text editor, a network utility, or any other program that the user wishes to install on his computer.
What causes irreparable harm in some circumstances can be quite useful in others. Thus, a program that formats a hard drive cannot be called a Trojan if formatting is its stated purpose (the format command of Microsoft's DOS operating system). But if the user runs a program without expecting it to format his hard drive, then it is a real Trojan.
Where do Trojans come from?
The main task of most Trojans is to perform actions that allow access to data that is not subject to public disclosure (user passwords, program registration numbers, bank account information, etc.). In addition, Trojans can cause direct damage to a computer system by rendering it inoperable.
The authors of such programs are usually teenagers who, although possessed by a passion for destruction, have no deep knowledge of programming; therefore the Trojans they create cannot cause significant damage to computer systems. For example, the AOLGOLD Trojan (described below) erased itself from the hard drive when launched from any disk partition other than the one named C.
A much greater threat is posed by Trojans included in common computer applications, utilities and operating systems. Such programs are discovered purely by chance. The software of which they are a part is, in most cases, used not only by a single company that purchased this software, but is also installed on large government and educational Internet servers, distributed via the Internet, and therefore the consequences can be most disastrous.
It also happens that some utilities are compromised by programmers who have nothing to do with their development. For example, after the SATAN network analyzer was created, a Trojan located in the fping utility somehow got into its distribution intended for installation on computers running the Unix operating system. The very first run of the modified fping utility added an entry to the /etc/passwd file for a user named suser, who could then log into Unix and secretly obtain administrator rights. However, the creator of the Trojan did not allow for the possibility of password «shadowing» in UNIX family systems (in this case, placeholder characters such as asterisks are written to the /etc/passwd file instead of the encrypted user passwords, and the password information itself is kept elsewhere, in a file that cannot be read by conventional means).
As a result, only two computers were compromised, on which this «corrupted» distribution of the SATAN network analyzer for Linux was installed (these computers did not use «password shadowing»).
A Trojan program (Trojan, Trojan horse) is:
• a program that, being part of another program with functions known to the user, is capable of secretly performing certain additional actions with the aim of causing him certain damage;
• a program with functions known to its user, which has been modified so that, in addition to these functions, it can secretly perform certain other actions with the aim of causing him certain damage;
• a program that, in addition to useful and necessary functions, secretly performs certain other actions with the aim of causing him certain damage.
Where do Trojan programs live and how often are they encountered?
Currently, Trojan programs are written for all operating systems without exception and for any platform. The method of distribution is the same as that of computer viruses. Therefore, the most suspicious for the presence of Trojans in them, first of all, are free and shareware programs downloaded from the Internet, as well as software distributed on pirated CDs.
There are currently a number of Trojan programs that can be freely downloaded by connecting to the global computer network, the Internet. The most famous of these are the Back Orifice, NetBus and SubSeven Trojans (Fig. 1-2). On the Web site of the Back Orifice development group, which calls itself «Cult of the Dead Cow», you can even find a dozen posters intended to advertise its latest development, the Back Orifice 2000 Trojan.
Fig. 1. General view of the Back Orifice 2000 Trojan program
Fig. 2. General view of the SubSeven Trojan program
Thus, Trojan programs are quite common and therefore pose a serious threat to the security of computer systems. Most Trojans are part of other programs that are stored on the computer in compiled form. The text of these programs is not intended for human perception: it is a sequence of machine language commands consisting of zeros and ones. The average user, as a rule, has no idea about the internal structure of such programs. He simply launches them by typing the name of the corresponding program on the command line or by double-clicking the «mouse» with its pointer on the program.
When it is discovered that a compiled program has been infected with a Trojan, bulletins with information about the detected Trojan immediately begin to spread on the Internet. Most often, these bulletins briefly report on the damage that the Trojan program can cause and where to find a replacement for the program infected with the Trojan.
Sometimes it is quite easy to estimate the damage that a Trojan can cause. For example, if it is designed to send the contents of the /etc/passwd file via e-mail, in which UNIX operating systems store information about user passwords, it is enough to install a «clean» version of the program instead of the one in which this Trojan has made its nest. Then users will have to update their passwords, and this successfully completes the fight against it.
However, it is not always so easy to determine the extent to which a computer system in which a Trojan has taken up residence has been compromised. Let us assume that the purpose of introducing the Trojan is to create a hole in the computer system's defense mechanisms through which an intruder can, for example, penetrate it with administrator privileges. If the hacker is cunning and resourceful enough to cover up the traces of his presence in the system by making appropriate changes to the log files, then it will be almost impossible to determine the depth of his penetration.
The PC CYBORG Trojan lured unsuspecting users with promises of up-to-date information on how to combat the virus that causes acquired immunodeficiency syndrome (AIDS). Once inside a computer system, PC CYBORG counted down 90 reboots of that system, then hid all directories on its hard drive and encrypted the files there.
The AOLGOLD program was sent via e-mail as a zipped file. The cover letter stated that AOLGOLD was designed to improve the quality of the services provided to its users by the largest American Internet provider, America Online (AOL). The archive consisted of two files, one of which was called INSTALL.BAT. A computer user who launched INSTALL.BAT risked erasing all files from the C:\, C:\DOS, C:\WINDOWS and C:\WINDOWS\SYSTEM directories on his or her hard drive.
It should also be taken into account that a Trojan program may not be detected until several months after its introduction into the computer system. In this case, it may be necessary to completely reinstall the operating system and all its applications.
How to recognize a Trojan program
Most software designed to protect against Trojans uses, to varying degrees, so-called object matching. In this case, the objects are files and directories, and matching is a way to answer the question: «Have the files and directories changed since the last scan?» During matching, the characteristics of objects are compared with the characteristics they had some time ago. For example, an archive copy of a system file is taken and its attributes are compared with the attributes of this file, which is currently on the hard drive. If the attributes differ and no changes have been made to the operating system, then the computer has most likely been infected with a Trojan.
One of the attributes of any file is its last modification time stamp: every time a file is opened, modified, and saved to disk, this time stamp is automatically updated accordingly. However, the time stamp cannot serve as a reliable indicator of the presence of a Trojan in the system. The fact is that it is very easy to manipulate. You can reset the system clock, make changes to the file, then reset the clock to its original state, and the file modification time stamp will remain unchanged.
Maybe the situation is different with file size? Not at all. Often a text file that initially occupied, say, 8 kilobytes of disk space, has the same size after editing and saving. Binary files obtained as a result of compiling programs behave somewhat differently. It is quite difficult to insert a fragment of your own code into someone else's program so that it does not lose its functionality and retains its size in compiled form. Therefore, file size is a more reliable indicator than the time stamp of the last changes made to it.
An attacker who decides to launch a Trojan into a computer usually tries to make it part of a system file. Such files are part of the operating system distribution and their presence on any computer where this operating system is installed does not arouse any suspicion in the user. However, any system file has a very specific length. If this attribute is changed in any way, this will alarm the user.
Knowing this, the attacker will try to get the source code of the corresponding program and carefully analyze it for redundant elements that can be removed without any noticeable damage. Then, in place of the redundant elements found, the attacker will insert his Trojan into the program and recompile it. If the size of the resulting binary file is smaller or larger than the original, the procedure is repeated, and so on until a file is obtained whose size is closest to the original (if the original file is large enough, this process can take several days).
So, in the fight against Trojans, you cannot rely on the time stamp of the last file modification and its size, since an intruder can easily forge them. More reliable in this regard is the so-called file checksum. To calculate it, the file elements are summed up in some way, and the resulting number is declared its checksum. For example, in the SunOS operating system there is a special utility sum, which outputs to the standard output device STDOUT the checksum of the files listed in the argument line of this utility.
However, in general, it turns out that the checksum is not so difficult to forge. Therefore, to check the integrity of the computer file system, a special type of checksum algorithm called one-way hashing is used.
A hashing function is called one-way if the problem of finding two arguments for which its values are the same is intractable. It follows that a one-way hashing function can be used to track changes made by an intruder to a computer's file system, since an attempt by an intruder to change a file so that the value obtained by one-way hashing of that file remains unchanged is doomed to failure.
Historically, most utilities that help combat the penetration of Trojans into a computer system by means of one-way file hashing were created for UNIX operating systems. Among such utilities, one of the most convenient to use and effective is TripWire, which can be found on the Internet at http://tripwiresecurity/. TripWire allows one-way file hashing using several algorithms, including MD4, MD5, Snefru and SHA. The calculated file hash values are stored in a special database, which is, in principle, the most vulnerable link when using TripWire. Therefore, TripWire users are advised to take additional security measures to prevent intruders from accessing this database (for example, by placing it on a read-only removable medium).
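The object matching described above, implemented as an added example (not from the article and not TripWire's own code): a baseline of size, modification time and SHA-256 digest is recorded for every file under a directory and compared later. The constructed scenario alters a placeholder file named bin/fping (the name only echoes the SATAN story) while keeping its size and restoring its old time stamp, so only the one-way hash reveals the change.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def file_digest(path):
    """One-way hash (SHA-256) of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Record size, mtime and digest of every regular file under root."""
    baseline = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "size": st.st_size, "mtime_ns": st.st_mtime_ns,
                "sha256": file_digest(p)}
    return baseline

def compare(baseline, current):
    """Return {relpath: [what changed]} for every file that differs."""
    report = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            report[rel] = ["removed"]
        elif rel not in baseline:
            report[rel] = ["added"]
        else:
            diff = [a for a in ("size", "mtime_ns", "sha256")
                    if baseline[rel][a] != current[rel][a]]
            if diff:
                report[rel] = diff
    return report

def demo():
    # Constructed scenario: a fake binary is altered, same length, old mtime restored.
    with tempfile.TemporaryDirectory() as root:
        target = Path(root) / "bin" / "fping"   # hypothetical file name
        target.parent.mkdir()
        target.write_bytes(b"\x7fELF original code" + b"\x00" * 13)
        st = target.stat()
        baseline = build_baseline(root)
        target.write_bytes(b"\x7fELF trojaned code" + b"\x00" * 13)
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        return compare(baseline, build_baseline(root))
```

Running demo() reports only the sha256 attribute as changed for bin/fping: size and time stamp match the baseline exactly, as the article says an attacker can arrange.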
Attention! Even after a Trojan is detected, its harmful effects on a computer system can be felt for a very long time. Often, no one can say for sure how much the computer system has been compromised by the presence of a Trojan.
As for the Windows family of operating systems (95/98/NT), it so happens that the means of combating Trojans in them are traditionally part of the antivirus software. Therefore, in order to catch Back Orifice, NetBus, SubSeven and other similar Trojan programs, you need to get the most up-to-date antivirus (for example, Norton Antivirus 2000 from Symantec) and regularly check your computer for viruses (see Fig. 3 — the Norton Antivirus 2000 antivirus program allows you to detect the presence of the most common Trojans in your computer system and get rid of them).
Those who want a utility designed specifically for catching Trojans on computers running Windows operating systems can use The Cleaner program from MooSoft Development (http://homestead.com/moosoft/cleaner.html). This utility is specially «tailored» to combat more than four dozen varieties of Trojan programs (see Fig. 4 — the main working window of The Cleaner program).
The panorama of anti-Trojan programs would be quite incomplete if we did not mention the software packages that have recently appeared on the market and are designed to provide comprehensive protection against the threats that desktop users encounter when working on the Internet. One such package is eSafe Protect by Aladdin Knowledge Systems (a demo version of eSafe Protect can be found on the Internet at esafe.com).
Functionally, eSafe Protect is divided into three components — antivirus, personal firewall and computer resource protection module (see Fig. 5 — the working window of the eSafe Protect software package, through which the configuration settings of the components included in eSafe Protect are accessed, the antivirus is launched and the level of protection of the computer system is set).
The antivirus rids your computer of malicious programs using the ViruSafe antivirus module, certified by the American National Computer Security Agency. The personal firewall controls all incoming and outgoing traffic via the TCP/IP protocol, granting certain rights to the IP addresses used (for example, limiting access to the Internet at certain hours or prohibiting visits to certain Web sites).
January 1999. The popular utility TCP Wrapper, designed for administering UNIX systems and distributed free of charge via the Internet, was replaced on many ftp sites by a program that looked similar to it — a Trojan horse. After installation, the Trojan sent an e-mail to certain external addresses, notifying its owner of the successful implementation. Then it waited until a remote connection was established to port 421 of the computer it had infected, and granted privileged access rights through this port.
Another Trojan program was distributed among AOL users as an attachment to a letter sent by e-mail. Those who opened this attachment infected their computer with a Trojan, which tried to find the password for connecting to AOL and, if successful, encrypted it and then sent it by e-mail to an address somewhere in China.
To protect computer resources, a special isolated area, the so-called sandbox, is created on the computer on which the eSafe Protect software package is installed. All Java applets and ActiveX components automatically downloaded from the Internet are first placed in the sandbox, where they are under the constant supervision of eSafe Protect. And if a program that has ended up in the sandbox tries to perform any unauthorized action, it will be immediately blocked. During a specified period of time (from 1 to 30 days), each application downloaded to the computer from the Internet undergoes a quarantine check in the sandbox. The information obtained during this check is recorded in a special log. After the quarantine expires, the application will run outside the «sandbox», but it will only be allowed to perform those actions, the list of which is determined on the basis of the available log entries.
Thus, compared to other similar software packages, eSafe Protect provides the most advanced and effective means of comprehensive protection against Trojan programs. The antivirus included in eSafe Protect helps to quickly identify Trojans and deal with them, using technologies that have proven themselves in the fight against viruses. A personal firewall completely blocks any attempts from the outside to contact Trojan programs that have penetrated the computer system. And finally, with the help of the «sandbox», the introduction of Trojans into computers under the guise of Java applets and ActiveX components is promptly prevented.