
The Trojan Horse Defence

For the uninitiated, a Trojan horse or 'Trojan' is a malicious computer program that is disguised as legitimate software. In contrast to other types of malicious software, like viruses or worms, Trojan horse programs don't replicate themselves. A Trojan horse can be deliberately attached to otherwise useful software by a programmer, or it can be spread by deceiving users into believing that it is actually a useful program. For all the hype that surrounds the term, a Trojan is simply a delivery mechanism. It contains a payload to be delivered, which could be almost anything, e.g. spyware, adware, or a program designed to create a hidden 'back door' (an entry point for a malicious user). Additional nasties such as keystroke loggers, packet generation tools (for denial-of-service attacks) and sniffers (eavesdropping software) may form part of the payload. Typical victims are PCs on broadband running unpatched versions of Microsoft Windows and Outlook. Some back doors are installed so that spammers can send junk email or launch Denial of Service attacks from the machines in question.

Trojan making

So Trojans are delivery vehicles for some form of payload. But how are they made? Which tools are available to do this? Many Trojans are created by Trojan-making 'kits', which are often referred to as wrappers because they 'wrap' the functionality of malicious software into other carrier software. The final innocent-looking package is then distributed through whatever means the malicious software ('malware') author deems appropriate, be it to a mass audience, to targeted groups or direct to individuals. Typical distribution mechanisms are:

Trojan creation kits are widely available. Traditionally, we saw tools that would allow an attacker to take their own preconfigured backdoor and then wrap it with an executable of their (see Figure 1):

Figure 1: The process of binding a backdoor to a game

Changing shape, Anti-Virus & personal killers

The terms "packer" and "compressor" are often used interchangeably to describe utilities that essentially change the structure of a file by drawing out or compressing unnecessary space within it. Simple examples of this are archive compression utilities such as WinZip. There are tools available designed to shut down or disable the protection afforded by traditional Anti-Virus and personal firewall software on a victim machine. They exist in several forms, including standalone AV killers, standalone firewall killers, or combination tools that address both at once. We now see all-in-one kits (name obscured, Figure 2) which build the overall Trojan, configure an integral backdoor and have features such as AV killing:
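Because a packer compresses or encrypts the carrier file's contents, its bytes look statistically random, and a forensic examiner or AV engineer can use that to flag a 'changed shape' file before any signature matching. The following is an added example, not code from the article or from any tool it mentions: it computes a per-window Shannon entropy profile over constructed byte strings; the window size, 7.2-bit threshold and 50% fraction are assumed tuning values.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, chunk_size: int = 1024) -> list:
    """Entropy of each fixed-size window; packed or encrypted regions sit near 8."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]

def looks_packed(data: bytes, chunk_size: int = 1024,
                 threshold: float = 7.2, min_fraction: float = 0.5) -> bool:
    """Flag the file when at least min_fraction of its windows exceed threshold.
    Threshold and fraction are assumed tuning values, not taken from the article."""
    profile = entropy_profile(data, chunk_size)
    if not profile:
        return False
    high = sum(1 for e in profile if e >= threshold)
    return high / len(profile) >= min_fraction

# Constructed samples (not real binaries):
# an "unpacked" file made of readable strings plus zero padding ...
PLAIN_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 50 + b"\x00" * 2048
# ... and a "packed" file simulated with seeded pseudo-random bytes, which is
# what a compressed or encrypted payload looks like to an entropy scan.
_rng = random.Random(1234)
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        prof = entropy_profile(sample)
        print(f"{name}: max window entropy {max(prof):.2f}, "
              f"packed={looks_packed(sample)}")
```

A high entropy score is a triage signal, not proof: legitimate installers and media files compress their contents too, so the examiner still has to unpack and inspect what the carrier actually delivers.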
Criminal Intentions

Criminal applications of Trojans and their payloads are many. At the time of writing this article, Spanish police had just detained a 37-year-old man they suspect of writing and distributing a Trojan horse across peer-to-peer networks. The Trojan allowed the man to steal confidential banking information from his victims and spy on people through their webcams. Often it is the accused who will claim that criminal evidence found on their hard drive must have been due to Trojan horse activity. This has become known in legal circles as the 'Trojan defence'. "The acquittal of a teenager accused of carrying out a high-profile hack attack has cast doubts over future computer crime prosecutions, say experts." The Trojan defence places a lot of pressure on the prosecution, which in turn places pressure on computer forensic investigators to prove, beyond all reasonable doubt, that the accused is responsible for the evidence located on the computer. Mark Rasch comments in his article, "The Giant Wooden Horse Did It!", that this defence is all the more frightening because it could be true. He asks "…if you were a hacker, would you want to store your contraband files on your own machine, or, like the cuckoo, would you keep your eggs in another bird's nest?" Storing files on other systems has long been a tactic for attackers. 'Warez Dudez' store their illegal software on high-speed servers, and hackers may store their tools on compromised systems or other publicly accessible servers. Rasch further points out, "In late December 2003, companies around the world began to report a new kind of cyber-attack that had been apparently going on for about a year. Cyber extortionists (reportedly from Eastern Europe) threatened to "plant" child pornography on their computers and then call the cops if they didn't agree to pay a small fee. Unless the recipient pays a nominal amount ($30), the hacker claims he will either wipe the hard drive or plant child porn. The possibility of Trojans and the relative ease with which they could be used to promulgate just such an attack made the threats credible." For those of us in the fields of Information Security and Forensic Investigation, the challenges continue to grow more complex.

Alan Phillips, 7Safe Information Security