Name: Lorenzo Figueroa Jr.

Date: 2 May, 2002

Word Count: 2915

Trojan Horses

Trojan Horse. The words Trojan horse evoke Homer's story of how the Greeks defeated the city of Troy. After years of war, the Greeks resorted to deception. They left behind a large wooden horse whose hollow belly was filled with armed men. The citizens of Troy brought the horse inside their city walls and celebrated after the Greek army sailed away. During the night, however, the Greek soldiers within the horse emerged. They killed the gate guards and opened the city gates to the Greek army, which by this time had returned. So the people of Troy were themselves responsible for their own defeat and destruction.

In the computing world, Trojan Horse denotes a type of malicious software. In the next few pages I will define Trojan Horses, explain some of their effects and how they spread, and use examples to further illustrate those effects and means of distribution. I will also give some helpful ideas on avoiding becoming a victim of Trojan Horses. Lastly, an executive summary highlights some of the important points.

These two words were used by Dan Edwards, of the National Security Agency, around 1972 to describe a new type of security violation. He applied the term Trojan Horse to apparently benign macro or utility programs with undocumented side effects that have the capacity to violate security or be destructive. He named these programs Trojan Horses because they need to be explicitly run by an unwitting user in order to perform their hidden side effects.[1] As a metaphor, the Greek war comparison works exceedingly well. It captures the deceptive nature of the programs and the resulting consequences of hidden elements within a program that work against the purposes of its owner.[2]

Since then, a Trojan horse has been defined as any malicious logic that is disguised as something innocent, such as a screen saver, game, or utility program.[3] A Trojan horse differs from a virus (another form of malicious logic) in that the Trojan horse does not spread itself; it must be accepted and executed by the user before it causes damage.[4] David Kroll of Finjan Software, a firm that develops security applications, calls Trojans the "silent killer". Trojan programs do not e-mail hundreds of copies of themselves, nor do they necessarily interfere with a computer's performance. Additionally, antiviral programs do not always catch them; therefore, there are probably many infected users who have no idea their computers are harboring Trojan horses.[5]

Trojan horses can be crude affairs. It takes much less technical skill to put together a program that simply runs FORMAT than it does to create a complex polymorphic stealth virus. To create a Trojan program, all you need is a little knowledge of any programming language and the desire to violate another person's property.[6] Trojan Horses can be written in any programming, macro, or scripting language and for any computer system in use.

Trojan horses can do anything that the owner or user can do. This includes deleting files; transmitting files to the intruder; installing other programs, such as viruses, worms and other Trojan Horses; and executing attacks to increase the intruder's privileges. If the intruder can gain administrative privileges and access to the operating system, then he or the Trojan Horse can do anything that the system administrator can do.[7]

Trojan Horses commonly spread through downloads from bulletin boards or web sites, as file attachments to e-mail, and through Internet chat rooms, instant messaging, and copies of pirated software.[6] Other ways of installing Trojan Horses include tricking users or system administrators into installing or running them, distributing altered copies of legitimate software, tricking users into connecting to an attacker's site by exploiting the Domain Name System, malicious software toolkits, Trojan Horse compiler programs, and web content such as Java applets, JavaScript, and ActiveX controls.[7]

Once up and running, Trojan Horses begin their work. Their effects range from a minor joke to the destruction of computer or network systems and their hardware. Some are harmless but annoying, created to meet a challenge rather than to steal secrets;[9] common ones aim at stealing passwords from a victim's computer and then e-mailing them to an anonymous recipient.[10] Others monitor, control, damage, or steal company data. A Trojan horse may not cause any visible damage at all, instead sifting through your files, disabling virus-checking software, or even using your computer to conduct a distributed denial of service attack against a web server.[11]

Attackers have even used Trojans to spy on the users of infected machines through their webcams and to listen to conversations picked up by the microphone, spying on business associates or stalking ex-lovers. Additionally, Trojan Horses have been used to siphon funds out of electronic bank accounts.[5]

Web applications themselves experience attacks. These start with denial of service (DoS) attacks and attacks focused on changing Web page content or stealing sensitive corporate or user information entered through Web usage. Parameter tampering involves manipulating URL (Uniform Resource Locator) strings to retrieve information not normally available to the user. Malicious users can manipulate the SQL (Structured Query Language) code to potentially retrieve a listing of all users, passwords, credit card numbers, or other data stored within a database. Cookie poisoning is the modification of the data stored in a cookie. This includes changing user values (poisoning), accessing user information, and outright stealing cookies to use them for authentication. Input checking attacks involve running system commands by manipulating input in HTML (Hypertext Markup Language) forms processed by CGI (Common Gateway Interface) scripts, for example mailing the password file or deleting files on the system. A buffer overflow is a classic attack in which more data is received than the buffer can hold, so the excess overflows onto the stack and the attacker's code is then executed. Direct access browsing is directly accessing a Web page that normally requires authentication. Web applications that aren't properly configured allow a malicious user to directly access pages that could contain sensitive information, or to avoid paying a fee for viewing.[12]
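The SQL manipulation and cookie poisoning attacks named above, shown as an added example that is not part of the original essay or its sources: a form value spliced into the SQL text beside the parameterized query that neutralizes it, and an HMAC-signed cookie whose alteration is detected. The user table, names and signing key are constructed for the example.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample table standing in for a web application's user store.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test"),
                ("carol", "carol@example.test")]
COOKIE_KEY = b"constructed-demo-key-not-for-production"


def make_db():
    """Build an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the form value is spliced into the SQL text, so a crafted
    value changes the meaning of the query (the 'SQL manipulation' above)."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: a bound parameter is always treated as data, never as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def sign_cookie(value):
    """Attach an HMAC tag so a cookie whose data was altered can be detected."""
    tag = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value + "|" + tag


def verify_cookie(cookie):
    """Return the cookie's value if its tag is intact, or None if it was poisoned."""
    value, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    db = make_db()
    probe = "nobody' OR '1'='1"          # a tampered form value
    print(len(lookup_unsafe(db, probe)))  # 3: every user leaks
    print(len(lookup_safe(db, probe)))    # 0: nobody is literally named that
    good = sign_cookie("user=bob;role=member")
    print(verify_cookie(good))            # user=bob;role=member
    print(verify_cookie(good.replace("member", "admin")))  # None
```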

The best way to further illustrate the range of effects of Trojan Horses is through a short synopsis of some Trojan Horses themselves. An example of a harmless but annoying Trojan Horse is the "cookie monster". It announced its presence with a simple "I want a cookie". Merely typing the word cookie satisfied the program and made it disappear as if nothing had happened. If the user ignored the request, the monster seemed to go away, but it returned a few minutes later with "I'm hungry, I really want a cookie!". If the user continued to ignore it, the monster appeared more and more frequently with increasingly insistent demands, until finally it issued its most serious threat: "I'll remove some of your files if you don't give me a cookie!". Eventually the user was forced to give the monster a cookie in order to continue working.[9]

The util-linux Trojan Horse was placed in the file util-linux-2.9g.tar.gz between January 22 and January 24 of 1999. This Trojan Horse version of the utility set included a modified login program. The modifications included code to send an e-mail containing the host name and user ID of users to an intruder. The code also gave anyone with access to a login prompt the capability of executing commands based on their input at the login prompt.[7]

An e-mail message claiming to be a free upgrade to the Microsoft Internet Explorer web browser was widely distributed. The message contained an attached executable program called "ie0199.exe". After installation, this program made several modifications to the system and then attempted to contact other remote systems. Apparently there were multiple versions of the Trojan Horse, which would explain the variety of symptoms and effects. One version even included a message claiming to be from Microsoft Corporation, providing the upgrade to fix existing bugs in the browser.[7]

One of the earliest Trojan Horses was a file claiming to be version 3.00 of the popular PKZip software. This Trojan Horse circulated in both .exe and .zip file formats. If you ran this program, your hard drive was trashed within ten seconds.[6]

ChinaTalk is a program that claims to be a female-voiced MacinTalk sound driver. This Trojan Horse would supposedly give the Macintosh speech synthesizer a gender change. Its true effect was the erasure of directories from the hard drive. Another Macintosh example is the NVP Trojan Horse. This program is sometimes named New Look, after a legitimate program that lets users customize their screen display. It altered System 7, the Macintosh operating system, so that after a restart the user could not type vowels.[6]

America On-Line (AOL) was attacked in 1999. A Trojan Horse named "Picture.Exe" arrived via an unsolicited e-mail message to AOL users. If the attachment was executed, the program gathered up the user's identification and password, every e-mail address from all stored e-mail, and a history of every web site visited by the user. All the gathered information was then e-mailed to one of eight sites in China.[2]

An example of a Trojan Horse distributed on diskettes is the Aids Trojan. Over 20,000 diskettes were mailed worldwide from London in December 1989. These disks were labeled "Aids Introductory Information Diskette" and offered information on the human AIDS virus. When installed, a license agreement was displayed and invoices were printed for either $189 or $378. Users were instructed to send the money to a fictitious PC Cyborg corporation in Panama, or else their computer would become unusable. This was no empty threat; the Trojan Horse caused the computer to become inoperable after a random number of power-ups.[1]

The so-called "Love Bug" Trojan virus appeared in May 2000. If this Trojan Horse was opened, it created a wide range of problems. It sent itself to everybody in the user's e-mail address book or IRC channel, erased or modified files, and downloaded other Trojan Horse programs for stealing passwords.[4]

Later, on September 15, the Subseven 2.1 server Trojan Horse was released. This program is a remote-control program that allows an attacker to use the Subseven client to connect to the server and run just about any command on the user's computer. This Trojan Horse contains just about everything a malicious user could wish for. Two of its most dangerous features are the port redirector and the port scanner. The port redirector allows the remote attacker to target any system by redirecting ports of the affected system to a new target. This gives the malicious individual the ability to use the user's virtual private network client software. The port scanner feature allows the attacker to turn the infected computer into his personal scanning system for accessing the corporate LAN. With these two features, the attacks appear to originate from within the system or from a trusted employee.[13]

A Trojan Horse that uses ActiveX is Offensive, named for the offensive references it places in the Windows registry. This Trojan Horse can arrive via e-mail as a link to a Web page ending in .html. When opened, the Web page displays a "Start" button. When the button is pressed, Offensive severely damages the Windows operating system: no icons are visible on the desktop, no programs will execute, Windows cannot be shut down, and the effects persist even in Safe Mode.[14]

As I mentioned earlier, Trojan Horses can be used to attack any operating system. With the extensive use of Palm OS on personal digital assistants (PDAs), someone has now created a Trojan Horse for it. The first one is "Liberty Crack 2". Liberty is a popular application that emulates Nintendo Game Boy games on the Palm Pilot. Liberty Crack 2 masquerades as an illegal, yet free, version of the Liberty application. When run, the Trojan Horse attempts to delete all of the programs stored on the PDA and then reboots the device.[15]

As you can tell from the examples, there is apparently no computer system that has not experienced some sort of Trojan Horse attack. As new systems and computer applications come into use, so do attacks upon them. The only sure way to completely prevent falling prey to such an attack is not to have a computer system at all, or to avoid all software not written and installed by yourself and to have no interaction with other networks. Barring that, there are only preventive measures that you can use.

Preventive actions begin with being certain of both the source and content of each file you download. You shouldn't blindly download from people or sites that you aren't completely sure about. Also unhide file extensions and never use features that automatically fetch or preview files. Additionally, never type commands that others tell you to type or run programs or scripts they send you, and avoid downloading executable programs just to check them out.[3]

Further precautions or rules to follow are: don't execute anything sent by unsolicited e-mail; use caution when executing Java applets, JavaScript, or ActiveX controls from web pages; and use firewall and virus-scanning products that include scanning for known Trojan Horses. System administrators should verify that every piece of software installed comes from a trusted source and arrived unmodified, apply the principle of least privilege in daily activities, and review the source code of any open source products.[7] Additionally, administrators should test new software on safely isolated computers and keep several generations of backups.[9]

Even home users need to have firewalls. Everyone should stay current with all vendor security patches for all installed software, from office applications to firewalls. To further reduce risk, home users with DSL or cable connections should turn them off when not actively in use.[5,12] Possibly the single most important thing you can do to avoid becoming a victim of Trojan Horses is to educate yourself about them.
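To show what "unhide file extensions" and "don't execute anything sent by unsolicited e-mail" look like as an automated check, here is an added example that is not part of the original essay or its sources. It parses a constructed e-mail modelled on the ie0199.exe lure described above and flags attachments whose names end in an executable extension or hide one behind a decoy extension; the extension lists and the sample message are assumptions made for the example.

```python
import email
from email import policy

# Extensions Windows runs on double-click: an assumed starting list for the
# example, not an exhaustive one; extend it for the platforms you support.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js", "hta"}
# Extensions a lure pretends to be; with extensions hidden, "holiday.jpg.scr"
# is displayed to the user as "holiday.jpg".
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "txt", "doc", "pdf", "htm", "html"}


def classify_attachment(filename):
    """Return (verdict, reason) for one attachment name, case-insensitively."""
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return "suspicious", "no file extension at all"
    ext = parts[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        if len(parts) > 2 and parts[-2] in DECOY_EXTENSIONS:
            return "block", f"decoy .{parts[-2]} masking executable .{ext}"
        return "block", f"executable attachment .{ext}"
    return "allow", f"non-executable .{ext}"


def scan_message(raw_bytes):
    """Parse a raw e-mail and classify every attachment it carries."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [(part.get_filename() or "(unnamed)",
             *classify_attachment(part.get_filename() or ""))
            for part in msg.iter_attachments()]


# Constructed sample message modelled on the "free IE upgrade" lure above; the
# addresses and attachment contents are invented for this example.
SAMPLE_MESSAGE = b"""\
From: upgrades@example.invalid
Subject: Free Internet Explorer upgrade
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="ie0199.exe"
Content-Disposition: attachment; filename="ie0199.exe"

placeholder bytes
--b1
Content-Type: image/jpeg; name="holiday.jpg.scr"
Content-Disposition: attachment; filename="holiday.jpg.scr"

placeholder bytes
--b1
Content-Type: text/plain; name="readme.txt"
Content-Disposition: attachment; filename="readme.txt"

harmless notes
--b1--
"""

if __name__ == "__main__":
    for name, verdict, reason in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:10} {name:18} {reason}")
```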

Executive Summary

Trojan Horse was the term used by Dan Edwards, working at the National Security Agency, around 1972 to describe apparently benign macro or utility programs with undocumented side effects that have the capacity to violate security or be destructive. He named these programs Trojan Horses because they need to be explicitly run by an unwitting user in order to perform their hidden side effects.

Since then, a Trojan horse has been defined as any malicious logic that is disguised as something innocent, such as a screen saver, game, or utility program. A Trojan horse differs from a virus (another form of malicious logic) in that the Trojan horse does not spread itself; it must be accepted and executed by the user before it causes damage. Additionally, antiviral programs do not always catch them; therefore, there are probably many infected users who have no idea their computers are harboring Trojan horses.

To create a Trojan program, all you need is a little knowledge of any programming language and the desire to violate another person's property. Trojan Horses can be written in any programming, macro, or scripting language and for any computer system in use.

Trojan horses can do anything that the owner or user can do. This includes deleting files; transmitting files to the intruder; installing other programs, such as viruses, worms and other Trojan Horses; and executing attacks to increase the intruder's privileges. If the intruder can gain administrative privileges and access to the operating system, then he or the Trojan Horse is able to do anything that the system administrator can do.

Trojan Horses spread through downloads from bulletin boards or web sites, as file attachments to e-mail, and through Internet chat rooms, instant messaging, and copies of pirated software. Other ways of installing Trojan Horses include tricking users or system administrators into installing or running them, distributing altered copies of legitimate software, tricking users into connecting to an attacker's site by exploiting the Domain Name System, malicious software toolkits, Trojan Horse compiler programs, and web content such as Java applets, JavaScript, and ActiveX controls.

Preventive actions against Trojan horse attacks begin with being certain of both the source and content of each file you download. You shouldn't blindly download from people or sites that you are not completely sure about. Also unhide file extensions and never use features that automatically fetch or preview files. Additionally, never type commands that others tell you to type or run programs or scripts they send you, and avoid downloading executable programs just to check them out.

Further precautions or rules to follow are: don't execute anything sent by unsolicited e-mail; use caution when executing Java applets, JavaScript, or ActiveX controls from web pages; and use firewall and virus-scanning products that include scanning for known Trojan Horses. System administrators should verify that every piece of software installed comes from a trusted source and arrived unmodified, apply the principle of least privilege in daily activities, and review the source code of any open source products. Additionally, administrators should test new software on safely isolated computers and keep several generations of backups.

Everyone should stay current with vendor security patches for all installed software, from office applications to firewalls. To further reduce their risk, home users with DSL or cable connections should turn them off when not actively in use. Possibly the single most important thing you can do to avoid becoming a victim of Trojan Horses is to educate yourself about them.

BIBLIOGRAPHY

[1] Richard E. Overill, Computer Crime - An historical survey, Defense Systems International 98, http://www.kc1.ac.uk/orgs/icsa/Old/crime.html

[2] Raymond Gozzi, The Trojan horse metaphor, Etc., vol. 57, no. 1, Spring 2000, pp. 80-84, WilsonSelect Plus Database, http://mdusa.lib/um.edu/WebZ/html/homeframe.html

[3] Joseph Lo, Trojan Horse Attacks, http://www.irchelp.org/irchelp/security, updated 21 Jan 2002, http://www.irchelp.org/irchelp/security/trojan.html

[4] Amanda Stirpe and Marcia Savage, Trojan Horse App Threatens Palm Platform, http://content.techweb.com/wire/story/TWB20000828S0025

[5] Michelle Delio, Viruses? Feh! Fear the Trojan, http://www.wired.com/news/infostructure/0,1377,43981,00.html

[6] Ed Tiley, Personal Computer Security, IDG Books Worldwide, Inc., 1996

[7] CERT Advisory CA-99-02 Trojan Horses, February 5, 1999, http://www.cert.org/advisories/CA-99-02.html

[8] Wallace Wang, Trojan Horses 101, Boardwatch Magazine, vol. 15, issue 1, Jan 2001, p. 150, Computer Database, http://mdus.lib.umd.edu/WebZ/html/homeframe.html

[9] Peter J. Denning, Computers Under Attack - Intruders, Worms, and Viruses, ACM Press, 1990

[10] Steve Alexander, Viruses, Worms, Trojan Horses and Zombies, Computerworld, 1 May 2000, p. 74, Computer Database, http://mdus.lib.umd.edu/WebZ/html/homeframe.html

[11] Andrew Brandt, Trojan Horses, PC World, vol. 19, issue 5, May 2001, p. 146B, Computer Database, http://mdus.lib.umd.edu/WebZ/html/homeframe.html

[12] Mandy Andress, Web apps are Trojan horses for hackers, InfoWorld (Infoworld Publications, Inc.), vol. 23, issue 15, 9 April 2001, p. 50, Computer Database, http://mdus.lib.umd.edu/WebZ/html/homeframe.html

[13] Stuart McClure and Joel Scambray, Here's a little advice to help you defeat the Internet's leading Trojan horse viruses, InfoWorld (Infoworld Publications, Inc.), no. 49, 4 December 2000, p. 58, Periodical Abstracts Database, http://mdus.lib.umd.edu/WebZ/html/homeframe.html

[14] Robert Vamosi, "Offensive" Trojan horse can seriously damage your PC, CNET Networks, Inc., 2002, http://www.cnet.com/software/0-7760531-8-6954052-1.html

[15] David Harris, The "Liberty" Crack: The first Palm OS Trojan Horse, http://rr.sans.org/PDAs/liberty.php