Malware: Fighting Malicious Code, Chapter 6 -- Trojan Horses

This excerpt if from Chapter 6, Trojan Horses from Malware: Fighting Malicious Code written by Ed Skoudis and Lenny Zeltser, and published by Prentice Hall PTR. Download the entire chapter here for free.

You might have thought to yourself, "I'd never run a program named Netcat or VNC on my machine, so I'm safe!" Unfortunately, it isn't that easy. Attackers with any modest level of skill will disguise the nasty backdoors we covered in the last chapter or hide them inside of other programs. That's the whole idea of a Trojan horse, which we define as follows:

  A Trojan horse is a program that appears to have some useful or benign purpose, but really masks some hidden malicious functionality.

As you might expect, Trojan horses are called Trojans for short, and the verb referring to the act of planting a Trojan horse is to Trojanize or even simply to Trojan. If you recall your ancient Greek history, you'll remember that the original Trojan horse allowed an army to sneak right through a highly fortified gate. Amazingly, the attacking army hid inside a giant wooden horse offered as a gift to the unsuspecting victims. It worked like a charm. In a similar fashion, today's Trojan horses try to sneak past computer security fortifications, such as firewalls, by employing like-minded trickery. By looking like normal, happy software, Trojan horse programs are used for the following goals:

• Duping a user or system administrator into installing the Trojan horse in the first place. In this case, the Trojan horse and the unsuspecting user become the entry vehicle for the malicious software on the system.
• Blending in with the "normal" programs running on a machine. The Trojan horse camouflages itself to appear to belong on the system so users and administrators blithely continue their activity, unaware of the malicious code's presence.

Many people often incorrectly refer to any program that gives remote control of or a remote command shell on a victim machine as a Trojan horse. This notion is mistaken. I've seen people label the VNC and Netcat tools as Trojan horses. However, although these tools can be used as backdoors, by themselves they are not Trojan horses. If a program merely gives remote access, it is just a backdoor, as we discussed in Chapter 5. On the other hand, if the attacker works to disguise these backdoor capabilities as some other benign program, then we are dealing with a true Trojan horse.

Attackers have devised a myriad of methods for hiding malicious capabilities inside their wares on your computer. These techniques include employing simple, yet highly effective naming games, using executable wrappers, attacking software distribution sites, manipulating source code, co-opting software installed on your system, and even disguising items using polymorphic coding techniques. As we discuss each of these elements throughout this chapter, remember the attackers' main goal: to disguise their malicious code so that users of the system and other programs running on the machine do not realize what the attacker is up to.

Download this chapter for free here.

Submit your own malware question to one of our experts.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Spyware, Adware and Trojans Researchers develop cloud-based antivirus Web advertising exploits: Protecting Web browsers and servers SaaS startups enter Web security gateway market Ransomware: How to deal with advanced encryption algorithms Stolen data ending up in Google cache, say researchers Information security book excerpts and reviews Yahoo, McAfee to warn users of dangerous websites Botnets and ethics Security Services: Webroot Email Security SaaS Interview: Jim Kirkhope of NCR Spyware, Adware and Trojans Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary barnacle  (SearchSecurity.com) botnet  (SearchSecurity.com) browser hijacker  (SearchSecurity.com) crimeware  (SearchSecurity.com) DSO exploit  (SearchSecurity.com) government Trojan  (SearchSecurity.com) I-SPY Act  (SearchSecurity.com) keylogger  (SearchSecurity.com) PUP  (SearchSecurity.com) talking Trojan  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.