"Trojan Horses and Other Malicious Codes" by Song Chung and Adrianna Leszczynska.


Transcript of "Trojan Horses and Other Malicious Codes" by Song Chung and Adrianna Leszczynska.

Page 1:

"Trojan Horses and Other Malicious Codes"

by Song Chung and Adrianna Leszczynska

Page 2:

Examples of Malicious Codes

- Trojan Horses
- Viruses
- Worms
- Logic Bombs / Time Bombs

Page 3:

What are Trojan horses?

Trojan horses are often lumped in with viruses, but strictly they are a separate class of malicious code: a Trojan does not replicate on its own; it is a program that appears useful while carrying a hidden hostile function. They are probably the most dangerous strain of malicious code to have appeared in recent times.

They also threaten to overwhelm systems that rely only on anti-virus applications and firewalls as a means of combating the threat, because the victim installs the Trojan voluntarily and a scanner only recognises Trojans whose signatures it already has.

Page 4:

Trojan Horse History Brief

The name "Trojan Horse" derives from the Greek legend of the siege of Troy, when the Greeks had laid siege to the fortified city for over ten years. Their spy, a Greek called Sinon, offered the Trojans a gift in the form of a wooden horse and convinced them that by accepting it they would become invincible.

Page 5:

History Brief (cont.)

The horse, though, was hollow and was occupied by a contingent of Greek soldiers. When they emerged in the dead of night and opened the city gates, the Greeks swarmed in, slaughtered its citizens and subsequently pillaged, burned and laid waste to the city.

Page 6:

In the IT Environment

A Trojan horse acts as a means of entering the victim's computer undetected and then allowing a remote user unrestricted access to any data stored on the user's hard disk drive whenever he or she goes online.

In this way the user gets burned and, like the unfortunate citizens of Troy, may only discover that fact when it is too late.

Page 7:

Examples of Trojan Horses

- "Picture.exe"
- "RIDBO"
- "FIX2001"
- "AOL4FREE"

Page 8:

Origin of Trojan horses

These programs were originally written as a means of self-expression by gifted programmers and did little more than cause the system to lock up, behave abnormally in a specific way, or perhaps cause loss of data on the user's machine.

Page 9:

Objectives of the Horse

- Allow a remote user a means of gaining access to a victim's machine without their knowledge.
- Allow the intruder to do anything with the machine that the user can do.
- Browse the user's hard drive in order to determine if there is anything of value stored on it.

Page 10:

Objectives (cont.)

- Things of value include valuable research papers, credit card details or passwords to restricted web sites.
- If anything of value is found, the intruder can copy the data to his own hard drive in exactly the same way that the user can copy a file to a floppy disk.
- Cause havoc to the system by deleting (system) files, erasing valuable data or ultimately destroying the hard drive.

Page 11:

Can Passwords Provide Protection?

Passwords offer no protection against a Trojan already running on the machine, because today's Trojans are capable of recording the victim's keystrokes and then transmitting the information back to the intruder.

Passwords captured this way arrive in the clear, so no cracking is needed; the intruder can use them directly and even change them in order to prevent the user getting access to his own files!

Page 12:

How does a Trojan Affect Your Computer?

- In order to gain access to a user's computer, the victim has to be induced to install the Trojan himself.
- The usual method is to offer a seemingly useful system enhancement or perhaps a free game that has the Trojan attached to it.
- By installing it, the user also installs the Trojan.

Page 13:

Common Sources

- Executing any files from suspicious or unknown sources
- Opening an email attachment from an unknown source
- Allowing a "friend" access to your computer while you are away
- Executing files received through an instant-messaging client such as ICQ

Page 14:

Main Parts of a Trojan

Virtually every remote-access Trojan of this kind is comprised of two main parts: the "server" and the "client".

It is the server part that infects a user's system.

Page 15:

What Problems can Trojans Cause?

- The server part is the part of the program that infects a victim's computer.
- The client part is the one that allows a hacker to manipulate data on the infected machine.
- Let's suppose that you have already been infected. How do intruders attack and get full control of your computer?

Page 16:

Problems (cont.)

- Intruders scan the Internet for infected users using the client part of the Trojan (technically speaking, the attacker sends request packets to every address of a specific Internet provider).
- Once an infected computer has been found (the server part of the Trojan located on the infected machine replies to the client's request),
- the attacker connects to that user's computer and creates a "link" between the two, just like the one in an ordinary telephone conversation.

Page 17:

Problems (cont.)

- Once that has happened (this procedure may take only a few seconds), the intruder will be able to get unrestricted access to the user's computer and can do anything he likes with it.
- The intruder becomes the master and the user the slave, because short of disconnecting from the Internet the user is helpless and has no means at his disposal to ward off an attack.
- Intruders can monitor, administer and perform any action on your machine just as if they were sitting right in front of it.

Page 18:

Analogy of a Trojan Horse

- A Trojan horse works a bit like the back door to your house. If you leave it unlocked, anybody can come in and take whatever they want while you're not looking.
- The main difference with a backdoor installed on your computer is that anybody can come in and steal your data, delete your files or format your hard drive even if you are looking.
- There are no visible outward signs that anything untoward is happening, other than perhaps unusual hard disk activity for no apparent reason.

Page 19:

How do you protect yourself from a Trojan Horse?

- You can try manual deletion; however, it is time-consuming and monotonous, and the user can never be absolutely certain that he has covered every option.
- Even if he is successful in removing the Trojan from his system, he may unwittingly reinstall it with the very next command he enters.

Page 20:

How to Protect? (cont.)

- There are many Trojan horse protection programs available for download which perform various tasks.
- One example is Tauscan, a universal Trojan horse scanner that detects and removes practically every type of known Trojan that may have infected your system.
- Another example is Jammer, a network analyser designed primarily to warn you if your system is under attack. It also has a secondary feature: removing all known versions of Back Orifice and NetBus from your system if they are detected.

Page 21:

Other Forms of Malicious Codes

- Viruses
- Worms
- Logic Bombs
- Time Bombs

Page 22:

What is a virus?

- A virus is a type of malicious code that attaches itself to a file and then replicates in order to spread to other files.
- A virus is usually attached to an executable file so that it will spread rapidly.
- Viruses were long associated mainly with personal computers, but their defining property is replication within a single system, not the platform they run on.

Page 23:

Characteristics of a virus

- replication
- requires a host program
- activated by an external action
- replication limited to one system

Page 24:

Virus History

Viruses are increasing at a fast rate:

- 1986: 1 known virus
- 1989: 6 known viruses
- 1990: 80 known viruses
- Today: between 10 and 15 new viruses discovered every day
- Between 1998 and 1999 the total virus count increased from 20,500 to 42,000.

Page 25:

Virus Examples

"W32/Vote@MM"
- spread via email with an attachment WTC.EXE. The email has the subject "Fwd:Peace BeTweeN AmeriCa And IsLaM !" and asks the recipient to vote about the war issue by opening the WTC.EXE attachment.

"W97/Prilissa"
- 10 Fortune 500 companies on three continents have been hit with this virus.

Page 26:

Worms

- A worm is a program that replicates itself and causes execution of new copies of itself.
- A worm enters an Internet host computer and mails itself to other hosts.
- A common result of a worm attack is to fill storage space and slow down operations.

Page 27:

Characteristics of Worms

- replication
- must be self-contained; does not require a host
- needs a multi-tasking system

Page 28:

Examples of worms

"I Love You"
- aka LoveLetter or LoveBug; sends itself to everyone in the Microsoft Outlook address book.

"W32/Navidad"
- spread using Outlook email, usually sent from a familiar source, with an attachment NAVIDAD.EXE. The worm affects the system tray and attaches itself to other messages.

Page 29:

"I Love You" Worm

1. The user opens the email attachment "LOVE-LETTER-FOR-YOU.TXT.VBS".
2. The worm scans for certain files, replaces the content of these files with its own code, and adds the extension .vbs to the end of the file names.
3. The worm sends itself to everyone in the Outlook address book.
4. Infected files cannot be retrieved and must be restored from a backup copy.
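Every example on pages 25, 28 and 29 arrived as an e-mail attachment whose name hid what it was: a bare .EXE, or a script with a harmless-looking .TXT in front of the real .VBS extension. This added example, not code from the presentation, shows a mail-gateway check that holds such attachments. The extension lists and the sample attachment names (other than the three the slides name) are assumptions, and the check is a starting point rather than a complete policy: it says nothing about macro viruses carried inside documents, which need content inspection.

```python
"""Flag e-mail attachments that carry an executable extension, including the
double-extension trick used by LOVE-LETTER-FOR-YOU.TXT.VBS.

Added example; not code from the presentation. The extension lists are an
assumption (a starting point, not a complete policy) and the sample
attachment names below are constructed, apart from the three the slides name.
"""
import re

# Extensions Windows will execute, or hand to a script host, on double-click.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif",
                   "vbs", "vbe", "js", "jse", "wsf", "hta"}

# Extensions a user reads as "just a document" when they appear mid-name.
HARMLESS_LOOKING = {"txt", "jpg", "jpeg", "gif", "bmp", "doc", "pdf", "htm", "html"}


def normalize(filename):
    """Canonicalise a name the way the receiving OS effectively will."""
    name = filename.strip().rstrip(". ")   # Windows drops trailing dots and spaces
    name = re.sub(r"\s+", " ", name)       # collapse the run of spaces used to push
                                           # the real extension out of view
    return name.lower()


def classify_attachment(filename):
    """Return None if the name is acceptable, otherwise a short reason."""
    parts = [p.strip() for p in normalize(filename).split(".")]
    if len(parts) < 2 or not parts[-1]:
        return None                        # no extension: nothing auto-executes
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in HARMLESS_LOOKING:
        return "disguised executable: .%s before .%s" % (parts[-2], ext)
    return "executable attachment: .%s" % ext


def screen_message(attachment_names):
    """Return the attachments a mail gateway should hold, with reasons."""
    held = []
    for name in attachment_names:
        reason = classify_attachment(name)
        if reason:
            held.append((name, reason))
    return held


# Constructed sample message. The first three names are the ones the slides
# mention (I Love You, W32/Vote@MM, W32/Navidad); the rest are made up.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.VBS",
    "WTC.EXE",
    "NAVIDAD.EXE",
    "holiday.jpg",
    "minutes.txt                                   .vbs",
    "README",
]

if __name__ == "__main__":
    for name, reason in screen_message(SAMPLE_ATTACHMENTS):
        print("%-45r %s" % (name, reason))
```

The normalisation step matters more than the lists: without it, a name padded with spaces or ending in a dot slips past a naive `endswith(".vbs")` check while the mail client still shows, and Windows still runs, the script.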

Page 30:

Difference Between Worms and Viruses

- A worm is similar to a virus but does not need to attach itself to an executable file to replicate itself.
- Also, unlike a virus, it spreads only across multi-user, multi-tasking systems.

Page 31:

Logic Bomb

- Logic bombs are malicious code that causes some destructive activity when a specified condition is met.
- Unlike viruses, logic bombs do not replicate: they do their damage once the condition is met, then stop.

Page 32:

What can trigger a logic bomb?

- The trigger can be a specific date
- Number of times the program is executed
- A random number
- Or a predefined event, such as the deletion of a certain record

Page 33:

Damage by Logic Bombs

The damage done by logic bombs can range from changing a random byte of data somewhere on the disk to making the entire disk unreadable.

Page 34:

Time Bomb

- A time bomb is a logic bomb whose trigger is time. Like other logic bombs it may exist in the system for weeks or even months before it is detected.
- The damage is not caused until a specified date arrives or until the system has been booted a certain number of times.
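A bomb whose trigger is a date or an execution count passes every ordinary test, because tests run today and run once. This added example, not code from the presentation, simulates such a program with a harmless stand-in payload and shows the countermeasure that pages 32 and 34 imply: give the program its clock and run counter from outside (dependency injection) so a test can sweep both. The trigger date, the run count and the class and function names are assumptions.

```python
"""Why a time bomb survives ordinary testing, and how an injected clock and
run counter flush the dormant branch out.

Added example; not code from the presentation. The trigger date, the run
count and the 'payload' are all made up: the payload only records that it
fired, it damages nothing.
"""
from datetime import date, timedelta

ARMED_DATE = date(2001, 12, 31)   # hypothetical date trigger ("a specific date")
ARMED_RUNS = 50                   # hypothetical count trigger ("number of times executed")


class Program:
    """A program carrying a dormant destructive branch (simulated).

    The clock and the run counter are injected rather than read from the
    system; that is what lets a test move them.
    """

    def __init__(self, today, run_count=0):
        self.today = today
        self.run_count = run_count
        self.fired = []            # stand-in for the damage a real bomb would do

    def run(self):
        self.run_count += 1
        if self.today >= ARMED_DATE or self.run_count >= ARMED_RUNS:
            self.fired.append((self.today, self.run_count))
            return "damage"
        return "normal"


def naive_test():
    """What a normal test run sees: one execution, today's date, no trigger."""
    return Program(date(2001, 10, 1)).run()


def sweep_for_dormant_branch(start=date(2001, 10, 1), days_ahead=730, max_runs=1000):
    """Drive the program through time and through many runs; report triggers.

    Returns a dict such as {'date': date(...), 'runs': 50}; empty if nothing fires.
    """
    found = {}

    # Clock sweep: a fresh instance per day keeps the run count at 1, so only
    # the date condition is being exercised.
    for offset in range(days_ahead):
        p = Program(start + timedelta(days=offset))
        if p.run() == "damage":
            found["date"] = p.today
            break

    # Count sweep: fixed date well before ARMED_DATE, so only the counter moves.
    p = Program(start)
    for _ in range(max_runs):
        if p.run() == "damage":
            found["runs"] = p.run_count
            break

    return found


if __name__ == "__main__":
    print("naive test:", naive_test())            # "normal": the bomb is invisible
    print("sweep:", sweep_for_dormant_branch())   # both triggers surface
```

The same idea applies to a "random number" trigger: inject the random source and drive it through its range. A trigger that depends on an external event (the slide's deletion of a certain record) needs that event simulated in the test as well.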

Page 35:

Examples of Time Bombs

"Friday the 13th"
- 1980s; it duplicated itself every Friday the 13th, caused system slowdown and corrupted all available disks.

"Michelangelo"
- 1990s; tried to damage hard disk directories.

"Win32.Kriz.3862"
- written in 1999; damage included overwriting of data on all data storage units.

Page 36:

Virus Prevention Tactics

- Install a virus scanner
- Update it often
- Program it to run automatically
- Examples of virus scanners include: VirusScan, AntiVirus, F-Prot

Page 37:

Virus Prevention Tactics (cont.)

- Do not run unknown programs from the Internet
- Don't open unknown mail attachments
- If an unknown mail attachment is received, delete it immediately

Page 38:

Virus Symptoms

- Virus scanner detects a virus
- Programs stop working as expected
- Computer crashes more frequently
- Unknown files appear
- Disk space gets smaller for no reason

Page 39:

What if a virus is detected?

On a network system:
- contact the network administrator

On a personal computer:
- Use the disinfect function of the virus detection software, so it can try to restore the program to its original state
- Erase the infected program and reinstall from the original disk after a virus scan confirms that no viruses have been found

Page 40:

Conclusion

Five types of malicious code:

- Trojan Horses: destructive code hidden inside other programs
- Viruses: replicate by attaching themselves to files
- Worms: also replicate, but are self-contained and spread across multi-user systems
- Logic Bombs: set off when a specified condition is met
- Time Bombs: logic bombs set off by a date or a boot count

Page 41:

References

http://www.agnitum.com/products/tauscan/
http://www.cyberangels.org/hacking/trojan.html
http://ksi.cpsc.ucalgary.ca/courses/547-96/cochrane/present/#LINK1
http://www.mpip-mainz.mpg.de/~bluemler/extra/teaching/virus.pdf
http://www.google.com/url?sa=U&start=2&q=http://getvirushelp.com/iloveyou/&e=7249
http://csrc.nist.gov/publications/nistir/threats/section3_3.html

Page 42:

Questions?