Definition: What is a Trojan Horse and what are its capabilities?
A Trojan Horse is a program which appears to be a useful tool but is able to do various things hidden in the background without the computer owner knowing. Trojan Horses are named after the "Trojan Horse" of Greek mythology: a wooden horse left behind by Troy's besiegers. Not knowing that Greek soldiers were hiding inside the horse, the people of Troy moved it inside the town to celebrate their victory. Once within the walls, the enemies left their hiding place and conquered the city. Nowadays, virtual Trojan Horse attacks work in a similar way.
Trojan Horses are often incorrectly treated like viruses. This is only true to a certain extent; as opposed to viruses, their main purpose is not to destroy information stored on a computer, but to transmit this data to the initiator of the attack for abusive purposes, or to gain control over the infected computer.
Since the amount of data transmitted to the initiator is often far too large to sift through, many Trojan Horses offer more intelligent options. These so-called Backdoor Trojans enable attackers to take control of foreign computers and do whatever they desire. It is just as if the attacker were sitting in front of the infected computer.
Well-known Trojan Horses like Sub7, Netbus or Back Orifice consist of three parts:
1. Serverfile
This is the file which has to be installed on the computer the attacker wants to control. Using this file, the attacker is able to take control of the computer. In most cases, this file is sent as an email attachment. The attachment is an executable file appearing to be a useful program. Once started, the Trojan Horse installs itself automatically. An error message pops up to distract the user, telling them that the installation of the program was not successful. The disappointed user often deletes the program file and forgets about it. Unfortunately, they are not aware that a Trojan Horse has been installed which starts automatically on every system reboot. Every time the computer is turned on, the Trojan Horse loads itself into main memory, waiting for a client to get in touch with it.
2. Configuration tool for the serverfile
This is the program used to set up certain options for the serverfile. It is possible to adjust how the server is supposed to start itself after a successful infection, or which ports to use to gain access to the computer. Usually the serverfile is created using this kind of configuration tool, where it is possible to select which options the Trojan Horse should offer after taking control of a computer.
3. Client
After a successful infection, the client tries to build up a connection to the infected computer. If everything worked out, it is now possible to use the client program to gain access to the serverfile on that computer. There are many different types of Trojan Horses using different routines. Trojans that only sneak around in foreign systems are as common as Trojans that gather important or valuable information and send it to a certain address via email. Oftentimes these Trojans are able to do their destructive work for months without being recognized. Some of them only start when an internet connection is being established, a fact which makes finding Trojans on one's own system a very difficult task.
What is a port and why do Trojan Horses use them?
Although most computers only have one IP address, it is possible to run many different services on them. This is possible because every single service uses a specific number (port) for the exchange of information.
Suppose a server machine is running the services www (world wide web) and ftp (file transfer protocol). If information were exchanged without port numbers, none of the running services would be able to recognize whether certain incoming data is intended for it. Ports serve the purpose of channelling data into a specific application or service. Using these port numbers, every single service knows who the recipient of the information is.
Ports with the numbers 1 to 1024 are reserved for standard programs (www, ftp, ...). The maximum numeric value of a port is 65,535. Thus, the complete port range begins with 1 and ends with 65,535.
Ports are used by Trojan Horses to sneak their way into a computer system. Since most computer owners have no idea which ports are 'open' on their system, it is easy for a Trojan to invade a system over a certain open port. Unfortunately, Trojan Horses are able to use different ports, which allows a Trojan to switch to another port in case the one it used is closed.
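Whether unknown ports are open on one's own machine can be checked rather than guessed. The following is an added example, not code from the original article: it parses netstat-style output (the sample is constructed, not captured from a real host) and reports every listening port that is not on an allowlist of expected services. The allowlist and the high port 60001 are assumptions made for the demonstration.

```python
import re

# Constructed sample of `netstat -an` style output (not captured from a real host):
# a web server and an FTP server listening, one outgoing browser connection,
# one bound UDP socket, and one unexpected TCP listener on a high port.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
TCP    192.168.1.10:1043      203.0.113.5:80         ESTABLISHED
TCP    0.0.0.0:60001          0.0.0.0:0              LISTENING
UDP    0.0.0.0:137            *:*
"""

# Services the owner knows should accept incoming traffic on this machine (assumed).
EXPECTED_LISTENERS = {("TCP", 80), ("TCP", 21), ("UDP", 137)}

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_ports(netstat_text):
    """Return the set of (proto, port) pairs that accept incoming traffic."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or unrelated output
        proto, _local, port, _foreign, state = m.groups()
        # A TCP socket is reachable only in LISTENING state; a bound UDP
        # socket has no state column and is always reachable.
        if proto == "UDP" or state == "LISTENING":
            found.add((proto, int(port)))
    return found


def unexpected_listeners(netstat_text, expected=EXPECTED_LISTENERS):
    """Listening ports that nobody on this machine has accounted for."""
    return sorted(listening_ports(netstat_text) - expected)


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} port {port}")
```

On a real machine the text would come from running the system's netstat (or an equivalent) and the allowlist from the owner's own knowledge of installed services.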
What are Trojan Horses able to do?
This depends on what the attacker wants to do. If the intention is to gather information, damage to the system can be excluded. But if the attacker intends to cause trouble, he is going to use a Trojan Horse which offers options to take control of the infected computer. This ranges from remotely opening the CD-ROM tray to deleting files or the entire hard disk. This shows that a Trojan Horse can be a powerful tool which, in the wrong hands, can cause serious damage.
How can someone take control of my computer?
If an attacker manages to get his serverfile onto a foreign computer system, the only thing he still needs is the computer's IP address. An IP address is a combination of numbers which identifies a computer on the internet. Computers get their IP addresses from their providers when dialing into the internet. When using an advanced type of Trojan Horse, the serverfile can be sent via email. Once installed on the foreign PC, the server sends the IP address of the infected computer to the initiator of the attack.
Many Austrian internet providers (Chello, A-Online, ...) offer so-called static IP addresses to their customers. Static IP addresses never change when dialing into the internet, since the dialing routine itself never takes place. The advantage of a static IP address is that it is much easier to install and use your own internet server. But at the same time it makes causing damage on a computer a whole lot easier for potential attackers.
Identification: How to discover Trojan Horses
Trojan Horses can inflict serious damage on a computer system. But how is it possible to detect an infection? There are different methods of finding out whether a Trojan Horse has managed to infect a computer. One thing is for sure: if your computer begins to do funny things without you even touching the mouse, the chances of being infected are nearly 100 percent. Harmless pranks like opening and closing the CD-ROM tray or swapping the mouse axes might sound funny, but unfortunately serious issues like hiding or even deleting important system files are also possible. Therefore it is very important to always keep an eye on what is going on, on or off the screen. If something unusual happens, closing the internet connection and checking the whole system might be a good idea.
Revealing Trojan Horses is an easy task, as long as certain security rules have been followed. If this is not the case, tracking down Trojan Horses might be a little more difficult.
Most of the revealing methods use the so-called "object comparison principle". Objects are files or folders. An object is compared with itself at an earlier and a later point in time. Take a backup tape or a burned CD-ROM, for instance: some of the files on the backup media are compared to the current files on the computer.
If those two files differ and the file on the computer has not been modified or replaced in any way, then there is a possible infection. Since we did not modify it in any way, the file on the system should have the exact same file size as the one on the backup tape. This technique should be used on every system file, since attackers like using them to get their Trojan Horses inside a running system.
Object comparison is an easy method to check file integrity, based on discovering changes in the state of files. Alternative methods range from simple to very complex. The integrity of a file can be verified by checking the date of the last modification, the creation date of the file and the file size.
Unfortunately all three methods are insufficient, since the values can be easily manipulated in one way or another. Each time a file is modified its values change. For example, if you open a file, change it and save it, a new date for the last modification is set. This date stamp can easily be changed by adjusting the computer's system time and saving the file again. Therefore using the date stamp on files is the most unreliable method of comparing objects.
Another way to verify file integrity is to check the file size. This method too is unreliable, since this value can also be manipulated. It is quite easy to start with a file of approximately 1000 KB, modify it and save the same file with exactly the file size it had at the start.
The question you may now ask yourself is: Is there a sufficient technique? There is. The so-called MD series, a family of message-digest algorithms, computes digital fingerprints of files. One of the favourite techniques is called MD5 coding (RFC 1321). See http://www.csie.nctu.edu.tw/document/CIE/RFC/1321/3.htm
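The argument above, that timestamps and sizes can be forged but a digest cannot, can be demonstrated directly. The following is an added example, not code from the original article: it records size, modification time and a digest for every file under a directory as a baseline (the "backup tape"), then re-checks the tree and reports which of the three checks notices a change. The constructed scenario replaces a file with one of the same size and puts its old timestamp back. SHA-256 is used in place of the article's MD5, since MD5 collisions are practical today; the file name system.dll is an assumption.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def fingerprint(path):
    """Return (size, mtime_ns, digest) for one file."""
    st = Path(path).stat()
    h = hashlib.sha256()  # the article suggests MD5; SHA-256 is the modern substitute
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return st.st_size, st.st_mtime_ns, h.hexdigest()

def build_baseline(root):
    """Snapshot every regular file below root: the 'backup tape' of the article."""
    root = Path(root)
    return {str(p.relative_to(root)): fingerprint(p)
            for p in root.rglob("*") if p.is_file()}

def compare(root, baseline):
    """Check the live tree against the baseline; for each file report which of
    the three checks (size, mtime, digest) sees a difference."""
    findings = {}
    for rel, (size0, mtime0, digest0) in baseline.items():
        p = Path(root) / rel
        if not p.is_file():
            findings[rel] = {"missing": True}
            continue
        size1, mtime1, digest1 = fingerprint(p)
        findings[rel] = {"size": size0 != size1,
                         "mtime": mtime0 != mtime1,
                         "digest": digest0 != digest1}
    return findings

def demo():
    """Constructed scenario: a 'system file' is swapped for a same-size file and
    its old modification time is put back, exactly the forgery the article warns about."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "system.dll"  # assumed name
        target.write_bytes(b"A" * 1000)
        baseline = build_baseline(d)
        old_ns = target.stat().st_mtime_ns
        target.write_bytes(b"B" * 1000)           # same size, different content
        os.utime(target, ns=(old_ns, old_ns))     # restore the old timestamp
        return compare(d, baseline)["system.dll"]  # only the digest check fires
```

demo() returns the findings for the swapped file: the size and mtime checks report no change, the digest check does.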
Removal: How to get rid of Trojan Horses
If a computer starts to do funny things, a Trojan Horse does not necessarily have something to do with it. But if programs, files or information start to disappear, it would be a good idea to check what is going on. If someone in a chatroom talks to you about information on your computer, the odds of being infected almost hit the roof. Time for a thorough system check.
Removing Trojan Horses from an infected system manually is a very tough task and requires a great deal of computer skill. Since they are able to hide themselves in different locations on the hard disk, there is never 100 percent certainty that all components have been removed from the system. Therefore there are programs whose main task is to seek and destroy Trojan Horses.
Two of the most popular programs are called "The Cleaner" (http://www.mosoft.de) and "Trojan Defense Suite" (http://www.diamondcs.com.au). Both programs can be downloaded free from the internet as trial versions.
It is very important to disconnect from the internet once the download of one of these programs has finished. If an attacker was able to connect to the computer, he would technically be able to prevent the installation of an anti-Trojan tool as long as the computer stays connected.
After successful installation of the software, the first task should be to scan the whole system for Trojans. This can take quite some time, since every file and folder on the hard disk has to be examined. It is very important not to interrupt or speed up this process, to ensure that everything is scanned properly.
Once a Trojan Horse is found, the software tries to remove it from the system. In some cases removing a certain Trojan can cause serious damage to the operating system, such as complete or partial loss of data. Therefore important files and folders should be backed up frequently on CD-ROMs or backup tapes, in case a virus or Trojan Horse infection deletes the whole hard disk.
Protection: How to prevent Trojan Horse infections
There are different ways of protection against Trojan Horses:
1. Trojan scanning software
This works similarly to virus protection. Since Trojan Horses have to sneak their way in, they are often sent as email attachments. To check every attachment in an email, functional Trojan-scanning software able to detect the most common Trojan Horses is essential. Meanwhile even antivirus tools are able to detect Trojan infections. But you should prefer the use of Trojan-specialized software in order to get the best results, since it acts as scanner and memory surveillance in one.
2. Surveillance of system programs
Another way to hunt down Trojans is the surveillance of system programs. There are a few tools which show the user everything that is happening in the background while working on the computer or surfing the internet. For instance, it is possible to check whether any data is being sent without the user starting any programs or working on the computer at all, or whether any programs get started which have never been installed by the user or should not start automatically at all.
3. No download or start of files with unknown origin
Under no circumstances should files from unknown sources be downloaded or started. If such a file gets executed, the serverfile installs itself within seconds without the user noticing anything. The only unusual thing would be a short rattling sound from the hard disk, and that is it. Smart versions of Trojans often display an error message to make it look like the program could not run on the system.
When receiving emails which include attachments from friends, the source of the files should be questioned. If it is an executable file (file extension .exe), the website from which the file was downloaded should be looked up, in order to check the original file on the website for Trojan Horse infections.
4. Dangerous hyperlinks
Some links may lead to websites which immediately start a download without asking the user. The downloaded file should be checked for Trojans immediately. Such downloads should not be installed, because most likely they are infected with a virus or Trojan Horse.
5. Installing a firewall
A firewall reduces the risk of undesired access from outside by defining a small network segment on which access is permitted and controlled. Most of the time this would be a second computer separating the internal network from the internet, to protect it from forbidden access. The firewall determines which type of data is allowed to pass in either direction, in or out. It is very important to set up the firewall properly, since a badly configured firewall has the same effect as a high-security lock on a door that is standing wide open.
The All-Stars: Well-known Trojan Horses
The most famous Trojan Horses are definitely Sub7, Netbus and BackOrifice2000. These Trojans are so easy to handle and configure that even amateurs are able to inflict damage using them. This makes it very easy to become the victim of unstable characters who get offended in an internet chatroom or forum and feel the need to strike back in the only way possible: the virtual way, which unfortunately seems to be pretty effective.
The fact that the internet is flooded with websites offering Trojans for download or instructions on how to install them is very annoying, since people using this service are a potential threat to everyone using the internet. This makes it more and more important these days to protect one's own computer against attacks from the net, which seem to increase with every passing day.
Fortunately there are also websites dealing with the issue of how to protect a computer against Trojan Horse attacks. These websites provide useful hints like port lists, term definitions or ways of protection. See
Trojan Horses or similar forms of virtual attack will exist as long as there is the desire to inflict virtual damage. This is a pity, as the Trojan was originally an ideal creation for controlling a computer via phone line. This made the Trojan the perfect tool for remote maintenance of EDP systems. That they have been misused ever since might be a good indicator of mankind's dark soul.