Trojan Horses can inflict serious damage on a computer system. But how can an infection be detected? There are different methods of finding out whether a Trojan Horse has managed to infect a computer. One thing's for sure: if your computer begins to do funny things without you even touching the mouse, the chances of being infected are nearly 100 percent. Harmless pranks like opening and closing the CD-ROM tray or swapping the mouse axes might sound funny, but unfortunately serious actions like hiding or even deleting important system files are also possible. Therefore it is very important to always keep an eye on what's going on, on or off the screen. If something out of the ordinary happens, closing the internet connection and checking the whole system might be a good idea.
Revealing Trojan Horses is an easy task, as long as certain security rules have been followed. If this is not the case, tracking down Trojan Horses might be a little more difficult.
Most detection methods use the so-called "object comparison principle." Objects are files or folders. An object is compared with itself as it was at an earlier or later point in time. Take a backup tape or a burned CD-ROM, for instance: some of the files on the backup medium are compared to the current files on the computer.
If the two files differ and you have not modified or replaced the file on the computer in any way, then there's a possible infection. Since we didn't modify it, the file on the system should have exactly the same file size as the one on the backup tape. This technique should be applied to every system file, since attackers like to use them to get their Trojan Horses inside a running system.
Object comparison is an easy way to check file integrity; it is based on detecting changes in the state of files. Alternative methods range from simple to very difficult. The integrity of a file can be checked by looking at the date of the last modification, the creation date of the file and the file size.
Unfortunately all three methods are insufficient, since the values can easily be manipulated in one way or another. Each time a file is modified, its values change. For example, if you open a file, change it and save it, it is given a new last-modification date. This date stamp can easily be changed by adjusting the computer's system time and saving the file again. Therefore the date stamp on files is the most unreliable basis for comparing objects.
Another way to verify file integrity is to check the file size. This method is unreliable too, since this value can also be manipulated. It's quite easy to start with a file of approximately 1000 KB, modify it and save it with exactly the file size it had at the start.
The question you may ask yourself now is: is there a sufficient technique? There is. The so-called MD series, a collection of algorithms, works with digital fingerprints. One of the favourite techniques is called MD5-Coding. See http://www.csie.nctu.edu.tw/document/CIE/RFC/1321/3.htm or
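The object comparison described above, as an added example that is not part of the original article: a baseline of fingerprints is recorded, a file is then altered while keeping its size and date stamp, and only the fingerprint reveals the change. It defaults to SHA-256 rather than the MD5 named in the text, because practical MD5 collisions are known (pass `"md5"` to use MD5). The function names and the file name `system.cfg` are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path, algorithm="sha256"):
    """Return the hex digest of a file's contents, read in chunks."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Record (size, modification time, fingerprint) for every file under root."""
    state = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            info = path.stat()
            state[str(path.relative_to(root))] = (info.st_size, info.st_mtime_ns, fingerprint(path))
    return state


def compare(baseline, current):
    """Return {relative path: finding} for every object that differs from the baseline."""
    findings = {}
    for rel, (size, mtime, digest) in baseline.items():
        if rel not in current:
            findings[rel] = "missing"
        elif current[rel][2] != digest:
            same_meta = current[rel][:2] == (size, mtime)
            findings[rel] = "content changed, size and date unchanged" if same_meta else "content changed"
    for rel in current.keys() - baseline.keys():
        findings[rel] = "new file"
    return findings


def demo():
    """Constructed scenario: a file is altered but keeps its size and date stamp."""
    with tempfile.TemporaryDirectory() as root:
        target = Path(root, "system.cfg")  # hypothetical file name
        target.write_bytes(b"shell=/bin/sh\n")
        baseline = snapshot(root)  # in practice, stored on the backup medium
        before = target.stat()
        target.write_bytes(b"shell=/bin/xx\n")  # same length, different content
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))  # put the old date back
        return compare(baseline, snapshot(root))
```

Calling `demo()` returns a single finding for `system.cfg`. The baseline is only trustworthy if it is kept somewhere the running system cannot modify, such as the backup medium mentioned above.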