
Computers & Security, 18 (1999) 105-108

Malware: Troy Revisited

Richard Ford, Senior Editor

Greek mythology holds that the term ‘Trojan Horse’ can be traced back to a series of events instigated by Eris, the goddess of strife. Through a bizarre series of events involving a golden apple, known as the Apple of Discord, Paris, a shepherd boy, and Helen, the most beautiful woman in the World, the Greeks finally sacked the city of Troy by leaving a huge wooden horse at the gates of the city. The Trojans, assuming the horse to be a gift, moved it into the city, unaware that it was filled with enemy warriors. That night, the warriors struck, and the rest, as the expression goes, is history...

While the myth of the Trojan Horse is interesting from an academic viewpoint, I intend to draw two important points from it, which we shall apply to modern day Trojan Horses. First, that the Trojan Horse is ancient history, and second, that as the Trojan Horse is history, one tends to have rather rigid and fixed ideas about it.

We shall begin by looking at a history of Trojans. A more complete treatment of this issue, and indeed of several of the other issues discussed in this paper, is given in “Where There’s Smoke There’s Mirrors: The Truth About Trojan Horses on the Internet” [Virus Bulletin Conference Proceedings, Gordon and Chess, 1998].

A Brief History of Trojans

While we all instinctively know what a Trojan Horse is, defining one in computer terms has traditionally proven to be quite difficult, judging from the variety of available definitions. One definition, and a rather good one, is taken from a recent CERT advisory:

A Trojan horse is an “apparently useful program containing hidden functions that can exploit the privileges of the user [running the program], with a resulting security threat. A Trojan horse does things that the program user did not intend.”

Unfortunately, even this good a definition leaves the idea of what precisely a Trojan is as a matter of opinion. For example, on my test machine, I have a series of executables that carry out various alterations to my fixed disk at a very low level. These tools do not display any warning messages before they make the changes... are they Trojans? If you know what the file does, it is not; if you do not, it is. More to the point, if the file was renamed from qfdisk.exe to sexy.exe, is it now a Trojan? If so, why? Is the function of a Trojan based on the external appearance of the file, or on its internal properties? While there is, just in this definition, enough material for an entire column, let it suffice to say that for the purposes of this paper, we will stick with the CERT definition.

Trojan Horses have been around for a long time in computer terms. In “Reflections On Trusting Trust” [Thompson, Ken, “Reflections on Trusting Trust”, Communications of the ACM 27(8) pp. 761-763 (Aug. 1984); Turing Award lecture], a ‘must read’ for anyone interested in this topic, Ken Thompson discusses the implications of a Trojan Horse within the C compiler of a computer. The sort of issues discussed by Thompson can be traced back to the 1970’s and early 80’s.

0167-4048/99 $20.00 © 1999 Elsevier Science Ltd. All rights reserved

As people began to share files, the problem of Trojans began to move from a mental puzzle to a practical threat. Most of these early Trojans were directly destructive, deleting files and formatting disks. As the numbers increased, the Dirty Dozen list was born. This list attempted to identify Trojanized files by name so that users could avoid them. This state of affairs continued pretty much unchanged until the Internet began a paradigm shift in the way that we must consider Trojans... in fact, the Trojan has now come of age.

The first large resurgence of Trojan activity occurred on AOL, where Trojans that snatched AOL passwords began to be distributed. Indeed, there was even a press release from the US-based National Computer Security Association (NCSA), appropriately titled “NCSA and AOL warn of significant prevalence of AOL password Trojan”, which warned users about this threat.

Why AOL seems to have been the focal point for the development of new Trojans is something of a mystery. While people point to the closed community and the standardization of software, there is no obvious single factor. Nevertheless, Trojan activity became common, and the anti-virus industry began to cash in, providing scanner-based detection for the most common Trojans. This worked fairly well in the case of AOL Trojans, as many of them are essentially derived from similar source code.

How much of a problem these Trojans have become depends on how one gathers statistics. Some believe that these are the future of malware on the Internet in general, whereas others think that they are a minority threat that is only a part of a greater problem. Wherever one draws the line, it should now be clear that Trojans are a definite threat to information security, and things look set to get worse as the Internet becomes ubiquitous.

This comment was illustrated with perfect timing by the first two CERT Advisories of 1999, CERT Advisory CA-99-02-Trojan-Horses and CERT Advisory CA-99-01-Trojan-TCP-Wrappers. The former advisory warns of “an increase in the number of incident reports related to Trojan horses”, while the latter describes the following scenario:

“The CERT Coordination Center has received confirmation that some copies of the file tcp_wrappers_7.6.tar.gz have been modified by an intruder and contain a Trojan horse. This file contains the source code for TCP Wrappers version 7.6. This Trojan horse appears to have been made available on a number of FTP servers since Thursday, January 21, 1999 at 06:16:00 GMT. Copies downloaded prior to this time are not affected by this particular Trojan horse.”

“The Trojan horse version of TCP Wrappers provides root access to intruders initiating connections which have a source port of 421. Additionally, upon compilation, this Trojan Horse version sends E-mail to an external address. This E-mail includes information identifying the site and the account that compiled the program.”

A More Connected World

So, what does all this have to do with ancient Greeks? Well, firstly, we can see that the Trojan problem is nothing new. For as long as people have been assigning trust to others, people have been ready and willing to exploit it. As we stated above, the Trojan problem has a long history. The problem with this is that people tend to have fixed ideas about what a Trojan can and cannot do - ideas that may not be valid in the evolving connected world.

The Internet provides the ‘new age’ Trojan with two vital abilities:

• The ability to become widespread, affecting a large number of machines.

• Much more dangerous triggers.


Consider the Trojan Horse as compared to a virus. While a virus contains the ability to spread quasi-autonomously from one object to another, the Trojan relies on a victim either being sent the file directly from an attacker or inadvertently obtaining the file from an innocent third party. Thus, all things being equal, a virus infection may be self-sustaining, whereas a Trojan is likely to remain isolated. However, as computers have become more networked, it has become increasingly easy to distribute a Trojan to many tens of thousands of machines in one operation. Network-wide services like Usenet provide a massive population for a would-be attacker. Furthermore, few resources are required to carry out this distribution - the system will ‘replicate’ the file worldwide in a matter of hours. Indeed, this large degree of spread has caused some researchers to consider the Internet analogous to the infection mechanism of computer viruses.

While it is certainly true that the Internet has given anyone the ability to spread a piece of malware to literally millions of potential victims with one point and click, the effect is secondary to the following point: the Internet provides Trojan Horses (and viruses) with potentially much more damaging triggers.

In The Risks Digest, Volume 20, Issue 19, Fred Cohen made the following claim:

“I just got a look at a Word file (CALIG.DOC) that contains user IDs and passwords to pornographic sites. In addition to these pointers, it has a Trojan Horse that finds the user’s private PGP key ring and ftp’s it to: 209.201.88.110 (codebreakers.org)”.

While the sample I received was of the virus Caligula, the veracity of the claims made is relatively unimportant. Virus or Trojan, it is easily possible to create a file with the described behaviour. Fortunately, the trigger described is relatively harmless, as the secret ring is protected by a pass-phrase. However, it does give a taste of what may be to come.

The homogenization of the desktop platform, such that a single executable will run pretty much anywhere within the Microsoft product range, is both a blessing and a curse. The compatibility makes communication and sharing of software much easier; on the flipside, one can write a Trojan designed around a single API that will have an almost limitless number of potential hosts. Furthermore, that API allows for quick and simple creation of sockets and connections, with the underlying OS taking care of details like host resolution and routing. The result is that a Trojan no longer has to concern itself with isolated damage - it can now go about the task of allowing intruders into the network.

The ability for Trojans to essentially compromise the security of a network is a very dangerous one. While the AOL Trojans simply obtain an account password and send it back to a predetermined mail-drop, more complex Trojans could simply and easily provide a way in to a network for a hacker.

Let The Walls Fall Down...

While it is too soon to tell how often such a strategy might be used when attempting to gain access to a particular network, the potential is there. I have experimented with Trojans as an attack mechanism during penetration tests with mixed results - while there are few sites which cannot be taken by other means, they are a useful weapon. Unless a firewall allows no outgoing services whatsoever, it is possible to construct a Trojan that can circumvent that particular protection even if all outgoing services are handled by a proxy! Thus, having even the latest and greatest firewall in place is not sufficient to make up for poor host-based security - a fact that is as true in the general security arena as in just this facet of it.

Given that a ‘secure perimeter’ is not enough to protect from Trojans, we must focus our attention on something that works more effectively at a host level. One proposed solution offered by several of the larger anti-virus vendors is to treat Trojans as one would a virus, making use of pattern recognition, expert systems and heuristics. While this approach seemed to be fairly successful in the case of AOL Trojans, the scope is too wide for this to be suitable for generic Trojans. There is one possibility, though, which makes this solution potentially useful: behaviour. While there is not enough research available to be conclusive, it appears that in general it is the same set of Trojans (or minor variants thereof) which are circulated. If this remains the case, known-Trojan detection is of some limited value, as it will provide protection from a casual attack. However, the drawback with this technique is that it provides little or no detection of new or custom-built Trojans, thereby engendering a possibly false sense of security.

Other anti-malware solutions seem equally far behind, either rendering a computer effectively unusable, or requiring the user to approve manually virtually every action a new program takes. Before this evokes a howl of outrage from all such vendors, I am absolutely happy to be proved wrong in this respect: if any vendor thinks they have a bulletproof and practical solution to the Trojan problem for either Win95 or Win98, they are welcome to E-mail me their products. If I cannot devise a way around their system and the computer is not reduced in normal functionality, I will try and report my error in a later column... I suspect few, if any, will take up the challenge.

Conclusions

The Trojan problem is a tough one to crack. I personally believe that because any usable definition of a Trojan will include what a user believes a file will do, it will be impossible to create a purely technical solution that is bulletproof. That said, it is possible to significantly lower the risk that Trojan Horses pose to your organization. Any unknown executable can contain a Trojan. While the risks are mitigated by the Java sandbox concept, there are still plenty of under-exploited vistas for the Trojan writers, including Office documents and ActiveX components.

While there are tools that can help limit your exposure, there is no substitute for good host-based security and good user practices. Teach your users to be suspicious of all incoming executables, and, more importantly, teach them what an executable is. Make hosts as secure as possible, to limit the damage caused by executing a Trojanized program, and employ monitoring tools which at least let you know when something has changed on your network.

At this time, the good news is that Trojan attacks are fairly rare; however, as the recent CERT advisories indicate, that may be changing. Having the ‘wrong ideas’ about Trojans and their risks might get you and your users into a lot of trouble. Even the advice of obtaining software from trusted sources is not bulletproof - on a critical Unix system, there is increasing pressure to actually check the source of utilities received. Finally, it is worth noting that the cliché that “security is only as good as its weakest link” is such because it is true. How vulnerable are your systems to a Trojan Horse?
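The column's two closing recommendations, monitoring tools that report when something on a host has changed and actually checking the source of utilities you receive (the TCP Wrappers case above), as an added Python example that is not part of the original column. The archive bytes, file names and digests are constructed samples; in practice the trusted digest would come from a channel independent of the FTP mirror.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_archive(data: bytes, trusted_digest: str) -> bool:
    """Check a received archive against a digest obtained out of band.
    A checksum fetched from the same mirror as the archive proves nothing:
    whoever altered the tarball can republish a matching checksum."""
    return hmac.compare_digest(sha256_hex(data), trusted_digest.lower())

def baseline(root: str) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    base = Path(root)
    return {str(p.relative_to(base)): sha256_hex(p.read_bytes())
            for p in sorted(base.rglob("*")) if p.is_file()}

def diff_baseline(old: dict, new: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    common = old.keys() & new.keys()
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "modified": sorted(p for p in common if old[p] != new[p])}

# Constructed samples: a pristine archive and a copy with code appended.
GOOD_ARCHIVE = b"tcp_wrappers_7.6 pristine source (constructed sample)"
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b"\n/* lines inserted by an intruder */"
TRUSTED_DIGEST = sha256_hex(GOOD_ARCHIVE)  # in practice: from a trusted channel

def demo() -> dict:
    """Run both checks on constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "tcpd").write_bytes(b"original binary")
        Path(root, "hosts.allow").write_bytes(b"ALL: LOCAL")
        before = baseline(root)
        # Simulate a Trojanized install: one binary replaced, one file dropped.
        Path(root, "tcpd").write_bytes(b"replaced binary")
        Path(root, "unexpected.so").write_bytes(b"new file")
        changes = diff_baseline(before, baseline(root))
    return {"good_ok": verify_archive(GOOD_ARCHIVE, TRUSTED_DIGEST),
            "tampered_ok": verify_archive(TAMPERED_ARCHIVE, TRUSTED_DIGEST),
            "changes": changes}
```

Running demo() reports the pristine archive as verified, the tampered one as rejected, and the replaced binary and dropped file as changes against the baseline.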
