Home > Articles > Security > Software Security

Trojan Horses

  • Print
  • + Share This
This chapter is from the book

This chapter is from the book

Wrap Stars

Be afraid. Be very afraid.

—The movie, The Fly, 1986

Bad guys' Trojan horse ruses aren't limited to just playing games with names. Many attackers also combine their malicious code with an innocuous program to create a nice, cozy-looking package. By grafting together two programs, one malicious and one benign, an attacker can more easily trick unsuspecting users or administrators into running or ignoring the combined result. When unsuspecting victims receive the combined package and run it, the malicious executable embedded in the package will typically run first. Of course, the vast majority of back-doors don't display anything on the screen, so the victim will not see anything during this step, which usually takes less than a second. After the backdoor is firmly lodged on the victim machine, the benign program runs. For example, an attacker might take the Tini backdoor we briefly mentioned in Chapter 5 and combine it with Internet Explorer. Given Tini's small size, the resulting program would be only 3 kilobytes larger than the original browser.

To marry two executables together, an attacker uses a wrapper tool. The computer underground uses several terms to refer to these tools, including wrappers, binders, packers, EXE binders, and EXE joiners. Figure 6.6 illustrates how an attacker uses a wrapper program. In essence, these wrappers allow an attacker to take any executable back-door program and combine it with any legitimate executable, creating a Trojan horse without writing a single line of new code! Even the most inexperienced attacker can easily create Trojan horses using this technique. This is the stuff script kiddie attackers fantasize about.

For an analogy of the operation of wrapper programs, consider the classic movie The Fly. As you might recall, in that epic feature, a scientist tests his new teleporter invention to whisk himself across his laboratory at the speed of light. Sadly, a simple housefly zooms into the teleporter pod just as he initiates his first short journey. The machine cannot handle

Figure 6Figure 6.6 Wrapper programs: Two programs enter and one program leaves with the combined functionality of both input programs.

two living beings in a pod, so it just combines the scientist and the fly at their most fundamental level into one very ghastly mutant combination of the two. That's essentially what wrapper tools do: combine two or more separate programs at a fundamental level into one package.

Wrapper Features

Some wrappers allow for combining two, six, nine, or even an arbitrary number of programs together. Others allow for the addition of static files into the mix. When the wrapper is run, it executes all included programs, and also unloads the bundled static files into the attacker's chosen places on the file system. With such capabilities, these wrappers are actually becoming the functional equivalent of souped-up install shields and SetUp programs.

For most of the popular wrapper tools available today, when a combined package file is executed, the malicious program and benign program will each show up as separate running processes in Windows Task Manager or Fport output. The two programs only live together in the file on the hard drive. When a user is duped into running the package, the two wrapped programs become two separate processes. Therefore, to hide the malicious processes, attackers use wrappers together with the deceptive naming schemes we discussed in the last section.

Some wrappers go even further by encrypting the malicious code portion of the resulting package, so that antivirus programs on the target system have more difficulty detecting the malicious program. Of course, to make the malicious program run on its target, the wrapper must add a decryption routine to the resulting package. Antivirus programs therefore look for the decryption code added by these popular wrapping tools. Attackers raise the bar by morphing the decryption code so that it dynamically alters itself to evade detection, using polymorphic coding techniques, as we discussed in Chapter 2.

The computer underground has released dozens of wrapper programs available for free download from the Internet. Table 6.4 shows some of the most popular and powerful wrapper programs available today. To analyze these and other wrapper tools in more detail, you can check out http://www.tlsecurity.net/exebinder.htm, a comprehensive Web site devoted to the fine art of wrappers. It's important to note that not all of these programs are inherently evil. They also have a variety of entirely legitimate uses for packaging and distributing useful software, not just Trojan horses.

Table 6.4 Popular Wrapper Tools

Wrapper Tool Name

Function of Wrapper Tool

AFX File Lace

This wrapper encrypts an executable and appends it to the end of another, unencrypted executable.


This program is the premier wrapper tool, with gobs of features, including:

The ability to bind together an unlimited number of executables.

A function to start programs in a specified order, with each program waiting for the other programs ahead of it to finish running before executing itself.

Built-in integrity checks to make sure the package hasn't been altered.


This tool converts executable programs (in EXE format) into Visual Basic Scripts (VBSs or VB Scripts). By packing the EXE inside of a VB Script, the attacker might be able to transmit a Trojan horse through e-mail filtering programs that block standard EXEs, but allow VB Scripts to pass through.

PE Bundle

This program bundles together an executable with all the DLLs required by that executable to run. With this combined package, the malicious software will be able to run on the target system even if some critical DLLs are not installed there.


Using this tool, a developer can create standalone programs originally written in the Perl scripting language that do not require a Perl interpreter to run. Also, the original Perl code isn't included inside the resulting executable, making reverse engineering the functionality of the executable code significantly more difficult than simply analyzing more easily understood Perl scripts. This nifty tool is available for both Windows and UNIX, turning a Perl script into an executable binary program. Binary executables can be created that will run on Windows or UNIX.

Saran Wrap

This easy-to-use GUI-based wrapper combines two executables together.


This so-called Teflon Oil Patch program combines up to nine executables together and sports a simple GUI.

Trojan Man

This wrapper combines two programs, and also can encrypt the resulting package in an attempt to foil antivirus programs.

Wrapper Defenses

To defend your systems against attacks involving Trojan horses created with wrappers, antivirus tools are really your best bet. By detecting the malicious code wrapped into a combination package and preventing its installation, antivirus tools stop the vast majority of these problems. Following the antivirus recommendations we discussed in Chapter 2 goes a long way in dealing with this problem.

  • + Share This
  • 🔖 Save To Your Account