This chapter discussed Trojan horses, which are computer programs that appear to be benign, but really include hidden malicious code. The term Trojan is often abused, being applied to any type of backdoor. However, the term should only apply if that backdoor is disguised as some benign program. Attackers use Trojan horses to sneak onto systems and hide there, without triggering the suspicion of administrators or users.
One of the simplest Trojan horse strategies involves giving a malicious program the name of a benign program. By including many spaces between the program's name and suffix on a Windows machine, such as just_text.txt .exe, an attacker can trick some users into running an executable application, thinking it's just text. Also, attackers choose program suffixes or names from those programs that would normally be installed and running on the victim machine, such as init, inetd, iexplore, and notepad. To defend against this technique, system administrators must become very familiar with their systems, so that they know what programs should normally be running on them. With this detailed familiarity, a counterfeit can be spotted and investigated. The Fport tool helps this process by showing which programs are listening on TCP and UDP network ports. Additionally, filter .EXE, .COM, .SCR, and other related programs at your Internet gateway.
Attackers also use wrapping programs to combine two or more executables into a single package. The victim is duped into thinking that the combined package is sweet and innocent. When it's run, however, the package first installs the malicious code, and then executes a benign program. Wrappers let an attacker create Trojan horses by marrying malicious code to benign programs, without writing a single line of code themselves. Antivirus tools are one of the best defenses against wrapper programs.
Attackers are also increasingly targeting software distribution channels to distribute Trojan horses, including snail-mail and Web site downloads. The main OpenSSH, sendmail, and tcpdump Web sites were all conquered by an attacker and used to distribute malicious code. The Trojan horse built into the tcpdump distribution communicated with an attacker across the network and supported shoveling a shell back to the attacker. To defend against this type of attack, make sure you check the integrity of all downloaded software across multiple mirrors using MD5 hashes. Also, test software before putting it into production to look for squirrelly functionality, such as backdoor listeners and sniffers.
If attackers get jobs with or break into software development firms, they could even Trojanize the source code of a product, infecting unsuspecting users of the code with malware. This trend is exacerbated by the enormous complexity of today's software, the limitation of relying solely on software testing (as exemplified by the large number of Easter eggs), and the move toward international software development. To defend against this attack vector, make sure you have strong integrity controls and test regimens for software used in your environment.
The Setiri tool is an extremely powerful Trojan horse. Although it was never publicly released, concepts from Setiri are trickling into other Trojan horse tools. The Setiri code runs an invisible Internet Explorer window to send requests for commands through a personal firewall and any network filtering devices to a connection broker. The attacker plants commands on the connection broker for the Setiri victim to execute. To defend against Setiri and related tools, make sure to keep anti-virus programs up to date and consider blocking access to the more popular anonymizing Web surfing proxies.
The Hydan tool embeds messages of any kind inside of executable programs using polymorphic coding techniques. Hydan stores data by selecting from different sets of functionally equivalent instructions. To defend against tools like Hydan, guard the integrity of your critical system files using tools such as Tripwire, Osiris, and AIDE.