Trojan Malware: From Non-profit to Commercial Criminals (A Brief History)
Last updated Oct 27, 2006.
Remote access trojans have come a long way since their first appearance in the 1990s. The first trojans were very simple, and the author of one of the first popular Trojans, "NetBus," claimed his program was meant for pranks and nothing else. In fact, the word NetBus literally translates from Swedish to English as "net prank."
During the late 90s the underground Trojan malware scene flourished, and new trojans were constantly emerging. Most of these trojans were written by teenagers with only rudimentary programming skills. The script kiddies who used these trojans also had to worry about becoming infected themselves, as some of the trojans had backdoors in the client software.
Huge communities of Trojan authors and users sprang up. Their sites featured forums where Trojan users would brag about their victims, post screenshots, or share the IP addresses of infected computers. These underground communities flourished unchecked. Techniques for infecting victims were discussed, as well as ways of keeping the various Trojan servers undetected by virus scanners.
Trojans for Free
At first, Trojan authors never charged anyone to use their software. The free-for-all spirit of the internet was maintained during the early years of Trojan malware. Not only did Trojan authors give away their software for free, they often gave away source code and source code snippets, which enabled other coders to create still more trojans.
At one stage it was not uncommon for a script kiddie to scan a range of 255 IP addresses and find at least 20 machines infected with Back Orifice or NetBus. Infections were widespread, and the fact that there were initially only two main trojans made it a lot easier for script kiddies to have some fun. Virus scanners were optional, and the vast majority of people did not even know what a firewall was.
The Trojan explosion was its own undoing in terms of the number of infected people. Too many authors were writing Trojans, and too many people were realizing that they needed antivirus scanners. Free trojans were no longer as popular as they had been, as they were easily detected by victims. The large Trojan communities started closing down under pressure from law enforcement agencies and ISPs, and as members left.
By 2002/2003, being a Trojan author was no longer as glamorous or "elite." Trojan authors were being targeted by various law enforcement agencies. Trojan communities were a minefield of antivirus researchers trying to obtain the latest trojans as they were released, and Trojan programmer groups had even been infiltrated by antivirus researchers. It is rumored that some of the more skilled programmers in the Trojan scene went on to get jobs as programmers on commercial remote administration software projects.
The Commercialism of Malware
Trojan authors slowly realised that creating free malware would not pay the bills. The golden days of the Trojan scene were over — the Trojan users had in some cases exploited the Trojan software to gain financial benefit from their victims. Antivirus companies were reported to love the Trojan explosion; more malware meant more press releases for them. They had never had it so good.
Trojan users demanded Trojan servers that could not be detected by antivirus software. Trojan authors realised this was a chance for them to get paid, and get paid they did. The Trojan scene moved from a freeware setup to a largely commercial operation in a matter of months. Malware became a commodity, and unless the AV industry was willing to pay for it, chances were the software would remain undetected. This is still the case today in the Trojan scene.
The Organized Crime Connection
It did not take long for organized criminals to realize there was money to be made with malware on the internet. Organized crime gangs, either made up of hackers or employing hired hackers and programmers, started creating their own custom malware trojans. These Trojans were designed not for pranks but for stealing files, distributed denial of service, and damaging remote computers.
These organized crime syndicates operate today, and one of their main objectives is to build large DDoS bot networks. The larger the better, as these networks give them more leverage over potential victims. Once the criminals have a bot network large enough, they start using it to extort money from sites. The sites they normally target are those involved in gambling and pornography. They don't target these sites out of any interest in those areas; they target them because such sites have large cash turnovers and can afford the exorbitant demands made of them.
It is hard to get accurate figures on the amount of extortion that occurs online. The sites that are extorted are often hesitant to go to the police, as they may not be declaring taxes, for example. They are soft targets.
Trojans as Commercial Spy Tools
An extremely large — possibly the largest in the world — spying and espionage Trojan attack was discovered in Israel in 2005. The criminals had used a custom-made Trojan that they placed on a Compact Disc presentation. Most people's computers are set to autorun CDs, and the Trojan coders used this to their advantage. They mailed the infected CDs to companies, and when a CD was inserted and autorun fired, the computer was instantly infected.
The Trojan was reportedly created by a software programmer living in England and developed for private investigators. The software developer would customize the Trojan to meet each private investigator's needs. The investigators used the Trojan to steal information for competing companies. It is estimated that over twenty different top Israeli companies had been infected with this Trojan, and the spying had gone on for quite some time.
Recently, another example of Trojan spyware started to make waves in the gaming community. If you purchase the Battlefield Earth 2142 game, the first thing you see when you open the box is a warning that the game spies on various aspects of your browsing habits. Didn't EA learn its lesson from Sony's rootkit debacle? Unfortunately, many people seem not to care about this invasion of privacy, which means other companies will find the spyware type of Trojan too attractive to pass up.
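The CD vector described above worked because Windows read an autorun.inf from inserted media and launched whatever its directives named. The following is an added example, not code from the original article: a small Python audit that parses a constructed autorun.inf (the [autorun] section format Windows honoured at the time) and reports which directives would cause code to run on insertion, so media images can be checked before they ever reach an autorun-enabled machine.

```python
"""Audit an autorun.inf for directives that would execute code on insertion."""
import configparser
from typing import Dict, List

# Constructed sample, not taken from any real CD: an [autorun] section whose
# 'open' directive names a program that Windows would launch on insertion.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=presentation.exe /quiet
icon=presentation.ico
label=Product Presentation
shell\\view\\command=presentation.exe
shell\\view=&View presentation
"""

# Directive names whose values Windows passes to the shell for execution.
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a lower-cased key -> value dict."""
    # autorun.inf is INI-like with '=' delimiters; keys are case-insensitive,
    # which ConfigParser's default optionxform (lower-casing) handles for us.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    parser.read_string(text)
    for section in parser.sections():
        if section.lower() == "autorun":
            return dict(parser.items(section))
    return {}


def executable_directives(entries: Dict[str, str]) -> List[str]:
    """List every directive that names something to run: open, shellexecute,
    or a shell\\<verb>\\command entry (a context-menu verb bound to a command)."""
    found = []
    for key, value in entries.items():
        is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_verb_cmd:
            found.append(f"{key}={value}")
    return found


def audit(text: str) -> dict:
    """Summarise whether inserting media with this file would launch code."""
    entries = parse_autorun(text)
    return {
        "has_autorun_section": bool(entries),
        # Only open/shellexecute fire automatically; shell verbs need a click.
        "auto_executes": any(k in entries for k in EXEC_KEYS),
        "directives": executable_directives(entries),
    }
```

Running `audit(SAMPLE_AUTORUN_INF)` flags the `open` directive as auto-executing and lists the bound shell verb as a second, click-triggered launch path.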
Lessons to be Learned
The main lesson to be learned from this section is that even the best antivirus software will not protect you from well-designed commercial trojans. Intrusion detection software, a firewall, and registry and system monitoring software are essential in your security arsenal. Illicit Trojans are not the widespread threat they were in the late 90s; they are, however, a more insidious and dangerous threat these days. Ironically, the biggest threat users have to fear is that the software companies they trust will start using Trojan-like programs to "monitor" their activity. Stay secure.