Trojan Horses
A Trojan horse presents itself as something other than what it actually is at the point of execution. It might announce its real activity after it has been launched, but that information is not apparent to the user beforehand. Unlike a virus or worm, a Trojan horse neither replicates nor copies itself; it relies on someone sending it or on another program carrying it, and it can arrive as a joke program, a utility, or software of almost any kind. Its malicious payload is anything undesirable to the computer's user, from destroying data to compromising the machine by giving another attacker a means of access that bypasses normal access controls. Like the spyware discussed earlier in this chapter, Trojan horses are often bundled with interesting new games, desktop themes, or all manner of other enticements to persuade the user to install the package.
Once installed, a Trojan horse typically provides the apparent functionality the user expected while performing other tasks behind the scenes, leaving the user unaware. Trojan horse programs often communicate with their creator over Internet Relay Chat (IRC) channels, allowing the creator to reconfigure the program after installation and even to publish updates that the program applies automatically. Table 2-2 lists a few of the more common security risks posed by Trojan horse infections.
Table 2-2 Common Risks Carried by Trojan Horses

Risk          | Examples
--------------+------------------------------------------------------------------------------------------
Remote access | Services can be enabled or ports can be opened.
              | Remote-control utilities can be installed, allowing control of the computer's console.
Monitoring    | Console duplication can allow shoulder-surfing by remote operators.
              | Keystrokes, URL history, and other data can be collected and relayed to the creator.
Data relay    | Unauthorized file-sharing services can be implemented, allowing the creator to distribute contraband data through the compromised host.
              | Spam relay programs can be implemented, allowing the creator to hide the origin of spam messages.
Softening     | Trojan horse programs can replace common applications on the host computer, creating vulnerabilities and softening the host's defenses.
              | Trojan horse programs can also be used to coordinate mass network-scanning or network attack efforts, making it harder to detect a profiling scan or attack that comes from tens of thousands of separate computers controlled by the program's creator.
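The "Softening" row of Table 2-2 describes a Trojan replacing common applications on the host. The standard check for that is a file-integrity baseline: hash every binary while the host is known-good, keep the baseline somewhere the host cannot alter it, and compare later. The following Python is an added example written for this chapter, not code from the original text. It builds and seals such a baseline, then detects a replaced binary and a newly dropped file in a constructed temporary directory. The directory layout, file contents, and the HMAC key are all constructed for the demonstration; in practice the baseline and key must be kept off the host, since a Trojan running with sufficient privilege could otherwise rewrite both.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def seal_baseline(baseline: dict, key: bytes) -> str:
    """Serialize and MAC the baseline, so a Trojan that can write files on the host
    cannot also quietly rewrite the baseline to match its replacements."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), "sha256").hexdigest()
    return json.dumps({"baseline": body, "hmac": tag})


def open_sealed_baseline(sealed: str, key: bytes) -> dict:
    """Verify the MAC before trusting the baseline; raise on any mismatch."""
    doc = json.loads(sealed)
    expected = hmac.new(key, doc["baseline"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline has been tampered with or the key is wrong")
    return json.loads(doc["baseline"])


def check_against_baseline(root: str, baseline: dict) -> dict:
    """Report files whose hash changed, files that vanished, and files that appeared."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: two 'binaries' are baselined, then one is replaced
    and a new helper is dropped next to it, as a Trojan would do."""
    key = b"off-host-key-for-the-example"  # constructed; keep the real one off the host
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary (constructed)")
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"original ps binary (constructed)")
        sealed = seal_baseline(build_baseline(root), key)

        # Simulated Trojan activity: replace ps with a version that could hide its
        # own process, and drop a remote-control helper alongside it.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"trojaned ps binary (constructed)")
        with open(os.path.join(root, "bin", "rc-helper"), "wb") as f:
            f.write(b"remote-control helper (constructed)")

        report = check_against_baseline(root, open_sealed_baseline(sealed, key))

        # The Trojan now tries to rewrite the stored baseline to match the new
        # files without knowing the key; the HMAC check rejects it.
        forged = json.loads(sealed)
        forged["baseline"] = json.dumps(build_baseline(root), sort_keys=True)
        try:
            open_sealed_baseline(json.dumps(forged), key)
            report["baseline_tamper_detected"] = False
        except ValueError:
            report["baseline_tamper_detected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report lists the replaced `bin/ps` as modified and the dropped `bin/rc-helper` as added, and the forged baseline is rejected. A real deployment would also record file ownership and permissions, and would run the checker from read-only media or a separate host, since a Trojan that has replaced `ps` may just as well have replaced the checker.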
A subtype of the Trojan horse is the back door: a mechanism deliberately built into software that bypasses the normal security measures protecting access to resources on the affected computer. Programmers occasionally leave hidden shortcuts in their code, such as a maintenance password or a debugging entry point, to ease development or testing; if these survive into the shipped product they are back doors, whether or not that was intended. Attackers might also exploit one or more security weaknesses to plant their own back-door program somewhere within the network.
An attacker implants a back door to guarantee later access to the computer without having to repeat the original compromise. Remote-access tools can provide that back door directly, or they can gather enough information, such as key-logged credentials, for the attacker to bypass normal authentication altogether. Back doors are particularly troublesome for network administrators trying to track down the party responsible for network misuse, because the access looks like that of an authorized user or originates from a host the attacker does not own.
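The hidden development shortcut described above is easiest to see in code. The following Python is an added example, not code from the original text: a login routine with a hypothetical maintenance password that is checked before the real credentials, beside a hardened version that consults only the credential store, plus a small heuristic scanner that flags literal secret comparisons in source text. The account, its password, the salt, and the `letmein-dev` shortcut are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed credential store: one account with a salted, iterated
# PBKDF2-HMAC-SHA256 hash. In a real system this comes from a database.
_SALT = bytes.fromhex("a1b2c3d4e5f60718")  # fixed so the example is deterministic
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS = {
    "alice": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}


def authenticate_with_backdoor(username: str, password: str) -> bool:
    """Vulnerable form: a developer's maintenance shortcut (hypothetical) is
    consulted before the credential store, so it works for any username and
    leaves no failed-login trail to distinguish it from a real user."""
    if password == "letmein-dev":          # the back door
        return True
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def authenticate(username: str, password: str) -> bool:
    """Hardened form: only the credential store decides, and the comparison
    is constant-time."""
    record = USERS.get(username)
    # Hash even for unknown users so response time does not reveal which names exist.
    salt, stored = record if record is not None else (_SALT, bytes(32))
    candidate = _hash_password(password, salt)
    return record is not None and hmac.compare_digest(candidate, stored)


# Heuristic static check for the pattern above: a secret-looking variable
# compared directly against a string literal. It will not catch a shortcut
# hidden behind a constant or an encoded value; it is a first pass, not proof.
_SECRET_LITERAL = re.compile(
    r'\b(?:password|passwd|pwd|secret|token)\w*\s*==\s*["\']', re.IGNORECASE
)


def find_literal_secret_comparisons(source: str) -> list:
    """Return 1-based line numbers where a secret is compared to a literal."""
    return [
        i for i, line in enumerate(source.splitlines(), 1)
        if _SECRET_LITERAL.search(line)
    ]


# Constructed source snippet for the scanner; line 3 carries the shortcut.
SAMPLE_SOURCE = """\
def login(user, password):
    record = lookup(user)
    if password == "letmein-dev":   # hidden maintenance shortcut
        return True
    return verify(record, password)
"""


if __name__ == "__main__":
    print("backdoor login as mallory:", authenticate_with_backdoor("mallory", "letmein-dev"))
    print("hardened login as mallory:", authenticate("mallory", "letmein-dev"))
    print("flagged lines:", find_literal_secret_comparisons(SAMPLE_SOURCE))
```

Note what the vulnerable form gives up: the shortcut works for a username that does not exist, and a successful login through it looks identical in any log to a legitimate one, which is exactly why the text calls back doors troublesome for administrators trying to trace misuse. Code review and a scanner such as the one above catch the crude literal-comparison case; shortcuts hidden behind encoded or computed values require tracing every path that returns "authenticated".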