Zombies and bots are just the opening parries from an emerging form of malware

Dark Reading Staff, Dark Reading

May 19, 2006

4 Min Read

While the lines between viruses, worms, and Trojans get murkier every day, it's easier to consider them if you think about their underlying purpose. Typically, viruses spread via email and have benign payloads. Worms spread by other channels – instant messaging, SNMP, RSS (not yet, but coming), and any number of Microsoft protocols. Worms usually have benign payloads as well. Their purpose is to spread as rapidly as possible.

While the original Trojan Horse was used to sneak Greeks into Troy, the common meaning today actually refers to the payload that gets deposited on your computer. Trojans typically grant a hacker remote access to your computer. From there, they use this open door to install whatever they choose. Several of these allow the hacker to open the CD tray on your computer or make it beep just for fun.

It's not all fun and games. So-called zombie or bot programs quietly await a command and then launch an attack against some named target. Others are used to install adware to generate revenue for the hacker. And, of course, it is easy to install software to record everything you type or even everything you say into your laptop's microphone. Trojans are such a good source of revenue that many viruses and worms now install them.

Anti-virus companies employee legions of researchers, honey pots, and customers to find viruses as soon as they appear in the wild. It takes on average about six hours to find, classify, and push out a new definition to your desktop. The Achilles heel of the whole industry is that these research techniques can do nothing to protect you against a custom virus or Trojan.

Custom malware is easy to create. Take the source code of an existing Trojan or virus, and modify it so that existing anti-virus and anti-spyware programs do not recognize it. And even if you or your IT department finds the Trojan, it does no good to report it, because it is not "in the wild." So the developer of the custom Trojan can reuse his wares against other targets.

The infamous Trojan developed by Michael Haephrati and used to steal competitive information from dozens of companies in Israel was a custom Trojan. Now China is engaging in industrial-scale fishing expeditions against U.K. businesses and government agencies using a two-pronged attack.

The routine goes like this: First, a custom virus is sent in to harvest email addresses. It stays only within the target domain. Then, emails are sent to those addresses containing the custom Trojan. The reply-to addresses all appear to be within the same organization, making them more likely to be opened. Would you not open an email from your boss that said “Annual Appraisal Attached, Open Immediately”?

There is no real defense against these types of attacks. You could block all attachments, at great cost to productivity. You could squander resources on employee security awareness training. Today's AV and anti-spyware products are not designed to discover the custom Trojan.

Some effective measures might include:

  • Use firewalls and proxies to prevent internal communications from desktops back to the attacker. Block FTP, Telnet, and SSH sessions. While this has been working in the U.K. and would have worked against Haephrati's Trojan, it won't be long before the custom Trojan writers modify them to use any channel available to phone home: email, Skype, Web, etc.

  • Use various host intrusion-prevention systems that have a chance of recognizing the surreptitious behavior of the Trojan and blocking it. Sana Security, McAfee, eEye, Determina, and Symantec all have products designed to do that. They are not silver bullets but have a good shot at catching the custom Trojan.

  • Use a white list to only allow known good stuff to work. Websense has a client that enables this while also blocking outbound communication to known bad IP addresses.

Custom Trojans are part of the new face of cyber threats, and they're targeting your information, organization, and assets. If you thought zero-day worms were something to worry about, add these to the list, too. Custom Trojans do not need to rely on vulnerabilities to execute. They are undetectable with your current desktop or network protections. And the people behind them intend to do you harm.

— Richard Stiennon is founder of IT-Harvest Inc. Special to Dark Reading

Companies mentioned in this article:

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights