Downloader Trojans


nesenovprint.qxd 13/11/2002 16:30 Page 4

hack of the month

Downloader Trojans

David Duke, Cryptic Software

In its simplest form a Trojan works by infecting the victim's computer with a 'SERVER' program. This server program then commonly opens a port or backdoor into the computer, which allows the hacker, who is using the Trojan CLIENT program, to connect to it. Once connected, the hacker is able to control the computer within the limitations of the client software.

The early Trojans were created as 'fun' toys, causing mischief rather than damage by opening the CD tray or turning off the monitor. Some Trojans had destructive capabilities, such as deleting files or folders and even allowing the hacker to format the victim's hard drive. As Trojans evolved to become more complicated, the server program increased in file size, making its presence more obvious and therefore suspicious to a potential victim. Most users wondered why they were being sent large files from strangers or even friends, and many ignored them or refused to run them for fear of what they would do.

Initially anti-virus software overlooked Trojans, but as the threat from this area increased it became necessary for anti-virus products to expand their indexing to include Trojans within their fingerprint databases. As new Trojans were developed and released they were added to the AV database; because these Trojans were significant in size, and any user-definable areas were relatively small compared to the total size of the executable, it was not difficult to devise methods of detection.

However, recently we have seen an increase in a new type of Trojan, called the 'Trojan Downloader'. This program is very simple in design but can be extremely effective. No special computer knowledge is required to use it; all that is needed is a file on the Internet and a URL to reference it. Some recent examples of Downloader Trojans are:

• Smoke downloader v1.1.
• EES Polymorphic downloader.
• Institution v1.0.

Figure 1: Screenshot of Smoke downloader v1.1

Figure 2: Screenshot of EES Polymorphic downloader

Figure 3: Screenshot of Institution v1.0

Whilst it is not a Trojan in itself, this program has the ability to infect the victim by causing the victim's computer to download and run a program from the Internet. Because these servers contain so little code and can be as small as 4k, they can be easily hidden within other small harmless programs, or even in active Web content, where the victim may not suspect anything unusual.

Some rules-based security systems have guidelines stating that if an attachment is smaller than xxx bytes it is not a threat. With traditional Trojans this was not a problem, but with the advent of Downloader Trojans the validity of this rule needs to be reviewed.

AV products also have a problem when attempting to detect this form of malicious attack: with so little code in the server, and most of the variation depending on what data is entered by the hacker, these servers can be very difficult to detect. Each time a hacker created a unique adaptation of the Trojan, this new type would


need to be added to the security software database. This is because each attacker would likely specify a different URL and a different file to be downloaded, significantly changing the 'profile' (fingerprintable formula) of the attachment. To make matters even more complicated, some Trojan Downloaders use polymorphic techniques to change the data and size of the 'server' each time one is created. This makes it difficult, if not impossible, to detect Trojan Downloaders using traditional methods. The only accurate method for detecting this type of threat is to use capability detection techniques, which do not rely on pattern matching in order to determine whether a threat is present.

Using this Trojan Downloader technique the hacker could remotely infect the victim with larger, more destructive material, such as tools that kill off firewalls and AV software, keyloggers, hard drive formatters or DDoS software; in fact any executable file could be used. It is because the Trojan Downloader is so small that it is becoming popular with the hacker community, and we predict an increase in the use and development

of Trojan Downloaders over the coming months. Trojan Downloaders also have the dubious distinction of belonging to that group of attack tools which are not only used by the original creator but are deliberately designed for use by the computer illiterate. See figures 1-3 for screenshots.

http://www.cryptic.co.uk

VOIP the latest security concern: DoS attack the greatest threat

Philip Hunter

The wall that has divided voice and data is at last being torn down within both enterprise and public carrier networks, yielding massive savings in overall communication costs. Converged networks reduce the total management overhead and also allow enterprises and carriers to develop new applications that exploit the tighter voice/data integration. The technical hurdles appear to have been overcome, until security rears its ugly head. Indeed, voice/data integration over common IP networks is the fastest rising security concern for both enterprises and carriers. The potential threats have been there for some years, but it is only in 2002 that they have become more widely appreciated. This is largely because this is the year during which, by common consent, the tide towards voice over IP (VOIP) has become inexorable. Although legacy circuit-switched voice networks will survive for some time, there is hardly a carrier or enterprise that is not now expecting a progressive migration towards VOIP. As the time of reckoning approaches, attention has shifted from quality concerns to the new security threats that VOIP brings on both sides of the fence, i.e. for both voice and data. Put simplistically, the threats are of two types.

On the one hand, the voice service could be jeopardized by sharing the same network with data and therefore become exposed to the same threats. On the other hand, existing data applications are exposed to new forms of attack by having the same network opened to voice. So the concern extends to both the voice and data camps, leading to double resistance to VOIP within some enterprises. Yet as Paul Strauss, research manager for enterprise networks at IT analysis company IDC, pointed out, organizations would be making a huge mistake if they allowed security considerations to deter them from migrating to VOIP, because the strategic benefits are so enormous. It is important therefore to tackle the security issues head on, rather than just hoping the horse won't bolt through the open stable door.

Taking the threats to voice first, the fundamental issue is that before VOIP all conversations were conducted along dedicated circuits that were either fixed, for private networks, or set up temporarily and torn down afterwards, in dial-up networks. Either way, each call session was shielded both from other voice calls and from other forms of electronic traffic such as data. This made it easier both to protect voice networks from the kind of attacks that data networks were subject to, and to ensure that the service was highly reliable. Having a dedicated circuit-switched connection ensured that voice was transmitted with almost constant and low delay. These factors, coupled with the greater maturity of voice networks and the equipment that serves them, mean that voice services have become extremely reliable, available for at least 99.999% of the time, which translates into roughly five minutes of downtime a year. Most data services are as yet nowhere near that level, except for highly critical applications where exceptional investment can be justified to achieve ultra-high reliability through redundancy. The fear for many enterprise managers of voice services is that VOIP will bring voice availability down to the level of data rather than the other way round. There is also the fear that voice networks will become subject to denial-of-service (DoS) attacks and other threats
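The following is an added example for the Downloader Trojans column above; it is not code from that article or from Cryptic Software, and the "samples" it scans are synthetic byte strings built inline, not real malware. It shows why a whole-file hash signature and a "small attachments are safe" size rule both miss a re-configured or padded downloader stub, while a check for the capability the column describes (fetch a file from a URL and run it) flags every variant and leaves a benign blob alone. The Windows API names used as indicators, the byte layout of the stub, the 16 KB threshold and the example.invalid URLs are all assumptions of this example.

```python
"""Signature vs size-rule vs capability detection on synthetic downloader stubs.

Everything below is constructed for the demonstration; the blobs are inert
data and are never executed.
"""
import hashlib
import re

# Assumed indicators of fetch-and-run capability. These API names are an
# assumption of this example (the article names no APIs); a production
# scanner would read the PE import table rather than grep raw bytes.
FETCH_APIS = (b"URLDownloadToFileA", b"InternetOpenUrlA", b"InternetReadFile")
EXEC_APIS = (b"WinExec", b"ShellExecuteA", b"CreateProcessA")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

# The kind of "attachments under N bytes are harmless" rule the article says
# no longer holds. The threshold is a made-up value.
SIZE_THRESHOLD = 16 * 1024


def build_stub(url: bytes, save_as: bytes, padding: int = 0) -> bytes:
    """Assemble a synthetic downloader 'server' for the demonstration.

    Layout is invented: a fake header, an import-name block, a config block
    holding the attacker-supplied URL and target filename, and optional junk
    bytes standing in for polymorphic padding.
    """
    header = b"MZ" + b"\x90" * 64
    imports = b"\x00".join(FETCH_APIS + EXEC_APIS) + b"\x00"
    config = b"CFG\x00" + url + b"\x00" + save_as + b"\x00"
    junk = bytes((i * 37 + 11) % 256 for i in range(padding))
    return header + imports + config + junk


def fingerprint(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def signature_match(sample: bytes, known_hashes) -> bool:
    """Pattern matching at its simplest: whole-file hash lookup."""
    return fingerprint(sample) in known_hashes


def size_rule_flags(sample: bytes) -> bool:
    """The broken heuristic: only files at or above the threshold are suspicious."""
    return len(sample) >= SIZE_THRESHOLD


def capability_flags(sample: bytes) -> dict:
    """Capability detection: does the blob carry both a way to fetch content
    from a URL and a way to run it? Independent of hash, size, URL and padding."""
    can_fetch = any(api in sample for api in FETCH_APIS)
    can_exec = any(api in sample for api in EXEC_APIS)
    return {
        "downloader": can_fetch and can_exec,
        "urls": [u.decode("ascii") for u in URL_RE.findall(sample)],
    }


def compare_detectors() -> dict:
    """Run the three detectors over a learned sample, two untrained variants
    and a benign blob. Only the learned build hits the hash database; every
    stub stays under the size threshold; capability detection flags all three."""
    learned = build_stub(b"http://example.invalid/payload.exe", b"svc.exe")
    known = {fingerprint(learned)}  # the AV vendor has seen exactly this build
    variant = build_stub(b"http://example.invalid/other.exe", b"upd.exe")
    poly = build_stub(b"http://example.invalid/other.exe", b"upd.exe", padding=777)
    benign = b"MZ" + b"Hello, world\x00" * 20  # constructed non-downloader blob

    results = {}
    for name, blob in (("learned", learned), ("variant", variant),
                       ("polymorphic", poly), ("benign", benign)):
        results[name] = {
            "bytes": len(blob),
            "signature": signature_match(blob, known),
            "size_rule": size_rule_flags(blob),
            "capability": capability_flags(blob)["downloader"],
        }
    return results


if __name__ == "__main__":
    for name, r in compare_detectors().items():
        print(f"{name:12} {r['bytes']:5d} B  signature={r['signature']!s:5}  "
              f"size_rule={r['size_rule']!s:5}  capability={r['capability']}")
```

The point of the comparison is the second and third rows: changing only the URL and filename, or appending junk, defeats the hash and never trips the size threshold, yet the fetch-plus-execute capability is unchanged. A real capability scanner would resolve imports properly and account for packing and obfuscation, which the substring check above does not.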
