Welcome to Volume 2, Issue 21 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.
TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.
Enjoy, and be safe,
Dave
In this issue, Todd Eastman explains how to find and remove five common Windows Trojans. Some might react to this column by asking "doesn't my anti-virus software do this for me?" The answer isn't that simple. Many 'net users still don't run anti-virus software. Others run A/V software that is not routinely, or even occasionally, updated with virus definitions. Until recently this could be attributed entirely to laziness or lack of understanding, but as anti-virus vendors begin charging for automated A/V update services delivered over the Internet, it's very possible that the number of single-license owners (read: consumers) currently protected will decrease. Allowing your A/V definition update service to lapse can be costly. In my opinion, the manual method of identification and eradication Todd presents amply illustrates how valuable a subscription service can be: I can't imagine spending my time digging through a Windows Registry to eradicate the "Trojan of the Day".
Todd H. Eastman
Many people still don't know exactly what a Trojan Horse is. Even those in the IT industry often use the term incorrectly. A Trojan Horse is a means of delivery, not necessarily a program or virus in its own right. The name comes from the legend of the fall of Troy and refers to the giant wooden horse that Ulysses used to defeat the people of Troy. Believing it to be an offering to the Gods, the Trojans brought the horse into the city. But Greek soldiers hidden inside the horse opened the gates of Troy, and so the city fell not to the power of the Greek armies but to a malicious deception. The term Trojan Horse has since come to describe malicious software that is stealthily installed on an unsuspecting user's computer by disguising it as something the user wants.
Even mighty Microsoft has discovered itself vulnerable to the Trojan Horse. The recent disclosure that Microsoft's systems had been penetrated was a major news event. The intrusion began with a Trojan Horse program called QAZ. QAZ allowed the intruder to gather employee logins and passwords. The intruder used these accounts to eventually access confidential company information and software.
Methods of Infection
The Trojan Horse method of infecting a computer generally takes one of three forms. The most common is delivery via an email attachment; the infamous Love Bug and Melissa viruses are two good examples. Another method is to trick someone into downloading and installing a program from a web site that is supposed to be a cute game or to perform some other neat trick. Some of these programs even work as advertised while also installing a virus or back-door program. Some varieties of Back Orifice claim to disinfect a computer, when in fact they do the exact opposite by installing the back-door. A back-door is a program that provides an intruder with the ability to remotely control or misuse your computer. We'll consider several back-doors later in this column.
The third method can be potentially more dangerous than either of the others, because it needs no help from the victim. It entails accessing computers directly over NetBIOS on TCP port 139. If your computer has file and printer sharing enabled without password protection, and port 139 is reachable from the Internet, that computer is wide open: an intruder can browse your files as if they were on his (or her) own PC, which means he can read, copy, delete, and write to your hard drive. Installing a back-door program is then as simple as copying its installer into your Startup folder, where it runs the next time you log on. On NT, "net share" at a command prompt lists the shares your machine is offering; if you don't need to share files at all, unbind File and Printer Sharing from the TCP/IP adapter that faces the Internet.
So how do you know if your system has been infected? Sometimes the infection is obvious: your entire network slows to a crawl and everyone in your Outlook address book starts receiving strange email messages from your account. But it is the quieter programs that may present the highest risk, because they don't announce themselves. Even these, however, usually leave a trail of evidence, typically an autorun entry, an unexplained process, or a listening port.
Frequently Encountered Trojan Horse Software
The following are five very common Trojan Horse programs, and I'll explain how to detect and remove them. They aren't ranked in any special order, and depending on your geographic location you may find different ones. You may ask why geography is a factor. In many parts of the world, keeping anti-virus software current is simply not done. It isn't obvious whether this is a software distribution issue, economics, lack of knowledge, or lax practices, but it is true nonetheless.
Among the most dangerous types of malicious software are "back-door" programs. These not only leave a door open for intruders to come and go as they please, they also let the intruder take remote control of your PC, with capabilities that even the user sitting in front of it does not have. A back-door can also let the intruder conduct further hacking activity and distributed denial of service attacks from your computer, possibly resulting in legal action against you or your company!
Three of the most well known Trojan Horses are Back Orifice, SubSeven, and Hack-A-Tack. Locating and eradicating these programs can be complicated and usually requires familiarity with the Registry and how to edit it. If you are not already comfortable editing your Registry, now is NOT the time to learn. You can end up doing far more damage to your PC than the intruder would have. Export the keys you are about to change first, so that you can restore them if something goes wrong. If you suspect your PC is infected with one or more of these programs, use a good search engine and you will find many websites that give step-by-step removal instructions.
Back-door programs generally consist of two components: a client that runs on the intruder's PC, and a server that is installed on the victim's PC. The server is what you are looking for. Keep in mind that these programs usually let the intruder rename the server component to make discovery more difficult, so some detective work on your part may be required: judge an entry by what it launches and where that file lives, not only by its name. Back Orifice is often named "umgr32.exe". SubSeven may be named "server.exe". Hack-A-Tack is usually named "expl32.exe".
The Registry entries most commonly modified to start these Trojan Horses at boot are the values under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
A fourth well-known Trojan is NetBus. Like SubSeven, NetBus may be named "server.exe", so the file name alone will not tell you which one you have. NetBus also creates its very own Registry key at:
HKEY_LOCAL_MACHINE\SOFTWARE\UltraAccess Networks\NetBus Server\
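The following Python script is an added example, not code from the column or from any of the tools it names. It automates the detective work just described: it parses a text export of the two Run keys and the NetBus key in the REGEDIT4 format that regedit writes (restricted here to string values), flags any value whose program basename is one of the names above, lists every other autorun entry for manual review because the server component is usually renamed, and also checks the load= and run= lines of win.ini, which the Conclusions below recommend inspecting. The Registry export and the win.ini contents are constructed sample data; the value names in them are invented, not the ones any particular Trojan actually uses.

```python
import re
from typing import Dict, List, Tuple

# Executable names the column associates with each back-door's server component.
KNOWN_BACKDOOR_NAMES = {
    "umgr32.exe": "Back Orifice",
    "server.exe": "SubSeven or NetBus",
    "expl32.exe": "Hack-A-Tack",
}
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
NETBUS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\UltraAccess Networks\NetBus Server"

# Constructed sample export in the REGEDIT4 text format regedit writes
# (backslashes are doubled inside string values). Not from a real machine.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Network Manager"="C:\\WINDOWS\\SYSTEM\\umgr32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Windows Loader"="C:\\WINDOWS\\server.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\UltraAccess Networks\NetBus Server]
'''

# Constructed sample win.ini; only load= and run= under [windows] matter.
SAMPLE_WIN_INI = r'''[windows]
load=
run=C:\WINDOWS\expl32.exe
'''


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"="string" lines (other value types are
    ignored), undoing regedit's backslash doubling inside string values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif (m := re.match(r'^"([^"]*)"="(.*)"$', line)) and current is not None:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def executable_name(command: str) -> str:
    """Lower-cased basename of the program a command line launches; a quoted
    path may carry arguments, an unquoted one is cut at the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        program = command.split(" ", 1)[0]
    return program.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def win_ini_autoruns(text: str) -> List[Tuple[str, str]]:
    """(directive, program) pairs from load= and run= in win.ini's [windows] section."""
    found, in_windows = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line[1:-1].lower() == "windows"
        elif in_windows and "=" in line:
            directive, value = line.split("=", 1)
            if directive.strip().lower() in ("load", "run"):
                found += [(directive.strip().lower(), p)
                          for p in re.split(r"[\s,]+", value.strip()) if p]
    return found


def triage_autoruns(reg_text: str, win_ini_text: str = "") -> List[Tuple[str, str, str]]:
    """(location, entry, verdict) for every autorun entry found. Known names get
    a named verdict; everything else is 'review', since servers are usually renamed."""
    findings: List[Tuple[str, str, str]] = []

    def assess(location: str, entry: str, command: str) -> None:
        known = KNOWN_BACKDOOR_NAMES.get(executable_name(command))
        findings.append((location, entry, f"known name for {known}" if known else "review"))

    keys = parse_reg_export(reg_text)
    for key in AUTORUN_KEYS:
        for name, command in keys.get(key, {}).items():
            assess(key, f"{name}={command}", command)
    if NETBUS_KEY in keys:
        findings.append((NETBUS_KEY, "(key exists)", "NetBus server configuration key"))
    for directive, program in win_ini_autoruns(win_ini_text):
        assess("win.ini [windows]", f"{directive}={program}", program)
    return findings


if __name__ == "__main__":
    for location, entry, verdict in triage_autoruns(SAMPLE_EXPORT, SAMPLE_WIN_INI):
        print(f"{verdict:36} {location}  {entry}")
```

To use it on a real machine, export the keys of interest with "regedit /e" followed by a file name and the key, and feed that file in together with C:\WINDOWS\WIN.INI. Anything with the "review" verdict that you cannot tie to software you installed deserves a closer look, particularly if it lives in C:\WINDOWS or C:\WINDOWS\SYSTEM under an innocuous name, because that is exactly what a renamed server looks like.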
The last of the five is a different and very disturbing type of program, a worm that I have been encountering with increasing frequency. It is officially called the "network.vbs" worm. Note the "vbs" extension, which marks a Visual Basic Script run by the Windows Scripting Host. Script and macro viruses are disturbing because they are easy to write, easy to modify, and easy to conceal. If you search your PC for "*.vbs" files you will find several, and you should even find one named Network.vbs in the C:\WINDOWS\SAMPLES\WSH directory. Don't worry, that one is a Microsoft sample script, not the worm I am describing. Don't rely on the capital "N" to tell them apart, since Windows file names are not case-sensitive; what distinguishes the worm is where it sits (it copies itself into the Startup folder) and what it does, as described next.
The network.vbs worm is very simple. Using the port 139 exposure described earlier, the script picks random IP addresses on the network and the Internet and looks for hosts that accept connections on port 139 with an unprotected share. When it finds one, it maps the victim's share as a temporary drive J: and copies itself to several locations on that computer, including the Startup folder, so that it runs at the victim's next logon. So far this worm does no damage beyond consuming bandwidth with its random port scans. But it could very easily be modified to report the vulnerable IP addresses it finds to a malicious hacker, or to install one of the back-door programs described above. Those scans are also its most visible symptom: an infected machine produces a steady stream of outbound connection attempts to port 139 on addresses outside your network.
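The port scans are the thing a network administrator can actually see. As an added example (not code from the column), the Python script below looks for that symptom in a firewall or router log: any internal host that opens TCP connections to port 139 on many distinct addresses within a short time. The log format, the addresses and the thresholds are all constructed for the example; map LOG_RE onto whatever your firewall really writes, and tune threshold and window_seconds to your own network.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, Optional

# Constructed log format (not any real firewall's): timestamp, action, protocol,
# source socket, destination socket. Adjust LOG_RE to your own firewall's syntax.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: .20 behaves like the worm (eight Internet hosts probed on
# port 139 in 23 seconds), .5 is a busy but legitimate client of the file
# server .2, and .7 touches two local machines. Every address is invented.
SAMPLE_LOG = """\
2000-11-20 14:02:11 ALLOW TCP 192.168.1.5:1025 -> 192.168.1.2:139
2000-11-20 14:02:12 DENY TCP 192.168.1.20:1031 -> 198.51.100.3:139
2000-11-20 14:02:13 ALLOW TCP 192.168.1.5:1026 -> 192.168.1.2:139
2000-11-20 14:02:15 DENY TCP 192.168.1.20:1032 -> 203.0.113.44:139
2000-11-20 14:02:18 DENY TCP 192.168.1.20:1033 -> 198.51.100.12:139
2000-11-20 14:02:20 ALLOW TCP 192.168.1.7:1040 -> 192.168.1.2:80
2000-11-20 14:02:21 DENY TCP 192.168.1.20:1034 -> 203.0.113.8:139
2000-11-20 14:02:24 DENY TCP 192.168.1.20:1035 -> 198.51.100.2:139
2000-11-20 14:02:27 ALLOW TCP 192.168.1.5:1027 -> 192.168.1.2:139
2000-11-20 14:02:28 DENY TCP 192.168.1.20:1036 -> 203.0.113.4:139
2000-11-20 14:02:31 DENY TCP 192.168.1.20:1037 -> 198.51.100.9:139
2000-11-20 14:02:35 DENY TCP 192.168.1.20:1038 -> 203.0.113.77:139
2000-11-20 14:02:36 ALLOW TCP 192.168.1.7:1041 -> 192.168.1.2:139
2000-11-20 14:02:37 ALLOW TCP 192.168.1.7:1042 -> 192.168.1.3:139
2000-11-20 14:02:39 ALLOW UDP 192.168.1.7:137 -> 192.168.1.255:137
"""


def parse_line(line: str) -> Optional[dict]:
    """One log line to a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": m["proto"].upper(), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def find_netbios_scanners(lines: Iterable[str], threshold: int = 5,
                          window_seconds: int = 60) -> Dict[str, int]:
    """Sources that reached at least `threshold` distinct hosts on TCP/139 within
    any `window_seconds` span, mapped to the largest distinct count seen.
    Counting distinct destinations rather than connections keeps a chatty but
    legitimate client of a single file server from being flagged."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "TCP" and ev["dport"] == 139:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))
    scanners: Dict[str, int] = {}
    for src, hits in per_src.items():
        hits.sort()
        window = deque()  # (ts, dst) pairs inside the sliding time window
        for ts, dst in hits:
            window.append((ts, dst))
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            distinct = len({d for _, d in window})
            if distinct >= threshold:
                scanners[src] = max(distinct, scanners.get(src, 0))
    return scanners


if __name__ == "__main__":
    for src, n in find_netbios_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct hosts probed on TCP/139; check its Startup folder")
```

A host this flags is worth pulling off the network and checking for the worm's copies in the Startup folder before it finds its next victim; the same logic with a different port catches other scanning worms.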
How do you protect yourself from this type of attack? On Windows 9x and NT, one way is to stop scripts from running when they are opened: in any Explorer window (the Control Panel folder will do), choose "Options" or "Folder Options" under the View menu, select the File Types tab, and change the default action for the file types with the extensions .vbs, .js, .shs, and .shh from Open to Edit. A double-clicked script then opens in Notepad instead of executing, and because items in the Startup folder are launched with their default action, a script the worm drops there will not run at logon either. Apply the same change to the other Windows Scripting Host types (.vbe, .jse, .wsf, and .wsh), and remember that this does nothing against a script started explicitly with wscript.exe or cscript.exe.
Conclusions
Preventing viruses, worms, and back-door programs from being installed through a Trojan Horse is actually pretty easy. First and foremost, purchase and install a good anti-virus program and keep its virus definition files up to date; checking for updated definitions at least once a week is ideal. Next, never open an email attachment without knowing what it is and why it was sent, even if it comes from somebody you know. Be wary of the programs you download from the Internet, and make sure that those you do download come from reputable sources. Finally, be proactive: check your Startup folder, the load= and run= lines in the [windows] section of win.ini, and the Run and RunServices Registry keys listed above for entries you cannot account for. Remember, if the Trojans had taken five minutes to inspect their trophy, the Greek soldiers would have been discovered and history would be different.
© 2000 - 2006 Core Competence & Mactivity, Inc.