[IS&T Security-FYI] Newsletter, November 23, 2007
Monique Yeaton
myeaton at MIT.EDU
Fri Nov 23 10:33:52 EST 2007
In this issue: Trojans
This past year has seen the number of malware attacks and
vulnerability exploits rise substantially. It is not just the growing
number of malware attacks that we should be concerned about, but
also the speed at which vulnerabilities are being exploited.
This special issue of Security FYI is the second in a series of
issues discussing some of the more recent malware attacks. The first
issue discussed the infamous Storm worm.
What is a Trojan?
Trojans are named for the Trojan horse in Greek legend. A Trojan is a
malicious program disguised as a normal application. Trojans do not
replicate themselves the way a virus or worm does, but they can be
propagated as attachments to a virus. In other words, a computer worm
or virus may be wrapped inside a Trojan.
The basic idea is that you download a program, for example one that
appears to be some sort of game demo. When you run the demo, to your
surprise nothing happens. Or so you think. What you have actually
done is run a program that has planted itself on your hard drive.
How is it deployed?
Social engineering attacks (using tricks to gain someone's trust) are
the usual method for deploying a Trojan. Some arrive as spam in email
attachments such as executable (.exe) files or PDF files. Others come
from phony or compromised web sites, downloaded software,
file-sharing services, Instant Messaging, and CDs. One of the most
insidious types comes as a program that claims to rid your computer
of viruses but instead installs them.
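The email-attachment vector just described is one a mail gateway can
screen for on the defender's side. The script below is an added
example written for this newsletter, not code from MIT IS&T: it flags
attachments whose name or content suggests an executable dressed up
as a document (an .exe extension, a "report.pdf.exe" double extension,
or a file whose bytes begin with the Windows executable "MZ" header
while its name claims to be a document). The filenames and byte
strings in the sample are constructed for the demonstration.

```python
"""Screen email attachments for executables disguised as documents.

Added example (not part of the newsletter). It assumes attachments are
handed in as (filename, leading bytes) pairs, as a mail gateway could
supply them; the sample attachments below are constructed.
"""

# Extensions Windows runs directly when the file is opened.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a recipient is likely to treat as a harmless document.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".txt", ".jpg", ".zip"}

# Leading bytes ("magic numbers") of common attachment formats.
MAGIC = {
    b"MZ": "windows-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
}


def sniff_type(data: bytes) -> str:
    """Identify a file by its leading bytes rather than by its name."""
    for signature, label in MAGIC.items():
        if data.startswith(signature):
            return label
    return "unknown"


def screen_attachment(filename: str, data: bytes) -> tuple[str, str]:
    """Return ("quarantine", reasons) or ("allow", sniffed type)."""
    parts = filename.lower().split(".")
    last_ext = "." + parts[-1] if len(parts) > 1 else ""
    kind = sniff_type(data)
    reasons = []

    if last_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {last_ext}")

    # "invoice.pdf.exe": the part the user notices looks like a document.
    if (len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS
            and last_ext in EXECUTABLE_EXTENSIONS):
        reasons.append("document-looking double extension")

    # Content and name disagree: the bytes are a Windows executable but
    # the name does not say so.
    if kind == "windows-executable" and last_ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header (MZ) under non-executable extension")

    if reasons:
        return "quarantine", "; ".join(reasons)
    return "allow", kind


def screen_message(attachments):
    """Screen every attachment of one message; returns a list of verdicts."""
    return [(name, *screen_attachment(name, data)) for name, data in attachments]


if __name__ == "__main__":
    # Constructed sample attachments, not real malware.
    sample = [
        ("bid_response.pdf.exe", b"MZ\x90\x00\x03\x00"),
        ("vehicle_report.pdf", b"MZ\x90\x00\x03\x00"),
        ("receipt.pdf", b"%PDF-1.4\n%..."),
        ("photo.jpg", b"\xff\xd8\xff\xe0"),
    ]
    for name, verdict, detail in screen_message(sample):
        print(f"{verdict:10} {name:24} {detail}")
```

Note the limit of this check: a genuine PDF passes it, so a document
that carries an exploit for the PDF reader (the page's other delivery
vector) is not caught by name-and-header screening and still needs
up-to-date reader and anti-virus software.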
A more recent trend is "targeted Trojans." These have become large
corporations' biggest nightmare. The stealthy attacks install
keystroke-logging or screen-scraping software, and they are often
used for industrial espionage and other financially motivated crimes.
They depend on exploiting flaws in software that are not yet publicly
known (a so-called zero-day attack), thereby bypassing virus
detection software.
What happens if infected?
For the most part, Trojans today are designed to steal money from
unsuspecting victims. There are many strains of Trojans. Three
examples of Trojans that were discovered this past month include
"Gozi variant," "Pidief.A," and "Bayrob variant."
The Bayrob variant, for example, is a new strain of a Trojan that
appeared on eBay earlier this year. It spreads as an attachment to an
email sent in response to an eBay bid. One Ohio victim of this Trojan
paid $8650 in a bank-to-bank transfer for a Jeep that a spoofed
Carfax site showed as located in California. The car was actually
located in Pennsylvania, and the victim has yet to receive delivery of
the Jeep. She was infected after opening the email attachment sent in
response to her eBay bid.
Trojans can have other characteristics, such as "ransomware," in
which the Trojan encrypts files on a victim's hard drive and creates a
text file that explains what has happened and gives email addresses to
send the ransom money to. The aim is to extort money from victims who
try to obtain a decryptor tool to recover their documents.
Another type of Trojan is designed to hijack well known web sites to
steal money while masquerading as legitimate businesses. When
successful, the victim is brought to a fake site where payment is
made to the crooks via Western Union or MoneyGram.
Yet other types are not out for money, but give hackers full access
to a victim's hard drive and system, or start deleting files, or
steal passwords.
What's being done about it?
Anti-virus software will detect and protect you from virus-like
malware. However, not all anti-virus software works the same way or
is equally effective at detecting Trojans.
The problem is that a Trojan is not similar to a virus. A virus
replicates itself and spreads, whereas a Trojan does not. Software
that detects the virus-like characteristics of malware will not always
detect the typical characteristics of Trojans. Make sure that your
anti-virus software has this capability. If your software does not
detect Trojans, send an email to the manufacturer and request that
they add it.
Are you at risk at MIT?
You'll remember that Trojans can infect your computer via spam. The
email servers at MIT block most of the spam at the border. However,
because about 97% of email is spam, it is very likely that some spam
will still come through. The higher your spam threshold, the more
likely spam is to get through. If it is set lower, more spam will be
caught, but you also risk legitimate email being blocked. See spam
filtering: <http://web.mit.edu/ist/services/email/nospam/>
Because scammers generally use social engineering attacks to deploy
Trojans, anyone who is not paying close attention can be exploited.
The majority of infections occur because the user was tricked into
running an infected program. For this reason, it is very important to
be aware of your computing behavior, especially when connected to the
Internet.
Prevention is the best medicine. Keep your operating system,
antivirus, firewall, and other security software up-to-date. Those
precautions will reduce the chances of infection.
Some Mac users may think they are immune to Trojans, since most of
them are written for Microsoft Windows computers. However, last month
we saw a Trojan deployed that specifically targets Mac computers, so
don't be lulled into a false sense of security.
If you think you've been infected by a Trojan, contact the Computing
Help Desk at computing-help at mit.edu. If you think you've been scammed
out of money, contact your local or MIT police
<http://web.mit.edu/cp/www/>.
Online resources:
To learn more about virus protection, firewall protection and
software updates at MIT:
IT Security Web page: <http://web.mit.edu/ist/topics/security/>
To read more about Trojans:
Webopedia: <http://www.webopedia.com/TERM/T/Trojan_horse.html>
Wired: <http://www.wired.com/techbiz/it/news/2001/05/43981>
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security