[IS&T Security-FYI] Newsletter, November 23, 2007

Monique Yeaton myeaton at MIT.EDU
Fri Nov 23 10:33:52 EST 2007


In this issue: Trojans

This past year has seen a substantial rise in the number of malware attacks and
vulnerability exploits. It is not only the growing number of malware attacks that
should concern us, but also the speed with which newly found vulnerabilities are
being exploited.

This special issue of Security FYI is the second in a series of  
issues discussing some of the more recent malware attacks. The first  
issue discussed the infamous Storm worm.


What is a Trojan?

Trojans are named for the Trojan horse of Greek legend. A Trojan is a
malicious program disguised as a normal application. Trojans do not
replicate themselves the way a virus or worm does, but they can be
propagated as attachments to a virus, and a worm or virus may in turn be
enfolded within a Trojan.

The basic idea is that you download a program, for example one that
appears to be a game demo. When you run the demo, to your surprise
nothing happens. Or so you think. What you may actually have done is run
a program that has quietly planted itself on your hard drive.


How is it deployed?

Social engineering attacks (using tricks to gain someone's trust) are
the modus operandi for deploying a Trojan. Some arrive as spam, in email
attachments such as executable (.exe) files or PDF files. Others arrive
from phony or compromised web sites, downloaded software, file-sharing
services, instant messaging, and CDs. One of the most insidious types
comes as a program that claims to rid your computer of viruses but
instead installs them.
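As an added illustration, not part of the original newsletter, the Python script below shows the kind of attachment check a mail gateway or help desk tool can apply to the email vector described above: it flags attachments that are executable (by file extension or by the Windows "MZ" executable header) and attachments whose name says PDF but whose bytes do not. The sample message, its addresses and file names are constructed here for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a gateway would treat as executable content (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# File signatures ("magic bytes") for the two attachment types named in the text.
MAGIC = {
    "pe": b"MZ",      # Windows executable (PE) header
    "pdf": b"%PDF-",  # PDF header
}

def inspect_attachments(raw_message: bytes) -> list[dict]:
    """Return one finding per attachment: name, declared type, detected type, flags."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        data = part.get_payload(decode=True) or b""
        # Trust the bytes, not the declared MIME type or the file name.
        detected = next((k for k, sig in MAGIC.items() if data.startswith(sig)), "unknown")
        flags = []
        if ext in EXECUTABLE_EXTENSIONS or detected == "pe":
            flags.append("executable")
        if ext == ".pdf" and detected != "pdf":
            flags.append("extension/content mismatch")
        findings.append({"name": name, "declared": part.get_content_type(),
                         "detected": detected, "flags": flags})
    return findings

def build_sample() -> bytes:
    """Constructed sample: a bid-response style mail carrying a PE file named as a PDF."""
    msg = EmailMessage()
    msg["From"] = "seller@example.invalid"   # placeholder address
    msg["To"] = "buyer@example.invalid"      # placeholder address
    msg["Subject"] = "Re: your bid"
    msg.set_content("Please see the attached vehicle details.")
    # Windows executable bytes disguised with a .pdf name and a PDF MIME type.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="pdf", filename="vehicle_report.pdf")
    # A file that really does start like a PDF.
    msg.add_attachment(b"%PDF-1.4\n%sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return bytes(msg)

if __name__ == "__main__":
    for finding in inspect_attachments(build_sample()):
        print(finding)
```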

A more recent trend is "targeted Trojans." These have become top
corporations' biggest nightmare. The stealthy attacks install
keystroke-logging or screen-scraping software, and they are often
used for industrial espionage and other financially motivated crimes.
They depend on exploiting previously unknown flaws in software (a
so-called zero-day attack), thereby bypassing virus detection software.


What happens if infected?

For the most part, Trojans today are designed to steal money from  
unsuspecting victims. There are many strains of Trojans. Three  
examples of Trojans that were discovered this past month include  
"Gozi variant," "Pidief.A," and "Bayrob variant."

The Bayrob variant, for example, is a new strain of a Trojan that
appeared on eBay earlier this year and spreads as an attachment to an
email sent in response to an eBay bid. One Ohio victim of this Trojan
paid $8650 in a bank-to-bank transfer for a Jeep that appeared to be
located in California when she visited a spoofed Carfax site. The car
was actually located in Pennsylvania, and the victim has yet to take
delivery of the Jeep. She was infected after opening the email
attachment sent in response to her eBay bid.

Trojans can have other characteristics, such as "ransomware": the
Trojan encrypts files on the victim's hard drive, leaves a text file
explaining what has happened, and lists email addresses to which the
ransom should be sent. The aim is to extort money from victims who try
to obtain a decryptor tool to recover their documents.

Another type of Trojan is designed to hijack well-known web sites in
order to steal money while masquerading as a legitimate business. When
the attack succeeds, the victim is brought to a fake site where payment
is made to the crooks via Western Union or MoneyGram.

Yet other types are not out for money at all: they give the attacker
full access to the victim's hard drive and system, start deleting files,
or steal passwords.


What's being done about it?

Anti-virus software will detect and protect you from virus-like
malware. However, not all anti-virus software works the same way or is
equally effective at detecting Trojans.

The problem is that a Trojan is not similar to a virus. A virus
replicates itself and spreads, whereas a Trojan does not. Software
that detects the virus-like characteristics of malware will not always
detect the typical characteristics of Trojans. Make sure that your
anti-virus software has this capability. If your software does not
detect Trojans, send an email to the manufacturer and request that they
add it.


Are you at risk at MIT?

You'll remember that Trojans can infect your computer via spam. The
email servers at MIT block most spam at the border. However, because
about 97% of email is spam, it is very likely that some spam will still
come through. The higher your spam threshold, the more spam will get
through; set it lower and more spam will be caught, but you also risk
having legitimate email blocked. See spam filtering:
<http://web.mit.edu/ist/services/email/nospam/>

Because scammers generally use social engineering attacks to deploy
Trojans, anyone who is not paying close attention can be exploited.
The majority of infections occur because the user was tricked into
running an infected program. For this reason, it is very important to
be aware of your computing behavior, especially when connected to the
Internet.

Prevention is the best medicine. Keep your operating system,  
antivirus, firewall, and other security software up-to-date. Those  
precautions will reduce the chances of infection.

Some Mac users may think they are immune to Trojans, as most Trojans
are written for Microsoft computers. However, last month we saw a
Trojan deployed that specifically targets Mac computers, so don't be
lulled into a false sense of security.

If you think you've been infected by a Trojan, contact the Computing
Help Desk at computing-help at mit.edu. If you think you've been scammed
out of money, contact your local police or the MIT Police
<http://web.mit.edu/cp/www/>.


Online resources:

To learn more about virus protection, firewall protection and  
software updates at MIT:

IT Security Web page: <http://web.mit.edu/ist/topics/security/>

To read more about Trojans:

Webopedia: <http://www.webopedia.com/TERM/T/Trojan_horse.html>
Wired: <http://www.wired.com/techbiz/it/news/2001/05/43981>


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security