Trojan Horses Still Kicking After All These Years

Trojan Horses Still Kicking After All These Years
Trojan Horses Still Kicking After All These Years 

By Ryan Singel

About 3,000 years ago Thursday, some Greeks left the people of Troy a 
wooden horse at the walled city.s front gate -- a free gift, no cost, no 
obligation from would-be invaders who wanted their adversaries to think 
they had left in peace.

Accepting the Trojan horse at face value turned out to be a big mistake.

Some things never change. In the 21st century Trojan horses are made of 
electronic "1s" and "0s" but are still left for you in all innocence and 
in plain sight: your e-mail inbox, in IMs and on a web page. But the 
intent, and the outcome, is pretty much the same: to pillage and steal.

The computer security industry describes computer Trojans as any program 
that purports to be one thing -- a screensaver or a .pdf file or a video 
codec -- but which actually conceals a malicious payload, like a 
password logger or pop-up advertising software.

One might be tempted to think we've gotten smarter in the three 
millennia since the Trojans ignored Cassandra's warning and accepted the 
first one. But when it comes to a propensity to fall for a deal that is 
too good to be true, humans have made little progress.

Or none whatsoever, if you believe computer-security guru Peter Neumann.

"People are still just as stupid now as they were then," says Neumann, 
the chief scientist at SRI's computer-security lab. "They see something 
shiny or a website that offers something for free and then they are 

But don.t expect technology to save you from yourself any time soon, 
Neumann warns.

"We are dealing with computer systems incapable of giving us the 
security that we need and we are dealing with people doing things that 
should be or are illegal," Neumann says. "We are dealing with a nation 
of sheep that don.t even understand there is a problem and we are 
dealing with technologists that think making a fast buck is the optimal 
strategy, regardless of the consequences."

That explains why internet scammers can still get users to open fake 
e-greeting-card attachments. Once clicked, the attachment instead 
absorbs the less-than-savvy user's computer into a zombie clone army of 
remotely controllable Windows boxes.

The internet-security firm Sophos identifies this most recent threat as 
the Pushdo Trojan, which accounted for nearly 45 percent of all the 
malware in e-mail attachments in the first three months of 2008.

Microsoft's recently released Security Intelligence Report noted that in 
the first half of 2007 an explosion in the number of Trojans that its 
security scanning tool removed from users' computers. The numbers jumped 
from some 2 million in the second half of 2006 to more than 8 million in 
the next six months. Many of these were delivered to people who were 
lured to a web page rather than by opening a rogue attachment.

While online criminal gangs are still seeking out suckers on the net 
with e-mail blasts to millions of addresses, the newest tactic is to 
send more targeted Trojans to a more limited audience.

On April Fools' Day this year, employees at the nonprofit Committee to 
Protect Journalists got an e-mail purporting to be from Martin Seutcheu, 
a real human-rights officer for the United Nations. The e-mail with the 
subject line: "Beijing Olympics Tactical Campaign Meeting Report," had 
an attached PowerPoint file called Timeline May 21.

But that file, according to BitDefender anti-virus software, is just a 
carrier for Exploit.PPT.Gen.

CPJ employees didn't fall for the trick since there were enough clues it 
wasn't quite right, according to CPJ spokeswoman Abi Wright.

"Obviously their English isn't great and you get suspicious 
immediately," Wright says, noting that it's very odd to get a one-line 
e-mail with an attachment from someone you don't know, even if you know 
their organization.

That's not to say it's not worrisome or chilling, according to Wright.

"We haven't seen this kind of concerted effort to crash our system 
before," Wright says. "It's a change for the worse."

That attack is just one of many originating from and reporting back to 
servers hosted in China. Though the perpetrators aren't known, 
government agencies around the world -- along with defense contractors 
and Tibetan and Taiwanese independence groups -- have all experienced 
similar attacks, according to Patrik Runald, a senior security 
researcher for the Finnish-based security company F-Secure.

"In a lot of these cases, it's not just hit and miss -- it's more 
planned than what a lot of people think," Runald says. "They will find 
out what anti-virus software they are using, try to find out information 
from LinkedIn or Facebook, and send an e-mail saying, "Following up on 
our conversation at the conference in Japan, here's the info we talked 

Matt Richard, Verisign iDefense Lab's rapid response manager, has been 
tracking two gangs based in Romania that target corporations to steal 
files and hopefully get at company's money.

In a sort of inverse Trojan horse tactic, the groups pretend to be 
notifying executives about IRS issues, Better Business Bureau consumer 
complaints, and most recently, a notice that the company was being sued 
in federal court.

The Romanian groups, which have been operating for about a year, rely on 
being able to trick humans, a technique known as social engineering.

That's why Richard suggests that companies need to start testing 
employees with companies that have Trojans sent to them as a way to test 
whether they can be duped or not.

"Education becomes important at the executive level," Richard says. "If 
a C-level forwards a notice about the IRS on to one of his staff, not 
only is the IRS's name attached but also the CEO's name is attached to 
it as well."

Much of the problem can be traced back to software makers failing to 
heed the lessons first laid out more than 30 years ago by researchers 
who warned against letting programs have unchecked access to key 
operating files or user data, according to SRI's Neumann.

"Some of the mass-market operating systems haven't learned to protect 
the basic underlying systems from the applications," Neumann says. "We 
really need systems that are much more robust and secure and reliable, 
and you can't get there form here with minor incremental changes."

Which is just another way of saying that even when you get your flying 
car in the future, Trojan horses will probably still be around, 
successfully thumbing a ride from the gullible.

Subscribe to the InfoSec News RSS Feed 

Site design & layout copyright © 1986-2014 CodeGods