Trojan Horses – Beware of Geeks Bearing Gifts

by Bill Wall, STAT Operations, Harris Corporation

A Trojan horse is any program that appears to perform a desirable function, but actually performs hidden functions unknown to the user that could lead to a security threat. A Trojan horse usually contains an unauthorized program within a legitimate program. They can be disguised in executable programs. Trojan horses can delete files, transmit files, install other programs, or execute privilege-elevation attacks. The STAT Operations Center tests known Trojan horses to see how they work and is always looking for ways to detect and remove them. With the STAT-NT product and subscription service, our customers get the latest information on known Trojan horses, and a tool to detect and remove such programs. Here is a quick reference of known Trojan horses.

One interesting Trojan horse is a false upgrade to Internet Explorer. An email message is sent to a user which claims to be a free upgrade to the Microsoft Internet Explorer web browser. The email message contains an attached executable program called Ie0199.exe. If this program is run, modifications are made to the system and attempts are made to auto-dial to sites in Bulgaria. The program deletes a sound volume program and installs a program with a similar name. There is no upgrade to Internet Explorer with this program. Microsoft does not provide patches or upgrades via electronic mail. The program also comes disguised as photos. Don’t run executable programs attached with email if you do not know the source and function of the program. For further details on this Trojan horse, see CERT Advisory CA-99.02.

Another Trojan horse program is Back Orifice. This is a program aimed at Microsoft Windows 95 and 98 that can be used to control and monitor a Windows program. At present, it does not work on Windows NT. Because it is a Trojan horse, users must install part of Back Orifice themselves or be tricked into installing it. It can be disguised in a variety of ways, usually as a remote administration tool. Once the Trojan horse is on the user’s system, a malicious hacker can access the affected system with the privileges of the user who inadvertently installed it.

A similar Trojan horse program that works on Windows 9x and Windows 95 is NetBus. It does essentially the same thing as Back Orifice. A user can be tricked into installing this Trojan horse by playing a game called Whack-A-Mole. File names such as game.exe or yahoo.exe should be suspect when attached to email or already installed on your system. NetBus comes in many versions, the latest one being NetBus Pro 2.0. The default name of its Trojan horse is NbSvr.exe.

In the Unix world, the most recent Trojan horse is TCP Wrappers. This tool is commonly used on Unix systems to monitor and filter connections to network services. Some copies of tcp_wrappers_7.6.tar.gz have been modified to contain a Trojan horse. The Trojan horse version of TCP Wrappers provides root access to intruders initiating connections with a certain source port. Additionally, upon compilation, this Trojan horse version sends email to an external address which identifies the site and account that compiled the program. CERT Advisory CA-99.01 provides more details on this Trojan horse.

To protect yourself from Trojan horse programs, ask yourself if you trust the source of the software. Download programs only from sites you know and trust. Look out for email with programs attached that you are unfamiliar with. Avoid downloading software directly onto a network server. Transfer it first to a stand-alone computer, then test it. Monitor the registry for changes when running test programs. Keep track of what you’ve installed on your system so you can detect and remove it quickly if necessary. Don’t be tricked into installing a Trojan horse because it looked like a neat program, a patch, or a fun game. Remember that software distribution sites can be compromised by intruders who replace legitimate versions of software with Trojan horse versions.
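The "test it on a stand-alone machine and watch for changes" advice above can be made concrete with a before/after file snapshot. The script below is an added example, not part of the original article or of the STAT-NT product: it hashes a directory tree before and after a suspect program runs, reports added, deleted and modified files, and pairs deleted files with new files of a near-identical name (the delete-and-replace-with-a-similar-name pattern described for the Ie0199.exe Trojan horse). The file names and contents in `demo()` are constructed for illustration.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(before, after, similarity=0.8):
    """Compare two snapshots; also pair deleted files with new look-alike names."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    # A deleted file next to a new file with an almost identical name is the
    # "replace a legitimate program with a similarly named one" pattern.
    lookalikes = [(d, a) for d in deleted for a in added
                  if difflib.SequenceMatcher(None, Path(d).name.lower(),
                                             Path(a).name.lower()).ratio() >= similarity]
    return {"added": added, "deleted": deleted, "modified": modified, "lookalikes": lookalikes}


def demo():
    """Constructed scenario (not a real system): running a 'test program' deletes one
    executable, drops a near-identical name in its place, and edits a config file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sndvol.exe").write_bytes(b"original volume program")   # constructed
        (root / "settings.ini").write_text("autodial=no\n")             # constructed
        (root / "readme.txt").write_text("unchanged\n")                  # constructed
        before = snapshot(root)
        # Simulate the suspect program's side effects on the test machine.
        (root / "sndvol.exe").unlink()
        (root / "sndvo1.exe").write_bytes(b"something else entirely")
        (root / "settings.ini").write_text("autodial=yes\n")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

On a real test machine, take `snapshot()` of the system directories and the registry export before running the program, and diff again afterwards.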

STAT-NT by Harris examines an entire machine or domain for Trojan horse signatures and programs. Files and registry entries are carefully examined for Trojan horse elements. Once a Trojan horse is detected, STAT-NT provides a description and solution, as well as an AutoFix to delete the Trojan horse file and/or clear the registry of any Trojan horse element.

For further information on the STAT Operations Center, visit our web site ( or call 1-888-725-STAT (7828).