Trojan Horse - One Man's "Worst Case Scenario" Prediction
---------------------
This is a fictional article about a Trojan Horse virus, or you could say it is one man's prediction of a "worst case scenario". Because of the field I'm in, I maintain a personal list of my top 10 "worst case scenarios". Every time I perform a security assessment I run into something new or identify a situation that is ripe for a potential vulnerability. I think we could all agree that no respectable or ethical company would intentionally deliver a malicious piece of code as part of a helpful update solution. However, the reality is that human beings are behind technology, and human beings are unpredictable and fallible.

Many major operating system vendors have automatic update services. Many hardware vendors and other software packages have followed this trend, incorporating automated update services into their products. In some cases, the services for automatic updates run as the local "system" account. This account has the ability to access and modify most of the operating system and application environment. When automatic updates were relatively new, many people would perform the updates manually; however, as time has progressed, many now trust these services and allow the updates to proceed in a truly automated fashion.

The Final Step Before The Hammer Falls
---------------------
So let's expand upon our "worst case scenario". A new service pack is just about ready for release. The last step prior to public release is quality control / validation. The team of people performing this task includes a significantly disgruntled employee (or maybe he/she is going through a horrible life crisis and has not much to lose). When people are in pain or distress it is not uncommon for them to project this same feeling onto others in any way they can. So, instead of performing their job in the normal fashion, they decide to incorporate a malicious payload into the forthcoming update.

The First Step For The Trojan Horse: Evasion
---------------------
This payload has some unique characteristics, three to be precise. First, it is constructed in such a way as to not appear as something malicious. The anti-virus and anti-spyware programs currently on the market won't be able to detect it through anomaly detection techniques.

The Second Step For The Trojan Horse: Information Collection
---------------------
Secondly, it has been instructed to wait 12 hours before activating and then start searching your computer and network for important files that may contain financial, healthcare, and other confidential information such as user accounts and passwords. It then sends this information to anonymous systems on the Internet. Because this "Trojan horse" has been incorporated into an automated update by someone with reasonable skills, it is instructed to perform the collection of data for only 12 hours. Given the number of global systems that allow automated updates, 12 hours should be more than enough. The person behind this realizes that someone will quickly identify that something malicious is going on and start to roll out a defense solution to halt the process.

The Final Step: Incapacitate
---------------------
Finally, the Trojan Horse will cease its data collection and deliver its final blow. Because of the level of system privilege it is running at, it modifies the communication protocols and services on the system to prevent any type of external communication to its local peers and external (Internet) hosts. It does this in such a way that the only immediate method to recover from this is a system roll-back, system repair, or restore from near-line media, such as tape or disk. And as far as system recovery is concerned, I can tell you that many people, even in corporate entities, do not perform the most basic steps to be prepared for a quick system disaster recovery. In some cases, some of the most important recovery services have been disabled because of lack of system resources or disk space (which is amazing given how inexpensive this is these days).

What Could Be The Impact Of This "Trusted" Trojan Horse
---------------------
Just about every time you install a new application or piece of software you increase the time it takes to boot your PC and in some cases decrease its performance. One thing that drives me crazy is printing software. For the life of me I cannot understand how or why printer support software could total 400MB in size, but it sometimes does. Not only that, it tends to load all kinds of unnecessary real-time running applets. HP printers are notorious for this. Be very aware of what it is you are loading and only load those components that you need. Even some off-the-shelf software packages load adware and other not-so-helpful applets. Also, when you uninstall software, in many cases not all of the software gets uninstalled. One thing I suggest is to purchase a registry cleaner. This can dramatically decrease boot times and in many cases increase the overall performance of your PC.

People are already concerned about identity theft, or at least they should be. I recently spoke with a business associate who told me that even with everything he does to keep his identity secure he has been the victim of identity theft not once, but twice. If your user IDs, online accounts, passwords, financials, or other confidential information wind up on the Internet for any anonymous person to see, you can bet they will be used in a way that causes you problems. Even if only 10% of the global systems fell victim to this Trojan Horse, the cutoff of communications could cost businesses billions of dollars and potentially impact their reputation as "secure" institutions.

Conclusion
---------------------
If we don't think that this "worst case scenario" can happen, then we're kidding ourselves. Recently, one of the market leaders in the perimeter defense business had to recall a service pack because it contained a significant "bug" that could result in a security breach; a service pack that can be delivered through an intelligent update service. Obviously there has to be a certain level of trust between us, the consumer, and the vendors of the hardware / software we rely on. I'm not entirely sure what "fail-proof" solution can be put in place to prevent something like this from happening, although I'm sure there are quite a few checks and balances in place already. The bottom line is, if you or I can imagine a scenario like this, there is always a chance of it happening. In my case, I usually wait several days to apply new service packs and hot-fixes. Hopefully someone else will find the problem, correct it, and then I'll apply it.

You may reprint or publish this article free of charge as long as the bylines are included.