Introduction
This white paper outlines what Trojans are and why they pose a danger to corporate networks. As early as 2001, an eWeek article reported that tens of thousands of machines are infected with Trojans. This is still the case today - and the use of more sophisticated technology makes them all the more alarming: Trojans can be used to steal credit card information, passwords, and other sensitive information, or to launch an electronic attack against your organization. The white paper discusses the need for a Trojan and executable scanner at mail server level in addition to a virus scanner, to combat this threat.
What is a Trojan horse?
In the IT world, a Trojan horse is used to enter a victim's computer undetected, granting the attacker unrestricted access to the data stored on that computer and causing great damage to the victim. A Trojan can be a hidden program that runs on your computer without your knowledge, or it can be 'wrapped' into a legitimate program meaning that this program may therefore have hidden functions that you are not aware of.
What the attacker looks for
Trojans can be used to siphon off confidential information or to create damage. Within the network context, a Trojan is most likely to be used for spying and stealing private and sensitive information (industrial espionage). The attacker's interests could include but are not limited to:
Different types of Trojans
There are many different types of Trojans, which can be grouped into seven main categories. Note, however, that it is usually difficult to classify a Trojan into a single grouping, as Trojans often have traits that would place them in multiple categories. The categories below outline the main functions that a Trojan may have.
Remote access Trojans
These are probably the most publicized Trojans, because they provide the attacker with total control of the victim's machine. Examples are the Back Orifice and Netbus Trojans. The idea behind them is to give the attacker COMPLETE access to someone's machine, and therefore full access to files, private conversations, accounting data, etc.
The Bugbear virus that hit the Internet in September 2002, for instance, installed a Trojan horse on the victims' machines that could give the remote attacker access to sensitive data.
The remote access Trojan acts as a server and usually listens on a port that is not available to Internet attackers. Therefore, on a computer network behind a firewall, it is unlikely that a remote (off-site) hacker would be able to connect to the Trojan (assuming that you have blocked these ports, of course). HOWEVER, an internal hacker (located behind the firewall) can connect to this kind of Trojan without any problems.
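As an added example (not from the white paper), the following host-side check compares the machine's LISTENING sockets with an approved baseline, which is how an administrator would notice the kind of listener described above even when the perimeter firewall blocks the port from outside; the netstat sample, PIDs, ports and baseline are constructed assumptions for the example:

```python
"""Audit LISTENING sockets against a baseline of expected services.

Added example, not from the white paper. Input is modelled on Windows
`netstat -ano` output; the sample, PIDs and baseline are constructed."""
import re

# Constructed sample of `netstat -ano` output (hypothetical PIDs/ports).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9999           0.0.0.0:0              LISTENING       2316
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       1720
  TCP    10.0.0.5:49812         10.0.0.9:445           ESTABLISHED     1234
"""

# Ports this host is approved to serve (assumed baseline for the example).
BASELINE_PORTS = {135: "RPC endpoint mapper", 445: "SMB"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_listeners(netstat_text):
    """Return (proto, bind_addr, port, pid) for every LISTENING socket."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, pid = m.groups()
            found.append((proto, addr, int(port), int(pid)))
    return found


def unexpected_listeners(netstat_text, baseline=BASELINE_PORTS):
    """Listeners outside the baseline. A wildcard bind (0.0.0.0 / ::) is
    reachable from every host on the LAN, which is the case the text warns
    about; a loopback bind is reachable only from the machine itself."""
    findings = []
    for proto, addr, port, pid in parse_listeners(netstat_text):
        if port in baseline:
            continue
        lan = addr in ("0.0.0.0", "::", "[::]")
        findings.append({"proto": proto, "port": port, "pid": pid,
                         "exposure": "LAN-reachable" if lan else "local-only"})
    return findings


if __name__ == "__main__":
    for f in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener {f['proto']}/{f['port']} "
              f"pid={f['pid']} ({f['exposure']})")
```

Run it against real `netstat -ano` output redirected to a file and maintain the baseline per host role; any LAN-reachable finding should be tied back to the owning PID before it is dismissed.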
Data-sending Trojans (passwords, keystrokes etc.)
The purpose of these Trojans is to send data back to the hacker with information such as passwords (ICQ, IRC, FTP, HTTP) or confidential information such as credit card details, chat logs, address lists, etc. The Trojan could look for specific information in particular locations or it could install a key-logger and simply send all recorded keystrokes to the hacker (who in turn can extract the passwords from that data).
An example of this is the Badtrans.B email virus (released in the wild in December 2001) that could log users' keystrokes.
Captured data can be sent back to the attacker's email address, which in most cases is located at some free web-based email provider. Alternatively, captured data can be sent by connecting to a hacker's website - probably using a free web page provider - and submitting data via a web-form. Both methods would go unnoticed and can be done from any machine on your network with Internet and email access.
Both internal and external hackers can use data-sending Trojans to gain access to confidential information about your company.
Destructive Trojans
The only function of these Trojans is to destroy and delete files. This makes them very simple to use. They can automatically delete all the core system files (for example, .dll, .ini or .exe files, and possibly others) on your machine. The Trojan can either be activated by the attacker or can work like a logic bomb that starts on a specific day and time.
A destructive Trojan is a danger to any computer network. In many ways, it is similar to a virus, but the destructive Trojan has been created purposely to attack you, and therefore is unlikely to be detected by your anti-virus software.
Denial of service (DoS) attack Trojans
These Trojans give the attacker the power to start a distributed denial of service (DDoS) attack if there are enough victims. The main idea is that if you have 200 infected ADSL users and you attack the victim simultaneously from each, this will generate HEAVY traffic (more than the victim's bandwidth can carry, in most cases), causing its access to the Internet to shut down.
WinTrinoo is a DDoS tool that has recently become very popular; through it, an attacker who has infected many ADSL users can cause major Internet sites to shut down; early examples of this date back to February 2000, when a number of prominent e-commerce sites such as Amazon, CNN, E*Trade, Yahoo and eBay were attacked.
Another variation of a DoS Trojan is the mail-bomb Trojan, where the main aim is to infect as many machines as possible and simultaneously attack specific email address/addresses with random subjects and contents that cannot be filtered.
Again, a DoS Trojan is similar to a virus, but the DoS Trojan can be created purposely to attack you, and therefore is unlikely to be detected by your anti-virus software.