
Trojans

What is a Trojan?

Email Trojans (and the hoaxes that spread them) are a real problem in today's electronic culture. A Trojan is malware that performs unexpected or unauthorized, often malicious, actions. The term "Trojan" comes from the classic Trojan Horse of Homer's Iliad. In that story, the Greeks left a large wooden horse outside the city of Troy and sailed away. The citizens brought the wooden horse into the town. The horse contained Greek warriors, who then jumped out, killed a bunch of people and opened the city gates, letting in the rest of the Greek army, which had been hiding nearby. So, when a Trojan is executed, users will likely experience unwanted problems in system operation and sometimes a loss of valuable data. The main difference between a Trojan and a virus is the inability to replicate: Trojans cause damage and unexpected system behavior and compromise the system's security, but they do not replicate. If it replicates, it should be classified as a virus.

How Do Trojans Work?

Unlike viruses and worms, Trojans do not replicate themselves, so to get infected you must, one way or another, have the program downloaded onto your computer. This most commonly happens when you download a program that pretends to be one thing while it is actually another. To get you to download it, the attacker often uses social engineering. In computer security, "social engineering" describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It usually takes the form of a request "to save yourself from a great danger by downloading something / visiting a web page" or some variant of that. This should put you on guard. Common subjects are the following:

Malicious Code (Virus and Trojan) Warnings

Warnings about Trojans, viruses, and other malicious code that have no basis in fact.

Give Aways

Stories about give-aways by large companies. If you just visit the site, a big company will send you a lot of money, clothes, a free vacation, etc.

Sympathy Hoaxes

Requests for help or sympathy for someone who has had a problem or accident.

Threats

Mail that threatens to hurt you, your computer, or someone else if you do not do something.

Scam

Mail messages that appear to be from a legitimate company but that are scams and cons.

Trojans usually come in two parts, a Client and a Server. When the victim runs the Server on their machine, it tries to hide somewhere in the computer. Most Trojans use auto-starting methods, so even when you shut down your computer they are able to restart and give the attacker access to your machine again. New auto-starting methods and other tricks are discovered all the time. They range from "joining" the Trojan to some executable you use very often, explorer.exe for example, to the well-known methods of modifying the system files or the Windows Registry. After booting, Trojans start listening on some ports for incoming connections from the attacker. The attacker then uses the Client to connect to the Server and starts using the Trojan. Many Trojans have a feature for messaging the victim's IP address to the attacker, because the attacker needs that address to connect to the victim's machine. If the victim has a dynamic IP, meaning they get a different IP every time they connect to the Internet (as most dial-up users do), some Trojans are able to send it to the attacker via ICQ or IRC. ADSL users have static IPs, so the attacker always knows the infected IP, which makes it considerably easier to connect to your machine.

How can I become infected with a Trojan?

In most cases, being infected by a Trojan is the result of opening an email attachment, transferring files over ICQ and similar services, or opening binary messages on newsgroups. Trojans can also be delivered by means of ActiveX or Java, but this is not a common method.

Getting Infected Via Attachments

When users receive a mail containing an attachment saying they will get something for free, most of them run it without fully understanding the risk to their machines. Usually the attacker uses some relaying mail server to fake the email's FROM field and make it look like your friend's address. So you check your mail, see a familiar address and download whatever it says without thinking, because you didn't check the mail headers to see that the mail came from some .jp mail server relaying emails. Many people got themselves infected by the famous "Microsoft Internet Explorer Update" sent directly to their mailboxes by the nonexistent Microsoft Updates Staff. Microsoft will never send updates to their software via email, no matter whether you see updates@microsoft.com in the FROM field; as the previous example shows, the FROM field can be, and often is, faked. If you ever see an email in your mailbox with a subject like "Microsoft IE Update", delete it without viewing or reading it, because some email clients, Outlook Express among them, have bugs that automatically execute the file attached to the email when you merely try to view the message.
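The header check described above, as an added example that is not part of the original page: the script walks a message's Received: lines to find the host that first handed the mail in, and compares it with the domain in the From: field. Both messages are constructed samples; every host name and address in them is a placeholder.

```python
"""Check where an email really entered the mail system by walking its
Received: headers. Added example for this page, not code from the original
site; the two messages below are constructed samples and every host name
and address in them is a placeholder."""
import email
import email.utils
import re

# Constructed sample 1: the From: field claims a friend's address, but the
# oldest Received: line shows the message was injected at a foreign relay.
SAMPLE_SPOOFED = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.org with ESMTP id abc123; Mon, 3 Mar 2003 10:02:11 +0000
Received: from relay.example.jp (relay.example.jp [198.51.100.7])
    by mx.example.net with SMTP id def456; Mon, 3 Mar 2003 10:01:58 +0000
From: Friend <friend@example.org>
To: you@example.org
Subject: Microsoft IE Update

Please run the attached update.
"""

# Constructed sample 2: the same sender, this time handed in by a host that
# belongs to the sender's own domain.
SAMPLE_GENUINE = """\
Received: from smtp.example.org (smtp.example.org [192.0.2.25])
    by mail.example.org with ESMTP id ghi789; Mon, 3 Mar 2003 11:00:00 +0000
From: Friend <friend@example.org>
To: you@example.org
Subject: photos from the weekend

Attached as promised.
"""

_FROM_HOST = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
_BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def received_hops(raw_message):
    """Return the Received: chain oldest-first as (from_host, by_host) pairs.

    Each relay prepends its own Received: line, so the header order is
    newest-first and the last one describes the hop closest to the sender."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())          # unfold continuation lines
        from_m = _FROM_HOST.match(flat)
        by_m = _BY_HOST.search(flat)
        hops.append((from_m.group(1).lower() if from_m else None,
                     by_m.group(1).lower() if by_m else None))
    return hops


def analyze_origin(raw_message):
    """Compare the host that first handed the message in with the From: domain."""
    msg = email.message_from_string(raw_message)
    _, address = email.utils.parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    hops = received_hops(raw_message)
    origin_host = hops[0][0] if hops and hops[0][0] else ""
    in_domain = bool(from_domain) and (
        origin_host == from_domain or origin_host.endswith("." + from_domain))
    return {
        "from_domain": from_domain,
        "origin_host": origin_host,
        "hops": hops,
        "suspicious": not in_domain,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("genuine", SAMPLE_GENUINE)):
        result = analyze_origin(raw)
        print(label, "-> origin", result["origin_host"], "claims", result["from_domain"],
              "SUSPICIOUS" if result["suspicious"] else "consistent")
```

This is a heuristic, not proof: mail from a friend often enters through their ISP's or webmail provider's servers, so a mismatch is a prompt to look closer rather than a verdict. Also remember that the sender controls the oldest Received: lines and can forge them; only the lines added by servers you trust (your own provider's) are reliable.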

Email Software Bugs

Users do not update their software as often as they should, and a lot of attackers take advantage of this well-known fact. You may receive a letter inviting you to visit a (malicious) site where, by means of bugs in old versions of Internet Explorer, you'll be infected automatically, without downloading or executing any program yourself. The same scenario applies when you check your email with Outlook Express or some other software with well-known problems: again, you will be infected without opening the attachment. Make sure you always have the latest version of your browser and email software, and reduce the ways of getting infected to a minimum.

As you can see, this is an extremely vital issue that requires you to be always up to date with the latest version of any software you're using. By using an updated anti-virus program that detects Trojans and a good firewall such as Zone Alarm that blocks outgoing connections, you can be relatively safe both from being infected and from being accessed by an intruder if you are already infected. However, it's important to understand that an anti-virus / anti-Trojan program and a firewall won't help you if you carelessly click on just about any email attachment or file you download. The most important part of security is eternal vigilance.

How can I find out if I am already infected by a Trojan?

Depending on the type of Trojan, the signs may differ, but always look for strange behavior of your computer.

  • A strange, unknown Windows message box appears on your screen asking you personal questions.
  • It's normal to visit a web site and have several extra pop-up pages appear along with the one you visited. But when you do nothing at all and your browser suddenly takes you to a page unknown to you, take that seriously.
  • Your Windows settings change by themselves: for example, a new screensaver text appears; the date/time or sound volume changes by itself; your mouse moves by itself; the CD-ROM drawer opens and closes.

Please note that more advanced attackers will just spy on you and use your infected machine for some specific purpose, and will not perform any of the above "tricks", so as not to cause suspicious activity on the target system (which would probably get them detected). Someone who just wants to have fun at your expense is more likely to perform those actions.

It's a good idea to be proactive and every once in a while look at all the programs running in the background for strange or unfamiliar program names. It is also helpful to look for listening ports on your machine. You can do this by typing "netstat -an" in a command prompt (DOS) session. Look for ports that are marked "LISTENING" and compare those port numbers with the suspected-Trojan port lists available on the Internet.
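One way to make the netstat review above repeatable, as an added example that is not part of the original page: parse saved "netstat -an" output, list the listening ports, and compare them both against a baseline of ports you expect on that machine and against a watch list of well-known default Trojan ports. The netstat output is a constructed sample in the format Windows prints, and the baseline and watch list are illustrative values to replace with your own.

```python
"""Review the listening ports reported by "netstat -an". Added example for
this page, not code from the original site. The netstat output below is a
constructed sample in the Windows format; the baseline and watch list are
illustrative values you would replace with your own."""

# Constructed sample of "netstat -an" output on a Windows machine.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.0.2.5:1043         198.51.100.9:80        ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
"""

# Ports you expect to be open on this particular machine (your own baseline).
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 137)}

# Illustrative watch list: default ports of some old, well-known Trojans.
# Attackers can reconfigure the port, so absence from this list proves nothing.
TROJAN_PORT_WATCHLIST = {
    12345: "NetBus (default port)",
    27374: "SubSeven (default port)",
    31337: "Back Orifice (default port)",
}


def listening_ports(netstat_text):
    """Extract (proto, port) pairs for TCP sockets in LISTENING state and for
    all bound UDP sockets, in order of appearance, without duplicates."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue                      # header, blank line or other text
        proto, local = fields[0], fields[1]
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue                      # established/closing TCP connections
        port = int(local.rsplit(":", 1)[1])   # works for 0.0.0.0:135 and [::]:135
        if (proto, port) not in found:
            found.append((proto, port))
    return found


def review_listeners(netstat_text, expected=EXPECTED_LISTENERS,
                     watchlist=TROJAN_PORT_WATCHLIST):
    """Report listeners outside the baseline and any that match the watch list."""
    listeners = listening_ports(netstat_text)
    unexpected = [entry for entry in listeners if entry not in expected]
    hits = [(proto, port, watchlist[port])
            for proto, port in listeners if port in watchlist]
    return {"listeners": listeners, "unexpected": unexpected, "watchlist_hits": hits}


if __name__ == "__main__":
    report = review_listeners(SAMPLE_NETSTAT)
    for proto, port in report["unexpected"]:
        print(f"unexpected listener: {proto} port {port}")
    for proto, port, name in report["watchlist_hits"]:
        print(f"watch list hit: {proto} port {port} -> {name}")
```

The baseline matters more than the watch list: a listener you cannot account for deserves a look whatever its number, and a Trojan configured to a non-default port will never appear in any published list. On a real machine, save the output with "netstat -an > ports.txt" and feed that file to review_listeners; on Windows XP and later, "netstat -ano" also prints the owning process id, which tells you which program to inspect.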

Using anti-Trojan software is a great help too. You can find free anti-Trojan programs on the Internet, and a few non-free ones as well, and all of them will do the job in one way or another. Of course, you should always watch for strange programs asking your firewall for permission to get out of your computer. If you don't know which program it is, always say "no" and seek help before allowing the program out.

How do I get rid of a Trojan?

Anti-Virus (AV) and Anti-Trojans (AT) Scanners

Trojans are likely to be recognized by most up-to-date virus scanners; however, once the Trojan is executed, it makes several changes to your registry and configuration which are not easily detected by virus scanners and can't be cleaned automatically. That's where an anti-Trojan program may do a better job of cleaning your computer. Anti-Trojan packages rely not only on "signatures" of each Trojan's server executable and its common auto-starting methods (as anti-virus products mainly do), but use specific advanced Trojan scanning and detection systems. For maximum protection, it's recommended to use both anti-virus and anti-Trojan software.

However, once you are infected, and depending on how long you've been infected, the intruder may have made even more modifications to your computer manually, which makes it hard to detect and even harder to be absolutely sure that you are completely clean. So you should sometimes be prepared to do a clean format if your computer holds valuable information or is a mission-critical machine.

After You Clean Yourself

Your machine has been compromised; probably a lot of sensitive data has been stolen, files have been modified and illegal activities have been performed on your computer. Here are some recommendations about what to do after you are clean of Trojans.

  • Account data such as ISP passwords, ICQ, mIRC, FTP, web site passwords and email passwords are definitely known to the attacker. Contact your ISP about changing your dial-up password if you use such a connection. Immediately change your ICQ and mIRC passwords. Change your web-based email passwords and check the information stored there, as the password-retrieval services of email providers such as Yahoo and Hotmail use this information combined with a "secret question". Attackers often change that information, the answer to the secret question and many other things that will easily get them back into your mailbox, whether you've changed your password or not.
  • There is a real possibility that the attacker has sent the Trojan to, and possibly infected, all the correspondents in your address book. Mail all of these people, ask them whether they received any files from your mailbox, and inform them that someone else might know your email password, so that they can take appropriate action.
  • Think for a while about the sensitive information you had on your machine before the compromise, and if you are absolutely sure the attacker may know it too, take appropriate action, such as informing the institutions to which the sensitive data belongs.
  • Scan your whole machine with an anti-virus scanner, as the attacker could have placed a virus or infected macro documents on your machine to do destructive things even when he/she no longer has access to it.

Related Information

  • Trojan Types
  • Anti-Trojan Tips

© 2003-2005 Glastonberry Inc.