A ghost in software
Azadeh Radmand
Course ID: CPSC 6126
Columbus, GA, USA
November 2009
Columbus State University
Abstract:
As more users are attached to the Internet and conduct their activities electronically, information security becomes more important. Unfortunately, even a single use of an infected USB flash drive can allow malware to destroy a system. In addition, malware often allows an adversary to gain full control of a host in order to extract the user’s data or to install a tool that facilitates remote control of the host. There are many different types of malware, such as viruses, worms, Trojan horses, and trapdoors or backdoors.
This paper will introduce the Trojan horse and discuss the Trojan vulnerability. It will also introduce different types of Trojans, go into some detail on Trojans in mobile devices, and provide an example. Next, it will explain how Trojan horses work. It will discuss Trojan signatures and explain how the threat can be detected. Finally, this paper will review related work on two proposed methods for detecting and defeating rare-value Trojans that are hard-wired into integrated circuits.
Keywords:
Malware, Trojan horses
Introduction:
In the late 1990s, the anti-virus industry encountered a new type of malware: the Trojan horse. At first, programmers and security experts accused a company of exaggerating the Trojan threat in order to sell its security software, but later this problem opened the door to more serious risks. While the first versions of Trojan horses were benign, more recent versions of this type of malware have posed a greater threat to both the Internet and local-area networks.
The rest of this paper is organized as follows. Section 2 describes Trojan horses and focuses on their vulnerability. Section 3 describes how Trojans work, and Section 4 explains different types of Trojans. In Section 5, we discuss Trojan signatures and explain how the threat can be detected. Section 6 reviews related work, and Section 7 summarizes and provides a conclusion.
The term Trojan comes from a story in Greek mythology. Trojan horses, unlike viruses and worms, are not self-replicating.
Some important purposes of Trojan horses include:
· Performing distributed denial-of-service (DDoS) attacks
· Monitoring the user’s screen to extract sensitive information
· Modifying the user’s files
· Deleting the user’s files
Recently, video/music sharing and e-commerce transactions have come to be used on mobile devices as well as on PCs. However, these features of the technology become very risky when exposed to malware [1]. Some features of the operating systems of many mobile devices can be exploited by Trojans, which disguise themselves as otherwise useful programs (“cracking”). This type of attack on the integrity of the user and the system can be introduced by another malware or by an infected memory card. Once a Trojan infects a device, its actions may violate system data integrity and modify other parts of the handset environment. There are thus two infection vectors for Trojans on mobile devices: (i) a memory card and (ii) another malware.
Example: The Cardblock Trojan is a cracked version of InstantSis. This malware looks very much like InstantSis, but when a user tries to use the program, it blocks the MMC memory card by setting a random password on the card.
How Trojans work
A Trojan consists of two parts: a client and a server. The server runs on the victim’s computer and waits for commands from the client, which in this case is the attacker. In order to establish a connection between the client and the server, the attacker’s client must know the IP address of the victim’s computer. That IP address is usually sent to the attacker via email or another form of communication.
However, these days, with network address translation (NAT), this process is challenging because the victim’s external IP address is often not reachable. Therefore, Trojans use another method, called “reverse-connect”. With this method, the Trojan connects to the attacker’s computer, instead of the attacker connecting to his or her victim [3].
Trojan types
In this section I would like to mention some of the important types of Trojan [3].
Remote Access Trojan
This is one of the most common types of Trojan. With this method an attacker can control the victim’s computer remotely and therefore gain access to files, sensitive information, accounting data, etc.
Password sending Trojan
This type of Trojan harvests all the cached passwords and sends them to the attacker via email without the user noticing anything. Moreover, any application that requires the user to log in can be used to send the password to the attacker.
Destructive
This type of Trojan is the only one whose purpose is to destroy and delete files. A destructive Trojan can delete all the system files automatically on the attacker’s direct command, or it can be activated at a certain time, like a logic bomb.
Trojan Signatures
Some antivirus products, such as Norton, can detect some versions of the Trojan, such as “srvcp.exe” [2]. This is done by examining the infected machine’s registry for the presence of the Trojan’s key and checking for the existence of the gus.ini file in the machine’s system directory. However, there is some likelihood that the search will be unsuccessful.
The Trojan can be modified in order to make it more difficult to detect. For example, a plain text editor can mutate the compiled executable by changing the name of the gus.ini file. The string that is searched for, in its encrypted form, is “nhl*pwf”. Changing one letter of the encrypted string to make it “nhl*pwg” results in a modified version of the Trojan that uses the file name “fus.ini” instead of “gus.ini”. This change causes an antivirus like Norton to fail to detect the modified Trojan.
Another way to detect the Trojan horse, other than by its signature, is to monitor its network communication. For example, the Trojan listens on TCP port 113 for Ident requests, which running the “netstat -a” command will reveal. Scanning the network for hosts that run Identd without authorization can therefore be an effective way of detecting the Trojan remotely. Based on [2], “Once the Trojan successfully connected to an IRC server, the “netstat -a” is likely to show a TCP connection to an external server on either port 6667 or 6666. This kind of communication can be detected using a network-based Intrusion Detection System (IDS) if the organization’s workstations do not normally use IRC.”
However, a more reliable way to detect a Trojan with a network IDS is to scan each packet that is associated with Trojan activities. One way is to look for a string in the network stream, which is more effective than an antivirus signature on the file, since that signature can simply be changed. One variant of this is to look for the string that a single IRC client changes every three seconds or so. However, implementing this method exhausts resources and is not feasible, since the IDS has to keep state information about potentially malicious traffic across multiple packets. On the other hand, the IDS can be adjusted to scan packets for an encrypted command that is used in the Trojan’s operation, since the encrypted form of these command strings remains unchanged for the Trojan unless the encryption algorithm itself is modified.
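The two host-side network indicators described above (an Ident listener on TCP port 113 and an established connection to an external IRC server on port 6666 or 6667) can be checked automatically from “netstat -a” output. The following is an added example, not part of the paper or of [2]; the netstat output and the addresses in it are constructed for illustration, and the Windows-style column layout is an assumption.

```python
import re

# Ports the paper associates with the Trojan's network behaviour.
IDENT_PORT = 113
IRC_PORTS = {6666, 6667}

# Matches Windows-style "netstat -a" TCP rows:
#   TCP    <local addr>:<port>    <foreign addr>:<port|*>    <STATE>
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)")


def parse_netstat(output):
    """Turn raw 'netstat -a' text into a list of TCP socket records."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and UDP rows are skipped
        rows.append({
            "lport": int(m.group(2)),
            "rhost": m.group(3),
            "rport": None if m.group(4) == "*" else int(m.group(4)),
            "state": m.group(5),
        })
    return rows


def find_indicators(output, irc_allowed=False):
    """Return the Trojan indicators found in the netstat output.

    irc_allowed=True models a workstation that legitimately uses IRC,
    in which case (as [2] notes) the IRC connection alone is not telling.
    """
    alerts = []
    for r in parse_netstat(output):
        if r["state"] == "LISTENING" and r["lport"] == IDENT_PORT:
            alerts.append(f"ident listener on tcp/{IDENT_PORT}")
        elif (r["state"] == "ESTABLISHED" and r["rport"] in IRC_PORTS
              and not irc_allowed):
            alerts.append(f"irc connection to {r['rhost']}:{r['rport']}")
    return alerts


# Constructed sample output; 203.0.113.10 stands in for an external IRC server.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.23:1044      203.0.113.10:6667      ESTABLISHED
  TCP    192.168.1.23:1051      198.51.100.7:443       ESTABLISHED
"""

if __name__ == "__main__":
    for alert in find_indicators(SAMPLE_NETSTAT):
        print("suspicious:", alert)
```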
Related work
A closely related work to this paper is the article titled “Towards Trojan-Free Trusted ICs: Problem Analysis and Detection Scheme” [4] by Francis Wolff, Chris Papachristou, Swarup Bhunia, and Rajat S. Chakraborty. This article offers two solutions to the growing problem of hardware Trojans. It starts by explaining that hardware manufacturers are increasingly turning to outsourcing to meet their manufacturing needs for integrated circuits (ICs). It further states that this trend has left the industry open to attackers who hard-wire Trojans into the ICs. These hard-wired Trojans are often well camouflaged and engineered to defeat most conventional methods of detecting them.
The writers explain that there are many varieties of these hardware Trojans. They explain that Trojan circuits are generally classified by the type of trigger or payload mechanism they employ; the taxonomy from their paper is shown in Figure 1. Each of these can be digital, analog, or a combination of the two. Since, as the article implies, those that are easier to detect have a decreased chance of ever being triggered, it is the Trojans that are more difficult to detect that pose the biggest threat to the computer industry. Because of this, the focus of the article is on rare-value digital Trojan circuits.
The two solutions that the article offers have one thing in common – they each capitalize on the observation that Trojan manufacturers purposely design their Trojans to be triggered by rare events or values. The proposed solutions, therefore, involve establishing methods for seeking and finding the places where the IC is most vulnerable to these rare events or values.
Figure 1. Trojan Circuit Taxonomy
Conclusion:
In conclusion, this paper introduced a type of malware that is different from viruses and worms: the Trojan horse. The paper explained different types of Trojans and how a Trojan works. In addition, it described Trojans in mobile devices and gave an example. It also explained how Trojan horses attack a user’s resources. Furthermore, it discussed two different methods of detecting Trojan horses: by a signature and by monitoring network communications. Finally, it reviewed related work on two proposed methods for detecting and defeating rare-value Trojans that are hard-wired into integrated circuits.
References:
[1] A. Bose, X. Hu, T. Park, “Behavioral detection of malware on mobile handsets”, Proceedings of the 6th International Conference on Mobile Systems, Applications, and Services, Breckenridge, CO, USA, 2008, ACM, pp. 225-238.
[2] L. Zeltser, “Reverse Engineering Malware”, 2001.
[3] M. Siddiqui, M. Wang, “Detecting Internet Worms Using Data Mining Techniques”, Journal of Systemics, Cybernetics and Informatics, Florida.
[4] F. Wolff, C. Papachristou, S. Bhunia, R. S. Chakraborty, “Towards Trojan-Free Trusted ICs: Problem Analysis and Detection Scheme”, Proceedings of the Conference on Design, Automation and Test in Europe, Munich, Germany, 2008, ACM, pp. 1362-1365.