Trojans FAQ

 

We have all heard a lot about trojan horse programs and the threat that they pose to your network's security. This Trojan FAQ sheds some light on what these programs are, what they do and how they can infect your network, and suggests measures that can be taken to prevent such infections. You can make sure that you have a good grasp of these malicious programs by browsing through this regularly updated Trojan FAQ, which provides the answers to these questions and many others. With thanks to Dancho Danchev for his contributions to this FAQ.

 

Updated: Jun 26, 2003

FAQ: Part One - Introducing Trojans. 

01.Introduction 

Trojan horses pose one of the most significant threats to the Windows OS: they expose sensitive information to malicious attackers and give them full access to the computer, which often results in further illegal activities carried out via the infected computer. This paper covers the Windows Trojans topic in depth and highlights many of its important aspects, but it also acts as a FAQ, summarizing the topic in a brief, easy-to-understand, yet effective and informative way. The FAQ will be updated on a monthly basis, so be sure to come back; we've also created a newsletter that will let you know when the site is updated.

02.What is a Trojan horse? 

Basically a Trojan horse can be defined as:

  • An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user.
  • A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown (and probably unwanted) by the user.
  • Any program that appears to perform a desirable and necessary function but (because of unauthorized code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user.

The trojan has borrowed its name from the old mythical story about how the Greeks gave their enemy a huge wooden horse as a gift; after the enemy accepted it, the Greek soldiers crept out of the horse during the night and conquered the city.

03.How do Trojans work?  

Most trojans come in two parts, a Client and a Server, but there are exceptions where the trojan does not need a Client, as it's able to do automatically what it was intended to do (stealing passwords, business data, etc.) without any intervention from the attacker. Those that use both a Client and a Server, however, need assistance from the attacker. Once the victim (unknowingly) runs the Server, the attacker will use a port to connect to the Server (your computer) and start using the Trojan. TCP/IP is the usual protocol used, but there are exceptions using ICMP and UDP as well. When the Server is executed on the victim's machine, it will hide itself somewhere within the computer and start listening on the port specified by the attacker. However, there are trojans that automatically listen for incoming connections once run, and which wait for a period of time to reduce the risk of being detected.

It's necessary for the attacker to know the victim's IP address to connect to his/her machine. Many trojans have features such as the ability to mail the victim's IP, as well as the ability to message the attacker via ICQ or IRC. This is used when the victim has a dynamic IP, which means that every time you connect to the Internet you get a different IP (most of the dial-up users have this). ADSL users have static IPs so the infected IP is always known to the attacker and this makes it considerably easier to connect to your machine.

Most Trojans use auto-starting methods in order to run each time your computer is started. These methods include, but are not limited to, using the Windows Registry, using some of the Windows system files, and using third-party configuration files.

System files are located in the Windows Directory. Here is a brief explanation of most of the common auto-starting methods that use the Windows System Files:

  • Autostart Folder

The Autostart folder is located in C:\Windows\Start Menu\Programs\startup and as its name suggests, automatically starts everything placed within this folder.

  • Win.ini

Windows system file using load=Trojan.exe and run=Trojan.exe to execute the Trojan.

  • System.ini

Using Shell=Explorer.exe trojan.exe results in the execution of every file listed after Explorer.exe.

  • Wininit.ini

Mostly used by Setup-Programs. Once it is run, it is auto-deleted, which is very handy for trojans to restart.

  • Winstart.bat

Acting as a normal bat file, the trojan is added as @trojan.exe to hide its execution from the user.

  • Autoexec.bat

It's a DOS auto-starting file, and it's used as an auto-starting method like this: c:\Trojan.exe

  • Config.sys

Could also be used as an auto-starting method for trojans.

  • Explorer Startup

This is an auto-starting method for Windows 95, 98 and ME: if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.

The Windows Registry is another place commonly used by Trojans for auto-starting. Here are some known ways:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\directory\Trojan.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Info"="c:\directory\Trojan.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Info"="c:\directory\Trojan.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Info"="c:\directory\Trojan.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\directory\Trojan.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Info"="c:\directory\Trojan.exe"

- Registry Shell Open

[HKEY_CLASSES_ROOT\exefile\shell\open\command] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]

The value of this key should be "%1 %*". If an executable file is placed in front of it, that file will be executed each time you open a binary file. It's used like this: trojan.exe "%1 %*"; this would restart the trojan.

- ICQ Net Detect Method 

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]

This key includes all the files that will be executed when ICQ detects an Internet connection. As you can understand, this feature of ICQ is very handy but it's frequently abused by attackers as well.

- ActiveX Component

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\InstalledComponents\KeyName] 
StubPath=C:\directory\Trojan.exe

All of the aforementioned methods are well known to the community, although you should not rely on them (by checking these Registry Entries, as well as the System Files ones) as a foolproof method for detecting Trojans, because new methods are discovered literally every day.
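As an added example (not part of the original FAQ), the Python sketch below audits the auto-start locations listed above using copies of win.ini, system.ini and a REGEDIT4-style registry export. The sample files, the baseline set and the function names are constructed for illustration, and the Active Setup key is matched with or without the space in "Installed Components".

```python
import re

def _norm(key):
    # Lowercase and drop spaces so "InstalledComponents" (as written in the FAQ)
    # and "Installed Components" (as Windows spells it) compare equal.
    return key.lower().replace(" ", "")

_CV = r"\Software\Microsoft\Windows\CurrentVersion" + "\\"
RUN_KEYS = {_norm(hive + _CV + name) for hive, names in (
    ("HKEY_LOCAL_MACHINE", ("Run", "RunOnce", "RunServices", "RunServicesOnce")),
    ("HKEY_CURRENT_USER", ("Run", "RunOnce"))) for name in names}
SHELL_OPEN_KEYS = {
    _norm(r"HKEY_CLASSES_ROOT\exefile\shell\open\command"),
    _norm(r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command")}
ICQ_APPS = _norm(r"HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps")
ACTIVE_SETUP = _norm(
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\InstalledComponents")

_KEY = re.compile(r"\[(.+)\]")
_VALUE = re.compile(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"')

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY.fullmatch(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE.fullmatch(line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \\ and \" escapes
            yield key, name, data

def audit_reg(text, baseline=frozenset()):
    """Return auto-start registry values that are not in the known-good baseline."""
    findings = []
    for key, name, data in parse_reg(text):
        k = _norm(key)
        if k in SHELL_OPEN_KEYS:
            # Anything other than the bare "%1 %*" handler means a program
            # has been placed in front of every .exe launch.
            hit = name == "(Default)" and data.replace('"', "").strip() != "%1 %*"
        elif k in RUN_KEYS or k.startswith(ICQ_APPS):
            hit = data.lower() not in baseline
        elif k.startswith(ACTIVE_SETUP):
            hit = name.lower() == "stubpath" and data.lower() not in baseline
        else:
            hit = False
        if hit:
            findings.append((key, name, data))
    return findings

def audit_ini(text, filename):
    """Flag win.ini load=/run= entries and a system.ini shell= that is not just Explorer."""
    findings, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "=" not in line or line.startswith(";"):
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        name = name.lower()
        if section == "windows" and name in ("load", "run") and value:
            findings.append((filename, name, value))
        elif section == "boot" and name == "shell" and value.lower() != "explorer.exe":
            findings.append((filename, name, value))
    return findings

# Constructed sample inputs, using the placeholder names from the FAQ.
SAMPLE_WIN_INI = r'''[windows]
load=
run=c:\directory\Trojan.exe
'''
SAMPLE_SYSTEM_INI = r'''[boot]
shell=Explorer.exe trojan.exe
[386Enh]
device=*vshare
'''
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Info"="c:\\directory\\Trojan.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="trojan.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
"StubPath"="C:\\directory\\Trojan.exe"
"Version"="1,0,0,0"
'''

if __name__ == "__main__":
    known_good = {"systray.exe"}  # constructed baseline of approved commands
    for finding in (audit_ini(SAMPLE_WIN_INI, "win.ini")
                    + audit_ini(SAMPLE_SYSTEM_INI, "system.ini")
                    + audit_reg(SAMPLE_REG, known_good)):
        print(finding)
```

Anything the audit reports is a lead to review rather than proof of infection, and a clean result does not rule out start-up methods that are not on this list.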

04.What are their functions?  

Windows Trojans vary in their functions and abilities, although here's a brief summary of the most common ones:

  • Change the victim's resolution. This function displays a list of all the resolutions available on the victim's computer; the attacker just picks one and hits "change it!", after which your resolution is changed.
  • Notify. The attacker is notified by e-mail, ICQ or IRC when you're online, and is sent your IP if you have a dynamic one.
  • Process monitoring. The attacker has the ability to monitor all of your processes, start new ones, and kill current ones.
  • Registry editor. It gives the attacker the ability to view/create/delete/change everything in the registry.
  • Find files feature. Provides the attacker with the opportunity to find any file on the hard drive, if he/she is looking for something particular.
  • ScrollLock, CapsLock, NumLock can be turned ON and OFF by the attacker, this function is defined as a "fun" one.
  • Disconnect victim. The attacker can hang up the victim's connection to the net at anytime.
  • Screenshot. The attacker can make screenshots of your activities, which are directly transferred to his/her computer, however there are more advanced functions including Web Cam monitoring, as well as microphone recording, if you have any of these of course.
  • Flip Screen. That's an obvious one, and it's again considered as a "fun" one
  • Hide/Show the victim's desktop icons. Annoying the victim is what amuses people sometimes.
  • FTP server. This option turns your PC into a FTP server accessible by the whole world, or to the attacker only.
  • Open the browser at an address specified by the attacker.
  • Hide/show the Start button.
  • Enable/Disable keyboard.
  • Chat with the victim. Interesting function enabling the attacker to open an ICQ look-alike chat with the victim.
  • Start/stop the victim's PC Speaker.
  • Restart windows.
  • Open/Close the CD-ROM tray.
  • Turn monitor on/off.
  • Get more information about the victim's computer. For example: Windows version, user name, company name, screen resolution, etc.
  • File manager. This function acts as an explorer for the attacker while browsing through your system.
  • Retrieve passwords. This function will provide the attacker with the recorded passwords on your computer.
  • KeyLogger. Logs all of the keys you've pressed, could be achieved in offline/online mode.

There you have the most common Trojan functions. As you've noticed, most of these could be, and are, pretty dangerous and destructive ones.

05.How dangerous are they?  

Windows Trojans represent a large security threat to your computer. Here I'll cover various scenarios, as well as provide you with further information so that you'll be able to realize how dangerous they are indeed.

As you've noticed while reading all of the aforementioned functions, they can be pretty dangerous. The attacker can have access to ALL of your files, personal information, sensitive work projects, and other confidential information just using the Keylogger, and the Explorer functions. In most cases the attacker will be looking for:

  • Credit Card Information (often used for domain registration, shopping with your credit card).
  • Any accounting data (E-mail passwords, Dial-Up passwords, WebServices passwords, etc.).
  • Email Addresses (Might be used for spamming, as explained above).
  • Work Projects (Steal your presentations and work related papers).
  • Children's names/pictures, Ages (pedophile attacker?!).
  • Schoolwork (steal your papers and publish them with his/her name on it).

You should realize that Trojans can be very destructive, and that they're not only used to delete files, but to steal people's work, job projects, and many other illegal activities.

On the other hand some advanced attackers will use your computer in order to commit further online crimes, and involve you in other illegal activities, thus turning your computer into a proxy, enabling them to move through your computer without any traces left, before they reach their potential aim. It can be illustrated as:

attacker--->your computer--->computer to be attacked
               (turned into a proxy)

As you can see, this is extremely dangerous to you, as the traces will lead back to you no matter what the attacker is doing while having access to your PC; in 99% of the cases it will be an illegal activity.

You can contribute to a DDoS (Distributed Denial of Service) attack, as your computer might be turned into a so-called "zombie", providing the attacker with the ability to use your bandwidth for flooding and causing damage to other networks.

06.What are the most common Trojans?  

Here are the most popular kinds, although most of these represent a combination of several more. Let's not forget the non-public ones, which will never be released to the public and are used for the attacker's illegal activities; those are some of the most dangerous ones.

Remote Access Trojans (RAT's)

These are probably the most publicly used Trojans, simply because they give the attackers the power to do more things on the victim's machine than the victim himself, while standing in front of the machine. The idea of these Trojans is to give the attacker COMPLETE access to someone's machine, and therefore access to files, private conversations, accounting data, etc.

Password Sending Trojans

The purpose of these trojans is to rip all cached passwords and also look for other passwords you're entering, and then send them to a specific mail address without the user noticing anything. Passwords for ICQ, IRC, FTP, HTTP or any other application that requires a user to enter a login+password are sent back to the attacker's e-mail address.

Keyloggers

These trojans are very simple. The only thing they do is to log the keystrokes of the victim and then let the attacker search for passwords or other sensitive data in the log file. Most of them come with two functions such as online and offline recording. Of course they could be configured to send the log file to a specific e-mail address on a daily basis.

Destructive

The only function of these trojans is to destroy and delete files. This makes them very simple and easy to use. They can automatically delete all your core system files (for example: .dll, .ini or .exe files, possibly others) on your machine.

Denial Of Service (DoS) Attack Trojans

These trojans are becoming very popular these days, giving the attacker the power to start a DDoS, provided enough victims have been infected of course. The main idea is that if you have 200 ADSL users infected and start attacking the victim simultaneously, this will generate a LOT of traffic (more than the victim's bandwidth, in most cases) and the victim's access to the Internet will be shut down. WinTrinoo is a DDoS tool that has become really popular recently, and if the attacker has infected many ADSL users, major Internet sites could be shut down as a result, as we've seen happen in the past few months.

Another variation of a DoS trojan is the mail-bomb trojan, whose main aim is to infect as many machines as possible and simultaneously attack specific e-mail address/addresses with random subjects and contents which cannot be filtered.

Proxy/Wingate Trojans

An interesting feature implemented in many trojans is the ability to turn the victim's computer into a proxy/wingate server available to the whole world or only to the attacker. It's used for anonymous Telnet, ICQ, IRC, etc., and also to register domains with stolen credit cards and for many other illegal activities. This gives the attacker complete anonymity and the chance to do everything from YOUR computer and if he/she gets caught the trace leads back to you.

FTP Trojans

These trojans are probably the simplest ones and are kind of outdated, as the only thing they do is open port 21 (the port for FTP transfers) and let EVERYONE, or only the attacker, connect to your machine. Newer versions are password protected so only the one that infected you may connect to your computer.

Software Detection Killers

There are such functionalities built into some trojans, but there are also separate programs that will kill ZoneAlarm, Norton Anti-Virus and many other (popular anti-virus/firewall) programs that protect your machine. When they are disabled, the attacker will have full access to your machine, enabling the attacker to perform some illegal activity, use your computer to attack others and often disappear. Even though you may notice that these programs are not working or functioning properly, it will take you some time to remove the trojan, install the new software, configure it and get back online with some sense of security.

FAQ: Part Two - How and Why? 

07.In what ways could I be infected?  

The Complete Windows Trojans Paper discusses in depth each of the possible scenarios for becoming infected with a trojan. You're strongly advised to look at them closely, so that you can understand and properly react to the threat posed by Windows Trojans.

Via ICQ

People don't understand that they can also get infected while talking via ICQ or any other Instant Messenger Application. It's all risky when it's about receiving files no matter from whom and no matter from where.

Believe it or not, there are still guys out there using really old versions of ICQ and it's all because they can see the IP of the person they're talking to. The older versions of ICQ had such functionality and it was useful for everyone capable of using winnuke and other DoS tools, but really how hard is it to launch such attacks with only the click of the mouse? These people are often potential victims of someone that is more knowledgeable on Windows Trojans and takes advantage of their old ICQ versions.

Let's review various ways of getting infected via ICQ:

  • You can never be 100% sure who's on the other side of the computer at that particular moment. It could be someone that hacked your friend's ICQ UIN (Unique Identification Number) and wants to spread some trojans among his/her friends. You'll definitely trust your best dude Bob if he offers you something interesting, but is it really Bob on the other side?
  • Old versions of ICQ had bugs in the WebServer feature, which creates a site on your computer, with your info from the ICQ database. The bug constitutes a security hole in that the attacker can have access to EVERY file on your machine and if you read the previous sections carefully and know the auto-start methods, you'll probably realize what could happen if someone has access to your win.ini or other system file, namely a trojan installed in a few minutes.
  • Trojan.exe is renamed Trojan....(150 spaces).txt.exe and its icon is changed to that of a real .txt file; this will definitely get you infected. This bug has almost certainly been fixed in the newer version.

No matter which Instant Messenger Application you're using, you could always get yourself infected by certain program bugs that you have never had the chance to hear about, and never took the precaution of checking for newer versions of the application. Also when you’re receiving files no matter where and no matter from whom, take this potential threat very seriously and recognize the dangers of naïve behavior.

Via IRC

So many people LIVE on IRC and this is another place where you can get yourself infected. Trust is vital no matter what you're doing. No matter who is sending you files, whether they are pretending to be free porn archive, whether offering software for "free internet" or offering a Hotmail hacking program, DO NOT download any of these files. Newbies are often targets of these fakes, and believe me, many people are still newbies where security is concerned. Users get infected from porn-trade channels, and of course, warez channels, as they don't think about the risk but think only of getting free porn and free programs instead.

Here are several scenarios of how you may become infected while using IRC:

  • You're talking with someone, probably a "girl", having great time and of course, you want to see the person you're talking to. You ask for a picture or the "girl" offers you her pictures and I'm sure you'll definitely want to see them. The "girl" says that she has just created her first screensaver using some known free or commercial software and offers it to you, but how about if "she" mentions several pictures are nude ones?! You have been talking to "her" for a week or so, you get this screensaver.exe, you run it and yeah, VERY nice pics. Some are nude and she hasn't lied to you so nothing bad or suspicious has happened BUT think again what really has happened!
  • Trojan.exe could also be renamed to Trojan.scr, a screensaver extension, and will again run properly when you execute it, so pay attention to these file extensions.
  • Trojan.exe is renamed Trojan....(150 spaces).txt.exe. You'll get the file over IRC, and in the DCC it will appear as .TXT, so you won't become suspicious; you run it and get yourself infected again. In all of these examples the icon of the file is changed of course, because it needs to be the same icon as a normal .TXT, and this fools victims very often.
  • Most people don't notice in their Explorer that the Type of the file is Application BUT with a .TXT icon. So BEFORE you run something, even if it's with a .TXT icon, check its extension and make sure it really is a text file.
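The extension check recommended above can be automated for files received over ICQ, IRC or any other channel. The following Python sketch is an added example, not part of the original FAQ; the extension lists, the padding threshold and the verdict names are assumptions chosen for illustration.

```python
import os
import re

# Extensions Windows runs as programs, and harmless-looking ones used as a decoy.
# Both lists are constructed for this example and are not exhaustive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".pif"}
DECOY_EXTS = {".txt", ".jpg", ".gif", ".doc"}
PADDING = re.compile(r"\s{5,}")  # assumed threshold: 5 or more whitespace characters in a row

def name_flags(filename):
    """Return the reasons a received file name deserves suspicion (empty set if none)."""
    flags = set()
    stem, ext = os.path.splitext(filename.strip())
    if ext.lower() not in EXECUTABLE_EXTS:
        return flags
    flags.add("executable")          # the real type, whatever the icon shows
    inner = os.path.splitext(stem.rstrip())[1].lower()
    if inner in DECOY_EXTS:
        flags.add("decoy-extension")  # e.g. something.txt.exe
    if PADDING.search(filename):
        flags.add("padding")          # long run of spaces hides the real ending
    return flags

def triage(filenames):
    """Map each risky name to a verdict: 'block' for disguised names, 'review' otherwise."""
    report = {}
    for name in filenames:
        flags = name_flags(name)
        if not flags:
            continue
        disguised = flags & {"decoy-extension", "padding"}
        report[name] = ("block" if disguised else "review", sorted(flags))
    return report

# Constructed sample: the file names used as examples in the FAQ plus a real text file.
PADDED = "Trojan" + " " * 150 + ".txt.exe"
SAMPLE_NAMES = [PADDED, "Trojan.scr", "screensaver.exe", "notes.txt"]

if __name__ == "__main__":
    for name, (verdict, flags) in triage(SAMPLE_NAMES).items():
        print(f"{verdict:6} {flags} {name[:20]!r}... ({len(name)} chars)")
```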

Via Attachments

I'm always amazed by the number of people that get themselves infected by an attachment sent to their mailboxes. Most of these users are new to the Internet and are pretty naive. When they receive an email containing an attachment saying that they will get free porn, free Internet access etc., they run it without completely understanding the risk to their machines. Check the following scenario: you know your friend Alex is a very skilled Visual Basic programmer. You also know he's coding his latest program but you're curious as to what it is all about, and when he finishes coding the application you wait for an e-mail from him with the attachment. Yeah, but the person targeting YOU also knows that. The attacker also knows your friend's e-mail address. Then the attacker will simply code some program or get some freeware one, use some relaying mail server to fake the e-mail's FROM field and make it look like your friend's one. Alex's e-mail address is alex@example.com so the attacker's FROM field will be changed to alex@example.com and of course, it will include the TROJANED attachment... You'll check your mail, see that Alex finally has his program ready and has sent it as an attachment. You'll download and run it without thinking that it might be a trojan or something else, because hey, Alex wouldn't do something like that to me, he's my friend, and in this way you've just been infected.

Information Is Power! Simply because the attacker knew you were waiting for some particular file, he went ahead and found Alex's e-mail address and infected you...the timing of the attack assumes importance here. And it all happened just because you were naive, just because you saw alex@example.com in the FROM field, and just because you didn't check the mail headers to see that the mail actually came from some .jp mail server relaying e-mails and has been used by spammers for several months.

Many people have gotten themselves infected by the famous "Microsoft Internet Explorer Update" sent directly to their mailboxes, by the nonexistent Microsoft Updates Staff. I understand you may have felt great because Microsoft were paying you special attention and sent you the latest updates, but these "updates" are definitely trojans. Microsoft will NEVER send you updates of their software via e-mail even if you see that the FROM field is updates@microsoft.com and as you've noticed in the previous example the FROM field could be and IS faked. If you ever notice some mail in your mailbox with subjects like "Microsoft IE Update" and such, delete WITHOUT viewing or reading the e-mail, because some E-Mail clients like Outlook Express and others, have bugs that automatically execute the file being attached in the e-mail WITHOUT you even touching it. As you can imagine this is an extremely dangerous problem that requires you to keep yourself constantly up-to-date with the latest version of any software you're using.
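The header check from the Alex scenario above can be scripted. This added Python example (not from the original FAQ) compares the domain in the FROM field with the host that actually handed the message to your own mail server; the message, the host names mx.victim.example and relay.example.jp, and the addresses are constructed.

```python
import email
import re
from email.utils import parseaddr

# "from <host> ... by <host>" inside one Received header (may span folded lines).
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S | re.I)

def hops(msg):
    """Return (from_host, by_host) per Received header, newest (top of message) first."""
    out = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            out.append((m.group(1).lower(), m.group(2).lower().rstrip(";")))
    return out

def check_from(raw, my_servers):
    """Compare the FROM domain with the host that delivered the mail to our server."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Only the header written by our own server is trustworthy; everything
    # below it was supplied by the sending side and can be made up.
    handed_over_by = next((f for f, b in hops(msg) if b in my_servers), None)
    matches = handed_over_by is not None and (
        handed_over_by == from_domain
        or handed_over_by.endswith("." + from_domain))
    return {"from_domain": from_domain,
            "handed_over_by": handed_over_by,
            "mismatch": not matches}

# Constructed message: FROM claims example.com, but a .jp relay delivered it.
SPOOFED = """\
Received: from relay.example.jp (relay.example.jp [192.0.2.10])
\tby mx.victim.example with SMTP; Thu, 26 Jun 2003 10:15:00 +0000
Received: from alexpc (unknown [198.51.100.7])
\tby relay.example.jp with SMTP; Thu, 26 Jun 2003 10:14:58 +0000
From: Alex <alex@example.com>
To: you@victim.example
Subject: my new program

Here it is, finally finished. Run the attachment!
"""

if __name__ == "__main__":
    print(check_from(SPOOFED, {"mx.victim.example"}))
```

A mismatch is a reason to look closer before opening anything, not proof of forgery, since mailing lists and hosted mail services also deliver from other domains.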

Physical Access

Physical access is vital for your computer's security. Imagine what an attacker could do with physical access to your machine, and let's not forget that if you're always connected to the Internet and leave the room for several minutes, you've given someone a long enough chance to infect your machine. Here I'll illustrate several scenarios often used by attackers to infect your computer while they have physical access to it. There are some very smart people out there who keep thinking of new ways of gaining physical access to someone's computer. Here are some tricks that are interesting:

  • Your "friend" wants to infect you with a trojan and he/she has physical access to your machine. Let's say you were at home surfing the net, chatting or whatever. Suddenly your "friend" asks you for a glass of water, knowing that you'll go into another room and will be away for 1 or 2 minutes. While you do that, he/she takes a diskette out of his/her pocket and infects your unprotected PC. You come back and everything seems OK because your "friend" is doing exactly the same thing as before you left... surfing the net.
  • The next example is when 2 guys want to take revenge on you cause of something and are supporting each other in order to accomplish their task. Again you are at home with your "friend", surfing, chatting, whatever you're doing; suddenly the telephone rings and a "friend" of yours wants to speak with you for something that is really important. He/she asks, "Is there anyone around you? If so, please move somewhere away from him/her (after knowing it is him or her, of course). I don't want anyone to listen what I'm going to tell you". The victim is again lured away from the computer, leaving the attacker to do whatever he/she wants on the target computer.
  • Other approaches similar to the previous ones might be a sudden ring of the doorbell, as well as other variations of phone calls and conversations leaving the attacker alone with the victim's computer. There are so many other possible approaches; just think for a while and you'll see what I mean and how easily you could be tricked, and it's because you're not suspicious enough when it comes to your sensitive computer data.
  • Another method of infecting a computer while having physical access is through use of the Auto-Starting CD function. You've probably noticed that when you place a CD in your CDROM it automatically starts with some setup interface. Here's an example of the Autorun.inf file that is placed on such CD's:

  [autorun]
  open=setup.exe
  icon=setup.exe

So you can imagine that while running the real setup program a trojan could be run VERY easily, and since most of you probably aren’t aware of this CD function, you will become infected and won't understand what has happened and how it has been done. Yeah, I know it's convenient to have the setup.exe autostart but security is what really matters here, that's why you should turn off the Auto-Start functionality by doing the following:

Start Button->Settings->Control Panel->System->Device Manager->CDROM->Properties->Settings

And there you'll see a reference to Auto Insert Notification. Turn it off and you won't have any problems with that function anymore.

I know MANY other variations of physical access infections but these are the most common ones so pay attention and try to think up several more by yourself.

When the victim IS connected to the Internet:

Here we have many variations. Again, I'll mention the most common ones. While the attacker has physical access he/she may download the trojan.exe, using various ways just by knowing how various Internet protocols work.

  • A special IRCbot known only to the attacker is available in IRC whose only function is to DCC the trojan.exe back to the attacker whenever he/she messages the bot with a special command. The victim will probably be away from the computer.
  • The attacker says he/she wants to download a specific piece of software, such as a new version of some program (infected with a trojan, of course), visits some URL known only to him/her and then downloads the trojan.
  • The attacker pretends he/she wants to check his/her (web based) mail (for example, at Yahoo! or HotMail) but in fact has the trojan.exe stored in his/her mailbox and simply downloads and executes the file, hereby infecting the computer. In this case the mail service is used as a storage area.

There are many more ways of infecting the victim while connected to the Net, as you can imagine. Any of these examples will succeed but it all depends on the victim's knowledge of the Internet and how advanced his/her skills are, so the attacker needs to check these things somehow before doing any of the activities that I have mentioned here. After that, the attacker will be able to choose the best variant for infecting the victim and doing the job.

Browser And E-mail Software Bugs

Users do not update their software as often as they should, and a lot of attackers take advantage of this well-known fact. Imagine you are using an old version of Internet Explorer and you visit a (malicious) site that will check and automatically infect your machine without you having downloaded or executed any programs. The same scenario occurs when you check your e-mail with Outlook Express or some other software with well-known problems. Again you will be infected without having downloaded the attachment. Make sure that you always have the latest version of your browser and e-mail software, thus reducing the risk to a minimum.

Netbios (File Sharing)

If port 139 on your machine is opened, you're probably sharing files and this is another way for someone to access your machine, install trojan.exe and modify some system file, so it will run the next time you restart your PC. Sometimes the attacker may use DoS (Denial Of Service Attack) to shut down your machine and force you to reboot, so the trojan can restart itself immediately. To block file sharing in Win ME, go to:

Start->Settings->Control Panel->Network->File And Print Sharing

And uncheck the boxes there. That way you won't have any problems related to Netbios abuse.

Fake Programs

Imagine a freeware SimpleMail program that's very suitable for your needs and very handy, with features like an address book, an option to check several POP3 accounts and many other functions that make it even better than your e-mail client, and the best thing for you is that it's free. You use ZoneAlarm or some similar protection software and mark the program as a TRUSTED Internet server, so none of your programs will ever bother you about it. You are probably using it every day because it's working very well, no problems have ever occurred and you're happy, but a lot of things are going on in the background. Every mail you send and all your passwords for the POP3 accounts are being mailed directly to the attacker's mailbox without you noticing anything. Cached passwords and your keystrokes could also be mailed; the idea here is to gather as much info as possible and send it to the attacker. This info includes credit card numbers, passwords for various applications and many other things. Fake programs that have hidden functions often have professional-looking web sites and links to various anti-trojan software mentioned as affiliates to make you trust the site; a readme.txt is included in the setup, along with many other things to fool you into trusting it. Pay attention to freeware tools that you download: regard them as extremely dangerous and as a very useful and easy way for attackers to infect your machine with a Trojan.

Freeware Software, and the so called "Hackers" Web Sites

A site located at some free web space provider or just offering some programs for illegal activities can be considered as an untrusted one. As you know, there are thousands of "hacking/security" archives on these free web space providers like Xoom, Tripod, Geocities and many many others. These sites have archives filled with "hacking" programs, scanners, mail-bombers, flooders and many other tools. The guy who created the site often infects several, if not all, of these programs. It's highly risky to download any of the programs and the tools located on such untrusted sites, no matter which software you use. Are you ready to take that risk? There are some untrusted sites that look REALLY professional and boast huge archives full of Internet related software, feedback forms and links to other popular sites. I think if you take some time, look deeper and scan all the files you download, then you can decide on your own whether the site you are downloading your software from is a trusted or an untrusted one. Freeware programs should be considered suspicious and extremely dangerous, because a freeware program is a very easy and useful way for the attacker to infect your machine. No matter how suitable you find the program, remember that "free is not always the best" and it's very risky to use any of these programs. My advice is: before using a freeware program, do search for some reviews on it, check popular search engines, and try to look up some info about it. If you find any reviews written by respected sites, that means they've used and tested it and the chance of infection is thereby minimized. If no reviews or comments about the software are found via the search engines, then it may be highly risky to start using it.

08.How am I endangering my company's data once infected? 

Once infected, critical business data could be exposed to a malicious attacker or a corporate spy. You should not assume that the data is properly protected by the company's firewall, and that even if you get infected, that there would be no way for the attacker to get the data. Firewalls are essential and will block their attempts to connect to the Server (your computer), however attackers are becoming more creative and adaptive, so there are ways to retrieve the data without the need to connect to your computer. You can also unknowingly participate in exposing the whole network to attack, there at work, just by having your computer infected with a Trojan Horse.
