Trojans FAQ

We have all heard a lot about trojan horse programs and the threat they pose to your network's security. This Trojan FAQ sheds some light on what these programs are, what they do, how they can infect your network, and suggests measures that could be taken to prevent such infections. You can make sure that you have a good grasp of these malicious programs by browsing through this regularly updated Trojan FAQ, which provides the answers to these questions and many others. With thanks to Dancho Danchev for his contributions to this FAQ.

Updated: Jun 26, 2003
09.Why would they target me, or my company? 

In fact, most of the time no one is targeting you in particular; it's just your bandwidth and the access to your computer that they're trying to get. However, there is the possibility that someone wants to attack you or your company in order to obtain classified business or sensitive personal data.

FAQ: Part Three - Protection and Response. 

10.Do Anti-Virus Scanners provide reasonable protection? 

You must realize that there isn't a 100% sure way of protecting against Windows Trojan infections; your main aim is to significantly reduce the risk by understanding how they work and how you could become infected.

This type of software relies mainly on the "signatures" that each trojan executable has and also on its common auto-starting methods. But this is far from a perfect solution for protecting yourself against trojans, as they use many other methods to hide inside the machine, most of which are undetected by Anti-Virus software. When trojans first became a big security breach, specific Anti-Trojan packages were released to the public, and it became necessary for the AVs to start detecting not only viruses but also trojans if they wanted to attract new users. As a result, most of them became really advanced trojan scanning and detection systems, but for maximum protection it's recommended to use both Anti-Virus and Anti-Trojan software. Public trojans appear online almost every day, and detection software is updated every day to provide its customers with maximum protection. One very big problem is that users do not update their signature files as often as they should, so their detection software fails to detect several of the latest trojans or viruses. Users MUST update their software's signature files every day; it takes only several minutes. Each and every time a new file is downloaded, it MUST be scanned with Anti-Virus and Anti-Trojan software BEFORE being opened. If you think the file is suspicious for any reason, do NOT run it, but send it to your detection software vendor's labs for analysis.
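To make the two points above concrete (detection by file signature, and the cost of a stale signature file), here is a small hash-based scanner written for this FAQ as an added example; it is not code from any of the products mentioned. All "samples" are constructed byte strings, the signature names are invented, and a real product would use far richer signatures than a whole-file hash.

```python
import hashlib
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    """Whole-file SHA-256, the simplest possible 'signature'."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for downloaded files. None of this is real malware.
SAMPLE_A = b"CONSTRUCTED-TROJAN-SAMPLE-A\x00"
SAMPLE_B = b"CONSTRUCTED-TROJAN-SAMPLE-B\x00"
CLEAN = b"MZ constructed harmless program\x00"

# Yesterday's signature file knows only sample A ...
OLD_SIGNATURES: Dict[str, str] = {sha256_hex(SAMPLE_A): "Trojan.Constructed.A"}
# ... today's update adds sample B. Skipping the update means missing B.
NEW_SIGNATURES: Dict[str, str] = dict(
    OLD_SIGNATURES, **{sha256_hex(SAMPLE_B): "Trojan.Constructed.B"}
)

# The same sample with its last byte changed: its hash no longer matches,
# which is why the FAQ says signatures alone are not enough.
VARIANT_A = SAMPLE_A[:-1] + b"\x01"


def scan_file(data: bytes, signatures: Dict[str, str]) -> Optional[str]:
    """Return the signature name if the file's hash is known, else None."""
    return signatures.get(sha256_hex(data))


def scan_downloads(files: Dict[str, bytes],
                   signatures: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Scan every downloaded file BEFORE it is opened; map name -> verdict."""
    return {name: scan_file(data, signatures) for name, data in files.items()}


def demo():
    """Scan the same download folder with stale and with current signatures."""
    downloads = {
        "setup.exe": CLEAN,
        "photo.exe": SAMPLE_A,
        "game.exe": SAMPLE_B,
        "photo2.exe": VARIANT_A,
    }
    return scan_downloads(downloads, OLD_SIGNATURES), scan_downloads(downloads, NEW_SIGNATURES)


if __name__ == "__main__":
    stale, current = demo()
    for name in stale:
        print(f"{name:12s} stale: {stale[name]!s:22s} current: {current[name]}")
```

With the stale database `game.exe` is reported clean; after the update it is caught. `photo2.exe` is missed by both, which is the gap that auto-start monitoring and behavioural checks (the "other methods" the FAQ refers to) are meant to close.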

11.Are there any effective Anti-Trojan Packages? 

Yes, there are, although you should never fully rely on them, as they only partly solve the problem. It's you who has the responsibility of maintaining an acceptable level of protection. While these packages should be used on standalone computers or very small networks, it is recommended that companies use Gateway Protection packages if they seek to improve their security by limiting the dangers posed by their Internet connectivity.

Here are links to some of the popular Anti-Trojan packages that should be used in the company's Defense In Depth methodology, whose main purpose is to add another line of security by protecting the end users' workstations.

Enduser Protection Packages

  • TDS-3

Trojan Defense Suite (TDS) is an indispensable, must-have software package for protection against trojans. It has many unique functions never seen in other Anti-Trojan packages. The program has really advanced features and if you're a newbie, it will probably take some time before you are able to use the software at its full capacity (read the excellent help files).

You can get TDS from http://tds.diamondcs.com.au/

  • Tauscan

Trojan scanner that has unique features and is a must-have. It's also able to detect new trojans and trojans that have never been released to the public. More info at its official page: http://www.agnitum.com/products/tauscan/

  • Trojan Hunter

Trojan detection package with a lot of functions. It's very handy.
More info at http://www.mischel.dhs.org/trojanhunter.jsp

Gateway Protection Packages

Free Online Trojan Scanning

12.How do I know whether I have been infected? 

The most common trojan features have been listed above, so that by knowing them you'll be able to detect suspicious activity on your computer. However, you should keep in mind that advanced attackers will stay as silent as possible in order to continue their illegal actions on your computer. The following events should be considered suspicious:

  • It's normal to visit a web site and have several pop-ups appear along with the page you've visited. But if your browser suddenly directs you to some page unknown to you without you having done anything at all, take that as a serious indication of infection.
  • A strange and unknown Windows Message Box appears on your screen, asking you personal questions.
  • Your Windows settings change by themselves: a new screensaver text, the date/time or sound volume changes on its own, your mouse moves by itself, the CD-ROM drawer opens and closes.
  • You are doing absolutely nothing and no Internet-related applications are running, but your modem lights are going crazy, just the way they do when you're downloading files or actively using the Internet. Consider this an extremely suspicious sign.

GFI Software has released the GFI Trojan scanning service, which is another highly recommended way to scan your computer for Trojans. Access the service here.

13.What should I do once infected? 
  • Account data such as ISP passwords, ICQ, mIRC, FTP, web site passwords and e-mail passwords are definitely known to the attacker. Contact your ISP about changing your dial-up password if you're using such a connection. Immediately change your ICQ and mIRC passwords if they're still the same. (Often attackers won't change any of your logins and passwords, to fool you into thinking that everything is OK, so there is a good chance that you will still be able to recover from the compromise.) Change your web-based e-mail passwords and check the information stored there, because the password retrieval services of e-mail providers such as Yahoo and Hotmail use this information combined with a "Secret Question". Attackers often change that information, the answer to the secret question and many other things that will get them easily back into your mailbox, whether you've changed your password or not.
  • If you're taking advantage of the handy Address Book feature in your e-mail service and have a list full of the e-mail addresses of friends, colleagues, etc., there is a real possibility that the attacker has sent them a trojan and has possibly infected them too. Mail all of these people and ask whether they have received any files from your mailbox, and inform them that someone else might know your e-mail password so that they can take appropriate action, such as checking their machines for trojans. Do the same with the people on your ICQ contact list, as they might be targeted too.
  • Check your HDD for abnormal activity, such as a lot of free space missing. Search for warez software and, as mentioned earlier, kiddie-porn archives.
  • Think for a while about the sensitive information you had on your machine before the compromise, and if you are absolutely certain that the attacker may now possess this information, take appropriate action, such as informing any institutions that own the sensitive data that a breach has occurred.
  • Scan your machine with an Anti-Virus scanner, as the attacker could have placed a virus or infected macro documents on your machine to do destructive things even though the attacker no longer has access to your machine.
  • Monitor your processes BEFORE and AFTER connecting to the Internet, as some trojans start only when they detect an Internet connection. Don't be fooled again; be very suspicious.
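The last step above (compare what is running before and after you go online) and the warning signs in question 12 (network activity with no Internet application open, unexplained auto-start entries) can be turned into a simple snapshot comparison. The script below is an added example written for this FAQ, not a tool from the page; the two snapshots are constructed by hand, and on a real Windows host you would fill them from the task list, the Run keys under `HKLM` and `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, and the active network connections. The process name, key name and address are invented for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed "before connecting" snapshot: running processes, auto-start
# registry values, and (process, remote endpoint) connections.
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
BEFORE = {
    "processes": {"explorer.exe", "winlogon.exe", "notepad.exe"},
    "autostart": {RUN_KEY + "\\Sound": "C:\\Windows\\system32\\sndvol32.exe"},
    "connections": set(),
}

# Constructed "after connecting" snapshot: one new process has appeared,
# registered itself to auto-start, and opened a connection even though the
# user started no Internet application. 203.0.113.10 is a documentation address.
AFTER = {
    "processes": {"explorer.exe", "winlogon.exe", "notepad.exe", "hlp.exe"},
    "autostart": {
        RUN_KEY + "\\Sound": "C:\\Windows\\system32\\sndvol32.exe",
        RUN_KEY + "\\SysHelper": "C:\\Windows\\hlp.exe",
    },
    "connections": {("hlp.exe", "203.0.113.10:6667")},
}


def diff_snapshots(before: dict, after: dict) -> dict:
    """Everything present after connecting that was not there before."""
    changed_autostart = {
        key: value
        for key, value in after["autostart"].items()
        if before["autostart"].get(key) != value
    }
    return {
        "new_processes": sorted(after["processes"] - before["processes"]),
        "new_autostart": changed_autostart,
        "new_connections": sorted(after["connections"] - before["connections"]),
    }


def suspicious(diff: dict, internet_apps_running: bool) -> List[str]:
    """Map the differences onto the FAQ's warning signs."""
    findings = []
    for proc in diff["new_processes"]:
        findings.append(f"process started only after going online: {proc}")
    for key, value in diff["new_autostart"].items():
        findings.append(f"new auto-start entry: {key} -> {value}")
    if diff["new_connections"] and not internet_apps_running:
        peers = ", ".join(f"{p} -> {ep}" for p, ep in diff["new_connections"])
        findings.append(f"network activity with no Internet application open: {peers}")
    return findings


if __name__ == "__main__":
    for line in suspicious(diff_snapshots(BEFORE, AFTER), internet_apps_running=False):
        print("SUSPICIOUS:", line)
```

The `internet_apps_running` flag is the FAQ's own rule of thumb: a connection is only alarming when you have not opened anything that should be talking to the network. A process that merely appears after connecting is not proof of infection on its own, but together with a new auto-start entry and an outbound connection it is exactly the pattern the FAQ tells you to treat as a compromise.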

FAQ: Part Four - More Information. 

14.Are there any other quality papers concerning the Windows Trojans subject? 

Yes, there are. Follow the links below:

15.Are there any recommended resources regarding further information on the topic? 

Windows Trojans pose a significant threat to the security of your computer; hence the Internet is filled with sites that discuss the topic. Follow the links below:

Packages Review Web Sites:

FAQ: Part Five - Policies and Prevention. 
