Trojans FAQ

 

We have all heard a lot about trojan horse programs and the threat that they pose to your network's security. This Trojan FAQ sheds some light on what these programs are, what they do and how they can infect your network, and suggests measures that can be taken to prevent such infections. You can make sure that you have a good grasp of these malicious programs by browsing through this regularly updated Trojan FAQ, which provides the answers to these questions and many others. With thanks to Dancho Danchev for his contributions to this FAQ.

 

[23] Trojans FAQ
Updated: Jun 26, 2003

16. Can you provide me with tips in order to protect myself, as well as prevent possible infections?

Here's a summary of the whole FAQ. You'll learn how to behave in a secure manner while reading these tips, and don't forget that they could be a lifesaver as far as Windows Trojan threats are concerned.

  • Never accept a file, even if it is from a friend. You're never absolutely sure who's on the other side of the computer at any given moment. If you really need this file, let's say it's some presentation or a work paper, find another way, such as by telephone, to verify that the file is indeed from your friend. Yes, it will take you some time and slow you down a bit, but by being paranoid about the attachments you receive you won't get infected in this way.
  • When executing files, first check their type. Is it really a .doc, or is it an executable with a .doc icon?
  • Update your Anti-Virus and Anti-Trojan package signature files regularly, if possible EVERY day for maximum protection, as new trojans and viruses are discovered every day. Most detection software has functions such as scheduled scans, so if you are away from your machine during the night but leave it switched on, why not schedule a scan and update every night? Doing so will ensure your maximum protection.
  • Make sure you always have the latest version of the software you're using as new bugs appear very often and programs are regularly updated. Check often to see if there are bugs and/or other problems that have been found in the software that may potentially put your system at risk - and patch/update your system(s) accordingly. Some software has an option to check for the latest version of the software from the vendor’s web site; make use of it.
  • Take several minutes and regularly check the processes on your machine with the software I have reviewed above. You'll be surprised at what you may detect sometimes.
  • It's vital to understand the risk of getting software from someone you have just met, or from someone that you have only had several ICQ, IRC conversations with.
  • Consider freeware programs as very risky software to download, and try searching for some reviews of the program before running it.
  • Carefully read the help files that come with your detection software in order to be able to use them to their full capacity.
  • Download software ONLY from its official page(s) or a dedicated mirror web site. Never get the latest version of mIRC or ICQ from some site you've never heard of, such as one hosted by a free web space provider like Geocities. Consider it an untrusted site and do NOT download anything from there.
  • If you are playing with trojans you can also get infected, as there are trojans and other software that are already infected and are waiting for someone without much knowledge of the topic to download and use them.
  • Don't be naive about everything that you see on the Internet or about what various sites offer you; don't download any software you've never heard of.

17. How should we deal with potential malware problems in our company?

Security Policy

First of all you should establish an Anti-Malware Policy, guiding the staff members on the process of protecting critical company data from destruction or exposure. It needs to clearly state their responsibilities while using any of the company's Information Resources, so that it will be easily understood and properly implemented later. You should define what is allowable and what is not, and what staff should and shouldn't do in order to keep their workstations, as well as the company's network, free of malware. Keep it short, precise and easy to understand; know your audience before you start building it, and measure their computer and security skill level for maximal effectiveness. A sample Anti-Virus Policy can be found here.

Gateway Protection

You might consider using Gateway Protection, detecting and blocking malware at the Server level before reaching the workstations. A few reasonable products for this activity are:

Content Blocking

Another valuable strategy that might be implemented, in the company's effort to protect its critical data from malware, is to filter file extensions known to be dangerous and potentially destructive at the Server level. These include: .exe, .com, .vbs, .scr, .asd, .asf, .asx, .bas, .bat, .chm, .cmd, .dll, .hlp, .hta, .hto, .js, .jse, .link, .lnk, .pif, .reg, .vb, .vbe, .wsf, .wsh, and .wsc. A list of dangerous extensions may be found here.

Whenever someone from the company needs to receive a specific attachment having one of these extensions, the receiver might ask the sender to change the file's extension, and in this way confirm that a known person has indeed sent the attachment.
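
An added example (not part of the original FAQ) of the server-level extension filter described above, combined with the "is it really a .doc?" check from question 16: it blocks the listed extensions anywhere in the name and compares the leading bytes of the file with the type its name claims. The function names, the short magic-byte table and the sample attachments are assumptions made for illustration.

```python
import os

# Extensions listed in the FAQ above (duplicates removed).
BLOCKED = {
    ".exe", ".com", ".vbs", ".scr", ".asd", ".asf", ".asx", ".bas", ".bat",
    ".chm", ".cmd", ".dll", ".hlp", ".hta", ".hto", ".js", ".jse", ".link",
    ".lnk", ".pif", ".reg", ".vb", ".vbe", ".wsf", ".wsh", ".wsc",
}
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container
# Leading bytes of a few well-known formats (assumed, deliberately short list).
MAGIC = {b"MZ": "executable", OLE2: "ole2", b"PK\x03\x04": "zip"}
# Content each document extension is expected to carry.
EXPECTED = {".doc": "ole2", ".xls": "ole2", ".ppt": "ole2", ".zip": "zip"}

def sniff(data):
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def extensions(filename):
    """Every extension in the name, lower-cased; trailing dots and spaces,
    which Windows strips from file names, are removed first."""
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ").lower()
    return ["." + p for p in name.split(".")[1:] if p]

def check_attachment(filename, data):
    """Return (verdict, reason); verdict is 'block' or 'allow'."""
    exts = extensions(filename)
    hits = [e for e in exts if e in BLOCKED]
    if hits:  # any position counts, so "photo.jpg.scr" is caught
        return "block", "blocked extension " + hits[-1]
    last = exts[-1] if exts else "(none)"
    kind = sniff(data)
    if kind == "executable":
        return "block", "executable content behind " + last
    if last in EXPECTED and kind != EXPECTED[last]:
        return "block", "content does not match " + last
    return "allow", "ok"

# Constructed sample attachments (name, leading bytes), not real mail traffic.
SAMPLES = [("report.doc", OLE2 + b"\x00" * 8), ("report.doc", b"MZ\x90\x00"),
           ("Holiday.JPG.scr", b""), ("setup.EXE. ", b"MZ"), ("tool.ex_", b"MZ")]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(repr(name), check_attachment(name, data))
```

Because the content check also flags a renamed executable (the `tool.ex_` sample), a gateway that inspects content needs an explicit release step for the rename procedure described above.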

18. How should we deal with the dangers of Free E-mail providers, as far as protecting against Malware is concerned?

In your Anti-Malware Policy, you need to state whether the use of Free E-mail providers is allowed or strictly prohibited. If it is allowed, educate your staff members on the problem of potentially destructive attachments downloaded from their external e-mail and run on the company's network. On the other hand, if the use of these services is prohibited by the security policy, then block access to them and let your staff members know that the proper use of the E-mail system is being strictly monitored.
