ash1106-ga:
Thank you for your question regarding Internet Security and Trojans. I
hope that you find the following information useful.
First, at the risk of repeating what you already know, let's take a
quick look at the definitions of what viruses and trojans are, from
Wikipedia.org:
====================
Computer virus
http://en2.wikipedia.org/wiki/Computer_virus
excerpt:
"a virus is a piece of program code that, like a biological virus,
makes copies of itself and spreads by attaching itself to a host,
often damaging the host in the process. ...As with all code, viruses
use the host's resources: memory and hard disk space, amongst others,
and are sometimes deliberately destructive (erasing files / formatting
hard disks) or allow others to access the machine without
authorization across a network. ...The term is often used in common
parlance to describe all kinds of malware (malicious software),
including those that are more properly classified as worms or trojans.
Most popular anti-viral software packages defend against all of these
types of attack. "
-------------------
Trojan horse
http://en2.wikipedia.org/wiki/Trojan_horse
excerpt:
"A Trojan horse is also a relatively dangerous computer program that
does something which the programmer (or packager, or distributor, or
advertiser) maliciously intends it to do, but which is unknown to the
user. The term is derived from the classical myth of the Trojan Horse.
A Trojan horse differs from a virus in that it is a stand-alone
program; the Trojan does not attach to another program. It differs
from a worm in that it does not move from one computer to another on
its own. A person must transfer it intentionally, such as by email."
-------------------
And, for completeness:
Computer worm
http://en2.wikipedia.org/wiki/Computer_worm
excerpt:
"A computer worm is a self-replicating computer program, similar to a
computer virus. The main difference between the two is that a virus
attaches itself to, and becomes part of, another executable program,
while a worm is self-contained; it does not need to be part of another
program to propagate itself. In addition to replication, a worm may be
designed to do any number of things, such as delete files on a host
system, or send documents via email. It should be pointed out that
worms are not always bad, and in fact can be occasionally useful, for
instance they could be used to upgrade software on a very large
privately run network. But even if worms do not have malicious intent
if they reproduce quickly enough they can consume a lot of bandwidth
and slow networks."
====================
The term "Trojan Horse" is really only properly used when referring to
a software 'container' that is used to deliver a harmful payload to an
unsuspecting recipient. The most famous example of this is the Back
Orifice trojan, described in part here:
Back Orifice 2000 Trojan horse explained (July 15, 1999)
http://www.cyberwalker.net/columns/jul99/170799.html
The general idea is that the recipient is somehow duped into executing
the software container (which they may have received as an e-mail
attachment, or on a CD-ROM or floppy disk from a 'friend'). The
container itself may be some harmless joke program (ever see the one
that has the button that says "Click Here For Pay Raise", where the
button keeps moving to avoid the mouse? Something like that can be
easily modified to contain the payload). However, when executed, the
deadlier payload is delivered and installed onto the recipient's
computer.
Once installed, the trojan is able to do what any program running on a
computer can do. It can access all of the resources of the computer
that is made available through the operating system, and it can access
all of the resources that are attached to the computer using the
interfaces presented to it by the operating system.
In the case of the Back Orifice 2000 trojan, its capabilities include:
(from link given above)
"According to Symantec's AntiVirus Research Center web site at
http://www.symantec.com/avcenter/, the attacker can do any of the
following tasks on the victim's machine:
- Execute any program.
- Record keystrokes (i.e. store words you type for later retrieval).
- Restart the machine.
- Lock up the machine.
- View the contents of any file.
- Transfer files to and from the victim's machine.
- Display the screen saver password."
If you look at that list, you will observe that all of these
capabilities are made possible by the operating system. As far as the
operating system is concerned, since the trojan is a program running
on the computer, it must have the right to access all of that
information and all of those resources.
Another viewpoint on trojans and their capabilities is provided here:
Trojan Viruses, what are they and how do they work?
http://homepage.ntlworld.com/rcaville/trojans.htm
--------------------
A computer worm is a different beast from a trojan. The distinguishing
feature of a worm is its ability to self-distribute independently.
Many modern worms, in fact, have a small SMTP mail application
built-in, allowing it to send out copies of itself using your e-mail
service without ever needing to run the user's e-mail client
application. The payload portion of a worm is not much different from
the payload portion of a trojan; typically, the software features the
capability to observe the user's private information, and to transmit
that information through an Internet connection to a recipient
somewhere else in the world.
--------------------
Both worms and trojan payloads can be designed to send back a message
to their creator when they have successfully installed, so that the
creator knows where they are on the Internet (based on an IP address).
Most also have the ability to send out updates whenever the IP address
of their 'host' changes, so that the hacker can continue to know where
they are. The purpose of this is to allow the hacker to communicate
with the malicious software through an open TCP or UDP port,
typically one set up by the worm or trojan payload. That is why it is
important to have a firewall program installed on the computer, that
verifies with the user each time a new program requests to open a
port. Some firewalls do not do this, as they expect all threats to
come from the outside, not the inside.
Where things get really interesting, is when the payload delivered by
a trojan or incorporated into a worm includes the ability for the
creator to control the actions of the payload remotely. Many of the
more dangerous (from a resource cost point of view) worms and trojan
payloads incorporate a 'phone-home' capability, where the software
periodically checks in with a pre-determined location on the Internet
(for example, an IRC chat room, or a compromised web server) for new
instructions. Those instructions may include something along the lines
of "repeatedly send PING requests to IP address XXX.XXX.XXX.XXX", or
may instruct the software to become a relay point in a complex routing
scheme set up by a hacker to hide their trail when they want to try to
hack into an online system. The result of this, for example, is that a
Denial of Service attack can be launched against an online server
simply by instructing a large number of infected computers to all ping
away at that server non-stop.
In order for any of this communication to occur, though, the
malicious software must be able to get to the chat room. Again, this
is where good quality firewall programs come into play, to prevent
anything but user-authorized communications from occurring.
--------------------
To get to the heart of your question, there are really two key
questions that need to be answered: how do trojans get into the
computer of a cautious user, and how can a cautious user prevent
trojans from causing harm using their computer?
For the first part, the answer is frighteningly diverse. Besides the
e-mail attachments and "sneakerware" (removable media) approaches I
mentioned above, it seems like we hear about a new exploit of
Microsoft software every week, ranging from the operating system to
applications like MS Word. Most of the exploits tend to involve
Internet Explorer, where through either an innocent approach to
programming, or just poor programming practices (you take your pick),
it seems that it is possible to cause just about any of the memory
buffers used by Internet Explorer to overflow, leaving open the
possibility for a smart hacker to create a scenario where a user
visits (or is directed to) a website where, as part of the webpage
download, malicious code is also downloaded in the background and
executed.
There are also features such as the 'Messenger Service', originally
implemented in Windows NT to make it easy for network administrators
to send out a message to all users on the corporate network, that can
also be exploited to either annoy the user, or to deliver an
unsuspected payload through a buffer overflow.
It is also possible to take advantage of the power available through
the main web browsers out there (Internet Explorer, Netscape
Navigator) to use applets to deliver and/or execute malicious code.
So, as a responsible, cautious user and as a competent programmer,
what can you do? First, there are indeed good, solid, well-designed
programs out there that you can use to add layers of protection to
your computer. A highly-regarded firewall package such as ZoneAlarm
will allow you to control all of the traffic that passes through your
computer's TCP/IP stack. Definitely, a constantly maintained
anti-virus program is a must; regular (daily) updates of virus
definition files are the only way to be able to spot the malicious
programs before they have a chance to execute.
You can also adopt good computer usage practices such as never leaving
your computer openly connected to the Internet without at least a
firewall program installed to close off all unnecessary ports. If you
use an always-on broadband Internet connection at home, consider using
a router/gateway device that provides additional, hardware firewall
protection for your home network.
As a programmer, you should definitely invest in the following book,
and read it until it is well and truly dog-eared:
----------------
http://www.securecoding.org/
Graff, M.G. & van Wyk, K.R. Secure Coding: Principles & Practices.
O'Reilly & Associates, Inc. 2003.
ISBN 0-596-00242-4
Amazon.com link:
http://www.amazon.com/exec/obidos/tg/detail/-/0596002424/qid%3D1074041308/sr%3D11-1/ref%3Dsr%5F11%5F1/102-5567548-2636934
----------------
It doesn't matter if you are coding in Delphi, Visual Studio.NET, or
BASIC, in the end it's how you use (and don't abuse) the resources of
the computer that will determine how safe your programs are.
I hope that this is helpful to you. Please let me know if you need any
part of this clarified, using the "Request Clarification" button
above. Thanks!
Regards,
aht-ga
Google Answers Researcher
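The 'phone-home' behaviour described in the answer above (a payload checking in with a fixed location such as an IRC server at a regular interval) leaves a recognisable trace in the outbound-connection log of a firewall that records new connections. The following is an added example, not part of aht-ga's answer: it parses a constructed, illustrative log (the format, process paths and addresses are assumptions, not any real product's output) and flags process/destination pairs that connect at clockwork-regular intervals.

```python
"""Spot periodic 'phone-home' beaconing in outbound-connection records.

Added example. The log format below is constructed for illustration;
a real personal firewall logs outbound connections in its own format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<timestamp> <process image> -> <dest ip:port>".
# explorer.exe talking to an IRC port (6667) every five minutes is the
# pattern of interest; the browser traffic is irregular background noise.
SAMPLE_LOG = """\
2004-01-14 12:00:01 C:\\WINDOWS\\explorer.exe -> 192.0.2.10:6667
2004-01-14 12:00:07 C:\\Program Files\\Internet Explorer\\iexplore.exe -> 198.51.100.5:80
2004-01-14 12:05:01 C:\\WINDOWS\\explorer.exe -> 192.0.2.10:6667
2004-01-14 12:06:33 C:\\Program Files\\Internet Explorer\\iexplore.exe -> 198.51.100.7:80
2004-01-14 12:10:02 C:\\WINDOWS\\explorer.exe -> 192.0.2.10:6667
2004-01-14 12:11:40 C:\\Program Files\\Internet Explorer\\iexplore.exe -> 198.51.100.5:80
2004-01-14 12:15:01 C:\\WINDOWS\\explorer.exe -> 192.0.2.10:6667
2004-01-14 12:20:01 C:\\WINDOWS\\explorer.exe -> 192.0.2.10:6667
2004-01-14 12:25:02 C:\\WINDOWS\\explorer.exe -> 192.0.2.10:6667
"""


def parse_log(text):
    """Turn log lines into (timestamp, process, destination) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line[:19], line[20:]          # fixed-width timestamp
        process, dest = rest.rsplit(" -> ", 1)      # process paths may contain spaces
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), process, dest))
    return events


def find_beacons(events, min_connections=4, max_jitter=0.1):
    """Return {(process, dest): (mean_interval_seconds, jitter)} for pairs that
    connect at near-constant intervals.

    jitter is the coefficient of variation of the gaps between connections:
    ~0 means the check-ins happen on a timer, which is what a payload polling
    its controller for instructions looks like.
    """
    by_pair = defaultdict(list)
    for when, process, dest in events:
        by_pair[(process, dest)].append(when)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue                                 # too few samples to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons[pair] = (avg, jitter)
    return beacons


def beacons_in_sample():
    """Run the detector over the constructed sample log."""
    return find_beacons(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for (process, dest), (avg, jitter) in beacons_in_sample().items():
        print(f"{process} -> {dest}: every {avg:.0f}s (jitter {jitter:.3f})")
```

Treat a hit as a triage lead rather than a verdict: legitimate software also polls on a timer (update checkers, mail clients), so the next step is to look at what the process is and whether the destination is one it has any business talking to.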
Clarification of Answer by aht-ga on 14 Jan 2004 12:15 PST
ash1106-ga:
As a rule, a hacker trying to get into a system is not looking for
ways through the security that is already in place, they are looking
for areas that are not properly secured. When it comes to TCP ports,
they are looking for any port that is either intentionally, or
unintentionally left open to the Internet. Then, based on whichever
service may be running on the system, listening to traffic on that
port, they would attempt to take advantage of whatever known fault
exists in that service.
For a deeper look at this issue, visit:
http://www.grc.com/default.htm
and scroll down to the "Hot Spots" section, where you can click on 'ShieldsUP!'.
The ShieldsUP! test looks at your computer's ports to see if they are
open to the Internet, closed (but detectable), or in stealth mode (no
way for someone on the outside to tell if there is even a port there).
When you get to the ShieldsUP! test page (after reading through a page
of info about your current IP address, etc.), you are presented with a
little ShieldsUP! Services interface. Select the "Common Ports" button
to test your computer's most commonly used ports. In the resulting
page, you will see each of these ports listed, their current status on
your computer, and a description of the potential problem if the port
is left open. You can also click on the port number to get a detailed
(and I mean very detailed) description of what the port is used for
(i.e. which services use it, any reasons to be concerned).
This is perhaps the most comprehensive collection of information I can
direct you to on this topic.
As for your question about why you sometimes cannot 'see' a
virus/trojan in Task Manager, the answer is relatively simple. A
virus, by definition, attaches itself to an existing application, such
as Notepad.exe, or Explorer.exe. The virus runs when the infected
program runs. Other approaches are to present the same process name to
the OS as a known, good application. That way, the malicious code can
run independently, yet appear on the Task Manager process list as
simply 'explorer.exe', for example. When you look at your process
list, there are an awful lot of processes running with cryptic names
that do not really mean anything to the average user.
Truly effective viruses and other such evil-doing software are usually
written to be small, to aid in distribution. That means they are
usually written in assembly language. There is also the class of
viruses called macro viruses, which are written in whichever macro
language applies to the application (Visual Basic for Applications in
the case of MS Office applications). Languages such as C++ or Delphi
carry just a little too much overhead (from use of standard libraries
and procedures) to be effective virus making platforms.
Now, can you please clarify something for me? Are you looking for
advice on how to make your own programs secure against being exploited
by hackers? Or are you looking for information on how, using Delphi,
you would be able to duplicate what the hackers do? If it is the
latter, that would fall into the category of information related to
illegal activities that I am prevented from providing. However, if it
is the former (making your own programs secure), the most important
thing is to get the book I mentioned above, Secure Coding: Principles
and Practices. There is just too much that a good programmer needs to
know, to be able to do it justice through an Answer here.
Regards,
aht-ga
Google Answers Researcher
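The three port states ShieldsUP! reports (open, closed-but-detectable, stealth) correspond to the three things a TCP connect attempt can come back with: a completed handshake, an immediate refusal, or silence until the timeout. The following added example (not part of the clarification above, and not GRC's code) reproduces that classification with a plain TCP connect, and demonstrates it against loopback by starting one listener and picking one port that nothing listens on. The "common ports" list is an assumption drawn from services Windows machines of that era typically exposed.

```python
"""Classify TCP ports the way ShieldsUP! describes them: open, closed, stealth.

Added example. Uses a full TCP connect rather than raw SYN probes, so it
needs no privileges; the stealth case is inferred from a timeout.
"""
import socket

# Assumed list of commonly probed ports on a Windows host of the period.
COMMON_PORTS = {
    21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3",
    135: "epmap (DCOM/RPC)", 139: "netbios-ssn", 445: "microsoft-ds",
}


def classify_port(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'stealth' for host:port.

    open    : handshake completed, something is listening.
    closed  : the host answered with a RST (connection refused); nothing
              listens, but the machine is visibly there.
    stealth : no answer before the timeout, the behaviour of a firewall
              that silently drops the SYN.
    Other socket errors (no route, DNS failure) are raised to the caller.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "stealth"
    finally:
        s.close()


def scan_common(host, timeout=2.0):
    """Classify every port in COMMON_PORTS on host."""
    return {port: classify_port(host, port, timeout) for port in COMMON_PORTS}


def demo_local():
    """Probe two loopback ports: one with a listener (open) and one without (closed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free one
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                            # nothing listens here now -> RST on connect

    try:
        return {
            "open": classify_port("127.0.0.1", open_port),
            "closed": classify_port("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo_local())
    for port, state in scan_common("127.0.0.1").items():
        print(f"{port:5d} {COMMON_PORTS[port]:<20} {state}")
```

Run it against your own public address from a machine outside your network to get the same picture an attacker gets; against 127.0.0.1 it only tells you what is listening locally, not what the firewall lets through. Only probe hosts you are authorised to test.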
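The clarification above explains why a process called 'explorer.exe' in Task Manager may not be Explorer at all. The check a practitioner actually runs is to compare each process's full image path against where the genuine binary lives, and to watch for look-alike names. The following is an added example, not part of aht-ga's answer: the directory allow-list is an assumption for a clean Windows 2000/XP layout, and the process list is constructed to include one masquerade by path and one by spelling.

```python
"""Flag processes that borrow a well-known Windows image name.

Added example. Two checks: a known name running from an unexpected
directory, and an unknown name one typo away from a known one (svch0st).
"""
import ntpath

# Assumed allow-list: where each image lives on a clean Windows 2000/XP
# install. Extend for the real OS build and service packs in use.
SYSTEM32 = {r"c:\windows\system32", r"c:\winnt\system32"}
KNOWN_IMAGES = {
    "explorer.exe": {r"c:\windows", r"c:\winnt"},
    "svchost.exe":  SYSTEM32,
    "lsass.exe":    SYSTEM32,
    "csrss.exe":    SYSTEM32,
    "winlogon.exe": SYSTEM32,
}

# Constructed process list as (pid, full image path).
SAMPLE_PROCESSES = [
    (620,  r"C:\WINDOWS\system32\csrss.exe"),
    (1000, r"C:\WINDOWS\system32\svchost.exe"),
    (1240, r"C:\WINDOWS\explorer.exe"),
    (1812, r"C:\Documents and Settings\ash\Local Settings\Temp\explorer.exe"),
    (1904, r"C:\WINDOWS\system32\svch0st.exe"),
    (2040, r"C:\Program Files\Internet Explorer\iexplore.exe"),
]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_processes(procs):
    """Return [(pid, image_path, reason)] for suspicious entries."""
    findings = []
    for pid, image in procs:
        name = ntpath.basename(image).lower()
        directory = ntpath.dirname(image).lower()
        if name in KNOWN_IMAGES:
            if directory not in KNOWN_IMAGES[name]:
                findings.append((pid, image, "known name outside its expected directory"))
            continue
        for good in KNOWN_IMAGES:
            if edit_distance(name, good) == 1:
                findings.append((pid, image, f"look-alike of {good}"))
                break
    return findings


if __name__ == "__main__":
    for pid, image, reason in check_processes(SAMPLE_PROCESSES):
        print(f"PID {pid}: {image}  [{reason}]")
```

Task Manager on these systems shows only the image name, so the path has to come from a tool that reports it (Process Explorer, or a WMI query for Win32_Process.ExecutablePath). The check catches the simple name-borrowing the clarification describes; malware that injects into a real system process shows the legitimate path and needs a different approach, such as examining loaded modules or network connections per process.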