http://www.wired.com/politics/security/news/2008/04/trojan_anniversary_feature
By Ryan Singel
Wired.com
04.24.08
About 3,000 years ago Thursday, some Greeks left the people of Troy a
wooden horse at the walled city's front gate -- a free gift, no cost, no
obligation from would-be invaders who wanted their adversaries to think
they had left in peace.
Accepting the Trojan horse at face value turned out to be a big mistake.
Some things never change. In the 21st century Trojan horses are made of
electronic "1s" and "0s" but are still left for you in all innocence and
in plain sight: your e-mail inbox, in IMs and on a web page. But the
intent, and the outcome, is pretty much the same: to pillage and steal.
The computer security industry describes computer Trojans as any program
that purports to be one thing -- a screensaver or a .pdf file or a video
codec -- but which actually conceals a malicious payload, like a
password logger or pop-up advertising software.
One might be tempted to think we've gotten smarter in the three
millennia since the Trojans ignored Cassandra's warning and accepted the
first one. But when it comes to a propensity to fall for a deal that is
too good to be true, humans have made little progress.
Or none whatsoever, if you believe computer-security guru Peter Neumann.
"People are still just as stupid now as they were then," says Neumann,
the chief scientist at SRI's computer-security lab. "They see something
shiny or a website that offers something for free and then they are
dead."
But don't expect technology to save you from yourself any time soon,
Neumann warns.
"We are dealing with computer systems incapable of giving us the
security that we need and we are dealing with people doing things that
should be or are illegal," Neumann says. "We are dealing with a nation
of sheep that don't even understand there is a problem and we are
dealing with technologists that think making a fast buck is the optimal
strategy, regardless of the consequences."
That explains why internet scammers can still get users to open fake
e-greeting-card attachments. Once clicked, the attachment instead
absorbs the less-than-savvy user's computer into a zombie clone army of
remotely controllable Windows boxes.
The internet-security firm Sophos identifies this most recent threat as
the Pushdo Trojan, which accounted for nearly 45 percent of all the
malware in e-mail attachments in the first three months of 2008.
Microsoft's recently released Security Intelligence Report noted an
explosion in the first half of 2007 in the number of Trojans that its
security scanning tool removed from users' computers. The numbers jumped
from some 2 million in the second half of 2006 to more than 8 million in
the next six months. Many of these were delivered to people who were
lured to a web page rather than by opening a rogue attachment.
While online criminal gangs are still seeking out suckers on the net
with e-mail blasts to millions of addresses, the newest tactic is to
send more targeted Trojans to a more limited audience.
On April Fools' Day this year, employees at the nonprofit Committee to
Protect Journalists got an e-mail purporting to be from Martin Seutcheu,
a real human-rights officer for the United Nations. The e-mail, with the
subject line "Beijing Olympics Tactical Campaign Meeting Report," had
an attached PowerPoint file called "Timeline May 21."
But that file, according to BitDefender anti-virus software, is just a
carrier for Exploit.PPT.Gen.
CPJ employees didn't fall for the trick since there were enough clues it
wasn't quite right, according to CPJ spokeswoman Abi Wright.
"Obviously their English isn't great and you get suspicious
immediately," Wright says, noting that it's very odd to get a one-line
e-mail with an attachment from someone you don't know, even if you know
their organization.
That's not to say it's not worrisome or chilling, according to Wright.
"We haven't seen this kind of concerted effort to crash our system
before," Wright says. "It's a change for the worse."
That attack is just one of many originating from and reporting back to
servers hosted in China. Though the perpetrators aren't known,
government agencies around the world -- along with defense contractors
and Tibetan and Taiwanese independence groups -- have all experienced
similar attacks, according to Patrik Runald, a senior security
researcher for the Finnish-based security company F-Secure.
"In a lot of these cases, it's not just hit and miss -- it's more
planned than what a lot of people think," Runald says. "They will find
out what anti-virus software they are using, try to find out information
from LinkedIn or Facebook, and send an e-mail saying, 'Following up on
our conversation at the conference in Japan, here's the info we talked
about.'"
Matt Richard, Verisign iDefense Lab's rapid response manager, has been
tracking two gangs based in Romania that target corporations to steal
files and, they hope, get at the company's money.
In a sort of inverse Trojan horse tactic, the groups pretend to be
notifying executives about IRS issues, Better Business Bureau consumer
complaints, and most recently, a notice that the company was being sued
in federal court.
The Romanian groups, which have been operating for about a year, rely on
being able to trick humans, a technique known as social engineering.
That's why Richard suggests that companies need to start testing
employees by hiring firms that send them mock Trojans, as a way to test
whether they can be duped or not.
"Education becomes important at the executive level," Richard says. "If
a C-level forwards a notice about the IRS on to one of his staff, not
only is the IRS's name attached but also the CEO's name is attached to
it as well."
Much of the problem can be traced back to software makers failing to
heed the lessons first laid out more than 30 years ago by researchers
who warned against letting programs have unchecked access to key
operating files or user data, according to SRI's Neumann.
"Some of the mass-market operating systems haven't learned to protect
the basic underlying systems from the applications," Neumann says. "We
really need systems that are much more robust and secure and reliable,
and you can't get there from here with minor incremental changes."
Which is just another way of saying that even when you get your flying
car in the future, Trojan horses will probably still be around,
successfully thumbing a ride from the gullible.
_______________________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss