Trojan Horse - One Man's "Worst Case Scenario" Prediction
---------------------
This is a fictional article about a Trojan Horse virus, or you could say it is one man's prediction of a "worst case scenario". Because of the field I'm in, I maintain a personal list of my top 10 "worst case scenarios". Every time I perform a security assessment I run into something new or identify a situation that is ripe for a potential vulnerability. I think we could all agree that no respectable or ethical company would intentionally deliver a malicious piece of code as part of a helpful update solution. However, the reality is that human beings are behind technology, and human beings are unpredictable and fallible.

Many major operating system vendors have automatic update services. Many hardware vendors and other software packages have followed this trend, incorporating automated update services into their products. In some cases, the services for automatic updates run as the local "system" (LocalSystem) account. This account has the ability to access and modify most of the operating system and application environment, so whatever an update installs inherits that same privilege. When automatic updates were relatively new, many people would perform the updates manually; however, as time has progressed, many now trust these services and allow the updates to proceed in a truly automated fashion.

The Final Step Before The Hammer Falls
---------------------
So let's expand upon our "worst case scenario". A new service pack is just about ready for release. The last step prior to public release is quality control / validation. The team of people performing this task includes a significantly disgruntled employee (or maybe he/she is going through a horrible life crisis and has not much to lose). When people are in pain or distress it is not uncommon for them to project this same feeling onto others in any way they can. So, instead of performing their job in the normal fashion, they decide to incorporate a malicious payload into the forthcoming update.

The First Step For The Trojan Horse: Evasion
---------------------
This payload has some unique characteristics, three to be precise. First, it is constructed in such a way as not to appear as something malicious. The anti-virus and anti-spyware programs currently on the market won't be able to detect it through their anomaly-based detection techniques, and because it arrives inside the vendor's own update it carries whatever trust that update channel already has.

The Second Step For The Trojan Horse: Information Collection
---------------------
Secondly, it has been instructed to wait 12 hours after installation before activating, and then to start searching your computer and network for important files that may contain financial, healthcare, and other confidential information such as user accounts and passwords. It then sends this information to anonymous systems on the Internet. Because this "Trojan horse" has been incorporated into an automated update by someone with reasonable skills, it is instructed to perform the collection of data for only 12 hours. Given the number of global systems that allow automated updates, 12 hours should be more than enough. The person behind this realizes that someone will quickly identify that something malicious is going on and start to roll out a defense to halt the process.

The Final Step: Incapacitate
---------------------
Finally, the Trojan Horse will cease its data collection and deliver its final blow. Because of the level of system privilege it is running at, it modifies the communication protocols and services on the system to prevent any type of external communication to its local peers and external (Internet) hosts. It does this in such a way that the only immediate method to recover from this is a system roll-back, system repair, or restore from near-line media, such as tape or disk. And as far as system recovery is concerned, I can tell you that many people, even in corporate entities, do not perform the most basic steps to be prepared for a quick system disaster recovery. In some cases, some of the most important recovery services have been disabled because of lack of system resources or disk space (which is amazing given how inexpensive disk space is anymore).

What Could Be The Impact Of This "Trusted" Trojan Horse
---------------------
Just about every time you install a new application or piece of software you increase the time it takes to boot your PC and in some cases decrease its performance. One thing that drives me crazy is printing software. For the life of me I cannot understand how or why printer support software could total 400MB in size, but it sometimes does. Not only that, it tends to load all kinds of unnecessary real-time running applets. HP printers are notorious for this. Be very aware of what it is you are loading and only load those components that you need. Even some off-the-shelf software packages load adware and other not so helpful applets. Also, when you uninstall software, in many cases not all of the software gets uninstalled. One thing I suggest is to purchase a registry cleaner. This can dramatically decrease boot times and in many cases increase the overall performance of your PC.

People are already concerned about identity theft, or at least they should be. I recently spoke with a business associate who told me that even with everything he does to keep his identity secure he has been the victim of identity theft not once, but twice. If your user IDs, online accounts, passwords, financials, or other confidential information wind up on the Internet for any anonymous person to see, you can bet they will be used in a way that causes you problems. Even if only 10% of the global systems fell victim to this Trojan Horse, the cut-off of communications could cost businesses billions of dollars and potentially damage their reputation as "secure" institutions.

Conclusion
---------------------
If we don't think that this "worst case scenario" can happen, then we're kidding ourselves. Recently, one of the market leaders in the perimeter defense business had to recall a service pack because it contained a significant "bug" that could result in a security breach; a service pack that can be delivered through an intelligent update service. Obviously there has to be a certain level of trust between us, the consumer, and the vendors of the hardware / software we rely on. I'm not entirely sure what "fail-proof" solution can be put in place to prevent something like this from happening, although I'm sure there are quite a few checks and balances in place already. The bottom line is, if you or I can imagine a scenario like this, there is always a chance of it happening. In my case, I usually wait for several days to apply new service packs and hot-fixes. Hopefully someone else will find the problem, correct it, and then I'll apply it.

You may reprint or publish this article free of charge as long as the bylines are included.
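The scenario above rests on two practical conditions that are easy to check on your own machines: update agents running as the local "system" account, and recovery services that turn out to be disabled when a roll-back is the only way out. The following PowerShell script is an added example, not code from the original article. It lists the services that run as LocalSystem and look like update agents, resolves the file each one really executes (svchost-hosted services keep their code in a ServiceDll registry value), checks its Authenticode signature, and then reports whether System Restore has any restore points at all. The service-name pattern is an assumption about what update agents are called on a given build; the script is read-only and needs an elevated Windows PowerShell 5.1 prompt.

```powershell
# Added example, not part of the original article: a read-only audit of the
# two conditions the scenario depends on, using only built-in Windows cmdlets.
#   1. Which services run as LocalSystem and look like update agents, and
#      whether the code they actually execute carries a valid Authenticode
#      signature.
#   2. Whether System Restore has any restore points on the system drive,
#      so that the "system roll-back" recovery path exists at all.
# Requires an elevated Windows PowerShell 5.1 prompt. The name pattern is an
# assumption about what update agents are called; adjust it for your build.

$UpdateNamePattern = 'updat|wuauserv|bits'   # assumed pattern, edit as needed

function Get-ServiceCodePath {
    # Resolve the file that really runs for a service. Win32_Service.PathName
    # may be quoted and may carry arguments; svchost-hosted services keep the
    # real code in the ServiceDll value under the service's Parameters key.
    param([string]$Name, [string]$PathName)
    if ($PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($PathName -split ' ')[0] }
    if ((Split-Path -Path $exe -Leaf) -ieq 'svchost.exe') {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters"
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-LocalSystemUpdateServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartName -eq 'LocalSystem' -and
            ($_.Name -match $UpdateNamePattern -or $_.DisplayName -match $UpdateNamePattern)
        } |
        ForEach-Object {
            $code = Get-ServiceCodePath -Name $_.Name -PathName $_.PathName
            $status = if (Test-Path -LiteralPath $code) {
                (Get-AuthenticodeSignature -FilePath $code).Status
            } else { 'FileNotFound' }
            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                State     = $_.State
                Code      = $code
                Signature = $status
            }
        }
}

function Get-RestoreReadiness {
    # SystemRestore instances live in the root\default WMI namespace. No
    # instances means System Restore is disabled or has never checkpointed.
    $points = @(Get-CimInstance -Namespace 'root\default' -ClassName SystemRestore -ErrorAction SilentlyContinue)
    $newest = if ($points.Count -gt 0) {
        ($points | Sort-Object -Property SequenceNumber | Select-Object -Last 1).Description
    } else { $null }
    [pscustomobject]@{
        SystemDrive        = "$env:SystemDrive\"
        RestorePointCount  = $points.Count
        NewestRestorePoint = $newest
    }
}

$services = Get-LocalSystemUpdateServices
$services | Format-Table -AutoSize
foreach ($svc in $services) {
    if ($svc.Signature -ne 'Valid') {
        Write-Warning "LocalSystem service '$($svc.Name)' runs '$($svc.Code)' with signature status '$($svc.Signature)'."
    }
}

$restore = Get-RestoreReadiness
$restore | Format-List
if ($restore.RestorePointCount -eq 0) {
    Write-Warning "No restore points on $($restore.SystemDrive). Enable-ComputerRestore -Drive '$($restore.SystemDrive)' followed by Checkpoint-Computer creates one."
}
```

A valid signature only tells you the binary is what the vendor shipped; it says nothing about what a vendor insider put inside it, which is exactly the point of the scenario. What the check does give you is a baseline: a LocalSystem update agent whose code is unsigned or changes signature status after an update is worth a look, and a machine with zero restore points has already lost the cheapest recovery path the article describes.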