| Title | | | | data collection and deliver it's final blow. |
| | | | Because of the level of system privilege it |
| Trojan Horse Delivered In Automatic Update | | | | is running at, it modifies the communication |
| | | | protocols and services on the system to |
| Trojan Horse - One Mans "Worse Case Scenario" | | | | prevent any type of external communication to |
| Prediction | | | | its local peers and external (Internet) |
| | | | hosts. It does this in such as way that the |
| This is a fictional article about a Trojan | | | | only immediate method to recover from this is |
| Horse Virus, or you could say it is one mans | | | | a system roll-back, system repair, or restore |
| prediction of a "worse case scenario". | | | | from near-line media, such as tape or disk. |
| Because of the field I'm in, I maintain a | | | | And as far as system recovery is concerned, I |
| personal list of my top 10 "worse case | | | | can tell you that many people even in |
| scenarios". Every time I perform a security | | | | corporate entities do not perform the most |
| assessment I run into something new or | | | | basic steps to be prepared for a quick system |
| identify a situation that is ripe for a | | | | disaster recovery. In some cases, some of |
| potential vulnerability. I think we could all | | | | the most important recovery services have |
| agree that no respectable or ethical company | | | | been disabled because of lack of system |
| would intentionally deliver a malicious piece | | | | resources or disk space (which is amazing |
| of code as part of a helpful update solution. | | | | given how inexpensive this is anymore). |
| However, the reality is that human beings are | | | | |
| behind technology and human beings are | | | | What Could Be The Impact Of This "Trusted" |
| unpredictable and fallible. | | | | Trojan Horse |
| | | | |
| Many major operating system vendors have | | | | Just about every time you install a new |
| automatic update services. Many hardware | | | | application or piece of software you increase |
| vendors and other software packages have | | | | the time it takes to boot your PC and in some |
| followed this trend, incorporating automated | | | | cases decrease its performance. On thing that |
| update services into their products. In some | | | | drives me crazy is printing software. For the |
| cases, the services for automatic updates run | | | | life of me I cannot understand how or why |
| as the local "system" account. This account | | | | printer support software could total 400MB in |
| has the ability to access and modify most of | | | | size, but they sometimes do. Not only that, |
| the operating system and application | | | | they tend to load all kinds of unnecessary |
| environment. When automatic updates were | | | | real-time running applets. HP printers are |
| relative new, many people would perform the | | | | notorious for this. Be very aware of what it |
| updates manually, however, as time has | | | | is you are loading and only load those |
| progressed, many now trust these services and | | | | components that you need. Even some |
| allow the updates to proceed in a truly | | | | off-the-shelf software packages load adware |
| automated fashion. | | | | and other not so helpful applets. Also, when |
| | | | you uninstall software, not all the software |
| The Final Step Before The Hammer Falls | | | | gets uninstalled in many cases. One thing I |
| | | | suggest is to purchase a registry cleaner. |
| So let's expand upon our "worse case | | | | This can dramatically decrease boot times and |
| scenario". A new service pack is just about | | | | in many cases increase the overall |
| ready for release. The last step prior to | | | | performance of your PC. |
| public release is quality control / | | | | |
| validation. The team of people performing | | | | People are already concerned about identity |
| this task includes a significantly | | | | theft, or at least they should be. I recently |
| disgruntled employee (Or may he/she is going | | | | spoke with a business associate that told me |
| through a horrible life crisis and has not | | | | that even with everything he does to keep his |
| much to lose). When people are in pain or | | | | identity secure he has been the victim of |
| distress it is not uncommon for them to | | | | identity theft not once, but twice. If your |
| project this same feeling onto others in any | | | | user id's, online accounts, passwords, |
| way they can. So, instead of performing their | | | | financials, or other confidential information |
| job in the normal fashion, they decide to | | | | winds up on the Internet for any anonymous |
| incorporate a malicious payload into the | | | | person to see, you can bet it will be used in |
| forthcoming update. | | | | a way to cause you problems. Even if only 10% |
| | | | of the global systems fell victim to this |
| The First Step For The Trojan Horse: Evasion | | | | Trojan Horse, the cut off of communications |
| | | | could cost businesses billions of dollars and |
| This payload has some unique characteristic, | | | | potentially impact their reputation as |
| three to be precise. First, it is constructed | | | | "secure" institutions. |
| in such as way to not appear as something | | | | |
| malicious. The anti-virus and anti-spyware | | | | Conclusion |
| programs currently on the market won't be | | | | |
| able to detect it through anomalous detection | | | | If we don't think that this "worse case |
| techniques. | | | | scenario" can happen, then we're kidding |
| | | | ourselves. Recently, one of the market |
| The Second Step For The Trojan Horse: | | | | leaders in the perimeter defense business had |
| Information Collection | | | | to recall a service pack because it contained |
| | | | a significant "bug" that could result in a |
| Secondly, it has been instructed to wait 12 | | | | security breach; a service pack that can be |
| hours to activate to start searching your | | | | delivered through and intelligent update |
| computer an network for important files that | | | | service. Obviously there has to be a certain |
| may contain financial, healthcare, and other | | | | level of trust between us, the consumer, and |
| confidential information such as user | | | | the vendors of hardware / software we rely |
| accounts and passwords. It then sends this | | | | on. I'm not entirely sure what "fail-proof" |
| information to anonymous systems on the | | | | solution can be put in place to prevent |
| Internet. Because this "Trojan horse" has | | | | something like this from happening. Although |
| been incorporated into an automated update by | | | | I'm sure there are quite a few checks and |
| someone with reasonable skills, it is | | | | balances in place already. The bottom line |
| instructed to only perform the collection of | | | | is, if you or I can image a scenario like |
| data for 12 hours. Given the number of global | | | | this, there is always a chance of it |
| systems that allow automated updates, 12 | | | | happening. In my case, I usually wait for |
| hours should be more than enough. The person | | | | several days to apply new service packs and |
| behind this realizes that someone will | | | | hot-fixes. Hopefully someone else will find |
| quickly identify that something malicious is | | | | the problem, correct it, and then I'll apply |
| going on and start to roll-out a defense | | | | it. |
| solution to halt the process. | | | | |
| | | | You may reprint or publish this article free |
| The Final Step: Incapacitate | | | | of charge as long as the bylines are |
| | | | included. |
| Finally, the Trojan Horse will cease it's | | | | |