Trojan Horse Delivered In Automatic Update
Trojan Horse - One Man's "Worst Case Scenario" Prediction

This is a fictional article about a Trojan Horse virus, or you could say it is one man's prediction of a "worst case scenario". Because of the field I'm in, I maintain a personal list of my top 10 "worst case scenarios". Every time I perform a security assessment I run into something new or identify a situation that is ripe for a potential vulnerability. I think we could all agree that no respectable or ethical company would intentionally deliver a malicious piece of code as part of a helpful update solution. However, the reality is that human beings are behind technology, and human beings are unpredictable and fallible.

Many major operating system vendors have automatic update services. Many hardware vendors and other software packages have followed this trend, incorporating automated update services into their products. In some cases, the services for automatic updates run as the local "system" account. This account has the ability to access and modify most of the operating system and application environment. When automatic updates were relatively new, many people would perform the updates manually; however, as time has progressed, many now trust these services and allow the updates to proceed in a truly automated fashion.

The Final Step Before The Hammer Falls

So let's expand upon our "worst case scenario". A new service pack is just about ready for release. The last step prior to public release is quality control / validation. The team of people performing this task includes a significantly disgruntled employee (or maybe he/she is going through a horrible life crisis and has not much to lose). When people are in pain or distress it is not uncommon for them to project this same feeling onto others in any way they can. So, instead of performing their job in the normal fashion, they decide to incorporate a malicious payload into the forthcoming update.

The First Step For The Trojan Horse: Evasion

This payload has some unique characteristics, three to be precise. First, it is constructed in such a way as not to appear as something malicious. The anti-virus and anti-spyware programs currently on the market won't be able to detect it through anomaly detection techniques.

The Second Step For The Trojan Horse: Information Collection

Secondly, it has been instructed to wait 12 hours to activate, then start searching your computer and network for important files that may contain financial, healthcare, and other confidential information such as user accounts and passwords. It then sends this information to anonymous systems on the Internet. Because this "Trojan horse" has been incorporated into an automated update by someone with reasonable skills, it is instructed to only perform the collection of data for 12 hours. Given the number of global systems that allow automated updates, 12 hours should be more than enough. The person behind this realizes that someone will quickly identify that something malicious is going on and start to roll out a defense solution to halt the process.

The Final Step: Incapacitate

Finally, the Trojan Horse will cease its data collection and deliver its final blow. Because of the level of system privilege it is running at, it modifies the communication protocols and services on the system to prevent any type of external communication to its local peers and external (Internet) hosts. It does this in such a way that the only immediate method to recover from this is a system roll-back, system repair, or restore from near-line media, such as tape or disk. And as far as system recovery is concerned, I can tell you that many people, even in corporate entities, do not perform the most basic steps to be prepared for a quick system disaster recovery. In some cases, some of the most important recovery services have been disabled because of lack of system resources or disk space (which is surprising given how inexpensive this is these days).

What Could Be The Impact Of This "Trusted" Trojan Horse

Just about every time you install a new application or piece of software you increase the time it takes to boot your PC and in some cases decrease its performance. One thing that drives me crazy is printing software. For the life of me I cannot understand how or why printer support software could total 400MB in size, but it sometimes does. Not only that, it tends to load all kinds of unnecessary real-time running applets. HP printers are notorious for this. Be very aware of what it is you are loading and only load those components that you need. Even some off-the-shelf software packages load adware and other not-so-helpful applets. Also, when you uninstall software, not all the software gets uninstalled in many cases. One thing I suggest is to purchase a registry cleaner. This can dramatically decrease boot times and in many cases increase the overall performance of your PC.

People are already concerned about identity theft, or at least they should be. I recently spoke with a business associate who told me that even with everything he does to keep his identity secure, he has been the victim of identity theft not once, but twice. If your user IDs, online accounts, passwords, financials, or other confidential information wind up on the Internet for any anonymous person to see, you can bet they will be used in a way that causes you problems. Even if only 10% of the global systems fell victim to this Trojan Horse, the cut-off of communications could cost businesses billions of dollars and potentially impact their reputation as "secure" institutions.

Conclusion

If we don't think that this "worst case scenario" can happen, then we're kidding ourselves. Recently, one of the market leaders in the perimeter defense business had to recall a service pack because it contained a significant "bug" that could result in a security breach; a service pack that can be delivered through an intelligent update service. Obviously there has to be a certain level of trust between us, the consumer, and the vendors of the hardware / software we rely on. I'm not entirely sure what "fail-proof" solution can be put in place to prevent something like this from happening, although I'm sure there are quite a few checks and balances in place already. The bottom line is, if you or I can imagine a scenario like this, there is always a chance of it happening. In my case, I usually wait for several days to apply new service packs and hot-fixes. Hopefully someone else will find the problem, correct it, and then I'll apply it.

You may reprint or publish this article free of charge as long as the bylines are included.