 |
The "No Network is 100% Secure" series
- Trojan Horse (computer) Malware -
A White Paper
|
|
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
Contact Us
Got a green screen with a system stopped message?: Skip to
the Vundo trojan section
Types of Trojan horse payloads are almost always designed to cause harm,
but can sometimes be harmless. Payloads are classified based on how they breach and
damage systems. The six main types of Trojan horse payloads are: Remote Access,
Data Destruction, Downloader/dropper, Server Trojan (Proxy, FTP, IRC, Email,
HTTP/HTTPS, etc.), Disable security software and Denial-of-service attack (DoS).
You might be surprised at all of the creepy, unknown "stuff" that's running on
your servers and workstations. This is especially true if you don't have a process
in place to audit your computing equipment periodically. We've seen (many) cases where
production servers had been exploited and a rootkit run on them. And in some cases
these servers were unknowing IRC chat servers with hundreds of on-going connections!
Vulnerable web servers that were exploited and had subdomains created on them by
hackers that housed hundreds of links to porn sites. And worse. Workstations
with viruses, Trojans and bots that were sending out SPAM by the trainload. And all
the user knew was that the PC had "gotten slower" recently.
Next in the security white paper series:
What is a Trojan Horse?: A Trojan horse, also known as a Trojan, describes a
class of computer malware that appears to perform a desirable function but in fact
performs undisclosed malicious functions. These could include allowing unauthorized
access to the host machine, logging the user's keystrokes (spyware) and even
permitting complete control over the computer.
Trojan Horses (not technically a virus) can be easily and unwittingly downloaded.
This is usually done by tricking the user into downloading and activating malevolent
software under the guise of being an ActiveX plug-in, driver, game or some other
"desired" piece of software or function. The Trojan, one activated, opens a back door
that allows a hacker to control the computer of the user. In recent years, sophisticated designs have made it increasingly easier to trick users into installing Trojans onto
their computers. Additionally, the Trojan removal process has become correspondingly
more difficult. The term is derived from the classical story of the Trojan Horse.
A program named "waterfalls.scr" serves as a simple example of a Trojan horse.
The author claims it is a free waterfall screen saver. When running, it instead
unloads hidden programs, scripts, or any number of commands without the user's
knowledge or consent. Malicious Trojan horse programs conceal and install a
malicious payload on an affected computer.
The Zlob Trojan is another, much more insidious and destructive Trojan. When
visiting a web site, the user is asked if they want to install an ActiveX control so
that the user can view the site contact (often videos). At this point, the Trojan
has already been downloaded to the user's computer. Clicking anywhere on the
request pad (not just the "OK" button) will install and activate the Trojan.
Once installed, it displays popup ads with appearance similar to real Microsoft
Windows warning popups, informing the user that their computer is infected with
spyware. Clicking these popups trigger the download of a fake anti-spyware
program (such as Virus Heat) in which the Trojan horse is hidden.
Some variants of the Zlob family, like the so-called DNSChanger, adds rogue DNS
name servers to the Registry of Windows-based computers, network settings of
Macintosh computers and attempts to hack into any detected router to change the
DNS settings and therefore could potentially re-route traffic from legitimate
web sites to other suspicious web sites.
The Trojan has also been linked to downloading atnvrsinstall.exe which uses the
Windows Security shield icon to look as if it is an Anti Virus installation file
from Microsoft. Having this file initiated can wreak havoc on computers and networks.
One symptom is random computer shutdowns or reboots with random comments. This is
caused by the programs using Scheduled Tasks to run a file called "zlberfker.exe".
PHSDL - Project Honeypot Spam Domains List tracks and catalogues Zlob spam Domains.
Some of the domains on the list are redirects to porn sites and various video
watching sites that show a number of inline videos. Clicking on the video to play
activates a request to download an ActiveX codec which is malware. It prevents the
user from closing the browser in the usual manner. Other variants of Zlob Trojan
installation are in the form of computer scan that comes as a Java cab.
There is evidence that the Zlob Trojan might be a tool of the Russian Business
Network or at least of Russian origin.
The Gumblar trojan:
A recent attack known as Gumblar is continuing to blow all previous web-based malware out
of the water, with a new infected web page found every 4.5 seconds. Troj/JSRedir-R is
now found six times more often than its nearest rival Mal/Iframe-F.
JSRedir-R, which has been found on high traffic legitimate Web sites, loads malicious
content from third-party sites (including one called Gumblar.cn, inspiring some
security vendors to dub the threat 'Gumblar') without users' knowledge. The malware
can then be used to steal sensitive information for financial gain, to commit identity
theft or to meddle with search-engine results. The core security problem is that
most computer users still think there's no danger in surfing the web. But with
legitimate sites often falling victim to these attacks, it's time to change that
thinking. As a first step, it's essential to scan every Web site for malicious code
before visiting it. However, a green check mark is no guarantee of safety. I recently
clicked on a legitimate-looking link on a legitimate-looking web site and
INSTANTLY received a pop-up message from my web shield antivirus software that a
threat had been detected. Poof.. like that the trojan was on my PC. Luckily for me,
AVG immediately dumped it in the quarantine vault. But had I not been using
professional grade AV software that I automatically update every four hours, it could
have been a much sadder story.
So how is that so many websites are being compromised lately? Often it is due to SQL
injection errors or direct hacking into the back end of the hosting companies.
But the most prevalent method seems to be compromised FTP passwords that belonged to
the people that administer these websites. There is also a major vulnerability
in the Microsoft IIS server software that is being exploited.
If you think you may have visited a compromised site and have been infected, you
may want to have a look
HERE.
SpySheriff is malware that disguises itself as an anti-spyware program, in
order to trick the owner of the infected computer to buy the program, by repeatedly
informing them of false threats to their system. SpySheriff often goes unnoticed
by actual anti-spyware programs, and is difficult to remove from an infected
computer.
SpySheriff cannot be simply deleted, as it reinstalls itself through hidden components
on the computer. Trying to remove it with the Add/Remove programs feature has similar
results, or may result in a system crash. A blue screen of death may occur.
The program will stop the computer from connecting to the internet or a limited
internet connection, and will display an error message reading "The system has been
stopped to protect you from Spyware."
The desktop background can also be replaced with a blue screen of death, or a notice
reading: "SPYWARE INFECTION! Your system is infected with spyware. Windows recommends
that you use a spyware removal tool to prevent loss of data. Using this PC before
having it cleaned of spyware threats is highly discouraged."
SpySheriff has been known to create another user account, at the administrator level,
to block access to programs and utilities for other users. If logged in as an
administrator, it is sometimes possible to delete the SpySheriff account.
It also acts to stop any attempt to do a System restore by preventing the calendar
and restore points from loading. This prevents the user from being able to revert
their computer to an earlier usable state. A System restore is however often possible
after booting in Safe mode.
It blocks several websites, including the ones that have downloadable anti-spyware
software, locks the user's Internet Explorer options, and It has also been implemented
in pirated versions of Norton Antivirus. It will likely create the need for the use
of a recovery disk in order to restore original factory specs.
Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and
sometimes referred to as MS Juan) is a Trojan horse that is known to cause popups
and advertising for rogue antispyware programs, and sporadically other misbehavior
including performance degradation and denial of service with some websites including
Google and Facebook.
A Vundo infection is typically caused either by opening an e-mail attachment carrying
the Trojan, or through a variety of browser exploits, including vulnerabilities in
popular browser plug-ins, such as Java. Many of the popups advertise fraudulent
programs such as Sysprotect, Storage Protector, AntiSpywareMaster, WinFixer,
AntiVirus 2009, and AntiVirus 360.
Since there are many different varieties of Vundo Trojans, symptoms of Vundo vary
widely, ranging from the relatively benign to the severe. Almost all varieties of
Vundo feature some sort of pop-up advertising as well as rooting themselves to make
them difficult to delete.
Most antivirus programs are not able to block this infection. Some antivirus
programs such as McAfee VirusScan and VundoFix may be able to remove the Trojan,
however sometimes it is not able to, depending on what happens and how much damage
the Trojan did.
Think you may have the Vundo Trojan infection?
We are currently getting dozens of hits per hour by people looking for information
about a green screen and popup saying that their system has been halted. I
suspect this is due to the currently (as of 1/16/10) unpatched vulnerability in
Microsoft Internet Explorer that hackers are gleefully taking advantage of.
Here's what the trojan looks like when you are infected:
desktop screen becomes all green with a box in the middle displaying the following
message: "Your system is infected! System has been stopped due to a serious
malfunction. Spyware activity has been detected. It is recommended to use spy ware
removal tool to prevent data loss. Do not use the computer before all spy ware
removed"
Clearing this trojan (Trojan.Vundo.H) is a pain but it can be done. First step is
to do a scan using whatever AV software you happen to already have installed. Make
sure your definitions are up-to-date although Vundo has been around for a while.
You could get lucky and your existing AV software will get rid of it. However....
if your AV software was doing it's job you wouldn't have gotten infected in the
first place, right? Failing that, try the following:
We've heard of good results using MBAM - Malwarebytes free Anti-Malware tool. You can
download it from http://www.malwarebytes.org/mbam.php or alternately from
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
Follow the instructions to install and run MBAM, taking the defaults. Reboot
in normal mode after the scan is completed. Run the scan a second time and verify
that the system is now clean. You may also want to run something like ATF
Cleaner to get rid of lingering temp files and other garbage. I've had good
results from CCleaner. Both are free. If you still have problems or want to go really
crazy, your can download and run SUPERAntiSpyware at http://www.superantispyware.com
If you follow this procedure and have good results (or not) please drop us a note
and we'll add your comments to this thread. Good luck!
Methods of removal Since Trojan horses have a variety of forms, there is no
single method to delete them. The simplest approach involves clearing the temporary
internet files file and deleting it manually. Normally, antivirus software is able to
detect and remove the Trojan automatically. Updated anti-spyware programs are also
efficient against this threat. Most Trojans also hide in registries and processes.
It is generally more difficult to remove a Trojan if the computer has been rebooted
after the Trojan has been activated. Installing good quality anti virus software,
keeping the virus definitions up-to-date and running a virus scam daily is the
minimum that should be done to protect against Trojans.
Rogue Infiltrants Viruses that are displayed as "Anti-Virus programs" are known
as Rogue Viruses. Rogue viruses have the prime intention of collecting money from a
victim, and/or harming his or her computer with infections. The infections installed
with rogue viruses make the user's computer slow, so they actually believe an infection
exists, which it does. Trojan viruses frequently trick users with pop-up messages
that get them to purchase "virus removal software" which of course does nothing of
the kind.
Privacy-invasive software is a type of computer software that ignores user
privacy and that is distributed with a specific intent, often of a commercial nature.
Three examples of privacy-invasive software are adware, spyware and content hijacking
programs. Keyloggers record user keystrokes in order to monitor user behavior.
Self-replicating malware downloads and spreads disorder in systems and networks.
Data-harvesting software that is programmed to harvest e-mail addresses, which
results in spam e-mail messages that flood networks and mail servers with
unsolicited commercial content (which are frequently scams).
Spyware is computer software that is installed surreptitiously on a personal
computer to intercept or take partial control over the user's interaction with the
computer, without the user's informed consent.
While the term spyware suggests software that secretly monitors the user's behavior,
the functions of spyware extend well beyond simple monitoring. Spyware programs can
collect various types of personal information, such as Internet surfing habits, sites
that have been visited, but can also interfere with user control of the computer in
other ways, such as installing additional software, and redirecting Web browser
activity. Spyware is known to change computer settings, resulting in slow connection
speeds, different home pages, and/or loss of Internet or functionality of other
programs. In an attempt to increase the understanding of spyware, a more formal
classification of its included software types is captured under the term
privacy-invasive software.
In response to the emergence of spyware, a small industry has sprung up dealing in
anti-spyware software. Running anti-spyware software has become a widely recognized
element of computer security best practices.
Employee monitoring software is a means of employee monitoring, and allows
company administrators to monitor and supervise all their employee computers from
a central location. It is normally deployed over a business network and allows for
easy centralized log viewing via one central networked PC.
Techniques include: Logging all keystrokes along with the window name they are
typed. Capturing and logging sent and received E-mails. Logging all websites
visited. Monitoring and logging all applications that a user runs.
Record the documents and files a user opens and views.
Malware: Software is considered malware based on the perceived intent of the
creator rather than any particular features. Malware includes computer viruses,
worms, Trojan horses, most rootkits, spyware, dishonest adware, crimeware and other
malicious and unwanted software. Malware's most common pathway from criminals to
users is through the Internet. Primarily via email and WWW web sites.
Easyrider LAN Pro can come in and audit your enterprise in an
organized way to see what's going on. Think of the performance boosts you are
going to see once all of those non-production programs and services are removed
from your network! Having firewalls and anti virus software deployed is no
guarantee that there aren't LOT'S of infected computing gear in your enterprise.
In fact, almost all of the sites where we have found major issues did indeed
have these provisions installed and IT thought their network was 100% secure.
Surprise! :(
About the Author
Frank Saxton is a computer network security engineer and Easyrider LAN Pro principle.
Home-based in Portland, Oregon, Frank has been designing remote diagnostic and
network enterprise monitoring centers since the late 1970s. Prior to becoming a
professional systems engineering consultant in 1990, Frank had a 20 year career
in computer systems field engineering and field engineering management. Frank
has a BSEE from Northeastern University and holds several certifications including
Network General's Certified Network Expert (CNX). As a NOC design engineer and
architect, Frank works regularly with enterprise-class monitoring tools such as
HP Openview Operations, BMC Patrol and others. In his enterprise security
audit work, Frank uses sniffers and other professional grade monitoring tools on a
daily basis.
How Cyber Criminals will mature over the next ten years
Are you vulnerable to drive-by exploits?
High value sites recent hacks
IT employment challenges of the 21st century
Employment reference checking white paper
Competency Certifications White Paper
Firewall White Paper
Virus White Paper
GhostNet White Paper
Password White Paper
Digital Identification Certificates White Paper
Cryptography White Paper
OpenID White Paper
Intrusion Detection Systems IDS White Paper
Rootkit White Paper
Unnecessary Windows XP Services White Paper
Scareware White Paper
Exaflood Internet Brownout White Paper
Cloud Computing White Paper
Proxy Server White Paper
Personal Computer PC Security White Paper
Conficker White Paper
Phishing White Paper
DNS Poisoning White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Port Scanning White Paper
Monitoring Basics 101 White Paper
Monitoring Basics 102 White Paper
Monitoring Basics 103 White Paper
Virtual Machine Security White Paper
Aurora vulnerability White Paper
Shelfware White Paper
Outsourced IT White Paper
Easyrider LAN Pro Consulting services:
Network Security Audit and PC Tune-up service
- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting
Last modified January 16, 2010
Copyright 1990-2010 Easyrider LAN Pro