[Securing Internet Banking] Part 5 – Trojan Attacks

In Greek mythology, the Greeks tricked the Trojans into believing they had won the war by building a large wooden horse outside the city and hiding inside it. When the Trojan soldiers celebrated their victory by carrying the horse into the city, the Greeks launched a surprise attack from within the city and destroyed Troy. Trojan attacks on computer systems are based loosely on the same principle and are often just as deadly.

The Trojan can be in any form – executable application code, music files, documents, emails or even images – with the sole purpose of getting the unsuspecting bank customer to install, execute or view it on his personal computer. Trojan attacks can be quite obvious, for example, attachments in emails that promise something ‘exciting’ in the file (usually with pornographic connotations). The file attachments can be executable applications or common file formats such as Word or Excel documents, MP3 audio files or even JPG images[1]. Another common way for Trojans to gain entry is to pretend to be useful software (including shareware, open source software and even normal commercial software that comes on CDs), plug-ins or file viewers. Any method that can propagate viruses can also be used to propagate a Trojan. The Trojan can even start its life as a worm or a virus and replicate itself throughout a network, so the entry point might not be obvious.

As Trojans are only the carriers, the real harm is usually done by the Trojan’s payload. Common Trojan payloads include viruses, worms, rootkits, keyloggers and screenloggers. Trojans are a generic tool used by hackers to penetrate computer systems; the attacker’s intent is reflected in the payload that comes with the Trojan. The earlier Trojans were mostly used to propagate viruses that cause immediate damage (by deleting files, defacing web sites or launching denial-of-service attacks), but these have since moved on to more insidious theft-based eavesdropping attacks that cause financial damage. While virus-based Trojans are usually generic and widespread, with the intention of spreading to as many systems as possible, eavesdropping Trojans are usually more targeted. In a recent case in Israel, a married couple was arrested for corporate espionage using Trojans[2]. Such Trojans are harder to detect as they are geared towards a specific environment and cannot normally be detected by anti-virus or anti-spyware applications.

Eavesdropping Trojans are usually offline attacks – the Trojan captures information on the computer and stores or sends it for later use by the hacker. For Internet banking systems, eavesdropping Trojans are an obvious threat to the bank customer’s personal computer as they compromise the integrity of the communications between the Internet banking system and the bank customer. According to the Anti-Phishing Working Group (APWG), there were 180 unique phishing-based Trojans (keyloggers) and 1912 websites spreading password-stealing Trojans detected and recorded by APWG researchers in December 2005 alone[3]. A report released by Counterpane Internet Security and MessageLabs in March 2006 found that financial services and banking industry organizations suffered the largest percentage of Trojan attacks in 2005, with close to 40 percent of all Trojans focussed on them[4].

Keyloggers are a common Trojan payload. Keyloggers monitor the keys that are pressed on the breached computer. They are typically used to trap data that is keyed in at the computer and to relay the information to the hacker. Many keyloggers use a feature of Microsoft’s Internet Explorer called Browser Helper Object (BHO) to detect the sites that are visited, so that only the needed set of data is collected. Keyloggers, like remote monitoring software, are not inherently malicious. In fact, many keyloggers are sold as commercial software for legitimate purposes such as monitoring and controlling a network of personal computers within a corporate environment. For example, it is ironic that the software ‘Perfect Keylogger’ used by the teenage hacker in Singapore described below is sold commercially for security purposes[5]. Screenloggers are a variant of keyloggers that capture the screen as well as the keystrokes, and are used to overcome counter-keylogging measures that rely on on-screen security features.

A rootkit is a set of software tools used by intruders to conceal their activities after the computer has been compromised. Rootkits help the intruders maintain their access to the system without the owner’s knowledge. Trojans that install rootkits often install other payloads and use the rootkit to prevent their detection. Rootkits are also often used in the creation of botnets, or zombie networks of computers captured by hackers. Such botnets are often used to launch other attacks such as phishing or sending out spam mails.

A recent infamous Trojan is the Sony rootkit controversy[6]. A piece of software called Extended Copy Protection (XCP), used for copyright protection and digital rights management in audio CDs, was included on some audio CDs that were distributed by Sony BMG. In this case, if a user attempts to play the music on a Windows system, XCP is installed on the computer without the knowledge or permission of the user. It then remains resident in the user’s system, intercepting all accesses to the CD drive to prevent any media player or ripper software other than the one included with the CD from accessing the music tracks of the Sony CD. More ominously, it also alters operating system registry settings in a way that renders the CD drive inoperable if any attempt is made to remove the software. While the controversy dragged into messy legal disputes, it is worth noting that Trojans do not necessarily come from hackers across the Internet. If, instead of DRM software, an audio (or video) CD or DVD installs other malicious software such as keyloggers or screenloggers, the entire system can be compromised. It does not take large leaps of creativity to imagine some teenager or child popping a nice-looking CD he gets from a schoolmate into the family personal computer, leading to identity theft and security breaches.

Another trick used by Trojans works more insidiously. When a user clicks on a hyperlink to an Internet website or types in the URL of the site, the web browser asks the operating system to translate the host name in the URL into the numeric IP addresses that are the ‘real’ addresses used by the network to find the correct server. The operating system first consults the local hosts file to check if a local translation is available. If it is not (and that is usually the case unless the website is part of the Intranet), it contacts the configured Domain Name Server to request a translation. Some Trojans modify the local hosts file to add a redirection to a phishing site. For example, if the bank customer types http://www.citibank.com and the hosts file has been ‘poisoned’ to redirect that name to a phishing site, the bank customer will not be able to tell from the address bar that it is not the correct web site. With a simple command to remove itself after the attack, this attack is almost invisible. When paired with a convincing phishing site, these hosts file poisoning attacks are extremely dangerous.
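A simple defensive check for the hosts file poisoning described above, as an added example that is not part of the original article: it parses a hosts file and flags any public hostname that has been mapped to a non-loopback address. The sample hosts file is constructed for the example, and 203.0.113.45 is a documentation-range placeholder standing in for a phishing server.

```python
import ipaddress

# Constructed sample hosts file. The last line is a poisoned entry of the
# kind described above: a bank hostname redirected to an address that is
# not the bank's. 203.0.113.45 is a documentation-range placeholder.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.20    intranet.example.local   # legitimate internal host
203.0.113.45    www.citibank.com citibank.com
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]        # one IP may carry several names
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text, trusted_suffixes=(".local",)):
    """Flag entries that map a public hostname to a non-loopback address.

    Loopback mappings and names under the trusted intranet suffixes are the
    only entries a typical home or office hosts file should contain; anything
    else is a candidate for the redirection trick above.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or name == "localhost":
            continue
        if any(name.endswith(suffix) for suffix in trusted_suffixes):
            continue
        flagged.append((ip, name, "public hostname mapped locally"))
    return flagged
```

On a real machine the hosts file lives at %SystemRoot%\System32\drivers\etc\hosts on Windows and /etc/hosts on Unix-like systems; feeding either to suspicious_entries() gives the same check.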

Trojans are so common that they have even been offered as packaged software. Researchers from PandaLabs found a system that offers a custom-made Trojan for sale[7]. For only US$990, the system offers a personalized Trojan, complete with tech support. If the file is discovered, the designer guarantees to alter it so that it may continue to avoid detection by updated antivirus software.

Another sobering fact is that Trojans are not only installed from malicious websites but are often introduced by friends or someone the user knows and normally trusts. In a recent case in Singapore[8], a teenager invited some friends via email to play some computer games that embedded a keylogger. Using this Trojan the teenager managed to acquire the Internet banking user names and passwords of his friends and successfully paid his phone bills using a friend’s account.

[1] See Declan McCullagh, Robert Lemos, Trojan horse exploits image flaw (September 2004) at http://news.com.com/Trojan+horse+exploits+image+flaw/2100-7355_3-5385995.html

[2] http://news.yahoo.com/s/nf/20060308/tc_nf/41980

[3] See Phishing Attack Trends Report – December 2005 at http://antiphishing.org/reports/apwg_report_DEC2005_FINAL.pdf

[4] http://www.counterpane.com/pr-20060313.html

[5] http://www.blazingtools.com/bpk.html

[6] See Mark Russinovich, Sony, Rootkits and Digital Rights Management Gone Too Far (October 2005) at http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

[7] See Peter Pollack, Malware moves up, goes commercial, Arstechnica (Feb 2006) at http://arstechnica.com/news.ars/post/20060225-6264.html

[8] http://tech.monstersandcritics.com/news/article_1077952.php