WatchGuard Technologies, Inc.

Beware of Geeks Bearing Gifts

by Rik Farrow, Internet Security Consultant, www.spirit.com

Remember the Trojan Horse story? The Greeks besieged the city of Troy, stuck outside the city walls for over nine years. Then one morning they apparently gave up: the Trojans peered over their walls and found, instead of the Greek army, a gift: a giant wooden horse. Since the horse was sacred to the Trojans, they pulled the wooden statue into the city, unaware that Greek warriors were packed inside it. The hidden Greeks, now inside the walls of Troy, waited until nightfall to de-horse. Then they killed the gatekeepers and opened the gates, leading to the fall of Troy and giving us the saying, "Beware of Greeks bearing gifts."

Ancient history? Not entirely. Trojans can still lead to the downfall of your own network unless you're careful. This month a new Trojan, distastefully named Brown Orifice HTTPD (BOH), followed other unpleasantly named Trojans, such as Back Orifice (BO) and Deep Throat, into notoriety. What makes these programs so dangerous is that once they are inside your system's "city walls," they can open connections outward through your Firebox undetected, because a firewall is normally configured to block incoming connections while permitting outgoing ones. The reliable defense is to keep them from being installed in the first place. This ability to create a secret connection, especially one that piggybacks on a permitted protocol such as HTTP, is called tunneling.

Trojans: No Silliness Required

Like the original Trojan horse, most software Trojans impersonate something desirable. An infamous example is NetBus (www.netbus.org), a remote system administration tool for Windows NT. Yes, NetBus does provide remote administration capabilities, but earlier versions additionally handed Administrator-level control to anyone who knew the master password trick (you simply appended ;1 to the password and any command).

Back Orifice (BO), which originally worked only on Windows 95/98 systems but has now been ported to NT, quietly provides capabilities that are not readily available to ordinary users. A clever hacker can use BO to slide someone else's CD-ROM tray in and out, or turn on a microphone or even a video camera and begin listening and/or watching remotely. BO also lets hackers remotely run programs, upload and download files, talk to the user, and shut down the computer.

You might wonder, why would anybody be silly enough to install something so dangerous on their computer? No silliness is required. With Trojans, the user doesn't know what he or she really has. There are many sneaky ways of spreading Trojans. For example, the Trojan might be the payload of a virus, or of another program. A program named BO Sniffer claimed to check your system for BO; it would report your system clean, then install and run BO. A game program (Bopper) also installed BO when you started the game.

WatchGuard frequently sends LiveSecurity subscribers alerts about the top ten viruses and Trojans in the wild. "In the wild" means that this software has been found not merely in research labs, but on systems in people's offices and homes. The danger is real, not theoretical. As these reports suggest, if you run virus scanning software with the latest updates, you should be able to detect the known versions.

Especially Vulnerable: The City's "Gates"

Microsoft products seem especially susceptible to Trojan gambits. Microsoft has published numerous alerts in the last two years about vulnerabilities in Internet Explorer, Outlook, and Outlook Express that allow remote attackers to execute code on a victim's system. That is, simply by visiting a Web page or receiving e-mail, you can unwittingly load a program that allows a remote attacker to execute commands on your system.

There are hundreds of Trojans for Windows 9x and NT systems, and new ones appear daily. Keeping your virus scanning software up-to-date will help you maintain a Trojan-free system. You can also employ other countermeasures:

  • Use the netstat program (available on NT and UNIX systems; netstat -an lists every listening port and current connection) to see which ports are currently open. Take a baseline on a system you believe is clean, and look for new services that you haven't seen before or can't identify.
  • On Windows 9x, NT, and 2000 systems, most Trojans add a registry value when they are installed. The Run, RunOnce, and RunServices keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion (open them with Start, Run, then type "regedit") list programs that start every time you reboot your system; Run and RunOnce keys also exist under HKEY_CURRENT_USER for the logged-on user. It is normal to see some programs listed there (Microsoft installs some, and other vendors, including WatchGuard, install others). Watch for new additions to the values of these keys. Trojans may also use the older startup hooks, such as the load= and run= lines of win.ini or the shell= line of system.ini.
  • Lsof is a useful tool for associating an open port with the process that owns it (on UNIX, use lsof -i tcp:port or lsof -i udp:port, substituting the port number netstat showed). Lsof comes with many UNIX systems, and similar programs are available for Windows NT and 2000 at low cost or free (see Resources).
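The netstat check above is only useful if you compare against something. As an added example (not from the original article), here is a small Python script that does the comparison the way a practitioner would: parse a baseline snapshot of netstat -an output taken on a known-clean system, parse a fresh snapshot, report every listening port that is new, and annotate the ones that match a Trojan port list. The netstat output embedded below is constructed sample text in both the Windows NT and the Linux/BSD layout, and the two-entry port table (NetBus on TCP 12345 and Back Orifice on UDP 31337, their well-known defaults) stands in for a fuller list such as the one in Resources.

```python
from __future__ import annotations
import re

# Illustrative table of two default Trojan ports named in this article. Trojans
# are routinely reconfigured, so a hit is a lead to investigate, not proof, and
# a miss proves nothing. Replace with a fuller list (see Resources).
KNOWN_TROJAN_PORTS = {
    ("tcp", 12345): "NetBus (default control port)",
    ("udp", 31337): "Back Orifice (default UDP port)",
}

ADDR_RE = re.compile(r"^.+:(?P<port>\d+)$")   # host:port or [v6addr]:port


def parse_netstat(text: str) -> set[tuple[str, int]]:
    """Return {(proto, port)} for every TCP listener and bound UDP socket in
    `netstat -an` output. Handles both the Windows NT layout (state LISTENING,
    UDP foreign address '*:*') and the BSD/Linux layout (LISTEN, '0.0.0.0:*')."""
    services = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].lower() not in ("tcp", "udp"):
            continue                                  # header, blank, or non-IP socket
        proto = fields[0].lower()
        addrs = [f for f in fields[1:] if ADDR_RE.match(f)]
        if not addrs:
            continue
        port = int(ADDR_RE.match(addrs[0]).group("port"))   # first address is local
        if proto == "tcp" and fields[-1].upper() not in ("LISTEN", "LISTENING"):
            continue                                  # a client connection, not a service
        services.add((proto, port))
    return services


def new_services(baseline: str, current: str) -> set[tuple[str, int]]:
    """Ports open now that were not open when the baseline was taken."""
    return parse_netstat(current) - parse_netstat(baseline)


def report(baseline: str, current: str) -> list[str]:
    """One line per new service, annotated when the port is on the Trojan list."""
    lines = []
    for proto, port in sorted(new_services(baseline, current)):
        note = KNOWN_TROJAN_PORTS.get((proto, port), "unknown; find the owning process")
        lines.append(f"NEW {proto}/{port}: {note}")
    return lines


# Constructed sample output (not a real capture): a clean NT box, then the same
# box after a NetBus server and a Back Orifice server have been installed.
BASELINE_NT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1032      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:137            *:*
"""
CURRENT_NT = BASELINE_NT + """\
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:31337          *:*
"""

# Constructed Linux-style output, to show the same parser handles that layout.
LINUX_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:45000      10.0.0.1:80             ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

if __name__ == "__main__":
    for line in report(BASELINE_NT, CURRENT_NT):
        print(line)
```

Keep the baseline snapshot somewhere the machine's users cannot edit it, and re-run the comparison after every reboot: a Trojan that only binds its port once its registry Run entry has fired will not show up in a snapshot taken before the restart.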

While bugs in Microsoft software appear on average about once a week, most of them cannot be used to execute code (generally they merely disclose files or crash software). Still, your best course of action is to install Microsoft software updates every time a relevant bulletin comes out, or to avoid using Microsoft software for browsing the Web or reading e-mail. But other vendors' products have turned out to be vulnerable recently, too.

Netscape, Java, and UNIX Vulnerabilities

In the first week of August 2000, hacker Dan Brumleve published an example exploit called Brown Orifice (BOH), a Java applet affecting Netscape Communicator 4.04 through 4.74. It exploits a flaw in Netscape's Java implementation to do things the applet sandbox is supposed to forbid: accept network connections and read local files. You could intentionally load a version of BOH and run it, or you could wind up running a Trojan version that someone else loaded onto your system simply because you visited their Web page.

Once loaded, BOH acts as a Web server, letting a remote Web browser display any file that you can read on your system. WatchGuard Fireboxes reduce this to a local network problem, because a Firebox blocks incoming connections to arbitrary servers on your network. In other words, the BOH exploit as published would only open your system up to other network users inside your Firebox. If you trust the people "behind the city walls," this is not too much of a problem.

But BOH is available as source code, meaning that someone can easily download the Java program and modify it. BOH can be reconfigured to open a connection from the victim's system back to the attacker. The danger is that your Firebox is typically NOT configured to prevent your systems from making outgoing connections. Even if your Firebox configuration is very restrictive, a modified BOH can use HTTP to connect to the attacker's system, something most Firebox configurations permit. The attacker's system will not be running a real Web server, but rather a tool masquerading as one: it accepts what looks like an ordinary outbound Web request and uses that connection as a tunnel to remotely control the modified BOH.

There has always been some danger in leaving Java enabled in your browser. Security-conscious users have already disabled Java in Netscape Navigator (Edit, Preferences, Advanced, then uncheck Enable Java), so for them, this is not a problem. You should consider disabling Java unless you find that you must use it (you visit a site that requires Java, or use software that requires Java, such as WatchGuard remote authentication). Even then, it is best to enable Java only to complete a particular task, then disable it again.

UNIX systems can also be infected with Trojans, although less commonly. UNIX uses a different mechanism to start services at boot. The configuration file /etc/inetd.conf lists services that inetd starts on demand; other programs are started at boot time by scripts (/etc/rc*, or the scripts in the /etc/rc.d directories). Intruders commonly modify these scripts or inetd.conf after breaking into a UNIX system so that their backdoor survives a reboot, so keep watch on these files, using an integrity checker such as Tripwire (www.tripwire.com) to detect changes.
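An added example, not part of the original article and not Tripwire itself: a Python sketch of the two checks the paragraph above recommends. It parses an inetd.conf to list the services that are actually enabled (commented-out lines are disabled), diffs two versions, and catches a classic backdoor line that hands a root shell to anyone connecting to the ingreslock port; it also records SHA-256 hashes of rc scripts and reports any file whose hash has changed. The inetd.conf text and the rc scripts are constructed samples written to a temporary directory, and the /dev/.hidden/bindshell path is a made-up placeholder for an intruder's program.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path


def enabled_inetd_services(text: str) -> dict[str, str]:
    """Map service name -> server program for every active line of an inetd.conf.
    Field layout: service socket_type proto wait/nowait user server_program [args]."""
    services = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank, or a commented-out (disabled) service
        fields = line.split()
        if len(fields) < 6:
            continue                      # malformed; inetd would reject it too
        services[fields[0]] = fields[5]
    return services


def hash_files(paths) -> dict[str, str]:
    """SHA-256 of each file, keyed by path: the baseline a Tripwire-style check stores."""
    return {str(p): hashlib.sha256(Path(p).read_bytes()).hexdigest() for p in paths}


def compare(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Keys added, removed, or whose value changed between two snapshots."""
    return {
        "added":   sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


# Constructed sample: a small inetd.conf before and after a classic backdoor line
# (an ingreslock entry that runs /bin/sh -i as root for anyone who connects).
BASELINE_INETD = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""
TAMPERED_INETD = BASELINE_INETD + "ingreslock stream tcp nowait root /bin/sh sh -i\n"


def check_inetd(before: str, after: str) -> dict[str, list[str]]:
    """Semantic diff of enabled services, which a plain file hash would only flag as 'changed'."""
    return compare(enabled_inetd_services(before), enabled_inetd_services(after))


def check_boot_scripts() -> dict[str, list[str]]:
    """Hash constructed rc scripts, append a line as an intruder would, re-hash, and diff."""
    with tempfile.TemporaryDirectory() as d:
        rc_local = Path(d) / "rc.local"
        rc_sysinit = Path(d) / "rc.sysinit"
        rc_local.write_text("#!/bin/sh\n/usr/sbin/sendmail -bd\n")
        rc_sysinit.write_text("#!/bin/sh\n/sbin/ifconfig eth0 up\n")
        baseline = hash_files([rc_local, rc_sysinit])
        # Intruder adds a startup hook for a program hidden under /dev (placeholder path).
        with rc_local.open("a") as f:
            f.write("/dev/.hidden/bindshell &\n")
        current = hash_files([rc_local, rc_sysinit])
        result = compare(baseline, current)
        # Report basenames so the result does not depend on the temporary directory name.
        return {k: [Path(p).name for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print("inetd.conf:", check_inetd(BASELINE_INETD, TAMPERED_INETD))
    print("boot scripts:", check_boot_scripts())
```

Store the baseline somewhere the intruder cannot rewrite it, such as read-only media or another host: an intruder with root who can edit inetd.conf can just as easily edit a baseline kept on the same disk, and then the check reports nothing.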

Conclusion: Think Inside-Out

Trojans and tunnels turn the whole notion of protecting your network on its head. Besides trying to keep attackers out, you must also detect them once they are inside your walls. Prevention is always the best medicine, so:

  • keep your virus scanning software up-to-date
  • keep Microsoft software updated (weekly, if required)
  • do not execute e-mail attachments
  • use netstat to look for new network services.

In general, be alert for unusual behavior from your systems and network --and beware of geeks bearing gifts.

Resources:

Lsof source (and some precompiled versions) for UNIX systems without it:
http://freshmeat.net/projects/lsof

Lsof-like products for NT:
Administrator's Pak 4.0 can list which processes hold open ports:
www.winternals.com

Another lsof for NT by Arne Vidstrom/ntsecurity.nu (free):
http://ntsecurity.nu/toolbox/inzider/

List of port addresses used by some Windows Trojans (which you can look for using netstat):
http://anti-trojan.virtualave.net/page61.html