Blocking and detecting Trojan code
Security administrators are racing to control Fizzer (alternately known by such names as W32.HLLW.Fizzer), an e-mail worm with a nasty payload that has been steadily spreading through e-mail and the Kazaa peer-to-peer file-sharing network. Windows 95, 98, Me, NT, 2000, and XP systems are vulnerable.
Once opened, Fizzer performs a range of actions: targeting anti-virus software processes, sending randomly named versions of itself to random e-mail addresses as well as those in a Windows Address Book, running a keystroke logging program, connecting to the mIRC chat network to communicate with a remote attacker, and uploading itself to the Kazaa network.
“This is one of the more complicated worms we've seen,” says Mikko Hypponen, manager of anti-virus research at security software company F-Secure Corp. in Helsinki, Finland. “The worm is 200KB of code spaghetti, containing backdoors, code droppers, attack agents, key loggers and even a small Web server.”
The worm installs a backdoor that lets attackers monitor infected computers remotely or use them to launch large-scale denial-of-service attacks.
Updating computers with the latest anti-virus patterns will stop them from becoming infected. For already infected computers, administrators must search out the worm’s telltale files and registry entries, or can use a free, automated tool such as Symantec’s W32.HLLW.Fizzer Removal Tool, available at http://email@example.com.
Fizzer highlights a problem for security administrators: stopping Trojan horses from infecting, or continuing to infect, computers. Anti-virus software can catch worms before they come in, but only once the anti-virus vendor identifies the new threat, updates its virus-checking patterns, and its customers update their pattern files. Once a worm infects a computer by installing Trojan files or processes, it can simply lie low. Undetected, the worm could be uploading all of a user’s keystrokes, including usernames, passwords, credit card numbers, and Web sites visited, to a remote attacker.
Software to stop Trojan processes once they’ve infected a computer is available. One such product is Confidence Online from WholeSecurity Inc. in Austin, Texas. It protects PCs by monitoring for inappropriate behavior. “What we've got is a behavioral technology that looks for the characteristics of Trojan horses, keyboard loggers, remote control, screen grabs—anything that allows someone to control your computer remotely, we look for it and eliminate it on the computer,” says Scott Olson, senior vice president and director of marketing for WholeSecurity. The software also checks to ensure PCs are running in accordance with company policy—anti-virus on, for example, and Kazaa off—or it notifies administrators.
Discerning good from bad can be tricky. For example, in March, the Deloder worm carried VNC, an open source version of PC Anywhere, as its payload. VNC can be a powerful tool for administrators to control PCs remotely. Yet an attacker can use it for the same purpose, as this worm did. “Here's a legitimate program that's been put out there to control PCs, certainly that's nothing that would ever be caught by a signature program, because it could be legitimate,” says Olson. On the other hand, software such as WholeSecurity’s could flag any instance of VNC, unless administrators specifically exempted the program because they need it.
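The kind of host check the last two paragraphs describe (required processes such as anti-virus running, prohibited ones such as Kazaa not running, and remote-control tools such as VNC flagged unless an administrator has exempted that exact installation) can be sketched in a few dozen lines. The script below is an added example, not code from the article or from WholeSecurity's product. It runs over a constructed snapshot of processes and logon autorun entries; every executable name, path and registry key in it is a sample value chosen for illustration, not an indicator taken from the article, and the "launched from a temp directory" rule is a heuristic assumption of this example. It also reports findings rather than terminating anything, which is the part an administrator would want to see before trusting an automated response.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Set

@dataclass(frozen=True)
class Process:
    pid: int
    name: str   # image name as shown in Task Manager
    path: str   # full path of the executable on disk

@dataclass(frozen=True)
class AutorunEntry:
    key: str      # registry key the value lives under (sample value)
    value: str    # value name
    command: str  # command line executed at logon

@dataclass
class Policy:
    required: Set[str] = field(default_factory=set)        # must be running
    prohibited: Set[str] = field(default_factory=set)      # must not be running
    remote_control: Set[str] = field(default_factory=set)  # flagged unless exempted
    exempt_paths: Set[str] = field(default_factory=set)    # admin-approved full paths

@dataclass(frozen=True)
class Finding:
    severity: str
    message: str

def _lower(names: Iterable[str]) -> Set[str]:
    return {n.lower() for n in names}

def check_processes(processes: List[Process], policy: Policy) -> List[Finding]:
    """Compare a process snapshot against the policy and return findings."""
    findings = []
    running = _lower(p.name for p in processes)
    for name in sorted(policy.required):
        if name.lower() not in running:
            findings.append(Finding("high", f"required process not running: {name}"))
    prohibited, remote = _lower(policy.prohibited), _lower(policy.remote_control)
    exempt = _lower(policy.exempt_paths)
    for p in processes:
        n = p.name.lower()
        if n in prohibited:
            findings.append(Finding("medium", f"prohibited process pid {p.pid}: {p.path}"))
        elif n in remote and p.path.lower() not in exempt:
            # Same image name as an approved tool, but not the approved copy.
            findings.append(Finding("high", f"unapproved remote-control tool pid {p.pid}: {p.path}"))
    return findings

def _image_path(command: str) -> str:
    """Extract the executable path from a Run-key command line (quoted or not)."""
    c = command.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[1:end] if end > 0 else c[1:]
    return c.split(" ", 1)[0]

def check_autoruns(entries: List[AutorunEntry], policy: Policy) -> List[Finding]:
    """Flag logon autorun entries that launch a watched image from a
    non-exempt path, or any image from a temp directory (heuristic assumption)."""
    findings = []
    watched = _lower(policy.prohibited) | _lower(policy.remote_control)
    exempt = _lower(policy.exempt_paths)
    for e in entries:
        exe = _image_path(e.command)
        image = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if image in watched and exe.lower() not in exempt:
            reasons.append("launches a watched, non-exempt image")
        if "\\temp\\" in exe.lower():
            reasons.append("launches from a temp directory")
        if reasons:
            findings.append(Finding("high", f"{e.key}\\{e.value} -> {exe}: " + "; ".join(reasons)))
    return findings

def run_checks(processes, entries, policy) -> List[Finding]:
    return check_processes(processes, policy) + check_autoruns(entries, policy)

# Constructed sample data: names, paths and keys are illustrative only.
POLICY = Policy(
    required={"avengine.exe"},
    prohibited={"kazaa.exe"},
    remote_control={"winvnc.exe"},
    exempt_paths={r"C:\Program Files\VNC\winvnc.exe"},
)
SAMPLE_PROCESSES = [
    Process(412, "avengine.exe", r"C:\Program Files\ExampleAV\avengine.exe"),
    Process(1380, "kazaa.exe", r"C:\Program Files\Kazaa\kazaa.exe"),
    Process(1520, "winvnc.exe", r"C:\Program Files\VNC\winvnc.exe"),   # exempted copy
    Process(1788, "winvnc.exe", r"C:\Windows\Temp\winvnc.exe"),        # not exempted
]
SAMPLE_AUTORUNS = [
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "vnc",
                 r'"C:\Windows\Temp\winvnc.exe" -run'),
    AutorunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "av",
                 r'"C:\Program Files\ExampleAV\avengine.exe"'),
]

if __name__ == "__main__":
    for f in run_checks(SAMPLE_PROCESSES, SAMPLE_AUTORUNS, POLICY):
        print(f"[{f.severity}] {f.message}")
```

On the sample data the approved VNC installation passes while the second copy of the same image is reported twice, once as a running process and once as the autorun entry that would restart it at logon; that pairing is what distinguishes an administrator's tool from the same tool dropped by a worm, and it is the exemption on the full path, not the image name, that makes the distinction possible.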
Olson predicts a rise in Trojan attacks because of the continuing change in connectivity—transmitting large amounts of data or screen grabs is easy, so long as it isn’t over a dial-up connection. “I really believe these types of attacks are going to become far more common than viruses, because of the critical mass of users who have broadband and are online all the time.”
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.