http://www.wired.com/politics/security/news/2008/04/trojan_anniversary_feature

By Ryan Singel
Wired.com 04.24.08

About 3,000 years ago Thursday, some Greeks left the people of Troy a wooden horse at the walled city's front gate -- a free gift, no cost, no obligation from would-be invaders who wanted their adversaries to think they had left in peace. Accepting the Trojan horse at face value turned out to be a big mistake.

Some things never change. In the 21st century Trojan horses are made of electronic "1s" and "0s" but are still left for you in all innocence and in plain sight: in your e-mail inbox, in IMs and on a web page. But the intent, and the outcome, is pretty much the same: to pillage and steal.

The computer security industry describes computer Trojans as any program that purports to be one thing -- a screensaver or a .pdf file or a video codec -- but which actually conceals a malicious payload, like a password logger or pop-up advertising software.

One might be tempted to think we've gotten smarter in the three millennia since the Trojans ignored Cassandra's warning and accepted the first one. But when it comes to a propensity to fall for a deal that is too good to be true, humans have made little progress. Or none whatsoever, if you believe computer-security guru Peter Neumann.

"People are still just as stupid now as they were then," says Neumann, the chief scientist at SRI's computer-security lab. "They see something shiny or a website that offers something for free and then they are dead."

But don't expect technology to save you from yourself any time soon, Neumann warns.

"We are dealing with computer systems incapable of giving us the security that we need and we are dealing with people doing things that should be or are illegal," Neumann says. "We are dealing with a nation of sheep that don't even understand there is a problem and we are dealing with technologists that think making a fast buck is the optimal strategy, regardless of the consequences."
That explains why internet scammers can still get users to open fake e-greeting-card attachments. Once clicked, the attachment instead absorbs the less-than-savvy user's computer into a zombie clone army of remotely controllable Windows boxes. The internet-security firm Sophos identifies this most recent threat as the Pushdo Trojan, which accounted for nearly 45 percent of all the malware in e-mail attachments in the first three months of 2008.

Microsoft's recently released Security Intelligence Report noted an explosion in the first half of 2007 in the number of Trojans that its security scanning tool removed from users' computers: the count jumped from some 2 million in the second half of 2006 to more than 8 million in the next six months. Many of these were delivered by luring people to a web page rather than by getting them to open a rogue attachment.

While online criminal gangs are still seeking out suckers on the net with e-mail blasts to millions of addresses, the newest tactic is to send more targeted Trojans to a more limited audience.

On April Fools' Day this year, employees at the nonprofit Committee to Protect Journalists got an e-mail purporting to be from Martin Seutcheu, a real human-rights officer for the United Nations. The e-mail, with the subject line "Beijing Olympics Tactical Campaign Meeting Report," had an attached PowerPoint file called Timeline May 21. But that file, according to BitDefender anti-virus software, is just a carrier for Exploit.PPT.Gen.

CPJ employees didn't fall for the trick, since there were enough clues that it wasn't quite right, according to CPJ spokeswoman Abi Wright.

"Obviously their English isn't great and you get suspicious immediately," Wright says, noting that it's very odd to get a one-line e-mail with an attachment from someone you don't know, even if you know their organization. That's not to say it's not worrisome or chilling, according to Wright.
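The two attachment tricks above (an "e-card" that is really an executable, and a document file whose name does not match its contents) are exactly what a mail-gateway attachment check looks for. The following Python is an added example, not code from the Wired article or from any of the companies it quotes: it sniffs the container format from the leading bytes, compares it with the declared extension, flags executable and double extensions, and looks inside zip archives for executables. The file names and byte strings are constructed here for illustration. One caveat the CPJ case makes clear: a genuine PowerPoint that carries a document exploit (the Exploit.PPT.Gen detection BitDefender reported) passes a magic-byte check, so this catches masquerading, not exploit-laden documents, which still need anti-virus signatures or a sandbox.

```python
import io
import zipfile

# Leading bytes of container formats that commonly arrive as mail attachments.
MAGIC = {
    "pe": b"MZ",                                   # Windows executable (.exe, .scr, ...)
    "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # legacy Office (.ppt, .doc, .xls)
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",
}

# Extensions Windows will execute; none of these belong in an "e-greeting card".
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}

# Container format each document extension is expected to have.
EXPECTED = {"ppt": "ole2", "doc": "ole2", "xls": "ole2", "pdf": "pdf", "zip": "zip"}


def sniff(data: bytes) -> str:
    """Identify the container format from its first bytes, or 'unknown'."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> list:
    """Return the reasons to distrust an attachment; an empty list means none found."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # 1. Outright executable, or a double extension such as card.jpg.scr.
    if ext in EXEC_EXT:
        reasons.append(f"executable extension .{ext}")
        if len(parts) > 2:
            reasons.append("double extension disguises an executable as a document")

    # 2. Declared document type versus the real container format.
    actual = sniff(data)
    expected = EXPECTED.get(ext)
    if expected and actual != expected:
        reasons.append(f".{ext} claims {expected} but content is {actual}")

    # 3. Archives: the e-card trick is a zip whose member is the executable.
    if actual == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().rsplit(".", 1)[-1] in EXEC_EXT:
                        reasons.append(f"archive contains executable {member}")
        except zipfile.BadZipFile:
            reasons.append("zip magic but archive does not parse")
    return reasons


def build_samples() -> dict:
    """Constructed sample attachments (not files from the article)."""
    # (a) a PE executable renamed to look like the meeting PowerPoint
    pe_as_ppt = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
    # (b) a real OLE2 container under the same name: passes the masquerade check
    real_ppt = MAGIC["ole2"] + b"\x00" * 56
    # (c) an "e-greeting card" zip whose only member is an executable
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("greeting_card.jpg.exe", b"MZ" + b"\x00" * 30)
    return {"pe_as_ppt": pe_as_ppt, "real_ppt": real_ppt, "ecard": buf.getvalue()}


if __name__ == "__main__":
    samples = build_samples()
    for name, data in [("Timeline May 21.ppt", samples["pe_as_ppt"]),
                       ("Timeline May 21.ppt", samples["real_ppt"]),
                       ("ecard.zip", samples["ecard"]),
                       ("card.jpg.scr", samples["pe_as_ppt"])]:
        print(name, "->", classify_attachment(name, data) or "no masquerade found")
```

The second sample ("Timeline May 21.ppt" with a genuine OLE2 header) comes back clean, which is the point of the caveat: the check proves only that the file is what it claims to be, not that it is safe.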
"We haven't seen this kind of concerted effort to crash our system before," Wright says. "It's a change for the worse."

That attack is just one of many originating from and reporting back to servers hosted in China. Though the perpetrators aren't known, government agencies around the world -- along with defense contractors and Tibetan and Taiwanese independence groups -- have all experienced similar attacks, according to Patrik Runald, a senior security researcher for the Finnish security company F-Secure.

"In a lot of these cases, it's not just hit and miss -- it's more planned than what a lot of people think," Runald says. "They will find out what anti-virus software they are using, try to find out information from LinkedIn or Facebook, and send an e-mail saying, 'Following up on our conversation at the conference in Japan, here's the info we talked about.'"

Matt Richard, Verisign iDefense Lab's rapid response manager, has been tracking two gangs based in Romania that target corporations to steal files and, they hope, get at the companies' money. In a sort of inverse Trojan horse tactic, the groups pretend to be notifying executives about IRS issues, Better Business Bureau consumer complaints, and most recently, a notice that the company was being sued in federal court.

The Romanian groups, which have been operating for about a year, rely on being able to trick humans, a technique known as social engineering. That's why Richard suggests that companies start testing employees by engaging firms that send them test Trojans, to see whether they can be duped.

"Education becomes important at the executive level," Richard says. "If a C-level forwards a notice about the IRS on to one of his staff, not only is the IRS's name attached but also the CEO's name is attached to it as well."
Much of the problem can be traced back to software makers failing to heed the lessons first laid out more than 30 years ago by researchers who warned against letting programs have unchecked access to key operating files or user data, according to SRI's Neumann.

"Some of the mass-market operating systems haven't learned to protect the basic underlying systems from the applications," Neumann says. "We really need systems that are much more robust and secure and reliable, and you can't get there from here with minor incremental changes."

Which is just another way of saying that even when you get your flying car in the future, Trojan horses will probably still be around, successfully thumbing a ride from the gullible.

_______________________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Thu Apr 24 2008 - 22:24:03 PDT