What type of computer attack appears to be harmless but is in fact malicious?
Stealth viruses: These types of viruses use different kinds of techniques to avoid detection. They either redirect the disk head to read another sector instead of the one in which they reside, or they alter the size of the infected file shown in the directory listing. For example, the Whale virus adds 9216 bytes to an infected file; the virus then subtracts the same number of bytes (9216) from the size given in the directory, so the listing appears unchanged.
The term “trojan virus” is not technically accurate; according to most definitions, trojans are not viruses. A virus is a program that spreads by attaching itself to other software, while a trojan spreads by pretending to be useful software or content. Many experts consider spyware programs, which track user activity and send logs or data back to the attacker, as a type of trojan. Trojans can act as standalone tools for attackers, or can be a platform for other malicious activity. For example, trojan downloaders are used by attackers to deliver future payloads to a victim’s device. Trojan rootkits can be used to establish a persistent presence on a user’s device or a corporate network.

Trojan Infection Methods

Here are common ways trojans can infect computers in your corporate network:
The “Daserf” Trojan created by the cyber-espionage group REDBALDKNIGHT is often installed through the use of decoy documents attached to emails.

Types of Trojans

The first trojan seen in the wild was ANIMAL, released in 1975. Since then, many millions of trojan variants have emerged, which may be classified into many types. Here are some of the most common types.

Downloader Trojan

A downloader trojan downloads and deploys other malicious code, such as rootkits, ransomware or keyloggers. Many types of ransomware distribute themselves via a “dropper”, a downloader trojan that installs on a user’s computer and deploys other malware components. A dropper is often the first stage in a multi-phase trojan attack, followed by the installation of another type of trojan that provides attackers with a persistent foothold in an internal system. For example, a dropper can be used to inject a backdoor trojan into a sensitive server.

Backdoor Trojan

A backdoor trojan opens up a secret communication tunnel, allowing the local malware deployment to communicate with an attacker’s Command & Control center. It may allow hackers to control the device, monitor or steal data, and deploy other software.

Spyware

Spyware is software that observes user activities, collecting sensitive data like account credentials or banking details, and sends this data back to the attacker. Spyware is typically disguised as useful software, so it is generally considered a type of trojan.

Rootkit Trojans

Rootkit trojans acquire root-level or administrative access to a machine, and boot together with the operating system, or even before the operating system. This makes them very difficult to detect and remove.

DDoS Attack Trojan (Botnet)

A DDoS trojan turns the victim’s device into a zombie participating in a larger botnet.
The attacker’s objective is to harvest as many machines as possible and use them for malicious purposes without the knowledge of the device owners—typically to flood servers with fake traffic as part of a Distributed Denial of Service (DDoS) attack.

Trojan Horse Malware Examples

Following are some of the fastest-spreading and most dangerous trojan families.

Zeus

Zeus/Zbot is a malware package operating in a client/server model, with deployed instances calling back home to the Zeus Command & Control (C&C) center. It is estimated to have infected over 3.6 million computers in the USA, including machines owned by NASA, Bank of America and the US Department of Transportation. Zeus infects Windows computers and sends confidential data from the victim’s computer to the Zeus server. It is particularly effective at stealing credentials, banking details and other financial information and transmitting them to the attackers. The weak point of the Zeus system is the single C&C server, which was a primary target for law enforcement agencies. Later versions of Zeus added a domain generation algorithm (DGA), which lets Zbots connect to a list of alternative domain names if the Zeus server is not available. Zeus has many variants, including:
ILOVEYOU

ILOVEYOU (commonly referred to as the “ILOVEYOU virus”) was a trojan released in 2000, which was used in the world’s most damaging cyberattack, causing $8.7 billion in global losses. The trojan was distributed as a phishing email, with the text “Kindly check the attached love letter coming from me”, with an attachment named “ILOVEYOU” that appeared to be a text file. Recipients who were curious enough to open the attachment became infected; the trojan would overwrite files on the machine and then send itself to their entire contact list. This simple but effective propagation method caused the virus to spread to millions of computers.

Cryptolocker

Cryptolocker is a common form of ransomware. It distributes itself using infected email attachments; a common message contains an infected password-protected ZIP file, with the password contained in the message. When the user opens the ZIP using the password and clicks the attached PDF, the trojan is activated. It searches for files to encrypt on local drives and mapped network drives, and encrypts the files using asymmetric encryption with 1024 or 2048-bit keys. The attackers then demand a ransom to release the files.

Stuxnet

Stuxnet was a specialized Windows Trojan designed to attack Industrial Control Systems (ICS). It was allegedly used to attack Iran’s nuclear facilities. The virus caused operator monitors to show business as usual, while it changed the speed of Iranian centrifuges, causing them to spin too long and too quickly, and destroying the equipment.

How to Detect Trojans in Your Organization

Trojans are a major threat to organizational systems and a tool commonly used as part of Advanced Persistent Threats (APT).
Security teams can use the following technologies and methods to detect and prevent trojans:

Endpoint protection platforms: Modern endpoint protection systems include traditional antivirus, next-generation antivirus (NGAV) that can prevent zero-day and unknown trojans, and behavioral analytics that identifies anomalous activity on user devices. This combination of protective measures is effective against most trojans.

Web application firewall (WAF): A WAF is deployed at the network edge, and is able to prevent trojan infections by preventing downloads of trojan payloads from suspicious sources. In addition, it can detect and block any unusual or suspicious network communication. WAFs can block trojans when they “phone home” to their C&C center, rendering them ineffective, and can help identify the affected systems.

Threat hunting: Threat hunting is the practice of skilled security analysts actively searching for threats on corporate networks. Analysts use Security Information and Event Management (SIEM) systems to collect data from hundreds of IT systems and security tools, and use advanced searches and data analytics techniques to uncover traces of trojans and other threats present in the local environment.

Triaging user complaints: Often, a simple user complaint about a slow machine or strange user interface behavior could signal a trojan. Triaging IT support requests with behavioral analytics and data from other security tools can help identify hidden trojans. The following are common symptoms of trojans which may be reported by users:
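One concrete threat-hunting check for the “phone home” behavior described above is to look for hosts that contact the same external name at near-constant intervals, which is how a backdoor’s C&C callback typically shows up in proxy or DNS logs. The following is an added example written for this page, not Imperva’s code or any product’s logic; the log lines and the threshold values are constructed for illustration.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not from the page): one host calling
# the same external name roughly every 60 s, another host browsing irregularly.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.12 GET updates.example-cdn.test/ping 200
2024-05-01T10:01:00 10.0.0.12 GET updates.example-cdn.test/ping 200
2024-05-01T10:02:01 10.0.0.12 GET updates.example-cdn.test/ping 200
2024-05-01T10:03:00 10.0.0.12 GET updates.example-cdn.test/ping 200
2024-05-01T10:04:00 10.0.0.12 GET updates.example-cdn.test/ping 200
2024-05-01T10:00:05 10.0.0.7 GET news.example.test/index 200
2024-05-01T10:00:09 10.0.0.7 GET news.example.test/story/1 200
2024-05-01T10:07:30 10.0.0.7 GET news.example.test/story/2 200
2024-05-01T10:31:00 10.0.0.7 GET news.example.test/story/9 200
2024-05-01T10:45:12 10.0.0.7 GET news.example.test/index 200
"""

# timestamp, source IP, method, host (up to first "/"), status
LINE_RE = re.compile(r"^(\S+) (\S+) \S+ ([^/\s]+)\S* \d+$")

def parse_log(text):
    """Yield (timestamp, src_ip, dst_host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return {(src, dst): mean_interval_seconds} for (source, destination)
    pairs with at least min_hits connections whose gaps are near-constant
    (population std-dev / mean <= max_jitter)."""
    times = {}
    for ts, src, dst in parse_log(text):
        times.setdefault((src, dst), []).append(ts)
    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[pair] = avg
    return flagged

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{interval:.0f}s")
```

Real callbacks often add random jitter, so in practice the threshold is tuned per environment and the flagged pair is a lead for an analyst to triage, not a verdict on its own.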
Imperva Data Protection Solutions

Imperva helps detect and prevent trojans via user rights management—it monitors data access and activities of privileged users to identify excessive, inappropriate, and unused privileges. It also offers the industry’s leading web application firewall (WAF), which can detect and block trojans when they attempt to contact their Command & Control center. In addition to ransomware detection and prevention, Imperva’s data security solution protects your data wherever it lives—on premises, in the cloud and hybrid environments. It also provides security and IT teams with full visibility into how the data is being accessed, used, and moved around the organization. Our comprehensive approach relies on multiple layers of protection, including: