Monday, November 28, 2005

Trojan History

The best way to investigate how Trojan horses work is to look at some of the more notorious examples that have infected systems over the years, starting with the earliest known Trojan horse.
PC-Write Trojan: The first Trojan horse, PC-Write Trojan, appeared in 1986, pretending to be version 2.72 of the shareware word processor PC-Write. (Quicksoft, the company that made PC-Write, never released a version 2.72.) When a user launched what he/she believed to be PC-Write 2.72, he/she really started the PC-Write Trojan, which then performed two actions: one, it wiped out the FAT (file allocation table, the system a PC uses to organize the contents of the hard drive); and two, it formatted the hard drive, deleting all saved data.
AIDS Trojan: As we mentioned earlier, the creator of the AIDS Trojan distributed it via floppy diskette because relatively few people used email in 1989. Instead, unsuspecting PC users received a copy of the AIDS Trojan on a diskette in the mail. Allegedly, the diskette contained information about AIDS (acquired immune deficiency syndrome) and HIV (human immunodeficiency virus). Running the program on the diskette, however, actually activated a Trojan horse.
Then, after a user restarted his computer several times, the Trojan horse would encrypt his hard drive. Normally, encryption protects and secures files; however, because the AIDS Trojan didn’t give the user the password to decrypt the files, it locked him out of all the files and programs on his system. After encrypting a user’s hard drive, the AIDS Trojan prompted the user to pay a fee for the password he needed to decrypt the hard drive.
What is unique about the AIDS Trojan is that rather than destroy files, it held them hostage, demanding a ransom before the user could open and use the files again.
AOL4Free Trojan: We previously discussed the social engineering approach to the AOL4Free Trojan, but what we didn’t mention was the other reason why this Trojan horse was so sneaky: An earlier hoax known by the same name lowered users’ suspicions.
Originally, a message circulated about a virus (not a Trojan horse) called AOL4Free. Actually, there was no such virus; this was a hoax. And once word spread that the AOL4Free virus was only a hoax, someone created a Trojan horse and named it AOL4Free, knowing that many users would readily accept it after hearing that the AOL4Free virus scare was only a hoax. Then, the creator of the AOL4Free Trojan started circulating it as an attachment to the original hoax message and claimed that running the attachment would provide recipients with free AOL service.
Users who believed the attachment would provide free AOL access double-clicked the AOL4FREE.COM icon and soon learned that the message had duped them. The launched AOL4Free Trojan horse used the DELTREE command to delete all the files on the hard drive.
Polyglot Trojan: In 1999, many users received an email message that included a Y2Kcount.exe attachment and looked as if Microsoft had sent it. Users believed double-clicking the attachment would launch a program that displayed a countdown to New Year’s Day 2000. Instead, opening the file displayed an error message.
Then, while users read the error message and tried to diagnose the “problem,” a Trojan horse named Polyglot ran in the background, installing itself on the system and editing configuration files to monitor user Internet activity. Whenever Polyglot noted data transmission over the Internet, it would scan the data for passwords and other sensitive information and log the information into a TMP (temporary) file. Periodically, the Trojan horse sent this type of keystroke log to an email account, where a hacker could easily retrieve its contents.
Liberty Trojan: In 2000, Trojan horses found their way onto PDAs (personal digital assistants) with the Liberty Trojan. This Trojan horse was allegedly a patch that let PDA users play Nintendo Game Boy games on the Palm OS. When users opened the file, however, it deleted personal information, as well as any third-party applications.
Cytron: In September 2002, anti-virus software developers (and others) discovered the Cytron Trojan horse. A user receives an email message that claims the user can pick up an ecard from a friend by clicking a graphic of a hand holding an envelope. When the recipient clicks the graphic, a designated web site loads in the browser window. Then, if the user accepts the Digital Certificate that appears on-screen, Cytron begins sending full-screen pop-up ads for pornographic web sites to the user.