Trojan Horse Delivered In Automatic Update
by: Darren Miller
Trojan Horse - One Mans “Worse Case Scenario” Prediction
----------------------------
This is a fictional article about a Trojan Horse Virus, or you could say it is one mans prediction of a “worse case scenario”. Because of the field I’m in, I maintain a personal list of my top 10 “worse case scenarios”. Every time I perform a security assessment I run into something new or identify a situation that is ripe for a potential vulnerability. I think we could all agree that no respectable or ethical company would intentionally deliver a malicious piece of code as part of a helpful update solution. However, the reality is that human beings are behind technology and human beings are unpredictable and fallible.
Many major operating system vendors have automatic update services. Many hardware vendors and other software packages have followed this trend, incorporating automated update services into their products. In some cases, the services for automatic updates run as the local “system” account. This account has the ability to access and modify most of the operating system and application environment. When automatic updates were relative new, many people would perform the updates manually, however, as time has progressed, many now trust these services and allow the updates to proceed in a truly automated fashion.
The Final Step Before The Hammer Falls
--------------------------
So let’s expand upon our “worse case scenario”. A new service pack is just about ready for release. The last step prior to public release is quality control / validation. The team of people performing this task includes a significantly disgruntled employee (Or may he/she is going through a horrible life crisis and has not much to lose). When people are in pain or distress it is not uncommon for them to project this same feeling onto others in any way they can. So, instead of performing their job in the normal fashion, they decide to incorporate a malicious payload into the forthcoming update.
The First Step For The Trojan Horse: Evasion
--------------------------------------------------
This payload has some unique characteristic, three to be precise. First, it is constructed in such as way to not appear as something malicious. The anti-virus and anti-spyware programs currently on the market won’t be able to detect it through anomalous detection techniques.
The Second Step For The Trojan Horse: Information Collection
----------------------------
Secondly, it has been instructed to wait 12 hours to activate to start searching your computer an network for important files that may contain financial, healthcare, and other confidential information such as user accounts and passwords. It then sends this information to anonymous systems on the Internet. Because this “Trojan horse” has been incorporated into an automated update by someone with reasonable skills, it is instructed to only perform the collection of data for 12 hours. Given the number of global systems that allow automated updates, 12 hours should be more than enough. The person behind this realizes that someone will quickly identify that something malicious is going on and start to roll-out a defense solution to halt the process.
The Final Step: Incapacitate
-------------------------------
(continued...)
Trojan Horse Delivered In Automatic Update
Page 2
About The Author
Darren Miller is an Information Security Consultant with over seventeen years experience. He has written many technology & security articles, some of which have been published in nationally circulated magazines & periodicals. If you would like to contact Darren you can e-mail him at Darren.Miller@defendingthenet.com. If you would like to know more about computer security please visit us at http://www.defendingthenet.com.
Darren.Miller@paralogic.net
|
|
