Detecting and Preventing Trojan Horse Attacks

A typical business application program can consist of more than 100,000 computer instructions and data items. The Trojan horse can be concealed among as many as 5 or 6 million instructions in the operating system and commonly used utility programs. It waits there for execution of the target application program, inserts extra instructions in it for a few milliseconds of execution time, and removes them with no remaining evidence.

Even if the Trojan horse is discovered, there is almost no indication of who may have done it. The search can be narrowed to those programmers who have the necessary skills, knowledge, and access among employees, former employees, contract programmers, consultants, or employees of the computer or software suppliers.

A suspected Trojan horse might be discovered by comparing a copy of the operational program under suspicion with a master or other copy known to be free of unauthorized changes. Although backup copies of production programs are routinely kept in safe storage, clever perpetrators may make duplicate changes in them. In addition, programs are frequently changed for authorized purposes without the backup copies being updated, thereby making comparison difficult.

A program suspected of being a Trojan horse can sometimes be converted from object form into assembly or higher-level form for easier examination or comparison by experts. Utility programs are usually available to compare large programs; however, their integrity and the computer system on which they are executed must be verified by trusted experts.

A Trojan horse might be detected by testing the suspect program to expose the purpose of the Trojan horse. However, the probability of success is low unless exact conditions for discovery are known. (The computer used for testing must be prepared in such a way that no harm will be done if the Trojan horse is executed.) Furthermore, this testing may prove the existence of the Trojan horse but usually does not identify its location. A Trojan horse may reside in the source language version or only in the object form and may be inserted in the object form each time it is assembled or compiled — for example, as the result of another Trojan horse in the assembler or compiler. Use of foreign computer programs obtained from untrusted sources (e.g., shareware bulletin board systems) should be restricted, and the programs should be carefully tested before production use.

The methods for detecting Trojan horse frauds are summarized in Exhibit 7. The Exhibit also lists the occupations of potential perpetrators and the sources of evidence of Trojan horse abuse.

Exhibit 7.  Detection of Trojan Horses and Viruses

COMPUTER VIRUSES

A computer virus is a set of computer instructions that propagates copies of versions of itself into computer programs or data when it is executed within unauthorized programs. The virus may be introduced through a program designed for that purpose (called a pest) or through a Trojan horse. The hidden virus propagates itself into other programs when they are executed, creating new Trojan horses, and may also execute harmful processes under the authority of each unsuspecting computer user whose programs or system have become infected. A worm attack is a variation in which an entire program replicates itself throughout a computer or computer network.

Although the virus attack method has been recognized for at least 15 years, the first criminal cases were prosecuted only in November 1987. Of the hundreds of cases that occur, most are in academic and research environments. However, disgruntled employees or ex-employees of computer program manufacturers have contaminated products during delivery to customers.

Preventing, Detecting, and Recovering from Virus Attacks

Prevention of computer viruses depends on protection from Trojan horses or unauthorized programs, and recovery after introduction of a virus entails purging all modified or infected programs and hardware from the system. The timely detection of Trojan horse virus attack depends on the alertness and skills of the victim, the visibility of the symptoms, the motivation of the perpetrator, and the sophistication of the perpetrator’s techniques. A sufficiently skilled perpetrator with enough time and resources could anticipate most know methods of protection from Trojan horse attacks and subvert them.

Prevention methods consist primarily of investigating the sources of untrusted software and testing foreign software in computers that have been conditioned to minimize possible losses. Prevention and subsequent recovery after an attack are similar to those for any Trojan horse. The system containing the suspected Trojan horse should be shut down and not used until experts have determined the sophistication of the abuse and the extent of damage. The investigator must determine whether hardware and software errors or intentionally produced Trojan horse attacks have occurred.