Trojan Explosion

Gavin Coe

Introduction

The first trojans well known on the PC were the famous NetBus, SubSeven, and Back Orifice. There were others such as Acid Shivers of course, but these are the most well known ones. This all seems so long ago when analysing trojans today (for detection by TrojanHunter). In the beginning, there were only a few trojans, and no such thing as trojan scanners. Over a couple of years this grew steadily into quite a decent population of trojan authors and public trojan releases, with 1 or 2 new public trojans a week, all year round. Some weeks were very busy and made for a full-time job of analysing these high-profile backdoors, keyloggers and password stealers. These were an obvious threat to many users: the threat of deliberate trojan attack by other internet users. Many other private trojans existed, but these were used more sparingly. At some stages Optix Pro, for example, was on the top 20 list of viruses detected by major antivirus scanners. A Russian backdoor, AntiLamer (based on the Delphi open-source Latinus), also made the top 20 list (source: Kaspersky VirusList)*

Today

Today there is an absolute sea of malware. Not just trojans, and NOT viruses. Viruses are nowhere near as dominant as they were in the 80's and 90's, though even in the early 21st century many viruses were very prolific. Email worms, which usually do not virally infect files (some do), are very widespread and can be the most popular by number of infections. These are still viruses of a sort, "alive" on the internet and spreading by themselves. Sometimes these viruses hang around battering firewalls for over a year.

SPYWARE, trojans, adware, hijackers and other malicious objects are also extremely widespread. An average day of downloading malware results in another few hundred or so files, most of which are trojans, keyloggers or other malware applicable to detection by TrojanHunter. The rate at which new and modified variants appear is phenomenal, and of course most of the new malware is fuelled by the desire for MONEY. Very little of the public underground trojan scene exists anymore.

Many attacks are organised crime: spyware or other trojans designed to earn money for someone out there. A tiny EXE file included in an installer can sit silently earning the owner 2 cents a day - PER infection. Such trojans, known as trojan CLICKERS, can infect thousands of machines and make the author a lot of money. The recent widespread use of rootkits, along with modified, repacked or obfuscated malware, means many are probably still making money off MONTHS-old malware. Any single undetected clicker variant could easily infect a few thousand unmanned machines by targeting specific types of IP range (educational, etc).

The simple fact that money is there to be made, albeit by scamming, cheating or outright hijacking a PC, is enough to bring more and more attackers to the PC every month. Even when there were only a few hundred attackers writing malware, and lots modifying public trojans to bypass AV, things were pretty bad. Today there are so many variants that no scanner can detect them all; even combinations of scanners commonly have misses. An educated guess would be that the worst affected are those who visit crack/warez sites and "porn" sites. These have long been used by attackers as key infection vectors for earning money from malware.

An End?

Hopefully there is an end to this. Windows VISTA is a big step in the right direction by Microsoft. Right now, all we can do is try to detect as much as possible, and as much as possible of what is NOT detected by common virus scanners. Another important objective for me, as Misec's trojan analyst, is to detect as much of the WORST TYPE of malware as I can find. Most of the detection in TrojanHunter is based on these principles, and I aim to add a minimum of 100 new detections per day, and report interesting findings on my website*. New TrojanHunter features are expected in the coming months to make the fight against trojans easier for us.

Users should follow common-sense principles and be careful. Using forums like the TrojanHunter forum* and other forums is a great idea, to keep up with news on security patches, important vulnerabilities (like the WMF* one that just passed) and patches*. By being careful, many of the most novice-level users avoid being infected for years! Anyone can avoid viruses and trojans, but being sensible must be the first step. We offer as much detection as is humanly possible for a wide range of trojans, and strive to take TrojanHunter further in detection capabilities as trojans advance.

Right now, TrojanHunter is possibly the best solution simply because I can add detection for a lot of malware very fast if needed, as I did when the WMF vulnerability hit. TrojanHunter detected over 50 new malware samples which were being used by trojaned websites, or downloaded if you received an exploit email or image. Having detection for this malware was obviously of huge importance, so this detection was released within 12 hours of the "big bang" of malware when WMF went public.

* Links and other info

- WMF vulnerability and patch - http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

- Misec / TrojanHunter forum - http://forum.misec.net

- DSLreports security forum - http://www.dslreports.com/forum/security

- Multi-virus scanner - http://virusscan.jotti.org

- Kaspersky Virus List - http://www.viruslist.com

- My website - http://www.anyspyware.com