The "No Network is 100% Secure" series
- Trojan Horse (computer) Malware -
A White Paper


All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants


What is a Trojan Horse?: A Trojan horse, also known as a Trojan, describes a class of computer malware that appears to perform a desirable function but in fact performs undisclosed malicious functions. These could include allowing unauthorized access to the host machine, logging the user's keystrokes (spyware) and even permitting complete control over the computer.

Trojan Horses (not technically viruses) can be easily and unwittingly downloaded. This is usually done by tricking the user into downloading and activating malevolent software under the guise of an ActiveX plug-in, driver, game or some other "desired" piece of software or function. The Trojan, once activated, opens a back door that allows a hacker to control the user's computer. In recent years, sophisticated designs have made it increasingly easy to trick users into installing Trojans on their computers, and the Trojan removal process has become correspondingly more difficult. The term is derived from the classical story of the Trojan Horse.

A program named "waterfalls.scr" serves as a simple example of a Trojan horse. The author claims it is a free waterfall screen saver. When running, it instead unloads hidden programs, scripts, or any number of commands without the user's knowledge or consent. Malicious Trojan horse programs conceal and install a malicious payload on an affected computer.

The Zlob Trojan is another, much more insidious and destructive Trojan. When visiting a web site, the user is asked whether they want to install an ActiveX control so that they can view the site content (often videos). At this point, the Trojan has already been downloaded to the user's computer. Clicking anywhere on the request prompt (not just the "OK" button) will install and activate the Trojan.

Once installed, it displays popup ads that resemble real Microsoft Windows warning popups, informing the user that their computer is infected with spyware. Clicking these popups triggers the download of a fake anti-spyware program (such as Virus Heat) in which the Trojan horse is hidden.

Some variants of the Zlob family, like the so-called DNSChanger, add rogue DNS name servers to the Registry of Windows-based computers and to the network settings of Macintosh computers, and attempt to break into any detected router to change its DNS settings. The result is that traffic intended for legitimate web sites can be re-routed to other, suspicious web sites.

The Trojan has also been linked to downloading atnvrsinstall.exe, which uses the Windows Security shield icon to look as if it were an antivirus installation file from Microsoft. Running this file can wreak havoc on computers and networks. One symptom is random computer shutdowns or reboots accompanied by random messages. This is caused by the programs using Scheduled Tasks to run a file called "zlberfker.exe".
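The two Zlob behaviours just described, rogue resolvers and a Scheduled Task that launches a program from an unusual location, are both things an administrator can check for on a suspect machine. The script below is an added example (not from this white paper or any vendor tool) that audits constructed sample text shaped like `ipconfig /all` and `schtasks /query /fo csv /v` output; it does not run either command or read live system state. The approved resolver list, the task entries and the 203.0.113.5 address are assumptions made up for the example, and "Task To Run" and "TaskName" are real schtasks column names.

```python
"""Host checks for two of the Zlob behaviours described above: rogue DNS
resolvers and Scheduled Tasks that launch an executable from an unusual
location.  This is an added example that reads constructed sample text
shaped like `ipconfig /all` and `schtasks /query /fo csv /v` output; it
does not run either command or read live system state."""
import csv
import io
import ipaddress
import re

# Assumption: the organisation's own resolvers.  Anything else configured
# on a workstation is treated as suspect.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample in the shape of `ipconfig /all` output.  203.0.113.5 is
# a documentation address standing in for an attacker-controlled resolver.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 10.0.5.21
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       10.0.0.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample with three of the columns `schtasks /query /fo csv /v`
# prints ("TaskName", "Task To Run", "Run As User" are real column names;
# the task entries themselves are made up).
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Task To Run","Run As User"
"\Microsoft\Windows\Defrag\ScheduledDefrag","C:\Windows\system32\defrag.exe -c","SYSTEM"
"\At1","C:\Documents and Settings\alice\Local Settings\Temp\zlberfker.exe","alice"
"\Example Backup","C:\Program Files\Example Backup\backup.exe /daily","SYSTEM"
'''

# Directories from which a scheduled program is considered expected.
# Paths are compared case-insensitively.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")


def _is_ip(text):
    """True if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_dns_servers(ipconfig_text):
    """Return the resolver addresses listed under 'DNS Servers'.

    The first resolver shares the line with the label; further resolvers
    appear on following lines that contain only an address."""
    servers = []
    in_block = False
    for line in ipconfig_text.splitlines():
        if in_block:
            candidate = line.strip()
            if _is_ip(candidate):
                servers.append(candidate)
                continue
            in_block = False
        match = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if match:
            servers.append(match.group(1))
            in_block = True
    return servers


def rogue_resolvers(servers, approved=APPROVED_RESOLVERS):
    """Resolvers that are not on the approved list."""
    return [s for s in servers if s not in approved]


def extract_program(task_to_run):
    """Pull the executable path out of a 'Task To Run' value, tolerating
    unquoted paths that contain spaces by cutting at the first '.exe'."""
    match = re.match(r'\s*"?(.*?\.exe)', task_to_run, re.IGNORECASE)
    if match:
        return match.group(1)
    return task_to_run.strip().strip('"').split(" ")[0]


def suspicious_tasks(csv_text):
    """(task name, program) for every task whose program lives outside the
    system and Program Files directories, e.g. a user's Temp folder."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        program = extract_program(row["Task To Run"]).lower()
        if not program.startswith(SYSTEM_DIRS):
            flagged.append((row["TaskName"], program))
    return flagged


if __name__ == "__main__":
    for resolver in rogue_resolvers(parse_dns_servers(SAMPLE_IPCONFIG)):
        print("unexpected DNS resolver:", resolver)
    for name, program in suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print("scheduled task outside system dirs:", name, "->", program)
```

On a real machine the two sample strings would be replaced by the captured command output; the location heuristic deliberately flags anything scheduled from a user profile or Temp directory, which produces some false positives on legitimate per-user updaters but catches the pattern the text describes.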

PHSDL (Project Honeypot Spam Domains List) tracks and catalogues Zlob spam domains. Some of the domains on the list are redirects to porn sites and various video-watching sites that show a number of inline videos. Clicking on a video to play it triggers a request to download an ActiveX codec, which is malware. It prevents the user from closing the browser in the usual manner. Other variants of the Zlob Trojan installation take the form of a fake computer scan delivered as a Java .cab file.

There is evidence that the Zlob Trojan might be a tool of the Russian Business Network or at least of Russian origin.

SpySheriff is malware that disguises itself as an anti-spyware program in order to trick the owner of the infected computer into buying the program, by repeatedly informing them of false threats to their system. SpySheriff often goes unnoticed by actual anti-spyware programs, and is difficult to remove from an infected computer.

SpySheriff cannot simply be deleted, as it reinstalls itself through hidden components on the computer. Trying to remove it with the Add/Remove Programs feature has similar results, or may result in a system crash; a blue screen of death may occur. The program will stop the computer from connecting to the Internet, or leave it with only a limited connection, and will display an error message reading "The system has been stopped to protect you from Spyware."

The desktop background can also be replaced with a blue screen of death, or a notice reading: "SPYWARE INFECTION! Your system is infected with spyware. Windows recommends that you use a spyware removal tool to prevent loss of data. Using this PC before having it cleaned of spyware threats is highly discouraged." SpySheriff has been known to create another user account, at the administrator level, to block access to programs and utilities for other users. If logged in as an administrator, it is sometimes possible to delete the SpySheriff account. It also acts to stop any attempt to do a System restore by preventing the calendar and restore points from loading. This prevents the user from being able to revert their computer to an earlier usable state. A System restore is however often possible after booting in Safe mode.

It blocks several websites, including those that offer downloadable anti-spyware software, locks the user's Internet Explorer options, and has also been bundled into pirated versions of Norton Antivirus. It will likely create the need for a recovery disk in order to restore the original factory configuration.

Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan) is a Trojan horse that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook.

A Vundo infection is typically caused either by opening an e-mail attachment carrying the Trojan, or through a variety of browser exploits, including vulnerabilities in popular browser plug-ins, such as Java. Many of the popups advertise fraudulent programs such as Sysprotect, Storage Protector, AntiSpywareMaster, WinFixer, AntiVirus 2009, and AntiVirus 360.

Since there are many different varieties of Vundo Trojans, symptoms of Vundo vary widely, ranging from the relatively benign to the severe. Almost all varieties of Vundo feature some sort of pop-up advertising as well as rooting themselves to make them difficult to delete.

Most antivirus programs are not able to block this infection. Some antivirus programs, such as McAfee VirusScan and VundoFix, may be able to remove the Trojan, although this is not always successful, depending on how much damage the Trojan has already done.


Trojan horse payloads are almost always designed to cause harm, but can occasionally be harmless. Payloads are classified based on how they breach and damage systems. The six main types of Trojan horse payloads are: Remote Access, Data Destruction, Downloader/dropper, Server Trojan (Proxy, FTP, IRC, Email, HTTP/HTTPS, etc.), Disable security software and Denial-of-service attack (DoS).

Methods of removal: Since Trojan horses come in a variety of forms, there is no single method to delete them. The simplest approach involves clearing the Temporary Internet Files folder and deleting the Trojan manually. Normally, antivirus software is able to detect and remove the Trojan automatically. Updated anti-spyware programs are also effective against this threat. Most Trojans also hide in the registry and in running processes. It is generally more difficult to remove a Trojan if the computer has been rebooted after the Trojan has been activated. Installing good quality antivirus software, keeping the virus definitions up to date and running a virus scan daily is the minimum that should be done to protect against Trojans.

Rogue Infiltrants: Viruses that present themselves as "anti-virus programs" are known as rogue viruses. Rogue viruses have the prime intention of collecting money from a victim and/or harming his or her computer with infections. The infections installed with rogue viruses make the user's computer slow, so the user actually believes an infection exists, which it does. Trojan viruses frequently trick users with pop-up messages that get them to purchase "virus removal software" which of course does nothing of the kind.

Privacy-invasive software is a type of computer software that ignores user privacy and that is distributed with a specific intent, often of a commercial nature. Three examples of privacy-invasive software are adware, spyware and content hijacking programs. Keyloggers record user keystrokes in order to monitor user behavior. Self-replicating malware downloads itself and spreads disorder in systems and networks. Data-harvesting software is programmed to harvest e-mail addresses, which results in spam e-mail messages that flood networks and mail servers with unsolicited commercial content (frequently scams). Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.

While the term spyware suggests software that secretly monitors the user's behavior, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting Web browser activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet access or of the functionality of other programs. In an attempt to increase the understanding of spyware, a more formal classification of its included software types is captured under the term privacy-invasive software.

In response to the emergence of spyware, a small industry has sprung up dealing in anti-spyware software. Running anti-spyware software has become a widely recognized element of computer security best practices.

Employee monitoring software is a means of employee monitoring, and allows company administrators to monitor and supervise all their employee computers from a central location. It is normally deployed over a business network and allows for easy centralized log viewing via one central networked PC.

Techniques include: logging all keystrokes along with the name of the window they are typed in; capturing and logging sent and received e-mails; logging all websites visited; monitoring and logging all applications that a user runs; and recording the documents and files a user opens and views.

Malware: Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, Trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. Malware's most common pathway from criminals to users is the Internet, primarily via e-mail and web sites.


You might be surprised at all of the creepy, unknown "stuff" that's running on your servers and workstations. This is especially true if you don't have a process in place to audit your computing equipment periodically. We've seen (many) cases where production servers had been exploited and a rootkit run on them, and in some cases these servers were unknowingly acting as IRC chat servers with hundreds of ongoing connections! We've seen vulnerable web servers that were exploited and had subdomains created on them by hackers, housing hundreds of links to porn sites, and worse. We've seen workstations with viruses, Trojans and bots that were sending out SPAM by the trainload, and all the user knew was that the PC had "gotten slower" recently.

Easyrider LAN Pro can come in and audit your enterprise in an organized way to see what's going on. Think of the performance boosts you are going to see once all of those non-production programs and services are removed from your network! Having firewalls and anti virus software deployed is no guarantee that there isn't lots of infected computing gear in your enterprise. In fact, almost all of the sites where we have found major issues did indeed have these provisions installed, and IT thought their network was 100% secure. Surprise! :(
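The periodic audit argued for above can start with something as simple as comparing what a server is actually listening on, and how many connections each port holds, against what the server is supposed to do. The script below is an added example (not part of this white paper or of any Easyrider LAN Pro tool) that parses a constructed sample in the shape of Windows `netstat -ano` output; it does not run netstat itself, and the expected-port list, the PIDs and the addresses are assumptions. The sample models the rogue IRC server case from the text: a second process listening on 6667 with several live connections.

```python
"""Audit of listening services and per-port connection counts, the kind of
periodic check the passage above argues for.  This is an added example that
parses a constructed sample in the shape of `netstat -ano` output on
Windows; it does not run netstat itself, and the allowlist and sample data
are assumptions."""
import re
from collections import Counter

# Assumption: this host is a web server, so only these listeners are expected.
EXPECTED_LISTEN_PORTS = {80, 443, 3389}

# Constructed sample.  A second process is listening on 6667 (the usual IRC
# port) and already holds several established connections.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       3380
  TCP    10.0.5.10:443          192.0.2.8:51500        ESTABLISHED     1204
  TCP    10.0.5.10:6667         203.0.113.17:51022     ESTABLISHED     3380
  TCP    10.0.5.10:6667         198.51.100.9:40011     ESTABLISHED     3380
  TCP    10.0.5.10:6667         192.0.2.44:61200       ESTABLISHED     3380
"""

# One TCP row: local address, foreign address, state, owning PID.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def local_port(address):
    """Port number from '0.0.0.0:80' or '[::]:80'."""
    return int(address.rsplit(":", 1)[1])


def parse_netstat(text):
    """List of (local port, state, pid) for each TCP line."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            local, _foreign, state, pid = match.groups()
            rows.append((local_port(local), state, int(pid)))
    return rows


def unexpected_listeners(rows, expected=EXPECTED_LISTEN_PORTS):
    """(port, pid) for every LISTENING socket not on the expected list."""
    return sorted({(port, pid) for port, state, pid in rows
                   if state == "LISTENING" and port not in expected})


def established_per_port(rows):
    """Count ESTABLISHED connections by local port."""
    return Counter(port for port, state, _pid in rows if state == "ESTABLISHED")


def findings(text, expected=EXPECTED_LISTEN_PORTS, busy_threshold=3):
    """Human-readable findings: unexpected listeners, plus any port holding
    at least busy_threshold live connections (a hint of an unplanned service)."""
    rows = parse_netstat(text)
    out = []
    for port, pid in unexpected_listeners(rows, expected):
        out.append(f"unexpected listener on port {port} (PID {pid})")
    for port, count in sorted(established_per_port(rows).items()):
        if count >= busy_threshold:
            out.append(f"port {port} has {count} established connections")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_NETSTAT):
        print(line)
```

The PID in each finding is what ties the socket back to a process (and, via the task list, to an image path), which is the next thing to look at; the busy-port threshold is set low here only so the small sample triggers it, and would be tuned per server role in practice.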

Next in the security white paper series:

Firewall White Paper
Virus White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Port Scanning White Paper
Shelfware White Paper



Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro