You have accessed an archived page on the Public Safety and Emergency Preparedness Canada website. This material may be outdated. Please consult our new site for up-to-date information.
Information Note Number: IN05-001

Purpose

Audience

Background

A Trojan horse is a malicious program that attempts to trick users into opening and/or installing it by presenting itself as legitimate. These programs can have a range of capabilities, but generally seek to gather information about infected computers, collect data, and allow the author of the program remote access to the infected computer. Some Trojans may allow a remote attacker to download additional malicious code onto infected computers, or permit infected computers to be used in Denial of Service attacks. These programs are frequently spread by indiscriminate means: they may be left behind by worms, attached to mass e-mails or spread by malicious Web sites.

Recently, media reports and incident reporting to CCIRC have highlighted a trend towards attackers using more targeted means of distributing Trojans. Incidents reported in Canada have involved small numbers of Trojan horse programs being spread via e-mails containing either trojanized attachments or links to Web sites hosting trojanized files. These e-mails are typically sent to specific individuals, rather than the large, random distributions associated with phishing attacks or other Trojan activity. In addition, the e-mails use sophisticated social engineering to appear credible and entice users into opening the attachment or following the link:
Once the attachment is opened or the link followed, a Trojan is installed on the user's computer. Based on the capabilities of Trojans used to date, the primary purpose of these incidents was the gathering of commercial, financial, or economic information. Similar cases reported in the media have been described as economic or industrial espionage.[1]

Assessment

There are two elements that make this attack technique noteworthy.

First, the Trojans used in incidents reported to CCIRC sometimes circumvent anti-virus software and firewalls, two of the primary defensive mechanisms for critical infrastructure networks. The Trojans reported to date have been either malicious code detectable by some anti-virus products, previously unseen malicious code, or modifications of existing open-source Trojans. In all three scenarios, the latest version of any anti-virus software did not always detect the malicious code. Anti-virus companies must intercept a copy of a malicious program in order to update their software's signatures so as to detect it; the targeted distribution of the malicious code in this attack technique makes this highly unlikely. In addition, Trojans can be configured to transmit information to a remote attacker using ports assigned to common services (such as TCP port 80, which is assigned to Web traffic) and thereby defeat most firewalls. Consequently, network security personnel will need to take additional measures to protect against this type of attack.

Second, the highly sophisticated social engineering employed in the incidents reported greatly increases the likelihood of users opening malicious attachments and inadvertently infecting their computers. While social engineering techniques in general have shown marked improvement in the last two years (particularly vis-à-vis phishing attacks), the targeted distribution of these Trojans allows e-mails to be highly tailored towards the intended recipients.
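One of the "additional measures" the Assessment calls for is to stop trusting the destination port alone: a flow to TCP port 80 is only benign if it actually carries HTTP and comes from a process expected to browse. The following added example (not part of the Information Note) triages constructed connection records on exactly those two points; the record format, the process allow-list and the sample flows are assumptions for illustration.

```python
"""Triage outbound TCP/80 flows: flag payloads that are not HTTP and
processes not expected to talk to the Web.  Added example with a
constructed record format; not code from the CCIRC note."""
import re
from dataclasses import dataclass

# A client-side HTTP request line, as a real browser would send it.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE) \S+ HTTP/1\.[01]\r\n"
)

# Hypothetical allow-list: processes that legitimately make outbound
# Web connections on this network (site-specific; maintained by staff).
ALLOWED_WEB_PROCESSES = {"iexplore.exe", "firefox.exe", "outlook.exe"}


@dataclass
class Flow:
    host: str          # workstation that opened the connection
    process: str       # image name that owns the socket
    dst_port: int      # destination TCP port
    first_bytes: bytes  # first payload bytes the client sent


def flow_alerts(flow: Flow) -> list:
    """Return the reasons (if any) this flow deserves investigation."""
    reasons = []
    if flow.dst_port != 80:
        return reasons  # only port-80 traffic is in scope here
    if not HTTP_REQUEST_LINE.match(flow.first_bytes):
        reasons.append("non-HTTP payload on TCP/80")
    if flow.process.lower() not in ALLOWED_WEB_PROCESSES:
        reasons.append(f"unexpected process {flow.process} using TCP/80")
    return reasons


def triage(flows) -> dict:
    """Map (host, process) to its alert reasons, dropping clean flows."""
    findings = {}
    for flow in flows:
        reasons = flow_alerts(flow)
        if reasons:
            findings[(flow.host, flow.process)] = reasons
    return findings


# Constructed sample flows: a normal browser fetch, a TLS-looking blob
# on port 80 from an unknown image, and real HTTP from an unknown image.
SAMPLE_FLOWS = [
    Flow("ws-12", "iexplore.exe", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    Flow("ws-12", "netsvc.exe", 80, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26"),
    Flow("ws-07", "update.exe", 80, b"POST /cgi/up HTTP/1.1\r\nHost: example.net\r\n"),
]
```

The second sample shows why the payload check matters: a port-based firewall passes it, while a single regex on the first bytes catches it. The third shows the complementary case, where the traffic is well-formed HTTP and only host-level process telemetry reveals the anomaly.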
Information available to CCIRC suggests that attacks of this kind have been detected in other countries. CCIRC has also received a very small number of reports of attacks of this type in Canada. Although CCIRC has no information to suggest a threat to Canadian critical infrastructure overall, the vulnerability of critical infrastructure networks to such an attack is significant.

Suggested actions

Because of the targeted distribution of Trojans spread in this way, and because of the possibility of communication with remote attackers using ports assigned to common services, detection of this type of attack is problematic. In addition, there is no completely effective mitigation against this type of attack for any computer system connected to the Internet. In general, network security staff should keep anti-virus software as up-to-date as possible so as to detect older Trojans that may be used in an attack of this kind. Because vulnerabilities in various Microsoft applications have been used to install Trojans in the past, all current patches should be applied. As well, anomalous slow-running machines should be investigated for unknown processes or unexpected Internet connections, and user reports of such behaviour should be encouraged. Finally, users should be educated not to visit suspicious Web sites or open unsolicited attachments from any source without confirming the legitimacy of the e-mail or link. Other detection and/or mitigative actions for these types of attacks are as follows:
Incidents of attacks using this technique, like all cyber security incidents affecting Canadian critical infrastructure, should be reported to the Canadian Cyber Incident Response Centre (CCIRC) via the Government Operations Centre at (613) 991-7000 or goc-cog@psepc-sppcc.gc.ca, to the attention of the Cyber Duty Officer.

[1] In an Israeli case, a Trojan known as HotWord was spread to several companies by a competitor. The method of propagation was reportedly a Trojanized promotional CD-ROM; however, the characteristics of this method of spreading Trojans are substantively similar to the targeted e-mails described in this Information Note. See http://www.msnbc.msn.com/id/8145520/

Public Safety and Emergency Preparedness Canada (PSEPC) collects information related to cyber and physical threats to, and incidents involving, Canadian critical infrastructure. This allows us to monitor and analyse threats and to issue alerts, advisories and other information products to our partners. For more information about the Canadian Cyber Incident Response Centre, which fulfills the cyber aspect of this role, visit our web site at www.psepc.gc.ca/ccirc. To report threats or incidents, please contact CCIRC via the Government Operations Centre at (613) 991-7000 or goc-cog@psepc-sppcc.gc.ca by e-mail. Unauthorized use of computer systems and mischief in relation to data are serious Criminal Code offences in Canada. Any suspected criminal activity should be reported to local law enforcement organizations. The RCMP National Operations Centre (NOC) provides a 24/7 service to receive such reports or to redirect callers to local law enforcement organizations. The NOC can be reached at (613) 993-4460. National security concerns should be reported to the Canadian Security Intelligence Service (CSIS) at (613) 993-9620. PSEPC publications are based on information obtained from a variety of sources.
The organization makes every reasonable effort to ensure the accuracy, reliability, completeness and validity of the contents in its publications. However, it cannot guarantee the veracity of the information nor can it assume responsibility or liability for any consequences related to that information. It is recommended that PSEPC publications be carefully considered within a proper context and in conjunction with information available from other sources, as appropriate.

Last Updated: 10/25/2005