New 'Trojan Horse' strain may go mainstream

A new variety of "Trojan Horse" that broadcasts victims' files on the Internet is making its way into the mainstream, antivirus vendors warn. This one has the ability to broadcast the information from a victim's hard drive to Internet Relay Chat (IRC) channels around the world.

While the strain compares to the Melissa and Explore.Zip worms in that it uses e-mail systems for self-perpetuation, it differs in its ability to broadcast the information from a victim's hard drive to Internet Relay Chat (IRC) channels around the world.

An IRC channel might be described as the Internet equivalent of citizens band radio, according to experts. Hundreds of IRC channels on numerous subjects are hosted across the Internet.

"This type of virus is best for targeted attacks," said Dan Schrader, vice president of new technologies at Cupertino, Calif.-based Trend Micro Inc. "If it happens to get on the machine of someone with lots of confidential information, there are huge privacy implications."

For example, confidential company information about acquisitions, initial public offerings or income sources could end up available to anyone on the Internet, he said.

Viruses that employ IRC as a means to retrieve victims' information have been around for about two years, Schrader said. But the first to hit the mainstream -- what virus experts call moving from a laboratory to being released "into the wild" -- was the PrettyPark virus, which debuted in France earlier this month.

PrettyPark spreads itself via an e-mail attachment bearing the icon of a character from South Park, a popular cartoon series. Once opened, the virus takes sensitive system information, such as user passwords, and posts it on multiple IRC channels.

Fortunately, PrettyPark seems contained inside France because its mechanism for e-mail-based self-perpetuation isn't very good, Schrader said.

"But this is sure a sign of things to come," he warned. "And it's starting to really hit home for security professionals." According to Schrader, information technology shops have long relied on encryption and firewalls to protect highly sensitive information. But if someone gets your passwords and seems to be coming from a trusted source, encryption and firewalls can be thwarted, he said.

Schrader said the best defense against Trojan Horse e-mail viruses is end-user education -- and, of course, updated virus-scanning software. Companies should also consider developing broad policies related to e-mail attachments. For instance, companies might consider banning attachments containing macros.

"Everyone needs to think before opening attachments," advised Richard Jacobs, president of Sophos Inc., a data security company in Woburn, Mass. "Viruses can't exist in the text of an e-mail, so they don't get the chance to operate unless they're launched."

This attack can put corporations at risk because telecommuters often fail to regularly update their antivirus software, said Sal Viveros, group marketing manager for total virus defense at Network Associates Inc. (NAI) in Santa Clara, Calif.

"As more and more people telecommute, that is the hardest group to keep updated and control [via] security policies [given that] remote users don't necessarily log in every day," Viveros said. NAI's Enterprise SecureCast technology pushes updates of the company's antivirus software such as VirusScan and CyberCop to users' desktops when they log on to company networks.

"If you have a valuable asset on your laptop or home machine, you should be worried about this attack," said Fred Rica, a partner at Deloitte & Touche's attack and penetration service line.

Information technology managers should be concerned. Viveros said there's a growing number of remote access Trojan programs sent via e-mail that can open the backdoor to a user's PC and gather log-ins and passwords to company intranets. "It is much easier to get a remote access Trojan into a company than break down a firewall," Viveros said.

PrettyPark enters a user's system as a Trojan horse when Windows users open an attached e-mail file named PrettyPark. Unknown to users, the worm connects their PC to a custom IRC channel when they are logged on to a remote server while surfing the Web or reading e-mail.

Once connected to an IRC, the creator of the custom channel or his robot program can download the victim's files, passwords, log-in data, operating system preferences and other personal information -- including stored credit-card numbers.

PrettyPark also sends duplicate files of itself to the e-mail addresses listed in the user's Internet address book. Antivirus software firms say they're trying to determine who's collecting this information.

The worm has mostly attacked home users, who are less likely to update antivirus software or use firewalls that block IRC traffic, according to Carey Nachenberg, chief researcher at Symantec Corp.'s antivirus research center in Cupertino, Calif.
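The article's defensive point is that a firewall which blocks or at least logs IRC traffic would catch the exfiltration channel described above. The following is an added example, not code from the article or from any vendor it names: a small script that scans firewall egress logs for allowed TCP connections from internal hosts to the conventional IRC server ports and lists the workstations worth reviewing. The key=value log format, the field names, the internal address ranges and the sample log lines are all constructed assumptions.

```python
"""Flag outbound IRC connections from internal hosts in firewall egress logs.

Added example, not from the article or any product mentioned in it. The log
format (one 'key=value' record per line) and its field names are assumptions;
the sample log below is constructed.
"""
import ipaddress
import re
from typing import Dict, List

# Ports conventionally used by IRC servers (6660-6669 and 7000). The policy
# assumed here is that ordinary workstations have no reason to reach them.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Internal address space of the constructed example network.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log: two allowed IRC egress events, one ordinary web
# session, one IRC attempt the firewall already denied, and one inbound flow.
SAMPLE_LOG = """\
ts=1999-06-07T09:12:01 action=allow proto=tcp src=10.1.4.23 dst=203.0.113.10 dport=6667
ts=1999-06-07T09:12:05 action=allow proto=tcp src=10.1.4.23 dst=198.51.100.7 dport=80
ts=1999-06-07T09:13:40 action=allow proto=tcp src=192.168.2.9 dst=203.0.113.77 dport=7000
ts=1999-06-07T09:14:02 action=deny proto=tcp src=10.1.7.5 dst=203.0.113.10 dport=6667
ts=1999-06-07T09:15:11 action=allow proto=tcp src=198.51.100.7 dst=10.1.4.23 dport=6667
"""

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict (unknown formats give {})."""
    return dict(_FIELD.findall(line))


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_irc_egress(log: str) -> List[Dict[str, str]]:
    """Return allowed TCP flows from an internal host to an external IRC port."""
    alerts = []
    for raw in log.splitlines():
        rec = parse_line(raw)
        if rec.get("proto") != "tcp" or rec.get("action") != "allow":
            continue  # non-TCP, or already blocked: nothing to escalate
        try:
            dport = int(rec["dport"])
            if dport not in IRC_PORTS:
                continue
            # Only internal -> external matters; skip inbound and internal-only flows.
            if not is_internal(rec["src"]) or is_internal(rec["dst"]):
                continue
        except (KeyError, ValueError):
            continue  # malformed record; skip rather than crash the sweep
        alerts.append(rec)
    return alerts


def hosts_to_review(log: str) -> List[str]:
    """Distinct internal hosts that made allowed IRC connections."""
    return sorted({a["src"] for a in find_irc_egress(log)})


if __name__ == "__main__":
    for a in find_irc_egress(SAMPLE_LOG):
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dport']} IRC egress allowed")
    print("hosts to review:", hosts_to_review(SAMPLE_LOG))
```

Run against the constructed log, the script reports the two allowed connections on ports 6667 and 7000 and names the two internal hosts; the denied attempt and the inbound flow are ignored. In practice the same check is better expressed as a firewall rule that denies the ports outright, with this kind of log sweep kept for the hosts (home machines, laptops on dial-up) that sit outside the corporate firewall.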
