
Bug Watch: The rise of the network Trojan

by Eric Chien, Symantec

03 Nov 2000


Bug Watch: Each week vnunet.com asks a different expert from the IT security world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats. This week's expert is Eric Chien, chief researcher at antivirus company Symantec.

The Microsoft hacking incident is one of the first high-profile cases of cyber espionage. It shows a growing trend towards viruses carrying Trojans that can launch websites or steal passwords. Experts have been predicting this evolution for the past two years.

The motivations for hacking are also changing. No longer are we contending with intellectual or technical challenges, or kids hanging on virtual street corners swapping spray paints. This is actual criminal activity in the traditional sense of the term.

With viruses carrying Trojans that can launch websites or relay passwords, the hackers are now using virus technology to carry their tools. But is antivirus software the best defence against Trojans?

Compressor (packer) tools can change a Trojan's on-disk bytes without changing what it does, so a signature written for the original no longer matches the packed copy. There are many such tools, and many Trojans to run them over.

Adding a signature for every single Trojan, and for every packed form of it, to an antivirus update is a colossal task. Some variant detectors may be available, but relying on antivirus software alone is not the solution against hacking attempts.
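The following is an added example, written for this page rather than taken from the column or from Symantec's products, of why a plain byte-signature scanner loses a Trojan once a packer has been run over it. The "Trojan" is an inert, made-up byte string, the signature database and the two packers (a deflate compressor and a one-byte XOR "crypter") are stand-ins for the real tools, and the unpacking pass at the end is what an engine has to do before it can reuse the original signature.

```python
import zlib

# Constructed stand-in for a Trojan's on-disk body. It is an inert byte string
# made up for this example, not real malware: a fake executable header,
# padding, and a text fragment that a signature writer might pick out.
TROJAN_BODY = (b"MZ\x90\x00" + b"\x00" * 64
               + b"relay passwords to remote host" + b"\x00" * 32)

# Hypothetical signature database: detection name -> byte pattern to look for.
SIGNATURES = {"Trojan.Sample": b"relay passwords"}


def scan(data: bytes, signatures=SIGNATURES) -> list:
    """Plain byte-pattern scanner: report every signature found verbatim."""
    return [name for name, pattern in signatures.items() if pattern in data]


def pack_compress(body: bytes) -> bytes:
    """Stand-in for a runtime compressor: a tiny marker 'stub' followed by the
    deflate-compressed body. A real packer prepends executable decompression
    code instead of a marker; the effect on a byte scanner is the same."""
    return b"STUB" + zlib.compress(body, 9)


def pack_xor(body: bytes, key: int) -> bytes:
    """Stand-in for a simple 'crypter': one-byte XOR, key stored in the header."""
    return b"XORK" + bytes([key]) + bytes(b ^ key for b in body)


def unpack_candidates(data: bytes):
    """What an engine with unpacking support does before matching: yield the
    raw bytes plus every layer it knows how to strip."""
    yield data
    if data.startswith(b"STUB"):
        try:
            yield zlib.decompress(data[4:])
        except zlib.error:
            pass
    if data.startswith(b"XORK") and len(data) > 5:
        key = data[4]
        yield bytes(b ^ key for b in data[5:])


def scan_with_unpacking(data: bytes, signatures=SIGNATURES) -> list:
    """Scan the file and each unpacked layer; report each name once."""
    hits = []
    for layer in unpack_candidates(data):
        for name in scan(layer, signatures):
            if name not in hits:
                hits.append(name)
    return hits


if __name__ == "__main__":
    packed = pack_compress(TROJAN_BODY)
    crypted = pack_xor(TROJAN_BODY, 0x5A)
    print("raw body       :", scan(TROJAN_BODY))          # signature hits
    print("compressed     :", scan(packed))               # nothing
    print("xor-crypted    :", scan(crypted))              # nothing
    print("with unpacking :", scan_with_unpacking(packed),
          scan_with_unpacking(crypted))
    # Two packers, one Trojan, two unrelated byte streams: without an unpacker
    # the scanner needs a separate signature for each packed form.
    print("packed forms differ:", packed != crypted)
```

The two packed forms share no bytes with each other or with the original, which is the whole of the evasion: every packer, and every packer setting, yields another file that needs its own signature unless the engine can strip the layer first.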

The QAZ Trojan has been suggested as one of the tools used in the Microsoft attack. W32.HLLW.Qaz.A was first discovered in China in July 2000. It is a companion worm: it renames a legitimate program, installs itself under that program's original name, and runs the real program after its own code, so the user sees nothing unusual. It can spread over the network and also has a back door that lets a remote hacker connect to and control the computer.

QAZ has at least four known variants, the definitions for which have been available for a number of months.

If you have a complicated network including remote users, and antivirus software that is difficult to keep updated, then a security manager needs to assess this vulnerability and build in another layer of defence. To stop a Trojan sending information out from a machine, a firewall at the desktop is required, and it must control outbound connections as well as inbound ones: a back door that connects outwards to its owner passes straight through a filter that only looks at incoming traffic.

As remote access to corporate networks continues to increase, with workers spending more time working from home and hotels, so too does the risk of a remote user being the weak link in the security chain.

Remote users, particularly those who connect by RAS (Remote Access Service), are sitting ducks for hackers, who use any number of free, easy-to-use and widely available tools to cruise the internet and seek out machines that have already been infected with Trojans, typically by probing for the port on which the Trojan's back door listens.

A desktop firewall will, in effect, make remotely connected computers invisible to such scans: a machine that drops unsolicited probes gives a port scanner nothing to find. It can monitor both inbound and outbound communications, and block attempted attacks, intrusions and Trojans.

A combination of firewall and antivirus technology at the desktop gives added protection against unused ports being opened and accessed without the user's knowledge: the antivirus catches the Trojan it has a signature for, and the firewall blocks the listening port, or the outbound connection, of the one it does not. A multi-tier approach to antivirus and firewall software is needed in the overall security policy.
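To show concretely what "unused ports being opened" and "outbound communications" look like from the desktop, here is an added example (mine, not code from the column or from any Symantec product) of the check a deny-by-default desktop firewall applies, run offline over a constructed `netstat -an` listing from a remote user's Windows machine. The listing, the policy table and every address and port in them are made up for the example; the sample is IPv4 only, so the parser does not handle bracketed IPv6 addresses.

```python
import ipaddress
import re

# Constructed sample of `netstat -an` output from a remote user's laptop.
# Every address, port and state here is made up for this example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8997           0.0.0.0:0              LISTENING
  TCP    10.0.0.20:1043         10.0.0.5:80            ESTABLISHED
  TCP    10.0.0.20:1052         203.0.113.9:8997       ESTABLISHED
  TCP    10.0.0.20:8997         198.51.100.77:3321     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Hypothetical desktop policy: what this machine may serve, which remote
# ports it may connect to, and which source networks may connect in.
POLICY = {
    "allowed_listen": {("TCP", 139), ("UDP", 137)},
    "allowed_out_ports": {25, 80, 110, 443},
    "trusted_nets": [ipaddress.ip_network("10.0.0.0/8")],
}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")


def parse_netstat(text: str) -> list:
    """Turn netstat rows into (proto, local_ip, local_port, remote_ip,
    remote_port, state) tuples; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        rows.append((proto, lip, int(lport), rip, rport, state))
    return rows


def is_trusted(ip: str, nets) -> bool:
    """True if the address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def audit(text: str, policy=POLICY) -> list:
    """Report the sockets a deny-by-default desktop firewall would block."""
    rows = parse_netstat(text)
    findings = []

    # Pass 1: listeners. A TCP LISTENING socket or a bound UDP socket is a
    # port reachable from outside; anything not in the allow list is flagged.
    listening = set()
    for proto, lip, lport, rip, rport, state in rows:
        if (proto == "TCP" and state == "LISTENING") or (proto == "UDP" and state == ""):
            listening.add((proto, lport))
            if (proto, lport) not in policy["allowed_listen"]:
                findings.append(f"unexpected listener {proto}/{lport} on {lip}")

    # Pass 2: established TCP sessions. If the local port is one this host
    # listens on, the session came in from outside; otherwise the host opened
    # it, and the remote port must be one the user legitimately needs.
    for proto, lip, lport, rip, rport, state in rows:
        if proto != "TCP" or state != "ESTABLISHED":
            continue
        if (proto, lport) in listening:
            if not is_trusted(rip, policy["trusted_nets"]):
                findings.append(f"inbound session from {rip}:{rport} to local port {lport}")
        elif int(rport) not in policy["allowed_out_ports"]:
            findings.append(f"outbound session to {rip}:{rport} not in allowed ports")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT):
        print("BLOCK:", finding)
```

Run against the sample, the audit flags the unexplained listener on TCP 8997, the outbound session to the same port on an internet host, and the inbound session from an untrusted address to that listener; the web session on port 80 and the NetBIOS sockets pass. A desktop firewall makes the same three decisions at connection time rather than after the fact, which is the difference between logging the back door and closing it.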

Network security has evolved with our use of the internet and email. Network managers have less control over the flow of content through their networks because of the increased points of entry and the increased traffic. Their task becomes one of constant management and assessment.

As Kevin Mitnick - the ex-hacker whose computer activities in the 1990s resulted in a three-year manhunt by the FBI - stated at the Software Development Conference and Expo 2000 gathering this week, if someone wants to spend the time and effort launching a dedicated attack against your network, they will get in by hook or by crook.

The question the business manager should be asking is: what are my most valuable assets? He or she should communicate the answer to the IT department to help it develop a prioritised resource deployment schedule.

IT departments cannot work in isolation - security is everyone's business.

If, or when, a breach occurs your company should have a contingency plan to deal with the situation. This plan should involve your IT team, marketing department, PR team and customer services.

Your ability to recover from a security breach depends on your ability to assess damage and react swiftly.

In a connected business environment, 100 per cent network security would result in zero per cent network productivity. However, if you assess the vulnerabilities, prioritise your assets and monitor your network, you can significantly lower your risk of a serious security breach.

Next edition: 10 November
