Bugwatch: Preventing Trojan trouble

This week Gunter Ollmann, EMEA manager of X-Force Security Assessment Services at Internet Security Systems, offers vital advice on dealing with the threat of increasingly sophisticated Trojans, including steps companies can take to prevent Trojan incidents.

The malicious Trojan has been around for over a decade, and organisations are still struggling to manage the threat.

While antivirus software has matured during this time and is capable of dealing with the majority of previously known or well-studied Trojans, the sheer number of new Trojan development kits and increasing sophistication in 'silver threading' techniques has ensured that they still present an immediate threat to the corporate environment.

Silver threading is the process of inserting Trojan code within any other distributable application so that it cannot be detected by antivirus products.

Traditionally, the corporate desktop environment has been protected by an organisation's perimeter defence systems, such as firewalls, content filtering, intrusion detection and antivirus protection.

But corporate users now require greater access to internet-shared resources and communication systems. This has invariably led to greater opportunities for the successful installation of Trojans at the corporate desktop level.

In essence, more corporate desktop environments are being compromised by Trojans than ever before. There is the direct threat of loss of internal network integrity and data compromise. Most organisations are already aware of this and can typically quantify the risk. However, the latest threat is legal deniability.

There have been incidents around the world where illegal material has been found on an employee's computer system for which they have denied all responsibility. In an increasing number of cases, forensic investigations have discovered that the systems had been previously compromised by an installed Trojan.

Such a finding casts doubt over the source of the illegal material and prevents prosecution of the employee, resulting in dismissal of the prosecution case.

The presence of a Trojan on the computer system makes it extremely difficult for an organisation to prove beyond doubt that an employee has undertaken any illegal or malicious activity. The employee could rightly claim that someone else may have used the Trojan to carry out activities such as viewing child pornography, downloading pirated software, accessing confidential documents or hacking other corporate resources (including other external organisations).

Therefore it is feasible that if an employee has sufficient access rights or knowledge of their desktop environment, they may be able to install a Trojan on their computer and use its presence to indemnify themselves against any future legal repercussions.

Organisations must take steps to prevent Trojans from making it to the desktop by both keeping their perimeter defence systems up-to-date, and securing the desktop environment using local versions of their antivirus, firewall and intrusion detection systems.

Just as importantly, organisations must ensure that they can audit each client workstation and detect any changes in executable file integrity for the presence of possible Trojan installations.

Key steps to prevent Trojan incidents:

• Ensure that the corporate perimeter defences are kept continuously up-to-date
• Filter and scan all content at the perimeter defences that could contain malicious content
• Run local versions of your antivirus, firewall and intrusion detection software at the desktop
• Rigorously control user permissions within the desktop environment to prevent the installation of malicious applications
• Manage local workstation file integrity through checksums, auditing and port scanning
• Monitor internal network traffic for odd ports or encrypted traffic.