
Trojan programs improve attack methods

by James Middleton

05 Nov 2001


Security watchers have warned that Trojan programs, feared for their ability to compromise a network and go unnoticed, are getting sneakier about sending data out of the network.

Typically, Trojans sit on a compromised machine and wait for incoming connections to deliver instructions.

But this leaves a flaw in the Trojan's functionality: all unnecessary ports can be blocked so that incoming connections are dropped and the Trojan is rendered useless.

But Michael DeMaria, of Syracuse University Labs, said that a new method of Trojan programming is being used to get around port blocking and intrusion detection, by making an outbound connection to an already compromised machine using legitimate network traffic.

A proof of concept Trojan called Sheepshank has recently been created. This program makes a basic GET request to a web server, just as a browser does, but the page it fetches can be crafted so that the Trojan picks up keywords containing instructions.

As an example, DeMaria said that a page could be built like '<html> <body>clearwallpaper'. The Trojan would ignore the HTML tags and simply read the 'clearwallpaper' keyword, which would instruct it to clear the wallpaper on the compromised machine.

But the keywords could also be a lot more malicious, such as a command to format the machine or to upload certain folders or documents to another location.

Because the connection is outbound, it would appear to be normal HTTP and HTML traffic, even to network monitoring and analysing tools. This would effectively render the Trojan commands and activities invisible.

However, a Trojan would have to be configured to pick up commands from a number of different locations, as continuous traffic from the same locations may arouse suspicion.
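As an added illustration of the detection point in the two paragraphs above (example code written for this page, not part of the article or of DeMaria's work): because the polling happens on a timer, a Trojan that fetches its command page at fixed intervals stands out in proxy logs even when the requests look like ordinary HTTP, and grouping all of a client's requests together still catches one that rotates between several command pages. The log format and thresholds below are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log sample (epoch seconds, client IP, method, URL); not real data.
# 10.0.0.5 browses a news site irregularly; 10.0.0.7 polls two pages, alternating,
# exactly every 300 seconds.
SAMPLE_LOG = """\
1004953200 10.0.0.5 GET http://news.example/front.html
1004953200 10.0.0.7 GET http://host-a.example/index.html
1004953215 10.0.0.5 GET http://news.example/story1.html
1004953500 10.0.0.7 GET http://host-b.example/index.html
1004953800 10.0.0.7 GET http://host-a.example/index.html
1004953900 10.0.0.5 GET http://news.example/story2.html
1004954100 10.0.0.5 GET http://news.example/story3.html
1004954100 10.0.0.7 GET http://host-b.example/index.html
1004954400 10.0.0.7 GET http://host-a.example/index.html
1004954700 10.0.0.7 GET http://host-b.example/index.html
1004955000 10.0.0.7 GET http://host-a.example/index.html
1004955100 10.0.0.5 GET http://news.example/story4.html
"""

LINE_RE = re.compile(r"^(\d+) (\S+) GET https?://([^/\s]+)")

def parse_log(text):
    """Yield (timestamp, client, destination_host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def find_beacons(text, min_hits=5, max_cv=0.1):
    """Return {(client, dest): (hits, mean_interval)} for suspiciously regular polling.

    dest is a server name, or '*' for all of a client's requests taken together,
    which is what catches a Trojan that spreads its polls over several servers.
    """
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)
        times[(client, "*")].append(ts)
    flagged = {}
    for key, stamps in times.items():
        stamps = sorted(set(stamps))           # collapse same-second duplicates
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0  # 0.0 means perfectly periodic
        if cv <= max_cv:
            flagged[key] = (len(stamps), avg)
    return flagged
```

On the sample, only the aggregate key for 10.0.0.7 is flagged (7 requests, 300 seconds apart): neither command server alone reaches five hits, while the news reader's gaps vary too much. In a real environment the thresholds need tuning, since software updaters and web mail clients also poll on timers.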

DeMaria said that to combat this new breed of Trojan, users have to look beyond the traditional methods of port blocking and intrusion detection.

"Users need to lock down applications more, as well as check application integrity," DeMaria said.

Admins need to specify which programs on each machine are allowed access to the network, as well as keep an eye out for applications that have been modified and could be acting as a Trojan Horse.
