Trojan Horse applications (Trojans for short) are not new, having been around for over ten years now, but amazingly no-one has found a way to manage the threat.
Anti-virus software can isolate most of the known or well studied Trojans, but they are still a significant threat to businesses of all sizes because of the sheer number of new Trojan development kits and increasing sophistication in techniques like ‘silver threading’ (where malicious code is inserted within any other distributable application so it cannot be detected by anti-virus products).
Essentially the corporate desktop is more at risk from Trojans than ever before. The impact of this is not just the direct threat from loss of internal network integrity and data compromise. There is a second threat that is now emerging: legal deniability, where the presence of Trojans on a computer is used as a defence against criminal charges like possession of child pornography.
Around the world, including the UK, there are incidents where illegal material has been found on an employee’s computer system which they have denied all responsibility for. In an increasing number of cases, forensic investigations have discovered that the systems had previously been compromised by an installed Trojan. This casts doubt over the source of the illegal material and prevents prosecution of the person, resulting in dismissal of the case.
The presence of a Trojan on the computer system will make it extremely difficult for an organisation to prove beyond doubt that an employee has undertaken any illegal or malicious activity. The employee could rightly claim that the hacker who planted the Trojan was responsible for coding it to carry out activities such as accessing child pornography, downloading pirated software, acquiring confidential documents or hacking other corporate resources (including other external organisations’).
The person could be totally innocent, but it is feasible that if an employee has sufficient access rights or knowledge of their desktop environment, they may be able to install a Trojan on their computer and use its presence to indemnify themselves against any future legal repercussions.
It is imperative that organisations take steps to stop Trojans from making it to the desktop.
Preventing Trojan incidents in 6 steps:
1. Ensure that the corporate perimeter defences are kept
2. Filter and scan all content at the perimeter defences for malicious
3. Run local versions of your anti-virus, firewall and intrusion detection software at the desktop.
4. Rigorously control user permissions within the desktop environment to prevent the installation of malicious applications.
5. Manage local workstation file integrity through checksums, auditing and port scanning.
6. Monitor internal network traffic for odd ports or encrypted traffic.
Gunter Ollmann – manager of X-Force Security Assessment Services EMEA, Internet Security Systems, www.iss.net