GFI white paper exposes how hackers can elude antivirus software with custom Trojans

July 09, 2003 - 12:00

GFI today released a white paper to help network administrators tackle the growing problem of Trojans, which are increasingly being used to steal credit card data, passwords, and other sensitive information, and to launch electronic attacks against targeted organizations. GFI’s latest white paper outlines what Trojans are, why they pose a danger to corporate networks, and how to protect against them. It can be viewed at http://www.gfi.com/whitepapers/network-protection-against-trojans.pdf.

What a Trojan is and why it poses a threat to organizations
A Trojan horse is used to enter a victim's computer undetected, granting the attacker unrestricted access to the data stored on that computer. A Trojan can be a hidden program that runs on the victim’s computer without his knowledge, or it can be 'wrapped' into a legitimate program, meaning that this program includes hidden functions that the victim is unaware of. In the corporate world, Trojans are mainly used to siphon off confidential information (industrial espionage) or to create damage. GFI’s white paper describes the seven main types of Trojan and explains how a network can be infected by a Trojan via an email attachment or a downloaded file.

Why an antivirus engine does not provide all the protection required
Protection against Trojans is a must. Yet, basic security software such as an antivirus engine does not provide an adequate safeguard against Trojans: the paper explains that although most virus scanners detect some public/known Trojans, they are unable to scan unknown Trojans. This is because antivirus software relies mainly on recognizing the "signatures" of each Trojan. Yet, because the source code of many Trojans is easily available, a more advanced hacker can create a new version of a Trojan, the signature of which is unknown to any antivirus scanner.

“If the person planning to attack you finds out what antivirus software you use, for example through the automatic disclaimer added to outgoing emails by some antivirus engines, he will then create a Trojan specifically to bypass your virus scanner engine,” the white paper points out. “Also, apart from failing to detect unknown Trojans, virus scanners do not detect all known Trojans either - most virus vendors do not actively seek new Trojans, and research has shown that virus engines each detect a particular set of Trojans.”

How to protect a network from Trojans
The white paper proposes that to detect Trojans, one must use a multi-level strategy and deploy multiple virus scanners at the gateway, which would increase the percentage of known Trojans caught; and use content security with executable analysis to detect potentially malicious executables, analyze what they might do and prevent unknown Trojans from entering the network.

Detecting unknown Trojans can be done by manually reviewing each incoming executable; yet this is a tedious and time-intensive job, and can be subject to human error. Therefore it is better to automate the process by means of a Trojan and executable analyzer that can intelligently analyze what each executable does and how dangerous it is. A Trojan and executable analyzer disassembles the executable and detects in real time what it might do. It compares these actions to a database of malicious actions and then rates the risk level of the executable. This way, potentially dangerous, unknown or one-off Trojans can be detected.

Gateway protection
Two products that offer comprehensive gateway protection that includes multiple virus engines, content checking and a Trojan and executable scanner, as well as other security features are:

  • GFI MailSecurity for Exchange/SMTP, an email content checking, exploit detection, threats analysis, anti-Trojan and antivirus solution that removes all types of email-borne threats before they can affect an organization’s email users. More product information and a trial version can be found at http://www.gfi.com/mailsecurity/.
  • GFI DownloadSecurity for ISA Server, that enables administrators to assert control over what files users download from HTTP and FTP sites by content checking and quarantining downloaded files for malicious content, viruses, and Trojans. More product information and a trial version can be found at http://www.gfi.com/dsec/.

About GFI
GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. With award-winning technology, an aggressive pricing strategy and a strong focus on small-to-medium sized businesses, GFI is able to satisfy the need for business continuity and productivity encountered by organizations on a global scale. GFI has offices in the US, Malta, UK, Hong Kong and Australia which support more than 200,000 installations worldwide. GFI is a channel-focused company with over 10,000 partners worldwide. GFI is a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com.