Countering Trojans Using Proactive Security Measures
Since the start of the new millennium, we have seen an increasing number of threats caused by worms and trojans. Recently a new kind of malicious code, called 'blended threats', has sprung up. These usually combine two or more properties of the current set of malicious code programs. According to recent research by the security firm Panda Software, the Downloader.GK Trojan topped the list of most widespread malware in the year 2004. But is it necessary that we stop trojans and other parasites only after they infect the system? What is the cost involved in this 'after disease cure' strategy, and what are the benefits of using 'prevention'?
Traditionally, trojans were dealt with using standard anti-virus software. When enterprises realized that this was not enough, they started using specialized anti-trojan software. But as the security industry matured and security analysts gained experience, they realized that detecting trojans only after they had infected the host is simply not acceptable. Vital information can be leaked between the time the trojan is loaded onto the host computer and the time at which it is detected. Real-time monitors in anti-virus and anti-trojan software may not fit the bill either, since most of these utilities are signature-dependent and their effectiveness depends heavily on when the software vendor releases new definitions.
What every security administrator needs to realize is that, to effectively counter trojan threats, we have to use proactive security measures. Simple utilities like 'port scanners' can be quite handy when dealing with trojans. If the administrator notices an open port that is not used by one of the standard allowed applications, it must be investigated immediately. It may be a trojan trying to connect back to its controller. Regular port scans are absolutely essential for effective security. All unused ports must be blocked at all times.
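The 'open port not used by an allowed application' check described above, done mechanically: every listening socket is compared against a per-host baseline of (port, permitted process) pairs, and anything else is flagged for investigation. This is an added example, not code from the original article; the listener snapshot and the baseline are constructed assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on `ss -tlnp`-style output (not from a real host):
# protocol, local address:port, owning process.
SAMPLE_LISTENERS = """\
tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:80 nginx
tcp 0.0.0.0:443 python3
tcp 127.0.0.1:3306 mysqld
tcp 0.0.0.0:31337 helper
"""

# Assumed baseline for this host: port -> processes permitted to listen on it.
BASELINE: Dict[int, Set[str]] = {
    22: {"sshd"},
    80: {"nginx"},
    443: {"nginx"},
    3306: {"mysqld"},
}

LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+)$")


def parse_listeners(text: str) -> List[Tuple[str, str, int, str]]:
    """Turn the snapshot into (proto, address, port, process) tuples."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, addr, port, proc = m.groups()
            listeners.append((proto, addr, int(port), proc))
    return listeners


def audit_listeners(text: str, baseline: Dict[int, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (port, process, reason) for each listener that deviates from the baseline."""
    findings = []
    for _proto, addr, port, proc in parse_listeners(text):
        if port not in baseline:
            scope = "loopback only" if addr.startswith("127.") else "externally reachable"
            findings.append((port, proc, f"port not in baseline ({scope})"))
        elif proc not in baseline[port]:
            findings.append((port, proc, "unexpected process on an approved port"))
    return findings


if __name__ == "__main__":
    for port, proc, reason in audit_listeners(SAMPLE_LISTENERS, BASELINE):
        print(f"INVESTIGATE port {port} ({proc}): {reason}")
```

The second kind of finding (an approved port served by the wrong process) catches the case a bare port scan misses, which is why the baseline records the process and not just the port number.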
Firewalls are also important in countering trojans. All services that are not required must be blocked. Any suspicious packet sent to or from the computer in question must be carefully scrutinized. An application gateway firewall is very effective in detecting trojans, since it blocks any unknown application from communicating with an outside machine. You may also install an integrity checker, just to be sure that your important documents are not tampered with.
Encrypt all the important files you have on your computer. This way, even if a trojan infects your system and sends your files to the person controlling the trojan, that person has no way of reading your precious information. Strong algorithms have made the snooper's job more difficult. A large number of good encryption programs are freely available on the net for all major operating systems. It also helps to set explicit permissions on which directories are read-only and which directories can be written to.
A new class of software called 'behavior blockers' has also gained popularity in recent years. They ask the user for confirmation before any suspicious read/write activity or system call is allowed. With some common sense, the administrator can easily sniff out hidden trojans. Along with these measures, it is important that the anti-trojan or anti-virus utility you use is able to detect previously unknown trojans.
Sometimes trojans may also exploit weaknesses in existing software to gain entry into your system. Use trusted, secure software, and patch your operating system regularly. And lastly, some common sense goes a long way in protecting your network against trojan threats.
Written by Rahul Batra.
Thanks to Prof. Sheetal Jain.