GFI White Paper Exposes How Hackers Can Elude Anti-Virus Software With Custom Trojans

Network administrators must add Trojan detection capabilities to their network security arsenal

London, UK, 9 July 2003 – GFI today released a white paper to help network administrators tackle the growing problem of Trojans, which are increasingly being used to steal credit card data, passwords, and other sensitive information, and to launch electronic attacks against targeted organizations. GFI’s latest white paper outlines what Trojans are, why they pose a danger to corporate networks, and how to protect against them. It can be viewed at http://www.gfi.com/mailsecurity/wptrojans.htm.

What a Trojan is and why it poses a threat to organizations

A Trojan horse is used to enter a victim’s computer undetected, granting the attacker unrestricted access to the data stored on that computer. A Trojan can be a hidden program that runs on the victim’s computer without his knowledge, or it can be ‘wrapped’ into a legitimate program, meaning that this program includes hidden functions that the victim is unaware of. In the corporate world, Trojans are mainly used to siphon off confidential information (industrial espionage) or to create damage. GFI’s white paper describes the seven main types of Trojan and explains how a network can be infected by a Trojan via an email attachment or a downloaded file.

Why an anti-virus engine does not provide all the protection required

Protection against Trojans is a must. Yet basic security software such as an anti-virus engine does not provide an adequate safeguard against Trojans: the paper explains that although most virus scanners detect some public/known Trojans, they are unable to detect unknown ones. This is because anti-virus software relies mainly on recognizing the “signature” of each Trojan. Because the source code of many Trojans is easily available, a more advanced hacker can create a new version of a Trojan whose signature is unknown to any anti-virus scanner.

“If the person planning to attack you finds out what anti-virus software you use, for example through the automatic disclaimer added to outgoing emails by some anti-virus engines, he will then create a Trojan specifically to bypass your virus scanner engine,” the white paper points out. “Also, apart from failing to detect unknown Trojans, virus scanners do not detect all known Trojans either – most virus vendors do not actively seek new Trojans, and research has shown that virus engines each detect a particular set of Trojans.”

How to protect a network from Trojans

The white paper proposes a multi-level strategy for detecting Trojans: deploy multiple virus scanners at the gateway, which increases the percentage of known Trojans caught; and use content security with executable analysis to detect potentially malicious executables, analyze what they might do, and prevent unknown Trojans from entering the network.

Detecting unknown Trojans can be done by manually reviewing each incoming executable, yet this is a tedious and time-intensive job that is subject to human error. It is therefore better to automate the process by means of a Trojan and executable scanner that can intelligently analyze what each executable does and how dangerous it is. A Trojan and executable analyzer disassembles the executable and determines in real time what it might do. It compares these actions to a database of malicious actions and then rates the risk level of the executable. This way, potentially dangerous, unknown or one-off Trojans can be detected.
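To illustrate the two points above (a signature changes when a Trojan is rebuilt, while an action-based rating does not), here is a small added example that is not GFI's code or the white paper's. It scans a constructed byte blob standing in for an executable's import strings, matches the Windows API names it finds against a hypothetical "database of malicious actions", and rates the risk; a real analyzer would parse the PE import table and disassemble the code rather than scan strings.

```python
import hashlib
import re

# Constructed stand-in for an executable: a few imported API names separated
# by NUL bytes. No real malware is embedded; only the names are meaningful.
SAMPLE_EXE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"KERNEL32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"WININET.dll\x00InternetOpenUrlA\x00"
    + b"ADVAPI32.dll\x00RegSetValueExA\x00GetTickCount\x00"
)

# Hypothetical database of malicious actions: API name -> (what it can do, weight).
ACTION_DB = {
    "CreateRemoteThread": ("injects code into another process", 4),
    "WriteProcessMemory": ("writes into another process's memory", 3),
    "InternetOpenUrlA": ("opens an outbound HTTP connection", 2),
    "RegSetValueExA": ("modifies the registry (possible persistence)", 2),
}

def extract_strings(data, min_len=6):
    """Return printable ASCII runs of at least min_len bytes, like `strings`."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def analyze(data):
    """Rate an executable by the dangerous actions its imports make possible."""
    found = [(name, ACTION_DB[name][1]) for name in extract_strings(data)
             if name in ACTION_DB]
    score = sum(weight for _, weight in found)
    if score >= 7:
        level = "high"
    elif score >= 3:
        level = "medium"
    else:
        level = "low"
    return {"score": score, "level": level, "actions": [n for n, _ in found]}

def signature(data):
    """A signature-style identity for the file: any byte change breaks it."""
    return hashlib.sha256(data).hexdigest()

def rebuild_variant(data):
    """Simulate a recompiled Trojan: one padding byte differs, behaviour does not."""
    return data.replace(b"\x90", b"\x00", 1)
```

Running `analyze` on `SAMPLE_EXE` and on `rebuild_variant(SAMPLE_EXE)` yields the same high rating, while `signature` differs for the two.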

Gateway protection

Two products that offer comprehensive gateway protection, including multiple virus engines, content checking and a Trojan and executable scanner as well as other security features, are:
* GFI MailSecurity for Exchange/SMTP, an email content checking, exploit detection, threats analysis, anti-Trojan and anti-virus solution that removes all types of email-borne threats before they can affect an organization’s email users. More product information and a trial version can be found at http://www.gfi.com/mailsecurity/.
* GFI DownloadSecurity for ISA Server, which enables administrators to assert control over what files users download from HTTP and FTP sites by content checking and quarantining downloaded files for malicious content, viruses, and Trojans. More product information and a trial version can be found at http://www.gfi.com/dsec/.

About GFI

GFI is a leading provider of Windows-based network security, content security and messaging software. Key products include the GFI FAXmaker fax connector for Exchange and fax server for networks; GFI MailSecurity email content/exploit checking and anti-virus software; GFI MailEssentials server-based anti-spam software; GFI LANguard Security Event Log Monitor (S.E.L.M.) that performs event log based intrusion detection and network-wide event log management; and GFI LANguard Network Security Scanner (N.S.S.) that audits network security and allows administrators to remotely install hotfixes and service packs. Clients include Microsoft, Telstra, Time Warner Cable, Shell Oil Lubricants, NASA, DHL, Caterpillar, BMW, the US IRS, and the USAF. GFI has six offices in the US, UK, Germany, France, Australia and Malta, and has a worldwide network of distributors. GFI is a Microsoft Gold Certified Partner and has won the Microsoft Fusion (GEM) Packaged Application Partner of the Year award.

All product and company names herein may be trademarks of their respective owners.