
Friday 21 October 2011

How Trojan Horses Work

One of the most enduring stories of the Trojan War, the most important conflict in Greek mythology, is the tale of the Trojan horse. Trying to find a way into the city of Troy, the great warrior Odysseus ordered his men to build a massive wooden horse, one big enough for several Greek soldiers to fit in. Once the structure was finished, he and several other warriors climbed inside, while the rest of the Greeks sailed away from Troy. One man named Sinon, however, stayed behind in order to deceive the Trojans, convincing them that his fellow Greeks had betrayed him and fled from the city. The wooden horse, he told the Trojans, was safe and would bring them luck.

After some discussion over the matter, the Trojans agreed to wheel the horse through their gates, unknowingly giving the Greek enemy access to the city. After proclaiming victory and partying all night, the citizens of Troy went to sleep -- it was then that Odysseus and his men crept out of the Trojan horse and wreaked havoc on the city.

Although you've probably heard of the Trojan horse from Greek mythology, chances are you've also heard of Trojan horses in reference to computers. Trojan horses are common but dangerous programs that hide within other, seemingly harmless programs. They work the same way the ancient Trojan horse did: once they're installed, the program will infect other files throughout your system and potentially wreak havoc on your computer. They can even send important information from your computer over the Internet to the developer of the virus. The developer can then essentially control your computer, slowing your system's activity or causing your machine to crash.

Though they're not actually viruses, they're referred to as "Trojan horse viruses," "Trojan viruses," "Trojan horses" or just plain "Trojans." Regardless of what people call them, they all mean the same thing. But what happened? How did you let this Trojan horse into your computer in the first place? And what can you do to stop one from getting in?

Friday 30 September 2011

Creeper (program)

Creeper was an experimental self-replicating program written by Bob Thomas at BBN in 1971. It was designed not to damage but to demonstrate a mobile application. It is generally accepted to be the first computer worm, although the notion of a "computer virus" did not exist in the 1970s. Creeper infected DEC PDP-10 computers running the TENEX operating system.

Virus:

Creeper gained access via the ARPANET and copied itself to the remote system, where the message "I'm the creeper, catch me if you can!" was displayed. The Creeper would start to print a file, but then stop, find another TENEX system, open a connection, pick itself up and transfer to the other machine (along with its external state, files, etc.), and then start running on the new machine, displaying the message. The program rarely if ever actually replicated itself; rather, it jumped from one system to another, attempting to remove itself from previous systems as it propagated forward. Thus, Creeper didn't install multiple instances of itself on several targets; it just moseyed around a network.

Reaper:

The Reaper program was created to delete Creeper.

10 Worst Computer Viruses of All Time

Computer viruses can be a nightmare. Some can wipe out the information on a hard drive, tie up traffic on a computer network for hours, turn an innocent machine into a zombie and replicate and send themselves to other computers. If you've never had a machine fall victim to a computer virus, you may wonder what the fuss is about. But the concern is understandable -- according to Consumer Reports, computer viruses helped contribute to $8.5 billion in consumer losses in 2008 [source: MarketWatch]. Computer viruses are just one kind of online threat, but they're arguably the best known of the bunch.
Computer viruses have been around for many years. In fact, in 1949, a scientist named John von Neumann theorized that a self-replicated program was possible [source: Krebs]. The computer industry wasn't even a decade old, and already someone had figured out how to throw a monkey wrench into the figurative gears. But it took a few decades before programmers known as hackers began to build computer viruses.
While some pranksters created virus-like programs for large computer systems, it was really the introduction of the personal computer that brought computer viruses to the public's attention. A doctoral student named Fred Cohen was the first to describe self-replicating programs designed to modify computers as viruses. The name has stuck ever since.
In the good old days (i.e., the early 1980s), viruses depended on humans to do the hard work of spreading the virus to other computers. A hacker would save the virus to disks and then distribute the disks to other people. It wasn't until modems became common that virus transmission became a real problem. Today when we think of a computer virus, we usually imagine something that transmits itself via the Internet. It might infect computers through e-mail messages or corrupted Web links. Programs like these can spread much faster than the earliest computer viruses.
We're going to take a look at 10 of the worst computer viruses to cripple a computer system. Let's start with the Melissa virus.

How AntiVirus Works - Virus Detection Techniques

Virus: the word alone provokes images of loss, destruction and helplessness, and the term "computer virus" likewise evokes images of vanishing data, vanishing work, crashing desktops, stolen personal information and, finally, financial ruin. Emerging from obscurity during the past two decades to front-page news, the computer virus has been portrayed by the movie industry as doing anything from siphoning off your money to destroying planet Earth. Maybe not as dramatic as the destruction of our beloved planet, but present-day viruses are still a daily nuisance for both home and corporate computer users.
Details of the work antivirus researchers conduct are shrouded in secrecy. Their goal is to produce an antivirus product that can discover both known and unknown viruses and malicious code, stop it, and, whenever possible, reverse any damage done. Among the AV companies themselves there is an interesting dichotomy: while an individual company's technology is proprietary, the various antivirus research labs exchange viruses for analysis with other antivirus labs. These exchanges are based on trust gained through personal relationships and years of working together in the trenches. Researchers test with existing viruses and do not create their own.

What Actually is a Virus?
While most people lump any kind of malicious code into the virus category, there are some distinctions among the bad guys. A virus is a computer program, or piece of code, that can replicate itself without a user's knowledge. A virus is not always malicious, though it is more often than not, and sometimes its mere presence on a system can cause problems. In addition, non-malicious viruses may contain bugs that cause damage. Not all malicious code is a virus. A Trojan horse program, one that comes into your system disguised as something else (and causes damage or compromises security), is not a virus. Internet worms can actually be a combination of threats and can enter your system in various ways. They can also affect other systems in a multitude of ways. Both worms and Trojans, however, can "drop" viruses into systems. Antivirus software and security vendors refer to these worms as blended threats, and they are currently the focus of much research and development.
Viruses can come in the form of executable programs, document macros, Web page scripts, or even as packets on the Internet that are never written to disk (as seen in the CodeRed worm). Threats are classified in a number of ways -- by operating system (W32, W95, Linux, etc.), by the applications they infect (W97M, WordPro, X97M, etc.), by type of threat (Worm, Backdoor, Trojan, etc.), or by language (HTML, VBS, JS, etc.). Delivery of malicious code to a user's machine has changed since the first viruses were discovered.

What Actually is a Worm?
A computer worm is a self-replicating malware program. It uses a computer network to send copies of itself to other computers on the network, and it may do so without any user intervention. This is possible because of security shortcomings on the target computer. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
These worms can cause havoc in many ways, such as creating a back-door entry into your system (which leaves it open to anyone), deleting files from the host machine or sending documents via e-mail. The most common way these worms move these days is via the Internet. They come mostly through e-mail, one very notorious case being the I LOVE YOU worm.

What Actually is a Trojan?
A Trojan, sometimes referred to as a Trojan horse, is non-self-replicating (it does not have the ability to replicate) malware that appears to perform a desirable function for the user but instead facilitates unauthorized access to the user's computer system. Trojan horses require interaction with a hacker to fulfill their purpose, though the hacker need not be the individual responsible for distributing the Trojan horse. In fact, it is possible for hackers to scan computers on a network using a port scanner in the hope of finding one with a Trojan horse installed, which the hacker can then use to control the target computer. A Trojan differs from a virus in that only a file specifically designed to carry it can do so.
Trojan horses can be installed through the following methods:
  1. Software downloads (e.g. a Trojan horse included as part of a software application downloaded from a file-sharing network).
  2. Websites containing executable content (e.g. a Trojan horse in the form of an ActiveX control).
  3. E-mail attachments.
  4. Application exploits (e.g. flaws in a web browser, media player, messaging client, or other software that can be exploited to allow installation of a Trojan horse).

Knowledge of Malware for Making AntiVirus:
All antivirus protection starts with researchers dissecting and analyzing unknown viruses. Most antivirus vendors accept files that may or may not contain unknown viruses from their customers as well as from other sources. Symantec's Digital Immune System combines automated submissions from customers with automated analysis to look for potential viruses without tying up human researchers unnecessarily. Many unknown viruses can be identified, and detection methods created, without human intervention. There are many methods for this, mostly based on grouping different attacks by what they have in common and writing the antivirus signature so that a different virus using the same technique is caught without a new signature having to be created for it. If a potential virus cannot be handled by the automated systems, human researchers analyze the code.
Researchers require a wide range of skills to dissect viruses and see how they tick. Executable and boot viruses are written mostly at the assembly-language level to get at the innermost workings of DOS, Windows and the file system. Some Windows viruses are written in C/C++, Delphi or Visual Basic for Applications as well as assembler, while script and macro threats are developed in languages such as Java and JavaScript. Researchers must understand assembler and higher-level languages like C/C++ as well as macro languages. Additionally, they need to be intimately familiar with the operating system and file systems. Lastly, they must understand how viruses work, a skill that comes with experience.

Detection Method Overview:
As detection gets more sophisticated, so do the virus writers. Many polymorphic and metamorphic viruses use anti-antivirus techniques, such as executing only on a specific day at a specific time, activating only after a specific keystroke combination, or activating the instant a user logs into or opens a specific site, for example Orkut (we had the notorious "MUHAHAHA orkut is banned" virus attack). Polymorphic viruses are encrypted with random keys every time they infect a file, so they do not have a set pattern that can be recognized. For these viruses, researchers execute them in automated environments that run through a series of day changes and other input or environment changes to try to force the virus to replicate or trigger its malicious behavior. However, manual analysis by humans is the only way certain types of viruses can be detected.
Once they execute and replicate, the virus code and its behaviors are analyzed and cataloged for ways to identify the virus with a software scanner (like products from Symantec, McAfee, Trend Micro, Panda, etc). In the lab, trained researchers can run and analyze an application for hours or days to determine its infection level or potential, but for consumers, detection has to be fast or they won't use the product.
We will be looking more closely at the two types of detection that most if not all antivirus products use-- signature (or pattern) detection for exact matches, and heuristic scanning/behavior detection for extrapolated detection. Most systems use a combination of the two, and it's hard to draw the line between them.
While we won't discuss all the possibilities here, there are several other methods of combating viruses besides scanning. File and boot integrity checking by some products records a checksum of key executables and system files and checks for anomalies on boot or execution. Most CMOS BIOS systems now have a setting to monitor changes to boot records. Behavior blocking by many antivirus and security products can also watch for changes to boot records as well as system files. Symantec's products offer script blocking that can stop malicious scripts before they do damage. Windows XP and 2000 also watch for infection of system files as part of their System File Checker (SFC) ability and log changes. The SFC mechanism is meant to solve "DLL hell", where applications overwrite each other's files, though it is vulnerable to virus writers turning it off or simply avoiding the protected files. Windows Me and later versions of Windows have system file backups and the ability to roll back to prior system and file states, mostly for repairing problems caused by application installations that overwrite system DLLs. Unfortunately, there isn't always a warning when a system file is corrupted rather than overwritten.

Signature Scanning:
One basic mode of virus detection today is still signature scanning, but things are far more sophisticated now. A signature file (DAT file) is a database of uniquely identifiable "fingerprints" that a virus contains. The fingerprint for an executable virus is typically a series of machine-code bytes, aka "strings", that the virus contains; such strings are the fruit of the researcher's labors.
Scanning is done either on demand (scanning at the user's request) or on the fly (for example by an e-mail scanner or network scanner), and both use essentially the same techniques. On-demand scanning is what most people envision as an antivirus: you click on an icon or launch a program that scans a target file, folder or whole drive. On-the-fly scanning happens when you execute a program, receive an e-mail or copy a file.
In the early days of antivirus software, the number of viruses fingerprinted numbered in the hundreds. Scanning a file looking for all known viruses was fairly quick. Now, there are over a million known viruses, Trojans, worms, and variations. Antivirus vendors not only struggle to identify and detect malicious code, but have to keep scanning performance within acceptable limits.
Several techniques are used to keep a handle on performance. First, signatures are classified by the type of infection they represent -- boot sector, .COM file, .EXE file, scripts, or macros. Through a process of elimination, when a particular file is scanned, only the signatures that pertain to that file type are used, which keeps scan times down. For example, a boot sector signature would not be used to scan a macro file.
Next, certain rules are applied to keep the scanner from having to trudge through a complete file looking for infection. Depending on the type of file -- .com, .exe, or .doc -- the scanner knows to go to the areas in the file that are more likely to contain a virus. For example, in a simple .com, the scanner will look to the end of the file, as it is the most commonly infected area. Similarly, a Word 97 DOC file has a specific area where macros are stored that the scanner can directly evaluate.

Generic Signature:
While it is advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature. Many viruses start as a single infection and, through either mutation or modifications by other virus writers, can grow into dozens of slightly different strains. In addition, virus authoring tools, such as Nowhere Man's Virus Creation Laboratory (circa 1992-93), create similar viruses. Rather than create a signature for every single strain, virus researchers find common areas that all viruses in a family uniquely share, and they create a single generic signature. These signatures often contain non-contiguous code, using wild cards where the differences lie. The wild cards allow the scanner to detect the virus code even when it is padded with other junk code. While the vendors wouldn't discuss exactly how it works, the signatures may contain fragments of unique code from a number of areas in the infected file.
Signature scanning, while made more flexible by pre-qualifying files and types of infections and by using wild cards, still requires exact matches between infection and signature. Signatures can only be used to find known viruses, ones that have been analyzed and categorized. When a totally new virus hits the scene it often slips past signature scanning, unless it was developed from existing roots and, by chance, shares family traits. To catch unknown or more complex viruses, heuristic scanning techniques are used, and we'll be studying those techniques in more depth, including polymorphic and metamorphic virus detection.
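As an added example (not code from the original post), here is a small Python signature scanner that shows the two ideas above together: it pre-qualifies signatures by infection type before scanning, and it uses "??" wild cards so that one generic signature covers a family whose strains differ only in operands or junk padding. The signature names, byte patterns and sample files are constructed for illustration and are not real virus signatures; the third sample shows the limitation just described, a strain that changes a byte outside the wild cards and is therefore missed.

```python
import re
from typing import Dict, List, Tuple

# Constructed signature database: name -> (infection type, hex pattern).
# "??" is a one-byte wild card. The byte patterns are illustrative only.
SIGNATURES: Dict[str, Tuple[str, str]] = {
    "Family.A (generic)": ("com", "B8 ?? ?? CD 21 ?? ?? ?? 33 C0"),
    "Strain.A1 (exact)":  ("com", "B8 01 02 CD 21 90 90 90 33 C0"),
    "Macro.B (generic)":  ("macro", "41 75 74 6F ?? ?? 4F 70 65 6E"),  # "Auto??Open"
}


def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn a spaced hex pattern with ?? wild cards into a compiled bytes regex."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    # DOTALL so a wild card also matches a 0x0A byte.
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf: bytes, file_type: str) -> List[Tuple[str, int]]:
    """Scan buf with only the signatures that pertain to file_type.

    Returns (signature name, offset) for every signature that matches.
    """
    hits = []
    for name, (kind, pattern) in SIGNATURES.items():
        if kind != file_type:
            continue  # pre-qualification: a macro signature is never tried on a .COM
        m = compile_signature(pattern).search(buf)
        if m:
            hits.append((name, m.start()))
    return hits


# Constructed sample files (not real malware): a 5-byte prefix, the body, padding.
STRAIN_A1 = b"\x00" * 5 + bytes.fromhex("B80102CD2190909033C0") + b"\x00" * 3
STRAIN_A2 = b"\x00" * 5 + bytes.fromhex("B855AACD21EB010033C0") + b"\x00" * 3  # other operands/junk
STRAIN_A3 = b"\x00" * 5 + bytes.fromhex("B80102CD2190909033C9") + b"\x00" * 3  # fixed byte changed
CLEAN_COM = bytes(range(0x20, 0x60))
MACRO_DOC = b'Sub AutoXXOpen()\n  MsgBox "constructed sample"\nEnd Sub\n'

if __name__ == "__main__":
    for label, sample in [("A1", STRAIN_A1), ("A2", STRAIN_A2),
                          ("A3", STRAIN_A3), ("clean", CLEAN_COM)]:
        print(label, scan(sample, "com"))
    print("macro", scan(MACRO_DOC, "macro"), scan(MACRO_DOC, "com"))
```

Running it shows A1 hit by both the exact and the generic signature, A2 caught only by the generic one, and A3 missed entirely because its change falls outside the wild cards.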

Heuristic Scanning:
More sophisticated antivirus software provides heuristic scanning/analysis to find malware or variants of known malware.
Heuristic scanning is similar to signature scanning, except that instead of looking for specific signatures, heuristic scanning looks for certain instructions or commands within a program that are not found in typical application programs. As a result, a heuristic engine is able to detect potentially malicious functionality in new, previously unexamined code, such as the replication mechanism of a virus, the distribution routine of a worm or the payload of a Trojan.
They do this by employing weight-based systems and/or rule-based systems (both of which are explained in greater detail below). A heuristic engine based on a weight-based system, a rather old-style approach, rates each functionality it detects with a certain weight according to the degree of danger it may pose. If the sum of those weights reaches a certain threshold, an alarm can be triggered.
Nearly all heuristic approaches in use today implement rule-based systems. This means that the component of the heuristic engine that conducts the analysis (the analyzer) extracts certain rules from a file, and these rules are compared against a set of rules for malicious code. If a rule matches, an alarm can be triggered.

Heuristic Engines and Encrypted Viruses:
Historically, heuristic engines could only assess what was visible to them; as a result, encrypted viruses caused them major problems. In response to this, modern heuristic engines try to identify decryption loops, break them, and assess the presence of an encryption loop according to the additional functionality that is detected.
So how does an AV scanner identify an encryption loop (such as for M68k assembler as utilized on the current Palm OS platform)? The presence of any combination of the following conditions/instructions could indicate an encryption loop:
  1. Initialization of a pointer with a valid memory address.
  2. Initialization of a counter.
  3. Memory read operation depending on the pointer.
  4. Logical operation on the memory read result.
  5. Memory write operation with the result from the logical operation.
  6. Manipulation of the counter.
  7. Branching depending on the counter.
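As an added example (not from the original post), the following Python code implements the weight-based heuristic described earlier over the seven decryption-loop conditions just listed: each condition found in a toy assembly listing adds its weight, and an alarm is raised when the sum reaches a threshold. The weights, threshold, register conventions and the three sample listings are constructed for illustration, and the data-flow checks are a simplification of what a real analyzer does.

```python
from typing import List, Set, Tuple

PTR_REGS = {"si", "di", "bx"}                       # registers treated as memory pointers
COUNTER = "cx"                                       # register treated as the loop counter
LOGIC_OPS = {"xor", "and", "or", "not", "rol", "ror"}
COND_JUMPS = {"jnz", "jne", "jz", "je", "loop"}
# Constructed weights for the seven decryption-loop conditions listed in the post.
WEIGHTS = {"pointer_init": 1, "counter_init": 1, "mem_read": 2, "logic_on_read": 3,
           "mem_write": 3, "counter_change": 1, "counter_branch": 2}
THRESHOLD = 10  # constructed: total weight at which the analyzer raises an alarm

def parse(listing: str) -> List[Tuple[str, List[str]]]:
    """Parse a toy x86-style listing into (mnemonic, operands); drop labels and ';' comments."""
    out = []
    for line in listing.splitlines():
        line = line.split(";")[0].strip()
        if line and not line.endswith(":"):
            mnem, _, rest = line.partition(" ")
            out.append((mnem.lower(), [o.strip().lower() for o in rest.split(",") if o.strip()]))
    return out

def is_imm(op: str) -> bool:
    return op.startswith("0x") or op.isdigit()

def via_pointer(op: str) -> bool:
    return op.startswith("[") and op[1:-1] in PTR_REGS

def score_listing(listing: str) -> Tuple[int, Set[str]]:
    """Return (total weight, conditions seen). The conditions are chained by data flow: the
    logical op must act on the register loaded through the pointer, and the write must store
    that result, so a plain copy loop never collects the high-weight conditions 4 and 5."""
    seen: Set[str] = set()
    read_reg = result_reg = None
    counter_changed = False
    for mnem, ops in parse(listing):
        if mnem == "mov" and len(ops) == 2:
            dst, src = ops
            if dst in PTR_REGS and is_imm(src):
                seen.add("pointer_init")                       # 1. pointer gets a valid address
            elif dst == COUNTER and is_imm(src):
                seen.add("counter_init")                       # 2. counter initialised
            elif via_pointer(src):
                seen.add("mem_read"); read_reg = dst           # 3. read depending on the pointer
            elif via_pointer(dst) and src == result_reg:
                seen.add("mem_write")                          # 5. write of the logical-op result
        elif mnem in LOGIC_OPS and ops and ops[0] == read_reg:
            seen.add("logic_on_read"); result_reg = ops[0]     # 4. logical op on the read value
        elif mnem in {"inc", "dec", "add", "sub"} and ops and ops[0] == COUNTER:
            seen.add("counter_change"); counter_changed = True  # 6. counter manipulated
        elif mnem in COND_JUMPS and (counter_changed or mnem == "loop"):
            seen.add("counter_branch")                         # 7. branch depending on the counter
    return sum(WEIGHTS[c] for c in seen), seen

def is_suspicious(listing: str) -> bool:
    return score_listing(listing)[0] >= THRESHOLD

# Constructed listings (toy assembly, not real malware): an XOR decryption loop that fires
# all seven conditions, a benign copy loop that lacks 4 and 5, and a pure delay loop.
DECRYPT_LOOP = ("mov si, 0x130\nmov cx, 0x40\ntop:\nmov al, [si]\nxor al, 0x5a\n"
                "mov [si], al\ninc si\ndec cx\njnz top\n")
COPY_LOOP = ("mov si, 0x200\nmov di, 0x300\nmov cx, 0x10\ntop:\nmov al, [si]\n"
             "mov [di], al\ninc si\ninc di\ndec cx\njnz top\n")
DELAY_LOOP = "mov cx, 0xffff\nspin:\ndec cx\njnz spin\n"
```

With these weights the decryption loop scores 13 and trips the alarm, while the copy loop (7) and the delay loop (4) stay below the threshold, which is the false-positive trade-off that the weighting is meant to manage.
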

Protocol Anomaly Detection:
This is an example of a heuristic technique used for anomaly detection in network-based intrusion detection. Here we build a model of the TCP/IP protocols from their specifications; since creating a model of the correct use of a protocol is easier than modelling every attack, any deviation from the standard, including deviations caused by new attack methods, can then be found easily.
Nowadays we also see engines that mix heuristic detection abilities with generic detection approaches. This means that the engine tries to identify that a certain set of functionality found within a file belongs to a particular class/family of malicious code. Removal capabilities are most often available for files detected by this kind of class/family detection.

Note: This is an abstract paper on heuristic and signature scanning; more detailed information can be found by searching for heuristic scanning and heuristic functions.