
In document Foundations of Computer Security pdf (Page 130-132)

Trojan Horses

4.1 Applications of Trojans

of how it was obtained. Users were also advised to inspect any other software that had been downloaded from the compromised site.

Example: A keystroke logger (or a keystroke grabber) is a Trojan horse that runs in the background, recording the user’s keystrokes. (This is also an example of spyware or RAT, Chapter 9.) The keystrokes are written onto a hidden file and are later transmitted to the Trojan’s owner or even retrieved personally. The latter option makes sense in cases where the culprit has physical access to the infected computer, such as in an office or a lab.

Every computer user knows the importance of keystrokes. Every password is entered through the keyboard, so the perpetrator of a keystroke logger can easily obtain all the passwords of the computer user/owner. Even bank account numbers often have to be typed, making the financial resources of the computer owner vulnerable to the hacker.

One solution is to minimize the number of keystrokes by using copy and paste. A computer owner may keep all sensitive information, such as passwords, account numbers, and credit card numbers in an encrypted text file. Whenever any sensitive information is needed, the owner decrypts this file (its password has to be typed, and is intercepted by the hacker, but the hacker may not have access to the file), copies the data, then pastes it into a login program, an ftp program, or an Internet browser. The copy and paste are done by typing special keystrokes (such as a function key or a command key) that are always the same and don’t provide any useful information to the hacker.

Some Swiss banks hit on a different solution. The bank provides its customers with a special minicalculator that’s synchronized with the bank’s main computer. A customer wanting to transact business with the bank from their computer types their password into the minicalculator, which generates a second, random password good for just one transaction. The customer then types the second password into their computer (Figure 4.1) and it is recognized by the bank’s computer for one transaction only. Intercepting such a one-time password is futile, making this two-step authentication scheme highly secure.

[Figure 4.1. Steps shown: 1. Enter 12345. 2. See 7gre8&. 3. Enter 7gre8&.]
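The one-time-password exchange described above can be sketched as follows. This is an added example, not code from the book or from any bank: it substitutes the public HOTP algorithm (RFC 4226) for the unspecified scheme in the minicalculator, and the names `Token`, `BankServer` and `demo`, the look-ahead window of 3 and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Token:
    """Hypothetical customer device: PIN-gated, keeps its own counter."""

    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin, self._counter = secret, pin, 0

    def generate(self, pin: str) -> str:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        code = hotp(self._secret, self._counter)
        self._counter += 1  # every code is produced exactly once
        return code


class BankServer:
    """Hypothetical verifier: accepts a code once, within a small look-ahead."""

    def __init__(self, secret: bytes, window: int = 3):
        self._secret, self._counter, self._window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self._counter, self._counter + self._window + 1):
            if hmac.compare_digest(hotp(self._secret, c).encode(), code.encode()):
                self._counter = c + 1  # burn this code and all earlier ones
                return True
        return False


def demo():
    secret = b"12345678901234567890"  # constructed sample key (RFC 4226 test key)
    token, bank = Token(secret, "12345"), BankServer(secret)
    code = token.generate("12345")
    first = bank.verify(code)    # legitimate transaction
    replay = bank.verify(code)   # same code captured by a keystroke logger
    token.generate("12345")      # a code the customer generated but never sent
    resync = bank.verify(token.generate("12345"))  # server catches up
    return first, replay, resync
```

The server advances its counter past every accepted code, so a code recorded on the customer's computer is rejected when submitted a second time, while the look-ahead window keeps the device and the server synchronized if the customer generates a code without using it.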

Trojan horses, which open back doors on computers for hackers to enter through, have become easy to develop and are being used to steal banking details. Such Trojans wait for a user to browse a Web site with the word bank in it. At that point, the Trojan records the user’s key strokes, capturing their user name, password and account numbers.

—Eugene Kaspersky, Kaspersky Labs, http://www.kaspersky.com.

Example: A screen capturing program. Anything typed by a user is echoed and displayed on the monitor screen, for visual verification. Thus, when a password is pasted into a browser, it is shown on the screen for a short time. A hidden program that captures the screen (periodically or each time the user presses “return”) can therefore be useful to a hacker. The Theef 2.0 Trojan horse is known to capture the computer screen continuously, as well as performing other destructive operations. A common solution is to display the password as a string of asterisks.

Exercise 4.2: Search the Internet for more examples of common trojans.

4.2 Installing a Trojan

A simple way of installing a program with a Trojan horse on many computers is to write a useful application or utility and sell it (perhaps as shareware) for a very low price. This should be a program that the user will execute often, or at least on a regular basis, so here are some ideas:

Anti-virus software. Someone who buys such software is supposed to execute it often or at least as soon as a new virus update appears.

A cleanser. A modern operating system is complex and may require periodic house cleaning. The following list may look familiar to many personal computer owners.

1. Applications and utilities may create temporary files and forget (if written by an inexperienced programmer) to delete them.

2. Log files, cache files, and automatic messages created by the operating system should be deleted from time to time.

3. Access permissions of important operating system files may be modified accidentally by imperfectly-written programs or when the computer crashes or hangs. A sudden power failure may also damage the permissions. Thus, someone (or something) should periodically check and restore the original permissions.

4. Programs often have a help facility, and a program may have lots of small files with help text in many languages. A user who speaks only Armenian, for example, may want to delete all the help files in other languages.

5. The file directory may become slightly damaged over time. Running a disk repair utility once a week may be a good idea, as this can locate and repair small problems before they turn serious.

6. Certain operating systems recommend that files should be defragmented periodically.
