T 5.21 Trojan horses
A Trojan horse, often simply called a Trojan, is a program containing a hidden, undocumented function or effect. The user therefore cannot influence the execution of this function, which makes Trojan horses related to computer viruses to a certain extent. Unlike viruses, however, Trojan horses cannot reproduce themselves. Any type of application program can serve as the carrier of a Trojan horse. Script languages can also be misused for Trojan horses: batch files, ANSI control sequences, REXX Execs and ISPF Command Tables in the z/OS operating system, PostScript and similar languages that are interpreted by the corresponding operating system or application program.
The more rights the carrier program of a Trojan horse possesses, the greater the potential damage the Trojan horse can cause.
Examples:
- A modified login program can contain a Trojan horse that transmits the user's name and password over the network to the attacker and then passes them on to the actual login program. Such Trojan horses are encountered on online services such as AOL or T-Online, for example.
- Screen savers, especially those downloaded from the Internet, can contain a hidden function that records the passwords users enter when they log in and then transmits the corresponding data back to the attacker.
- The Back Orifice program is a client/server application that allows a client to administer a Windows PC remotely over the network. In particular, this program makes it possible to read and write data as well as to run programs. There is a risk that it could be embedded in another application program and thereby used as a Trojan horse. If the Trojan horse is started and a network connection is available, an attacker could use the remote administration function of Back Orifice to gain access without the user noticing. The NetBus program, which offers similar functionality, should also be mentioned in this regard.
- With the help of rootkits, which are available for various Unix variants and which contain manipulated versions of system programs such as ps, who and netstat, an attacker can keep back doors open for a long time without being detected. The back doors allow the attacker to break into the system and cover up all traces of the attack. In many cases the files /sbin/in.telnetd, /bin/login, /bin/ps, /bin/who and /bin/netstat, as well as the C libraries, among other files, are replaced with versions containing back doors.
- Another source of risk on Unix systems is the use of "." in the $PATH environment variable. If the PATH variable contains the current working directory (.) as a path, programs located in the current working directory take precedence over the system programs of the same name. In this manner, the superuser could unintentionally run, with root rights, a modified "ls" program that has been placed in the current working directory simply by listing the contents of that directory.
- In the z/OS operating system, an attacker can obtain higher-level rights when he has Update access to the files used during the login procedure (e.g. REXX EXECs) or commonly used during processing (e.g. ISPF Command Tables). The attacker can then replace the existing code with code he has written himself.
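The rootkit example above describes system programs and libraries being swapped for manipulated copies. A basic defensive control against this is a file-integrity baseline: hashes of the security-relevant binaries are recorded once, stored off the system, and compared against the live files later. The following POSIX shell script is an added example and not part of this catalogue entry; it uses sha256sum (assumed available, as on Linux) and demonstrates the check on constructed files in a temporary directory rather than on real system binaries.

```shell
#!/bin/sh
# Record SHA-256 hashes of security-relevant files into a baseline file and
# later verify the live files against it. A rootkit that replaces /bin/ps,
# /bin/login, /bin/netstat etc. changes their hashes, which the check reports.

# baseline_files <baseline-file> <path>...
# Writes one "<hash>  <path>" line per file, in sha256sum's own format.
baseline_files() {
    baseline="$1"; shift
    sha256sum "$@" > "$baseline"
}

# verify_files <baseline-file>
# Recomputes every hash; prints CHANGED or MISSING per deviating file and
# returns 1 if anything deviates, 0 if every file still matches.
verify_files() {
    baseline="$1"
    status=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED  $path"
            status=1
        fi
    done < "$baseline"
    return $status
}

# Demonstration on constructed stand-in files (not real system binaries):
# take a baseline, confirm it verifies, then simulate a replaced "ps".
demo() {
    dir=$(mktemp -d)
    printf 'original ps binary\n'  > "$dir/ps"
    printf 'original who binary\n' > "$dir/who"
    baseline_files "$dir/baseline.sha256" "$dir/ps" "$dir/who"
    verify_files "$dir/baseline.sha256" && echo "clean: all files match baseline"
    printf 'manipulated ps binary\n' > "$dir/ps"   # constructed rootkit-style swap
    verify_files "$dir/baseline.sha256" || echo "integrity violation detected"
    rm -rf "$dir"
}

demo
```

For the check to mean anything, the baseline must be kept where the attacker cannot update it (read-only media or a separate host), and the verification should be run from trusted tools: since a rootkit replaces the system programs and C libraries themselves, a sha256sum or ls loaded from the compromised system may simply lie about the files it is asked to inspect.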
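The "." in $PATH example above is easy to audit mechanically. The following POSIX shell function is an added example, not part of this catalogue entry; it goes slightly beyond the text by also flagging the equivalent forms of the same mistake (an empty PATH field, which a leading, trailing or doubled colon produces and which likewise means the current directory; other relative entries) and, as an assumption about what an administrator would also want to know, absolute directories in PATH that anyone can write to.

```shell
#!/bin/sh
# Audit a PATH value for entries that let a program dropped into a directory
# shadow a system command: ".", "./...", an empty field (a leading, trailing or
# doubled colon also means the current directory), any other relative path,
# and absolute directories that are writable by everyone.
# Prints each finding and returns 1 if any was found, 0 otherwise.
audit_path() {
    path_value="$1"
    findings=0
    # Append a colon so that the last field is seen even when it is empty.
    rest="$path_value:"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            "")
                echo "empty entry (searches the current directory)"
                findings=1 ;;
            . | ./*)
                echo "current-directory entry: '$entry'"
                findings=1 ;;
            /*)
                # Absolute directory: report it if others may write to it,
                # because anyone could then plant a manipulated binary there.
                if [ -d "$entry" ] && [ "$(ls -ld "$entry" | cut -c9)" = "w" ]; then
                    echo "world-writable directory in PATH: '$entry'"
                    findings=1
                fi ;;
            *)
                echo "relative entry: '$entry'"
                findings=1 ;;
        esac
    done
    return $findings
}

# Check the PATH of the current shell, or a value passed as the first argument.
audit_path "${1:-$PATH}" && echo "PATH looks clean"
```

The check is most valuable for the root account and for any account used for administration, since that is where a shadowed "ls" runs with the highest rights; the same logic applies to login scripts that prepend directories to PATH.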