CERT Advisory CA-99.02 – Trojan Horses


CERT Advisory CA-99-02-Trojan-Horses

   Original issue date: February 5, 1999
   Last Revised:
Systems Affected

   Any system can be affected by Trojan horses.

   Over the past few weeks, we have received an increase in the number of
   incident reports related to Trojan horses. This advisory includes
   descriptions of some of those incidents (Section II), some general
   information about Trojan horses (Sections I and V), and advice for
   system and network administrators, end users, software developers, and
   distributors (Section III).
   Few software developers and distributors provide a strong means of
   authentication for software products. We encourage all software
   developers and distributors to do so. This means that until strong
   authentication of software is widely available, the problem of Trojan
   horses will persist. In the meantime, users and administrators are
   strongly encouraged to be aware of the risks as described in this
I. Description

   A Trojan horse is an "apparently useful program containing hidden
   functions that can exploit the privileges of the user [running the
   program], with a resulting security threat. A Trojan horse does things
   that the program user did not intend" [Summers].
   Trojan horses rely on users to install them, or they can be installed
   by intruders who have gained unauthorized access by other means. Then,
   an intruder attempting to subvert a system using a Trojan horse relies
   on other users running the Trojan horse to be successful.
II. Recent Incidents

   Incidents involving Trojan horses include the following:
False Upgrade to Internet Explorer

   Recent reports indicate wide distribution of an email message which
   claims to be a free upgrade to the Microsoft Internet Explorer web
   browser. However, we have confirmed with Microsoft that they do not
   provide patches or upgrades via electronic mail, although they do
   distribute security bulletins by electronic mail.
   The email message contains an attached executable program called
   Ie0199.exe. After installation, this program makes several
   modifications to the system and attempts to contact other remote
   systems.We have received conflicting information regarding the
   modifications made by the Trojan horse, which could be explained by
   the existence of multiple versions of the Trojan horse.
   At least one version of the Trojan horse is accompanied by a message
   which reads, in part:
     As an user of the Microsoft Internet Explorer, Microsoft
     Corporation provides you with this upgrade for your web browser. It
     will fix some bugs found in your Internet Explorer. To install the
     upgrade, please save the attached file (ie0199.exe) in some folder
     and run it.
   The above message is not from Microsoft.
   We encourage you to refer to the Microsoft Internet Explorer web site
   at the following location:
   Please refer to the Section III below for general solutions to Trojan
Trojan Horse Version of TCP Wrappers

   We recently published "CA-99-01-Trojan-TCP-Wrappers," which said that
   some copies of the source code for the TCP Wrappers tool were modified
   by an intruder and contain a Trojan horse. The advisory is available
   at the following location:
Trojan Horse Version of util-linux

   The util-linux distribution includes several essential utilities for
   linux systems. We have confirmed with the authors of util-linux that a
   Trojan horse was placed in the file util-linux-2.9g.tar.gz on at least
   one ftp server between January 22, 1999, and January 24, 1999. This
   Trojan horse could have been distributed to mirror FTP sites.
   Within the Trojan horse util-linux distribution the program /bin/login
   was modified. The modifications included code to send email to an
   intruder that contains the host name and uid of users logging in. The
   code was also modified to provide anyone with access to a login prompt
   the capability of executing commands based on their input at the login
   prompt. There were no other functional modifications made to to the
   Trojan horse util-linux distribution that we are aware of.
   A quick check to ensure you do not have the Trojan horse installed is
   to execute the following command
     $ strings /bin/login | grep "HELO"
   If that command returns the following output, then your machine has
   the Trojan horse version of util-linux-2.9g installed.
   If the above command returns nothing, then you do not have this
   particular Trojan horse installed.
   You cannot rely on the modification date of the file
   util-linux-2.9g.tar.gz because the Trojan horse version has the same
   size and time stamp as the original version.
   In response to the distribution of this Trojan horse, the authors of
   util-linux have released util-linux-2.9h.tar.gz. This file is
   available via anonymous ftp from:
   Be sure to download and verify the PGP signature as well:
   This package can be verified with the "Linux Kernel Archives" PGP
   Public Key, available from the following URL:
Previous Trojan Horses

   Trojan horses are not new entities. A classic description of a Trojan
   horse is given in [Thompson]. Additionally, you may wish to review the
   following documents for background and historical information about
   Trojan horses.
III. Impact

   Trojan horses can do anything that the user executing the program has
   the privileges to do. This includes
     * deleting files that the user can delete
     * transmitting to the intruder any files that the user can read
     * changing any files the user can modify
     * installing other programs with the privileges of the user, such as
       programs that provide unauthorized network access
     * executing privilege-elevation attacks, that is the Trojan horse
       can attempt to exploit a vulnerability to increase the level of
       access beyond that of the user running the Trojan horse. If this
       is successful, the Trojan horse can operate with the increased
     * installing viruses
     * installing other Trojan horses
   If the user has administrative access to the operating system, the
   Trojan horse can do anything that an administrator can. The Unix
   'root' account, the Microsoft Windows NT 'administrator' account, or
   any user on a single-user operating system has administrative access
   to the operating system. If you use one of these accounts, or a
   single-user operating system (e.g., Windows 95 or MacOS), keep in mind
   the potential for increased impact of a Trojan horse.
   A compromise of any system on your network, including a compromise
   through Trojan horses, may have consequences for the other systems on
   your network. Particularly vulnerable are systems that transmit
   authentication material, such as passwords, over shared networks in
   cleartext or in a trivially encrypted form. This is very common. If a
   system on such a network is compromised via a Trojan horse (or another
   method) the intruder may be able to install a network sniffer and
   record usernames and passwords or other sensitive information as it
   traverses the network.
   Additionally, a Trojan horse, depending on the actions it takes, may
   implicate your site as the source of an attack and may expose your
   organization to liability.
IV. How Trojan Horses Are Installed

   Users can be tricked into installing Trojan horses by being enticed or
   frightened. For example, a Trojan horse might arrive in email
   described as a computer game. When the user receives the mail, they
   may be enticed by the description of the game to install it. Although
   it may in fact be a game, it may also be taking other action that is
   not readily apparent to the user, such as deleting files or mailing
   sensitive information to the attacker. As another example, an intruder
   may forge an advisory from a security organization, such as the CERT
   Coordination Center, that instructs system administrators to obtain
   and install a patch.
   Other forms of "social engineering" can be used to trick users into
   installing or running Trojan horses. For example, an intruder might
   telephone a system administrator and pose as a legitimate user of the
   system who needs assistance of some kind. The system administrator
   might then be tricked into running a program of the intruder's design.
   Software distribution sites can be compromised by intruders who
   replace legitimate versions of software with Trojan horse versions. If
   the distribution site is a central distribution site whose contents
   are mirrored by other distribution sites, the Trojan horse may be
   downloaded by many sites and spread quickly throughout the Internet
   Because the Domain Name System (DNS) does not provide strong
   authentication, users may be tricked into connecting to sites
   different that the ones they intend to connect to. This could be
   exploited by an intruder to cause users to download a Trojan horse, or
   to cause users to expose confidential information.
   Intruders may install Trojan horse versions of system utilities after
   they have compromised a system. Often, collections of Trojan horses
   are distributed in toolkits that an intruder can use to compromise a
   system and conceal their activity after the compromise, e.g., a
   toolkit might include a Trojan horse version of ls which does not list
   files owned by the intruder. Once an intruder has gained
   administrative access to your systems, it is very difficult to
   establish trust in it again without rebuilding the system from
   known-good software. For information on recovering after a compromise,
   please see
   A Trojan horse may be inserted into a program by a compiler that is
   itself a Trojan horse. For more information about such an attack see
   Finally, a Trojan horse may simply be placed on a web siteto which the
   intruder entices victims. The Trojan horse may be in the form of a
   Java applet, JavaScript, ActiveX control, or other form of executable
V. Solutions

   The best advice with respect to Trojan horses is to avoid them in the
   first place.
     * System administrators (including the users of single-user systems)
       should take care to verify that every piece of software that is
       installed is from a trusted source and has not been modified in
       transit. When digital signatures are provided, users are
       encouraged to validate the signature (as well as validating the
       public key of the signer). When digital signatures are not
       available, you may wish to acquire software on tangible media such
       as CDs, which bear the manufacturer's logo. Of course, this is not
       foolproof either. Without a way to authenticate software, you may
       not be able to tell if a given piece of software is legitimate
       regardless of the distribution media.
     * We strongly encourage software developers and software
       distributors to use cryptographically strong validation for all
       software they produce or distribute. Any popular technique based
       on algorithms that are widely believed to be strong will provide
       users a strong tool to defeat Trojan horses.
     * Anyone who invests trust in digital signatures must also take care
       to validate any public keys that may be associated with the
       signature. It is not enough for code merely to be signed -- it
       must be signed by a trusted source.
     * Do not execute anything sent to you via unsolicited electronic
     * Use caution when executing content such as Java applets,
       JavaScript, or Active X controls from web pages. You may wish to
       configure your browser to disable the automatic execution of web
       page content.
     * Apply the principle of least privilege in daily activity: do not
       retain or employ privileges that are not needed to accomplish a
       given task. For example, do not run with enhanced privilege, such
       as "root" or "administrator" for ordinary tasks such as reading
     * Install and configure a tool such as Tripwire® that will allow you
       to detect changes to system files in a cryptographically strong
       way. For more information about Tripwire®, see
       Note, however, that Tripwire® is not a foolproof guard against
       Trojan horses. For example, see
     * Educate your users regarding the danger of Trojan horses.
     * Use firewalls and virus products that are aware of popular Trojan
       horses. Although it is impossible to detect all possible Trojan
       horses using a firewall or virus product (because a Trojan horse
       can be arbitrary code), they may aid you in preventing many
       popular Trojan horses form affecting your systems.
     * Review the source code to any open source products you choose to
       install. Open source software has an advantage compared to
       proprietary software that the source code can be widely reviewed
       and any obvious Trojan horses will probably be discovered very
       quickly. However, open source software also tends to be developed
       by a wide variety of people with little or no central control.
       This makes it difficult to establish trust in a single entity.
       Keep in mind that reviewing source code may be impractical at
       best, and that some Trojan horses may not be evident from a review
       of the source as described in [Thompson].
     * Adopt the use of cryptographically strong mutual authentication
       systems such as ssh for terminal emulation, X.509 public key
       certificates in web servers, S/MIME or PGP for electronic mail,
       and kerberos for a variety of services. Avoid the use of systems
       that trust the domain name system for authentication, such as
       telnet, ordinary http (as opposed to https), ftp, or smtp unless
       your network is specifically designed to support that trust.
     * Do not rely on timestamps, file sizes, or other file attributes
       when trying to determine if a file contains a Trojan horse.
     * Exercise caution when downloading unauthenticated software. If you
       choose to install software that has not been signed by a trusted
       source, you may wish to wait for a period of time before
       installing it in order to see if a Trojan horse is discovered.
     * We encourage all security organizations to digitally sign any
       advisories or other alerts. We also recommend that users validate
       any signatures, and to beware of unsigned security advice. The
       CERT Coordination center signs all ASCII copies of our advisories
       with our PGP key, available at:
   If you do fall victim to a Trojan horse, some anti-virus software may
   also be able to recognize, remove and repair the damage from the
   Trojan horse. However, if an intruder gains access to your systems via
   a Trojan horse, it may be difficult or impossible to establish trust
   in your systems. In this case, we recommend that you disconnect from
   the network and rebuild your systems from known-good software being
   careful to apply all relevant patches and updates, to change all
   passwords, and to check other nearby systems. For information on how
   to rebuild a Unix system after a compromise, please see

   [Summers] Summers, Rita C.Secure Computing Threats and Safeguards,
   McGraw-Hill, 1997 An online reference is available from the publisher.
   [Thompson] Thompson, Ken, "Reflections on Trusting Trust,"
   Communications of the ACM 27(8) pp. 761-763 (Aug. 1984); Turing Award

   Our thanks to Andries Brouwer for providing information regarding
   util-linux and to the many people who reported information about
   Trojan horse versions of Internet Explorer.
   Tripwire is a registered trademark of the Purdue Research Foundation,
   and it is also licensed to VCC.
   This document is available from:
CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.
Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
   If you prefer to use DES, please call the CERT hotline for more
Getting security information

   CERT publications and other security information are available from
   our web site http://www.cert.org/.
   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.
   Copyright 1999 Carnegie Mellon University.
   Conditions for use, disclaimers, and sponsorship information can be
   found in http://www.cert.org/legal_stuff.html.
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
Revision History

Version: 2.6.2


Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis