The Trojan Defence
First Published: SC Magazine

The malicious Trojan Horse application (Trojan for short) has been around for over a decade now, and organisations are still struggling to manage the threat. While anti-virus software has matured during this time and is capable of dealing with the majority of previously known or well-studied Trojans, the sheer number of new Trojan development kits and the increasing sophistication of “silver threading” techniques (the process of inserting Trojan code within any other distributable application so that it cannot be detected by anti-virus products) has ensured that they still present an immediate threat to the corporate environment.

Traditionally the corporate desktop environment has been protected by an organisation's perimeter defence systems – such as firewalls, content filtering, intrusion detection systems and anti-virus protection. However, corporate users now require greater access to Internet shared resources and communication systems. This has invariably led to greater opportunities for the successful installation of Trojans at the corporate desktop level.

In essence, more corporate desktop environments are being compromised by Trojans than ever before. The significance of this is two-fold. Firstly, there are the direct threats of loss of internal network integrity and data compromise - of which most organisations are already aware and can typically quantify. However, the latest threat is legal deniability.

There have been incidents around the world where illegal material has been found on an employee's computer system and the employee has denied all responsibility for it. In an increasing number of cases, forensic investigations have discovered that the systems had previously been compromised by an installed Trojan, casting doubt over the source of the illegal material and preventing prosecution of the employee – resulting in the dismissal of the prosecution case.

The presence of a Trojan on the computer system will make it extremely difficult for an organisation to prove beyond doubt that an employee had undertaken any illegal or malicious activity. The employee could rightly claim that someone else may have used the Trojan to carry out activities such as viewing child pornography, downloading pirated software, accessing confidential documents or hacking other corporate resources (including other external organisations).

If an employee has sufficient access rights or knowledge of their desktop environment, they may be able to install a Trojan on their own computer and use its presence to indemnify themselves against any future legal repercussions.

Organisations must undertake steps to prevent Trojans from making it to the desktop by keeping their perimeter defence systems up to date, AND securing the desktop environment using local versions of their anti-virus, firewall and intrusion detection systems. Just as importantly, organisations must ensure that they can audit each client workstation and detect any changes in executable file integrity for the presence of possible Trojan installations.

Key steps to prevent Trojan incidents
(1) Ensure that the corporate perimeter defences are kept continuously up to date.
(2) Filter and scan all content at the perimeter defences that could contain malicious content.
(3) Run local versions of your anti-virus, firewall and intrusion detection software at the desktop.
(4) Rigorously control user permissions within the desktop environment to prevent the installation of malicious applications.
(5) Manage local workstation file integrity through checksums, auditing and port scanning.
(6) Monitor internal network traffic for odd ports or encrypted traffic.
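As an added example (not from the original article), a minimal file-integrity check of the kind step (5) calls for: it records SHA-256 checksums of the executables on a workstation as a baseline and later reports binaries that were modified or newly added. The executable extensions and the constructed sample files are assumptions made for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: a Windows-style desktop, so these suffixes mark executable content.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".com"}


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks for large binaries."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each executable's path (relative to root) to its checksum."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences: altered binaries, unexpected new binaries, missing binaries."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake workstation, then simulate a Trojan install."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "editor.exe").write_bytes(b"MZ original editor")       # constructed
        (root / "app" / "helper.dll").write_bytes(b"MZ helper library")        # constructed
        (root / "app" / "readme.txt").write_bytes(b"not an executable")        # constructed
        baseline = build_baseline(root)
        # Simulated compromise: one legitimate binary is replaced by a "silver-threaded"
        # copy, a new executable is dropped, and a non-executable changes (ignored by design).
        (root / "app" / "editor.exe").write_bytes(b"MZ original editor + injected code")
        (root / "app" / "svc.exe").write_bytes(b"MZ dropped payload")
        (root / "app" / "readme.txt").write_bytes(b"changed text, not flagged")
        return compare(baseline, build_baseline(root))
```

In practice the baseline would be stored off the workstation (or signed) so that whoever plants a Trojan cannot simply regenerate it.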

    Copyright 2001-2007 © Gunter Ollmann