How Can You Get Infected by Trojans?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A lot of people can't tell the various ways of infection apart, because in their minds the only way of getting infected is by downloading and running server.exe, and they say they will never do that. As you'll read here, there are many more ways for malicious attackers to infect your machine and start using it for illegal activities. Please take all of the topics I'm reviewing here really seriously; read them carefully and remember that prevention is far better than the cure!

- ICQ
- IRC
- Attachments
- Physical Access
- Browser And E-mail Software Bugs
- Netbios (File Sharing)

1) Via ICQ

People don't understand that they can also get infected while talking via ICQ or any other instant messenger application. Receiving files is always risky, no matter from whom and no matter from where. Believe it or not, there are still people out there using really old versions of ICQ, all because they can see the IP address of the person they're talking to. The older versions of ICQ had that functionality, and it was useful for everyone capable of using winnuke and other DoS tools, but really, how hard is it to click with the mouse? These people are often potential victims of someone more knowledgeable about Windows trojans who takes advantage of their old ICQ versions.

Let's review various ways of getting infected via ICQ:

- You can never be 100% sure who's on the other side of the computer at any particular moment. It could be someone who hacked your friend's ICQ UIN (Unique Identification Number) and wants to spread some trojans to his/her friends. You'll definitely trust your best dude Bob if he offers you something interesting, but is it really Bob on the other side?
- Old versions of ICQ had bugs in the WebServer feature, which creates a site on your computer with your info from the ICQ database.
  The bug means that the attacker can access EVERY file on your machine, and if you read the previous sections carefully and know the auto-start methods, you'll probably realise what could happen if someone has access to your win.ini or another system file: a trojan installed in a few minutes.
- Trojan.exe is renamed to something like Trojan....(150 spaces).txt.exe, with its icon changed to that of a real .txt file, and this will definitely get you infected. This bug must be fixed in the newer versions for sure.

No matter which instant messenger application you're using, you could always get yourself infected by some program bug you never had the chance to hear about, because you never bothered to check for newer versions of the application. Also, when it comes to receiving files, no matter from where and no matter from whom, take it very seriously and realise the dangers of your naivety.

2) Via IRC

So many people LIVE on IRC, and this is another place where you can get yourself infected. Trust is vital no matter what you're doing. No matter who is sending you files, pretending they're a free porn archive, software for "free internet" or a Hotmail hacking program, DO NOT accept any of these files. Newbies are often targets of these fakes, and believe me, many people are still newbies about their security. Users get infected in porn-trade channels and, of course, warez channels, as they don't think about the risk, only about how to get free porn and free programs.

Here are several scenarios of you getting infected while using IRC:

- You're talking with someone, a "girl" probably, having a great time, and, of course, you want to see the person you're talking to. You ask for a picture, or the "girl" offers you her pictures, and I'm sure you'll definitely want to see them. The "girl" says that she has just created her first screensaver, using some well-known free or commercial software, and offers it to you, but what if "she" mentions that several of the pictures are nude ones?!
  You've been talking to "her" for a week or so; you get this screensaver.exe, you run it and, yeah, VERY nice pics, some are nude, she didn't lie to you, so nothing bad or suspicious has happened, BUT think again about what really has happened!
- Trojan.exe could also be renamed to Trojan.scr, the screensaver extension, and will again run properly when you execute it, so pay attention to these file extensions.
- Trojan.exe is renamed to something like Trojan....(150 spaces).txt.exe; you'll get the file over IRC via DCC, it will appear as .TXT, you won't worry about anything, you run it and get yourself infected again.

In all of these examples the icon of the file is changed, of course, because it needs to be the same icon as a normal .TXT file, and this fools victims very often. Most people don't notice in Explorer that the Type of the file is Application, even though it has a .TXT icon. So BEFORE you run something, even if it has a .TXT icon, check its extension and make sure it's really a text file.

3) Via Attachments

I'm always amazed how many people get themselves infected by an attachment sent to their mailbox. Most of these users are new to the Internet and are pretty naive. When they receive a mail containing an attachment, saying they will get free porn, free Internet access, etc., they run it without fully understanding the risk to their machines.

Check the following scenario: you know your friend Alex is a very skilled Visual Basic programmer. You also know he's coding his latest program, but you're curious what it is all about, and you're waiting for an e-mail from him with the attachment when he finishes coding the application. Yeah, but the person targeting YOU also knows that. The attacker also knows your friend's e-mail address.
Then the attacker will simply code some program, or get some freeware one, and use some relaying mail server to fake the e-mail's FROM field and make it look like your friend's: Alex's e-mail address is firstname.lastname@example.org, so the attacker's FROM field will be changed to email@example.com and, of course, the mail will include the TROJANED attachment... You'll check your mail, see that Alex finally got his program ready and sent it, and you'll download and run it without thinking that it might be a trojan or something else, because, hey, Alex wouldn't do something like that to me, he's my friend, and you'll get yourself infected.

Information Is Power! Just because the attacker knew you were waiting for some particular file, he found Alex's e-mail address and got you infected... timing is everything here. And it all happened just because you were naive, just because you saw firstname.lastname@example.org in the FROM field, and just because you didn't check the mail headers to see that the mail came from some .jp mail server that relays e-mails and has been used by spammers for several months.

Many people got themselves infected by the famous "Microsoft Internet Explorer Update" sent directly to their mailboxes by the nonexistent Microsoft Updates Staff. I understand you felt great because Microsoft was paying attention especially to you and sent you the latest updates, but these "updates" are definitely trojans. Microsoft will NEVER send you updates of their software via e-mail, no matter whether the FROM field says email@example.com, and as you've noticed in the previous example the FROM field could be, and IS, faked. If you ever notice some mail in your mailbox with a subject like "Microsoft IE Update" or similar, delete it WITHOUT viewing or reading the e-mail, because some e-mail clients like Outlook Express and others have bugs that automatically execute the file attached to the e-mail WITHOUT you even touching it.
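The two checks the last three sections keep asking for, put into working code. This is an added example of mine, not part of this paper: it parses a constructed message, tests whether any Received: hop belongs to the From: domain (my own heuristic, with the caveat that mail sent through an unrelated ISP relay also fails it), and judges each attachment name by its real, last extension, which catches the space-padded .txt.exe and the .scr disguises from the ICQ and IRC sections. All hostnames, addresses and the sample message are constructed.

```python
import email
import re
from email.utils import parseaddr

# Real extensions Windows executes, and "document" extensions used as decoys.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "pif"}
DOCUMENT_EXTS = {"txt", "jpg", "gif", "bmp", "doc"}

def filename_warnings(name):
    """Reasons not to open a received file, judged by its REAL (last) extension."""
    reasons = []
    stem, dot, ext = name.lower().rpartition(".")
    if dot and ext in EXECUTABLE_EXTS:
        reasons.append("runs as a program (." + ext + ")")
        if re.search(r" {2,}\.", name):  # e.g. 'pic      .txt.exe'
            reasons.append("padding spaces hide the real extension")
        inner = stem.rpartition(".")[2]  # the decoy in front of the real one
        if inner in DOCUMENT_EXTS:
            reasons.append("fake inner extension ." + inner)
    return reasons

def relay_supports_sender(msg):
    """Heuristic: some Received: hop should belong to the From: domain. Mail sent
    via an unrelated ISP relay fails too, so False means 'ask', not 'forged'."""
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = [re.match(r"\s*from\s+(\S+)", h) for h in msg.get_all("Received", [])]
    hosts = [m.group(1).lower() for m in hops if m]
    return bool(domain) and any(h == domain or h.endswith("." + domain) for h in hosts)

def triage(raw):
    """Parse one raw message and collect every red flag found in it."""
    msg = email.message_from_string(raw)
    flags = []
    if not relay_supports_sender(msg):
        flags.append("From: address is not backed by the Received: chain")
    for part in msg.walk():
        fname = part.get_filename() or ""
        flags += [fname.strip() + ": " + w for w in filename_warnings(fname)]
    return flags

# Constructed sample: From: claims Alex's address, but no hop is in his domain
# (only an unknown dial-up host and a foreign relay) and the attachment hides its .exe.
SAMPLE = (
    "Received: from relay.example.jp ([198.51.100.7]) by mx.example.net; Mon, 1 Jan 2001 10:00:00 +0000\r\n"
    "Received: from [203.0.113.45] by relay.example.jp with SMTP; Mon, 1 Jan 2001 09:59:00 +0000\r\n"
    "From: Alex <alex@example.org>\r\nTo: you@example.net\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n--b1\r\nContent-Type: application/octet-stream\r\n'
    'Content-Disposition: attachment; filename="Readme' + " " * 150 + '.txt.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--b1--\r\n"
)
```

Running triage(SAMPLE) returns four flags: the unsupported From: line plus the three reasons the padded attachment name should never be opened.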
As you can imagine, this is an extremely dangerous problem that requires you to always be up to date with the latest version of any software you're using.

4) Physical Access

Physical access is vital for your computer's security. Imagine what an attacker can do while having physical access to your machine, not to mention if you're always connected to the Internet and leave the room for several minutes... long enough to get you infected. Here I'll point out several scenarios often used by attackers to infect your computer while they have physical access to your machine. There are some very smart people out there who keep thinking of new ways of getting physical access to someone's computer. Here are some tricks that are interesting:

- Your "friend" wants to infect you with a trojan and he/she has physical access to your machine. Let's say you were at home surfing the net, chatting or whatever. Suddenly your "friend" asks you for a glass of water, knowing that you'll go into another room and be away for 1 or 2 minutes. While you do that, he/she takes a diskette out of a pocket and infects your unprotected PC. You come back and everything is OK, because your "friend" is doing exactly the same thing as before you left... surfing the net.
- The next example is when 2 guys want to take revenge on you for something and support each other to accomplish the task. Again you are at home with your "friend", surfing, chatting, whatever you're doing; suddenly the telephone rings and a "friend" of yours wants to speak with you about something really important. He/she (it's better if it's a she in this case) asks, "Is there anyone around you? If so, please move somewhere away from him/her (after finding out whether it is a him or a her, of course). I don't want anyone to listen to what I'm going to tell you." The victim is again lured away from the computer, leaving the attacker to do whatever he/she wants on the target computer.
- Other approaches like the previous ones might be a sudden ring of the doorbell, as well as other variations of phone calls and conversations leaving the attacker alone with the victim's computer. There are so many other possible approaches; just think for a while and you'll see what I mean and how easily you could be tricked, and it's because you're not suspicious enough when it comes to your sensitive computer data.
- Another way of infecting while having physical access is the auto-starting CD function. You've probably noticed that when you place a CD in your CD-ROM drive, it automatically starts with some setup interface; here's an example of the Autorun.inf file that is placed on such CDs:

    [autorun]
    open=setup.exe
    icon=setup.exe

  So you can imagine that while the real setup program runs, a trojan could be run VERY easily, and as most of you probably don't know about this CD function, you will get infected and won't understand what happened or how it was done. Yeah, I know it's convenient to have setup.exe autostart, but security is what really matters here, so you should turn off the auto-start functionality by doing the following: Start Button->Settings->Control Panel->System->Device Manager->CDROM->Properties->Settings, and there you'll see a reference to Auto Insert Notification. Turn it off and you won't have any problems with that function anymore.

I know MANY other variations of physical access infections, but these are the most common ones, so pay attention and try to make up several more by yourself.

When the victim IS connected to the Internet:

Here we have many variations; again, I'll mention the most common ones. While the attacker has physical access, he/she may download the trojan.exe in various ways, just by knowing how various Internet protocols work.
- A special IRC bot known only to the attacker stays on IRC with the sole function of DCCing the trojan.exe back to the attacker whenever he/she messages the bot with a special command. The victim will probably be away from the computer.
- The attacker wants to download some specific software, like a new version of some program infected with trojan(s), of course, and visits some URL known to him/her only and downloads the trojan.
- The attacker pretends he/she wants to check his/her (web-based) mail (for example, at Yahoo! or HotMail) but in fact has the trojan.exe stored in his/her mailbox and just downloads and executes the file, thereby infecting the computer. The mail service is used as a storage area in this case.

There are many more ways of infecting the victim while connected to the Net, as you can imagine. Any of these examples will succeed, but it all depends on the victim's knowledge of the Internet and how advanced his/her skills are, so the attacker needs to check these things somehow before doing any of the activities I pointed out here. After that, the attacker will be able to choose the best variant for infecting the victim and doing the job.

5) Browser And E-mail Software Bugs

Users do not update their software versions as often as they should, and a lot of attackers take advantage of this well-known fact. Imagine you are using an old version of Internet Explorer and you visit a (malicious) site that will check for and automatically infect your machine without you downloading or executing any programs. The same scenario applies when you check your e-mail with Outlook Express or some other software with well-known problems; again you will be infected without downloading the attachment. Make sure you always have the latest version of your browser and e-mail software, and reduce these attack variations to a minimum.
Here are some links about browser and e-mail software bugs; check them out and understand how dangerous these bugs are, and it's all because of you using an old version of the software.

6) Netbios (File Sharing)

If port 139 on your machine is open, you're probably sharing files, and this is another way for someone to access your machine, install trojan.exe and modify some system file so it will run the next time you restart your PC. Sometimes the attacker may use a DoS (Denial of Service) attack to shut down your machine and force you to reboot, so the trojan can start itself immediately. To block file sharing in the WinME version, go to: Start->Settings->Control Panel->Network->File And Print Sharing and uncheck the boxes there. That way you won't have any problems related to Netbios abuse.