Trojan Horse Technology Exploits IE
LAS VEGAS--A new technology could let a Trojan horse disguise itself as Internet Explorer and let hackers steal data from your PC by fooling firewalls into thinking it's a trusted Microsoft application, say three security consultants.
The trio of South African researchers demonstrated the technique for
breeching firewalls Sunday at DefCon. The annual
Security pros have been warning for two years that a Trojan horse
The Trojan horse gets loaded onto a victim's PC in the same manner as
But Setiri differs from other Trojan horses in that it does not contain executable commands that can cause its malicious actions to be blocked by the firewall.
Instead, the program launches an invisible window in Internet Explorer
to connect stealthily to a Web server through an anonymous proxy site called
Anonymizer.com. The site is intended to
The Trojan horse exploits a standard feature in Internet Explorer that lets invisible browser windows open and connect to the Internet. The browser windows open in the background and don't appear on the desktop, so you can't see what they're doing. If you look for evidence of an open window in your Windows Task Manager, the window will be listed as IEXPLORE.EXE, just like a regular Internet Explorer window.
Internet Explorer uses invisible windows for many legitimate purposes, such as sending registration info to the Net. The e-mail program Eudora makes use of invisible browser windows to download pictures in e-mail.
One possible way to thwart the Trojan horse would be for Microsoft to turn off the invisible window function, says researcher Roelof Temmingh. But doing so would hinder some IE operations.
The only way to prevent Setiri from going to the Web site where its commands are stored, Temmingh says, is to configure a firewall to deny access to the Anonymizer site.
But Haroon Meer, Temmingh's colleague, says this wouldn't stop other variations of the Trojan horse, which might use a different proxy Web site or even use a trusted Web site, where a hacker could conceivably embed malicious code.
According to the demonstrators, a Microsoft programmer in attendance said the company will look for ways to restrict invisible browsers to certain actions. A Microsoft spokesperson would only say the company is committed to keeping customer information safe, and that Microsoft is evaluating the scenario presented in the Setiri demonstration.
Users can, of course, help
Temmingh, Meer, and colleague Charl van der Walt, consultants for SensePost, say they demonstrated the Trojan horse not to scare users and system administrators. They want to raise awareness about what may already be in the wild, and promote discussion of what must be done to protect systems from such programs. "We are three guys who work full-time jobs and we came up with this program just in our spare time," said Temmingh. "So imagine what guys with a lot of time on their hands have already come up with."
In fact, after the DefCon presentation a hacker in the audience told Temmingh that he and friends have already devised a Trojan horse that does what Temmingh's test Trojan horse does. "This stuff could be happening on your machine right now. It's out there, and you must think about the problems with this now," Temmingh says.
Van der Walt urges a closer look at firewalls and invisible programs. "The idea is to look at this mechanism that's trusted by firewalls and see how such a Trojan horse can abuse that trust," he says. "We need to look at what methods should be allowed for invisible programs to operate."
Meer says the three hope Microsoft will soon deal with the invisible window function. But he acknowledges that this will be difficult, since "it will take some functionality away from IE if Microsoft tries to limit the invisible browser."
The three also say that their demo should prompt the firewall developers to reexamine how they handle Net access and designate trustworthy applications.
"The message is, don't think you're safe because you have the usual defenses, such as a firewall," Meer says.