Lecture 6. Trojans

What Is a Trojan?

A trojan horse, or trojan is

• An unauthorized routine contained within a legitimate program. This unauthorized routine performs functions unknown to (and probably unwanted by) the user.
• A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown to (and probably unwanted by) the user.
• Any program that appears to perform a desirable and necessary function but that (because of unauthorized code within it that is unknown to the user) performs functions unknown to (and probably unwanted by) the user.

What do trojans do?

• steal passwords or copy files or other valuable data without your knowledge.
• function as backdoor, which is a secret undocumented entry point into a program or a system with proper authorization.
• damage data files or hardware devices, or some other system.
• hides some information such as the traces of intrusion.

How Does One Detect a Trojan?

Detecting trojans amounts to detecting changes to files.
• examine time of last modification
• can be manipulated
• when copied, it doesn't change
• examine file size
• still possible to be manipulated
• few people remember file sizes
• checksum or CRC values

In the checksum system, the data elements of a file are added together and run through an algorithm. The resulting number is a checksum, a type of signature for that file.

On the SunOS platform, the utility "sum" calculates and prints to STDOUT the checksums of the specified files, and the utility "cksum" calculates CRC values.

Although checksums are more reliable than time of last modification or file size, these too can be tampered with.

Most system administrators suggest that if you rely on a checksum system, your checksum list should be kept on a separate server or even a separate medium, accessible only by root and other trusted users.

In any event, checksums work nicely for checking the integrity of a file transferred, for example, from point A to point B, but that is the extent of it.
 

• one-way hash functions such as MD5 or SHA-1

one-way hash function H may be considered as a stronger form of checksum or CRC functions, and has the following properties:

• H, applied to an arbitrary-length message M, returns a fixed-length value h.
• One-wayness:
1. Given M, it is easy to compute h.
2. Given h, it is hard to compute M such that H(M) = h.
3. Given M, it is hard to find another message, M', such that H(M) = H(M').
• Collision Resistance:
It is hard to find two random messages, M and M', such that H(M) = H(M').

MD5

MD5 belongs to a family of one-way hash functions, called message digest algorithms, developed by Ron Rivest. The MD5 system is defined in RFC 1321. Concisely stated:
The algorithm takes as input a message of arbitrary length and produces as output a 128-bit fingerprint or message digest of the input. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private key under a public-key cryptosystem such as RSA.

When one runs a file through an MD5 implementation, the signature emerges as a 32-character value. It looks like this:

2d50b2bffb537cc4e637dd1f07a187f4

Another usage of MD5 is its use in one-time password scheme S/Key, which is used primarily for remote logins. (Read "S/Key Overview" at http://medg.lcs.mit.edu/people/wwinston/skey-overview.html)

SHA-1

SHA-1 (Secure Hash Algorithm) is a message digest algorithm, designed by NSA for Digital Signature Standard, which produces 160-bit output. For details, see FIPS180-1.

SHA-1 is considered much stronger than MD5.

TripWire

TripWire is a comprehensive system-integrity tool.

The program reads your environment from a configuration file. That file contains all filemasks (the types of files that you want to monitor). This system can be quite incisive. For example, you can specify what changes can be made to files or directories of a given class without TripWire reporting the change.

The original values (digital signatures) for these files are kept within a database file. That database file (simple ASCII) is accessed whenever a signature needs to be calculated.

Hash functions included in the distribution are: MD5, MD4, CRC32, MD2, Snefru, SHA.

TripWire is a magnificent tool, but there are some security issues.

Its databases can be altered by a cracker. Therefore, it is recommended that the database be stored in a secure place, and perhaps on read-only media.

Another issue is that files might have been tampered even before TripWire is run.