A self-propagating virus could have an invisible trojan program as its payload. The virus might be started on one computer of a network and then copy itself to other insecure computers on a network. The trojan will then end up on all the insecure computers.

A trojan might be inserted by the same technique as its name obviously come from, i.e a harmless looking gift which contains the trojan. These are most often propagated by spam emails of many many kinds, which have links to 'something good' to attract the victim. Or it might for instance have been inserted into a copy of a legitimate shareware program and then uploaded to one of the many shareware distribution sites. Or it might have a fake name and appear to be a harmless picture or text file from its name, but is actually an executable program, which possibly disguises its action, by installing the trojan and then performing the apparent action of displaying a picture or text file.

A trojan might be inserted via an EXPLOIT. An exploit is generally an insecure bit of programming in standard legitimate programs, which can be 'exploited' to insert external coding into that legitimate program, sufficient to fetch and install a trojan.

The most frequent type of exploit that you will see is a 'buffer overflow'. Within some programs instructions and data are mixed together and a buffer overflow might occur as in this example. Suppose a program is inputing some stuff from a user in a typical input box on the screen, say the users name or email address. The legitimate programmer assumed that the name would not be longer than 60 characters, so he assigns a buffer 60 characters long. The compiler might allocate 60 bytes for that buffer and then carry on compiling more instructions. Now if the original programmer is careless and does not check or restrict the size of the incoming information before it is written into the buffer, it might jam a large input into the small buffer and would overflow. The incoming stuff would then overwrite the following instructions.

Now if this happens by accident the incoming characters considered as instructions will be nonsense and the most likely result is that the computer crashes or hangs. But if a cyber-crim (ex-hacker) knows of a particular buffer-overflow insecurity he can carefully craft characters in the overflow portion so that they are not nonsense but are a loader of trojans instead. So it loads the trojan and then crashes. After the re-boot the trojan is in place.

Cyber-crims learn of insecurities in various ways, by their own investigations, by publications on hidden criminal forums, etc or by buying them from each other. There's plenty of victims out there so they probably don't mind selling their second best exploits to each other. Dark-hackers might actually develop the whole exploit and sell it as an injection tool.

Most of the patches issued by Microsoft on it's monthly updates are to fix insecurities by re-writes which perform the checking or restricting that the original programmer should have put in in the first place, thus closing the exploit.

How do they get the bloated data into a relevant buffer on the victim's computer? Well usually it is from stuff output by a dodgy or compromised website. Within an internet browser program (Internet Explorer, Firefox etc) many actions take place when a page is received from a website. Internally some of these use buffers and some of the programming is insecure. Firefox is generally considered to have less such insecurities than Internet Explorer, mainly because the program is open-source so many many people read the actual programming and report insecurities. Unfortunately it also means that dark-hackers can also read the programming looking for new insecurities on which they can write exploits.

Where the buffer overflow insecurity is in the programming of a legitimate website itself, it is somewhat easier for the cyber crim as they can merely (?) compose the exploit and then feed it directly to the website. So they can get a hidden program onto the website itself. This can then be used to rework legitimate web pages so that they contain exploits which will then infect users computers.

Bill.

So what does a trojan malware program do?

Well first of all, like ET the Alien, it 'phones home', since the infections are scattered on the wind, the crim will not know that a computer has been infected until it calls home.

Naturally the crims, make the call home as invisible as possible so a variety of techniques are used, to make the crims difficult to trace. One method is to use the IRC internet protocol, the original version of instant messaging (like Windows Live Messenger etc.). It's possible to use legitimate IRC servers, by sending to a specific user ID. The crim-user logs in to the legitimate IRC server from time to time and from a different IP address each time, so s/he cannot easily be traced. {the crims-actions are all automated of course}.

The trojan sends the IP address(es) of its infected computer etc and a name etc and will probably try open any firewalls for particular ports.

The cyber-crim then adds this computer to his database of infected computers or robots, collectively known as his BOTNET.

The crim can then send programs to the trojan for the trojan to install in the infected computer. One of those programs could well be a keylogger program. This will record all keystrokes typed by the victim on his keyboard, so it is quite likely to contain internet addresses of banking websites etc and anything typed shortly there after is likely to be an account name and password. Banks try to prevent this working by asking for only part of a password, but a frequent on-line bank user will eventually have typed in many of the combinations and the whole password will be obvious over time.

Another common program to be installed by the trojan is a spam mail relay program. The billions of spam emails are not nowadays sent from a few spammers locations (they would be found out and blocked) instead they are sent out by botnets. The botnet crim send a sample email and a big list of email addresses over the net to his slaved computers and each one will silently send out hundreds of thousands or millions of spam emails. The crim will of course use this to send out more infection emails to expand his botnet, but he will also rent out his botnet for sending more conventional spam such as the many adverts for Viagra.

Other installed programs will search the files of the infected computer looking for valid email addresses for mor span and for any passwords in files.
NB: Never name a file of passwords with an obvious name like passwords.txt and never include the word 'password' or 'key' or 'passkey' as headers or such within such a document. And never use any financial passwords on any other websites etc and always create a different password for each different financial situation.

<enough for today. I will try explain more at a later date>

If you want more right now read this white paper from Sophos
http://web.sophos.com/sph/enterEmailAddress.jssp?PivotalWebId=sophos-security-threat-report-midyear-2010-wpna&FormName=White_Paper&lang=en&Resource=sophos-security-threat-report-midyear-2010-wpna&returnUrl=/security/whitepapers/sophos-security-threat-report-midyear-2010-wpna?action=lead_collected
Link

You have to 'sign-up' to download it {probably because Sophos would like to find the dumbest criminals who give out their contact info to read the report about their criminal activities.

Revised on 10 Apr 2011

In the case of Firefox the help information is not held locally on your computer it is at the Firefox website, where it provide a search box. I typed [password removal] in the search and it cam up with various pages, not directly answering the question, but one of them was this:

http://support.mozilla.com/en-US/kb/Protecting+stored+passwords+using+a+master+password?s=password+removal&as=s Link

Which shows how to install a master password to protect all the stored website passwords.

As you see a short way down that help page it tells you to drop down the EDIT menu and select PREFERENCES and then SECURITY.

And you could follow the procedure to set a master password, but also on that dialog box is a button called [saved passwords]. Click that button and it leads to the dialog box for managing the saved passwords and for removing them from the list.

REMINDER: On ordinary shopping or discussion websites etc never define the same password(s) that you use for any of your financial logins such as banks or Paypal or credit cards etc. And try to avoid having a shopping site remember your credit card details (unfortunately a lot of them do memorise the details). If it does memorise your credit card detail go back to your shopping site account details and make sure you used a good secure password or change it to a good one.. A good password should be LONG at least over 12 symbols long and should contain both upper and lower case letters, some digits and some graphic symbols if allowed. Keep a record of your passwords in a secure paper booklet such as an old diary and don't make it too obvious which website a given password belongs to.

Tips for making passwords: try using a few simple rules to help you. e.g
i)use TWO or THREE words strung together (no spaces),
ii)perhaps use digits to separate the words. iii)Use some sort of rule for the digits such as the digits of the date on which you defined the password or a count of the letters in the preceding word
iv)Avoid capitalizing the first letter of each word, instead always capitalize the second or the third or the last or those letters that happen to occur in your own name or in the other word of a two word pair.
v) don't tell anyone else the rules you choose.

Bill.

Revised on 10 Apr 2011

Phishing

The fake email above is a simple instance of what is generally known as phishing [Phoney fishing ?]

Most often it is not an attachment but a link in the email that is fake

Which is why it is best to always view your emails as plain text.

It's nice maybe to have those pretty emails with logos and backdrop paper textures etc, but its far safer to look at them as plain text so that you do not get fooled by fraudsters.

Here is a phishing attempt I received some time ago. It pretends to be from HSBC and tells me about fraudulent attempts.

quote:

---

Hsbc Bank plc. is hereby announcing newly upgrade security system. We have been dealing with cases of fraudulent messages in recent times and we have decided to carry out a verification exercise on all of our customers account to prevent them from being victimized.
Due to the recent security upgrade, you are requested to follow the link below.http://www.hsbc.co.uk/1/2/personal/pib-home/

We appreciate your understanding, as we work towards making Hsbc
Bank a safe and reliable place to do business.
Thank you for your patience in this matter.

---