Trojan Technology

Like the virus underground, Trojan writers also have a segment of their developers dedicated to helping Trojans escape detection and spread.

Stealth

Trojans are just beginning to pick up the stealth habits that viruses have long used to remain undiscovered. They are becoming encrypted and polymorphic, and they install themselves in different ways to escape detection. A common routine, which I don't consider true stealth, is for a Trojan to rename itself after a valid system file (e.g. Explorer.EXE, Mdm.EXE, System32.VXD). When I'm looking for signs of a Trojan, I initially bypass these types of files during my first inspection. Only after I've ruled out the strange-looking or unfamiliar names do I investigate the common system filenames.

Some Trojans install themselves with names containing characters that won't display on a monitor. Their filenames appear blank, except for the extension, and a user pulling up the Task Manager might not notice a blank name. If a Trojan registers itself as a service in Windows 9x, the Task Manager will not show the bogus program at all. Other Trojans hook the Task Manager routine and manipulate its query process so that it does not reveal the bad executable.

Stealth definitely complicates Trojan and worm detection. If you do not know what is supposed to be running in memory in the first place, before the malware hits, it's much more difficult to diagnose a possible Trojan event.
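As an added illustration of the baseline point above (example code, not from the book), here is a small Python triage routine over a constructed process listing: it flags names that would render blank, then names absent from a pre-incident baseline, and only last the familiar system filenames found outside their expected location, mirroring the inspection order described. The baseline, snapshot and expected paths are constructed sample data, not real system values.

```python
import unicodedata

# Constructed data: a process-name baseline recorded on a clean machine before any
# incident, and a later snapshot that contains three suspicious entries.
BASELINE = {"explorer.exe", "mdm.exe", "winlogon.exe", "svchost.exe"}
EXPECTED_PATH = {  # constructed: where the familiar names are expected to live
    "explorer.exe": "c:\\windows\\explorer.exe",
    "svchost.exe": "c:\\windows\\system32\\svchost.exe",
}
SNAPSHOT = [
    {"name": "explorer.exe", "path": "C:\\Windows\\explorer.exe"},
    {"name": "svchost.exe", "path": "C:\\Windows\\System32\\svchost.exe"},
    {"name": "\u200b\u200b.exe", "path": "C:\\Windows\\\u200b\u200b.exe"},  # blank-looking name
    {"name": "explorer.exe", "path": "C:\\Windows\\Temp\\explorer.exe"},  # lookalike copy
    {"name": "srv32.exe", "path": "C:\\Windows\\Temp\\srv32.exe"},  # unfamiliar name
]

# Unicode categories that produce no visible glyph: control, format (zero-width
# space etc.), and the three separator classes.
INVISIBLE = {"Cc", "Cf", "Zs", "Zl", "Zp"}


def stem_of(name: str) -> str:
    """Filename without its last extension; a name with no dot is its own stem."""
    stem, dot, _ = name.rpartition(".")
    return stem if dot else name


def looks_blank(name: str) -> bool:
    """True if the name would show as blank in a process list: empty stem, or a stem
    made only of characters that do not render."""
    return all(unicodedata.category(c) in INVISIBLE for c in stem_of(name))


def triage(snapshot, baseline=BASELINE, expected=EXPECTED_PATH):
    """Return (name, reason) findings in inspection order: blank and unfamiliar
    names first, familiar system names in unexpected locations last."""
    unfamiliar, lookalike = [], []
    for entry in snapshot:
        name, path = entry["name"].lower(), entry["path"].lower()
        if looks_blank(name):
            unfamiliar.append((entry["name"], "blank-looking name"))
        elif name not in baseline:
            unfamiliar.append((entry["name"], "not in baseline"))
        elif name in expected and path != expected[name]:
            lookalike.append((entry["name"], "system name outside its expected path"))
    return unfamiliar + lookalike


if __name__ == "__main__":
    for name, reason in triage(SNAPSHOT):
        print(f"{name!r}: {reason}")
```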
