Malicious Mobile Code by Roger A. Grimes

Trojan Technology

Like the virus underground, Trojan writers also have a segment of their developers dedicated to helping Trojans escape detection and spread.

Stealth

Trojans are just beginning to pick up the stealth habits that viruses have long utilized in order to remain undiscovered. They are becoming encrypted and polymorphic, and are installing themselves in different ways to escape detection. A common routine, which I don’t consider true stealth, is when a Trojan renames itself after a valid system file (e.g. Explorer.EXE, Mdm.EXE, System32.VXD). When I’m looking for signs of a Trojan, I’ll initially bypass these types of files when doing my first inspection. Only after I’ve ruled out the strange-looking or unfamiliar names do I investigate the common system filenames.

Some Trojans install themselves with names containing characters that won’t display on a monitor. Their filenames will appear blank, except for the extension. When pulling up the Task Manager, a user might not notice a blank name. If a Trojan registers itself as a service in Windows 9x, the Task Manager will not show the bogus program. Other Trojans hook the Task Manager routine and manipulate its query process so that it does not reveal the bad executable.

Stealth definitely complicates Trojan and worm detection. If you do not know what is supposed to be running in memory in the first place, before the malware hits, it’s much more difficult to diagnose a possible Trojan event.
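The baseline-first approach the passage ends on, as an added example that is not taken from the book: a small Python triage over a constructed process listing that flags the three tricks described above (unfamiliar names, known system filenames running from an unexpected directory, and names that display as blank). The baseline dictionary, the sample listing and the function names are assumptions for illustration.

```python
# Added example (not from the book): compare a process listing against a baseline
# recorded on a known-clean machine and report what does not belong.
from typing import Dict, List, Tuple

# Constructed baseline of what is expected to run and from which directory.
# Hypothetical values; a real baseline is captured before any incident.
BASELINE: Dict[str, str] = {
    "explorer.exe": r"c:\windows",
    "mdm.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}

def _display_stem(name: str) -> str:
    """Visible characters of a filename with its extension removed."""
    stem = name.rsplit(".", 1)[0] if "." in name else name
    return "".join(ch for ch in stem if ch.isprintable() and not ch.isspace())

def check_process(name: str, path: str) -> List[str]:
    """Reasons this (name, directory) pair looks suspicious; empty list if it matches the baseline."""
    reasons = []
    key = name.lower()
    directory = path.lower().rstrip("\\")
    if not _display_stem(name):
        reasons.append("blank or non-displaying filename")
    if key not in BASELINE:
        reasons.append("not in baseline")
    elif BASELINE[key] != directory:
        reasons.append(f"system filename running from unexpected directory {path}")
    return reasons

def triage(processes: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Run check_process over a listing of (name, directory) pairs and keep only the hits."""
    hits = {}
    for name, path in processes:
        reasons = check_process(name, path)
        if reasons:
            hits[f"{path}\\{name}"] = reasons
    return hits

# Constructed sample listing, not real telemetry.
SAMPLE = [
    ("explorer.exe", r"C:\Windows"),          # legitimate
    ("Explorer.EXE", r"C:\Windows\Temp"),     # system name, wrong directory
    ("\u200b.exe", r"C:\Windows"),            # name that displays as blank
    ("updater.exe", r"C:\Windows\System32"),  # unfamiliar name
]

if __name__ == "__main__":
    for proc, why in triage(SAMPLE).items():
        print(proc, "->", "; ".join(why))
```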
