Here's a little advice to help you defeat the Internet's leading Trojan horses. Today's Internet is a veritable hacker free-for-all. Underneath our noses, malicious packets rattle the virtual doors and windows of the Internet community and whiz through our computers searching for weaknesses. Their main targets are poorly configured Windows systems. And without a personal firewall on your employees' home systems, these seemingly innocuous PCs can be the death of your corporate security program.
What is the most popular Trojan horse on the Internet today? If our firewall logs on @Home are any indication, Subseven 2.1 is one of the most frequently scanned-for Trojan horses, and Subseven installations appear to have reached epic proportions. The Subseven 2.1 server was released on Sept. 15 and contains just about everything a malicious hacker's heart desires. It is in essence a remote-control program: an attacker uses the Subseven client to connect to the server and run just about any command on the infected PC.

Among the most dangerous of these features are the port redirector and the port scanner. The port redirector lets an attacker reach any system by forwarding ports on the infected PC to a new target. That is ideal for an attacker who wants to ride the home user's VPN client, which tunnels into your corporate network and opens up your corporate systems. The port scanner turns the typical @Home PC into a personal scanning platform aimed at the corporate LAN. With either feature, the attacks appear to come from trusted employees, from an address your VPN and firewall already trust.

A Subseven infection can occur in a number of ways. The most obvious is through an unprotected share of the root drive: an unsuspecting user shares the entire C: drive, for example, with unauthenticated read and write access. With that in place an attacker can upload the Trojan horse and simply edit the run= line in the win.ini file of a Windows 9x system so that the uploaded program starts at the next logon. The simplest technique is to spam users with an executable attached to an e-mail and tell them to run it. The most elegant techniques have been made famous by Georgi Guninski, the discoverer of numerous e-mail and Web browser security issues.
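The win.ini hook above is easy to audit. The following is an added example, not code from the column or from Foundstone: it parses a Windows 9x win.ini and reports every program the load= and run= keys will start at logon. The sample .ini text is constructed for the example, and the file name in it is a placeholder rather than a real Subseven artifact; on a clean 9x machine both keys are normally empty, so anything listed deserves a look.

```python
"""Flag load=/run= autostart entries in a Windows 9x win.ini.

Added example; not code from the InfoWorld column. The [windows]
section's load= and run= keys start programs at logon, which is the
hook the column describes an attacker editing after uploading a
Trojan horse through an open C: share. The .ini text below is
constructed for the example; the file name in it is a placeholder,
not a real Subseven artifact.
"""
import configparser

# Constructed sample of a win.ini whose run= line has been edited.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\server.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

AUTOSTART_KEYS = ("load", "run")


def autostart_entries(ini_text):
    """Return (key, program) pairs for every program win.ini will autostart.

    Both keys accept several space-separated programs, so each one is
    reported separately. Only '=' is treated as a delimiter so that
    drive letters such as C: are not mistaken for key/value separators.
    """
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True,
        delimiters=("=",))
    parser.read_string(ini_text)
    entries = []
    if not parser.has_section("windows"):
        return entries
    for key in AUTOSTART_KEYS:
        value = parser.get("windows", key, fallback="") or ""
        for program in value.split():
            entries.append((key, program))
    return entries


def report(ini_text):
    """Human-readable summary of what will autostart from this win.ini."""
    entries = autostart_entries(ini_text)
    if not entries:
        return "no load=/run= autostart entries"
    return "\n".join(f"{key}= starts {program}" for key, program in entries)


if __name__ == "__main__":
    print(report(SAMPLE_WIN_INI))
```

Run it against the real C:\WINDOWS\WIN.INI (read the file and pass its text to report) from a known-clean boot; anything it lists that you did not put there is a lead to hand to the cleaner.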
Through one of a number of mechanisms, an attacker can send a forged e-mail to your inbox and execute a command without your knowing it.

The only way to fight Subseven and Trojan horses like it is to detect, clean, prevent, and detect again. You can initially detect these Trojan horses by port-scanning your network for the various Subseven listening ports. Cleaning a system of Subseven is fairly straightforward: many programs today, including our favorite, The Cleaner, will detect the Trojan horse's presence and clean the affected system. For prevention you have a number of options, including the popular personal firewalls; WinRoute, from TinySoftware, has a centralized management console to control its distributed filter rules. Long-term detection comes from those same personal firewalls: strong filtering rules block the initial port scans, and the blocked attempts show up in the firewall logs. But the weakest link is always the administrator.

What do you do to protect your @Home and DSL users who connect to the corporate LAN over the Internet? Let us know at security_watch@infoworld.com.

Stuart McClure is president and CTO and Joel Scambray is managing principal at security consultancy Foundstone (www.foundstone.com).
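The column's first step, port-scanning the network for Subseven listeners, looks like this in practice. The following is an added example, not code from the column or from Foundstone. The column does not list the ports; the defaults below (27374 for the 2.x servers, 1243 and 6776 for earlier builds) are this example's assumption and should be replaced with whatever your own firewall logs show being scanned for. An open port is a lead, not proof of infection, since any service may have been bound there; confirm with a cleaner before acting. The decoy listener is included only so the scanner can be exercised offline against localhost.

```python
"""TCP connect() sweep of a host list for Subseven's usual listening ports.

Added example, not code from the InfoWorld column. The port list is
an assumption of this example, not taken from the column; replace it
with the ports your own firewall logs show being scanned for.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Assumed defaults: 27374 (Subseven 2.x), 1243 and 6776 (older builds).
DEFAULT_SUBSEVEN_PORTS = (1243, 6776, 27374)


def port_open(host, port, timeout=1.0):
    """True if something on host accepted a TCP connection on port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_hosts(hosts, ports=DEFAULT_SUBSEVEN_PORTS, timeout=1.0, workers=64):
    """Return {host: [open ports]} for every host with at least one hit.

    Probes run in a thread pool so a /24 of home-user addresses with a
    one-second timeout finishes in seconds rather than minutes.
    """
    results = {}
    targets = [(host, port) for host in hosts for port in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        probes = pool.map(lambda hp: (hp, port_open(hp[0], hp[1], timeout)),
                          targets)
        for (host, port), is_open in probes:
            if is_open:
                results.setdefault(host, []).append(port)
    return results


def start_decoy_listener(port=0):
    """Throwaway localhost listener standing in for an infected host.

    Only here so the scanner can be demonstrated offline; returns the
    port actually bound (port=0 lets the OS choose a free one).
    """
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    decoy = start_decoy_listener()
    # Sweep localhost for the decoy plus the assumed Subseven default.
    print(scan_hosts(["127.0.0.1"], ports=(decoy, 27374)))
```

In real use, feed scan_hosts the address ranges your VPN concentrator hands out to @Home and DSL users and diff the result against the previous sweep; a newly open port on a home PC is the signal the column wants you to catch before the port redirector turns that PC into a bridge into the LAN.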