
Terrifying Trojans

Command Line Heroes Team
Security
Tech history


About the episode

Sometimes a fun game, a friendly email, or an innocuous link can be the most convenient place for an enemy to hide. And its prey is none the wiser—until it strikes. The trojan horse uses many layers of deception to do damage. The ingenuity of these attacks keeps an alarming pace with the technology we use every day. But as long as we stick to trusted sites and sources, we can better the odds against those who use our trusting nature against us.

Steve Weisman tells us about how trojans still keep security professionals on the defensive. Josephine Wolff details how these attacks have evolved, and keep evolving, to catch victims off guard. And Yanick Fratantonio takes on the new frontier for trojan attacks.


Transcript

You are at base camp in the middle of a bleak stretch of Antarctica, many miles away from any form of civilization. You're there with a team. You've been there for months. You all know each other pretty well, trust one another. You have to in a remote environment like this. But one night you hear your sled team barking. You go to investigate. The dogs are agitated, growling, and snarling, and you're not sure why. The next morning doors and windows were left open letting snow in, and no one can explain it. Your team is on edge. They're questioning each other, pointing fingers. And then you notice a colleague you thought you could trust with your life, he looks more or less the same, but he's not himself anymore. You might remember the '80s movie, The Thing. An evil alien is lurking among the ice fields of Antarctica and it has the power to take the shape of humans. The thing can commit all kinds of evil just by capitalizing on our basic belief that familiar things won't do us harm. Of course, a trick like that can play out in real life, too. Happens online all the time.

This season, we're exploring the horror stories that haunt our digital lives, the malware, the hacks, the identity theft that keeps security heroes awake at night. And this time we're looking at Trojan horses, the cyber attacks that depend on human behavior. Our want and need to trust. I'm Saron Yitbarek, and this is Command Line Heroes, an original podcast from Red Hat.

I'm definitely wary of emails asking me to do something like confirm my password, but even people who should know better can fall for these scams. We're going to figure out exactly how hackers capitalize on human psychology to make that happen and how and why it can lead to so much destruction. Last time, we learned about viruses and worms, where the goal is rapid far reaching attacks, but the focus of a Trojan isn't speed or reach. It's access. Think about the original Trojan horse. A team of Greek soldiers spills out of a giant wooden horse that the Trojans thought was a gift. A Trojan horse attack is going to roll right up to your front door and announce itself. It could be a fun game, a friendly email, a tempting bit of clickbait. The most appealing, familiar things are offered up. And it's only once we let down our defenses and invite them in that we realize they're harboring an enemy. Once inside a device, Trojans can steal identities, capture keystrokes on banking sites, disable antivirus software, even allow your computer to become a zombie soldier in some hacker's botnet. Some get to work automatically, and others wait patiently for instructions from their creator. What they all have in common is that element of trust. And as we're about to find out, trust can be a powerful and a very dangerous thing.

Things aren't as bad as you think. They are far worse. The more you know, the more scared you get.

Steve Weisman teaches students at Bentley University about white collar crime with a focus on cyber crimes and identity theft. From his perspective, those in security software are in a difficult situation. Trojans keep evolving to match every new technology. Security teams have no choice but to respond on the fly. They are always playing catch up. But there is something universal, something constant about Trojan attacks and that's the fact that they all take advantage of human trust and they do that by using social engineering.

Social engineering is using information that can be obtained in all kinds of places to lure someone into doing something. So if I get an email that says, "Send me your username and password for your bank," well, I'm not going to trust that. However, if I get one that appears to come from my bank, so they leverage personal information to get you to trust them. Social engineering just is good, old-fashioned digging, getting information and using that to get people to trust them. And my motto, trust me, you can't trust anyone.

Bit harsh, but point taken. Human trust is the magic ingredient, but how does that play out in the real world? What level of damage can a little social engineering really do?

When Zeus first came out, people weren't thinking of security and defense that much.

Zeus was a Trojan horse, one of the very first Trojan malware packages. And by 2009, it was a pretty prominent security problem. The thing about 2009, as Weisman just said, is that it was a slightly more naive time. Most people weren't on social media, online banking and even email were new concepts for many. People didn't see it coming. So imagine in that more innocent time, you open your laptop and see an email, a message from a federal tax authority say, looks legit. And the subject line reads "Notice of underreported income," that can't be right. Can it? You better check. And that's it. You clicked on the link in that email and a Trojan entered your computer. Now it waits for you to visit your online bank. And when you do, Zeus grabs your username and password, relays it to a criminal organization. Your account could be drained and you wouldn't know anything had happened until it was too late.

Zeus was quite sophisticated. Zeus had the ability to take a screenshot of the computer to see what you're looking at. So, literally they could see what you are doing.

Zeus could also log your keystrokes, install additional software, and even access your webcam. But the really clever thing about Zeus was how it worked around two factor authentication. Security professionals thought that asking for a second form of ID would shut down attacks like this, but Zeus found a workaround.

For instance, if you went to your bank and it was infected with Zeus, when you would get to the page where you would put in your username and password, instead of the bank's webpage coming up, a Zeus controlled webpage would come up that looked identical to the bank's webpage. 
But it would say, "For your security, we need you now to give us your social security number" or "Give us your mother's maiden name," or whatever information. People would put it in thinking they were helping to confirm their identity when in fact they were giving the scammers all the information that they could possibly want. In other words, Zeus would convince you to bypass your own security. The attack was so convincing because Zeus was quite literally replacing your bank's actual website with a fake one. Zeus was used for years and stole hundreds of millions of dollars. According to the FBI, one Zeus ring alone was responsible for stealing over $70 million from victims. But here's the really scary thing. Zeus, devastating as it was, was just the beginning. Zeus has spawned a whole industry of banking Trojans. New versions kept cropping up because the Zeus source code was leaked online in 2011. That meant anyone could take the Zeus blueprint and build their own banking Trojan. We ended up with variants like Ice IX, Citadel, and GameOver Zeus. And then there were other Trojans that didn't derive from Zeus at all. There's SpyEye, Carberp, Tinba, and Dridex. Each one more sophisticated than the last. Technology has made it easier for the scammers, but it's also made it easier for law enforcement. Weisman is optimistic that we're getting better at fighting back. Banks have improved their security measures. Two factor authentication has evolved beyond what Zeus could circumvent. And international law enforcement cooperation has gotten much better at tracking down cybercriminals. There have been some very successful prosecutions of these large Zeus networks, and I think that will serve as a deterrent to some extent. But as Weisman said at the start, security teams are always playing catch up. The threat landscape keeps evolving. To understand how Trojans have adapted to our modern world, I wanted to talk to someone who studies how these attacks have changed over time. 
Trojans are really interesting from a kind of social engineering perspective because they fundamentally depend on the user doing something. Josephine Wolff is an associate professor of cybersecurity policy at Tufts University. She's written extensively about cybersecurity and has a particular interest in how human behavior intersects with technology security. Unlike a lot of other kinds of malware, Trojans can't just automatically infect your computer. They need you to download them, install them, run them. So, they're really dependent on human psychology and human behavior in a way that makes them both more limited but also more interesting from a research perspective. Wolff explains that Trojans have had to evolve alongside our changing digital habits. In the early days, they relied on people downloading suspicious files from email attachments. As we got smarter about that, they moved to compromised websites and malicious ads. We've seen Trojans become much more sophisticated in terms of the social engineering techniques they use. They're much better at mimicking legitimate software, legitimate communications from trusted sources. And as our devices have become more diverse, so have the attack vectors. Trojans have adapted to target not just computers, but smartphones, tablets, smart TVs, and even Internet of Things devices. Each new technology platform creates new opportunities for attackers but also new challenges. Mobile devices, for example, have different security models than traditional computers, which means attackers have had to develop new techniques. But perhaps the most significant change Wolff has observed is how Trojans have become part of larger, more organized criminal operations. What we've seen over the past decade is the professionalization of cybercrime. Trojans are no longer just isolated attacks by individual hackers. They're part of sophisticated criminal enterprises with clear business models and organizational structures. 
These criminal organizations operate like legitimate businesses. They have customer service departments, quality assurance teams, and even research and development divisions working to improve their malware. This professionalization has made Trojans much more dangerous because they're being developed by people who have the resources and expertise to create really sophisticated attacks. But it's also created new opportunities for law enforcement and security researchers to disrupt these operations by targeting their business models and organizational structures. When you're dealing with organized criminal groups, you can use traditional law enforcement techniques like following the money, infiltrating organizations, and disrupting their operations. Wolff also points out that the rise of cryptocurrency has created both new opportunities and new challenges for Trojan attacks. On one hand, cryptocurrencies make it easier for criminals to receive payments anonymously. On the other hand, blockchain technology creates a permanent record of transactions that can be analyzed by law enforcement. Cryptocurrency has definitely changed the landscape for cybercrime, but it's not a silver bullet for criminals. There are still ways to track and disrupt cryptocurrency-based criminal operations. As we look to the future, Wolff sees both reasons for optimism and concern about the evolution of Trojan attacks. On the positive side, we're getting better at developing technologies that are secure by design. On the negative side, attackers are getting more sophisticated and are targeting new technologies and new user behaviors. The key, according to Wolff, is to maintain a balance between security and usability. Security measures that are too cumbersome will be bypassed by users, while systems that are too permissive will be exploited by attackers. 
The challenge is creating security systems that protect users without making technology so difficult to use that people avoid security measures altogether. This brings us to an important question: What does the future hold for Trojan attacks? To get a perspective on this, I spoke with someone who works on the cutting edge of mobile security research.

Humans historically have not been the best partners of themselves. The root of many problems start from there.

Yanick Fratantonio is a senior security researcher at Cisco Talos. Before joining Cisco, he spent years in academia researching Android security. He taught a course that focused on mobile security, one of the first, and that gives him a unique perspective. He sees how new tech is often a space where we are naive, where we might not be thinking about security issues. For example, all the apps we keep downloading onto our phones, each one is a potential Trojan if we aren't careful. We've made things safer by centralizing app delivery through app stores that try to block bad actors, but it's still possible for Trojans to get through. You've probably had the experience of looking for an app and then wondering "There are a few similar ones here, which one is the real one?"

This stuff can still happen. I think maybe three or four years ago that you would look for WhatsApp and you get tons of results with many apps that look like WhatsApp with the same icon and so forth. And of course, many of these, there were not maybe malware but was adware or tons of advertisements and so forth. But this gives you an idea that even if there is a central store and Google and Apple check for this stuff, of course there are techniques to sneak in.

More than just an app's thumbnail can be faked, of course. An entire shadow UI is sometimes developed, a fully developed fake version of an app that you trust. Fratantonio has found two different versions of this trick.

One, we'll say traditional phishing, where basically I show you something and this UI looks like the bank application or your Facebook application, but it's not. It's actually a malicious app like somehow mimicking the UI of Facebook and the user would be lured into putting username and password, and I will steal the password like this.

The second type of trick is something Fratantonio calls clickjacking.

If you place this fake OK button exactly on top of where you want the user to click, then this click is now going to go through the OK button, go in the bottom and the bottom maybe it's enabled this permission.

In other words, the malware is hijacking your click. You thought you were clicking okay to one thing, but you've just granted access to maybe your contact list. Whenever we use apps, we're inviting new software and sometimes malware into our lives. And think of the kinds of permissions we give to our apps. Can I have access to your camera? How about your email? Hey, mind if I track your location? We can mitigate that risk, though, by not giving blanket permissions.

Now we switched to a run time permission model, which means that the first time after you install the app, after you can use the app a bit, they ask you, "Hey, can I please have this permission?"

But remember criminals are always looking for ways to work around new limitations.

The bad guy switched to try to find a context that somehow legitimized their request.

In the same way that email Trojans began getting personal details about the user, a Trojan app can be custom made to request the permissions that are desired.

For example, if the bad guy wants to get my voice and wants to record my voice, what would the bad guy do? Some kind of adding a fake voice recording application. And once he asks me for the voice permission, I'm going to give it to it.

Fratantonio feels that for most people keeping track of your permissions is a key way to guard against Trojans in the app space.

Attacks that circumvent permissions are incredibly expensive and are more likely to target specific state sponsored actions against particular people. I'm talking about journalists, activists and things like this.

Most of us can take comfort in the fact that bypassing security mechanisms on our phones has become much harder to do in even the last 10 years, especially with constant security updates. Still, every user has a responsibility to be skeptical about the apps they're using.

The biggest thing is not to install random apps from the store. That's stupid advice in a sense that people have these phones because they want to install random apps from the store. So, I guess the followup on this is if you really, really, really, really want random apps from the store, try to be reasonable in a sense of try to have a reality check on what you're asked to do.

Every new form of communication has a custom designed Trojan of its very own, and you are the final gatekeeper. So how did those poor guys in Antarctica ever survive The Thing? They didn't just hope it stopped taking over their team members. They devised a test. They found a way to check everybody who looked human until they found an alien imposter. That's exactly how we defend ourselves against Trojans. We stop acting with blind trust and start looking deeper at the entities that reach out to us online. Because here's the thing, these cons, these Trojan horses, they need your permission before they can do their evil deeds. There might not always be a magic bullet to take them down, but a little personal responsibility and common sense goes a long way. Hey, it's me. Check out this awesome link. Nope.

I'm Saron Yitbarek, and this is Command Line Heroes, an original podcast from Red Hat. Next time, we're exploring another nefarious bit of software, the logic bomb. To make sure you never miss an episode, subscribe, follow wherever you get your podcasts. Until then, keep on coding.

About the show

Command Line Heroes

During its run from 2018 to 2022, Command Line Heroes shared the epic true stories of developers, programmers, hackers, geeks, and open source rebels, and how they revolutionized the technology landscape. Relive our journey through tech history, and use #CommandLinePod to share your favorite episodes.