Malware: Specialized Trojan Horse
Stefan Kiltz (Otto-von-Guericke University, Germany), Andreas Lang (Otto-von-Guericke University, Germany) and Jana Dittmann (Otto-von-Guericke University, Germany)
Copyright: © 2007
The Trojan horse can be used in cyber-warfare and cyber-terrorism, as recent attacks in the field of industrial espionage have shown. To coordinate methods of defence, a categorisation of the threat posed by Trojan horses in the shape of a list of tuples is proposed. With it, a set (consisting of methods for the distribution, activation, storage, means of execution, communications and malicious functionality) can be defined, which describes the Trojan horse by its features. Each of these aspects can be accompanied by methods of self-defence (e.g., armouring or encryption) against detection and removal by protection software. The list of tuples, and therefore the categorisation of the Trojan horse properties, is a vital first step in developing and organising countermeasures against this kind of threat. A new category of Trojan horses, the special and universal Trojan horse, is proposed. This type of malware is particularly well suited for cyber-warfare and cyber-terrorism, as it is unlikely to be picked up by common protection software (e.g., virus scanners). To achieve this, a Trojan horse is tailor-made for one special attack on a particular computer system and can provide espionage or sabotage functionality. If it is not used in large-scale attacks, anti-malware software producers will have little or no chance to extract a signature for this code. Systems being spied upon without notice can deliver vital information to the attacker. In addition, the attacker can choose to permanently or temporarily disrupt IT infrastructure (e.g., denial-of-service, destruction of hardware). The universal Trojan horse can be updated by the attacker to achieve an extended functionality, which makes it universal. The above-proposed list of tuples can be a tool to describe such special and universal Trojan horses which will be introduced in the full item description.