Back Orifice Trojan horse explained
Question: I’ve heard a lot of people talk about the Trojan horse virus. What is it, and how can I protect myself against it? – B.L.
Answer: A Trojan horse is not really a virus. I suppose you could call it a class of virus, but it behaves differently.
A virus is a piece of maliciously designed computer code that sneaks its way onto a computer by hiding on a floppy disk or inside another program. It then runs amok, making the computer do odd or annoying things (like displaying rude lines of text). In some cases, it does damage to the host computer. A Trojan horse, on the other hand, works by allowing a remote attacker to access the victim’s computer across a network, like the Internet.
You’ve no doubt heard the story of the Trojan horse written by the Greek poet Homer in his famous book The Iliad. To understand that story is to understand a Trojan horse virus on a computer. In the story, the Greeks give a giant wooden horse to their enemies, the Trojans, as a peace offering. The unsuspecting Trojans drag the horse into Troy, a walled city. Once inside, Greek soldiers, who are hiding in the horse’s hollow belly, open the city gates and the Greek army pours in and takes Troy by force. Malicious programmers use the same Trojan horse trick.
The idea is that they create a program that is sometimes disguised as a computer virus killer or some other apparently useful program. After a user installs it on a PC, the attacker can then access the user’s machine remotely, typically via the Internet, and either take control of the machine or simply snoop around on it.
A particularly famous Trojan horse virus is known as Back Orifice. It’s a hacker tool that consists of two pieces, a client application (a program on the attacker’s computer) and a server application (running on the victim’s computer).
According to Symantec’s Security Response web site, the attacker can do any of the following tasks on the victim’s machine:
- Execute any program.
- Record keystrokes (thereby storing whatever you type, which the attacker retrieves later).
- Restart the computer.
- Force the computer to lock up or freeze.
- View the contents of any file on the computer.
- Transfer files to and from the victim’s machine (done in the background so the victim is unaware it’s happening).
- Display the screen-saver password, if there is one.
The first version of the Back Orifice Trojan was designed to work on Windows 95 and 98 machines, but later the original authors released a new version. It’s called Back Orifice 2000 and it can run on Windows NT machines.
The key to protecting yourself from the Back Orifice Trojan horse is to not install it in the first place. Also, the attacker must know the IP address of the target machine. That’s a number assigned to each machine connected to the Internet. The Internet Service Provider usually assigns this number whenever a computer connects to the Internet by modem.
In many circumstances, the IP address changes each time the computer connects, but computers on high-speed services, like ADSL or cable modems, have IP addresses that are static – that means they don’t routinely change (although it’s possible to force a change). Computers on company networks that have access to the Internet via a network also have static IPs, and a technician or expert user can change them.
If an attacker doesn’t know your IP, they have a harder time seizing control of your machine. They can use the client application to perform a search through a range of IP addresses. This can be difficult, not to mention time-consuming, because there are four billion possible IP addresses. Also, users behind firewalls – a computer that guards a company network – are typically safe. Most corporations have firewalls in place.
All the above is important, to be sure, but at the end of the day, the best defense against Trojan horses is to follow safe computing practices. Don’t download or run programs from unknown sources. If you receive an attachment or download you didn’t request and weren’t expecting, even if it’s from someone you know, check with the sender to be sure it’s for real before you click on anything.
In the event you do inadvertently install a Trojan horse, it can be removed manually by deleting an entry in the Windows Registry and then deleting a program from the hard drive. Symantec’s Security Response has catalogued known Trojan horses and offers manual deletion instructions for them, often at no charge.
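As an added illustration (not part of the column and not Symantec’s instructions), the PowerShell script below lists the entries in the common autostart registry keys, which is where a Trojan’s launch entry usually sits, along with the program file each one points to and whether that file still exists. It assumes Windows PowerShell is available and only reads the registry; it deletes nothing.

```powershell
# Added example, not from the column: a read-only audit of the common
# autostart registry keys. Each entry is shown with the program it points
# to and whether that file is still present on disk.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',  # Windows 9x era key
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath {
    param([string]$Command)
    # Expand %SystemRoot%-style variables, then keep the quoted path or the
    # first token ending in .exe; any arguments after it are dropped.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $cmd
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        # Skip the PS* bookkeeping properties PowerShell adds to the object
        if ($prop.Name -like 'PS*') { continue }
        $exe = Get-ExecutablePath ([string]$prop.Value)
        [PSCustomObject]@{
            Key        = $key
            Name       = $prop.Name
            Program    = $exe
            FileExists = (Test-Path -LiteralPath $exe)
        }
    }
}

# Entries whose program lives outside the usual system folders, or whose
# file cannot be found, are the ones worth checking against a vendor's
# listing before deciding to remove anything.
$entries | Sort-Object Key, Name | Format-Table -AutoSize
```

A program given without a folder (for example just a bare file name) is reported as missing because the script does not search the PATH; check such entries by hand.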
Most up-to-date anti-virus programs, like Norton Anti-Virus 2007 and McAfee VirusScan Plus, will guard against Trojan horses and remove them should they be installed. Of course, they need to be updated with virus signature files to catch the latest Trojan horse variants that are released periodically. These signature files (sometimes called “definition files”) can be obtained from the program vendor via the Internet.