Command Line Heroes - Terrifying Trojans
Episode Date: March 8, 2022Sometimes a fun game, a friendly email, or an innocuous link can be the most convenient place for an enemy to hide. And its prey is none the wiser—until it strikes. The trojan horse uses many layers... of deception to do damage. The ingenuity of these attacks keeps an alarming pace with the technology we use every day. But as long as we stick to trusted sites and sources, we can better the odds against those who use our trusting nature against us. Steve Weisman tells us about how trojans still keep security professionals on the defensive. Josephine Wolff details how these attacks have evolved, and keep evolving, to catch victims off guard. And Yanick Franantonio takes on the new frontier for trojan attacks. If you want to read up on some of our research on trojans, you can check out all our bonus material over at redhat.com/commandlineheroes.Follow along with the episode transcript.  Â
Transcript
Discussion (0)
You're at base camp in the middle of a bleak stretch of Antarctica, many miles away from any form of civilization.
You're there with a team. You've been there for months.
You all know each other pretty well, trust one another.
You have to in a remote environment like this.
But one night, you hear your sled team barking.
You go to investigate.
The dogs are agitated, growling and snarling, and you're not sure why. The next morning, doors and windows were left open,
letting snow in, and no one can explain it.
Your team is on edge.
They're questioning each other, pointing fingers.
And then you notice a colleague you thought you could trust with your life.
He looks more or less the same,
but he's not himself anymore. You might remember the 80s movie, The Thing. An evil alien is lurking
among the ice fields of Antarctica, and it has the power to take the shape of humans. The thing can commit all kinds of evil
just by capitalizing on our basic belief
that familiar things won't do us harm.
Of course, a trick like that can play out in real life too.
Happens online all the time.
This season, we're exploring the horror stories that haunt our digital lives. The malware,
the hacks, the identity theft that keep security heroes awake at night. And this time, we're
looking at Trojan horses. The cyber attacks that depend on human behavior are want and need to
trust. I'm Saranya Parikh, and this is Command Line Heroes,
an original podcast from Red Hat. I'm definitely weary of emails asking me to do something like
confirm my password, but even people who should know better can fall for these scams. We're going
to figure out exactly how hackers capitalize on human psychology to make that happen,
and how and why it can lead to so much destruction.
Last time, we learned about viruses and worms, where the goal is rapid, far-reaching attacks.
But the focus of a Trojan isn't speed or reach, it's access. Think about the original Trojan horse. A team of
Greek soldiers spills out of a giant wooden horse that the Trojans thought was a gift.
A Trojan horse attack is going to roll right up to your front door and announce itself. It could
be a fun game, a friendly email, a tempting bit of clickbait.
The most appealing, familiar things are offered up.
And it's only once we let down our defenses and invite them in that we realize they're harboring an enemy.
Once inside a device, Trojans can steal identities, capture keystrokes on banking sites, disable antivirus software,
even allow your computer to become a zombie soldier in some hacker's botnet.
Some get to work automatically, and others wait patiently for instructions from their creator.
What they all have in common is that element of trust. And as we're about to find out, trust can be a powerful and a very dangerous thing.
Things aren't as bad as you think.
They are far worse.
The more you know, the more scared you get.
Steve Wiseman teaches students at Bentley University about white-collar crime
with a focus on cybercrimes
and identity theft. From his perspective, those in security software are in a difficult situation.
Trojans keep evolving to match every new technology. Security teams have no choice
but to respond on the fly. They're always playing catch up. But there is something universal, something constant
about Trojan attacks. And that's the fact that they all take advantage of human trust. And they
do that by using social engineering. Social engineering is using information that can be obtained in all kinds of places to lure someone into doing something.
So if I get an email that says, send me your username and password for your bank,
well, I'm not going to trust that. However, if I get one that appears to come from my bank,
so they leverage personal information to get you to trust them. Social engineering just is
good old-fashioned digging, getting information, and using that to get people to trust them. And
my motto, trust me, you can't trust anyone. Bit harsh, but point taken. Human trust is the magic
ingredient. But how does that play out in the real world?
What level of damage can a little social engineering really do?
When Zeus first came out, people weren't thinking of security and defense that much.
Zeus was a Trojan horse, one of the very first Trojan malware packages.
And by 2009, it was a pretty prominent security problem.
The thing about 2009, as Weissman just said, is that it was a slightly more naive time.
Most people weren't on social media. Online banking and even email were new concepts for many.
People didn't see it coming.
So imagine, in that more innocent time, you open your laptop and see an email.
A message from a federal tax authority, say.
Looks legit.
And the subject line reads,
Notice of Underreported Income.
That can't be right, can it?
You better check.
And that's it.
You clicked on the link in that email, and a Trojan entered your computer.
Now it waits there, totally unnoticed.
You don't even know you've been attacked.
But next time you hop on a banking website,
Zeus records the keystrokes of your login and password.
The stolen info is then shuttled back to the hacker who can tap into your bank account.
Money gets funneled to so-called money mules who move the cash around, and the rest is your basic
crime world shenanigans. Back in 2009, the tech world was not ready for Zeus. 70 million dollars
were stolen before software was developed to combat it.
And there's no big courthouse conclusion to the story of Zeus.
The creator was never found.
In fact, whoever they are, they open-sourced their code,
allowing others to adapt it and make their own Trojan malware.
That basic Zeus code that he provided to everyone, we had defenses on that.
But by providing that code, he sort of had the house half built.
So other cyber criminals could use that valuable information to develop and evolve newer versions.
And that's what we have seen.
Tens of millions of PCs were ultimately infected with some form of Zeus, and the Trojan
technique, capitalizing on basic human trust to gain entry into a computer, became a mainstay
of cybercrime. This was something that should have been a wake-up call for many people, and for
many it was, but not enough. The world was growing more connected,
and along the way, we became used to updating passwords
and confirming contact details whenever prompted.
Just getting through the day meant putting trust
in the entities that reached out to us.
And we rarely stopped to wonder
who was behind that random email, who had taken the form of a trusted friend.
That was good news for malicious hackers.
A lot of the times, the only clues you have to go on are what's the logo, what's the name, what does the website look like where I'm downloading this from?
Josephine Wolfe is an associate professor of cybersecurity policy at the Fletcher School at Tufts University.
She describes a world where Trojan attacks are part of a larger arsenal that criminals use, a way to leapfrog past security innovations. The goal is to make you trust or want it enough
that you're willing to sort of go to the trouble of saying,
you know, yeah, I know this was just something I downloaded from the internet
and my operating system manufacturer hasn't vetted it
and I don't know exactly where it's coming from, but I still really want it.
Security specialists can build all kinds of safeguards into systems.
But if a user really wants to believe they have, say, inherited $60 million, just click here,
or caught the eye of someone who'd like to go on a date with you, open and see. They might go ahead
and follow those prompts. That's the goal is to get that initial foothold in a targeted system
and circumvent all of the layers of protection that we've built up to try and make that harder to do.
In a world where personal information is often available for anybody to collect online, that means Trojans aren't always generic.
Advertisers have learned to personalize and nano-target their messages to your specific profile.
The creators of Trojans can do the same.
I think that's sort of the scariest and most effective form of Trojan attacks,
is to see somebody who's willing to take the time to figure out,
okay, who exactly would be a person you would expect to see an email from?
Who's a person who you wouldn't be
able to sort of just ignore or say maybe this is something suspicious. The goal with these
targeted Trojans is, of course, to offer you something so appealing, so designed to meet
your personal needs, that any lessons you know about digital hygiene just sort of fade. And
because we're all human, anybody can be tempted.
This past year, while I was at home, I taught a Zoom class and I'm going through my email inbox and I see there's a message there from a colleague at Tufts saying, if you've experienced any
hardship this year due to the pandemic, Tufts University has applied for some funds to support any relief efforts among faculty and staff.
You can click here to apply for it.
Think how targeted that is.
It's an email supposedly from one of Wolf's colleagues.
And it's offering her money, but not in a bonkers, you won the lottery way.
It's a really believable way.
Funding for hardship during the pandemic. it's a very carefully designed promise.
People could very easily fall for it.
It was reasonably official looking in its formatting, in its style.
It was a moment when that was a real thing that was happening.
Workplaces were offering relief funds of this nature.
People try to take advantage of particular moments, particular
current events, particular employers and access to accounts to install Trojan malware and gain
access to computers and accounts. Did Wolf, who specializes in this stuff, fall for it?
So I was curious enough to click through to the phishing website that the email linked to. And
once you do
that, you do get some other clues, right? You can see, okay, what domain is hosting this website?
Is this really a Tufts University website? Things like that. I would say one of the things that was
interesting about it was a lot of the times when we talk about this kind of email message, it comes
from a slightly wrong email address, right? Instead of somebody's name
at tufts.edu, it will come from like somebody's name at tufts.ed or tuft.ed or something that's
a little bit wrong. That's the number one giveaway for most of us, isn't it? An email address that's
just slightly off, maybe only one letter difference. One of the things that was, I think, really scary about this particular incident
was that wasn't the case, right?
It really was coming from a Tufts.edu email address.
But there was definitely a fair bit of work and effort that had gone into formulating it.
So there weren't as many obvious clues as you would hope.
There weren't as many of the clues that we sometimes tell people,
you should look for this when you're reading your email. The level of care and even cynicism that
is needed to avoid these deceptions can sometimes feel over the top. We don't like to treat
everything as a potential scam. We don't like to assume every new encounter is a con. And largely,
that's because for most of us, we don't think we have anything
on our computers worth stealing. Why would an elaborate Trojan attack happen to me, right?
It just feels paranoid. This is a fight I have, say, with my parents all the time, right? They
say, you know, what's interesting in my email? Who would possibly bother? It's sort of that
psychology is actually a huge hurdle for people who are trying to get users to take cybersecurity seriously.
And I think there are a couple things that are really important to keep in mind in response to that.
One is that it's not just about protecting yourself, right?
Your computers, your accounts are often an intermediate point for attacking other victims.
Wolf works at a university, for example,
and universities are favorite targets for cyber criminals, not because they want Dr. Wolf's
personal lecture notes, but because universities communicate with governments and private companies.
And it will look like that traffic is coming from a place that that company or that government
communicates with all the time, a place that can be trusted. So the first thing I'd say is really when we're talking about security,
we're not just talking about, do you care about your data? Do you want to protect it? We're
talking about, do you want to be a good citizen? Do you want to be sort of somebody who's contributing
to the overall security of the internet writ large and the security of everybody else who's using it,
not just you. Even if you don't care about being a good citizen, you probably have more to protect
than you think. Probably you do some online banking. Probably your payroll is operated
through a website and an online account. Probably you manage important functions in your life
through websites,
and all of that is vulnerable.
So there are two things here. First, a lot of people don't take security seriously,
leaving them open to malware like Trojans. And second, those same people are importing
more and more of their lives into digital spaces where Trojans work.
Maybe most importantly, our financial lives have moved online.
As there's more money changing hands over the internet, then there's perhaps inevitably much more interest in how do you steal that money and how do you steal all of the information that can be turned into money in that space.
We're not just talking about phishing emails anymore.
Trojans are evolving to meet the moment.
Steve Wiseman mentioned a new avenue for Trojan attacks that, frankly, have me a little freaked.
There have been some banking Trojans that have infected apps, legitimate apps. You know, we always tell people,
only get your apps from the legitimate stores. But even when you get your app from the legitimate
store, it can still be infected. That made me wonder, what is the new frontier of Trojan horses?
This con, as old as the ancient Greeks, what shape does that wooden horse take today?
Humans historically have not been the best partners of themselves.
The root of many problems start from there.
Yannick Fratantonio is a senior security researcher at Cisco Telos.
Before joining Cisco, he spent years in academia researching Android security.
He taught a course that focused on mobile security, one of the first.
And that gives him a unique perspective.
He sees how new tech is often a space where we're naive,
where we might not be thinking about security issues.
For example, all the apps we keep downloading onto our phones, each one is a potential Trojan if we aren't careful.
We've made things safer by centralizing app delivery through app stores that try to block bad actors.
But it's still possible for Trojans to get through.
You've probably had the experience of looking for an app
and then wondering, there are a few similar ones here.
Which one is the real one?
This stuff can still happen.
I think maybe three, four years ago,
you would look for WhatsApp and you get tons of results
with many apps that looks like WhatsApp
with the same icon and so forth.
And of course, many of these, they were not mainly malware, malware, but was, you know,
adware, so tons of advertisement and so forth. But this gives you an idea that even if there is a central store and Google and Apple check for this stuff, of course, there are techniques to
sneak in. More than just an app's thumbnail can be faked, of course.
An entire shadow UI is sometimes developed.
A fully developed fake version of an app that you trust.
Fred Antonio has found two different versions of this trick.
One was a traditional phishing, where basically I show you something,
and this UI looks like the bank application or your Facebook application,
but it's not. It's actually a malicious app, like somehow mimicking the UI of Facebook.
And, you know, the user will be lured into putting username and password and I will steal the password like this.
The second type of trick is something Frat Antonio calls click jacking.
If you place this fake OK button exactly on top of where you want the user to click, then
this click is going to go through the OK button, go to the bottom, and the bottom maybe is
enable this permission.
In other words, the malware is hijacking your click.
You thought you were clicking OK to one thing, but you've just granted access to maybe your
contact list. Whenever we use apps,
we're inviting new software, and sometimes malware, into our lives. And think of the kinds of
permissions we give to our apps. Can I have access to your camera? How about your email? Hey, mind if
I track your location? We can mitigate that risk, though, by not giving blanket permissions.
Now we switch to a runtime permission model, which means that at runtime, after you install the app, after you can use the app a bit, they ask you, hey, can I please have this permission?
But remember, criminals are always looking for ways to work around new limitations.
The bad guys switch to, you know, try to find a context that somehow
legitimizes their request.
In the same way that email Trojans
began targeting personal details
about the user, a Trojan
app can be custom-made to
request the permissions that are desired.
For example, if the bad guy
wants to get my voice and wants to record
my voice, what would the bad guy
do? So I'm kind of
having a fake voice recording application. And once he asks me for the voice permission,
I'm going to give it to him. Fred Antonio feels that for most people,
keeping track of your permissions is a key way to guard against Trojans in the app space.
Attacks that circumvent permissions are incredibly expensive and are
more likely to target specific state-sponsored actions against particular people. I'm talking
about journalists, activists, and things like this. Most of us can take comfort in the fact
that bypassing security mechanisms on our phones has become much harder to do in even the last 10 years, especially with constant security updates.
Still, every user has a responsibility
to be skeptical about the apps they're using.
The biggest thing is not to store random apps from the store.
That's a stupid advice in the sense that
people have these phones because they want to store random apps from the store.
So I guess the follow-up on this is
if you really, really, really, really want to store random apps on the store. So I guess the follow-up on this is, if you really, really, really, really want to install
random apps on the store, try to be reasonable
in the sense of try to have a reality check
on what you're asked to do.
Every new form of communication
has a custom-designed Trojan of its very own.
And you are the final gatekeeper.
So, how did those poor guys in Antarctica ever survive the thing? They didn't just hope it'd stop taking over their team members. They devised a test. They found a way to check everybody who looked human until they found
an alien imposter. That's exactly how we defend ourselves against Trojans. We stop acting with
blind trust and start looking deeper at the entities that reach out to us online. Because
here's the thing. These Khans, these Trojan horses,
they need your permission before they can do their evil deeds.
There might not always be a magic bullet to take them down,
but a little personal responsibility and common sense goes a long way.
Hey, it's me. Check out this awesome link.
Nope.
I'm Saranya Dbarik, and this is Command Line Heroes, an original podcast from Red Hat.
Next time, we're exploring another nefarious bit of software, the logic bomb.
To make sure you never miss an episode, subscribe, follow, wherever you get your podcasts.
Until then, keep on coding. about Edge is that they assume they're not ready for it. They think that it'll mean starting over
from scratch or that every time their business needs to change, they'll be re-engineering
solutions and re-evaluating vendors. And look, Edge is complex and it does mean a different approach,
particularly for devices at the far edge. But with Red Hat, it doesn't mean starting over with new
platforms. We've taken the same enterprise solutions that simplify and accelerate work Thank you.