Archive for February, 2010

Targeted Trojan Email Attacks

Attack Description

Once a trojanised attachment is opened, the remote attacker may use it as a launchpad to gain full control of the user’s machine. A compromise poses a threat to the confidentiality, integrity and availability of data stored on the computer and its associated networks. It could also be used to launch attacks against other networks.

Files used by the attackers are often publicly available on the Web or have been sent to distribution lists. The attackers are able to receive, trojanise and resend a document within 120 minutes of its release, indicating a high level of sophistication.

The trojanised files can be common types such as databases, documents, executables (.exe) and help files (.chm) and are often compressed (.zip or .rar). The files exploit known software vulnerabilities to install a trojan on the user’s computer.
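A mail-gateway style check for the attachment pattern described above (executables and .chm help files hidden inside .zip archives), written as an added example for this page rather than taken from the original article. It walks nested archives and flags members by the file types named in the text; the sample archive is constructed inline and the `max_depth` limit is an assumption of this example.

```python
import io
import zipfile

# File types the article names as carriers of exploit code / trojan droppers.
RISKY = {".exe", ".chm"}
ARCHIVES = {".zip"}  # .rar is not parseable with the standard library

def risky_members(data, depth=0, max_depth=3):
    """Return the paths of risky members inside a zip, recursing into nested zips.

    Names are compared on their *last* extension, so padded double extensions
    such as 'agenda.pdf        .exe' are caught as well.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    with zf:
        for info in zf.infolist():
            name = info.filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            if ext in RISKY:
                findings.append(info.filename)
            elif ext in ARCHIVES and depth < max_depth:
                nested = risky_members(zf.read(info), depth + 1, max_depth)
                findings.extend(f"{info.filename}/{m}" for m in nested)
    return findings

def build_sample():
    """Constructed test attachment: a .chm plus a nested zip hiding a padded .exe."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("minutes.doc", b"not a real document")
        z.writestr("agenda.pdf                .exe", b"MZ not a real binary")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("circular.chm", b"ITSF not a real help file")
        z.writestr("attachments.zip", inner.getvalue())
        z.writestr("readme.txt", b"benign text")
    return outer.getvalue()

if __name__ == "__main__":
    for hit in risky_members(build_sample()):
        print("flag:", hit)
```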

The Trojan Money Spinner

How do they know when the user has gone to a site?
As noted above, banking trojans filter out useless data – or more precisely, they only capture interesting data from banking activity. This means that the trojan has to know when the user is banking online. It is very common for the trojan to monitor only what the web browser is doing and where it is going. Banking trojans today use the following means of determining where the user is surfing:

  • Hooking (e.g. inline hooks on WinInet API functions)
  • BHO (Browser Helper Object) interface [4]
  • Window title enumeration (e.g. FindWindow() [5])
  • DDE [6]
  • Other COM (Component Object Model) / OLE (Object Linking and Embedding) interfaces
  • Firefox browser extensions
  • LSP (Layered Service Provider) interface [7]

As a fairly conventional example, Banker.ark [8] steals logon credentials related to some Brazilian banks by logging keystrokes when the internet browser title bar contains a string that is on its filter list.
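Of the mechanisms listed above, the BHO interface leaves a persistent trace in the registry, which makes it a natural place for a host audit. The following is an added example (not code from the original article) that parses a registry export of the Browser Helper Objects key, resolves each BHO's DLL through its CLSID, and flags any whose module lives in a user-writable location or cannot be resolved; the `.reg` sample is constructed for this example, and the list of user-writable path fragments is an assumption.

```python
# Constructed .reg export, not real data: two BHOs, one loaded from a temp directory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66666666-7777-8888-9999-000000000000}]
"NoExplorer"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\toolbar.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\wininet32.dll"
"""

BHO_KEY = "\\Explorer\\Browser Helper Objects\\"
# Assumed heuristic: a BHO served from one of these locations deserves a closer look.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "@" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def audit_bhos(text):
    """List (clsid, dll_path, suspicious) for every registered BHO in the export."""
    keys = parse_reg(text)
    findings = []
    for key in keys:
        idx = key.find(BHO_KEY)
        if idx == -1:
            continue
        clsid = key[idx + len(BHO_KEY):]
        server = keys.get("HKEY_CLASSES_ROOT\\CLSID\\%s\\InprocServer32" % clsid, {})
        path = server.get("@")
        suspicious = path is None or any(m in path.lower() for m in USER_WRITABLE)
        findings.append((clsid, path, suspicious))
    return findings

if __name__ == "__main__":
    for clsid, path, suspicious in audit_bhos(SAMPLE_REG):
        print("SUSPICIOUS" if suspicious else "ok        ", clsid, path)
```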

Trojan Horse In Tally Server

Potential Gain:
To successfully alter the tabulated vote from some or all DREs in a county. A Trojan Horse attack would not have to explicitly reverse the recorded outcome of an election (e.g., create a Republican victor in a predominantly Democratic district) to be successful. It may be sufficient to simply alter a few undervotes, or reduce the margin of victory by a few votes. This would also be useful in voting events where a simple majority was not the deciding criterion, but where a ratio of votes (e.g., electing candidates across multiple possible positions, or as the basis for determining electoral representation) would be of enough interest to motivate the attackers.

Is Your Cat Infected with a Computer Virus

Introduction to RFID
Radio Frequency Identification (RFID) is the quintessential Pervasive Computing technology. Touted as the replacement for traditional barcodes, RFID’s wireless identification capabilities promise to revolutionize our industrial, commercial, and medical experiences. The heart of the utility is that RFID makes gathering information about physical objects easy. Information about RFID tagged objects can be transmitted for multiple objects simultaneously, through physical barriers, and from a distance. In line with Mark Weiser’s concept of “ubiquitous computing” [20], RFID tags could turn our interactions with computing infrastructure into something subconscious and sublime.

Norman Book on Computer Viruses

What is a virus?
The terms “computer virus” and “virus” are used very loosely in everyday conversation and have become synonymous with “trouble”.

A virus is usually not something that creates cool screen effects and enables you to hack into the Pentagon. The “Launching virus” screen as seen in Hollywood movies bears no resemblance to real-life viruses. In reality, a virus infection is most often invisible to the user. The machine may slow down a little. Some programs may be unstable and crash at irregular intervals, but then again that happens ever so often on clean systems too.

Still, some viruses have some sort of screen effect. The Windows virus “Marburg” fills the desktop with red circles with a white “X” inside. A couple of viruses will make desktop icons escape the mouse cursor. Such effects are not particularly common, since they expose the existence of the virus. In order to explain such vexing programs, we will need to look at what programs really are.

Creating a Secure Computer Virus Laboratory

Laboratory Protocol

Our laboratory protocol to regulate behavior in the laboratory was initially based on biohazard protocols (Health Canada, 2001); biologists and chemists have had decades of experience working with dangerous substances, and it is only prudent to build on their experience. Obviously, the analogy breaks down after a certain point, but there were a number of things to be learned about laboratory access, operation, and personnel training.

Since the contagions of concern in the computer virus lab are electronic, we had to add a number of provisions with respect to media handling, and any means of electronic transmission, both wired and wireless. Our initial thought was to let students bring media into the lab, so long as it was not brought out again, to allow material researched on the Internet to be brought in, but after negative reviewer feedback we scrapped this idea. Printouts were also contentious, in two ways: first, that we were allowing them to be made at all; second, how they were to be handled by students. We eventually clarified the protocol to specify how printouts should be handled, but still allowed them to be made – at the very least, printouts can be useful for debugging purposes.