Explanation of Trojan horses
Situation:
Norton Internet Security (NIS) displays an alert or has a log entry that
indicates that someone tried to get into your computer using BackOrifice or
another Trojan horse. You want to know whether your computer has been accessed
or damaged.
Solution:
If NIS says that an attempt has been made, that attempt was blocked and did not
get into your computer. The alert does not by itself tell you whether a Trojan
horse was already on your computer before the attempt, which is why knowing a
little bit about Trojan horses like BackOrifice helps you understand what NIS
does and does not protect you against.
What is a trojan horse?
A trojan horse (or "trojan") is simply a program that purports to do one thing
but does something else that you do not know about. It has, so to speak, a
public agenda that is harmless, and a private agenda that is not. One particular
sub-category of trojans makes it possible for someone else to access your
computer over the Internet. This is the category we are concerned with here.
There are other types of trojans. You can find out more about them from the
Symantec AntiVirus Research Center (SARC) at
http://www.sarc.com.
A trojan horse that allows outside access to your computer system has two parts:
the server and the client. The server program is the trojan horse itself: it
runs on your computer and waits for connections from outside. The client program
is what the person breaking in runs on his or her own computer to connect to
that server.
How does a trojan horse let someone break into your computer?
Internet communication is done through the network protocol TCP/IP, which uses
ports as part of that communication. A port of this type is not a physical
connector like a printer port. It is just a number, from 1 to 65535, that the
computer uses to keep the TCP/IP traffic for its various programs correctly
sorted, much as an apartment number sorts mail within one street address. For
example, your email program typically sends mail over port 25 (SMTP) and
receives mail over port 110 (POP3), while your Web browser uses port 80 (HTTP).
This makes it possible for you to browse a Web page and receive email on the
same computer at the same time without the two programs getting their traffic
mixed up. Every program that talks over the Internet uses at least one port,
and trojans are no exception.
A hacker writes a trojan to listen on a specific TCP/IP port (or ports). The
GirlFriend trojan, for example, uses port 21554. To attack you, the hacker scans
your computer to see whether anything answers on port 21554. If nothing answers,
the trojan is not running, and the hacker may try to send it to you so that you
run it yourself. If your computer is not protected and the GirlFriend server is
running, the hacker's client can connect to it, and the hacker has access to
your computer.
If NIS is protecting your computer, however, incoming connections to every port
that no permitted program is using are blocked, so those ports are inaccessible
from the Internet. This holds even if the trojan is already on your computer and
listening on its port: the trojan has never been allowed through NIS, so as far
as NIS is concerned the port is unused, the connection is dropped, and the
hacker cannot use the trojan to get in. Note that this blocking applies to
connections coming in from the Internet. It does not by itself stop a program
on your computer from opening a connection outward, so the absence of open
ports is not, on its own, proof that nothing on your computer is talking to the
outside.
By blocking unused ports, NIS also protects you from port scanners. A port
scanner is a tool that goes methodically from IP address to IP address and, at
each address, tries port after port to see which ones answer. A hacker uses it
to find any port on your computer that might be a way in. With NIS running, the
scan gets no answer from any blocked port, and the hacker finds nothing to use.
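The scan described above, and the difference between a port that is open, one that is closed, and one that a firewall like NIS has shut down, can be seen with a small TCP connect scanner. The following is an added example for this article, not Symantec's code or part of NIS: it classifies each port as "open" (something accepted the connection), "closed" (the computer answered that nothing is listening) or "filtered" (no answer at all, which is what a scan of a port blocked by NIS looks like from outside). The "trojan server" it scans is a constructed stand-in that only listens and accepts, started on the local computer so the example runs offline; the only trojan port taken from this article is GirlFriend's 21554, and the self-check function uses that same port list to see whether anything on your own computer answers there.

```python
import socket
import threading

# The one trojan port named in the article: GirlFriend on TCP 21554.
# Add other ports you know of; "open" here means "worth investigating", not proof.
TROJAN_PORTS = {21554: "GirlFriend"}


def probe(host, port, timeout=1.0):
    """Classify one TCP port the way a port scanner does.

    "open"     - something accepted the connection (a real service or a
                 trojan's server half)
    "closed"   - the host answered with a reset: nothing is listening there
    "filtered" - no answer before the timeout: a firewall such as NIS is
                 dropping the packets, so the port looks unused from outside
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # timeout, host unreachable, etc.: no answer at all
            return "filtered"


def scan(host, ports, timeout=1.0):
    """The hacker's step from the article: check each port and report its state."""
    return {port: probe(host, port, timeout) for port in ports}


def check_local_trojan_ports(timeout=0.5):
    """Self-check: does anything on this computer answer on a known trojan port?"""
    return {name: probe("127.0.0.1", port, timeout)
            for port, name in TROJAN_PORTS.items()}


def start_fake_trojan_server(host="127.0.0.1"):
    """Constructed stand-in for a trojan's server half, for the demo only:
    listens on a free port and accepts whatever connects.
    Returns (port, stop_function)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))  # port 0: let the OS pick a free port
    listener.listen(5)
    listener.settimeout(0.2)  # wake up regularly to notice the stop flag
    port = listener.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = listener.accept()
                conn.close()
            except socket.timeout:
                continue
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def find_closed_port(host="127.0.0.1"):
    """Pick a port with nothing listening, so the demo has a "closed" case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


def demo():
    """Scan a simulated unprotected computer: one port with the fake trojan
    listening, one with nothing. Returns {"trojan": state, "nothing": state}."""
    trojan_port, stop = start_fake_trojan_server()
    closed_port = find_closed_port()
    try:
        result = scan("127.0.0.1", [trojan_port, closed_port])
    finally:
        stop()
    return {"trojan": result[trojan_port], "nothing": result[closed_port]}


if __name__ == "__main__":
    print(demo())                      # the fake trojan port reports "open"
    print(check_local_trojan_ports())  # your own computer, GirlFriend's port
```

Run against your own computer's address from another machine on the network, a port behind NIS comes back "filtered" rather than "closed": the difference is that a closed port still answers, while a blocked one stays silent, which is why a scanner sees nothing usable. The self-check only says whether some program answers on 21554; if it does, find out which program that is before assuming it is the trojan.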
So when NIS alerts you to an attempted break-in, the alert means that someone
tried and NIS blocked that attempt. The alert by itself does not tell you
whether a trojan is already on your computer; if you want to be sure of that,
scan your computer with your antivirus software and check the SARC site for the
latest threat information.
References:
Related information
Dictionary of NIS and NPF terms
NIS, NPF, or SDF reports that it blocked a Trojan from accessing your computer
You see an alert for a Trojan Horse when you connect to an FTP site
Translations of this Document:
Given the time needed to translate documents into other languages, the
translated versions of this document may vary in content if the English document
was updated with new information during the translation process. The English
document always contains the most up-to-date information.
Available translations:
German
French
