RESEARCH TRIANGLE PARK — The ever-evolving hacker industry has recently introduced another threat, and tech executives had better prepare for it, warns security firm Lancope.
The Atlanta-based company says a new, third-generation “Trojan Horse” is currently on the prowl and is capable of bypassing standard detection methods. If not stopped, the Trojan Horse can launch coordinated denial of service attacks “of crippling magnitude” and also pirate confidential information, Lancope says.
“This is a technique that could be used to make any of the existing Trojan Horse applications more stealthy – harder to detect and (to) locate compromised machines,” John Copeland, Lancope’s founder and a leading figure in security matters, tells Local Tech Wire.
Faron Golden, whom Copeland identified as a “professional network security analyst, working to protect a US government network”, brought the new threat to Lancope’s attention. Lancope confirmed the existence of the Trojan Horse and projected that it could probe 63 percent of global Internet Protocol addresses “every 17 hours.”
Lancope identified what it called the “malicious probe packets” on its own trap, or “honeynet”, and on a large university network.
“Honey Net (is) a fake network to attract the attention of hackers so that their activities can be studied,” Copeland explains.
The Trojan horse is “characterized by a TCP SYNB probe,” Lancope adds. “It looks like the packet used to open a TCP/IP network connection. It’s used to see if a computer has a certain service available, like a web or mail server.”
Sniffing and stealing
If a connection is determined by the packets to be vulnerable, Copeland added, “sniffing” for information or raiding the network for data can begin.
“Trojan Horse software can set up a backdoor to let a hacker have interactive access to a compromised system, or it may work automatically to gather data and forward it,” Copeland says. “Typical activities are scanning the local network and compromising other hosts, acting as a repository for digital media data, collecting data from the local hard disk, and/or sniffing the local network for passwords and account information.”
Lancope defines the new threat as a “third-generation” Trojan Horse that avoids what it called the “weaknesses” of the first two generations: the inclusion of a hard-coded contact e-mail/IP address in the Trojan Horse, which could be detected by virus scanners, and “listening” on specific ports for traffic, the return addresses of which were used to contact “controllers” on “compromised hosts”. The controllers could be tracked by security systems known as intrusion detection systems.
“This new generation of Trojan horses makes it far more difficult to detect either the Controller IP address or the Trojan-infected hosts,” Copeland explained in a statement. “In these cases where the Controller-Trojan connection cannot be detected, a behavior-based intrusion detection solution such as StealthWatch is critical.”
Lancope’s StealthWatch technology is based on detecting abnormal behavior within a network. Copeland says the technology offers users “the ability to detect unknown, mutated and encrypted attacks.”
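As an added illustration (not Lancope’s or StealthWatch’s code) of the behavior-based approach described here, applied to the SYN probes described earlier in the article: the script below scans constructed flow records and flags a source that sends bare SYNs to many host/port pairs yet receives few SYN/ACK replies, which is how a probing host stands out even when its controller address and payload are unknown. The record format, sample addresses and thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): (src, dst, service_port, flags).
# "S"  = a bare SYN from src to dst:service_port (the probe the article describes)
# "SA" = the SYN/ACK reply, recorded from the server (src) back to the client (dst)
SAMPLE_FLOWS = [
    # An ordinary client: three connections, all answered.
    ("10.0.0.5", "10.0.0.20", 80, "S"), ("10.0.0.20", "10.0.0.5", 80, "SA"),
    ("10.0.0.5", "10.0.0.21", 25, "S"), ("10.0.0.21", "10.0.0.5", 25, "SA"),
    ("10.0.0.5", "10.0.0.22", 443, "S"), ("10.0.0.22", "10.0.0.5", 443, "SA"),
]
# A probing host: SYNs to many hosts on web and mail ports, almost none answered.
SAMPLE_FLOWS += [("10.0.0.99", f"10.0.0.{i}", port, "S")
                 for i in range(20, 30) for port in (25, 80)]
SAMPLE_FLOWS.append(("10.0.0.20", "10.0.0.99", 80, "SA"))


def summarize_syn_activity(flows):
    """Per client: (distinct (host, port) targets SYN'd, how many of them answered)."""
    attempts = defaultdict(set)   # client -> {(server, port)}
    answered = defaultdict(set)   # client -> {(server, port)} that sent SYN/ACK
    for src, dst, port, flags in flows:
        if flags == "S":
            attempts[src].add((dst, port))
        elif flags == "SA":        # server src replied to client dst
            answered[dst].add((src, port))
    return {client: (len(targets), len(answered[client] & targets))
            for client, targets in attempts.items()}


def find_probing_hosts(flows, min_targets=5, max_answer_ratio=0.25):
    """Flag sources whose SYN fan-out is wide and mostly unanswered.

    The thresholds are illustrative assumptions; tune them per network.
    """
    suspects = {}
    for client, (targets, replies) in summarize_syn_activity(flows).items():
        if targets >= min_targets and replies / targets <= max_answer_ratio:
            suspects[client] = {"targets": targets, "answered": replies}
    return suspects


if __name__ == "__main__":
    for host, stats in find_probing_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: SYN to {stats['targets']} host/port pairs, "
              f"{stats['answered']} answered")
```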
Lancope forwarded its discoveries on to federal agencies.
“They rarely reply to information they receive directly. They collect info and issue a bulletin if a threat appears imminent,” Copeland adds. “Since they have not seen a malicious application yet using the new technique, they have not issued a bulletin. Of course, with this technique, they may see that threat until it is well underway.”
Unfortunately, Copeland said, many executives won’t react immediately to the new threat.
“Not until a malicious application hits,” he says.