Watch out: Trojans disguise computer viruses and worms
This is the first story in a two-part series about computer security at Fermilab.
Named after the mythical Trojan horse, a computer trojan is malicious code, such as a virus, a worm or a remote-control program, hidden inside something the user wants to open.
Gene Fisk of DZero had a tough start to his new year. In the first week of January, a good friend and physics colleague had passed away, and he'd spent several days contacting physicists about the funeral. So when he sat down in his office the morning of January 9th and found an e-mail greeting card in his inbox, he opened it. "Under normal circumstances, it's something I wouldn't have done," said Fisk. But when he did, instead of a sympathetic message, he found that the card wouldn't launch. Within moments, his server connection had disappeared.
The message was a phishing e-mail intended to compromise Fisk's computer. Opening the card downloaded a file, called a trojan, which installed an Internet Relay Chat (IRC) client on Fisk's computer. The IRC connection gave the attacker a remote-control channel to the machine, and the client blended in among its legitimate applications. "They hide in plain sight," said Joe Klemencic, security coordinator for the Computing Division. Groups of compromised computers running the same malicious code let an attacker access and command all of them at once, said Mark Leininger, CD's Security Manager. The capabilities of this kind of malware range from profiling and data mining to recording every keystroke.
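The remote-control channel described above is network behaviour, and that is also where it can be caught: a workstation that keeps reconnecting to an outside IRC server at a steady rhythm looks different from a person chatting on IRC. The following is an added example, not code from the article or from Fermilab's Computing Division. It runs over constructed connection-log lines in an assumed, simplified layout (timestamp, source, destination, bytes) using RFC 5737 test addresses, flags internal hosts with repeated outbound IRC connections, measures the reconnect interval, and, for connections on unexpected ports, checks whether the client side of the stream actually speaks the IRC protocol.

```python
"""Flag internal hosts that behave like IRC bots in connection logs.

Added example. SAMPLE_FLOWS is constructed for illustration (RFC 5737 test
addresses, made-up times) in an assumed simplified layout:
    <ISO timestamp> <src ip>:<port> -> <dst ip>:<port> <bytes>
It is not a Fermilab log format.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Ports conventionally used by IRC servers. A bot can be told to use any port,
# so this is a first pass; looks_like_irc() below checks the protocol itself.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Commands an IRC client sends when it registers and joins a channel.
IRC_COMMANDS = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PONG|MODE) ", re.MULTILINE)

INTERNAL = ipaddress.ip_network("192.0.2.0/24")  # assumed site range

FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<bytes>\d+)$")

SAMPLE_FLOWS = [
    # 192.0.2.17 reconnects to the same outside IRC server every ~5 minutes
    "2007-01-09T09:14:02 192.0.2.17:51234 -> 198.51.100.9:6667 812",
    "2007-01-09T09:14:05 192.0.2.17:51240 -> 203.0.113.44:443 20448",
    "2007-01-09T09:19:02 192.0.2.17:51302 -> 198.51.100.9:6667 1041",
    "2007-01-09T09:24:03 192.0.2.17:51377 -> 198.51.100.9:6667 977",
    "2007-01-09T09:29:01 192.0.2.17:51410 -> 198.51.100.9:6667 1203",
    # 192.0.2.40 opens one IRC session: could be a person chatting, not flagged
    "2007-01-09T10:02:11 192.0.2.40:50011 -> 198.51.100.22:6667 3890",
    # inbound traffic and unparsable lines are ignored
    "2007-01-09T10:05:00 198.51.100.9:6667 -> 192.0.2.17:51410 512",
    "garbage line",
]


def parse_flow(line):
    """One log line -> dict, or None when the line does not match the layout."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "bytes": int(m["bytes"])}


def outbound_irc_flows(lines):
    """Parsed flows from an internal host to an outside IRC port."""
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in INTERNAL and dst not in INTERNAL and f["dport"] in IRC_PORTS:
            yield f


def suspicious_irc_hosts(lines, min_connections=3):
    """Map internal host -> sorted outside 'ip:port' targets, for hosts that opened
    at least min_connections IRC connections. A bot keeps reconnecting to its
    controller; a single connection is more likely a person using IRC."""
    targets = defaultdict(list)
    for f in outbound_irc_flows(lines):
        targets[f["src"]].append(f"{f['dst']}:{f['dport']}")
    return {h: sorted(set(t)) for h, t in targets.items() if len(t) >= min_connections}


def reconnect_intervals(lines, host, target):
    """Seconds between successive connections from host to 'ip:port'. Near-constant
    intervals are the beaconing rhythm of a bot checking in with its controller."""
    times = sorted(f["ts"] for f in outbound_irc_flows(lines)
                   if f["src"] == host and f"{f['dst']}:{f['dport']}" == target)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def looks_like_irc(client_payload):
    """For a connection on an unexpected port: does the client side of the stream
    speak IRC? Two or more registration/channel commands is a strong sign."""
    return len(IRC_COMMANDS.findall(client_payload)) >= 2


if __name__ == "__main__":
    for host, targets in suspicious_irc_hosts(SAMPLE_FLOWS).items():
        for t in targets:
            print(host, "->", t, "intervals:", reconnect_intervals(SAMPLE_FLOWS, host, t))
```

The port list is deliberately only a first filter: the payload check is what catches a controller that has been moved to port 80 or 443 to blend in with web traffic, and the interval check separates a bot's mechanical reconnects from a person who opens one chat session and leaves it up.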
In Fisk's case, the trojan was sophisticated enough that the computer's security software did not detect it. Attackers know the defensive technology and find ways around it, said Klemencic. "This machine was properly patched and running current antivirus software and was still compromised. Our users are our final line of defense," added Leininger. In addition to avoiding e-mails with suspicious subjects or senders, the CD team advises employees not to read e-mail in HTML format, not to click on links in e-mails, and not to open unknown attachments.
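Each of the three pieces of advice corresponds to something that can be checked mechanically before a message is opened. The following is an added example, not code from the article or from the CD team: it parses a constructed message (the addresses, domains, attachment name and base64 payload are made up for illustration and are not the message Fisk received) and reports an HTML body, links whose visible text names a different host than the one they actually point to, and attachments with executable extensions.

```python
"""Triage an e-mail for the indicators the CD advice names: an HTML body,
clickable links (especially ones whose visible text names a different host
than the one they point to), and attachments with executable extensions.

Added example. SAMPLE_MESSAGE is constructed for illustration: the addresses,
domains, attachment name and base64 payload are made up and are not the
message Fisk received.
"""
import email
import os
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows will run directly when the user double-clicks the file.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                         ".vbs", ".js", ".hta", ".jar"}

SAMPLE_MESSAGE = """\
From: greetings@example.net
To: user@example.com
Subject: You have received a greeting card
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>A friend sent you a card. View it at
<a href="http://198.51.100.9/cards/view.php?id=4471">cards.example.com/view</a>
or open the attached copy.</p></body></html>
--b1
Content-Type: application/octet-stream; name="card.exe"
Content-Disposition: attachment; filename="card.exe"
Content-Transfer-Encoding: base64

Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
--b1--
"""

HOST_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z0-9-]+")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s):
    """Hostname of a URL, or of bare text such as 'cards.example.com/view';
    '' when the text does not look like a host at all."""
    if "://" not in s:
        s = "http://" + s
    try:
        host = (urlparse(s).hostname or "").lower()
    except ValueError:
        return ""
    return host if HOST_RE.fullmatch(host) else ""


def triage(raw_message):
    """Parse a raw RFC 822 message and collect the risk indicators."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    report = {"html_body": False, "links": [], "mismatched_links": [],
              "risky_attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if part.get_content_disposition() == "attachment" or filename:
            ext = os.path.splitext(filename or "")[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                report["risky_attachments"].append(filename)
            continue
        if part.get_content_type() == "text/html":
            report["html_body"] = True
            extractor = LinkExtractor()
            extractor.feed(part.get_content())
            for href, text in extractor.links:
                report["links"].append(href)
                text_host, href_host = _host(text), _host(href)
                # the displayed text names one host, the link goes to another
                if text_host and text_host != href_host:
                    report["mismatched_links"].append((text, href))
    return report


def reasons_to_hold(report):
    """Plain-language reasons why the message should not simply be opened."""
    reasons = []
    if report["risky_attachments"]:
        reasons.append("executable attachment: " + ", ".join(report["risky_attachments"]))
    if report["mismatched_links"]:
        reasons.append("link text does not match link target")
    elif report["links"]:
        reasons.append("message contains clickable links")
    if report["html_body"]:
        reasons.append("HTML body; read as plain text")
    return reasons


if __name__ == "__main__":
    for reason in reasons_to_hold(triage(SAMPLE_MESSAGE)):
        print("-", reason)
```

The extension list is a convenience, not a guarantee: an attachment's declared type and name are both attacker-controlled, which is why the advice is simply not to open unknown attachments rather than to trust a filter. The host comparison catches the common lure where the visible text reads like a familiar address while the href points at a bare IP or an unrelated domain.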
Fisk's desktop was down for more than a week while CD ran security checks, removed the malicious code, reformatted his hard drive and reinstalled its software and files. Fortunately, the trojan did not spread to any other machines. And fortunately for Fisk, his files were backed up on a DZero server and he used a laptop to continue working. But the experience has driven home what he calls that "old admonition": don't trust your e-mail.
Fermilab users can scan their systems for vulnerabilities using CD's ScanMeNow or the new nessquik, available on Fermilab's security website.