Trojan Horse Delivered In Automatic Update

By | May 4, 2006

This is a fictional article about a Trojan Horse Virus, or you could say it is one mans prediction of a “worse case scenario”. Because of the field I’m in, I maintain a personal list of my top 10 “worse case scenarios”. Every time I perform a security assessment I run into something new or identify a situation that is ripe for a potential vulnerability. I think we could all agree that no respectable or ethical company would intentionally deliver a malicious piece of code as part of a helpful update solution. However, the reality is that human beings are behind technology and human beings are unpredictable and fallible.

Many major operating system vendors have automatic update services. Many hardware vendors and other software packages have followed this trend, incorporating automated update services into their products. In some cases, the services for automatic updates run as the local “system” account. This account has the ability to access and modify most of the operating system and application environment. When automatic updates were relative new, many people would perform the updates manually, however, as time has progressed, many now trust these services and allow the updates to proceed in a truly automated fashion.

So let’s expand upon our “worse case scenario”. A new service pack is just about ready for release. The last step prior to public release is quality control / validation. The team of people performing this task includes a significantly disgruntled employee (Or may he/she is going through a horrible life crisis and has not much to lose). When people are in pain or distress it is not uncommon for them to project this same feeling onto others in any way they can. So, instead of performing their job in the normal fashion, they decide to incorporate a malicious payload into the forthcoming update.

The First Step For The Trojan Horse: Evasion – This payload has some unique characteristic, three to be precise. First, it is constructed in such as way to not appear as something malicious. The anti-virus and anti-spyware programs currently on the market won’t be able to detect it through anomalous detection techniques.

The Second Step For The Trojan Horse: Information Collection – Secondly, it has been instructed to wait 12 hours to activate to start searching your computer an network for important files that may contain financial, healthcare, and other confidential information such as user accounts and passwords. It then sends this information to anonymous systems on the Internet. Because this “Trojan horse” has been incorporated into an automated update by someone with reasonable skills, it is instructed to only perform the collection of data for 12 hours. Given the number of global systems that allow automated updates, 12 hours should be more than enough. The person behind this realizes that someone will quickly identify that something malicious is going on and start to roll-out a defense solution to halt the process.

The Final Step: Incapacitate – Finally, the Trojan Horse will cease it’s data collection and deliver it’s final blow. Because of the level of system privilege it is running at, it modifies the communication protocols and services on the system to prevent any type of external communication to its local peers and external (Internet) hosts. It does this in such as way that the only immediate method to recover from this is a system roll-back, system repair, or restore from near-line media, such as tape or disk. And as far as system recovery is concerned, I can tell you that many people even in corporate entities do not perform the most basic steps to be prepared for a quick system disaster recovery. In some cases, some of the most important recovery services have been disabled because of lack of system resources or disk space (which is amazing given how inexpensive this is anymore).

What Could Be The Impact Of This “Trusted” Trojan Horse

People are already concerned about identity theft, or at least they should be. I recently spoke with a business associate that told me that even with everything he does to keep his identity secure he has been the victim of identity theft not once, but twice. If your user id’s, online accounts, passwords, financials, or other confidential information winds up on the Internet for any anonymous person to see, you can bet it will be used in a way to cause you problems. Even if only 10% of the global systems fell victim to this Trojan Horse, the cut off of communications could cost businesses billions of dollars and potentially impact their reputation as “secure” institutions.

If we don’t think that this “worse case scenario” can happen, then we’re kidding ourselves. Recently, one of the market leaders in the perimeter defense business had to recall a service pack because it contained a significant “bug” that could result in a security breach; a service pack that can be delivered through and intelligent update service. Obviously there has to be a certain level of trust between us, the consumer, and the vendors of hardware / software we rely on. I’m not entirely sure what “fail-proof” solution can be put in place to prevent something like this from happening. Although I’m sure there are quite a few checks and balances in place already. The bottom line is, if you or I can image a scenario like this, there is always a chance of it happening. In my case, I usually wait for several days to apply new service packs and hot-fixes. Hopefully someone else will find the problem, correct it, and then I’ll apply it.

Darren Miller is an Information Security Consultant with over sixteen years experience. Darren is a staff writer for

Leave a Reply