What Is a Trojan Horse?

A Trojan horse is a program that tricks an unsuspecting victim into performing some function under his access authorization or into divulging confidential information. Trojan horses take advantage of the fact that few security systems are designed to protect users from themselves. Standard security system implementations assume that we are responsible for all programs and data under our control. Most security systems protect users from each other and control access to files and data not owned by the user. They protect resources from users, but not users from resources. Usually, any program that executes under a given user ID can access any of the data files owned by that ID. Consequently, if you inadvertently execute a Trojan horse, it can erase or search all of your files.

Disguised as logon dialogs, ISPF dialogs, utilities, or games, Trojan horses work by fooling you. Trojan horse logon dialogs work best in environments where people share terminals or PCs. In a z/OS environment, the hacker can create a program that displays a signon screen that looks exactly like the standard signon screen. You sit down at your terminal and key in your user ID and password. The hacker’s program can reply that the maximum number of users are logged on and that you should try again later. You then leave, unaware that the hacker’s program recorded your user ID and password. The Trojan horse continues to run until the hacker keys in a secret command to unlock it and retrieves all the user IDs and passwords that the program collected.

Any time you cannot log on to the system, you can circumvent this type of Trojan horse by powering off the terminal and powering it back on. This action should abend the Trojan horse and let you access the system. Also, if you suspect a Trojan horse recorded your password, change your password.

The PC versions of this type of Trojan horse can simulate or capture an image of the TSO, CICS, IMS, or other signon screens that contain your ID and password. The hacker simply uses the PC to occasionally harvest the latest IDs and passwords. These programs can easily be brought into a data center on floppy disks and installed in shared PCs or PCs of prominent users. No system modifications are required.

Another technique is the concealed command. This technique tricks someone with the proper authority into issuing a particular command for you. This technique works because IBM 3270‑type devices are screen‑oriented and transmit or receive an entire screen buffer at a time. An attribute byte that precedes each data field on the screen tells the hardware whether the field is alphabetic, numeric, protected, unprotected, high intensity, nondisplayable, and so on. Nondisplayable fields give the hacker an opportunity to exploit. When an innocuous‑looking but tempting message such as “Important message waiting, please press Enter” is sent to a victim, the victim does not realize that a restricted command is hidden in a “dark” field of the message screen. If the message tricks the victim into pressing the Enter key, the hidden command is executed under the victim’s authority.
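
A defender can check for the concealed-command pattern by inspecting the screen data a program sends to a terminal. The following Python is an added example, not part of the original documentation or of any product: it decodes the field attribute bytes in a constructed 3270 outbound stream and reports nondisplayable fields that arrive already filled with text. It assumes the stream starts after the write command and WCC bytes and handles only the SF, SBA and IC orders; the function names and the sample data are made up for illustration.

```python
# Added example: audit an outbound 3270 data stream for pre-filled "dark" fields.
SF, SBA, IC = 0x1D, 0x11, 0x13   # orders: Start Field, Set Buffer Address, Insert Cursor
NONDISPLAY = 0x0C                # attribute bits 4-5 both on = nondisplayable
PROTECTED = 0x20                 # attribute bit 2 on = protected

def split_fields(stream: bytes):
    """Return [(attribute, text)] for every field opened by an SF order."""
    fields, attr, data, i = [], None, bytearray(), 0
    while i < len(stream):
        b = stream[i]
        if b == SF:
            if i + 1 >= len(stream):       # truncated stream: SF without attribute
                break
            if attr is not None:
                fields.append((attr, data.decode("cp037")))
            # The top two bits only make the byte a graphic; the low six carry the attribute.
            attr, data = stream[i + 1] & 0x3F, bytearray()
            i += 2
        elif b == SBA:                     # order byte plus two address bytes
            i += 3
        elif b == IC:                      # single-byte order
            i += 1
        else:
            if attr is not None:           # data before the first SF belongs to no field
                data.append(b)
            i += 1
    if attr is not None:
        fields.append((attr, data.decode("cp037")))
    return fields

def find_concealed(stream: bytes):
    """Flag nondisplayable fields that the sender already filled with text."""
    return [
        {"protected": bool(attr & PROTECTED), "hidden_text": text.strip("\x00 ")}
        for attr, text in split_fields(stream)
        if (attr & NONDISPLAY) == NONDISPLAY and text.strip("\x00 ")
    ]

# Constructed sample: a visible message, a pre-filled dark field, a label, and an
# ordinary empty password field (nondisplayable but blank, so it is not flagged).
SAMPLE = (
    bytes([SBA, 0x40, 0x40, SF, 0x60])
    + "Important message waiting, please press Enter".encode("cp037")
    + bytes([SF, 0x4C]) + "EXAMPLE-RESTRICTED-COMMAND".encode("cp037")
    + bytes([SF, 0x60]) + "Password:".encode("cp037")
    + bytes([SF, 0x4C, IC]) + b"\x00" * 8
    + bytes([SF, 0x60])
)

if __name__ == "__main__":
    for hit in find_concealed(SAMPLE):
        print(hit)
```

A nondisplayable field is normal for password entry, which is why the check reports only dark fields that the sending program filled in before the user typed anything.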

Time‑sharing systems such as TSO/ISPF are vulnerable to Trojan horses. Hackers can make attractive games available in a system library and invite everyone to try their skills. While curious and unsuspecting users are playing the games, the Trojan horse is busy picking their pockets. Even though the game programs reside in a public library, they actually execute under the players’ user IDs. Hackers can use this technique to gain access to a user’s program library. Once in the library, the Trojan horse can use virus concepts to spread to other programs and libraries that the user has access to. If these programs are shared by other users, the virus can latch on to these programs and infect the entire system, and eventually, the operating system.