The case illustrates the growing threat to enterprises from surreptitious monitoring programs, which are increasingly being used in sophisticated and coordinated attacks. While news of virus and worm outbreaks still dominates the headlines, Trojans could be a silent epidemic affecting untold numbers of companies, according to one leading malicious code researcher.
Authorities in Israel are expected to charge Michael Haephrati of London with writing the Trojan program that stole documents from one of the countrys leading car importers, as well as high technology and telecommunications firms. Private investigation firms are believed to have planted the Trojan, then pilfered documents from the companies computers, including customer lists, sensitive information on bids and corporate strategy documents, according to published reports.
Security experts contacted by eWEEK agree that similar Trojans could be lurking on the networks of many companies without arousing suspicion.
A recent, informal poll of companies by the SANS Institutes Internet Storm Center turned up a number of examples of spyware and Trojans that stole passwords and spied on e-mail traffic. The network administrators who contacted ISC typically found the programs by accident, said John Bambenek, a research programmer at the University of Illinois and ISC incident handler.
Trojans and key loggers are now common components of worms and viruses, he said. Supplementing those elements with programs that search out and pilfer particular types of documents is a simple matter, he said.
Recent evidence collected by researchers at Computer Associates International Inc. suggests that those behind Trojan programs are becoming more sophisticated in getting their wares onto vulnerable machines, also.
Recent versions of the Glieder and Fantibag families of Trojan horse programs cooperate to infect vulnerable systems, according to Sam Curry, vice president of eTrust Security Management at CA.
The staged attacks began with a flood of new Glieder variants—eight in 8 hours—which spread quickly between machines. The new variants strained anti-virus researchers, who had to create unique signatures for each new variant, giving the Trojan time to spread undetected.
In the second stage of the attack, the Glieder variants opened a backdoor on infected systems that was used by the new variants of Fantibag, which cut off access to anti-virus update services and the Microsoft Windows update service. In the final stage of the attacks, a version of the Mitglieder Trojan was installed to channel network traffic through proxy servers run by the parties who launched the attack, Curry said.
"These are new dimensions and degrees of coordination," he said.
The sheer volume of new Trojan programs could overwhelm enterprise anti-virus and perimeter protection systems, exposing companies or employees to identity theft, loss of intellectual property or even regulatory violations, Curry said.
"The scary thing is that often the [support] calls are not there. There arent alarm bells going off. These systems are being abused, and people have no idea of what happened," he said.