A Trojan horse is a program containing a damaging function which is covertly embedded in another program. Trojan horses are spread by being integrated into host programs that are as "attractive" as possible and are then, for example, offered for download or sent as e-mail attachments. As well as causing damage directly, Trojan horses can be used to enable outsiders to gather information not only about this particular computer but also about the local network.
It is difficult to protect oneself against Trojan horses as they can be concealed in many different kinds of files. It is therefore important to keep reminding all users about the problem of Trojan horses. Important procedural rules in this area are provided below.
Data and programs which are retrieved from the Internet constitute a major distribution channel for computer viruses and Trojan horses designed to spy out, relay, alter or delete user data. However, it is not only programs in the true sense, but also office documents (text, spreadsheets and presentation files) that can contain viruses and Trojan horses in the form of macros.
No programs from unknown sources should be installed (see also S 2.9 Ban on using non-approved software).
A lot of data and programs are available from multiple sources, e.g. from mirror servers on the Internet or provided on CD-ROMs that come free with magazines. Data and programs should only be downloaded from trustworthy sites, i.e. preferably only from the original site of the author of the material.
No e-mail attachments or other files received from communication partners should be opened if these are not expected or have unusual names. In case of doubt, one should check with originators as to whether they have really sent the message.
Note: incoming e-mail is the biggest gateway for computer viruses and Trojan horses. Where the e-mail comes from persons who are apparently familiar and/or trustworthy, check the message text to see whether it is plausible for this to have been sent by this originator (e.g. English text from a German business associate, dubious text or lack of reference to specific procedures etc.) and whether the attachment was actually expected.
Information on file size and any stated checksum should always be checked after downloading. In the event of deviations from the stated size or checksum one may assume that unauthorised alterations have been made. Therefore such files should be deleted immediately.
When exchanging e-mails, digital signatures should be used where possible to check the authenticity and correctness of the e-mail contents (S 4.34 Using encryption, checksums or digital signatures).
All files and programs received from third parties should be checked with an up-to-date virus scanning program prior to activation. Virus scanning programs also check whether any (known) Trojan horses are present (on this point see also Section 3.6 "Computer Virus Protection Concept").
In principle all programs should be checked prior to installation and release on test systems (S 4.65 Testing of new hardware and software).
Enquiries should be made regularly with CERTs and other security-specific information services as to whether any programs used have come to light as transferring data from users' IT systems without their knowledge (see also S 2.35 Obtaining information on security weaknesses of the system). As well as some office programs and free add-on software, program libraries have come to light which have passed user information on to third parties without the programmers who have used them being informed.
When installing programs, the programming notes and conditions of use should be read through carefully. These sometimes state (more or less clearly) that user or system data will be collected and passed on when the program is used.
Trojan horses can also be embedded in the active content of WWW pages (Java, JavaScript and especially ActiveX) as they are loaded along with WWW pages, often without the user noticing. A certain amount of protection can be achieved by ensuring that, especially at times when one is working online, only processes and programs which are really necessary are running, so that any extra activities on the computer or hard disk will be noticed. Moreover Internet browser settings should be reviewed and amended to ensure that, for example, active content cannot even be loaded onto the computer.
Trojan horses are often aimed at collecting passwords or other access data. Therefore passwords should never be stored on IT systems.
It is also recommended that the storage media in use be checked regularly for unexpected alterations (new or amended files, unusual behaviour).
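The following Python sketch is an added example and not part of the original safeguard text. It covers two of the rules above: checking a download against its stated size and checksum (deleting the file on any deviation) and checking a storage medium for new or amended files against a stored baseline. SHA-256, the function names and the sample files are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large downloads are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, stated_size, stated_sha256):
    """True if size and checksum match the stated values; otherwise delete the file."""
    wanted = stated_sha256.strip().lower()
    ok = os.path.getsize(path) == stated_size and sha256_file(path) == wanted
    if not ok:
        os.remove(path)  # deviation: treat as an unauthorised alteration
    return ok

def snapshot(root):
    """Map each file under root (relative path) to its (size, SHA-256)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            state[os.path.relpath(full, root)] = (os.path.getsize(full), sha256_file(full))
    return state

def compare(baseline, current):
    """Report new, amended and removed files relative to the stored baseline."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "amended": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed sample: a temporary directory stands in for the storage medium."""
    with tempfile.TemporaryDirectory() as root:
        tool = Path(root) / "tool.bin"
        tool.write_bytes(b"original release")
        stated = (tool.stat().st_size, sha256_file(tool))  # assumed published values
        baseline = snapshot(root)
        tool.write_bytes(b"tampered release")  # same size, different content
        (Path(root) / "extra.dll").write_bytes(b"unexpected")
        report = compare(baseline, snapshot(root))
        kept = verify_download(tool, *stated)
        return report, kept, tool.exists()
```

The tampered file in the sample has the same size as the original, so only the checksum reveals the alteration. The baseline itself should be stored where the monitored system cannot modify it.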