ILLUSTRATION: MICHAEL KUPPERMAN


A well-known Israeli mystery writer, Amnon Jackont, found himself embroiled in a plot that could have come straight out of one of his novels. One day last year, he and his wife, Varda Raziel-Jackont, stumbled across a Web site that reprinted chapters from their cowritten--and not yet published--book. Until that moment, they thought that the book existed only as a file on their personal computer.

 

The thief? An estranged member of the family [see photo, "Culprit"]. With the police, the Jackonts figured out that the ex-husband of Raziel-Jackont's daughter had cracked their computer by e-mailing them a school registration form for their granddaughter with malicious software embedded.

The attack, of a kind known in software circles as a targeted Trojan horse, turned out to be the clue to a much bigger crime. When the local police got to the server where the culprit was thought to be storing the purloined novel, says Jackont, "they found a lot of people's stuff."

It emerged that the Jackonts' former son-in-law, Michael Haephrati, had made a business of selling his spy software and services to corporate leaders, who harvested competitors' secrets from desktops. In due course, nearly 20 people--including executives at two cellphone companies, a major satellite television provider, and a Honda importer--found themselves in handcuffs and in Israeli tabloid headlines. Their victims included an Israeli telecommunications giant and a Volkswagen importer.

"To me," comments a programmer working in Israel's aerospace industry, "it was amazing how many legitimate firms bought into this action. Maybe I'm just naive."

The Trojan horse attack, in which an e-mailed attachment--like the Trojan horse of Greek myth--looks innocuous but conceals a dangerous cargo, has been an all-too-familiar part of the computer landscape for decades. In recent years, however, a new and ever more prominent feature in that landscape has been the targeted Trojan, in which the e-mail subject line or message contains language calculated to lure a particular recipient into opening the attachment. Increasingly, targeted Trojan horses are being used to steal proprietary information, obtain intelligence to get an edge on rivals, and even, it seems, obtain access to sensitive military data.

The U.S. Department of Energy--keeper of the nation's nuclear secrets, among other responsibilities--revealed in July that it received several eerily personalized messages this summer. One e-mail, sent to a small group of DOE employees, appeared to come from a colleague and began with the convincing line, "In regards to today's meeting at 3 pm, I have attached a preliminary file for your reading." The attached file hid software that, if launched, would have allowed information to be extracted from the computer by remote control. (The DOE declined to answer questions about whether the targeted Trojan horses compromised any data.)

Customized Trojan-bearing e-mails likewise struck critical government and commercial offices in the United Kingdom and Canada. In a security briefing in June, the British government described this type of attack as an ongoing threat to national infrastructure. The Canadian and U.S. governments issued similar warnings.

No one knows exactly how often targeted Trojans strike, but they clearly represent a new twist in the way "malware" (malicious software) is distributed, says Johannes Ullrich of the SANS Internet Storm Center, a private organization in Bethesda, Md., that tracks security threats. Trojan horse software made up a third of the top malware complaints to Symantec Corp., a leading security company in Cupertino, Calif., in the second half of 2004--double the proportion in the second half of 2003.