Trojan Horse?

OK…

I am a new user of “Norton” Anti-Virus software.

I have just got a message on screen explaining that some computer somewhere in the world has tried to gain access to my PC using a “Trojan Horse”.

The software also asked me if I wanted to track the source. I thought this was a particularly nifty request, so I answered in the positive.

It was tracked to the following IP Address 217.151.182.255.

It told me that this address was used by a PC somewhere in Iceland.

Some questions.

  1. I blocked the alleged “Trojan Horse”. Was I right to do this?
  2. What exactly is a “Trojan Horse”?
  3. How was the source tracked back to one IP Address?
  4. How does the software know the IP Address is located in Iceland?
  5. Is this a reliable location, or are there some tricks used to put the software “off the scent” at the “Trojan Horse” end?
  6. Why was my PC targeted for the “Trojan Horse”?

Thank you.

Trojan horses are malicious software programs that users are tricked into running. They usually allow remote users to control your computer, installing software and reading your files. To find systems infected by trojan horses, attackers will simply brute force scan every address within a given range, listening for a “Hi!” response from infected systems, until they find enough hosts for their purposes. Most commonly, these systems are used to perform Denial of Service attacks on servers, send spam, or mask other illegal activities. If you’re not infected by a trojan, you’re at no risk from remote trojan scans. If you didn’t block the scan, your computer would just respond with a “Huh?” to the scan, and nothing would come of it. Software can easily detect scans from remote systems and tell you what IP they originate from. Tracing this to a geographic area is much more problematic and significantly less reliable, as IP addresses are no longer assigned based on location. Most likely, the host that scanned you was another machine infected by a trojan horse, either doing automated scanning or being controlled by an attacker.
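The scan detection described in the reply above, sketched as an added example that is not part of the original thread and is not how Norton works internally. The log format, the function name `find_trojan_probes`, and the addresses (documentation ranges) are assumptions made for illustration; the port list holds the historical default ports of three well-known remote-access trojans.

```python
import re
from collections import defaultdict

# Historical default listening ports of some remote-access trojans.
TROJAN_PORTS = {12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}

# Constructed firewall log lines (hypothetical format, documentation addresses).
SAMPLE_LOG = """\
2004-03-01 10:15:02 BLOCK TCP 203.0.113.7:4021 -> 192.0.2.10:27374
2004-03-01 10:15:02 BLOCK TCP 203.0.113.7:4022 -> 192.0.2.11:27374
2004-03-01 10:15:03 BLOCK TCP 203.0.113.7:4023 -> 192.0.2.12:27374
2004-03-01 10:16:40 ALLOW TCP 192.0.2.10:3310 -> 198.51.100.20:80
2004-03-01 10:17:11 BLOCK TCP 198.51.100.99:1999 -> 192.0.2.10:12345
2004-03-01 10:18:00 BLOCK TCP 198.51.100.50:2200 -> 192.0.2.10:445
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>BLOCK|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def find_trojan_probes(log_text, sweep_threshold=3):
    """Return {source_ip: report} for connections to known trojan ports."""
    hits = defaultdict(lambda: {"ports": set(), "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing
        port = int(m["dport"])
        if port in TROJAN_PORTS:
            hits[m["src"]]["ports"].add(port)
            hits[m["src"]]["targets"].add(m["dst"])
    report = {}
    for src, h in hits.items():
        report[src] = {
            "trojans": sorted(TROJAN_PORTS[p] for p in h["ports"]),
            "targets": len(h["targets"]),
            # One port tried against many hosts is a range sweep, not a targeted attack.
            "sweep": len(h["targets"]) >= sweep_threshold,
        }
    return report

if __name__ == "__main__":
    for src, info in find_trojan_probes(SAMPLE_LOG).items():
        print(src, info)
```

The source address in such a report is only where the probe came from; as the reply notes, that host is often itself an infected machine.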

  1. I blocked the alleged “Trojan Horse”. Was I right to do this?
    Yes.

  2. What exactly is a “Trojan Horse”?
    A Trojan Horse is a malicious or undesirable program. Unlike viruses or worms, where a weakness in the operating system is used to execute them, a Trojan Horse exploits human nature. Someone presents you with an executable and suggests it is, for example, a cute little game or a screensaver or a .zip archive full of nude pictures of Roseanne Barr. You, wanting whatever is promised, click on the file to execute it. Instead of doing the expected, it does something different like install a keystroke-logger or remove critical files or just open up some ports so the hacker can get in at his or her leisure.

A Trojan Horse is a seemingly benign package full of malicious content that you are tricked into executing.

  3. How was the source tracked back to one IP Address?
    IP address ranges are registered to people or companies. Part of the registration is supposed to be an address of the person on record. This information is easily available.

  4. How does the software know the IP Address is located in Iceland?
    Same as above. The software is reporting the recorded address or location for the entity that owns that IP address.

  5. Is this a reliable location, or are there some tricks used to put the software “off the scent” at the “Trojan Horse” end?
    It is not foolproof. It reports where the records say the IP address was registered, but in the case of ISPs (like AOL, Earthlink, etc…) the addresses may be registered to a location, but the users may dial-in or connect from very diverse locations. The IP address will get you to the service provider. From there, you report the abuse to the provider and they, if they are honest and not feeling lazy, investigate. They determine what customer was assigned that IP address at that time, look through their logs and determine what action to take. In this case, probably none unless they get a lot of complaints.

  6. Why was my PC targeted for the “Trojan Horse”?
    Your PC wasn’t targeted. It is common to scan whole ranges of IP addresses for machines that may possibly be vulnerable and then go back and try specific attacks on the vulnerable addresses. You weren’t targeted. Some hacker went fishing with a very wide net.

Thank you for your answers, much appreciated.

I’m glad I blocked it now.