Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] Re: Microsoft AntiSpyware falling further behind

from [bkfsec] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] Re: Microsoft AntiSpyware falling further behind
Date: Mon, 31 Oct 2005 15:46:50 -0500 
Valdis.Kletnieks@vt.edu wrote:

Which is particularly amusing, given that the Trojan Horse written about by 
Homer
was quite specifically a 'remote access Trojan' - a very small number of 
soldiers
were hidden inside to open the gates for the main forces.  If anything, the
use of the term to mean "remote access Trojan" is getting back in line with the
*actual* historical meaning - uses of "Trojan" for non-remote-access back doors
were in fact not strictly historically correct...

You'll also notice that I *did* say:



<snip>


So I *was*, in fact, covering the 0.001% of trojans in use today that aren't
strictly a remote-access variant.  Meanwhile, the *old* name for what Nick
wants to call a 'Trojan Horse' was 'trap door' (see Karger&Schell's 1974 paper
on Multics security - in fact, section 3.4.5.1 of that paper discusses the
theoretical possibility of a 'compiler trap door', subsequently actually
implemented by Ken Thompson as discussed in his 1984  Turing Award Lecture "On
Trusting Trust".

Interestingly enough, Ken calls his implementation a Trojan Horse:

 "Figure 6 shows a simple modification to the compiler that will deliberately
 miscompile source whenever a particular pattern is matched. If this were not
 deliberate, it would be called a compiler "bug." Since it is deliberate, it
 should be called a "Trojan horse.""

Additionally, he goes on:

 "The final step is represented in Figure 7. This simply adds a second Trojan
 horse to the one that already exists. The second pattern is aimed at the C
 compiler. The replacement code is a Stage I self-reproducing program that
 inserts both Trojan horses into the compiler. "

Notice that the second pattern is specifically *not* allowing any remote access,
but propogating the first pattern.  Yet Thompson calls it a Trojan as well.

Forget it, Nick. You're fighting a battle already lost in 1984. ;)



I'm forced to disagree with you Valdis.

First, I'll deal with the Homer reference: "Trojan Horse", in the story, refers to the horse itself that housed the soldiers. The particular *use* of the horse was not to open a backdoor, that was the intention of its "payload", the soldiers inside the horse.

The horse itself had one sole duty: to trick the trojans.

That's all it had to do. They could have put a bomb in there for all intents and purposes and it still would have been a Trojan Horse, obviously. No back door required, just a burning city.

So, much like all analogies in network security, people take this one too far. No offense meant here, but reading the story so literally and comparing that to the term is, in my opinion, a misreading of the story.

Secondly, Nick wasn't saying that Trojan Horses can't refer to code which drops backdoors, rather that that's not all they are. Frankly, the Ken Thompson lecture you cited *proves* his point as the Trojan does not open up a back door.

In my mind, there are three important major groups of malware: Virus, Trojan, and Worm.

*ALL* forms of malware tend to match at least one of these subgroupings in their design and operation. All that separates the groups therein are payloads which cause them to do different things. (I am not listing manual exploit code as its use is obvious.)

Viruses are file/exec infectors (including boot sectors and anything that executes). Trojans are programs requiring manual execution intended to deceive. And worms spread on their own accord via network means.

Spyware, backdoors, keyloggers, and other malware payloads are all dropped by one of these types of packages. Spyware drops its payload often through websites with malicious code on it. This, in my mind, consistutes a trojan as the deceptive website draws the target in for silent installation. E-mail "viruses" are trojans in my book because the deceptive e-mail is the draw.

If we start coming up with arbitrary and restrictive taxonomy for the different "types" of malware, we're going to harm our ability to deal with them. I think it's very important that we keep the major strata of malware from becoming too specific in its meaning.

               -bkfsec


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Full-disclosure] Security, Hacking & Social Engineering Presentation., James Eaton-Lee
Next by Date:  RE: [Full-disclosure] Security, Hacking & Social EngineeringPresentation., Todd Towles
Previous by Thread:  Re: [Full-disclosure] Re: Microsoft AntiSpyware falling further behind, Valdis . Kletnieks
Next by Thread:  Re: [Full-disclosure] Re: Microsoft AntiSpyware falling further behind, Nick FitzGerald
Indexes:  [Date] [Thread] [Top] [All Lists]