Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Microsoft AntiSpyware falling further behind
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 30 Oct 2005 09:46:48 +1300

Valdis Kletnieks wrote:

No, because they're different.


Trojan horses (a) get installed under pretense of being something wanted
or beneficial ("Hey, I'm a neat fun codec that lets you view these movies...")


and (b) once there, gives the attacker a "back door" into the system, to
do unspecified things (run commands, launch DDoS attacks, send spam, scan
for other vulnerable software, upload plugins to extend the Trojan's functionality,
or whatever).


In the late 1990s, a particular form of Trojan Horse program -- remote 
access Trojans or RATs -- became very popular with a certain element of 
computer users.  Things like Netbus and BackOrifice became all the rage 
and "hacking" others' computers by SE'ing them into installing your 
preferred RAT was considered de rigeur by what would generally be 
called the kiddies.

Anyway, an upshot of this was that a certain element (and I'd never 
have picked Valdis K as being one of these!) started using the word 
"Trojan" or the phrase "Trojan Horse" for the first time _for them_ in 
reference to computer software, _AND_ they were using it specifically 
(though few probably even realized this) as a shorthand for "remote 
access Trojan".

This is a Johnny come lately perversion of the real meaning of Trojan 
Horse in reference to software.  Trojan Horse, or simply Trojan, 
software has always meant, and still does to anyone with a vague hint 
of historical awareness, software that gets installed under the 
pretense of being something desirable or beneficial but that actually 
has deliberately (on the part of its designer/developer) undesirable 
effects that are (at least initially) hidden or not obvious to the 
intended user(s) of the software.

This whole issue of the late-90s/early-00s attempt to redefine "Trojan" 
was hashed out here a month two back -- how quickly we forget...

Anyway, given the correct definition of Trojan Horse software, much 
spyware actually already falls under the definition of Trojan Horse 
software, not necessarily because of its outright design, but because a 
sizable chunk of its installations are deliberately surreptitious, with 
the presence and purpose of the software being kept from the user.  Of 
course, many of the makers of such spyware counter that their software 
is not supposed to be installed surreptitiously and that to the extent 
this happens with their software it is indicative of "bad affiliates" 
and not their own intentions.  This latter issue was, at least until 
recently, quite a sticking point for a lot of traditional antivirus 
developers detecting such wares, especially given the litigious nature 
of the US, where many of the spyware developers are based.

Spyware, on the other hand (a) *may* be installed via Trojan Horse means, but may
also be forcibly inserted on a system via a software vulnerability, or added
in via the above-mentioned plugin method by an already-present Trojan, and (b) is
software that monitors system activity (keystrokes, screen pixmaps, etc) in an
effort to acquire credentials or other sensitive information.

The ASC says "spyware and other potentially unwanted technologies" are:

   Technologies deployed without appropriate user consent and/or
   implemented in ways that impair user control over:

     * Material changes that affect their user experience, privacy, or
       system security;
     * Use of their system resources, including what programs are
       installed on their computers; and/or
     * Collection, use, and distribution of their personal or other
       sensitive information.

Not exactly rocket science, nor earth-shattering news to anyone here, I 
suspect, but I guess the hope is this "definition" will be used to 
inform various legal initiatives that are currently considering dealing 
with "the spyware problem"...


Nick FitzGerald

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]