Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Microsoft AntiSpyware falling further behind
From: Valdis.Kletnieks () vt edu
Date: Sun, 30 Oct 2005 09:44:25 -0500

On Sun, 30 Oct 2005 09:46:48 +1300, Nick FitzGerald said:

This is a Johnny come lately perversion of the real meaning of Trojan 
Horse in reference to software.  Trojan Horse, or simply Trojan, 
software has always meant, and still does to anyone with a vague hint 
of historical awareness, software that gets installed under the 
pretense of being something desirable or beneficial but that actually 
has deliberately (on the part of its designer/developer) undesirable 
effects that are (at least initially) hidden or not obvious to the 
intended user(s) of the software.

Which is particularly amusing, given that the Trojan Horse written about by Homer
was quite specifically a 'remote access Trojan' - a very small number of soldiers
were hidden inside to open the gates for the main forces.  If anything, the
use of the term to mean "remote access Trojan" is getting back in line with the
*actual* historical meaning - uses of "Trojan" for non-remote-access back doors
were in fact not strictly historically correct...

You'll also notice that I *did* say:

and (b) once there, gives the attacker a "back door" into the system, to
do unspecified things (run commands, launch DDoS attacks, send spam, scan
for other vulnerable software, upload plugins to extend the Trojan's functionality,
or whatever).

So I *was*, in fact, covering the 0.001% of trojans in use today that aren't
strictly a remote-access variant.  Meanwhile, the *old* name for what Nick
wants to call a 'Trojan Horse' was 'trap door' (see Karger&Schell's 1974 paper
on Multics security - in fact, section of that paper discusses the
theoretical possibility of a 'compiler trap door', subsequently actually
implemented by Ken Thompson as discussed in his 1984  Turing Award Lecture "On
Trusting Trust".

Interestingly enough, Ken calls his implementation a Trojan Horse:

  "Figure 6 shows a simple modification to the compiler that will deliberately
  miscompile source whenever a particular pattern is matched. If this were not
  deliberate, it would be called a compiler "bug." Since it is deliberate, it
  should be called a "Trojan horse.""

Additionally, he goes on:

  "The final step is represented in Figure 7. This simply adds a second Trojan
  horse to the one that already exists. The second pattern is aimed at the C
  compiler. The replacement code is a Stage I self-reproducing program that
  inserts both Trojan horses into the compiler. "

Notice that the second pattern is specifically *not* allowing any remote access,
but propogating the first pattern.  Yet Thompson calls it a Trojan as well.

Forget it, Nick.  You're fighting a battle already lost in 1984. ;)

Attachment: _bin

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]