mailing list archives
Re: Re: Microsoft AntiSpyware falling further behind
From: Valdis.Kletnieks () vt edu
Date: Sun, 30 Oct 2005 09:44:25 -0500
On Sun, 30 Oct 2005 09:46:48 +1300, Nick FitzGerald said:
This is a Johnny come lately perversion of the real meaning of Trojan
Horse in reference to software. Trojan Horse, or simply Trojan,
software has always meant, and still does to anyone with a vague hint
of historical awareness, software that gets installed under the
pretense of being something desirable or beneficial but that actually
has deliberately (on the part of its designer/developer) undesirable
effects that are (at least initially) hidden or not obvious to the
intended user(s) of the software.
Which is particularly amusing, given that the Trojan Horse written about by Homer
was quite specifically a 'remote access Trojan' - a very small number of soldiers
were hidden inside to open the gates for the main forces. If anything, the
use of the term to mean "remote access Trojan" is getting back in line with the
*actual* historical meaning - uses of "Trojan" for non-remote-access back doors
were in fact not strictly historically correct...
You'll also notice that I *did* say:
and (b) once there, gives the attacker a "back door" into the system, to
do unspecified things (run commands, launch DDoS attacks, send spam, scan
for other vulnerable software, upload plugins to extend the Trojan's functionality,
So I *was*, in fact, covering the 0.001% of trojans in use today that aren't
strictly a remote-access variant. Meanwhile, the *old* name for what Nick
wants to call a 'Trojan Horse' was 'trap door' (see Karger&Schell's 1974 paper
on Multics security - in fact, section 126.96.36.199 of that paper discusses the
theoretical possibility of a 'compiler trap door', subsequently actually
implemented by Ken Thompson as discussed in his 1984 Turing Award Lecture "On
Interestingly enough, Ken calls his implementation a Trojan Horse:
"Figure 6 shows a simple modification to the compiler that will deliberately
miscompile source whenever a particular pattern is matched. If this were not
deliberate, it would be called a compiler "bug." Since it is deliberate, it
should be called a "Trojan horse.""
Additionally, he goes on:
"The final step is represented in Figure 7. This simply adds a second Trojan
horse to the one that already exists. The second pattern is aimed at the C
compiler. The replacement code is a Stage I self-reproducing program that
inserts both Trojan horses into the compiler. "
Notice that the second pattern is specifically *not* allowing any remote access,
but propogating the first pattern. Yet Thompson calls it a Trojan as well.
Forget it, Nick. You're fighting a battle already lost in 1984. ;)
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/