Attitude Adjustment: Trojans and Malware on the Internet

Authors

  • Urs E. Gattiker
  • Pia Pedersen
  • Karsten Petersen
  • Sarah Gordon
Abstract

This paper continues our examination of Trojan horses on the Internet: their prevalence, technical structure and impact. It explores the type and scope of threats encountered on the Internet throughout history until today. It examines user attitudes and considers ways in which those attitudes can actively affect your organization's vulnerability to Trojanizations of various types. It discusses the status of hostile active content on the Internet, including threats from Java and ActiveX, and re-examines the impact of these types of threats to Internet users in the real world. Observations related to the role of the antivirus industry in solving the problem are considered. Throughout the paper, technical and policy based strategies for minimizing the risk of damage from various types of Trojan horses on the Internet are presented. This paper represents an update and summary of our research from "Where There's Smoke There's Mirrors: The Truth About Trojan Horses on the Internet", presented at the Eighth International Virus Bulletin Conference in Munich, Germany, October 1998, and "Attitude Adjustment: Trojans and Malware on the Internet", presented at the European Institute for Computer Antivirus Research in Aalborg, Denmark, March 1999. Significant portions of those works are included here in original form.

Descriptors: fidonet, internet, password stealing trojan, trojanized system, trojanized application, user behavior, java, activex, security policy, trojan horse, computer virus

Trojans On the Internet...

Ever since the city of Troy was sacked by way of the apparently innocuous but ultimately deadly Trojan horse, the term has been used to talk about something that appears to be beneficial, but which hides an attack within. In the remainder of this paper, we will talk about "Trojan horses" (or just "Trojans") of a digital type: Trojan horse computer programs which some users are encountering on the Internet today. These Trojan horses are let into organizations, and their hidden behaviours come out of the bellies of programs when least expected, in some cases vanquishing your data! In this paper, we will continue to examine ways you can minimize your vulnerabilities to the Trojan horses of today. Finally, we will discuss how one's preconceived attitude towards Trojan horses can significantly affect one's ability to protect an environment from the potential threat, and provide a sociological as well as technical path toward reducing the risk posed by Trojan horses.

Historical Perspective

Despite the common usage of the term Trojan horse, a good working definition of the term remains somewhat elusive. Thus, we shall offer several operational definitions of "Trojan horse", taken from a historical perspective, before discussing some of the limitations of these definitions. In "Reflections on Trusting Trust", Ken Thompson discusses early (pre-1984) academic experiences writing self-reproducing programs and explores the possibilities of Trojan horses [1]. His examination of the functionality of a C compiler that contains instructions to deliberately miscompile code when a certain input pattern is matched illustrates how using any untrusted code can compromise a computing process. The types of academic exercises portrayed by Thompson illustrate the types of Trojans that were created as academic challenges in the late 70's and early 80's. As these exercises were taking place in universities, users outside academic environments were beginning to see the impact of untrusted code. As an example, discretionary access control mechanisms restrict access to objects based solely on the identity of subjects who are trying to access them. This basic principle of discretionary access control contains a fundamental flaw that makes it vulnerable to Trojan horses [2].

Trojan horse: A computer program with an apparently or actually useful function that contains additional (hidden) functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of security. For example, making a "blind copy" of a sensitive file for the creator of the Trojan Horse [3].

At a professional meeting last week, we had a presentation by a university data center manager on a Trojan Horse attack which had shut down his operation [4].

However, even these problems were limited due to the fact that connectivity during these early days was still basically limited to academic and government subsets of the population. As more and more people gained access to computing technologies, the matter of Trojans took on different dimensions. We will explore these changes in connectivity and the evolution of Trojans in the following sections, beginning with an examination of FidoNet and The Dirty Dozen.

FidoNet and The Dirty Dozen

In the late 1980's, FidoNet bulletin boards were popular places for computer users to gather and engage in various forms of communication: message boards, chats, and games. These bulletin boards comprised the FidoNet network. Programs were made available from the individual systems for download. As users downloaded programs, they sometimes obtained programs that claimed (according to the documentation either on the BBS or accompanying the program) to do one thing, but which actually did another. Most often, the thing they did was something the user did not want them to do. Sometimes these programs were widely circulated. Someone came up with the idea that it might be a good idea to document the existence of these harmful programs and warn other FidoNet Sysops (the BBS operators) about the files so they could be removed, and to warn users about the existence and location of such Trojan horses. Out of this need and idea, The Dirty Dozen was born.

The Dirty Dozen is a list that was established to provide warnings about the most common Trojans and logic bombs. A Trojan was defined by the creators of the list thusly:

*TROJAN* (T) These programs PURPOSEFULLY damage a user's system upon their invocation. They almost always shoot to disable hard disks, although they can, in rare cases, destroy other equipment too. There are many ways that a TROJAN can disable your hard disk. [5]

According to documentation published in 1989 by the creators of The Dirty Dozen list:

Recently bulletin board download directories have exploded with an ever-increasing number of unlawfully modified, illegally copied, and altogether deceptive programs. The Dirty Dozen lists known examples. SysOps: Please be careful when posting files in your download libraries! A professional quality program should arouse your suspicions, particularly if it doesn't include the author's name, address, and distribution policy. The BBS community is under legislative threat at the State and Federal level. We cannot fight this threat effectively while our directories sit stocked viruses, trojan horses, and cracked commercial games! Let's demonstrate a little social responsibility by cleaning up our download libraries. [6]

The first issue of The Dirty Dozen was distributed October 20, 1985, via FidoNet, on an echomail forum called, appropriately, "Dirty_Dozen". It contained a list of 12 "bad files", identified by filename [7]. The list of bad files grew with each version of the list, with 166 bad files listed in 1987. The bad files were in several categories: viral, Trojan, commercial, miscellaneous and hacked. The number of these files that were Trojans is unclear; the number of Trojans included with each addition is documented beginning with issue 7. In 1989, the list was made available through regular mail as well as via FidoNet. For $10.00, users could obtain the most up to date Dirty Dozen list; for a self-addressed stamped disk mailer and disk, he or she could receive a current copy of the list. The January 23, 1989 issue of The Dirty Dozen listed 63 programs which were Trojans; here is an example listing, given as a filename, a description of what the program is supposed to do, followed by what the program actually does [8]:


Similar resources

Applications of Genetic Algorithms to Malware Detection and Creation

This paper explores the application of genetic algorithms to a real-life issue, specifically malware. Malware, or “malicious” software such as viruses, worms, Trojans, denial-of-service tools, etc., is becoming an increasingly major issue. As more and more people use the Internet for services such as banking or bill-paying and companies becoming increasingly dependent on Internet communication,...


The impact of Microsoft Windows infection vectors on IP network traffic patterns and costs

This paper describes a set of tools and techniques to capture and analyse virus-generated IP network traffic. We analyse seven viruses, worms, trojans and spyware that are common in Microsoft Windows environments. We log and analyse the IP traffic generated in the roughly 2 hours after each infection. Based on the resulting IP traffic patterns we estimate the likely financial impact of having a...


Modeling the Propagation of Trojan Malware in Online Social Networks

The popularity and widespread usage of online social networks (OSN) have attracted cyber criminals who have used OSNs as a platform to spread malware. Among different types of malware in OSNs, Trojan is the most popular type with hundreds of attacks on OSN users in the past few years. Trojans infecting a user’s computer have the ability to steal confidential information, install ransomware and ...


Malware Detection and Removal Techniques

Malwares are malignant softwares. It is designed to damage computer systems without the knowledge of the owner using the system. Softwares from reputable vendors also contain malicious code that affects the system or leaks informations to remote servers. Malwares includes computer viruses, Worms, spyware, dishonest ad-ware, rootkits, Trojans, dialers etc. Malware is one of the most serious secu...


Malware in Hardware Infrastructure Components

Malicious hardware is a fairly new research topic that has attracted the interest of the scientific community. Therefore, numerous approaches have been proposed in the last years to counter the threat of so-called hardware Trojans. This chapter describes malicious hardware in the context of the security of hardware infrastructure components. Network infrastructure plays a vital role in our ever...



Publication date: 1999