Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!killer!tness7!tness1!nuchat!sugar!karl
From: karl@sugar.UUCP (Karl Lehenbauer)
Newsgroups: news.admin
Subject: Re: Author's Reliability (was Re: Malicious Posting Worries...)
Summary: Binary analysis tools can't guarantee programs aren't trojan horses
Message-ID: <2274@sugar.UUCP>
Date: 8 Jul 88 23:02:01 GMT
References: <266@octopus.UUCP> <11518@agate.BERKELEY.EDU> <271@octopus.UUCP> <279@octopus.UUCP>
Organization: Sugar Land UNIX - Houston, TX
Lines: 23

In article <279@octopus.UUCP>, pete@octopus.UUCP (Pete Holzmann) writes:
> ...There are plenty of
> PC-based tools for binary analysis that can be quickly run over
> reasonable-sized programs (and slowly run over big programs). String
> searches, automatic disassemblers that produce comments for anything
> that touches the external environment (system memory, I/O ports,
> interrupts, system calls), etc. One of the nice things about having
> millions of hardware-compatible systems, is that we've got automatic
> tools to do what must be done by 'hand' in Unix.

Well, I assume automatic disassemblers blow off stuff they don't understand
and just .DATA it or whatever as binary data. It would be no problem for
a Trojan Horse to decrypt the portion of itself that actually trashes your
system when it has decided that the time is right. That way, string searches
and code that looks for anything that touches system memory, I/O ports,
interrupts, system calls, etc, will fail to locate the Trojan.

More clever variations can be envisioned in which the encrypted part, or
code that generates the code to do the trashing, etc, etc appears to be
something useful, or at least seems too complicated to bother to decipher.
-- 
-- uunet!sugar!karl
-- These may be the official opinions of Hackercorp -- I'll have to ask Peter.
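
Added example, not part of the original post: a Python sketch of the point argued above, showing a verbatim string search missing a marker once the region holding it is stored encoded, and a per-window byte-entropy check that still flags that region as opaque data worth a manual look. The sample bytes, the marker string, the SHA-256 keystream used to build the sample and the 6.5 bits/byte threshold are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter

def keystream(seed: bytes, n: int) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 over a counter); sample data only."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def entropy(chunk: bytes) -> float:
    """Shannon entropy of chunk in bits per byte (0.0 to 8.0)."""
    total = len(chunk)
    return -sum(c / total * math.log2(c / total) for c in Counter(chunk).values())

def opaque_regions(data: bytes, window: int = 256, threshold: float = 6.5):
    """Offsets of fixed-size windows whose entropy exceeds threshold."""
    return [off for off in range(0, len(data) - window + 1, window)
            if entropy(data[off:off + window]) > threshold]

def string_search(data: bytes, needles) -> list:
    """The naive check from the quoted article: which needles occur verbatim?"""
    return [n for n in needles if n in data]

# Constructed sample: readable filler around a 512-byte hidden region.
MARKER = b"ERASE ALL FILES"                       # constructed suspicious string
FILLER = (b"Usage: prog [options] file\r\n" * 20)[:512]
HIDDEN = ((MARKER + b" when the date matches. ") * 20)[:512]
ENCODED = bytes(a ^ b for a, b in zip(HIDDEN, keystream(b"constructed", 512)))

PLAIN_SAMPLE = FILLER + HIDDEN + FILLER    # marker stored in the clear
HIDDEN_SAMPLE = FILLER + ENCODED + FILLER  # same marker, stored encoded

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("encoded", HIDDEN_SAMPLE)):
        print(name, "strings:", string_search(sample, [MARKER]),
              "opaque windows at:", opaque_regions(sample))
```

A high-entropy window is only a reason to look closer: compressed data scores the same way, and the check says nothing about the disguised variants the post mentions at the end.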