Path: utzoo!yetti!spectrix!clewis
From: clewis@spectrix.UUCP (Chris Lewis)
Newsgroups: comp.misc
Subject: Re: Trojan Horse a Myth?
Message-ID: <337@spectrix.UUCP>
Date: 11 Dec 87 19:08:37 GMT
Article-I.D.: spectrix.337
Posted: Fri Dec 11 14:08:37 1987
References: <459@gtx.com> <2393@killer.UUCP>
Reply-To: clewis@spectrix.UUCP (Chris Lewis)
Organization: Spectrix Microsystems Inc., Toronto, Ontario, Canada
Lines: 64

In article <2393@killer.UUCP> jfh@killer.UUCP (The Beach Bum) writes:
>In article <459@gtx.com>, al@gtx.com (0732) writes:
>> I just read a newspaper article ...
>> in which "Jan Harold Brunvand, University of Utah Professor of folklore
>> and author of three books about urban legends" dismisses the "Trojan Horse"
>> computer program as an "Urban Myth".  He says "I think there probably have been
>> some programs like that cooked up, but I can find no evidence that it's
>> actually been done, and it isn't as though it couldn't be detected and
>> destroyed."
>> It seems to me that the Professor is being quite naive.  We all know

You're not kidding.

>First to say, Trojan Horses are much easier under Unix than other operating
>systems I have used, but this experience isn't from Unix, it's a Vax/VMS
>story....

A minor quibble - have you ever used PC/MSDOS?  It's very simple to
break security on these machines because there ain't none.  Many BBS's
catering to this market have accidentally acquired Trojans and redistributed
them to unsuspecting users.  The problem has become so severe that the BBS
sysops have to examine as much of the stuff as they can.  There are programs
written which will attempt to determine whether a program is a Trojan
(by tracing system calls etc.) but they aren't foolproof.  I've seen
many messages on PC BBS's saying "WARNING: if you've downloaded 'X', purge
it FAST!".  At least in this world the person who gets stung *usually*
explicitly knows he's importing code into his machine, and can usually
point fingers in the right way after getting blown.

MSDOS is particularly susceptible to Trojans because: there's no
security, most programs that are traded are binaries rather than sources,
and it's real easy to diddle hardware directly.  Fortunately fewer
people are affected.  At least in UNIX the person triggering the Trojan
(root) is likely to be able to know enough to recover.

Another minor quibble: according to the definition of "Trojan horse"
(a program "trusted" by a user which does something additional), I wouldn't
call "password snatching" or hoping that root has "." in his path a "Trojan".
They're "traps".  In the MSDOS world, Trojans quite frequently take the form
of a new program the user acquires from somewhere that purports to do
something he wants.  Then he finds that not only does it do that, but it
does other things (eg: reformat hard disk).

A couple of issues back in comp.risks (oops, we expire it faster'n I thought!)
there is a personal account of a particularly hideous MSDOS trojan.
Appears that somehow somebody munged a copy of DOS to: copy the modifications
without the user knowing it to every DOS bootable floppy that the DOS
comes in contact with, and after the fourth generation (not quite sure of
the precise semantics here), zap the hard disk so badly that no utility
can recover.  Started out as a Trojan and turned into a virus.  And,
it's apparently spreading...  Could some UNIX fanatic be trying to kill
off all MSDOS machines?  (It's about time! ;-).  Don't quote me on this,
quote the article directly if you can find it.

BTW: I've noticed a lot of comments from people encountering/making
password snatchers making me think that it's a lot more prevalent than
I thought.  Then again, it's almost impossible for ANY interactive computer
system that uses traditional "userid" and "password" protection to prevent.
Trivial on almost any OS I've ever used (MVS/TSO, VM/CMS, VMS, UNIX, etc.).
-- 
Chris Lewis, Spectrix Microsystems Inc,
UUCP: {uunet!mnetor, utcsri!utzoo, lsuc}!spectrix!clewis
[Also: lsuc!clewis in a pinch]
Phone: (416)-474-1955
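The "root has '.' in his path" trap the post mentions is a PATH-search problem: a command planted in a directory that ordinary users can write to gets run in place of the real one. The following POSIX shell audit is an added example, not code from the post or its author; the function name `audit_path` and its messages are this example's own, and it goes one step beyond the post by also flagging world-writable absolute entries, which set up the same trap.

```shell
#!/bin/sh
# audit_path: flag PATH entries that let a user-writable directory shadow
# system commands (root with "." in PATH runs a planted ./ls, not /bin/ls).
# Added example; audit_path and its messages are this example's own names.
# Usage: audit_path [PATH-string]   (defaults to $PATH)
# Prints one line per finding; returns 0 if clean, 1 if anything was flagged.
audit_path() {
    path="${1-$PATH}"
    findings=0
    rest="$path:"                  # trailing ":" so the loop sees the last entry
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"        # text before the first ":"
        rest="${rest#*:}"          # drop that text and the ":"
        case "$entry" in
            "")
                # "::", or a leading/trailing ":", is an empty entry, which the
                # shell treats as the current directory: the same as "."
                echo "empty entry (means current directory)"
                findings=$((findings + 1)) ;;
            .|./*)
                echo "current-directory entry: $entry"
                findings=$((findings + 1)) ;;
            /*)
                # Generalisation beyond the post: an absolute directory that is
                # world-writable is the same trap, since anyone can plant a
                # command there. -H follows a symlinked entry; -prune stops descent.
                if [ -d "$entry" ] &&
                   [ -n "$(find -H "$entry" -prune -perm -o+w -print 2>/dev/null)" ]; then
                    echo "world-writable directory: $entry"
                    findings=$((findings + 1))
                fi ;;
            *)
                # any other relative entry ("bin", "../tools") is resolved
                # against the current directory, so it is the same trap
                echo "relative entry: $entry"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}
```

Run it as the account whose PATH you care about (for the post's case, root); a clean PATH prints nothing and returns 0.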