Path: utzoo!utgpu!water!watmath!clyde!burl!codas!killer!jfh
From: jfh@killer.UUCP (The Beach Bum)
Newsgroups: comp.misc
Subject: Re: Trojan Horse a Myth?
Summary: Have a first hand account ...
Message-ID: <2393@killer.UUCP>
Date: 9 Dec 87 22:04:48 GMT
References: <459@gtx.com>
Organization: Big "D" Home for Wayward Hackers
Lines: 81

In article <459@gtx.com>, al@gtx.com (0732) writes:
> I just read a newspaper article by Clarence Peterson of the Chicago Tribune
> in which "Jan Harold Brunvand, University of Utah Professor of folklore
> and author of three books about urban legends" dismisses the "Trojan Horse"
> computer program as an "Urban Myth".  He says "I think there probably have been
> some programs like that cooked up, but I can find no evidence that it's
> actually been done, and it isn't as though it couldn't be detected and
> destroyed."
> 
> 
> It seems to me that the Professor is being quite naive.  We all know
> how easy it would be to create a Trojan Horse Program, and even, with a
> little more difficulty, make it infect the user's system in subtle
> ways.  As for the question, "has anyone actually been hurt by one of
> these?", I only know third-hand accounts.  Can anyone relate a
> first-hand account of damage done to his/her system by a malicious
> Trojan Horse?
> 
>    | Alan Filipski, GTX Corp, 2501 W. Dunlap, Phoenix, Arizona 85021, USA |

First to say, Trojan Horses are much easier under Unix than other operating
systems I have used, but this experience isn't from Unix, it's a Vax/VMS
story.  I was actually involved in this experience, although initially as
a victim, and later when I found out what was going on, I let my sophomorish
attitudes (I was a sophomore, what more can I say ;-) get me in trouble.

I write this because Trojan Horses are _EASY_ to write, and even easier to
be fooled by.  What I did was wrong.  I am not advocating doing this to your
local computer system.  Please don't, it can wreak havoc.

When The University of New Orleans bought its first Vax-11/780, a guy from
California was involved in the initial set-up.  He had been a system manager
on a Vax someplace else and had learned how to abuse VMS.  At first he just
had an account with operator's privileges, and later he wrote a little
program to act like login and steal passwords.  (side note: The system had
the Unix-like toolbox on it and this was blamed for the original security
breach.  This toolkit wasn't the problem, the guy that set up the system was.
This is the true story, whether Sal Tillis (hi Sal) wants to believe it or
not.  The other things I did to their Vax are a whole different matter ;-)
accept it or not ...)

This guy wrote a little .COM file (that's .BAT to the DOS world) which
displayed a faked logout message when he logged out.  Then started the
trojan horse part.  It prompted for a login name with
$ INQUIRE/NOPUNCTUATION 'Username: ' $username
to read in the victim's user name.  This was followed by
$ SET TERMINAL/NOECHO ( or something like that - it's been 6 or 7 years)
$ INQUIRE/NOPUNCTUATION 'Password: ' $password
The results were written into a file of his.  He repeated the username/
password commands 3 times to ensure the user typed the password correctly.
After each prompt the system gave a real looking error message.  When he
was done, he set the baud rate on the terminal to something other than
what it should be and logged out.

This thing looked quite real.  The only way to tell the difference was to
type a ^Z at it and look at the error message.  It trapped ^C and ^Y as
it should, but ^Z was being handled by RMS, not the program, and RMS didn't
give the same message LOGINOUT (or whatever) gave.

He got several dozen users' account names and such and did cause some grief.
After my homework was ruined by his little ploy (like I said in the beginning,
I got bit) I got pissed off and managed to wreak a bit more havoc before
the System Manager (hi Sal) got disgusted with the lot of us and pitched
us from the machine.

As I said earlier, don't go screwing with people's computers.  It isn't fun
getting canned from your University's system and trying to get a degree
at the same time.  It can really screw up getting your first few jobs also.
And if you are a system manager, my best advice is pay attention to the
weird complaints you get about terminals and such acting strange.  Anyone
wanting more information can write me or if you can find Sal Tillis
hanging around the DECUS group, you can ask him.  Professor What's-His-Face
should keep his mouth shut and stick to teaching basket weaving for all the
good he is doing.

- John.
-- 
John F. Haugh II                  SNAIL:  HECI Exploration Co. Inc.
UUCP: ...!ihnp4!killer!jfh                11910 Greenville Ave, Suite 600
      ...!ihnp4!killer!rpp386!jfh         Dallas, TX. 75243
"Don't Have an Oil Well?  Then Buy One!"  (214) 231-0993