[Full-disclosure] Re: Microsoft AntiSpyware falling further behind
Valdis.Kletnieks at vt.edu
Valdis.Kletnieks at vt.edu
Sun Oct 30 14:44:25 GMT 2005
On Sun, 30 Oct 2005 09:46:48 +1300, Nick FitzGerald said:
> This is a Johnny come lately perversion of the real meaning of Trojan
> Horse in reference to software. Trojan Horse, or simply Trojan,
> software has always meant, and still does to anyone with a vague hint
> of historical awareness, software that gets installed under the
> pretense of being something desirable or beneficial but that actually
> has deliberately (on the part of its designer/developer) undesirable
> effects that are (at least initially) hidden or not obvious to the
> intended user(s) of the software.
Which is particularly amusing, given that the Trojan Horse written about by Homer
was quite specifically a 'remote access Trojan' - a very small number of soldiers
were hidden inside to open the gates for the main forces. If anything, the
use of the term to mean "remote access Trojan" is getting back in line with the
*actual* historical meaning - uses of "Trojan" for non-remote-access back doors
were in fact not strictly historically correct...
You'll also notice that I *did* say:
> and (b) once there, gives the attacker a "back door" into the system, to
> do unspecified things (run commands, launch DDoS attacks, send spam, scan
> for other vulnerable software, upload plugins to extend the Trojan's functionality,
> or whatever).
So I *was*, in fact, covering the 0.001% of trojans in use today that aren't
strictly a remote-access variant. Meanwhile, the *old* name for what Nick
wants to call a 'Trojan Horse' was 'trap door' (see Karger&Schell's 1974 paper
on Multics security - in fact, section 22.214.171.124 of that paper discusses the
theoretical possibility of a 'compiler trap door', subsequently actually
implemented by Ken Thompson as discussed in his 1984 Turing Award Lecture "On
Interestingly enough, Ken calls his implementation a Trojan Horse:
"Figure 6 shows a simple modification to the compiler that will deliberately
miscompile source whenever a particular pattern is matched. If this were not
deliberate, it would be called a compiler "bug." Since it is deliberate, it
should be called a "Trojan horse.""
Additionally, he goes on:
"The final step is represented in Figure 7. This simply adds a second Trojan
horse to the one that already exists. The second pattern is aimed at the C
compiler. The replacement code is a Stage I self-reproducing program that
inserts both Trojan horses into the compiler. "
Notice that the second pattern is specifically *not* allowing any remote access,
but propogating the first pattern. Yet Thompson calls it a Trojan as well.
Forget it, Nick. You're fighting a battle already lost in 1984. ;)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051030/de46d628/attachment.bin
Full-Disclosure is hosted and sponsored by Secunia.