On Thu, Oct 28, 1999 at 03:48:53PM -0400, Mullen, Patrick wrote:
> > It may or may not be a "trojan horse", but it is definitely a
> > trojan. (The Trojans hid in the horse, remember.) The thing gets
> > wrapped up with games and utilities and worms and other nasties which
> > allow it to be propagated to unsuspecting chumps who are stupid enough
> > to run active content they receive in the mail or off of insecure web
> > sites.
> Didn't you just prove yourself wrong? Back Orifice is not
> wrapped in any game or utility or anything other than
> social engineering. There may be versions out which are
> trojans where someone tacked it onto the end of another
> program, but in its original form all it (BO, anyway) does
> is delete the executable after installation.
So?
The script kiddies are using Cellophane to marry BO* / Netbus and
tools like it to arbitrary games and goodies and leaving them lying
around like cybermines to be picked up by the unwary. I know of at least
one university where an administrator has reported that BO infestations
have become epidemic because of Cellophane wrapped games carrying BO
payloads. You can't even trust games and cards you've seen before.
One day it may be a 100K silly card. The next time you run into it,
you may find an 800K surprise wrapped under the hood and acting just
like the original (as far as you can see). BO is designed just for
this purpose (integration into other vectors of propagation).
This is where the malicious nature of BO2K comes to the forefront.
Most cracker tools can be put to legitimate use somewhere, somehow.
Many legitimate administrative tools can be abused to break into systems.
What sets them apart is how they were originally designed and for what
purpose. BO is designed to be stealthy. It installs itself, has no
"install wizard" announcing the installation, and no user prompts at
installation or startup, and no icons, and no start-up splash screens.
It's designed to install itself and start itself up quietly, without the
operator or administrator being aware of its installation or its existence
after installation. It goes to significant effort to not be detected
during routine operation (barring security scans which are not routine
operation) above and beyond what a legitimate tool would be expected to do.
That's one of the fundamental differences that these things
can be judged on (but, by no means the only difference). Legitimate tools
announce their presence (hell - they're usually proud of announcing some
copyright or logo). Malicious tools try to hide their presence. What
use you CAN put the tool to is of less significance than the way they are
designed to work.
> Personally, I don't know what security term I would use
> on Back Orifice. It's not a trojan because its intent
> is clearly defined (except to the unsuspecting luser).
> Mayhaps it's simply a network administration tool for
> Windows which can be used for nefarious deeds.
One could just as easily argue that it is a trojan because
it is masquerading as something that it's not and its true intent
is not what it appears to be. While its technical functionality may
appear to be clear, it's still a tool for compromising the security of
systems masquerading as a legitimate administration tool. Its intent is
to compromise the security of the systems that it has stealthily infected
(through other vectors of propagation) while appearing to be a tool that
an administrator might have legitimately installed. The masquerading is
not that it's masquerading as a different utility, it's that it's masquerading
as having a legitimate purpose on the systems under attack. That meets my
definition of a trojan. This is a trojan on the "social engineering"
level. Not replacing a program with something else but making people
think that it's something honest when it's not.
> I'm just glad no one has said "It's not a trojan, it's
> a virus!!" ;-)
No, but it is being loaded as the toxic payload of virii and
trojans are being created by combining other games and executables with
BO2K under a Cellophane wrapper. All these copies of BO2K that are
cropping up are not some cheerful inDUHvidual thinking "I'm just
installing this neat tool for myself".
> ~Patrick
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]