Hi,

> Well ... yes and no.  The thing is, _any_ trojan relies on "social
> engineering" to convince victims to run it, and setting aside for 
> a moment the question of whether "Internet idiot" is an appropriate
> term for someone merely naive as opposed to dense, sometimes that
> social engineering can be quite clever.

there are far more subtle ways of doing it than relying on social
engineering, and they are part of the standard toolbox of every
programmer. Instead of hiding inside something that the user executes
directly and explicitly it is more effective to hide inside something
that the software executes, such as a DLL in Windows.

It's a trick that is used everywhere. I first used it back in the
early 80s when I was writing machine code on ICL mainframes. The same
techniques apply to every environment I've seen since that uses
dynamic linking rather than static compile-time linking (or
consolidation, as we knew it).

You write a subroutine and give it the same name and interface as one
that's well-known and commonly used. At link time the linker/loader searches
a list of libraries for the named subroutine. If you've put yours
earlier than the original in the library search sequence then the system
will link your subroutine rather than the original. Depending on the
search algorithm and whether or not you've statically linked the
original in yours, your subroutine can then call the original to carry
out the expected task as normal, and subsequently do its own dirty
work.

In DOS we used to do it by intercepting interrupts. There are many,
many perfectly valid reasons for doing it. In the days when I was a
full-time programmer we often talked about how easy it would be to do
nefarious stuff, and one guy I worked with was prosecuted because
something he'd been mucking around with in the test environment at his
previous company was inadvertently released into production after he'd
left the company, and brought down every terminal in every branch of a
national bank. He had to work in Saudi Arabia for 2 years to earn
enough to pay back the loan he'd taken out to pay the fine. Personally
I'd have prosecuted the release management team, not the programmer.

-- 
Cheers,
 Bob
