Re: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

2005-08-12 Thread Jason Coombs
J.A. Terranson wrote:
> SANS is a for profit corp.,
> and was run as such even when
> they were playing possum as a
> non-profit.
> They are *not* a disinterested
> third party any more than the
> anti-virus firms are - and not
> many people would use *them*
> as an authoritative reference

To drive this point home, Newton's Telecom 'Dictionary' has some amazingly bad 
'definitions' -- for example, the definition of 'multimedia' includes data that 
is transmitted or viewed by way of a fax machine.

http://www.harrynewton.com/

Newton's 'definition' of 'Internet' starts out with a first-person narrative on 
how difficult it is to define the Internet. Pure crap.

Anyone who puts effort into writing a book should be encouraged to publish it, 
but publishers (and readers) should care a little about commercial misuse of 
labels like 'dictionary' when the definitions have only a single biased author.

There are some very impressive collaborative, community-developed computer 
dictionaries and encyclopedias. They do a nice job most of the time, because 
they are constantly peer-reviewed and corrected.

Anyone presumptuous enough to arbitrarily define technical terms without 
considerable careful thought and then publish the arbitrary text and call it a 
'dictionary' should be shot.

Regards,

Jason Coombs
[EMAIL PROTECTED]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

2005-08-12 Thread Steve Friedl
On Sat, Aug 13, 2005 at 04:49:45AM +, Jason Coombs wrote:
> Anyone presumptuous enough to arbitrarily define technical terms without
> considerable careful thought and then publish the arbitrary text and call
> it a 'dictionary' should be shot.

Might it not be a bit more tolerant of other views to simply
not buy his book ?

--- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | [EMAIL PROTECTED]


Re: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

2005-08-11 Thread ASB
Hey Jason, you really have to make up your mind about whether the old definition is archaic and thus obsolete, or if we should be using the original definition from Homer. You can't keep flopping back and forth like you're running for a major political office.


A trojan is well-understood (by everyone else) to be software that pretends to have some useful, noble or benign purpose, but carries with it some other malignant function. It is one of the most frequently used vehicles for backdoors, but in and of itself, a Trojan is not necessarily a Backdoor.


Just because the mainstream media misuses malware terms such as virus, worm, and trojan doesn't mean we have to sit playing semantics on a 50-post thread -- alternating between understood and original meanings. Your posts have been even more ironic given the thread title you used, and your original complaint.



-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 8/10/05, Jason Coombs [EMAIL PROTECTED] wrote:
> Chuck Fullerton wrote:
> > A Trojan horse is a program that appears to have some useful or benign
> > purpose, but really masks some hidden malicious functionality. A Backdoor
> > is a program that allows attackers to bypass normal security controls on a
> > system, gaining access on the attacker's own terms.
>
> Here's an example of a completely flawed explanation of the origin of the
> term. The definition given claims that the warriors emerged from the horse
> and only those warriors overran the city. Obviously that isn't what
> happened in the Iliad, the Trojan Horse was used to get further access for
> other warriors. Furthermore, "overran the city" means of course that the
> Trojan Horse was used for the purpose of gaining control of the city,
> regardless of which warriors accomplished the objective.
>
> Most (but not all) of you are suggesting that the only thing that matters
> is what the definitions say, and that's not the right way to look at this
> issue. A program that does something malicious when used is not a Trojan
> unless its malicious purpose fits with the story of the Trojan Horse as it
> is understood by non-computer people. This is why we don't call spyware
> Trojans any longer -- a distinction has been drawn, and that distinction
> has overrun the past usage of the term.
>
> http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213221,00.html
>
> In computers, a Trojan horse is a program in which malicious or harmful
> code is contained inside apparently harmless programming or data in such a
> way that it can get control and do its chosen form of damage, such as
> ruining the file allocation table on your hard disk. In one celebrated
> case, a Trojan horse was a program that was supposed to find and destroy
> computer viruses. A Trojan horse may be widely redistributed as part of a
> computer virus.
>
> The term comes from Greek mythology about the Trojan War, as told in the
> Aeneid by Virgil and mentioned in the Odyssey by Homer. According to
> legend, the Greeks presented the citizens of Troy with a large wooden horse
> in which they had secretly hidden their warriors. During the night, the
> warriors emerged from the wooden horse and overran the city.


Re: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

2005-08-11 Thread Brian Anderson

How many of you are lawyers?

Back to what seemed to be the original point:

Data on a drive is just data, unless you can prove how it was created.  And 
generally the data in question can't prove itself, external factors have to be 
considered.

--
Brian L. Anderson
Darton College
Office of Information Technology
bla at darton.edu


Re: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

2005-08-11 Thread J.A. Terranson

On Wed, 10 Aug 2005, Jason Coombs wrote:

> Chuck Fullerton wrote:
> > A Trojan horse is a program that appears to have some useful or benign
> > purpose, but really masks some hidden malicious functionality.
> >
> > A Backdoor is a program that allows attackers to bypass normal security
> > controls on a system, gaining access on the attacker's own terms.
>
> Here's an example of a completely flawed explanation of the origin of
> the term.

<snip>

> Most (but not all) of you are suggesting that the only thing that
> matters is what the definitions say, and that's not the right way to
> look at this issue.

Jason, we're friends (I think), and I generally respect your opinions, but
if you were on the other side of the aisle with this tripe I'd roast you
in front of the Judge (yes folks, most of these cases are heard in front
of Judges, not Juries).

The simple fact of the matter is that what matters *IS* the definition,
and you full well know it.  What happened here is you slipped and fell,
and rather than admitting it you're crying foul - shame on you!  You
slipped - brush yourself off before you tarnish that sterling reputation
of yours and move on.  Oh, and *admit* when you're wrong: it works wonders
for your credibility - even in front of Judges and Juries ;-)

//Alif

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF


I like the idea of belief in drug-prohibition as a religion in that it is
a strongly held belief based on grossly insufficient evidence and
bolstered by faith born of intuitions flowing from the very beliefs they
are intended to support.

don zweig, M.D.



Re: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

2005-08-11 Thread Nick FitzGerald
Jason Coombs to J.A. Terranson:

> > The simple fact of the matter is that
> > what matters *IS* the definition,
> > and you full well know it.  What
> > happened here is you slipped and
> > fell, and rather than admitting it
> > you're crying foul - shame on you!
>
> I didn't disagree that the broader definition of Trojan was
> completely unknown to me. How did I miss it? Was it me who slipped
> and fell, because I was being careless, or is there more to the
> story... This was and is a good question.

It may seem like a good question to you, but to anyone who has been 
around for more than a couple of years, it is an utterly dull question 
with a terribly obvious answer...

> In my entire life I have not encountered a real-world use of the
> term Trojan where the software at issue did not grant remote access
> to an attacker after the Trojan infection occurred.

Then you simply have not been around long enough _for your opinion to 
matter_.

As others have already explained, there was a time when "Trojan" was 
used but could not mean or imply "allows unauthorized access" because 
the vast bulk of machines that could be victims to the (common) Trojan 
Horse programs of those days were not (and, generally COULD NOT BE) 
networked.  Look up the "dirty dozen" list -- I'm sure you'll find a 
few old copies of it archived around the net.  It was jam-packed full 
of things that claimed to be the newest, or 
cracked-so-no-registration-required-yet-full-function, versions of all 
manner of (then) popular software, and otherwise useful-sounding gizmos, 
but which are described in the DD list in terms of "formats your hard 
drive" and similar data-destruction payloads.

> Now we use other terms like spyware to classify what I have recently
> learned used to be called Trojans.

No.  Simple data-trashing Trojans are not spyware and still exist.

Even more controversially, it can be argued that a great deal of 
so-called spyware does not and never did meet the classic definition of 
"Trojan Horse program" (that's not to say that all spyware is not 
Trojanic, but there is certainly some that is not).  Much as I am not 
an apologist for the great swathes of scumware that fall into this 
category, there is clearly some spyware that does not hide its 
true purpose.  True, most typical users are far too lazy and stupid 
to read the full documentation and EULA of most software they ever 
install, and just click the OK/Next/etc buttons, BUT abject laziness on 
the part of end-users does not turn honest spyware into a trojan any 
more than your laziness and lack of historical knowledge makes "Trojan" 
a term that necessarily means something like "software that allows 
unauthorized access to the host computer".

> My conclusion is that I slipped and fell because the definition has
> changed and computer dictionaries haven't caught up yet.

No, the definition never changed, at least not amongst computer 
security professionals.

Vulgar, common usage may have changed, in that vulgar, common users 
started using the term "Trojan" to describe some class(es) of 
software where they previously used no special words or terms for those 
classes of software, but that does not mean that the technical meaning 
of the term, as used by astute comp-sec professionals, changed at all.

You seem to love looking things up in dictionaries (or at least, 
quoting the ones you looked up that provide a definition that matches 
your personally warped and weirdly biased view of this issue), but you 
have missed a VERY IMPORTANT point about words and dictionaries.  Words 
often have multiple meanings (or shades and connotations of related 
meanings) _at the same point in history_ but among different groups and 
specialities.  If you look at all closely, you will find common words 
listed in dictionaries with odd meanings attributed to them, BUT 
these will be noted as "Engr.", or "Astr." or "Med.", etc, etc.  That 
simply means that that odd, possibly highly specialized meaning is 
peculiarly used, if not limited to, Engineers, or Astronomers or 
members of the medical profession, etc, etc.

Bearing that in mind, as this is a list (presumably) mainly of interest 
to computer security professionals, please don't consider it odd or 
unusual of us to use our own special words and terms in their own 
special way here.  As it is now apparent that you did not know the 
comp-sec meaning of "Trojan", please now just shut the f*ck up and sit 
quietly down the back until you have learned enough to participate like 
a grown up comp-sec person...

<snip drivel>
> We're all familiar with, and have experienced, the broadening of the
> meaning of familiar terminology. However, the narrowing of the
> meaning of familiar terminology can and does also occur. I conclude,
> and it is my opinion, that just such a narrowing has occurred and is
> occurring with respect to Trojan as the term is applied and used in
> computing.

Such narrowing is not occurring in informed, technical comp-sec 
circles.  You are 

RE: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

2005-08-10 Thread hummer



Can we agree that in the world of computer security the Trojan horse is a 
malicious program disguised as legitimate software and let it go at that?

Thanks


Hummer Marchand, GCIH, CISSP, CompTIA Security+


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donald J. Ankney
Sent: Wednesday, August 10, 2005 5:20 PM
To: [EMAIL PROTECTED]
Cc: Full-Disclosure; Thierry Zoller
Subject: Re: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

Wikipedia:

In the context of computer software, a Trojan horse is a malicious program 
that is disguised as legitimate software. The term is derived from the 
classical myth of the Trojan horse. In the siege of Troy, the Greeks left a 
large wooden horse outside the city. The Trojans were convinced that it was a 
gift, and moved the horse to a place within the city walls. It turned out 
that the horse was hollow, containing Greek soldiers who opened the city 
gates of Troy at night, making it possible for the Greek army to pillage the 
city. Trojan horse programs work in a similar way: they may look useful or 
interesting (or at the very least harmless) to an unsuspecting user, but are 
actually harmful when executed.

http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29

Your definition is just a subset of the standard, broader one.

On Aug 10, 2005, at 3:43 PM, Jason Coombs wrote:

> [EMAIL PROTECTED] wrote:
> > On Thu, Aug 11, 2005 at 12:26:23AM +0200, Thierry Zoller wrote:
> > > The industry definition is perfectly within Homer's definition of a
> > > Trojan horse.
> >
> > JC> http://classics.mit.edu/Homer/iliad.html
> >
> > When I read Homer, it was a Greek horse.
>
> The horse became the property of the Trojans before it launched its
> hidden attack, but your point is interesting as well.
>
> There are other terms used to describe malware disguised as something
> else that has hidden capability to cause damage. Logic bomb, for example.
>
> I'll do some more work on this and see where it leads. The proposal of
> "backdoor" as the better term just doesn't work, since a backdoor is a
> hidden mechanism for gaining entry or control of a system that is built
> into the system by its creator or some other involved party. An intruder
> may open up a backdoor in a system by altering its programming rather
> than by planting a Trojan, so there needs to be a distinction between
> the two.
>
> Cheers,
>
> Jason Coombs
> [EMAIL PROTECTED]

RE: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

2005-08-10 Thread Chuck Fullerton
To Quote Ed Skoudis' Malware: Fighting Malicious Code

A Trojan horse is a program that appears to have some useful or benign
purpose, but really masks some hidden malicious functionality.

A Backdoor is a program that allows attackers to bypass normal security
controls on a system, gaining access on the attacker's own terms. 

What this means is that many times they are found together but a Trojan is
not necessarily a backdoor and a backdoor is not necessarily a trojan.

In the case Jason was saying the Trojan was forcing the use of the Backdoor.

Does this clear it up at all?

Chuck Fullerton
CEH, OPST, CISSP

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Coombs
Sent: Wednesday, August 10, 2005 8:59 PM
To: Donald J. Ankney
Cc: Full-Disclosure
Subject: Re: [Full-disclosure] Re: Help put a stop to incompetent
computerforensics

Donald J. Ankney wrote:
> Your definition is just a subset of the standard, broader one.

When a word causes widespread misunderstanding such that you simply can't
use it to communicate ideas clearly, the old meaning becomes archaic. I
think that's what has happened with Trojan. Proof of this can be found in
the list of malware that anti-Trojan software is designed to detect --
without double-checking this, just from memory, I'm going to say that the
list of malware detected by the typical anti-Trojan software product is
limited to malware that meets my definition and does not include the broader
definition. That causes a real problem, in practice, since if the
anti-Trojan doesn't stop spyware then how can spyware be a Trojan?

Regards,

Jason Coombs
[EMAIL PROTECTED]


RE: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

2005-08-10 Thread Chuck Fullerton
Ok.. In one reply you typed...

> In computers, a Trojan horse is a program in which malicious or harmful
> code is contained inside apparently harmless programming or data in such a
> way that it can get control and do its chosen form of damage, such as
> ruining the file allocation table on your hard disk.

Below you said...

> This is part of why I'm saying that the definition of Trojan must include
> the access and control that a backdoor gives.

In your reply to me earlier (First example above), The trojan can do its
damage without giving control to an outside attacker.  That's the difference
between the two.  A backdoor gives access to an outside attacker while a
Trojan doesn't.  It can however use a backdoor combined with the trojan to
deliver access.

Chuck Fullerton


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Coombs
Sent: Wednesday, August 10, 2005 9:34 PM
To: James Tucker
Cc: Full-Disclosure
Subject: Re: [Full-disclosure] Re: Help put a stop to incompetent
computerforensics

James Tucker wrote:
> Sorry, how many programs which you class as Trojans add what you 
> define as a backdoor, given that a backdoor is generally 
> pre-compiled code which allows access via previously un-announced or 
> commonly unused connection methods? Malware doesn't typically ADD 
> backdoors, it comes shipped with them, thus the classification 
> Trojan.Backdoor, as opposed to just Trojan. Many of the more common 
> Trojans these days are Worms, Trojans, and Backdoors and some are Viri 
> too. The reason is simple - short of breaking the kernel process 
> scheduler it is useful to be a Trojan when present as an active virus.
> Similarly due to the current nature of desktop and server side 
> application logic, most viri are unsuccessful without being worms - 
> although this may change in a few decades as applications become more 
> data driven and automatic. Nothing will ever substitute a full 
> description of a particular malware's actions in describing what it 
> does, unless you expect malware authors to start conforming to 
> standards.


Applying the broader definition of Trojan, I can't even make sense out of
your paragraph above. But I know that you aren't using the term to
communicate the idea of malware that enables the attacker to gain control
over, and future access to, the infected system ... If that's the definition
you had in mind, then the paragraph you wrote makes logical sense.
Otherwise, not.

I agree that calling it a backdoor isn't comfortable, it just doesn't fit.
This is part of why I'm saying that the definition of Trojan must include
the access and control that a backdoor gives.

It doesn't make sense to me that Many of the more common Trojans these days
are Worms, Trojans, and Backdoors ... unless you are using Trojan to
communicate the feature of remote access to the infected box.

Sincerely,

Jason Coombs
[EMAIL PROTECTED]