22.2 Trojan Horses

A critical observation is the notion of "tricked." Suppose the user root executed this script unintentionally (for example, by typing "ls" in the directory containing this file). This would be a violation of the security policy. However, if root deliberately typed

cp /bin/sh /tmp/.xxsh
chmod o+s,w+x /tmp/.xxsh

the security policy would not be violated. This illustrates a crucial aspect of the problem posed by malicious logic: the system cannot determine whether the instructions a process executes are ones the user knows about or a set of instructions that the user does not intend to execute. The next definition makes this distinction explicit.

Definition 22–2. A Trojan horse is a program with an overt (documented or known) effect and a covert (undocumented or unexpected) effect.

EXAMPLE: In the preceding example, the overt purpose is to list the files in a directory. The covert purpose is to create a shell that is setuid to the user executing the script. Hence, this program is a Trojan horse.

Dan Edwards was the first to use this term [26]. Trojan horses are often used in conjunction with other tools to attack systems.

EXAMPLE: The NetBus program allows an attacker to control a Windows NT workstation remotely. The attacker can intercept keystrokes or mouse motions, upload and download files, and act as a system administrator would act. In order for this program to work, the victim Windows NT system must have a server with which the NetBus program can communicate. This requires someone on the victim's system to load and execute a small program that runs the server.

This small program was placed in several small game programs as well as in some other "fun" programs, which could be distributed to Web sites where unsuspecting users would be likely to download them.

Trojan horses can make copies of themselves. One of the earliest Trojan horses was a version of the game animal. When this game was played, it created an extra copy of itself. These copies spread, consuming a great deal of storage. The program was modified so that it deleted one copy of the earlier version and created two copies of the modified program. Because it spread even more rapidly than the earlier version, the modified version of animal soon completely supplanted the earlier version. After a preset date, each copy of the later version deleted itself after it was played [290].

Definition 22–3. A propagating Trojan horse (also called a replicating Trojan horse) is a Trojan horse that creates a copy of itself.

Karger and Schell [552], and later Thompson [995], examined detection of Trojan horses. They constructed a Trojan horse that propagated itself slowly and in a manner that was difficult to detect. The central idea is that the Trojan horse modifies the compiler to insert itself into specific programs, including future versions of the compiler itself.

EXAMPLE: Thompson [995] added a Trojan horse to the login program. When a user logged in, the Trojan horse would accept a fixed password as well as the user's normal password. However, anyone reading the source code for the login program would instantly detect this Trojan horse. To obscure it, Thompson had the compiler check the program being compiled. If that program was login, the compiler added the code to use the fixed password. Now, no code needed to be added to the login program. Thus, an analyst inspecting the login program source code would see nothing amiss. If the analyst compiled the login program from that source, she would believe the executable to be uncorrupted.

The extra code is visible in the compiler source. To eliminate this problem, Thompson modified the compiler. This second version checked to see if the compiler (actually, the C preprocessor) was being recompiled. If so, it inserted the code that added both this Trojan horse and the login Trojan horse to the compiler being built. He compiled the second version of the compiler and installed the executable. He then replaced the corrupted source with the original version of the compiler. As with the login program, inspection of the source code would reveal nothing amiss, but compiling and installing the compiler would insert the two Trojan horses.

Thompson took special pains to ensure that the second version of the compiler was never released. It remained on the system for a considerable time before someone overwrote the executable with a new version from a different system [839]. Thompson's point[1] was that "no amount of source-level verification or scrutiny will protect you from using untrusted code," a point to be reiterated later.

[1] See [995], p. 763.
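The following toy model is added here to make the two preceding paragraphs concrete; it is not Thompson's code, and the "language", the program sources, the compilers and the password string in it are all hypothetical and constructed for illustration. It shows why inspecting the clean compiler source and the clean login source reveals nothing once the installed compiler executable carries the Trojan horse, and it adds the check a defender can run against exactly this situation: rebuild the compiler from its source with an independently obtained compiler and compare the resulting executables (Wheeler's diverse double-compiling, a later technique that the text does not discuss).

```python
"""Toy model of a self-propagating compiler Trojan horse and of the
diverse double-compiling check that detects it. Added example; the
language, programs and compilers below are hypothetical."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed source texts. Both are clean: neither mentions a backdoor.
LOGIN_SRC = "program login: grant access if password == stored_password"
COMPILER_SRC = "program cc: translate toy source into a binary"


@dataclass(frozen=True)
class Binary:
    """What the toy CPU runs: a program name, the behaviours it exhibits and,
    for a compiler, the translation routine the CPU invokes on source text."""
    name: str
    behaviours: Tuple[str, ...]
    compile: Optional[Callable[[str], "Binary"]] = None


def honest_cc(source: str) -> Binary:
    """Faithful semantics of the toy language: the body becomes the program's
    single behaviour, and compiling the compiler yields an honest compiler."""
    header, body = source.split(":", 1)
    name = header.split()[1]
    return Binary(name, (body.strip(),), honest_cc if name == "cc" else None)


def trojaned_cc(source: str) -> Binary:
    """Model of Thompson's second compiler. It compiles faithfully except
    that the login program gains a fixed password, and the compiler program
    is compiled into this very routine, so the Trojan horse survives a
    rebuild from clean source."""
    out = honest_cc(source)
    if out.name == "login":
        extra = "grant access if password == FIXED_BACKDOOR_PASSWORD"  # constructed
        return Binary(out.name, out.behaviours + (extra,), None)
    if out.name == "cc":
        return Binary(out.name, out.behaviours, trojaned_cc)
    return out


# The installed executable: built from the modified compiler source, which was
# then replaced by the clean COMPILER_SRC. Only the binary is dirty.
INSTALLED_CC = Binary("cc", honest_cc(COMPILER_SRC).behaviours, trojaned_cc)

# A compiler executable obtained from an independent system.
TRUSTED_CC = honest_cc(COMPILER_SRC)


def fingerprint(binary: Binary) -> str:
    """Stand-in for hashing an executable's bytes. For a compiler, the bytecode
    of its translation routine is included, since that is where the Trojan
    horse lives."""
    h = hashlib.sha256(binary.name.encode())
    for behaviour in binary.behaviours:
        h.update(behaviour.encode())
    if binary.compile is not None:
        h.update(binary.compile.__code__.co_code)
    return h.hexdigest()


def rebuild_from_clean_source(installed_cc: Binary) -> Tuple[Binary, Binary]:
    """The scenario in the text: the installed compiler recompiles the clean
    compiler source, and the new compiler then compiles the clean login
    source. Returns (new compiler, login executable)."""
    new_cc = installed_cc.compile(COMPILER_SRC)
    return new_cc, new_cc.compile(LOGIN_SRC)


def diverse_double_compile(suspect_cc: Binary, trusted_cc: Binary) -> bool:
    """Compile the compiler source with the trusted compiler, then compile it
    again with that result. If suspect_cc really is the compilation of
    COMPILER_SRC by itself (and compilation is deterministic), the stage-2
    executable must be identical to it. Returns True when it is."""
    stage1 = trusted_cc.compile(COMPILER_SRC)
    stage2 = stage1.compile(COMPILER_SRC)
    return fingerprint(stage2) == fingerprint(suspect_cc)


if __name__ == "__main__":
    _, login = rebuild_from_clean_source(INSTALLED_CC)
    print("sources mention a backdoor:", "BACKDOOR" in COMPILER_SRC + LOGIN_SRC)
    print("login rebuilt from clean source does:", login.behaviours)
    print("installed compiler passes DDC:", diverse_double_compile(INSTALLED_CC, TRUSTED_CC))
    print("trusted compiler passes DDC:", diverse_double_compile(TRUSTED_CC, TRUSTED_CC))
```

The check does not read any source more carefully; it compares executables. That is the point of Thompson's remark: the compiler's behaviour must be tied to its source by something other than source inspection, here by requiring that an independent compiler, fed the same source, reproduce the installed binary. The comparison is only meaningful if the trusted compiler really is independent of the suspect one and if compilation is deterministic, so that two faithful builds of the same source are identical.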
