Saturday, February 04, 2006

what is a trojan?

a trojan horse program is a program which the user believes performs a good (or at least benign) function but which also or instead performs a function the user would not approve of if s/he knew about it...

there are those who think trojan horse programs are synonymous with back doors, however that is only one of the many different types of trojans known...

the most striking thing about this is that it is not a functional definition... we cannot determine if program X belongs in the trojan horse class just by examining it, we must also look at how it gets presented to the user and make guesses as to how an average user might reasonably interpret that presentation...

for example, format.com (the utility used to format disks) is certainly not a bad program - if you need to format a disk then this is the program you want to use... however, if someone were to rename it to best-blowjob-ever.com (an example of social engineering) then someone else could be in for a nasty surprise when they tried to run it...

this may seem like nothing more than a mental exercise so far, but now imagine you were going to write an anti-trojan program to help protect people from trojans - how could your product alarm on best-blowjob-ever.com and not on format.com when their contents are identical? in general it can't be done and so deciding whether or not to detect program X as a trojan becomes a balancing act... one has to try to decide whether it's more important to warn people of the potential trojan or to not create fear among those who happen to have a legitimate program that gets maliciously misused in some circumstances...

these kinds of problems inevitably stymie efforts to help protect people from malware and are why non-functional definitions are such a bad thing... unfortunately, in the case of trojans, that's the kind of definition we're stuck with...
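
the anti-trojan dilemma above, as an added example (not code from the original post): two files with identical, constructed bytes stand in for format.com and its renamed copy, and a content-only scanner is run over both under each policy... the `name_aware_verdict` heuristic and its `expected_names` table are hypothetical, introduced here only to show that telling the two apart takes information from outside the file's contents...

```python
import hashlib
import os
import tempfile

# constructed stand-in bytes, not the real format.com
UTILITY_BYTES = b"constructed stand-in for a disk format utility"

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def content_only_verdict(path, flagged_hashes):
    # a scanner that sees only the bytes: the verdict depends on the hash alone
    return "alarm" if sha256_of(path) in flagged_hashes else "clean"

def name_aware_verdict(path, expected_names):
    # hypothetical heuristic: expected_names maps a content hash to the file
    # name that content normally ships under; a mismatch is treated as a lure
    expected = expected_names.get(sha256_of(path))
    if expected is None:
        return "unknown"
    actual = os.path.basename(path).lower()
    return "clean" if actual == expected else "suspicious-rename"

def demo():
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "format.com")
        renamed = os.path.join(d, "best-blowjob-ever.com")
        for p in (original, renamed):
            with open(p, "wb") as f:
                f.write(UTILITY_BYTES)
        h = sha256_of(original)
        return {
            # no signature for this content: the renamed copy is missed
            "no_signature": (content_only_verdict(original, set()),
                             content_only_verdict(renamed, set())),
            # signature added: the legitimate utility alarms too
            "with_signature": (content_only_verdict(original, {h}),
                               content_only_verdict(renamed, {h})),
            # context outside the bytes (the file name) separates them
            "name_aware": (name_aware_verdict(original, {h: "format.com"}),
                           name_aware_verdict(renamed, {h: "format.com"})),
        }

if __name__ == "__main__":
    for policy, verdicts in demo().items():
        print(policy, verdicts)
```

even the name-aware check is still only a guess about presentation... someone who renamed their own copy of the utility for convenience gets the same "suspicious-rename" verdict, so the balancing act remains...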
