Handbook of Information Security Management:Computer Architecture and System Security



The Trojan Horse

According to Rosenberger and Greenberg “Trojan horse is a generic term describing a set of computer instructions purposely hidden inside a program. Trojan horses tell programs to do things you don’t expect them to do.” The original Trojan horse held enemy soldiers in its belly who thus gained entrance to the fortified city of Troy. In computer terms, a seemingly legitimate program is loaded by the user, but at some point thereafter malicious code goes to work, possibly capturing password keystrokes or erasing data.

An example appeared in 1995 when someone started distributing a file described as PKZIP 3.0, the long-awaited update of PKZIP version 2.04g, an excellent file archiving tool. Naturally, since the purpose of PKZIP is to compress and decompress files, version 2.04g was distributed as a self-extracting file. That is, it was executed as a program at the DOS prompt. PKZIP 3.0 was also made available on bulletin boards as an executable file, but it was not a self-extracting archive. Instead it was a Trojan horse that attempted to execute the DELTREE and FORMAT commands. Although clumsily written, it sometimes worked and some people lost data (one defense against such programs is to rename, remove, or relocate potentially destructive commands like FORMAT and DELTREE).

The Worm

According to virus experts Rosenberger and Greenberg, a worm is similar to a Trojan horse, but there is no “gift” involved: “If the Trojans had left that wooden horse outside the city, they wouldn’t have been attacked from inside the city. Worms, on the other hand, can bypass your defenses without having to deceive you into dropping your guard.” The classic example is a program designed to spread itself by exploiting bugs in network operating software, spreading parts of itself across many different computers that are connected into a network. The parts remain in touch with, or related to, each other, thus giving rise to the term worm, a segmented insect. Naturally, this has a disruptive effect on the host computers, eating up empty space in memory and storage and wasting valuable processing time.

The best-known example is the Internet worm, which consumed so much memory space and processor time that eventually several thousand computers ground to a halt (the Morris/Internet worm has been exhaustively analyzed and documented on the Web). More destructive worms might erase files. Even without malicious intent, communications on the network are likely to be disrupted by any worm as it attempts to grow from one area to another. Most people agree that a worm is typified by independent growth rather than modification of existing programs. The difference between a worm and a virus might be characterized by saying that a virus reproduces, while a worm grows.

The Code Bomb

One of the oldest forms of malicious programming is the creation of dormant code that is later activated or triggered by specific circumstances. Typical triggers are events such as a particular date or a certain number of system starts. Stories abound of disgruntled programmers planting logic bombs to get back at employers deemed to have been unfair. Several logic bombs have been planted in order to extort money. You have to pay up or find the malicious code and remove it. The latter option can be extremely costly when the system is a large mainframe computer.

Defenses Against MC

The layered approach to security that we advocate can provide a head start in defending against malicious code. To briefly reiterate the elements of this layered approach, they are:

  Access control
    Site — controlling who can get near the system.
    System — controlling who can use the system.
    File — controlling who can use specific files.
  System support
    Power — keeping the supply of power clean and constant.
    Backup — keeping copies of files current.

The three access control items provide positive protection against infection, while the last item under System Support, backup, allows you to recover from a virus attack. However, we now add a third layer of System Support, namely Vigilance — keeping tabs on what enters or attempts to enter the system. By exercising vigilance, users and administrators alike can prevent, or at least minimize, the effects of malicious programming. To be vigilant, users need to know what they are defending against. This means:

  General training in malicious code awareness.
  Constant updating of defenses to remain effective against a threat which continues to evolve.
  An ongoing program of security checking, review, and retraining.

In the case of the most prevalent malicious code threat, viruses, vigilance means:

  Knowing what viruses are, the methods of attack they use, and what constitutes a healthy regimen of computer operation and maintenance.
  The use of hardware and/or software that prevents or warns of virus attacks (typically, software of this type needs to be updated on a regular basis in order to remain effective).
  Letting hardware and software buying choices be guided by it, preferring systems and programs that are more inherently virus-free.
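As an added illustration of the vigilance layer described above (example code written for this section, not from the handbook): a minimal file-integrity check that baselines the SHA-256 of every file under a program directory and, on the next check, reports what has been added, modified or removed since. The directory contents and file names are constructed for the demonstration, in the spirit of the PKZIP 3.0 case.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical integrity checker: "keeping tabs on what enters the system"
# as a baseline of cryptographic hashes that is rebuilt and compared.

def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file():
                baseline[str(p.relative_to(root_path))] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two baselines: added, modified, removed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: a known-good archiver directory is baselined;
    later the archiver binary has changed, a new executable has arrived,
    and a documentation file has vanished."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "pkzip.exe").write_bytes(b"original archiver")   # constructed
        Path(tmp, "readme.txt").write_bytes(b"docs")               # constructed
        before = build_baseline(tmp)
        Path(tmp, "pkzip.exe").write_bytes(b"replaced contents")   # modified
        Path(tmp, "pkzip30.exe").write_bytes(b"newly arrived")     # added
        os.remove(Path(tmp, "readme.txt"))                         # removed
        return compare(before, build_baseline(tmp))


if __name__ == "__main__":
    print(demo())
```

The baseline must itself be stored somewhere the program being watched cannot alter (read-only or offline media), or a Trojan horse could simply rewrite it.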
