<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD> <TITLE>Maximum Security -- Ch 11 -- Trojans</TITLE></HEAD>
<BODY TEXT="#000000" BGCOLOR="#FFFFFF">
<CENTER><H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR><FONT COLOR="#000077">Maximum Security: </FONT></H1></CENTER>
<CENTER><H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2></CENTER>
<CENTER><P><A HREF="../ch10/ch10.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch12/ch12.htm"><IMG SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter" BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> <HR></CENTER>
<CENTER><H1><FONT COLOR="#000077">11</FONT></H1></CENTER>
<CENTER><H1><FONT COLOR="#000077">Trojans</FONT></H1></CENTER>
<P>This chapter examines one of the more insidious devices used to circumvent Internet security: the <I>trojan horse</I>, or <I>trojan</I>. No other device is more likely to lead to total compromise of a system, and no other device is more difficult to detect.
<H2><FONT COLOR="#000077"><B>What Is a Trojan?</B></FONT></H2>
<P>Before I start, I want to offer a definition of what a trojan is because these devices are often confused with other malicious code. A <I>trojan horse</I> is</P>
<UL> <LI><FONT COLOR="#000000">An unauthorized program contained within a legitimate program. 
This unauthorized program performs functions unknown (and probably unwanted) by the user.</FONT><BR> <BR> <LI><FONT COLOR="#000000">A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown (and probably unwanted) by the user.<BR> <BR> </FONT> <LI><FONT COLOR="#000000">Any program that appears to perform a desirable and necessary function but that (because of unauthorized code within it that is unknown to the user) performs functions unknown (and probably unwanted) by the user.</FONT></UL>
<P>The unauthorized functions that the trojan performs may sometimes qualify it as another type of malicious device as well. For example, certain viruses fit into this category. Such a virus can be concealed within an otherwise useful program. When this occurs, the program can be correctly referred to as both a <I>trojan</I> and a <I>virus</I>. The file that harbors such a trojan/virus has effectively been <I>trojaned</I>. Thus, the term <I>trojan</I> is sometimes used as a verb, as in "He is about to trojan that file."</P>
<P>Classic Internet security documents define the term in various ways. Perhaps the most well known (and oddly, the most liberal) is the definition given in RFC 1244, the Site Security Handbook:
<DL> <DD>A trojan horse program can be a program that does something useful, or merely something interesting. It always does something unexpected, like steal passwords or copy files without your knowledge.</DL>
<P>Another definition that seems quite suitable is that given by Dr. Alan Solomon, an internationally renowned virus specialist, in his work titled <I>All About Viruses</I>:
<DL> <DD>A trojan is a program that does something more than the user was expecting, and that extra function is damaging. This leads to a problem in detecting trojans. Suppose I wrote a program that could infallibly detect whether another program formatted the hard disk. Then, can it say that this program is a trojan? 
Obviously not: if the other program was supposed to format the hard disk (like Format does, for example), then it is not a trojan. But if the user was not expecting the format, then it is a trojan. The problem is to compare what the program does with the user's expectations. You cannot determine the user's expectations for a program.</DL>
<BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B><I>All About Viruses</I> by Dr. Alan Solomon can be found at <A HREF="http://www.drsolomon.com/vircen/allabout.html"><TT>http://www.drsolomon.com/vircen/allabout.html</TT></A>.</P> <P>Anyone concerned with viruses (or who just wants to know more about virus technology) should visit Dr. Solomon's site at <A HREF="http://www.drsolomon.com/"><TT>http://www.drsolomon.com/</TT></A>. <HR></BLOCKQUOTE>
<P>At day's end, you can classify a trojan as this: any program that performs a hidden and unwanted function. This may come in any form. It might be a utility that purports to index file directories or one that unlocks registration codes on software. It might be a word processor or a network utility. In short, a trojan could be anything (and could be found in anything) that you or your users introduce to the system.
<H2><FONT COLOR="#000077"><B>Where Do Trojans Come From?</B></FONT></H2>
<P>Trojans are created strictly by programmers. One does not get a trojan through any means other than by accepting a trojaned file that was prepared by a programmer. True, it might be possible for a thousand monkeys typing 24 hours a day to ultimately create a trojan, but the statistical probability of this is negligible. Thus, a trojan begins with human intent or <I>mens rea</I>. Somewhere on this planet, a programmer is creating a trojan right now. That programmer knows exactly what he or she is doing, and his or her intentions are malefic (or at least, not altruistic).</P>
<P>The trojan author has an agenda. 
That agenda could be almost anything, but in the context of Internet security, a trojan will do one of two things:</P>
<UL> <LI><FONT COLOR="#000000">Perform some function that either reveals to the programmer vital and privileged information about a system or compromises that system.<BR> <BR> </FONT> <LI><FONT COLOR="#000000">Conceal some function that either reveals to the programmer vital and privileged information about a system or compromises that system.</FONT></UL>
<P>Some trojans do both. Additionally, there is another class of trojan that causes damage to the target (for example, one that encrypts or reformats your hard disk drive). So trojans may perform various intelligence tasks (penetrative or collective) or tasks that amount to sabotage.</P>
<P>One example that satisfies the sabotage-tool criteria is the PC CYBORG trojan horse. As explained in a December 19, 1989 CIAC bulletin ("Information about the PC CYBORG (AIDS) Trojan Horse"):
<DL> <DD>There recently has been considerable attention in the news media about a new trojan horse which advertises that it provides information on the AIDS virus to users of IBM PC computers and PC clones. Once it enters a system, the trojan horse replaces <TT>AUTOEXEC.BAT</TT>, and may count the number of times the infected system has booted until a criterion number (90) is reached. At this point PC CYBORG hides directories, and scrambles (encrypts) the names of all files on drive C:. There exists more than one version of this trojan horse, and at least one version does not wait to damage drive C:, but will hide directories and scramble file names on the first boot after the trojan horse is installed.</DL>
<BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>You can find the CIAC bulletin<I> </I>"Information about the PC CYBORG (AIDS) Trojan Horse"<I> </I>at <A HREF="http://www.sevenlocks.com/CIACA-10.htm"><TT>http://www.sevenlocks.com/CIACA-10.htm</TT></A>. 
<HR></BLOCKQUOTE>
<P>Another example (one that caused fairly widespread havoc) is the AOLGOLD trojan horse. This was distributed primarily over the Usenet network and through e-mail. The program was purported to be an enhanced package for accessing America Online (AOL). The distribution consisted of a single, archived file. Unzipping the archive revealed two files, one of which was a standard <TT>INSTALL.BAT</TT> file. Executing the <TT>INSTALL.BAT</TT> file resulted in 18 files being expanded to the hard disk. As reported in a security advisory ("Information on the AOLGOLD Trojan Program") dated Sunday, February 16, 1997:</P>
<BLOCKQUOTE> <P>The trojan program is started by running the <TT>INSTALL.BAT</TT> file. The <TT>INSTALL.BAT</TT> file is a simple batch file that renames the <TT>VIDEO.DRV</TT> file to <TT>VIRUS.BAT</TT> and then runs it. <TT>VIDEO.DRV</TT> is an amateurish DOS batch file that starts deleting the contents of several critical directories on your C: drive, including</P> <PRE><FONT COLOR="#0066FF">c:\
c:\dos
c:\windows
c:\windows\system
c:\qemm
c:\stacker
c:\norton</FONT></PRE></BLOCKQUOTE>
<DL> <DD>When the batch file completes, it prints a crude message on the screen and attempts to run a program named <TT>DOOMDAY.EXE</TT>. Bugs in the batch file prevent the <TT>DOOMDAY.EXE</TT> program from running. Other bugs in the file cause it to delete itself if it is run from any drive but the C: drive. The programming style and bugs in the batch file indicate that the trojan writer appears to have little programming experience.</DL>
<BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>You can find the security advisory titled<I> </I>"Information on the AOLGOLD Trojan Program" at <A HREF="http://www.emergency.com/aolgold.htm"><TT>http://www.emergency.com/aolgold.htm</TT></A>. 
<HR></BLOCKQUOTE>
<P>These trojans were clearly the work of amateur programmers: kids who had no more complex an agenda than causing trouble. These were both destructive trojans and performed no sophisticated collective or penetrative functions. Such trojans are often seen, and usually surface, on the Usenet news network.</P>
<P>However, trojans (at least in the UNIX world) have been planted by individuals that are also involved in the <I>legitimate </I>development of a system. These are inside jobs, where someone at a development firm inserts the unauthorized code into an application or utility (or, in rare instances, the core of the operating system itself). These can be far more dangerous for a number of reasons:</P>
<UL> <LI><FONT COLOR="#000000">These trojans are not destructive (they collect intelligence on systems); their discovery is usually delayed until they are revealed by accident.<BR> <BR> </FONT> <LI><FONT COLOR="#000000">Because most servers that matter run UNIX, some highly trusted (and sensitive) sites can be compromised. By servers that matter, I mean those that provide hundreds or even thousands of users access to the Internet and other key networks within the Internet. These are generally governmental or educational sites, which differ from sites maintained, for example, by a single company. With a single company, the damage can generally travel only so far, placing the company and all its users at risk. This is a serious issue, to be sure, but is relevant only to that company. In contrast, the compromise of government or educational sites can place thousands of computers at risk.</FONT></UL>
<P>There are also instances where key UNIX utilities are compromised (and trojaned) by programmers who have nothing to do with the development of the legitimate program. This has happened many times and, on more than one occasion, has involved security-related programs. 
For example, following the release of SATAN, a trojan found its way into the SATAN 1.0 distribution for Linux.
<BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>This distribution was not the work of Farmer or Venema. Instead, it was a precompiled set of binaries intended solely for Linux users, compiled at Temple University. Moreover, the trojan was confined to a single release, that being 1.0. <HR></BLOCKQUOTE>
<P>Reportedly, the file affected was a program called fping. The story goes as follows: A programmer obtained physical access to a machine housing the program. He modified the <TT>main()</TT> function and altered the <TT>fping</TT> file so that when users ran SATAN, a special entry would be placed in their <TT>/etc/passwd</TT> file. This special entry was the addition of a user named <TT>suser</TT>. Through this user ID, the perpetrator hoped to compromise many hosts. As it happened, only two recorded instances of such compromise emerged. Flatly stated, the programming was of poor quality. For example, the trojan provided no contingency for those systems that made use of shadowed passwords.
<BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>The Slackware distribution of Linux defaults to a nonshadowed password scheme. This may be true of other Linux distributions as well. However, the programmer responsible for the trojan in question should not have counted on that. It would have been only slightly more complicated to add a provision for this. <HR>
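<P>As an added illustration (not part of the original chapter and not code from SATAN or fping), the following Python script audits a passwd file for the kind of account the fping trojan planted: a second UID 0 user, an account absent from the administrator's baseline, and a password hash sitting in <TT>/etc/passwd</TT> itself rather than in a shadow file. The sample passwd lines and the baseline set are constructed for the example; the <TT>suser</TT> name is the one from the account above.</P>

```python
"""Audit a passwd file for planted accounts.

Added example, not from the book or from SATAN.  The sample passwd content,
the BASELINE set and the file path are constructed assumptions.
"""

# Constructed sample of an /etc/passwd file.  The last line mimics the entry
# the fping trojan added: a second UID-0 account whose hash is stored in
# passwd itself, which only matters on hosts without shadowed passwords.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
suser:AbCdEfGhIjKlM:0:0::/:/bin/sh
"""

# Accounts the administrator expects to exist (constructed baseline).
BASELINE = {"root", "daemon", "alice"}

SHADOW_PLACEHOLDERS = ("x", "*", "!")


def parse_passwd(text):
    """Return one dict per passwd line; malformed lines are flagged, not dropped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"name": line, "malformed": True, "line": lineno})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "password": pw, "uid": uid, "gid": gid,
            "gecos": gecos, "home": home, "shell": shell,
            "line": lineno, "malformed": False,
        })
    return entries


def audit_passwd(text, baseline=BASELINE):
    """Return a list of (account, reason) findings, in file order."""
    findings = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["name"], "malformed line %d" % e["line"]))
            continue
        name = e["name"]
        if name not in baseline:
            findings.append((name, "account not in baseline"))
        try:
            uid = int(e["uid"])
        except ValueError:
            findings.append((name, "non-numeric UID"))
            uid = None
        # UID 0 is the superuser; any second UID-0 account is a backdoor candidate.
        if uid == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
        # A shadowed system keeps a placeholder here.  A real hash in this field
        # is world-readable and, on a shadowed host, marks an entry that was
        # written by something other than the normal account tools.
        if e["password"] == "":
            findings.append((name, "empty password field"))
        elif e["password"] not in SHADOW_PLACEHOLDERS:
            findings.append((name, "password hash stored in passwd, not shadow"))
    return findings


def uses_shadow(text):
    """True if every well-formed entry keeps a shadow placeholder in field 2."""
    return all(e["password"] in SHADOW_PLACEHOLDERS
               for e in parse_passwd(text) if not e["malformed"])


if __name__ == "__main__":
    # Assumed path; on a real host read /etc/passwd instead of the sample.
    print("shadowed:", uses_shadow(SAMPLE_PASSWD))
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print("%-10s %s" % (account, reason))
```

<P>On the constructed sample the audit reports only the <TT>suser</TT> line, three times over (not in the baseline, a second UID 0, and a hash where a shadow placeholder belongs), which is exactly the trio of properties that made the fping entry both effective on a nonshadowed host and easy to spot on a shadowed one. Running the same check against a saved copy of a known-good passwd file is a cheap complement to integrity checks on the binaries themselves.</P>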