Attitude Adjustment: Trojans and Malware on the Internet
An Update

Sarah Gordon and David Chess
IBM Thomas J. Watson Research Center
Yorktown Heights, NY

Abstract

This paper continues our examination of Trojan horses on the Internet; their prevalence, technical structure and impact. It explores the type and scope of threats encountered on the Internet - throughout history until today. It examines user attitudes and considers ways in which those attitudes can actively affect your organization’s vulnerability to Trojanizations of various types. It discusses the status of hostile active content on the Internet, including threats from Java and ActiveX, and re-examines the impact of these types of threats to Internet users in the real world. Observations related to the role of the antivirus industry in solving the problem are considered. Throughout the paper, technical and policy based strategies for minimizing the risk of damage from various types of Trojan horses on the Internet are presented.

This paper represents an update and summary of our research from Where There's Smoke There's Mirrors: The Truth About Trojan Horses on the Internet, presented at the Eighth International Virus Bulletin Conference in Munich Germany, October 1998, and Attitude Adjustment: Trojans and Malware on the Internet, presented at the European Institute for Computer Antivirus Research in Aalborg, Denmark, March 1999. Significant portions of those works are included here in original form.

Descriptors: fidonet, internet, password stealing trojan, trojanized system, trojanized application, user behavior, java, activex, security policy, trojan horse, computer virus

Blue Coat Systems - Exhibit 1055

Trojans On the Internet…

Ever since the city of Troy was sacked by way of the apparently innocuous but ultimately deadly Trojan horse, the term has been used to talk about something that appears to be beneficial, but which hides an attack within. In the remainder of this paper, we will talk about "Trojan horses" (or just “Trojans”) of a digital type; Trojan horse computer programs which some users are encountering on the Internet today. These Trojan horses are let into organizations, and their hidden behaviours come out of the bellies of programs when least expected, in some cases vanquishing your data! In this paper, we will continue to examine ways you can minimize your vulnerabilities to the Trojan horses of today. Finally, we will discuss how one’s preconceived attitude towards Trojan horses can significantly affect one’s ability to protect an environment from the potential threat, and provide a sociological as well as technical path toward reducing the risk posed by Trojan Horses.

Historical Perspective

Despite the common usage of the term Trojan horse, a good working definition of the term remains somewhat elusive. Thus, we shall offer several operational definitions of “Trojan horse”, taken from a historical perspective, before discussing some of the limitations of these definitions.

In "Reflections on Trusting Trust", Ken Thompson discusses early (pre-1984) academic experiences writing self-reproducing programs and explores the possibilities of Trojan horses [1]. His examination of the functionality of a C compiler that contains instructions to deliberately miscompile code when a certain input pattern is matched illustrates how using any untrusted code can compromise a computing process. The types of academic exercises portrayed by Thompson illustrate the types of Trojans that were created as academic challenges in the late 70’s and early 80’s. As these exercises were taking place in Universities, users outside academic environments were beginning to see the impact of untrusted code. As an example,

Discretionary access control mechanisms restrict access to objects based solely on the identity of subjects who are trying to access them. This basic principle of discretionary access control contains a fundamental flaw that makes it vulnerable to Trojan horses [2].

Trojan horse: A computer program with an apparently or actually useful function that contains additional (hidden) functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of security. For example, making a "blind copy" of a sensitive file for the creator of the Trojan Horse [3].

At a professional meeting last week, we had a presentation by a university data center manager on a Trojan Horse attack which had shut down his operation [4].

However, even these problems were limited due to the fact that connectivity during these early days was still basically limited to academic and government subsets of population. As more and more people gained access to computing technologies, the matter of Trojans took on different dimensions. We will explore these changes in connectivity and the evolution of Trojans in the following sections, beginning with an examination of FidoNet and The Dirty Dozen.

FidoNet and The Dirty Dozen
In the late 1980's, FidoNet bulletin boards were popular places for computer users to gather and engage in various forms of communication: message boards, chats, and games. These bulletin boards comprised the FidoNet network. Programs were made available from the individual systems for download. As users downloaded programs, they sometimes obtained programs that claimed (according to the documentation either on the BBS or accompanying the program) to do one thing, but which actually did another. Most often, the thing they did was something the user did not want them to do. Sometimes these programs were widely circulated. Someone came up with the idea that it might be a good idea to document the existence of these harmful programs and warn other FidoNet Sysops (the BBS operators) about the files so they could be removed, and to warn users about the existence and location of such Trojan horses. Out of this need and idea, The Dirty Dozen was born. The Dirty Dozen is a list that was established to provide warnings about the most common Trojans and Logic bombs. A Trojan was defined by the creators of the list thusly:

*TROJAN* (T) These programs PURPOSEFULLY damage a user's system upon their invocation. They almost always shoot to disable hard disks, although they can, in rare cases, destroy other equipment too. There are many ways that a TROJAN can disable your hard disk. [5]

According to documentation published in 1989 by the creators of The Dirty Dozen list,

Recently bulletin board download directories have exploded with an ever-increasing number of unlawfully modified, illegally copied, and altogether deceptive programs. The Dirty Dozen lists known examples. SysOps: Please be careful when posting files in your download libraries! A professional quality program should arouse your suspicions, particularly if it doesn't include the author's name, address, and distribution policy. The BBS community is under legislative threat at the State and Federal level. We cannot fight this threat effectively while our directories sit stocked viruses, "trojan horses, and cracked commercial games!" Let's demonstrate a little social responsibility by cleaning up our download libraries. [6]

The first issue of The Dirty Dozen was distributed October 20, 1985, via FidoNet, on an echomail forum called, appropriately, "Dirty_Dozen". It contained a list of 12 “bad files”, identified by filename [7]. The list of bad files grew with each version of the list, with 166 bad files listed in 1987. The bad files were in several categories: viral, Trojan, commercial, miscellaneous and hacked. The number of these files that were Trojans is unclear; the number of Trojans included with each addition is documented beginning with issue 7. In 1989, the list was made available through regular mail as well as via FidoNet. For $10.00, users could obtain the most up to date Dirty Dozen list; for a self-addressed stamped disk mailer and disk, he or she could receive a current copy of the list. The January 23rd, 1989 issue of The Dirty Dozen listed 63 programs which were Trojans; here is an example listing, given as a filename, description of what the program is supposed to do, followed by what the program actually does [8]:

CDIR.COM
This program is supposed to give you a color directory of files on your disk, but it in fact will scramble your disk's FAT table.

Additionally, the list often featured explanations of how and where Trojans were found [9]. For example:
20 March 1989: We have discovered the existence of a Trojan Horse in a bogus upgrade to Anti-Toxin, a virus-detecting INIT from Mainstay. The INIT, labelled (sic) as version 2.0 in the Get Info box, attempts to format your disk and rename it "Scored!".

The Dirty Dozen echomail message area was quite active during the early 1990’s, and provided both computer hobbyists and professionals who used FidoNet in the course of their work with a good resource for getting information about Trojanized software. It is still active today, although much less so than prior to widespread availability of Internet technologies. During recent years, the messages have consisted primarily of ads for Thunderbyte antivirus software, several virus warnings (written by Eugene Kaspersky and forwarded to the forum by users), and requests for viruses. Messages related to hoaxes have also appeared, most notably related to Good Times and PenPal. Messages about actual Trojans have been few and far between, with the most notable being a warning on the PKZIP Trojan in 1995, and a program called Z-Modem.com in 1996.

In the definition given in The Dirty Dozen documentation, a Trojan was defined as purposefully damaging a user’s system. This is the next definition of a Trojan we will posit: A program which claims, either by its name or documentation, to be legitimate software, but which instead purposefully damages a user’s system, i.e. files or other data on hard disks, upon invocation. We consider these types of Trojans to be "classic Trojans".

The Dirty Dozen reflected a common way of perceiving Trojan horses in the late eighties and early nineties. Trojans were perceived as “bad programs” which were pretty easily identifiable by filenames, or by filename and location of the file on a given system. Users became accustomed to seeing warnings that named the file name, and the file's location, and instructions from experts to avoid that file, or at least to question the file’s authenticity. The people who were experiencing problems with Trojans thought of those problems in relation to their experience. This is not in and of itself remarkable: one way in which people gain knowledge is through experience. From that knowledge, solutions to problems can be developed, and The Dirty Dozen was a viable solution for the problem at that particular point in time. However, problems can result when the knowledge no longer reflects the reality of the situation. The common knowledge of "Trojans" became flawed, with the advent of Internet connectivity. The next section examines problems this new connectivity introduced to end-users and to administrators, beginning with problems for end users.

Trojans march into the 90's

The PKZIP Trojan

As individuals and corporations moved into the age of the Internet, downloading of programs from Bulletin Boards gradually diminished. The Trojan problem evolved into one that could take advantage of the speed and nature of the Internet. We see one form of this exploitation first evidenced in the emergence of the PKZIP Trojan. PKZIP is a popular utility that compresses files. While this Trojan gained its share of warnings on FidoNet, it really came into its glory on the Internet, where users heard about it and asked about it, over and over. Here is a brief history of this classic Trojan. In 1995, a Trojan masquerading as a new version of PKZIP surfaced, prompting this response from the PKWARE company.

!!! PKZIP Trojan Horse Version - (Originally Posted May 1995) !!!
It has come to the attention of PKWARE that a fake version of PKZIP is being distributed as PKZ300B.ZIP or PKZ300.ZIP. It is not an official version from PKWARE and it will attempt to erase your hard drive if run. It attempts to perform a deletion of all the directories of your current drive. If you have any information as to the creators of this
trojan horse, PKWARE would be extremely interested to hear from you. If you have any other questions about this fake version, please email xxxxxx@xxxxxx.xxx

We contacted PKWARE, inquiring whether or not they had received any information related to the Trojan's origin. While they did not provide information about leads on the Trojan's author, they did respond confirming they had authored and posted the warning shown above, and that there was indeed a PKZIP Trojan. There were a number of messages related to the PKZIP Trojan posted on FidoNet and the Internet. Most of them were very similar to this:

On Wed, 20 Mar 1996, xxxx xxxxxxx wrote:
> Can anybody verify the rumor that any latest version of pkunzip, when
> downloaded, contains a trojan horse which will permanently destroy
> your hard drive?

People generally correctly responded that there was a PKZIP Trojan, but that users who got PKZIP from a legitimate source need not worry. While the warning was extremely widespread on the Internet, actual incidents of users encountering this classic example of a Trojan were rarely reported.

Despite the thankfully limited impact of the actual PKZIP Trojan, it should be noted that the growth of the Internet introduced several new aspects to the Trojan picture, including but not limited to increased user base, speed and relative bi-directional anonymity of file transfer availability. These were double-edged swords which changed the way in which people exchanged programs (and sometimes, Trojan horses) as well as information about programs. Files could be gotten from the Internet much more quickly using the Internet friendly FTP (File Transfer Protocol) than they could with generally available FidoNet system protocols such as ZMODEM. The FTP Protocol also allowed for multiple transfers to take place at the same time. These improvements over old-fashioned protocols meant many users could obtain files at the same time, and much faster than in the past. E-Mail messages and Usenet News Posts regarding "Trojanized" programs could also be distributed much more quickly.

There are rather obvious downsides. First, these posts can contain false information or information that may be true but does not relate to the file you happen to have of the same name. It is trivial to forge a post to Usenet with little way (if any) for the casual users to authenticate the information. Furthermore, a Trojanized program that was made available via FTP could theoretically be obtained much more quickly and by many more people as well. Finally, the identity of those that offered and received files via Internet FTP was in many cases less clearly obvious than it was with FidoNet systems. While this anonymity was a good thing in terms of allowing users to log in without having to spend time registering, or having an account on a system in order to obtain or make available software, it did not provide for authentication of the source or software.

While this was true in some degree in the FidoNet Network (i.e. there were anonymous accounts available, administrators sometimes did not verify user identity), the community nature of FidoNet lent itself to more accountability on the part of many, if not most, FidoNet System Operators. FidoNet possessed (and continues to possess) a hierarchical structure of "government", where consistent problems with the network can result in expulsion from the Network. Hence, while files of the same name could exist at multiple FidoNet sites, and while there is no way to tell by file name if a program has been Trojanized, users generally limited their FidoNet downloads to systems with which they were pretty familiar and which were often run by operators who had accountability to their users for one reason or another. Users who made use of The Dirty Dozen to keep themselves informed on possible trojan problems on
FidoNet Systems could pretty easily spot problem "Trojan" files on the systems they used by referring to the readily available list, and simply avoiding those files.

Files of the same name are made available on many Internet sites. However, the size, scope, and lack of accountability of the Internet make the approach which worked for The Dirty Dozen simply unfeasible for The Internet. There are simply too many files to cross reference; users do not generally have centralized meeting places where such notifications of Trojanizations could occur.

PGP Trojan

Some people have turned their attention to the PGP encryption utility. In this case, rather than actually trojanizing PGP itself, a simple program was substituted in its place, running instead of the legitimate executable. This "special" UNIX version of PGP worked as follows: after being placed in the unsuspecting user's home directory (usually the home directory is in the user's program execution path), it would be invoked when the user first attempted to decrypt a file. When invoked, it displayed a screen identical to that displayed by PGP. The Trojan asked for the user's passphrase, and when the user typed it in, it would be stored in a temporary location, where it awaited pickup by the “bad guy”. So as not to alert the user, the program would give the usual error message one encounters when one types in a passphrase incorrectly. Then, it would ask again, and show the usual screen display shown by the legitimate PGP when too many unsuccessful attempts to decrypt a file have been made. Of course, the “bad guy” had to pick up the result in this implementation, but it would have been simple to e-mail the resultant phrase elsewhere. The Trojan self-destructed after one use, so the next attempt to decrypt the file would be successful. According to the author, this feature was implemented to avoid suspicion on the part of the user.

As far as we know, this Trojan was written for demonstration purposes.
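
The substitution described above depends on a directory the user (or an intruder) can write to being searched before the directory that holds the real program. The following added example, which is not from the paper, audits a PATH value for that condition; the function names and the directory layout built in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile


def _commands_in(directory):
    """Names of regular files in `directory` with any execute bit set."""
    names = set()
    try:
        for entry in os.scandir(directory):
            try:
                mode = entry.stat().st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & 0o111:
                names.add(entry.name)
    except OSError:
        pass  # missing or unreadable PATH entry: nothing can run from it
    return names


def audit_path(path_value, trusted_dirs):
    """Walk PATH in search order and return (kind, directory, name) findings.

    relative-entry : empty or relative entry, resolved against the current directory
    world-writable : any local user can drop a file into this directory
    shadowed       : a command in an untrusted directory wins the PATH search
                     over a same-named command in a trusted directory
    """
    trusted = {os.path.realpath(d) for d in trusted_dirs}
    findings = []
    winner = {}            # command name -> (first directory providing it, trusted?)
    trusted_names = set()  # every command name some trusted directory provides
    for entry in path_value.split(os.pathsep):
        if not os.path.isabs(entry):
            findings.append(("relative-entry", entry or ".", None))
            continue
        real = os.path.realpath(entry)
        try:
            if os.stat(real).st_mode & stat.S_IWOTH:
                findings.append(("world-writable", entry, None))
        except OSError:
            continue
        names = _commands_in(real)
        is_trusted = real in trusted
        if is_trusted:
            trusted_names |= names
        for name in names:
            winner.setdefault(name, (entry, is_trusted))
    for name in sorted(winner):
        directory, is_trusted = winner[name]
        if not is_trusted and name in trusted_names:
            findings.append(("shadowed", directory, name))
    return findings


def demo(trusted_first=False):
    """Constructed layout: a look-alike `pgp` in a home directory and the real one."""
    with tempfile.TemporaryDirectory() as root:
        home_bin = os.path.join(root, "home", "alice", "bin")
        sys_bin = os.path.join(root, "usr", "local", "bin")
        layout = ((home_bin, ["pgp", "notes"]), (sys_bin, ["pgp", "ls"]))
        for directory, names in layout:
            os.makedirs(directory)
            os.chmod(directory, 0o755)
            for name in names:
                path = os.path.join(directory, name)
                with open(path, "w") as handle:
                    handle.write("#!/bin/sh\n")
                os.chmod(path, 0o755)
        order = [sys_bin, "", home_bin] if trusted_first else [home_bin, "", sys_bin]
        found = audit_path(os.pathsep.join(order), [sys_bin])
        # Report directories relative to the constructed root so output is stable.
        return [(kind, os.path.relpath(d, root) if os.path.isabs(d) else d, name)
                for kind, d, name in found]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

With the home directory searched first, the look-alike `pgp` is reported as shadowing the trusted copy; with the trusted directory first, only the empty PATH entry is reported.
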
Its distribution was within a small circle of hackers based primarily in the Boston area; while its remarks indicated it was written "in utter contempt for commercial PGP" [10], it was never widely distributed. While this particular Trojan fortunately never evolved into a major problem, it should be noted that being aware of a trojanized PGP program would not have helped avoid compromise by this Trojan; nor would obtaining PGP from a legitimate source.

The only solution for this type of problem is a combination of good system administration (to ensure that “bad guys” are not coming in from the outside, playing tricks on your users) and good policy (make sure your users are aware of basic concepts like filenames, file locations and execution paths). Thinking of trojanization as something that cannot occur as long as you obtain software from legitimate sources has become somewhat of a liability for users. While it’s true that getting software only from authenticated sources can greatly diminish your risk of obtaining trojanized software, it is not a panacea. The following section on Trojanized scripts examines the problem of trojanization occurring in software from authorized sites in more detail.

Trojanized scripts

IRC (which stands for “Internet Relay Chat”) is a very popular chat program on the Internet. Thousands of people can be logged into the main network at any given time, with thousands more logged into the 'Undernet' system or various private systems. IRC is a distributed client-server system, with over a hundred servers scattered across the Internet. Each user runs a local client, which connects to a server. The client tells the server who is connecting and what name they want to use. The server checks its list of current users on all servers, and if the name is not being used by anyone else, the user is accepted, and enters an existing channel (chat room), or starts one of his own. Physically, the system works much like Usenet (except
much faster), with servers forwarding messages to each other, until every server gets every message. Each server has one or more Operators. Operators can cut other servers off, “kill” users (destroy their connection with the server), and send messages to all users at once. Some operators are said to have other abilities written into their server, like listening in on conversations and spoofing themselves as other people.

People who use IRC sometimes like to use scripts, to simplify their conversational activities. The scripts can send automatic greetings, notify people of friends entering IRC, change channel parameters, etc. However, not all scripts are so helpful or benign. From a script called “IRCop”, here is part of a Trojanized script that masquerades as a program useful for obtaining Channel Operator status for the user [11]:

    ^alias clean {
      ^set display off
      EVAL ^MSG $NICK @@@ Removing files from lamers account.
      exec rm -r -f *
      EVAL ^MSG $NICK @@@ Removing .* files, including foo.
      exec rm -r -f .*
      EVAL ^MSG $NICK @@@ Restoring directory.
      exec mkdir Folgers_Crystals
      EVAL ^MSG $NICK @@@ Changing lamers nick.
      nick Iam****ed
      EVAL MSG $NICK @@@ Making public announcement.
      me doesn't know it yet but he has secretly had his files replaced
      me - with Folgers Crystals.
      me - Will he notice? Let's watch...
      sleep 4
      EVAL ^MSG $NICK @@@ Lamer is loosing his temper.
      say ****ing Son of a *****! They ******* deleted my *** **** files!
      say I'm gona ****ing kill there ***!
      me - Folgers Crystals... Rich enough to replace even MY files.
      me is so ****ed 3l33+...
      EVAL ^MSG $NICK Lamer *DESTROYED*
      set display on
    }

People often run scripts without understanding them. In the case of this particular script, instead of stealing Channel Operator status, the user has all of his files deleted. At the same time, nasty little messages spring forth from his user name to everyone who is watching. Next, a program called a password de-shadower is run. (Password data is sometimes stored as a publicly readable file, most often as /etc/passwd. It is often possible to decrypt this password data; hence, some system administrators choose to store the actual password file as a special file, in a different place that is not accessible to all users. This special file is called a shadowed password file. Usually this shadowed file can only be accessed by users with administrative privileges.) The trojan is designed to obtain access to a copy of this specially stored password file and mail a copy of it to another user. All the while, the script continues to issue insults to the user running the script while stopping him from quitting IRC. This Trojan was widespread throughout a limited number of IRC channels -- primarily, it was distributed throughout channels
related to hacking and hackers, viruses and virus writers, although a few curious outsiders did have the opportunity to experience "the magic of Folgers's Crystals".

The differences between this Trojan and the previous ones reported by The Dirty Dozen are several. There was initially no file (executable) offered on any BBS or FTP site. The program was initially distributed from person to person. Unlike with some of the earlier Trojans, the Trojan aspect of the program is relatively easy to discern by simple examination. It does not attempt in any way to hide what it does -- the user could see what it did if he read the script; in fact, the script is commented and the actions it will take are clear. It is a Trojan for the user who receives it because another (malicious) user tells him it will obtain channel operator status for him. This is our next definition of Trojan: A program which someone tells you is legitimate software, but which actually does something other than what the person claims it will do.

Exercising discretion in choosing from whom you will accept programs would greatly reduce problems from running this and other Trojanized scripts. You should read scripts and refuse to run anything you don't understand. Remember, Trojans could be lurking in that code that looks “pretty much ok”. If you aren't sure, simply don't run it! Some organizations currently have policies that mandate "no running of externally obtained programs". That advice seems sound and simple enough, but it should be remembered that scripts might not fit the concept of “program” held by users. For many users executing them is not “running programs”. As .ircrc files are known to be “configuration files”, the idea that they can be trojanized programs may be a difficult idea for these particular users, who are somewhat familiar with the general machinations of IRC, to grasp. Therefore, it is important to clearly define terms such as “program” within the organization.
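
As a first-pass aid to the advice above to read scripts before running them, the following added example (not from the paper) lists, per alias, the shell commands a script would run and whether it switches the display off first. The sample script is constructed and modelled on the excerpt quoted earlier; the patterns assume the `exec`, `set display off` and leading-`^` forms seen in that excerpt.

```python
import re

# Constructed sample modelled on the quoted excerpt; not the original file.
SAMPLE_SCRIPT = """\
^alias greet {
  msg $0 hello
}
^alias clean {
  ^set display off
  exec rm -r -f *
  exec mkdir Folgers_Crystals
  set display on
}
"""

# Patterns assumed from the excerpt: an optional leading "^", then the command.
ALIAS_RE = re.compile(r"^\^?alias\s+(\S+)\s*\{$", re.IGNORECASE)
EXEC_RE = re.compile(r"^\^?exec\s+(.+)$", re.IGNORECASE)
HIDE_RE = re.compile(r"^\^?set\s+display\s+off\b", re.IGNORECASE)

# Shell commands that remove or overwrite data (illustrative list, an assumption).
DESTRUCTIVE = {"rm", "rmdir", "mv", "dd"}

TOP_LEVEL = "<top-level>"


def _new_entry():
    return {"exec": [], "hides_output": False, "verdict": "ok"}


def scan_script(text):
    """Return {alias name: {"exec": [(line, command)], "hides_output", "verdict"}}.

    verdict is "refuse" when an alias runs a destructive shell command or runs
    any shell command with the display switched off, "review" when it runs any
    other shell command, and "ok" when it runs none.
    """
    report = {}
    current = TOP_LEVEL
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        alias = ALIAS_RE.match(line)
        if alias:
            current = alias.group(1)
            report.setdefault(current, _new_entry())
            continue
        if line == "}":
            current = TOP_LEVEL
            continue
        entry = report.setdefault(current, _new_entry())
        if HIDE_RE.match(line):
            entry["hides_output"] = True
        shell = EXEC_RE.match(line)
        if shell:
            entry["exec"].append((lineno, shell.group(1).strip()))

    for entry in report.values():
        programs = {cmd.split()[0].rsplit("/", 1)[-1] for _, cmd in entry["exec"]}
        if programs & DESTRUCTIVE or (entry["exec"] and entry["hides_output"]):
            entry["verdict"] = "refuse"
        elif entry["exec"]:
            entry["verdict"] = "review"
    return report


if __name__ == "__main__":
    for name, entry in scan_script(SAMPLE_SCRIPT).items():
        print(name, entry["verdict"], entry["exec"])
```

A report of "ok" only means no shell execution was found by these patterns; it does not replace reading the script.
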
The next section on System Trojans provides more support for policies that disallow the installation of unauthorized programs, regardless of their source.

System Trojans -- The Very Recent Past

The Internet and the growth of IRC brought with them the ability for thousands of users to obtain via ftp a copy of the IRC program, and install it on networked systems. Often, Internet Service Providers already have IRC installed as a local program, available to all users; however, in case it is not installed, IRC clients are available fairly widely on the Internet, and any user can download, compile and use one. For instance, your organization may not have IRC as a standard program; this does not mean your users are not using IRC clients on other systems they may telnet to, or that they have not installed IRC on your organization's computers after FTPing the client software from one of the authorized distribution sites. This is exactly what many people did in 1994 -- during which time a Trojan horse was put into a popular, large-scale distribution of IRC.

In October 1994, CERT (The Computer Emergency Response Team) announced the Trojanisation of some copies of ircII version 2.2.9, the source code for the IRC client for UNIX systems. Reports given to CERT indicate that the altered code was available as early as May 1994 [12]. This Trojan horse provides a back door through which intruders could gain unauthorized access to accounts belonging to users of IRC; via those accounts, to other accounts on the system. Anyone compiling and running these Trojans would be putting their UNIX shell account (and the system) in jeopardy.

The Trojan works as follows. When a CTCP (client to client protocol) command of GROK or JUPE (depending on which variant one had) was sent to a Trojanised client, along with a command to execute a simple command (for example "cat '+ +' >.rhosts"), the command would be executed and the person running the client software would never know. In the example given, this would create a “.rhosts” file containing the ever-feared "+ +" into the user's home directory. The presence of this file in a user's account may allow anyone to remotely login to the
account from any machine, without knowing the password, enabling the ctcp-er to pay an unannounced, unnoticed and usually unwelcome, visit at his/her convenience. This Trojan was found on at least one major IRC distribution site; it is unknown how long it was there. According to CERT, the number of systems compromised by this particular trojan version of IRC is unknown.

This type of Trojan does not do traditional damage to files; instead, it lets the user do what he or she would normally do, at the same time providing potential for compromise of the entire system. This leads us to our next definition of Trojan: A program which the user thinks or believes will do one thing, and which does that thing, but which also does something additional which the user would not approve of. For users who think in terms of “trojanized programs” which when run “damage data”, the concept of a Trojanized program allowing for less than obvious system compromise is an unusual one. Obviously, the advice to obtain programs only from legitimate sources would not be sufficient to avoid trojanization in this particular case that we have examined; however, an examination of the source code would have revealed the problem. Additionally, a corporate policy that disallowed IRC for non job-related functions
