nather@ut-sally.UUCP (Ed Nather) (04/10/86)
I have posted a program to net.sources which searches MS-DOS executable
files for ASCII strings and sends them to stdout. It is modeled after the
Unix utility "strings" to operate in the more chaotic MS-DOS environment.
While it is not a general "Trojan Horse" detector it can find typical kinds
of "gloats" left by the terrorist. It readily found the infamous Microsoft
"...bitter fruit -- Trashing Disk" message in MS Word, for example.
If the terrorist does not include a gloating message, of course, this program
won't help -- but what good is wanton destruction if you can't gloat about it?
--
Ed Nather
Astronomy Dept, U of Texas @ Austin
{allegra,ihnp4}!{noao,ut-sally}!utastro!nather
nather@astro.AS.UTEXAS.EDU
peter@gumby.UUCP (Peter Wu) (04/11/86)
It won't be long before people start to write trojan horse programs with encrypted ASCII strings, so looking for ASCII strings in .exe files won't do any good.
peter
woolsey@umn-cs.UUCP (Jeff Woolsey) (04/17/86)
Trojan horse programs with (nominally-)encrypted strings are not new. Our
site got bit by one last April. Someone had stuck code in /etc/update
to write HAPPY APRIL FOOL'S DAY in /etc/motd every 10 minutes. We couldn't
find that string in any of the running processes. If the message did not
also include a line of asterisks I never would have found it. There was
a line of some other character of the same length in /etc/update.
--
"Clorox bottles! Millions of MY Clorox bottles! This is where they hid 'em--
Zeigler and Kissinger. I'll get 'em on the way back!"
Jeff Woolsey
...ihnp4{!stolaf}!umn-cs!woolsey
woolsey@umn-cs.csnet
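
An added example, not code from any poster or from the program posted to net.sources: a strings-style scan combined with the repeated-character clue from the last post. It assumes the "nominal" encryption is a single-byte XOR, which the thread does not state; the function names, sample bytes and the 0x5A key are constructed for illustration.

```python
import re

def ascii_strings(data, min_len=4):
    """Return (offset, text) for each printable-ASCII run, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]

def repeated_runs(data, min_len=10):
    """Return (offset, byte, length) for each run of one repeated non-zero byte."""
    pattern = re.compile(rb"([^\x00])\1{%d,}" % (min_len - 1))
    return [(m.start(), m.group()[0], len(m.group())) for m in pattern.finditer(data)]

def decode_around_runs(data, assumed=ord("*"), window=64, min_len=6):
    """Treat each run as an encoded row of `assumed`, derive the one-byte XOR
    key that would produce it, and list strings in the decoded neighbourhood.
    Wrong guesses yield gibberish strings; the analyst judges the output."""
    results = []
    for offset, byte, length in repeated_runs(data):
        key = byte ^ assumed
        if key == 0:  # the run already is the assumed character: nothing hidden
            continue
        start = max(0, offset - window)
        chunk = bytes(b ^ key for b in data[start:offset + length + window])
        found = [text for _, text in ascii_strings(chunk, min_len)]
        results.append((offset, key, found))
    return results

# Constructed sample: header bytes, one plain string, then a banner XORed
# with 0x5A (assumed scheme, so the row of asterisks becomes a row of 'p').
BANNER = b"HAPPY APRIL FOOL'S DAY\n" + b"*" * 22 + b"\n"
SAMPLE = (b"MZ\x90\x00\x03\x00" + b"update v1.0\x00" + b"\xcd\x21\x90"
          + bytes(b ^ 0x5A for b in BANNER) + b"\x00\xc3")

if __name__ == "__main__":
    print("plain:", ascii_strings(SAMPLE))
    for offset, key, found in decode_around_runs(SAMPLE):
        print(f"run at {offset}: key 0x{key:02x} -> {found}")
```

The plain scan shows only the visible string and a suspicious row of one repeated character; the second pass uses that row to guess the key and recover the message.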