Trojans and password managers

[David H. Lipman]

From: "Gary S. Terhune" <none>

| Well, to further the discussion, is it not also true that trojans and
| viruses have different goals? One to steal data and the other to wreck the
| systems it infects? And whereas a virus can install a trojan, the obverse is
| not true? Or are those lines also blurred?
|

Goals ?

No. All malware have similar goals and do it with various payloads.
Both viruses and Trojans can steal data. Both Trojans and viruses can wreak a computer.

A Trojan is malware that can have the same intent as a virus but not self replicate. The
replication can be via appending, prepending or inserting itself into executables or the
hard disk data structure. It could also be performed by utilizing networking protocols such
as; NNTP, SMTP, SMB, NetBIOS over IP, FTP, TFTP, etc... A Trojan needs assistance to
spread like deliberate email distribution, exploitation, social engineering or peer malware.

A virus can install a Trojan. A Trojan can install a virus. Many forms of malware have
symbiotic relationships. Look at McAfee's Stinger utility. It main target are Internet
worms. Viruses that spread via network protocols. There are also a few Trojans in the
target list. They are there because the Trojans work in a symbiotic relationship and/or
associated with the I-worms.

As for the goals of malware one must relate the malware to the time period of when they were
released. A virus propagated in 1994 will have different goals and objectives then a virus
propagated in 2004. As a function of time the goals shift. Today the goal is often related
to monetary gains over a decade ago where the goal was destruction. Malware Today WANTS a
running computer, not a broken computer.

 

[David H. Lipman]

From: "Brian A." <gonefish'n@afarawaylake>

| Is it not true that certain Trojans can be a virus?
|
| In 2002 the Trojan.Fatkill, a DOS program that overwrote the FAT on the HD.
| Is it not a virus since it doesn't meet two "protocols"? It has a payload yet does not
| replicate.

If Trojan.fatkill had the ability to spread vuia a network protocol it woould have been a
virus. Since it did not self replicate and spread, it is a mere Trojan.

|
| Is it not true that a Trojan can be used to open a backdoor and then deliver the payload?
| Not execute it, but simply drop it off inside the threshold like a newspaper waiting to be
| read.

Yep. Once a backdoor Trojan is installed it has opend the door to both Trojans and viruses.


|
| Is the Trojan.Exponny from 2006 not considered a virus since it doesn't meet two
| "protocols"? It replicated itself using the name host.exe in %system%\drivers, wrote an
| entry in the registry so it would run at every boot, replaced a file so that all the files
| in on the local fixed drives were exposed and a few other tasks before the final task,
| emailing all files found in a directory.
|

Not a Trojan. Spawning files on the smae PC is is not replicating. If the Exponny loaded
in memory and appened/prepended/inserted itself in other executables then it would be a
virus. However, the Exponny doesn't have this capability. If the Exponny emailed itself to
email addresses that it harvested then it would be a virus but again, the Exponny doesn't
have this capability.

 

[Gary S. Terhune]

Thanks for the exposition. Really, <s>.