My mailer insists that Nathaniel Borenstein wrote:
Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Rich Salz@osf.org (255)
There are many ways to spread it besides a virus. Zillions of 'em. And
There are zillions (what, more than one thousand?) ways to get someone to run a random piece of software that will capture their keystrokes?
Yes, zillions, although I'm not using that as a technical term.
I don't believe you. Name six.
Sure thing, always glad to clarify my claims.
1. (my current favorite) post it to MSN. There, Microsoft has made getting infected with a Trojan Horse as easy as clicking on an icon embedded in a mail or news message. (You want to try convincing the average consumer that it isn't safe, if Microsoft makes it that easy?)
2. Get the sources to a public domain image viewer. Change them slightly. Claim that you've improved it by 13.7%. Post your improved (and infected) image viewer to the net.
3. Ditto for an audio viewer, a mail reader, a news reader,.... (zillions right there alone)
I count numbers 1, 2 and 3 as one way (Trojan Horse).
4. Imitate the IBM Christmas exec. Break into someone's site and steal their mail aliases file. Now send mail to everyone on their alias list, pretending to be them, offering them a cute animation program they can install. The animation will happen, but it will also send mail to all THEIR aliases (like the Christmas exec) and (unlike that) install our malicious snooping software.
If you can break in that far, I can think of much more imaginative things to do with the access.
5. Write a genuinely useful program (or a game) of your own, but embed your attack in it.
Again, 4 and 5 are the same as 1,2 and 3. (I thought I smelled horse biscuits.)
(Caution: Being the real author will increase your traceability.)
Insultingly obvious.
6. Write a pornographic screen saver. Not only will zillions of people download it, but they will EXPECT the code to watch keystrokes.
YATH (Yet Another Trojan Horse)
7. [*maybe*] Spread it by Java applet. This is a maybe because the level of Java security seems to be browser-discretionary. Even a relatively conservative let-the-user-choose approach like Netscape's, however, can be defeated with a little social engineering, as in "this is a really cool Java applet to do XYZ, but you'll have to set Netscape's Java security level to minimum to run it....."
Yes. Trojan Horse. Whinny. Neigh.
8. Internet-based breakin/installations, e.g. to NT or anything else that runs incoming services.
Ahh, finally something other than a Trojan Horse attack, but it only affects sites with poor security. In that case, this attack is the least of their problems.
9. Traditional virus techniques.
Oh, you only asked for 6, sorry..... Feel free to ignore a few.
Wow, a whole three different attacks and most of them much more useful for things other than gathering credit card numbers. It's sad to think that a lot of people may actually believe this crap. Let's just hope that enough technical users provide rebuttals in the other fora where this stuff appears. --- Paul M. Cardon -- I speak for myself. 'nuff said. MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e