The Trojan Defense

March 5, 2009 | Legal

What is the Trojan Defense?

You may or may not have heard of the “Trojan Defense.” It usually goes like this: someone is charged with possessing child pornography, hacking NASA, sharing copyrighted material, or any number of other computer offences, and claims that their computer was under “remote control” by persons unknown via a trojan horse or backdoor.

Has this defense been used successfully?

Yes. In the UK a defendant argued that the prosecution could not prove there was no trojan horse on his computer, and the jury acquitted him on the strength of that claim alone. This is old news now, but it is still very relevant. Am I suggesting you infect your computer on purpose? No. I’m not suggesting anything at all. Other defendants in the UK have also been acquitted using the Trojan Defense.

Hundreds, probably thousands, of new malware samples are released into the wild every month. Much of it is now some form of backdoor that connects the infected PC to an IRC channel on a remote server and waits for commands. These backdoors are usually modular, so they can be upgraded with new routines such as logging keystrokes on the local machine or capturing form data from web pages (credit card numbers, bank logins, etc.) and sending it back to the system’s new owner.

What is possible?

Backdoors are limited only by the programmer’s skill and imagination. Maybe the trojan on your PC was used as the vehicle to deface numerous government websites, and after the attack it was removed from your system with a single command. It would most likely have acted as a proxy or relay node, directing traffic to and from the attacker’s machine and masking the attacker’s identity from the victim of the defacement. If the infected machine was a personal home computer, there would probably be no relevant data in the firewall or router logs either. A backdoor that deletes itself does still tend to leave traces (an autostart registry entry, a prefetch file, fragments of the executable in unallocated space), but finding and interpreting them takes a far deeper examination.

Most forensic examiners do not have the specialized knowledge to reverse engineer malware. Malware analysis is a specialty in its own right, and that gap could most definitely be used to someone’s advantage, if that someone wanted to raise the Trojan Defense.

Ideas, ideas…

A simple program could be written to trigger a false positive from anti-virus heuristic analysis. It would probably need the following features:

  1. Self replication
  2. Attempts to send ICMP/ping packets out to remote addresses
  3. Attempts to hide itself from Task Manager and other process listings

What would really trip a heuristic scan is to find the source code of a known virus written in the same language as your simple application, compile it into your program, and never call any of its routines. Then have your program attempt some sort of network connection to a random IP address every few minutes and you’re set. Whether the bundled code actually fires a detection depends on the compiler keeping the unused routines in the binary and on the scanner matching the recompiled code rather than the original sample’s exact bytes; a generic or heuristic detection is more likely than a signature hit.

Most examiners should know how to boot an acquired image of a system in a virtual environment. A bit of live forensics there would show a rogue process attempting to communicate with foreign hosts. You might as well throw in a function that creates a log file in the main installation directory and appends random strings to it every week or so. The examiner will probably assume it is an encrypted log of stolen passwords.

This rogue process will have all the characteristics of malware and will even trigger a positive when scanned with anti-virus. Is it actually malware? No. Does the examiner know this? Most likely not, and they probably won’t examine the “malware” any further either.
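Here is the kind of further examination the paragraph above says rarely happens, as an added example (not code from the original post): a Python triage script run over the outbound connection attempts recorded while the acquired image runs in a VM. It separates a decoy that beacons to random addresses and never hears back from a bot that keeps returning to one host that answers. The log format, the process names decoy.exe and bot.exe, and the addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not from any real case). One outbound connection
# attempt per line, as a host firewall or VM-side capture might record it:
#   <timestamp> <process> <dst_ip>:<dst_port> <bytes_out> <bytes_in>
# Addresses are RFC 5737 documentation ranges; process names are made up.
SAMPLE_LOG = """\
2009-03-05T10:00:00 decoy.exe 203.0.113.17:6667 64 0
2009-03-05T10:05:00 decoy.exe 198.51.100.201:6667 64 0
2009-03-05T10:10:00 decoy.exe 192.0.2.99:6667 64 0
2009-03-05T10:15:00 decoy.exe 203.0.113.250:6667 64 0
2009-03-05T10:20:00 decoy.exe 198.51.100.8:6667 64 0
2009-03-05T10:00:12 bot.exe 192.0.2.44:6667 180 420
2009-03-05T10:03:40 bot.exe 192.0.2.44:6667 92 1200
2009-03-05T10:09:05 bot.exe 192.0.2.44:6667 88 0
2009-03-05T10:14:51 bot.exe 192.0.2.44:6667 96 3310
2009-03-05T10:21:07 bot.exe 203.0.113.5:80 2048 0
"""


def parse_log(text):
    """Parse the format above into a list of dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, proc, dst, out_b, in_b = parts
        host, _, port = dst.rpartition(":")
        try:
            records.append({
                "ts": datetime.fromisoformat(ts),
                "proc": proc,
                "dst": (ipaddress.ip_address(host), int(port)),
                "out": int(out_b),
                "in": int(in_b),
            })
        except ValueError:
            continue  # bad timestamp, address or counter: ignore the line
    return records


def profile(records):
    """Per-process traffic features that bear on the decoy-vs-C2 question."""
    by_proc = defaultdict(list)
    for r in records:
        by_proc[r["proc"]].append(r)
    out = {}
    for proc, recs in by_proc.items():
        recs.sort(key=lambda r: r["ts"])
        attempts = len(recs)
        distinct = len({r["dst"] for r in recs})
        answered = sum(1 for r in recs if r["in"] > 0)
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        out[proc] = {
            "attempts": attempts,
            "distinct_dsts": distinct,
            # 0.0: every attempt went to a new host; near 1.0: one host only
            "dst_reuse": round(1 - distinct / attempts, 2),
            # share of attempts where anything at all came back
            "reply_fraction": round(answered / attempts, 2),
            # coefficient of variation of the beacon interval; 0.0 is a fixed timer
            "gap_cv": round(pstdev(gaps) / mean(gaps), 2)
            if len(gaps) > 1 and mean(gaps) > 0 else None,
        }
    return out


def verdict(p):
    """Heuristic label. A decoy that beacons to random addresses never reuses a
    destination and never receives data; a real bot rendezvouses with a stable
    host that answers. Treat as a triage hint, not proof: a genuine bot whose
    C2 is already offline also shows no replies."""
    if p["reply_fraction"] == 0 and p["dst_reuse"] == 0:
        return "decoy-like: no destination reused, nothing ever received"
    if p["dst_reuse"] >= 0.5 and p["reply_fraction"] >= 0.5:
        return "C2-like: stable rendezvous host that sends data back"
    return "inconclusive: examine the binary's network code paths"


def triage(text):
    """Map each process name to (features, verdict)."""
    return {proc: (feats, verdict(feats)) for proc, feats in profile(parse_log(text)).items()}


if __name__ == "__main__":
    for proc, (feats, label) in triage(SAMPLE_LOG).items():
        print(f"{proc}: {feats}\n  -> {label}")
```

The point is the direction it gives: a process with zero destination reuse and zero bytes received is either a decoy or a bot whose C2 is dead, and the next step is to check whether the binary contains code that would do anything with a reply (a command parser, a keylogger, a proxy loop). A log file whose only notable property is high entropy deserves the same skepticism; random bytes and ciphertext look identical until you find the key handling in the code.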

Someone, somewhere would probably be acquitted using this method, depending on the circumstances of their case and what other evidence is presented against them. People are being acquitted when there are no signs of any backdoor on their system at all; add this jewel to the mix and they’d be golden.

This is most definitely an anti-forensics technique. It attacks the forensic examiner’s lack of knowledge in malware analysis as well as the jury’s ignorance, planting the possibility in the jury’s mind that maybe, just maybe, the defendant is innocent.