Sophos


It wasn’t me, it was a Trojan.

Back in 2007, Sophos published a news story highlighting the abuse of forums and user comments to distribute links to child abuse content [1]. Recently, we became aware that some of the news articles that followed on from that story were being referenced by individuals facing charges related to the possession of offensive content. Definitely a topic worthy of a blog post in which I can highlight some of the complexities involved in making a sound judgement for any particular case.

Legal trials relating to the possession of offensive or illegal images have historically been punctuated with the argument of “It wasn’t me, it was a Trojan horse”. Why? Because historically it has proven to be something of a successful line of defence. Ironically, there are also cases where it could not be used as a defence, despite a Trojan allegedly being responsible for the offensive content [2].

You may ask how the presence of a Trojan on a machine can possibly be related to content stored on its hard drive. It is a reasonable question, and one that those who have not seen a backdoor Trojan before may ask. The concept is simple - a machine running some form of backdoor Trojan can be remotely controlled by the attacker. The extent to which it can be controlled, and for what purpose, is entirely dependent on the specific functionality of the Trojan in question.

The huge growth in the malicious use of the Web changes the game further. No longer is it just Trojans running on a machine that could potentially expose the user to offensive content. Unwanted pop-ups [3], poisoned advertising streams [4] or compromised site content [5] are just some of the things that can result in users getting exposed to unwanted content, even if they follow good practice and only browse known, trusted, legitimate sites.

Proving beyond reasonable doubt whether or not content found on a machine was the work of malware or the person sitting behind the screen is complex. It requires a sound understanding of computing technologies and practices, and painstaking IT forensic work.

Let’s consider the specific example of our article concerning the abuse of message boards [1] being used to explain offensive content being found on a machine. By peppering message boards or comment fields with links to offensive content, there is certainly more chance of a user clicking on a link and browsing one of the offensive sites. This in itself would result in offensive content being saved to disk (in the browser cache). But you expect this to be something of a one-off event for an innocent victim - they click on a link, are disgusted by the offensive content and terminate their browser. This is where IT forensics is so important - differentiating between content cached from multiple browser sessions over time versus someone who may have inadvertently clicked on a rogue link.
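The distinction drawn above, between one inadvertent click and repeated visits over time, is something an analyst can start to quantify from browser cache timestamps. The following is an added illustration, not code from the original post: it groups cache hits for a host into browsing sessions using an assumed 30-minute idle gap, over constructed sample records (not real forensic data).

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample browser-cache records (URL, last access time); not real data.
# One host was hit once and abandoned within seconds; the other was revisited
# across several days.
SAMPLE_CACHE = [
    ("http://rogue.example/page1.html", "2009-03-02 21:14:03"),
    ("http://rogue.example/img/a.jpg",  "2009-03-02 21:14:04"),
    ("http://rogue.example/img/b.jpg",  "2009-03-02 21:14:05"),
    ("http://habit.example/index.html", "2009-03-01 22:10:00"),
    ("http://habit.example/img/1.jpg",  "2009-03-01 22:12:30"),
    ("http://habit.example/index.html", "2009-03-03 23:05:10"),
    ("http://habit.example/img/2.jpg",  "2009-03-03 23:25:00"),
    ("http://habit.example/index.html", "2009-03-06 20:01:00"),
]

def parse_records(rows):
    """Turn (url, timestamp-string) rows into (host, datetime) tuples sorted by time."""
    out = [(urlparse(url).hostname, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
           for url, ts in rows]
    return sorted(out, key=lambda r: r[1])

def sessions_for_host(records, host, gap=timedelta(minutes=30)):
    """Group cache hits for one host into browsing sessions.
    A new session starts when the idle time since the previous hit exceeds
    `gap` (the 30-minute default is an assumed threshold, not a standard)."""
    sessions = []
    for h, t in records:
        if h != host:
            continue
        if sessions and t - sessions[-1]["end"] <= gap:
            sessions[-1]["end"] = t          # continues the current session
            sessions[-1]["hits"] += 1
        else:
            sessions.append({"start": t, "end": t, "hits": 1})
    return sessions

def summarise(records, host):
    """Figures an analyst would compare: separate sessions, total hits,
    and the number of distinct days on which the host was visited."""
    s = sessions_for_host(records, host)
    days = {sess["start"].date() for sess in s}
    return {"sessions": len(s), "hits": sum(x["hits"] for x in s), "days": len(days)}

if __name__ == "__main__":
    recs = parse_records(SAMPLE_CACHE)
    for host in ("rogue.example", "habit.example"):
        print(host, summarise(recs, host))
```

A single short session is consistent with the one-off click described above, whereas several sessions spread over days is not; either way the timestamps are one input among many, since cache entries say nothing by themselves about whether a person or a process requested the content.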

Some of the cases that have gone to court and subsequently been made public highlight some of the failings of the legal systems. On one hand, individuals guilty of possessing offensive content have used the “Trojan” argument to successfully clear their name. On the other, innocent parties whose machines have been compromised in some way have been found guilty, despite evidence of relevant malware being present on their machines.

