Saturday, June 17, 2006

Trojan horse defense

A Trojan horse program is a type of malware, or malicious software. Like other malware, it installs itself surreptitiously on a computer; unlike other types of malware, a Trojan horse lets the person who disseminated it remotely control the computer(s) on which it installed itself. The person who controls the Trojan will have complete access to the data on the compromised computer and can copy it, delete it or put new data on the computer.

The last feature is what I want to talk about today. It's given rise to what is called the "Trojan horse defense." A friend and I wrote a law review article analyzing how prosecutors can rebut the defense. (Susan Brenner, Brian Carrier & Jef Henninger, The Trojan Horse Defense in Cybercrime Cases, 21 Santa Clara Computer and High Technology Law Journal 1 (2004)). The article focuses both on legal arguments and technical issues a prosecutor facing the defense can use to rebut it. It goes into a great deal of detail -- today, I want to talk generally about the Trojan horse defense (THD) and some of the issues it raises.

The THD became notorious in 2003, when Aaron Caffrey used it in the United Kingdom. Caffrey was charged, basically, with hacking into the Port of Houston computers and causing them to shut down. His defense attorney conceded the attack came from Caffrey's laptop computer, but claimed Caffrey was not responsible for the attack, that he had, in effect, been "framed" by other hackers who installed Trojan horse programs on his laptop and used them to attack the Port of Houston computers. In an effort to rebut this defense, the prosecution pointed out that no trace of Trojan horse programs had been found on the laptop; the defense countered by explaining that the Trojan horse programs had been "self-erasing" Trojans, so no trace would remain. The jury clearly bought the defense's argument, as it acquitted Caffrey.

This was not the first instance in which the THD had been used in the UK, but the Caffrey case received far more publicity than the earlier instance(s) in which the defense was raised. News stories pointed out that Caffrey's defense raised serious challenges for prosecutors. As one observer noted, the "case suggests that even if no evidence of a computer break-in is unearthed on a suspect's PC, they might still be able to successfully claim that they were not responsible for whatever their computer does, or what is found on its hard drive." And others pointed out that someone could establish the factual basis for such a defense by having Trojan horse programs on their computer.

As we note in the article, the THD is a new version of a very old defense: the SODDI defense (as it is known in the U.S.). SODDI stands for "some other dude did it." When a defendant raises a SODDI defense, he (or she) concedes that a crime was committed but blames someone else for its commission. The SODDI defense is usually not very successful in real-world prosecutions (the O.J. Simpson case is a major exception). When a defendant raises a SODDI defense in a prosecution for a traditional, real-world crime -- like, say, murder or rape -- he claims the crime was committed by an unknown someone else. Jurors tend to be skeptical of claims like this, especially if, as is usually the case, the prosecution is able to link the defendant to the crime by showing motive, opportunity and/or incriminating evidence that is in his possession or can be traced to him (DNA, fingerprints, etc.). Jurors are skeptical of claims like this because they understand how the real world works.

The SODDI defense has been much more successful in cybercrime cases because they involve a context which most jurors don't really understand, or understand enough to buy defense claims like Caffrey's contention about being framed by self-erasing Trojan horse programs.

(I'm not a technically trained person, so I cannot opine on the likelihood of self-erasing Trojans. I know people who are technically trained who do not believe they exist. If they do not exist now, I assume they will at some point, so I don't see this as a particularly important issue, at least not for the prosecution.)

In cybercrime cases, the SODDI defense turns the tables on the prosecution: In a criminal case, the prosecution has the burden of proving all the elements of the crime beyond a reasonable doubt and the defense has the burden of proving an affirmative defense by a preponderance of the evidence.
  • The preponderance standard is much lower than the standard the prosecution must meet, but it ensures that the defense cannot present some purely frivolous theory to the jury.
  • Affirmative defenses concede that a crime has been committed but assert there is some reason why the defendant should not be held liable for it, such as that the defendant is insane or that he acted in self-defense.
To get a THD before the jury, the defense must therefore present credible evidence that would let a "reasonable juror" find that the defense had proven that the crime was virtually committed by Some Other Dude, using a Trojan horse. In the Caffrey case, this evidence came in the form of Aaron Caffrey's testimony to the jury; Caffrey, who admitted he was a hacker, acted as his own expert witness, which was particularly important given that no Trojan horse programs were found on his computer.

If a Trojan horse program is found on a defendant's computer, that would provide the factual basis for getting the defense to the jury . . . that along with testimony which establishes what a Trojan horse program is and what it does. Once the defense does this, the ball is now in the prosecution's court: The prosecution must rebut the defense, which means it must prove beyond a reasonable doubt that it was the defendant -- not Some Other Dude Using a Trojan Horse -- who committed the crime(s) charged. This is where the difficulty arises.

The prosecution now is obligated to prove a negative: that it was not Some Other Dude Using a Trojan Horse program who hacked the Port of Houston, collected child pornography or committed some other cybercrime. Proving a negative can be difficult, especially in this context.

As opposed to instances in which a defendant raises a SODDI defense in a real-world criminal case, the prosecution cannot rely on the jury's ability to use their common sense to assess the merits of and then reject the defense as implausible because the defense is grounded in what is still, for many, a distinctly "uncommon" context: the virtual environment of computers, hard drives and cyberspace. Some jurors may know nothing about technology, which really gives them no conceptual framework to use in judging the merits of a THD. This, I think, makes them something of a wild card; their decision to go with the prosecution or the defense may be made arbitrarily, a juror's equivalent of flipping a coin.

Other jurors may know a little about technology, enough to know what viruses are and to have a general idea of what they can do. As far as the prosecution is concerned, a little knowledge may be a dangerous thing: These jurors may understand enough about technology to be willing to believe that Trojan horses (and other types of malware) can do things they may not be able to do at all, or may not have been able to do given the facts in the case before them.

(I'm not sure where I come out on jurors who know a lot about technology. They might be able to analyze and reject the factual foundation of a shaky/untenable THD or they might over-analyze the evidence presented and so buy into the defense. I guess one reason I am not sure where I come out on these jurors is that I think they are likely to be very scarce in the jury pool.)

Assuming, as I think is reasonable, that the jury is made up of people with little or no knowledge of technology, how does the prosecution rebut the defense's presentation of a THD? It seems that the prosecution will have to dissect the technical basis of the defense to do so; the Caffrey prosecution showed that no Trojan horses were on Caffrey's laptop, and asked the jury to infer from this that it was Caffrey, not a Trojan horse program being used by someone else, who shut down the computers at the Port of Houston.

But if Trojan horses are found on the suspect's computer, the prosecution will have to get into the specifics of technology -- its capabilities and limitations -- to rebut the THD. This, I think, creates real difficulties for prosecutors, because it requires that they be able to explain abstruse, technical concepts and processes to a lay jury in a way laypeople can understand and can use that understanding to conduct a critical assessment of the THD presented to them. That can be a very difficult process; it will require, I think, not only expert witnesses, but the skillful use of graphics -- animations, diagrams, maybe physical exhibits -- that can really let jurors grasp what would have had to occur for the THD to be valid and why that did not occur (establishing, by inference, that the THD defense is invalid). Doing all that can be a huge undertaking for the average prosecutor/prosecutor's office, as it requires time, expertise and the money to pay for the creation of the necessary demonstrative evidence (animations, diagrams, etc.).

For now, I suspect the defense enjoys the advantage with regard to the THD, which is why I am surprised that we have not seen it used more in this country (it still seems to be used, often successfully, in the United Kingdom).

The only American case I know of in which it has been used successfully is an Alabama state tax fraud/tax evasion prosecution against Eugene Pitts, a Hoover, Alabama accountant. Pitts was accused of underreporting income on his tax returns for 1997, 1998 and 1999. He admitted there were errors on his returns for those years, but blamed the errors on a computer virus. Although prosecutors pointed out that the alleged virus did not affect the client tax returns Pitts prepared on the same computer, the jury acquitted him of all charges after deliberating for 3 hours . . . another "Caffrey verdict."

I assume the infrequency with which a THD is used in this country has something to do with the defense bar's familiarity, or unfamiliarity, with technology. Other than that, I cannot imagine why it does not show up more often, especially given the frequency with which the real-world variant of the SODDI defense is used.

Everything I have said in this post has been directed at the prosecution's burden and ability to rebut a THD defense. Everything I have said so far implicitly assumes that the invocation of the defense is frivolous as it was, IMHO, in the Caffrey and Pitts cases. And I think that is likely to be true in many (most?) of the cases in which a THD is used.

It will not, however, be true in every case. As people knowledgeable about computer technology will tell you, a Trojan horse program could easily be used to frame someone for a crime. While it seems exceedingly unlikely ("incredible") that a Trojan horse program could put 15,000 images of child pornography sorted into folders and sub-folders on someone's hard drive without their knowing it, a Trojan horse could be used to frame someone for fraud, embezzlement or other crimes, even murder.

Think about it: Do you know everything that is on your hard drive . . . every file folder, every file? I can't imagine that you do, given the amount of data most of us acquire. And how many of us ever check to see what, exactly, is on our hard drive? Maybe other people do; I don't (I hope I am not inviting someone to frame me by admitting that . . . ).

The possibility makes me think of the old TV series, The Fugitive. In the TV series (and in the movie), Dr. Richard Kimble is adventitiously framed by the one-armed man who kills Kimble's wife. Kimble's SODDI defense (asserting that the mysterious one-armed man, whom only he saw, killed his wife) fails, and he is convicted of the crime. The same thing could be done, more calculatedly and with far less risk to the framer, by using a Trojan horse program.

Imagine a twenty-first century version of The Fugitive: Kimble's wife becomes ill so he takes her to the hospital, where she dies; the autopsy shows she died of ricin poisoning. As in the series, Kimble and his wife had been fighting; the evidence of marital discord encourages the police to take him seriously as a suspect in her death. Police obtain a search warrant, seize the computer in their home and search it. On its hard drive, they find evidence (downloaded data, evidence of Internet searches) that Kimble researched the toxicity of ricin poisoning and the processes used to extract ricin from castor beans. (They might also find ricin in the house somewhere, maybe in a place Kimble uses.) This would be enough to charge him with his wife's death (absent other contravening facts) and probably enough to convict him (absent a compelling defense).

In this scenario, Kimble could try asserting a THD to disclaim responsibility for the research into ricin poisoning, but the THD would not be as effective here as it could be in a "pure" cybercrime case. Here, a Trojan horse program is being used, in part, to frame someone for a real-world crime, murder. The potential for persuading the jury (correctly, in this instance) that someone used a Trojan horse program to put the ricin data on the computer as part of a larger plot to frame Kimble for his wife's death would be undermined by that fact because the jurors would be likely to concentrate on the real-world aspects of the crime (death, fighting, ricin, opportunity, etc.) and use their common sense (no one said it's infallible) to conclude that he did it.

I could go on, but I hope I've made my point. The Trojan horse defense is a two-edged sword: It can be used by guilty parties seeking to avoid being held liable for what they have done; but it can also be used to frame the innocent.


Anonymous said...

This essay is up your alley... "Are the Current Computer Crime Laws Sufficient or Should the Writing of Virus Code Be Prohibited?"

Anonymous said...

Since the Pennsylvania law prohibits virus distribution, I have 2 questions:

#1 Can the govt take down virus distribution websites in PA (even if they clearly label their downloads as viruses)?

#2 With an out of state offender: get a PA police officer to download the virus code. Then extradite the offender into PA. Why hasn't this been done?

fimafimovich said...

Here is an article 'browser hijackers ruining lives' written after an interview with me

Browser hijackers are doing more than just changing homepages. They are also changing some people's lives for the worse.

Browser hijackers are malicious programs that change browser settings, usually altering designated default start and search pages. But some, such as CWS, also produce pop-up ads for pornography, add dozens of bookmarks -- some for extremely hard-core pornography websites -- to Internet Explorer's Favorites folder, and can redirect users to porn websites when they mistype URLs.

Traces of browsed sites can remain on computers, and it's difficult to tell from those traces whether a user willingly or mistakenly viewed a website. When those traces connect to borderline-criminal websites, people may have a hard time believing that their employee or significant other hasn't been spending an awful lot of time cruising adult sites.