Historical Genesis and Evolution of
Cyber Crimes
ARUN VERMA
ARUN VERMA (C)
• "Offences that are committed against individuals or groups of individuals
with a criminal motive to intentionally harm the reputation of the victim or
cause physical or mental harm to the victim directly or indirectly, using
modern telecommunication networks such as Internet (Chat rooms, emails,
notice boards and groups) and mobile phones (SMS/MMS)". Such crimes
may threaten a nation’s security and financial health.
…. Dr. Debarati Halder and Dr. K. Jaishankar
• "Cyber" is a prefix used to describe a person, thing, or idea as part of the
computer and information age. Taken from kybernetes, Greek word for
"steersman" or "governor," it was first used in cybernetics, a word coined
by Norbert Wiener and his colleagues. The virtual world of internet is
known as cyberspace and the laws governing this area are known
as Cyber laws and all the netizens of this space come under the
ambit of these laws as it carries a kind of universal jurisdiction.
Cyber law can also be described as that branch of law that deals with legal
issues related to use of inter-networked information technology. In short,
cyber law is the law governing computers and the internet.
• Computer crime, or Cybercrime, refers to any crime that involves a computer
and a network. The computer may have been used in the commission of a
crime, or it may be the target.
• Net crime is criminal exploitation of the Internet.
• The first recorded cyber crime took place in the year 1820.
In 1820, Joseph-Marie Jacquard, a textile manufacturer in
France, produced the loom. This device allowed the
repetition of a series of steps in the weaving of special
fabrics. This resulted in a fear amongst Jacquard's
employees that their traditional employment and
livelihood were being threatened. They committed acts of
sabotage to discourage Jacquard from further use of the
new technology. This is the first recorded cyber crime!
• That is not surprising considering the fact that the abacus,
which is thought to be the earliest form of a computer, has
been around since 3500 B.C. in India, Japan and China.
• The era of modern computers, however, began with the
analytical engine of Charles Babbage.
• Today computers have come a long way, with neural
networks and nano-computing promising to turn every
atom in a glass of water into a computer capable of
performing a billion operations per second.
• Cybercrime first started with hackers trying to break
into computer networks.
• Some did it just for the thrill of accessing high-
level security networks, but others sought to
gain sensitive, classified material.
• Eventually, criminals started to infect computer systems
with computer viruses, which led to breakdowns on
personal and business computers.
• Computer viruses are forms of code or malware
programs that can copy themselves and damage or
destroy data and systems. When computer viruses are
used on a large scale, like with bank, government or
hospital networks, these actions may be categorized
as cyberterrorism.
• Computer hackers also engage in phishing scams, like
asking for bank account numbers, and credit card theft.
• Hacking is a term used to describe the activity of modifying a
product or procedure to alter its normal function, or to fix a
problem. The term purportedly originated in the 1960s,
when it was used to describe the activities of certain
MIT model train enthusiasts who modified the
operation of their model trains. They discovered ways
to change certain functions without re-engineering the
entire device.
• These curious individuals went on to work with early computer
systems where they applied their curiosity and resourcefulness
to learning and changing the computer code that was used in
early programs.
• Some of their hacks became so successful they outlived
the original product, such as the UNIX operating
system, developed as a hack by Dennis Ritchie and
Keith Thompson of Bell Labs.
• To the general public a “hack” became known as a clever way to
fix a problem with a product, or an easy way to improve its
function.
• The malicious association with hacking became evident in the 1970s when early
computerized phone systems became a target. Technologically savvy individuals, called
“phreakers,” discovered the correct codes and tones that would result in free long distance
service. They impersonated operators, dug through Bell Telephone company
garbage to find secret information, and performed countless experiments on
early telephone hardware in order to learn how to exploit the system. They were
hackers in every sense of the word, using their resourcefulness to modify
hardware and software to steal long distance telephone time.
• This innovative type of crime was a difficult issue for law enforcement, due in
part to lack of legislation to aid in criminal prosecution, and a shortage of
investigators skilled in the technology that was being hacked. It was clear that
computer systems were open to criminal activity, and as more complex communications
became available to the consumer, more opportunities for cyber crime developed.
• In 1986 the systems administrator at the Lawrence Berkeley National Laboratory, Clifford
Stoll, noted certain irregularities in accounting data. Inventing the first digital forensic
techniques, he determined that an unauthorized user was hacking into his computer
network. Stoll used what is called a “honey pot tactic,” which lures a hacker back into a
network until enough data can be collected to track the intrusion to its source. Stoll’s effort
paid off with the eventual arrest of Markus Hess and a number of others located in
West Germany, who were stealing and selling military information, passwords
and other data to the KGB.
• The Berkeley lab intrusion was soon followed by the discovery of
the Morris worm virus, created by Robert Morris, a Cornell
University student. This worm damaged more than 6,000
computers and resulted in estimated damages of $98 million. More
incidents began to follow in a continuous, steady stream. Congress responded
by passing its first hacking-related legislation, the Federal Computer
Fraud and Abuse Act, in 1986. The act made computer tampering a felony
crime punishable by significant jail time and monetary fines.
• The Steve Jackson Games publishing company was nearly forced
out of business after being accused of possessing an illegally copied
document. The Secret Service believed this document was in
Jackson’s possession, and confiscated the computers used in his
business. When the equipment was not returned in a timely manner, he was
forced to lay off employees, miss deadlines and his business was nearly
ruined. When the computers were returned, Jackson discovered that
company emails had been accessed and customer data was deleted. The Secret
Service never pressed charges for any crime.
• In 1990, during a project dubbed Operation Sundevil, FBI agents confiscated
42 computers and over 20,000 floppy disks that were allegedly being used by
criminals for illegal credit card use and telephone services. This two-year effort
involved 150 agents. Despite the low number of indictments, the operation was seen as a
successful public relations effort by law enforcement officials. Garry M. Jenkins, the
Assistant Director of the U.S. Secret Service, explained at a press conference that this
activity sent a message to criminals that, “they were on the watch everywhere, even in
those sleazy and secretive dens of cybernetic vice, the underground boards.”
• The Electronic Frontier Foundation (EFF) formed in 1990 as a response to threats on civil
liberties that can occur through overzealous activities and mistakes made by law
enforcement personnel who are investigating cyber crime and related matters. It is a
collection of technologists, lawyers and other professionals who act to defend and protect
consumers from unlawful prosecution.
• Crime and cyber crime will continue to be present in our society, regardless of the best
efforts of the criminal justice system. The public and private sector need highly skilled
individuals to combat this threat and help prevent the prosecution of innocent people.
Talented individuals who want to pursue a cybersecurity career in criminal justice must
have proficiency with communication technology, understand regulatory concerns and be
familiar with homeland security law. Cybersecurity is an exciting field for people with a
curious nature and who never tire of learning new things while balancing complex social
and technological concerns.
Elements of Cybercrime
• Cyber crimes—harmful acts committed from or against a computer or network—
differ from most terrestrial crimes in four ways.
• They are easy to learn how to commit;
• they require few resources relative to the potential damage caused;
• they can be committed in a jurisdiction without being physically present in it;
• and they are often not clearly illegal.
• Laws of most countries do not clearly prohibit cyber crimes. Existing terrestrial
laws against physical acts of trespass or breaking and entering often do not cover
their “virtual” counterparts. Web pages such as the e-commerce sites recently hit
by widespread, distributed denial of service attacks may not be covered by
outdated laws as protected forms of property.
• Criminal statutes have been extended into cyberspace to cover ten different types
of cyber crime in four categories:
• data-related crimes, including interception, modification, and theft;
• network-related crimes, including interference and sabotage;
• crimes of access, including hacking and virus distribution;
• and associated computer-related crimes, including aiding and abetting cyber
criminals, computer fraud, and computer forgery.
Evolution of Cybercrime
• In the early decades of modern information technology (IT), computer crimes were largely
committed by individual disgruntled and dishonest employees.
• Physical damage to computer systems was a prominent threat until the 1980s.
• Criminals often used authorized access to subvert security systems as they modified data for
financial gain or destroyed data for revenge.
• Early attacks on telecommunications systems in the 1960s led to subversion of the long-
distance phone systems for amusement and for theft of services.
• As telecommunications technology spread throughout the IT world, hobbyists with criminal
tendencies learned to penetrate systems and networks.
• Programmers in the 1980s began writing malicious software, including self-replicating
programs (viruses), to interfere with personal computers.
• As the Internet increased access to increasing numbers of systems worldwide, criminals
used unauthorized access to poorly protected systems for vandalism, political action and
financial gain.
• As the 1990s progressed, financial crime using penetration and subversion of computer
systems increased.
• The types of malware shifted during the 1990s, taking advantage of new vulnerabilities and
dying out as operating systems were strengthened, only to succumb to new attack vectors.
• Illegitimate applications of e-mail grew rapidly from the mid-1990s onward, generating
torrents of unsolicited commercial and fraudulent e-mail.
1970-1972: Albert - the Saboteur
• One of the most instructive early cases of computer sabotage occurred at the National
Farmers Union Service Corporation of Denver, where a Burroughs B3500 computer suffered
56 disk head crashes in the 2 years from 1970 to 1972. Down time was as long as 24 hours per
crash, with an average of 8 hours per incident. Burroughs experts were flown in from all over
the United States at one time or another, and concluded that the crashes must be due to
power fluctuations. By the time all the equipment had been repaired and new wiring, motor
generators, circuit breakers and power-line monitors had been installed in the computer
room, total expenditures for hardware and construction were over $500,000 (in 1970
dollars). Total expenses related to down time and lost business opportunities because of
delays in providing management with timely information are not included in this figure. In
any case, after all this expense, the crashes continued sporadically as before. By this time, the
experts were beginning to wonder about their analysis. For one thing, all the crashes had
occurred at night. Could it be sabotage? Surely not! Why, old Albert the night-shift operator
had been so helpful over all these years; he had unfailingly called in the crashes at once, gone
out for coffee and donuts for the repair crews, and been meticulous in noting the exact times
and conditions of each crash. On the other hand, all the crashes had in fact occurred on his
shift. Management installed a closed-circuit television (CCTV) camera in the computer
room—without informing Albert. For some days, nothing happened. Then one night, another
crash occurred. On the CCTV monitor, security guards saw good Albert open up a disk
cabinet and poke his car key into the read/write head solenoid, shorting it out and causing
the 57th head crash.
• The next morning, management confronted Albert with the
film of his actions and asked for an explanation. Albert
broke down in mingled shame and relief. He confessed to
an overpowering urge to shut the computer down.
Psychological investigation determined that Albert, who
had been allowed to work night shifts for years without a
change, had simply become lonely. He arrived just as
everyone else was leaving; he left as everyone else was
arriving. Hours and days would go by without the slightest
human interaction. He never took courses, never
participated in committees, never felt involved with others
in his company. When the first head crashes occurred—
spontaneously—he had been surprised and excited by the
arrival of the repair crew. He had felt useful, bustling
about, telling them what had happened. When the crashes
had become less frequent, he had involuntarily, and almost
unconsciously, re-created the friendly atmosphere of a
crisis team. He had destroyed disk drives because he
needed company.
IMPERSONATION
• Using the insignia and specialized language of officials as part of social
engineering has a long history in crime; a dramatization of these techniques
is in the popular movie “Catch Me If You Can” about Frank William Abagnale Jr,
the teenaged scammer and counterfeiter who pretended to be a pilot, a doctor
and a prosecutor before eventually becoming a major contributor to the
United States government’s anti-counterfeiting efforts and then founding a
major security firm. Several criminals involved in computer-mediated or
computer-oriented crime became notorious for using impersonation.
DATA DIDDLING
• One of the most common forms of computer crime since the start of
electronic data processing is data diddling -- illegal or unauthorized data
alteration. These changes can occur before and during data input or
before output. Data diddling cases have included bank records,
payrolls, inventory data, credit records, school transcripts, telephone
switch configurations, and virtually all other applications of data
processing.
1994: Vladimir Levin and the Citibank Heist
• In February 1998, Vladimir Levin was sentenced to three years in prison
by a court in New York City. Levin masterminded a major conspiracy in
1994 in which the gang illegally transferred $12M in assets from Citibank
to a number of international bank accounts. The crime was spotted after
the first $400,000 were stolen in July 1994 and Citibank cooperated with
the FBI and Interpol to track down the criminals. Levin was also ordered
to pay back $240,000, the amount he actually managed to withdraw
before he was arrested. The incident led to Citibank’s hiring of Stephen R.
Katz as the banking industry’s first Chief Information Security Officer
(CISO).
LOGIC BOMBS
• A logic bomb is a program which has deliberately been written or
modified to produce results when certain conditions are met that are
unexpected and unauthorized by legitimate users or owners of the
software. Logic bombs may be within standalone programs or they
may be part of worms (programs that hide their existence and spread
copies of themselves within computer systems and through
networks) or viruses (programs or code segments which hide within
other programs and spread copies of themselves).
• Time bombs are a subclass of logic bombs which “explode” at a
certain time.
• The Michelangelo virus of 1992 was designed to damage hard disk
directories on the 6th of March every year.
• In 1992, computer programmer Michael Lauffenburger was fined
$5,000 for leaving a logic bomb at General Dynamics. His intention
was to return after his program had erased critical data and be paid to
fix the problem.
EXTORTION
• Computer data can be held for ransom. For example, according to Whiteside, in
1971, two reels of magnetic tape belonging to a branch of the Bank of America
were stolen at Los Angeles International Airport. The thieves demanded money
for their return. The owners ignored the threat of destruction because they had
adequate backup copies. Other early cases of extortion involving computers:
• In 1973, a West German computer operator stole 22 tapes and received $200,000
for their return. The victim did not have adequate backups.
• In 1977, a programmer in the Rotterdam offices of Imperial Chemical Industries,
Ltd. (ICI) stole all his employer’s tapes, including backups. Luckily, ICI informed
Interpol of the extortion attempt. As a result of the company’s forthrightness, the
thief and an accomplice were arrested in London by officers from Scotland Yard.
• In the 1990s, one of the most notorious cases of extortion was the 1999 theft of
300,000 records of customer credit cards from the CD Universe Web site by
“Maxus,” a 19-year-old Russian. He sent an extortion note that read, “Pay me
$100,000 and I’ll fix your bugs and forget about your shop forever....or I’ll sell
your cards [customer credit data] and tell about this incident in news.” Refused by
CD Universe owners, he promptly released 25,000 credit card numbers via a Web
site that became so popular with criminals that Maxus had to limit access to one
stolen number per visit.
• Internet time theft
• This connotes the usage by an unauthorized person of the Internet hours paid
for by another person.
• In May 2000, the economic offences wing, IPR section crime branch of Delhi
police registered its first case involving theft of Internet hours. In this case, the
accused, Mukesh Gupta, an engineer with Nicom System (p) Ltd., was sent to
the residence of the complainant to activate his Internet connection. However,
the accused used Col. Bajwa’s login name and password from various places
causing wrongful loss of 100 hours to Col. Bajwa. Delhi police arrested the
accused for theft of Internet time.
• On further inquiry in the case, it was found that Krishan Kumar, son of an
ex-army officer, working as senior executive in M/s Highpoint Tours & Travels,
had used Col. Bajwa’s login and passwords as many as 207 times from his
residence and twice from his office. He confessed that Shashi Nagpal, from
whom he had purchased a computer, gave the login and password to him.
• The police could not believe that time could be stolen. They were not aware of
the concept of time-theft at all. Colonel Bajwa’s report was rejected. He
decided to approach The Times of India, New Delhi. They, in turn, carried a
report about the inadequacy of the New Delhi Police in handling cyber crimes.
• The Commissioner of Police, Delhi then took the case into his own hands and
the police under his directions raided and arrested Krishan Kumar under
sections 379, 411, 34 of IPC and section 25 of the Indian Telegraph Act.
Web jacking
• This occurs when someone forcefully takes control of a website (by
cracking the password and later changing it). The actual owner of the
website does not have any more control over what appears on that
website.
• In a recent incident reported in the USA, the owner of a hobby website for
children received an e-mail informing her that a group of hackers had
gained control over her website. They demanded a ransom of 1 million
dollars from her. The owner, a school teacher, did not take the threat
seriously. She felt that it was just a scare tactic and ignored the e-mail.
• It was three days later that she came to know, following many telephone
calls from all over the country, that the hackers had web jacked her
website. Subsequently, they had altered a portion of the website which
was entitled ‘How to have fun with goldfish’. In all the places where it had
been mentioned, they had replaced the word ‘goldfish’ with the word
‘piranhas’.
• Piranhas are tiny but extremely dangerous flesh-eating fish. Many
children had visited the popular website and had believed what the
contents of the website suggested. These unfortunate children followed
the instructions, tried to play with piranhas, which they bought from pet
shops, and were very seriously injured!
• CREDIT CARD FRAUD
• In April 2001, the Hyderabad police arrested two persons, namely,
Manohar, an unemployed computer operator and his friend, Moses
who was a steward in a prominent five-star hotel in the city. They
were arrested and charged under various sections of the IPC and
the IT Act for stealing and misusing credit card numbers belonging
to others.
• Moses, being a steward in the hotel, noted down the various details
of the credit cards, which were handed by clients of the hotel for
paying their meal bills. Then, he passed all the details of the
various credit cards to his computer operator friend Manohar.
Manohar used the details to make online purchases on various
websites such as sify.com and rediff.com. The case was unearthed
on the complaint of a prominent businessman who had visited the
five-star hotel for dinner and had paid the bill by credit card
through the steward, Moses.
• In United States v. Lee, the defendant knew that the Hawaii
Marathon Association operated a Website with the Uniform Resource
Locator (URL) "www.hawaiimarathon.org" to provide
information about the Marathon and enable runners to register online.
Although he had no affiliation with the real Hawaii Marathon, he
copied the authorized Marathon Website, and created his own Website
with the confusingly similar name, "www.hawaiimarathon.com."
Runners who came to his Website thinking that it was the real Hawaii
Marathon site were charged a $165 registration fee -- $100 more than
the real site charged for entry. The defendant also operated another
Website where he sold Viagra over the Internet without a prescription.
(The defendant later pleaded guilty to wire fraud and unlawful sale of
Viagra, and in February 2001 was given a split sentence of ten months’
imprisonment.)
• "Pump-and-Dump." The most widely publicized form of online
market manipulation is the so-called "pump and dump" scheme. In a
"pump and dump," criminals identify one or more companies whose
stock is thinly traded or not traded at all, then adopt various means to
persuade individual online investors to buy that company's stock. These
means can include posting favorable, but false and misleading,
representations on financial message boards or Websites, and making
undisclosed payments to people who are ostensibly independent but
who will recommend that stock.
• Once the price has increased sufficiently, the participants in the scheme
-- who may be company insiders, outsiders, or both -- sell their stock, and
the stock price eventually declines sharply, leaving uninformed investors
with substantial financial losses. While an outsider who merely
expresses his opinions about the worth or likely increase or decrease of a
particular stock may not be committing criminal fraud, outsiders or
insiders whose conduct extends beyond mere advocacy to manipulation
of markets for their personal profit by giving the public false and
misleading information may violate securities fraud statutes and other
criminal statutes.
Hacking
• An active hackers’ group, led by one “Dr. Nuker”, who
claims to be the founder of Pakistan Hackerz Club,
reportedly hacked the websites of the Indian Parliament,
Ahmedabad Telephone Exchange, Engineering Export
Promotion Council, and United Nations (India).
Direct Damage to Computer Centers
• In February 1969, the largest student riot in Canada was
set off when police were called in to put an end to a
student occupation of several floors of the Hall Building.
The students had been protesting against a professor
accused of racism, and when the police came in, a fire
broke out and computer data and university property
were destroyed. The damages totalled $2 million, and 97
people were arrested.
• "Cyber smear." The converse of the "pump and dump" is the "cyber
smear." A "cyber smear" scheme is organized in the same basic manner as
a "pump-and-dump," with one important difference: the object is to
induce a decline in the stock's price, to permit the criminals to realize
profits by short-selling. To accomplish a sufficiently rapid decline in the
stock's price, the criminal must resort to blatant lies and
misrepresentations likely to trigger a substantial sell off by other
investors.
• In United States v. Moldofsky, the defendant, a day trader, on the
evening of March 22, 2000, and the morning of the next day, posted
nearly twenty times a message that was designed to look like a Lucent
press release announcing that Lucent would not meet its quarterly
earnings projections. For most of those postings, he used an alias
designed to resemble a screen name used by a frequent commentator on
the Lucent message board who had historically expressed positive views
of Lucent stock. He also posted additional messages, using other screen
names that commented on the release or on the message poster's conduct.
On March 23, Lucent's stock price dropped more than 3.7 percent before
Lucent issued a statement disavowing the false press release, but rose by
8 percent within ten minutes of Lucent's disavowal.
• In United States v. Jakob, the defendant engaged in even more elaborate
fraudulent conduct to effect a "cyber smear." After he tried to short-sell
stock in Emulex, but found that the market was bidding up the price, he
wrote a press release falsely reporting that Emulex was under investigation
by the SEC, that Emulex's Chief Executive Officer was resigning, and that
Emulex was reporting a loss in its latest earnings report. He then caused his
former employer, a company that distributed online press releases, to send
it to major news organizations, which reported the false statements as fact.
When Emulex stock rapidly declined, the defendant covered his short-sale
position by buying Emulex stock and realizing nearly $55,000 in profits. He
also bought more Emulex stock at lower prices, and sold when the stock had
recovered most of its value.
• In United States v. Christian, No. 00-03-SLR (D. Del. filed Aug. 3,
2000), two defendants obtained the names and Social Security numbers of
325 high-ranking United States military officers from a public Website, then
used those names and identities to apply for instant credit at a leading
computer company and to obtain credit cards through two banks. They
fenced the items they bought under the victims' names, and accepted orders
from others for additional merchandise. The two defendants, after pleading
guilty to conspiracy to commit bank fraud, were sentenced to thirty-three
and forty-one months’ imprisonment and restitution of more than $100,000
each.
• Email bombing
• Email bombing refers to sending a large number of emails to the victim
resulting in the victim’s email account (in case of an individual) or mail servers
(in case of a company or an email service provider) crashing.
• In one case, a foreigner who had been residing in Simla, India for almost thirty
years wanted to avail of a scheme introduced by the Simla Housing Board to
buy land at lower rates. When he made an application it was rejected on the
grounds that the scheme was available only for citizens of India. He decided to
take his revenge. Consequently he sent thousands of mails to the Simla
Housing Board and repeatedly kept sending e-mails till their servers crashed.
• Data diddling
• This kind of an attack involves altering raw data just before it is processed by a
computer and then changing it back after the processing is completed.
Electricity Boards in India have been victims of data diddling programs
inserted when private parties were computerizing their systems.
• The NDMC Electricity Billing Fraud Case that took place in 1996 is a typical
example. The computer network was used for receipt and accounting of
electricity bills by the NDMC, Delhi. Collection of money, computerized
accounting, record maintenance and remittance in the bank were exclusively
left to a private contractor who was a computer professional. He
misappropriated a huge amount of funds by manipulating data files to show
less receipt and bank remittance.
• Salami attacks
• These attacks are used for the commission of financial
crimes. The key here is to make the alteration so insignificant
that in a single case it would go completely unnoticed. E.g. a
bank employee inserts a program into the bank’s servers
that deducts a small amount of money (say Rs. 5 a month)
from the account of every customer. Probably no account
holder will notice this unauthorized debit, but the bank
employee will make a sizeable amount of money every
month.
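A detection-side illustration of the salami pattern described above, added here as an example and not part of the original slides: no single debit stands out, so the check aggregates a ledger by destination and amount and flags the same small sum taken from many distinct accounts. The record layout, thresholds, account identifiers and ledger rows are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Entry:
    month: str        # accounting period, e.g. "2001-04"
    src: str          # account that was debited
    dst: str          # account that was credited
    amount: Decimal   # rupees
    memo: str


@dataclass(frozen=True)
class Finding:
    month: str
    dst: str
    amount: Decimal
    accounts_hit: int  # distinct debited accounts
    total: Decimal     # what the destination collected that month


def find_salami(entries, max_amount=Decimal("10"), min_accounts=5,
                approved=frozenset()):
    """Flag (month, destination, amount) groups where one small amount
    was debited from many distinct accounts.

    approved holds (dst, amount) pairs for published fees, so a genuine
    flat charge is not reported.
    """
    groups = defaultdict(list)
    for e in entries:
        if not (Decimal("0") < e.amount <= max_amount):
            continue  # only small debits are candidate "slices"
        if (e.dst, e.amount) in approved:
            continue
        groups[(e.month, e.dst, e.amount)].append(e)

    findings = []
    for (month, dst, amount), rows in groups.items():
        accounts = {r.src for r in rows}
        if len(accounts) >= min_accounts:
            total = sum((r.amount for r in rows), Decimal("0"))
            findings.append(Finding(month, dst, amount, len(accounts), total))
    return sorted(findings, key=lambda f: (f.month, f.dst, f.amount))


def persistent_destinations(findings, min_months=2):
    """Destinations flagged in several periods: a recurring skim, not a one-off."""
    months = defaultdict(set)
    for f in findings:
        months[f.dst].add(f.month)
    return sorted(d for d, m in months.items() if len(m) >= min_months)


def sample_ledger():
    """Constructed ledger: six customers, two months, one skimming account."""
    customers = [f"CUST-{n:03d}" for n in range(1, 7)]
    rows = []
    for month in ("2001-04", "2001-05"):
        for c in customers:
            # Rs. 5 per customer per month into one internal account
            rows.append(Entry(month, c, "ACC-9917", Decimal("5"), "svc adj"))
    for c in customers:
        # A legitimate flat fee of the same size, credited to fee income
        rows.append(Entry("2001-04", c, "FEE-INCOME", Decimal("5"), "SMS alert fee"))
    # Ordinary traffic that must not be flagged
    rows.append(Entry("2001-04", "CUST-001", "CUST-004", Decimal("2500"), "rent"))
    rows.append(Entry("2001-05", "CUST-002", "CUST-003", Decimal("8"), "tea"))
    return rows


if __name__ == "__main__":
    allow = {("FEE-INCOME", Decimal("5"))}
    hits = find_salami(sample_ledger(), approved=allow)
    for f in hits:
        print(f"{f.month} {f.dst}: Rs. {f.amount} x {f.accounts_hit} accounts = Rs. {f.total}")
    print("recurring:", persistent_destinations(hits))
```

The allow-list matters as much as the threshold: without it the legitimate flat fee is reported alongside the skim, and reviewers learn to ignore the alert.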
• DEFAMATION
• India’s first case of cyber defamation was reported when a
company’s employee started sending derogatory, defamatory
and obscene e-mails about its Managing Director. The e-mails
were anonymous and frequent, and were sent to many of their
business associates to tarnish the image and goodwill of the
company.
• The company was able to identify the employee with the help
of a private computer expert and moved the Delhi High Court.
The court granted an ad-interim injunction and restrained the
employee from sending, publishing and transmitting e-mails,
which are defamatory or derogatory to the plaintiffs.
TROJAN HORSES
• In the 12th century BC, Greece declared war on the city of Troy. The dispute arose
because the prince of Troy and the Queen of Sparta eloped, declaring that they
intended to marry.
• The Greeks besieged Troy for 10 years but met with no success as Troy was very well
fortified. In a last effort, the Greek army pretended to be retreating, and left behind a
huge wooden horse. The people of Troy saw the horse and thought it was a gift from the
Greeks. They pulled the horse into their city, unaware that the hollow wooden horse had
some of the best Greek soldiers hiding inside it. Under the cover of night, the soldiers
snuck out and opened the gates of the city, and later, together with the rest of the army,
besieged and destroyed Troy.
• Similar to the wooden horse, a Computer Trojan (also referred to as Trojan Horse
program) pretends to do one thing while actually doing something completely different.
• A Trojan Horse program is a program that appears to have some useful or benign
purpose, but really masks some hidden malicious functionality.
• Today’s Trojan horses try to sneak past computer security fortifications (such as
firewalls), by employing like-minded trickery. By looking like normal software, Trojan
horse programs are used for the following goals:
• Duping a user or system administrator into installing the Trojan horse in the first place. In
this case, the Trojan horse and the unsuspecting user become the entry vehicle for the
malicious software on the system.
• Blending in with the “normal” programs running on a machine. The
Trojan horse camouflages itself to appear to belong on the system so
users and administrators continue their activity, unaware of the
malicious code’s presence.
Attackers have devised a myriad of methods for hiding
malicious capabilities inside their wares on your computer.
These techniques include
• employing simple, yet highly effective naming games,
• using executable wrappers,
• attacking software distribution sites,
• manipulating source code,
• co-opting software installed on your system, and
• disguising items using polymorphic coding techniques.
As we discuss each of these elements, we must bear in mind that the
attackers’ main goal is to disguise the malicious code so that the victims do
not realize what the attacker is up to.
Types of Trojans
The most common types of Trojans found today are:
1. Remote Administration Trojans (RATs)
• These are the most popular Trojans. They let a hacker access the victim's hard disk, and also
perform many functions on his computer (shut down his computer, open and shut his CD-
ROM drive etc.).
• Modern RATs are very simple to use. They come packaged with two files - the server file and
the client file. The hacker tricks someone into running the server file, gets his IP address
and gets full control over the victim computer.
• Some Trojans are limited by their functions, but more functions also mean larger server files.
Some Trojans are merely meant for the attacker to use them to upload another Trojan to the
target's computer and run it; hence they take very little disk space. Hackers also bind Trojans
into other programs, which appear to be legitimate, e.g. a RAT could be bound with an
e-greeting card.
• Most RATs are used for malicious purposes - to irritate or scare people or harm
computers. There are many programs that detect common Trojans. Firewalls and anti-virus
software can be useful in tracing RATs.
• RATs open a port on your computer and bind themselves to it (make the server file listen to
incoming connections and data going through these ports). Then, once someone runs his
client program and enters the victim's IP address, the Trojan starts receiving commands from
the attacker and runs them on the victim's computer.
• Some Trojans let the hacker change this port into any other port and also put a password so
only the person who infects the specific computer will be able to use the Trojan. In some
cases the creator of the Trojan would also put a backdoor within the server file itself so he'll be
able to access any computer running his Trojan without the need to enter a password.
• This is called "a backdoor within a backdoor" e.g. CIA, Netbus, Back Orifice, Sub7.
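One way a defender can surface the listening port a RAT server opens, as an added example (not part of the original slides): parse the kernel's socket table and flag every listener that is missing from an approved baseline, which still works when the port number has been changed. The sample table is constructed, the baseline is hypothetical, and the address decoding assumes a little-endian Linux host.

```python
import ipaddress
import struct

# Constructed sample in the layout of Linux /proc/net/tcp (not taken from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18321 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20114 1 0000000000000000 100 0 0 10 0
   2: 00000000:6B3B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 45872 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:0016 0200000A:C1F4 01 00000000:00000000 02:000A1B2C 00000000     0        0 46010 2 0000000000000000 20 4 29 10 -1
"""

TCP_LISTEN = 0x0A  # kernel state number for a listening socket

# Hypothetical baseline: the (address, port) pairs this host is expected to listen on.
APPROVED_LISTENERS = {("0.0.0.0", 22), ("127.0.0.1", 631)}


def parse_listeners(proc_net_tcp_text):
    """Return (ip, port, uid, inode) for every IPv4 socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue  # truncated or blank line
        if int(fields[3], 16) != TCP_LISTEN:
            continue  # established, time-wait, etc.
        addr_hex, port_hex = fields[1].split(":")
        # The address is a 32-bit value printed in host byte order; on a
        # little-endian host, repacking it as "<I" yields network-order bytes.
        ip = ipaddress.IPv4Address(struct.pack("<I", int(addr_hex, 16)))
        listeners.append((str(ip), int(port_hex, 16), int(fields[7]), int(fields[9])))
    return listeners


def unexpected_listeners(listeners, baseline):
    """Return a finding for each listener whose (ip, port) is not in the baseline."""
    findings = []
    for ip, port, uid, inode in listeners:
        if (ip, port) in baseline:
            continue
        loopback = ipaddress.ip_address(ip).is_loopback
        findings.append({
            "ip": ip,
            "port": port,
            "uid": uid,      # account that owns the socket
            "inode": inode,  # lets an analyst map the socket to a process via /proc/<pid>/fd
            "exposure": "loopback only" if loopback else "network reachable",
        })
    return findings


if __name__ == "__main__":
    for finding in unexpected_listeners(parse_listeners(SAMPLE_PROC_NET_TCP), APPROVED_LISTENERS):
        print("unexpected listener:", finding)
```

A Trojan that hides itself from the operating system will not appear in this table, so the same comparison is worth repeating from outside the host.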
2. Password Trojans
Password Trojans search the victim’s computer for passwords and then send them to
the attacker or the author of the Trojan. Whether it's an Internet password or an email
password there is a Trojan for every password. These Trojans usually send the
information back to the attacker via email.
3. Privileges-Elevating Trojans
These Trojans are usually used to fool system administrators. They can either be bound
into a common system utility or pretend to be something harmless and even quite
useful and appealing. Once the administrator runs it, the Trojan will give the attacker
more privileges on the system. These Trojans can also be sent to less-privileged users
and give the attacker access to their account.
4. Key loggers
These Trojans are very simple. They log all of the victim’s keystrokes on the keyboard
(including passwords), and then either save them on a file or email them to the attacker
once in a while. Key loggers usually don't take much disk space and can masquerade as
important utilities, thus becoming very hard to detect.
5. Joke Programs
Joke programs are not harmful. They can either pretend to be formatting your hard
drive, sending all of your passwords to some hacker, turning in all information about
illegal and pirated software you might have on your computer to the police etc. In
reality, these programs do not do anything.
6. Destructive Trojans
• These Trojans can destroy the victim’s entire hard drive, encrypt or just
scramble important files. Some might seem like joke programs,
while they are actually destroying every file they encounter.
• In an unreported case in India, a Trojan almost led to the
death of a reporter: A young lady was working on an article about
‘online relationships’. During the course of researching for the article,
she befriended many strangers online. One of these people remotely
implanted a Trojan on her home computer. She was staying in a small
one-bedroom apartment in Mumbai, and her computer was in one corner.
Unknown to her, the Trojan had hijacked her web-camera and her
microphone, both of which were attached to her computer.
• Numerous pictures of her in compromising positions were
hijacked by the hacker who then uploaded them on to a
pornographic website. When the young lady came to know
about it a year later, she attempted suicide. Fortunately she
survived.
• This is a shocking reminder of the disastrous effects that a Trojan can
have.
1. UK child porn case
• A British citizen, Julian Green, was arrested in October 2002 after the police raided his home
and found 172 indecent pictures of children on the hard disk of his home computer.
• Green was an IT contractor in the UK defence industry. He was a divorcee with two children. As a
result of 13 paedophile related charges brought against him, he lost his job, was attacked and was
unable to see his children.
• Under British law the maximum sentence for possession of such images is ten years'
imprisonment, and anyone convicted in such a matter would have become subject to
registration with the police as a sex offender for a period of five years.
• Green claimed that the pictures found on his computer had nothing to do with him and that he
had no interest in pedophilia and had no pornographic magazines or videos at his home. He had
no history of sexual offences and was an honest man trusted with a sensitive job that required
security clearance.
• An extensive examination of Green’s computer hard disk showed the presence of 11
Trojan horse programs. These Trojans were set to log onto "inappropriate sites"
without Green's permission whenever he accessed the Internet. These Trojans were
believed to have come from unsolicited emails that Green opened before he deleted
them.
• The charges against him were finally dropped on account of the discovery of these Trojans on his
computer. In previous instances, the prosecution had been able to show that the Trojan defense
was implausible. On behalf of the police, computer experts have been able to show that pictures
were viewed and moved around the computer; that they did not appear in the locations that would
indicate pop-ups; that there was no remaining indication of the spam email; and no evidence of any
Trojan application.
• Armed with this weight of evidence, courts have had no problem in
dismissing the Trojan defense in other cases. In this case, though, it was
certain that there was evidence: the Trojan was indeed found and it was
discovered that it referred to the pedophile pictures explicitly. Experts were
able to show that the defendant had not accessed the pictures and that he
could not have known they were on his computer.
• This final point is important. The actual offence under which most charges of
computer pedophilia are brought is UK’s 1988 Criminal Justice Act. Section
160 makes it an offence to be in possession of an indecent photograph of a
child.
• In this case there was no dispute about the fact that the pictures were indeed
on his computer and were indeed indecent photographs of children. There
are, however, three defenses: that the picture was in his possession for a
legitimate reason; that he had not seen the picture or had any reason to
believe it was indecent; and that it was unsolicited and not kept for any length
of time.
• The first defense is the one that gives permission for experts working on
behalf of the courts to possess the pictures in the course of their
investigations.
• The second and third defenses were claimed in this case: the pictures were not
solicited and were not viewed. The third defense also provides protection for
those increasingly common situations in which extreme material – including
pedophile content - is being transmitted in spam.
2. The Texas port DoS case
• Aaron Caffrey, a 19-year-old UK citizen, was accused of crashing systems at the port of Houston
in Texas, USA. He faced a charge of unauthorized modification of computer material at a UK
court.
• During the trial, it was claimed Caffrey had perpetrated a complex crime, involving computer
hacking, identity theft and fraudulent financial-market trading.
• The prosecutor in the case claimed that Caffrey hacked into the computer server
at the port in order to target a female chatroom user called Bokkie, following an
argument. It was said in court that they had argued over anti-US remarks she had
made. Caffrey, who suffers from a form of autism called Asperger's Syndrome,
was said to be in love with an American girl called Jessica. The court was told he
named his computer after her and dedicated his "attack script" to her. Scheduling
computer systems at the port were bombarded with thousands of electronic
messages on 20 September 2001.
• The attack froze the port's web service, which contained vital data for shipping, mooring
companies and support firms responsible for helping ships navigate in and out of the harbor.
An investigation by US authorities traced the computer's IP address to a computer at Caffrey's
home. But the teenager claimed an unidentified third party had planted the instructions for the
attack script on his website without his knowledge.
• He also criticized the authorities for not uncovering the virus during their investigation. On the
final day of the trial, Caffrey admitted being part of a group of hackers called Allied Haxor
Elite, but denied he had ever illegally hacked into a computer.
• The teenager told the court that hackers operated legally, but that people who entered
computer systems illegally were known as "crackers". He said: "I have hacked into computers
legally for friends to test their server security because they asked me to but never illegally."
• Caffrey was found not guilty of computer crime after the jury accepted his story that attackers
used an unspecified Trojan to gain control of his PC and launch the assault. The prosecution
argued that no trace of Trojan infection was found on Caffrey's PC but the defense was able to
counter this argument with testimony from Caffrey that it was possible for a Trojan to delete
itself.
Illustration:
• In May 2002, Monkey.org, a website that distributes popular security
and hacking tools, was hacked into.
• The hackers modified the following tools distributed through
Monkey.org:
1. The Dsniff sniffing program,
2. The Fragroute IDS evasion tool and
3. The Fragrouter IDS evasion tool.
• The hackers replaced each tool with a Trojan horse version that
created a backdoor on the systems of anyone who downloaded and
installed these tools.
• This attack was especially lethal as these tools are widely used by
security professionals as well as by hackers.
Illustration:
• From July 30 to August 1, 2002, an attacker loaded a Trojan horse
version of the Open Secure Shell (OpenSSH) security tool onto the
main OpenSSH distribution Website (OpenSSH is widely used to
provide tight security for remote access to a system).
• However, diligent administrators who tried to protect their systems
by downloading this security tool in late July 2002, unwittingly
installed a backdoor.
Illustration:
• From September 28 until October 6, 2002, a period of more
than one week, the distribution point for the most popular
email server software on the Internet was subverted.
• The main FTP server that distributed the free, open source
Sendmail program was Trojanized with a backdoor.
Illustration:
• From November 11 to 13, 2002, tcpdump, the popular sniffing
program, and libpcap, its library of packet capture routines,
were replaced with a Trojan horse backdoor on the main
tcpdump website.
• Not only is the tcpdump sniffer widely used by security,
network, and system administrators around the world, but the
libpcap (pronounced lib-pee-cap, which is short for “library for
packet capture”) component is a building block for numerous
other tools.
• Administrators who installed tcpdump, libpcap, or any other
package built on top of libpcap during this time frame were
faced with a backdoor running on their systems.
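The four illustrations above share one failure: a file fetched from the official site was trusted because of where it came from. As an added example (not part of the original slides), this sketch checks a download against a SHA-256 list obtained through a separate trusted channel; the file name, the archive bytes and the digest list are constructed stand-ins.

```python
import hashlib
import hmac
import io

# Constructed stand-ins for a genuine release archive and a Trojanized replacement.
GENUINE_ARCHIVE = b"constructed stand-in for a release tarball\n"
TAMPERED_ARCHIVE = GENUINE_ARCHIVE + b"extra step added by an intruder\n"

# Constructed digest list in sha256sum format. In practice it must come from a
# channel other than the download server itself (a signed announcement, a second
# independent mirror), because an intruder who can replace the archive can also
# replace a checksum file stored next to it.
TRUSTED_LIST = "# release digests (constructed)\n{}  tool-1.0.tar.gz\n".format(
    hashlib.sha256(GENUINE_ARCHIVE).hexdigest()
)


def parse_checksum_list(text):
    """Parse sha256sum-style lines ('<64 hex digits>  <name>') into {name: digest}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("line %d: expected '<digest>  <name>'" % lineno)
        digest, name = parts[0].lower(), parts[1]
        if name.startswith("*"):  # sha256sum marks binary mode with a leading '*'
            name = name[1:]
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("line %d: not a SHA-256 hex digest" % lineno)
        if entries.get(name, digest) != digest:
            raise ValueError("line %d: conflicting digests for %s" % (lineno, name))
        entries[name] = digest
    return entries


def sha256_stream(fileobj, chunk_size=65536):
    """Hash a file object in chunks so large archives need not fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(name, fileobj, trusted):
    """Return 'OK', 'MISMATCH', or 'UNLISTED' (no trusted digest, so do not install)."""
    expected = trusted.get(name)
    if expected is None:
        return "UNLISTED"
    actual = sha256_stream(fileobj)
    return "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"


if __name__ == "__main__":
    trusted = parse_checksum_list(TRUSTED_LIST)
    for label, data in (("genuine", GENUINE_ARCHIVE), ("tampered", TAMPERED_ARCHIVE)):
        print(label, verify_download("tool-1.0.tar.gz", io.BytesIO(data), trusted))
```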
PROTECTION TIPS:
• Turn on ‘auto update’ option for your browser and
plug-ins.
• Install anti-malware.
• For extra security, run anti-malware from different
brands.
• Set a strong password for your FTP.
• Configure FTP client settings. Activate the option to
“Always use SFTP”.
• Avoid sites that do not look trustworthy.
• Avoid sites from which ‘https’ has clearly been removed.
• Scan pen drives and flash drives when you insert
them into your systems.
• Scan your systems frequently.
 
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptxMOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
 
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
 
PowerPoint - Legal Citation Form 1 - Case Law.pptx
PowerPoint - Legal Citation Form 1 - Case Law.pptxPowerPoint - Legal Citation Form 1 - Case Law.pptx
PowerPoint - Legal Citation Form 1 - Case Law.pptx
 
一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理
 
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
 
CAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsCAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction Fails
 
一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理
 
Performance of contract-1 law presentation
Performance of contract-1 law presentationPerformance of contract-1 law presentation
Performance of contract-1 law presentation
 

Historical genesis and evolution of cyber crimes new

  • 1. Historical Genesis and Evolution of Cyber Crimes. ARUN VERMA
  • 2.
    • "Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)". Such crimes may threaten a nation’s security and financial health.
      …. Dr. Debarati Halder and Dr. K. Jaishankar
    • "Cyber" is a prefix used to describe a person, thing, or idea as part of the computer and information age. Taken from kybernetes, Greek word for "steersman" or "governor," it was first used in cybernetics, a word coined by Norbert Wiener and his colleagues. The virtual world of internet is known as cyberspace and the laws governing this area are known as Cyber laws and all the netizens of this space come under the ambit of these laws as it carries a kind of universal jurisdiction. Cyber law can also be described as that branch of law that deals with legal issues related to use of inter-networked information technology. In short, cyber law is the law governing computers and the internet.
    • Computer crime, or Cybercrime, refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target.
    • Net crime is criminal exploitation of the Internet.
  • 3.
    • The first recorded cyber crime took place in the year 1820. In 1820, Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in the weaving of special fabrics. This resulted in a fear amongst Jacquard's employees that their traditional employment and livelihood were being threatened. They committed acts of sabotage to discourage Jacquard from further use of the new technology. This is the first recorded cyber crime!
    • That is not surprising considering the fact that the abacus, which is thought to be the earliest form of a computer, has been around since 3500 B.C. in India, Japan and China.
    • The era of modern computers, however, began with the analytical engine of Charles Babbage.
    • Today computers have come a long way, with neural networks and nano-computing promising to turn every atom in a glass of water into a computer capable of performing a billion operations per second.
  • 4.
    • Cybercrime first started with hackers trying to break into computer networks.
    • Some did it just for the thrill of accessing high-level security networks, but others sought to gain sensitive, classified material.
    • Eventually, criminals started to infect computer systems with computer viruses, which led to breakdowns on personal and business computers.
    • Computer viruses are forms of code or malware programs that can copy themselves and damage or destroy data and systems. When computer viruses are used on a large scale, like with bank, government or hospital networks, these actions may be categorized as cyberterrorism.
    • Computer hackers also engage in phishing scams, like asking for bank account numbers, and credit card theft.
  • 5.
    • Hacking is a term used to describe the activity of modifying a product or procedure to alter its normal function, or to fix a problem. The term purportedly originated in the 1960s, when it was used to describe the activities of certain MIT model train enthusiasts who modified the operation of their model trains. They discovered ways to change certain functions without re-engineering the entire device.
    • These curious individuals went on to work with early computer systems where they applied their curiosity and resourcefulness to learning and changing the computer code that was used in early programs.
    • Some of their hacks became so successful they outlived the original product, such as the UNIX operating system, developed as a hack by Dennis Ritchie and Keith Thompson of Bell Labs.
    • To the general public a “hack” became known as a clever way to fix a problem with a product, or an easy way to improve its function.
  • 6.
    • The malicious association with hacking became evident in the 1970s when early computerized phone systems became a target. Technologically savvy individuals, called “phreakers,” discovered the correct codes and tones that would result in free long distance service. They impersonated operators, dug through Bell Telephone company garbage to find secret information, and performed countless experiments on early telephone hardware in order to learn how to exploit the system. They were hackers in every sense of the word, using their resourcefulness to modify hardware and software to steal long distance telephone time.
    • This innovative type of crime was a difficult issue for law enforcement, due in part to lack of legislation to aid in criminal prosecution, and a shortage of investigators skilled in the technology that was being hacked. It was clear that computer systems were open to criminal activity, and as more complex communications became available to the consumer, more opportunities for cyber crime developed.
    • In 1986 the systems administrator at the Lawrence Berkeley National Laboratory, Clifford Stoll, noted certain irregularities in accounting data. Inventing the first digital forensic techniques, he determined that an unauthorized user was hacking into his computer network. Stoll used what is called a “honey pot tactic,” which lures a hacker back into a network until enough data can be collected to track the intrusion to its source. Stoll’s effort paid off with the eventual arrest of Markus Hess and a number of others located in West Germany, who were stealing and selling military information, passwords and other data to the KGB.
  • 7.
    • The Berkeley lab intrusion was soon followed by the discovery of the Morris worm virus, created by Robert Morris, a Cornell University student. This worm damaged more than 6,000 computers and resulted in estimated damages of $98 million. More incidents began to follow in a continuous, steady stream. Congress responded by passing its first hacking-related legislation, the Federal Computer Fraud and Abuse Act, in 1986. The act made computer tampering a felony crime punishable by significant jail time and monetary fines.
    • The Steve Jackson Games publishing company was nearly forced out of business after being accused of possessing an illegally copied document. The Secret Service believed this document was in Jackson’s possession, and confiscated the computers used in his business. When the equipment was not returned in a timely manner, he was forced to lay off employees and miss deadlines, and his business was nearly ruined. When the computers were returned, Jackson discovered that company emails had been accessed and customer data was deleted. The Secret Service never pressed charges for any crime.
  • 8.
    • In 1990, during a project dubbed Operation Sundevil, FBI agents confiscated 42 computers and over 20,000 floppy disks that were allegedly being used by criminals for illegal credit card use and telephone services. This two-year effort involved 150 agents. Despite the low number of indictments, the operation was seen as a successful public relations effort by law enforcement officials. Garry M. Jenkins, the Assistant Director of the U.S. Secret Service, explained at a press conference that this activity sent a message to criminals that, “they were on the watch everywhere, even in those sleazy and secretive dens of cybernetic vice, the underground boards.”
    • The Electronic Frontier Foundation (EFF) formed in 1990 as a response to threats on civil liberties that can occur through overzealous activities and mistakes made by law enforcement personnel who are investigating cyber crime and related matters. It is a collection of technologists, lawyers and other professionals who act to defend and protect consumers from unlawful prosecution.
    • Crime and cyber crime will continue to be present in our society, regardless of the best efforts of the criminal justice system. The public and private sector need highly skilled individuals to combat this threat and help prevent the prosecution of innocent people. Talented individuals who want to pursue a cybersecurity career in criminal justice must have proficiency with communication technology, understand regulatory concerns and be familiar with homeland security law. Cybersecurity is an exciting field for people with a curious nature and who never tire of learning new things while balancing complex social and technological concerns.
  • 11. Elements of Cybercrime
    • Cyber crimes—harmful acts committed from or against a computer or network—differ from most terrestrial crimes in four ways.
      • They are easy to learn how to commit;
      • they require few resources relative to the potential damage caused;
      • they can be committed in a jurisdiction without being physically present in it;
      • and they are often not clearly illegal.
    • Laws of most countries do not clearly prohibit cyber crimes. Existing terrestrial laws against physical acts of trespass or breaking and entering often do not cover their “virtual” counterparts. Web pages such as the e-commerce sites recently hit by widespread, distributed denial of service attacks may not be covered by outdated laws as protected forms of property.
    • Criminal statutes have been extended into cyberspace to cover ten different types of cyber crime in four categories:
      • data-related crimes, including interception, modification, and theft;
      • network-related crimes, including interference and sabotage;
      • crimes of access, including hacking and virus distribution;
      • and associated computer-related crimes, including aiding and abetting cyber criminals, computer fraud, and computer forgery.
  • 12. Evolution of Cybercrime
    • In the early decades of modern information technology (IT), computer crimes were largely committed by individual disgruntled and dishonest employees.
    • Physical damage to computer systems was a prominent threat until the 1980s.
    • Criminals often used authorized access to subvert security systems as they modified data for financial gain or destroyed data for revenge.
    • Early attacks on telecommunications systems in the 1960s led to subversion of the long-distance phone systems for amusement and for theft of services.
    • As telecommunications technology spread throughout the IT world, hobbyists with criminal tendencies learned to penetrate systems and networks.
    • Programmers in the 1980s began writing malicious software, including self-replicating programs (viruses), to interfere with personal computers.
    • As the Internet increased access to increasing numbers of systems worldwide, criminals used unauthorized access to poorly protected systems for vandalism, political action and financial gain.
    • As the 1990s progressed, financial crime using penetration and subversion of computer systems increased.
    • The types of malware shifted during the 1990s, taking advantage of new vulnerabilities and dying out as operating systems were strengthened, only to succumb to new attack vectors.
    • Illegitimate applications of e-mail grew rapidly from the mid-1990s onward, generating torrents of unsolicited commercial and fraudulent e-mail.
  • 13. 1970-1972: Albert - the Saboteur
    • One of the most instructive early cases of computer sabotage occurred at the National Farmers Union Service Corporation of Denver, where a Burroughs B3500 computer suffered 56 disk head crashes in the 2 years from 1970 to 1972. Down time was as long as 24 hours per crash, with an average of 8 hours per incident. Burroughs experts were flown in from all over the United States at one time or another, and concluded that the crashes must be due to power fluctuations. By the time all the equipment had been repaired and new wiring, motor generators, circuit breakers and power-line monitors had been installed in the computer room, total expenditures for hardware and construction were over $500,000 (in 1970 dollars). Total expenses related to down time and lost business opportunities because of delays in providing management with timely information are not included in this figure. In any case, after all this expense, the crashes continued sporadically as before.
    • By this time, the experts were beginning to wonder about their analysis. For one thing, all the crashes had occurred at night. Could it be sabotage? Surely not! Why, old Albert the night-shift operator had been so helpful over all these years; he had unfailingly called in the crashes at once, gone out for coffee and donuts for the repair crews, and been meticulous in noting the exact times and conditions of each crash. On the other hand, all the crashes had in fact occurred on his shift.
    • Management installed a closed-circuit television (CCTV) camera in the computer room—without informing Albert. For some days, nothing happened. Then one night, another crash occurred. On the CCTV monitor, security guards saw good Albert open up a disk cabinet and poke his car key into the read/write head solenoid, shorting it out and causing the 57th head crash.
  • 14.
    • The next morning, management confronted Albert with the film of his actions and asked for an explanation. Albert broke down in mingled shame and relief. He confessed to an overpowering urge to shut the computer down. Psychological investigation determined that Albert, who had been allowed to work night shifts for years without a change, had simply become lonely. He arrived just as everyone else was leaving; he left as everyone else was arriving. Hours and days would go by without the slightest human interaction. He never took courses, never participated in committees, never felt involved with others in his company. When the first head crashes occurred—spontaneously—he had been surprised and excited by the arrival of the repair crew. He had felt useful, bustling about, telling them what had happened. When the crashes had become less frequent, he had involuntarily, and almost unconsciously, re-created the friendly atmosphere of a crisis team. He had destroyed disk drives because he needed company.
  • 15. IMPERSONATION
    • Using the insignia and specialized language of officials as part of social engineering has a long history in crime; a dramatization of these techniques is in the popular movie “Catch Me If You Can” about Frank William Abagnale Jr, the teenaged scammer and counterfeiter who pretended to be a pilot, a doctor and a prosecutor before eventually becoming a major contributor to the United States government’s anti-counterfeiting efforts and then founding a major security firm. Several criminals involved in computer-mediated or computer-oriented crime became notorious for using impersonation.
  • 16. DATA DIDDLING
    • One of the most common forms of computer crime since the start of electronic data processing is data diddling -- illegal or unauthorized data alteration. These changes can occur before and during data input or before output. Data diddling cases have included bank records, payrolls, inventory data, credit records, school transcripts, telephone switch configurations, and virtually all other applications of data processing.
    1994: Vladimir Levin and the Citibank Heist
    • In February 1998, Vladimir Levin was sentenced to three years in prison by a court in New York City. Levin masterminded a major conspiracy in 1994 in which the gang illegally transferred $12M in assets from Citibank to a number of international bank accounts. The crime was spotted after the first $400,000 were stolen in July 1994 and Citibank cooperated with the FBI and Interpol to track down the criminals. Levin was also ordered to pay back $240,000, the amount he actually managed to withdraw before he was arrested. The incident led to Citibank’s hiring of Stephen R. Katz as the banking industry’s first Chief Information Security Officer (CISO).
  • 17. LOGIC BOMBS
    • A logic bomb is a program which has deliberately been written or modified to produce results when certain conditions are met that are unexpected and unauthorized by legitimate users or owners of the software. Logic bombs may be within standalone programs or they may be part of worms (programs that hide their existence and spread copies of themselves within computer systems and through networks) or viruses (programs or code segments which hide within other programs and spread copies of themselves).
    • Time bombs are a subclass of logic bombs which “explode” at a certain time.
    • The Michelangelo virus of 1992 was designed to damage hard disk directories on the 6th of March every year.
    • In 1992, computer programmer Michael Lauffenburger was fined $5,000 for leaving a logic bomb at General Dynamics. His intention was to return after his program had erased critical data and be paid to fix the problem.
  • 18. EXTORTION
    • Computer data can be held for ransom. For example, according to Whiteside, in 1971, two reels of magnetic tape belonging to a branch of the Bank of America were stolen at Los Angeles International Airport. The thieves demanded money for their return. The owners ignored the threat of destruction because they had adequate backup copies. Other early cases of extortion involving computers:
    • In 1973, a West German computer operator stole 22 tapes and received $200,000 for their return. The victim did not have adequate backups.
    • In 1977, a programmer in the Rotterdam offices of Imperial Chemical Industries, Ltd. (ICI) stole all his employer’s tapes, including backups. Luckily, ICI informed Interpol of the extortion attempt. As a result of the company’s forthrightness, the thief and an accomplice were arrested in London by officers from Scotland Yard.
    • In the 1990s, one of the most notorious cases of extortion was the 1999 theft of 300,000 records of customer credit cards from the CD Universe Web site by “Maxus,” a 19-year-old Russian. He sent an extortion note that read, “Pay me $100,000 and I’ll fix your bugs and forget about your shop forever....or I’ll sell your cards [customer credit data] and tell about this incident in news.” Refused by CD Universe owners, he promptly released 25,000 credit card numbers via a Web site that became so popular with criminals that Maxus had to limit access to one stolen number per visit.
  • 19. Internet time theft
    • This connotes the usage by an unauthorized person of the Internet hours paid for by another person.
    • In May 2000, the economic offences wing, IPR section crime branch of Delhi police registered its first case involving theft of Internet hours. In this case, the accused, Mukesh Gupta, an engineer with Nicom System (p) Ltd., was sent to the residence of the complainant to activate his Internet connection. However, the accused used Col. Bajwa’s login name and password from various places, causing wrongful loss of 100 hours to Col. Bajwa. Delhi police arrested the accused for theft of Internet time.
    • On further inquiry in the case, it was found that Krishan Kumar, son of an ex-army officer, working as senior executive in M/s Highpoint Tours & Travels, had used Col. Bajwa’s login and passwords as many as 207 times from his residence and twice from his office. He confessed that Shashi Nagpal, from whom he had purchased a computer, gave the login and password to him.
    • The police could not believe that time could be stolen. They were not aware of the concept of time-theft at all. Colonel Bajwa’s report was rejected. He decided to approach The Times of India, New Delhi. They, in turn, carried a report about the inadequacy of the New Delhi Police in handling cyber crimes.
    • The Commissioner of Police, Delhi then took the case into his own hands and the police under his directions raided and arrested Krishan Kumar under sections 379, 411, 34 of IPC and section 25 of the Indian Telegraph Act.
  • 20. Web jacking
    • This occurs when someone forcefully takes control of a website (by cracking the password and later changing it). The actual owner of the website does not have any more control over what appears on that website.
    • In a recent incident reported in the USA the owner of a hobby website for children received an e-mail informing her that a group of hackers had gained control over her website. They demanded a ransom of 1 million dollars from her. The owner, a school teacher, did not take the threat seriously. She felt that it was just a scare tactic and ignored the e-mail.
    • It was three days later that she came to know, following many telephone calls from all over the country, that the hackers had web jacked her website. Subsequently, they had altered a portion of the website which was entitled ‘How to have fun with goldfish’. In all the places where it had been mentioned, they had replaced the word ‘goldfish’ with the word ‘piranhas’.
    • Piranhas are tiny but extremely dangerous flesh-eating fish. Many children had visited the popular website and had believed what the contents of the website suggested. These unfortunate children followed the instructions, tried to play with piranhas, which they bought from pet shops, and were very seriously injured!
  • 21. CREDIT CARD FRAUD
    • In April 2001, the Hyderabad police arrested two persons, namely, Manohar, an unemployed computer operator, and his friend, Moses, who was a steward in a prominent five-star hotel in the city. They were arrested and charged under various sections of the IPC and the IT Act for stealing and misusing credit card numbers belonging to others.
    • Moses, being a steward in the hotel, noted down the various details of the credit cards, which were handed by clients of the hotel for paying their meal bills. Then, he passed all the details of the various credit cards to his computer operator friend Manohar. Manohar used the details to make online purchases on various websites such as sify.com and rediff.com. The case was unearthed on the complaint of a prominent businessman who had visited the five-star hotel for dinner and had paid the bill by credit card through the steward, Moses.
  • 22.
    • In United States v. Lee, the defendant knew that the Hawaii Marathon Association operated a Website with the Uniform Resource Locator (URL) "www.hawaiimarathon.org" to provide information about the Marathon and enable runners to register online. Although he had no affiliation with the real Hawaii Marathon, he copied the authorized Marathon Website, and created his own Website with the confusingly similar name, "www.hawaiimarathon.com." Runners who came to his Website thinking that it was the real Hawaii Marathon site were charged a $165 registration fee -- $100 more than the real site charged for entry. The defendant also operated another Website where he sold Viagra over the Internet without a prescription. (The defendant later pleaded guilty to wire fraud and unlawful sale of Viagra, and in February 2001 was given a split sentence of ten months imprisonment.)
  • 23. "Pump-and-Dump."
    • The most widely publicized form of online market manipulation is the so-called "pump and dump" scheme. In a "pump and dump," criminals identify one or more companies whose stock is thinly traded or not traded at all, then adopt various means to persuade individual online investors to buy that company's stock. These means can include posting favorable, but false and misleading, representations on financial message boards or Websites, and making undisclosed payments to people who are ostensibly independent but who will recommend that stock.
    • Once the price has increased sufficiently, the participants in the scheme -- who may be company insiders, outsiders, or both -- sell their stock, and the stock price eventually declines sharply, leaving uninformed investors with substantial financial losses. While an outsider who merely expresses his opinions about the worth or likely increase or decrease of a particular stock may not be committing criminal fraud, outsiders or insiders whose conduct extends beyond mere advocacy to manipulation of markets for their personal profit by giving the public false and misleading information may violate securities fraud statutes and other criminal statutes.
  • 24. Hacking
    • An active hackers’ group, led by one “Dr. Nuker”, who claims to be the founder of Pakistan Hackerz Club, reportedly hacked the websites of the Indian Parliament, Ahmedabad Telephone Exchange, Engineering Export Promotion Council, and United Nations (India).
    Direct Damage to Computer Centers
    • In February 1969, the largest student riot in Canada was set off when police were called in to put an end to a student occupation of several floors of the Hall Building. The students had been protesting against a professor accused of racism, and when the police came in, a fire broke out and computer data and university property were destroyed. The damages totalled $2 million, and 97 people were arrested.
  • 25. "Cyber smear"
    • The converse of the "pump and dump" is the "cyber smear." A "cyber smear" scheme is organized in the same basic manner as a "pump-and-dump," with one important difference: the object is to induce a decline in the stock's price, to permit the criminals to realize profits by short-selling. To accomplish a sufficiently rapid decline in the stock's price, the criminal must resort to blatant lies and misrepresentations likely to trigger a substantial sell-off by other investors.
    • In United States v. Moldofsky, the defendant, a day trader, on the evening of March 22, 2000, and the morning of the next day, posted nearly twenty times a message that was designed to look like a Lucent press release announcing that Lucent would not meet its quarterly earnings projections. For most of those postings, he used an alias designed to resemble a screen name used by a frequent commentator on the Lucent message board who had historically expressed positive views of Lucent stock. He also posted additional messages, using other screen names, that commented on the release or on the message poster's conduct. On March 23, Lucent's stock price dropped more than 3.7 percent before Lucent issued a statement disavowing the false press release, but rose by 8 percent within ten minutes of Lucent's disavowal.
  • 26.
    • In United States v. Jakob, the defendant engaged in even more elaborate fraudulent conduct to effect a "cyber smear." After he tried to short-sell stock in Emulex, but found that the market was bidding up the price, he wrote a press release falsely reporting that Emulex was under investigation by the SEC, that Emulex's Chief Executive Officer was resigning, and that Emulex was reporting a loss in its latest earnings report. He then caused his former employer, a company that distributed online press releases, to send it to major news organizations, which reported the false statements as fact. When Emulex stock rapidly declined, the defendant covered his short-sale position by buying Emulex stock and realizing nearly $55,000 in profits. He also bought more Emulex stock at lower prices, and sold when the stock had recovered most of its value.
    • In United States v. Christian, No. 00-03-SLR (D. Del. filed Aug. 3, 2000), two defendants obtained the names and Social Security numbers of 325 high-ranking United States military officers from a public Website, then used those names and identities to apply for instant credit at a leading computer company and to obtain credit cards through two banks. They fenced the items they bought under the victims' names, and accepted orders from others for additional merchandise. The two defendants, after pleading guilty to conspiracy to commit bank fraud, were sentenced to thirty-three and forty-one months imprisonment and restitution of more than $100,000 each.
  • 27. Email bombing
    • Email bombing refers to sending a large number of emails to the victim resulting in the victim’s email account (in case of an individual) or mail servers (in case of a company or an email service provider) crashing.
    • In one case, a foreigner who had been residing in Simla, India for almost thirty years wanted to avail of a scheme introduced by the Simla Housing Board to buy land at lower rates. When he made an application it was rejected on the grounds that the scheme was available only for citizens of India. He decided to take his revenge. Consequently he sent thousands of mails to the Simla Housing Board and repeatedly kept sending e-mails till their servers crashed.
    Data diddling
    • This kind of an attack involves altering raw data just before it is processed by a computer and then changing it back after the processing is completed. Electricity Boards in India have been victims to data diddling programs inserted when private parties were computerizing their systems.
    • The NDMC Electricity Billing Fraud Case that took place in 1996 is a typical example. The computer network was used for receipt and accounting of electricity bills by the NDMC, Delhi. Collection of money, computerized accounting, record maintenance and remittance in the bank were exclusively left to a private contractor who was a computer professional. He misappropriated a huge amount of funds by manipulating data files to show less receipt and bank remittance.
  • 28.
    • Salami attacks
    • These attacks are used for the commission of financial crimes. The key here is to make the alteration so insignificant that in a single case it would go completely unnoticed. E.g. a bank employee inserts a program into the bank’s servers that deducts a small amount of money (say Rs. 5 a month) from the account of every customer. Probably no account holder will notice this unauthorized debit, but the bank employee will make a sizeable amount of money every month.
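Seen from the bank's side, the salami pattern described above is detectable because each debit is negligible but the same debit recurs across almost every account. The following is an added example, not part of the original slides: the ledger layout, the transaction codes (`FEE01`, `ADJ77`, `ATMWD`) and the thresholds are all assumptions, and the ledger itself is constructed sample data.

```python
from collections import defaultdict
from decimal import Decimal

def build_sample_ledger():
    """Constructed ledger rows: (account_id, month, txn_code, debit in rupees).
    FEE01 is a hypothetical authorised fee; ADJ77 is the hidden Rs. 5 debit."""
    ledger = []
    for n in range(1, 201):
        acct = f"AC{n:04d}"
        for month in ("2024-01", "2024-02"):
            ledger.append((acct, month, "ADJ77", Decimal("5.00")))
            if n % 2 == 0:  # only half the customers are on the fee plan
                ledger.append((acct, month, "FEE01", Decimal("25.00")))
        if n % 10 == 0:  # ordinary withdrawals of varying size
            ledger.append((acct, "2024-01", "ATMWD", Decimal(100 * n)))
    return ledger

def find_salami_candidates(ledger, authorised_codes, max_amount, min_fraction):
    """Flag (month, code, amount) groups that take a small, identical debit
    from a large share of all accounts under a code nobody authorised."""
    all_accounts = {row[0] for row in ledger}
    groups = defaultdict(set)
    for acct, month, code, amount in ledger:
        if amount <= max_amount and code not in authorised_codes:
            groups[(month, code, amount)].add(acct)
    findings = []
    for (month, code, amount), accts in sorted(groups.items()):
        if len(accts) / len(all_accounts) >= min_fraction:
            findings.append({
                "month": month, "code": code, "amount": amount,
                "accounts": len(accts), "total": amount * len(accts),
            })
    return findings

if __name__ == "__main__":
    hits = find_salami_candidates(build_sample_ledger(), {"FEE01"},
                                  max_amount=Decimal("50"), min_fraction=0.9)
    for hit in hits:
        print(hit)
```

The per-account amount never crosses a materiality threshold, so the check aggregates by code and amount and reports the monthly total instead.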
  • 29.
    • DEFAMATION
    • India’s first case of cyber defamation was reported when a company’s employee started sending derogatory, defamatory and obscene e-mails about its Managing Director. The e-mails were anonymous and frequent, and were sent to many of their business associates to tarnish the image and goodwill of the company.
    • The company was able to identify the employee with the help of a private computer expert and moved the Delhi High Court. The court granted an ad-interim injunction and restrained the employee from sending, publishing and transmitting e-mails that are defamatory or derogatory to the plaintiffs.
  • 30. TROJAN HORSES
    • In the 12th century BC, Greece declared war on the city of Troy. The dispute arose because the prince of Troy and the Queen of Sparta eloped, declaring that they intended to marry.
    • The Greeks besieged Troy for 10 years but met with no success as Troy was very well fortified. In a last effort, the Greek army pretended to be retreating, and left behind a huge wooden horse. The people of Troy saw the horse and thought it was a gift from the Greeks. They pulled the horse into their city, unaware that the hollow wooden horse had some of the best Greek soldiers hiding inside it. Under the cover of night, the soldiers snuck out and opened the gates of the city, and later, together with the rest of the army, besieged and destroyed Troy.
    • Similar to the wooden horse, a Computer Trojan (also referred to as Trojan Horse program) pretends to do one thing while actually doing something completely different.
    • A Trojan Horse program is a program that appears to have some useful or benign purpose, but really masks some hidden malicious functionality.
    • Today’s Trojan horses try to sneak past computer security fortifications (such as firewalls) by employing similar trickery. By looking like normal software, Trojan horse programs are used for the following goals:
    • Duping a user or system administrator into installing the Trojan horse in the first place. In this case, the Trojan horse and the unsuspecting user become the entry vehicle for the malicious software on the system.
  • 31.
    • Blending in with the “normal” programs running on a machine. The Trojan horse camouflages itself to appear to belong on the system so users and administrators continue their activity, unaware of the malicious code’s presence.
    Attackers have devised a myriad of methods for hiding malicious capabilities inside their wares on your computer. These techniques include
    • employing simple, yet highly effective naming games,
    • using executable wrappers,
    • attacking software distribution sites,
    • manipulating source code,
    • co-opting software installed on your system, and
    • disguising items using polymorphic coding techniques.
    As we discuss each of these elements, we must bear in mind that the attackers’ main goal is to disguise the malicious code so that the victims do not realize what the attacker is up to.
  • 32. Types of Trojans
    The most common types of Trojans found today are:
    1. Remote Administration Trojans (RATs)
    • These are the most popular Trojans. They let a hacker access the victim's hard disk, and also perform many functions on his computer (shut down his computer, open and shut his CD-ROM drive etc.).
    • Modern RATs are very simple to use. They come packaged with two files: the server file and the client file. The hacker tricks someone into running the server file, gets his IP address and gets full control over the victim computer.
    • Some Trojans are limited in their functions, but more functions also mean larger server files. Some Trojans are merely meant for the attacker to use them to upload another Trojan to the target's computer and run it; hence they take very little disk space. Hackers also bind Trojans into other programs, which appear to be legitimate, e.g. a RAT could be bound with an e-greeting card.
    • Most RATs are used for malicious purposes: to irritate or scare people or harm computers. There are many programs that detect common Trojans. Firewalls and anti-virus software can be useful in tracing RATs.
    • RATs open a port on your computer and bind themselves to it (make the server file listen to incoming connections and data going through these ports). Then, once someone runs his client program and enters the victim's IP address, the Trojan starts receiving commands from the attacker and runs them on the victim's computer.
    • Some Trojans let the hacker change this port into any other port and also put a password so only the person who infects the specific computer will be able to use the Trojan. In some cases the creator of the Trojan would also put a backdoor within the server file itself so he'll be able to access any computer running his Trojan without the need to enter a password.
    • This is called "a backdoor within a backdoor", e.g. CIA, Netbus, Back Orifice, Sub7.
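Because a RAT's server file has to bind a listening port, and the port can be changed, a defender gets more from comparing every listener against a known-good baseline than from watching a list of "known Trojan ports". The following is an added example, not part of the original slides; it assumes a Linux host and the output format of `ss -H -ltnp`, and the sample output, process names and baseline are constructed.

```python
import re

# Constructed sample of `ss -H -ltnp` output; not taken from a real host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=901,fd=5))
LISTEN 0 5 0.0.0.0:12345 0.0.0.0:* users:(("svch0st",pid=4411,fd=4))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
"""

# Hypothetical baseline of (process, port) recorded while the host was clean.
BASELINE = {("sshd", 22), ("postgres", 5432), ("cupsd", 631)}

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')
LOOPBACK_PREFIXES = ("127.", "[::1]")

def parse_listeners(ss_output):
    """Turn each LISTEN line into a dict; process is None if ss could not see it."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        match = PROC_RE.search(line)
        listeners.append({
            "addr": addr, "port": int(port),
            "process": match.group(1) if match else None,
            "pid": int(match.group(2)) if match else None,
        })
    return listeners

def unexpected_listeners(ss_output, baseline):
    """Return listeners whose (process, port) pair is not in the baseline."""
    baseline_ports = {port for _, port in baseline}
    findings = []
    for entry in parse_listeners(ss_output):
        if (entry["process"], entry["port"]) in baseline:
            continue
        # Process hidden (ss run without privileges): fall back to port only.
        if entry["process"] is None and entry["port"] in baseline_ports:
            continue
        entry["remote_reachable"] = not entry["addr"].startswith(LOOPBACK_PREFIXES)
        findings.append(entry)
    return findings

if __name__ == "__main__":
    for finding in unexpected_listeners(SAMPLE_SS_OUTPUT, BASELINE):
        print(finding)
```

Matching on the process and port pair also catches an unfamiliar process listening on a port the baseline expects to belong to something else.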
  • 33.
    2. Password Trojans
    Password Trojans search the victim’s computer for passwords and then send them to the attacker or the author of the Trojan. Whether it's an Internet password or an email password, there is a Trojan for every password. These Trojans usually send the information back to the attacker via email.
    3. Privileges-Elevating Trojans
    These Trojans are usually used to fool system administrators. They can either be bound into a common system utility or pretend to be something harmless and even quite useful and appealing. Once the administrator runs it, the Trojan will give the attacker more privileges on the system. These Trojans can also be sent to less-privileged users and give the attacker access to their account.
    4. Key loggers
    These Trojans are very simple. They log all of the victim’s keystrokes on the keyboard (including passwords), and then either save them to a file or email them to the attacker once in a while. Key loggers usually don't take much disk space and can masquerade as important utilities, thus becoming very hard to detect.
    5. Joke Programs
    Joke programs are not harmful. They may pretend to be formatting your hard drive, sending all of your passwords to some hacker, or turning in all information about illegal and pirated software you might have on your computer to the police, etc. In reality, these programs do not do anything.
  • 34.
    6. Destructive Trojans
    • These Trojans can destroy the victim’s entire hard drive, encrypt or just scramble important files. Some might seem like joke programs, while they are actually destroying every file they encounter.
    • In an unreported case in India, a Trojan almost led to the death of a reporter: A young lady was working on an article about ‘online relationships’. During the course of researching for the article, she befriended many strangers online. One of these people remotely implanted a Trojan on her home computer. Staying in a small one-bedroom apartment in Mumbai, her computer was in one corner. Unknown to her, the Trojan had hijacked her web-camera and her microphone, both of which were attached to her computer.
    • Numerous pictures of her in compromising positions were hijacked by the hacker who then uploaded them on to a pornographic website. When the young lady came to know about it a year later, she attempted suicide. Fortunately she survived.
    • This is a shocking reminder of the disastrous effects that a Trojan can have.
  • 35. 1. UK child porn case
    • A British citizen, Julian Green, was arrested in October 2002 after the police raided his home and found 172 indecent pictures of children on the hard disk of his home computer.
    • Green was an IT contractor in the UK defence industry. He was a divorcee with two children. As a result of 13 paedophile related charges brought against him, he lost his job, was attacked and was unable to see his children.
    • Under British law the maximum sentence for possession of such images is ten years' imprisonment, and anyone convicted in such a matter would have become subject to registration with the police as a sex offender for a period of five years.
    • Green claimed that the pictures found on his computer had nothing to do with him and that he had no interest in pedophilia and had no pornographic magazines or videos at his home. He had no history of sexual offences and was an honest man trusted with a sensitive job that required security clearance.
    • An extensive examination of Green’s computer hard disk showed the presence of 11 Trojan horse programs. These Trojans were set to log onto "inappropriate sites" without Green's permission whenever he accessed the Internet. These Trojans were believed to have come from unsolicited emails that Green opened before he deleted them.
    • The charges against him were finally dropped on account of the discovery of these Trojans on his computer. In previous instances, the prosecution had been able to show that the Trojan defense was implausible. On behalf of the police, computer experts have been able to show that pictures were viewed and moved around the computer; that they did not appear in the locations that would indicate pop-ups; that there was no remaining indication of the spam email; and no evidence of any Trojan application.
  • 36.
    • Armed with this weight of evidence, courts have had no problem in dismissing the Trojan defense in other cases. In this case, though, it was certain that there was evidence: the Trojan was indeed found and it was discovered that it referred to the pedophile pictures explicitly. Experts were able to show that the defendant had not accessed the pictures and that he could not have known they were on his computer.
    • This final point is important. The actual offence under which most charges of computer pedophilia are brought is UK’s 1988 Criminal Justice Act. Section 160 makes it an offence to be in possession of an indecent photograph of a child.
    • In this case there was no dispute about the fact that the pictures were indeed on his computer and were indeed indecent photographs of children. There are, however, three defenses: that the picture was in his possession for a legitimate reason; that he had not seen the picture or had any reason to believe it was indecent; and that it was unsolicited and not kept for any length of time.
    • The first defense is the one that gives permission for experts working on behalf of the courts to possess the pictures in the course of their investigations.
    • The second and third defenses were claimed in this case: the pictures were not solicited and were not viewed. The third defense also provides protection for those increasingly common situations in which extreme material, including pedophile content, is being transmitted in spam.
  • 37. 2. The Texas port DoS case
    • Aaron Caffrey, a 19-year-old UK citizen, was accused of crashing systems at the port of Houston in Texas, USA. He faced a charge of unauthorized modification of computer material at a UK court.
    • During the trial, it was claimed Caffrey had perpetrated a complex crime, involving computer hacking, identity theft and fraudulent financial-market trading.
    • The prosecutor in the case claimed that Caffrey hacked into the computer server at the port in order to target a female chatroom user called Bokkie, following an argument. It was said in court that they had argued over anti-US remarks she had made. Caffrey, who suffers from a form of autism called Asperger's Syndrome, was said to be in love with an American girl called Jessica. The court was told he named his computer after her and dedicated his "attack script" to her. Scheduling computer systems at the port were bombarded with thousands of electronic messages on 20 September, 2001.
    • The attack froze the port's web service, which contained vital data for shipping, mooring companies and support firms responsible for helping ships navigate in and out of the harbor. An investigation by US authorities traced the computer's IP address to a computer at Caffrey's home. But the teenager claimed an unidentified third party had planted the instructions for the attack script on his website without his knowledge.
    • He also criticized the authorities for not uncovering the virus during their investigation. On the final day of the trial, Caffrey admitted being part of a group of hackers called Allied Haxor Elite, but denied he had ever illegally hacked into a computer.
    • The teenager told the court that hackers operated legally, but that people who entered computer systems illegally were known as "crackers". He said: "I have hacked into computers legally for friends to test their server security because they asked me to but never illegally."
    • Caffrey was found not guilty of computer crime after the jury accepted his story that attackers used an unspecified Trojan to gain control of his PC and launch the assault. The prosecution argued that no trace of Trojan infection was found on Caffrey's PC but the defense was able to counter this argument with testimony from Caffrey that it was possible for a Trojan to delete itself.
  • 38.
    Illustration:
    • In May 2002, Monkey.org, a website that distributes popular security and hacking tools, was hacked into.
    • The hackers modified the following tools distributed through Monkey.org:
      1. The Dsniff sniffing program,
      2. The Fragroute IDS evasion tool and
      3. The Fragrouter IDS evasion tool.
    • The hackers replaced each tool with a Trojan horse version that created a backdoor on the systems of anyone who downloaded and installed these tools.
    • This attack was especially lethal as these tools are widely used by security professionals as well as by hackers.
    Illustration:
    • From July 30 to August 1, 2002, an attacker loaded a Trojan horse version of the Open Secure Shell (OpenSSH) security tool onto the main OpenSSH distribution Website (OpenSSH is widely used to provide tight security for remote access to a system).
    • However, diligent administrators who tried to protect their systems by downloading this security tool in late July 2002, unwittingly installed a backdoor.
  • 39.
    Illustration:
    • From September 28 until October 6, 2002, a period of more than one week, the distribution point for the most popular email server software on the Internet was subverted.
    • The main FTP server that distributed the free, open source Sendmail program was Trojanized with a backdoor.
    Illustration:
    • From November 11 to 13, 2002, tcpdump, the popular sniffing program, and libpcap, its library of packet capture routines, were replaced with a Trojan horse backdoor on the main tcpdump website.
    • Not only is the tcpdump sniffer widely used by security, network, and system administrators around the world, but the libpcap (pronounced lib-pee-cap, which is short for “library for packet capture”) component is a building block for numerous other tools.
    • Administrators who installed tcpdump, libpcap, or any other package built on top of libpcap during this time frame were faced with a backdoor running on their systems.
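In each of the illustrations above the file was replaced on the project's own distribution point, so a checksum is only useful if the expected value comes from somewhere other than the server the file was downloaded from. The following is an added example, not part of the original slides: it checks a download directory against a `sha256sum`-style manifest that is assumed to have been obtained through a separate trusted channel. The function names are illustrative.

```python
import hashlib
import hmac
from pathlib import Path

HEX_DIGITS = set("0123456789abcdefABCDEF")

def parse_manifest(text):
    """Parse `sha256sum`-style lines: '<64 hex chars>  <filename>'."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # '*' marks binary mode in sha256sum output
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"malformed manifest line: {line!r}")
        if "/" in name or "\\" in name or name in ("", ".", ".."):
            raise ValueError(f"unsafe file name in manifest: {name!r}")
        expected[name] = digest.lower()
    return expected

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_downloads(directory, manifest_text):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing' | 'unlisted'}."""
    directory = Path(directory)
    expected = parse_manifest(manifest_text)
    report = {}
    for name, digest in expected.items():
        path = directory / name
        if not path.is_file():
            report[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), digest):
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    for path in directory.iterdir():
        if path.is_file() and path.name not in expected:
            report[path.name] = "unlisted"  # present on disk, never vouched for
    return report

def safe_to_install(report):
    """Only proceed when every file is listed and every digest matches."""
    return bool(report) and all(status == "ok" for status in report.values())
```

A manifest fetched from the same compromised server proves nothing, since whoever replaced the archive can replace the checksum file beside it.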
  • 40. PROTECTION TIPS:
    • Turn on the ‘auto update’ option for your browser and plug-ins.
    • Install anti-malware.
    • For extra security, run anti-malware products of different brands.
    • Set a strong password for your FTP.
    • Configure FTP client settings. Activate the option to “Always use SFTP”.
    • Avoid sites that do not look trustworthy.
    • Avoid sites in which ‘https’ is clearly removed.
    • Scan pen drives and flash drives when you insert them into your systems.
    • Scan your systems frequently.