The Trojan Horse: A viral defense?
By Matt Bean
(Court TV) -- In the latest bout of computer mischief, hackers have developed the ability to make their victims look like criminals.
New "Trojan horse" viruses -- downloaded via seemingly harmless e-mail, shared files or links -- allow a hacker to secretly take over someone's computer and then use it to send out more viruses, pornography or other illegal materials.
"They can basically come and go at will," said Paul Coggins, a former U.S. attorney from Texas. "The amount of damage they can do is incalculable, really. They might take over your e-mail, attach a kiddie porn picture, and send it out to everyone on your e-mail list with the subject line, 'Thought you might be interested in this.'"
In England, criminal complaints against two defendants have already been thrown out after their attorneys argued that child pornography on their computers was secretly installed by hackers. The technique can not only make the unwitting computer user appear guilty, but can complicate criminal cases in which a defendant's guilt is tied to his Web surfing, e-mailing, or file-downloading habits.
The problem for law enforcement is clear. Sophisticated sting techniques like Operation Candyman, which brought down more than 80 child porn downloaders and 27 child abusers in 2002, rely on hard-drive records to tie defendants to their surfing activity. If such records are made by a hacker, not the user, prosecuting those crimes becomes even more complex.
"How you're going to work that kind of presumption of innocence into these kind of evidentiary questions is something we're just beginning to come to grips with," said Lee Tien, the senior staff attorney for the Electronic Frontier Foundation, an Internet rights advocacy group in San Francisco. "I don't think the legal question has really been examined in any systematic way."
Tien views computer crime as a pendulum. At one end lies the belief that "if it's on your hard drive you must have deliberately put it there." At the other is the belief that "I must not have because someone could have planted it there."
The swing between the two extremes has concerned privacy and free speech advocates since the government began prosecuting child pornography cases in earnest in the late 1990s.
Coggins, who prosecuted dozens of child porn cases as a Texas prosecutor and now works at a Dallas-based intellectual property firm, Fish & Richardson, said that lawyers on both sides need to be aware of the problem.
"You've got to ask yourself the question, who's got access to this computer," he said. "Just bringing the charges can be devastating."
Julian Green, one of the two Englishmen on the wrong side of a Trojan virus attack, knows well the opprobrium that can come with a child porn prosecution.
Green was acquitted in August of possessing 172 images of child pornography after his lawyers successfully argued that a Trojan virus was responsible -- but not before he lost custody of his youngest child and his home, and served nine days in prison and three months in a halfway house for sexual offenders.
"I had never been in trouble before," Green told an English paper, The Evening Standard. "In cases like this it is not innocent until proven guilty, but the other way around."
The problem has not yet emerged in U.S. courts, but experts say it is only a matter of time.
As recently as this July, a virus thought to have originated in Russia infected 2,000 American computers and used them to shuttle pornography advertising around the world.
And in New York, a man was arrested for taking over dozens of computers. He installed a keystroke-logging program on several Kinko's computers, collected the login information of users who dialed up their home computers, and used it to exploit a remote-access program called GoToMyPC.
Though it raises new and important issues, say industry sources, the Trojan horse problem won't likely mint a new defense strategy: It's just a riff on the standard "not me" defense.
"There are a lot of child porn defendants who say, well, somebody else might have done it," said the EFF's Tien. "But it doesn't fare very well, for obvious reasons."
In the end, experienced computer forensics investigators should be able to tell whether the computer's owner, or a Trojan horse, spawned the material in question.
"You wouldn't want to just throw that out there as your defense," said Marcus Lawson, a computer forensic analyst who testified in the trial of convicted child rapist and murderer David Westerfield. "An experienced computer forensics person could tell you whether it was because of [a Trojan virus] or not."
Corroborating details, such as when the files were created on the computer, which directory they were created in, and when and how they were accessed, are all important to pinpointing the person responsible for the material.
And the virus itself, if still detectable, could suggest a hacker's presence.
"There would be a trace of the program that was left on the computer," said Josiah Roloff, a network security specialist who works with Coggins. "That's definitely something that should be looked at."
The hope, say experts, is that all of this could be determined long before hacking victims like Green and the other English defendant, who had 14 child porn pictures on his computer, become defendants.
"In many ways it helps that there's a public awareness that just because something is on someone's computer doesn't mean they put it there," said Coggins.