The case of the Trojan Wookiee

Summary: The complex nature of trials involving Trojan horses and flaws in Windows not only puts juries to sleep, it also potentially opens the door to some wacky defence arguments

Aaron Caffrey walked free from Southwark Crown Court last week after being cleared of launching a DDoS attack on one of the busiest ports in the US, even though both the prosecution and the defence agreed that Caffrey's machine was responsible for launching the attack. He had a list of 11,608 IP addresses of vulnerable servers on his hard drive, and there was a 'suspicious' script on his system, signed by someone called Aaron, but the jury found him not guilty.

This is not the first time a Trojan horse has been used to explain illegal activity. In two recent cases, defendants were acquitted of child pornography-related offences by arguing that images found on their computers were placed there by hackers using Trojan horse programs.

In Caffrey's case, a Trojan horse was never discovered, but the defence counsel argued that a Trojan armed with a 'wiping tool' was responsible, giving control of the computer to an attacker who launched the DDoS attack, edited the system's log files and then deleted all traces of the Trojan.

Had the jurors been technology experts, or even computer-literate, I wonder if the ruling would have been the same. I spent most of the first week of the trial in the public gallery and found it didn't take long before the jury's eyes glazed over because the technical arguments sounded like a Russian version of Moby Dick that had been translated into English using Babelfish. By the third day, one of the jury members had to be discharged because of a severe migraine, which was indubitably brought on by the jargon.

The prosecution were confident they had enough evidence to prove their case, and in my own opinion that confidence was justified. However, it was the jury that had to be convinced, and that was impossible unless the prosecution could present the evidence in a manner that made sense to them -- and however they tried, they could not.

Professor Neil Barrett, technical director at Information Risk Management, seemed like the most knowledgeable person in the room and did a great job. With the help of a diagram, he tried to explain why it was impossible for anyone to have edited Caffrey's log files: had they done so, he said, the physical blocks of data on Caffrey's hard drive relating to the log file would have shown some fracturing. But since Barrett had not examined the actual hard drive, only a "forensically sound" image of it on CD, there was probably enough doubt to dismiss his testimony.

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

  • I was also one of the 161 Federal convictions last year. The same thing happened to me and I actually had some proof of an installed trojan. But, never went to trial due to money and being very scared of losing. I'd like to discuss my case (which involved the successful compromise of Wall St. Integrators' sites) with somebody who can advise me going forward.
  • Hang on, so what you're saying is lots of companies are running vital services on computers that can be taken down by a teenager with a personality disorder.
    What gives? There's enough books on how to protect systems out there. It's not like it was a terribly sophisticated attack that had never been tried before. Are there a lot of useless IT staff out there? Or do firms only take action after they have been hit? Looks like a job in IT security seems like a good bet, unless someone decides to start a 12-step program for Windows users. Anyone for Windoholics Anonymous?