A Trojan horse, or Trojan, in computing is generally a non-self-replicating type of malware program containing malicious code that, when executed, carries out actions determined by the nature of the Trojan, typically causing loss or theft of data, and possible system harm. The term is derived from the Ancient Greek story of the large wooden horse used to trick defenders of Troy into taking warriors concealed in the horse into their city in ancient Anatolia. The use of this name references how computer Trojans often employ a form of social engineering, presenting themselves as routine, useful, or interesting in order to persuade victims to install them on their computers.
A Trojan often acts as a backdoor, contacting a controller which can then have unauthorized access to the affected computer. While Trojans and backdoors are not easily detectable by themselves, computers may appear to run slower due to heavy processor or network usage. Malicious programs are classified as Trojans if they do not attempt to inject themselves into other files (computer virus) or otherwise propagate themselves (worm). A computer may host a Trojan via a malicious program that a user is duped into executing (often an e-mail attachment disguised to be unsuspicious, e.g., a routine form to be filled in), or by drive-by download.
Purpose
A Trojan may give a hacker remote access to a targeted computer system. Operations that could be performed by a hacker, or be caused unintentionally by program operation, on a targeted computer system include:
- Crashing the computer, e.g. with “blue screen of death” (BSOD)
- Data corruption
- Formatting disks, destroying all contents
- Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
- Electronic money theft
- Infects entire Network banking information and other connected devices
- Data theft, including confidential files, sometimes for industrial espionage, and information with financial implications such as passwords and payment card information
- Modification or deletion of files
- Downloading or uploading of files for various purposes
- Downloading and installing software, including third-party malware and ransomware
- Keystroke logging
- Watching the user’s screen
- Viewing the user’s webcam
- Controlling the computer system remotely
- Encrypting files; a ransom payment may be demanded for decryption, as with the CryptoLocker ransomware
- System registry modification
- Using computer resources for mining cryptocurrencies
- Using the infected computer as proxy for illegal activities and/or attacks on other computers.
Trojan horses in this way may require interaction with a malicious controller (not necessarily distributing the Trojan horse) to fulfill their purpose. It is possible for those involved with Trojans to scan computers on a network to locate any with a Trojan horse installed, which the hacker can then control.
Some Trojans take advantage of a security flaw in older versions of Internet Explorer and Google Chrome to use the host computer as an anonymizer proxy to effectively hide Internet usage, enabling the controller to use the Internet for illegal purposes while all potentially incriminating evidence indicates the infected computer or its IP address. The host’s computer may or may not show the internet history of the sites viewed using the computer as a proxy. The first generation of anonymizer Trojan horses tended to leave their tracks in the page view histories of the host computer. Later generations of the Trojan horse tend to “cover” their tracks more efficiently. Several versions of Sub7 have been widely circulated in the US and Europe and became the most widely distributed examples of this type of Trojan horse.
In German-speaking countries, spyware used or made by the government is sometimes called govware. Govware is typically a trojan horse software used to intercept communications from the target computer. Some countries like Switzerland and Germany have a legal framework governing the use of such software. Examples of govware trojans include the Swiss MiniPanzer and MegaPanzer and the German “state trojan” nicknamed R2D2.
Due to the popularity of botnets among hackers and the availability of advertising services that permit authors to violate their users’ privacy, Trojan horses are becoming more common. According to a survey conducted by BitDefender from January to June 2009, “Trojan-type malware is on the rise, accounting for 83-percent of the global malware detected in the world.” Trojans have a relationship with worms, as they spread with the help given by worms and travel across the internet with them.
The anti-virus company BitDefender has stated that approximately 15% of computers are members of a botnet, usually recruited by a Trojan infection.
Notable Trojan horses
- Netbus Advance System Care(by Carl-Fredrik Neikter)
- Subseven or Sub7(by Mobman)
- Back Orifice (Sir Dystic)
- Beast
- Zeus
- Flashback Trojan (Trojan BackDoor.Flashback)
- ZeroAccess
- Koobface
- Vundo
Trojan Types
Trojans can be grouped into seven primary types, which is simply their way of organizing them. In reality, it’s hard to place some Trojans into a single type, as many have more that one function. To better understand what Trojans can do, these types are outlined in the following list:
- Remote access Remote access Trojans (RAT) allow the attacker full control over the system. SubSeven is an example of this type of Trojan. Remote access Trojans are usually set up as client/server programs so that the attacker can connect to the infected system and control it remotely.
- Data sending The idea behind this type of Trojan is to capture and redirect data. Eblaster is an example of this type of Trojan. These programs can capture keystrokes, passwords, or any other type of information and redirect it to a hidden file or even email it there as a predefined email account.
- Destructive These Trojans are particularly malicious. Hard Disk Killer is an example of this type of Trojan. The sole purpose of these types of programs is to destroy files or wipe out a system. Your only warning of an infection might be that you see excessive hard drive activity or hear your hard drive making noise. However, it is most likely that by the time you realize something is wrong, your files might already have been wiped out.
- Denial of service (DoS) These Trojans are designed to cause a DoS. They can be designed to knock out a specific service or to bring an entire system offline.
- Proxy These Trojans are designed to work as proxies. These programs can help a hacker hide and allow him to perform activities from the victim’s computer, not his own. After all, the farther away the hacker is from the crime, the harder it becomes to trace.
- FTP These Trojans are specifically designed to work on port 21. They allow the hacker or others to upload, download, or move files at will on the victim’s machine.
- Security software disablers These Trojans are designed to attack and kill antivirus or software firewalls. The goal of disabling these programs is to make it easier for the hacker to control the system.
Infection Mechanisms
After a hacker has written a Trojan, he will still need to spread it. The Internet has made this much easier than it used to be. There are a variety of ways to spread malware, including
- Peer-to-peer networks (P2P) Although users might think that they are getting the latest copy of a computer game or the Microsoft Office package, in reality, they might be getting much more. P2P networks such as Kazaa, imesh, aimster, and gnutella are generally unmonitored and allow anyone to spread any programs they want, legitimate or not.
- Instant messaging (IM) IM was not built with any security controls. So, you never know the real contents of a file or program that someone has sent you. IM users are at great risk of becoming targets for Trojans and other types of malware.
- Internet Relay Chat (IRC) IRC is full of individuals ready to attack the newbies who are enticed into downloading a free program or application.
- Email attachments – Attachments are another common way to spread a Trojan. To get you to open them, these hackers might disguise the message to appear to be from a legitimate organization. It might also offer you a valuable price, a desired piece of software, or similar message to pique your interest. If you feel that you must investigate these programs, save them first and then run an antivirus on them.
- Physical access If a hacker has physical access to a victim’s system, he can just copy the Trojan horse to the hard drive. The hacker can even take the attack to the next level by creating a Trojan that is unique to the system or network. It might be a fake logon screen that looks like the real one or even a fake database.
- Browser bugs Many users don’t update their browsers as soon as updates are released. Web browsers often treat the content they receive as trusted. The truth is that nothing in a web page can be trusted to follow any guidelines. A website can send your browser data that exploits a bug in a browser, violates computer security, and might load a Trojan.
- Freeware Nothing in life is free, and that includes most software. Users are taking a big risk when they download freeware from an unknown source. Not only might the freeware contain a Trojan, but also freeware has become a favorite target for adware and spyware.
Trojans Tool Kits
Some malicious code writers have taken these tools even further by creating construction kits to build new, unique Trojans. Trojan construction kits make it relatively easy for even script kiddies to build Trojans. Several of these tools are shown in the following:
- Trojan horse construction kit is one example of such a destructive tool. This command-line utility allows you to construct a Trojan horse with a multitude of destructive behavior, such as destroying the partition table, MBR, or even the entire hard drive.
- Senna Spy is another example of a Trojan generator. It requires Visual Basic to compile the generated source code. It is capable of many types of custom options, such as file transfer, executing DOS commands, keyboard control, and list and control processes.
- Stealth tool is not a Trojan construction kit, but it’s close. Stealth tool is a program designed to make Trojans harder to detect. Its purpose is to change up the file by adding bytes, changing strings, or splitting and combining files. It includes a fake version of netstat to further help the hacker hide his deeds.