Trojan Horse


A Trojan horse is a seemingly useful program or command, such as a game, utility or software upgrade, that contains hidden malware. This malware performs some unwanted or harmful function, permits an attacker to gain access where they are not allowed, and is used to propagate a virus or worm or to install a backdoor. A backdoor is simply a secret entry point into a program that allows someone without legitimate access to bypass the normal security procedures.

It misrepresents itself as useful, routine, or interesting in order to persuade a victim to install it. The term is derived from the Ancient Greek story of the wooden horse that was used to help Greek troops invade the city of Troy by stealth.

By exploiting vulnerabilities in operating systems and browsers, attackers can sneak Trojan horse programs onto unsecured PCs. Unsuspecting and unprotected users can also download Trojans themselves, thinking they are legitimate game, music player, movie, or greeting card files. Trojans can also lurk in files shared between friends, family, and coworkers over peer-to-peer file sharing networks.

Trojans have traditionally hidden in worms and viruses spread by email, but they’re increasingly showing up in instant messages and on PDAs and cell phones. Organized crime rings have devised insidious new ways of delivering Trojans, and consumers must stay informed of the latest tricks. Protection against these multi-faceted attacks requires integrated anti-virus, firewall, and anti-spyware technologies.

Trojans are generally spread by some form of social engineering, for example where a user is duped into executing an e-mail attachment disguised as something innocuous (e.g., a routine form to be filled in), or by drive-by download. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller which then has unauthorized access to the affected computer. While Trojans and backdoors are not easily detectable by themselves, an infected computer may appear to run slower due to heavy processor or network usage.

Unlike computer viruses and worms, Trojans generally do not attempt to inject themselves into other files or otherwise propagate themselves.

Infection Mechanisms

After a hacker has written a Trojan, he still needs to spread it. The Internet has made this much easier than it used to be. There are a variety of ways to spread malware, including:

  • Peer-to-peer networks (P2P) – Although users might think that they are getting the latest copy of a computer game or the Microsoft Office package, in reality they might be getting much more. P2P networks such as Kazaa, iMesh, Aimster, and Gnutella are generally unmonitored and allow anyone to spread any program they want, legitimate or not.
  • Instant messaging (IM) – IM was not built with any security controls, so you never know the real contents of a file or program that someone has sent you. IM users are at great risk of becoming targets for Trojans and other types of malware.
  • Internet Relay Chat (IRC) – IRC is full of individuals ready to attack newbies who are enticed into downloading a free program or application.
  • Email attachments – Attachments are another common way to spread a Trojan. To get you to open them, the hacker might disguise the message to appear to be from a legitimate organization. It might also offer you a valuable prize, a desired piece of software, or a similar lure to pique your interest. If you feel that you must investigate such a program, save it first and then run an antivirus scan on it before opening it.
  • Physical access – If a hacker has physical access to a victim’s system, he can simply copy the Trojan horse to the hard drive. The hacker can even take the attack to the next level by creating a Trojan that is unique to the system or network. It might be a fake logon screen that looks like the real one or even a fake database.
  • Browser bugs – Many users don’t update their browsers as soon as updates are released. Web browsers often treat the content they receive as trusted, but nothing in a web page can be trusted to follow any guidelines. A website can send your browser data that exploits a bug in the browser, violates computer security, and might load a Trojan.
  • Freeware – Nothing in life is free, and that includes most software. Users are taking a big risk when they download freeware from an unknown source. Not only might the freeware contain a Trojan, but freeware has also become a favorite carrier for adware and spyware.
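The email attachment item above recommends saving a suspicious attachment and scanning it before opening it. The following script is an added example, not part of the original tutorial, of the kind of first-pass triage a defender can run on a saved attachment: it compares the file's claimed extension with its real format (read from the leading magic bytes) and flags double extensions such as "form.pdf.exe", which display as "form.pdf" when the operating system hides known extensions. The sample files, the extension sets and the magic-byte table are constructed for the example; a real deployment would feed the findings into an antivirus scan rather than replace one.

```python
"""Triage of saved e-mail attachments before they are opened.

Added example (not from the original tutorial). Sample attachments are
constructed in a temporary directory so the script runs offline.
"""
import os
import tempfile

# Leading bytes of common directly-executable formats (well-known values).
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter line",
}

# Extensions a user would reasonably treat as "just a document" (assumed set).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".txt", ".rtf", ".jpg", ".png"}
# Extensions that Windows or a shell will execute directly (assumed set).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".js", ".vbs", ".ps1"}


def sniff_type(path):
    """Describe the file's real format from its first bytes."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, description in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return description
    return "unknown/plain data"


def triage_attachment(path):
    """Return a list of findings for one saved attachment (empty = nothing found)."""
    findings = []
    name = os.path.basename(path)
    parts = name.lower().split(".")
    extensions = ["." + p for p in parts[1:]]      # every extension in the name
    final_ext = extensions[-1] if extensions else ""

    # 1. The attachment is directly executable, whatever the mail said it was.
    if final_ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"directly executable attachment: {name}")
    # 2. Double extension: "form.pdf.exe" looks like "form.pdf" once the OS
    #    hides the final, known extension.
    if len(extensions) >= 2 and final_ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"double extension hides executable: {name}")
    # 3. Content/extension mismatch: a "document" whose bytes are a PE,
    #    ELF or interpreter script.
    real_type = sniff_type(path)
    if final_ext in DOCUMENT_EXTENSIONS and real_type != "unknown/plain data":
        findings.append(f"content is {real_type} but extension is {final_ext}: {name}")
    return findings


def build_samples():
    """Create constructed sample attachments; returns {file name: path}."""
    tmp = tempfile.mkdtemp(prefix="attach-")
    samples = {
        "form.pdf": b"%PDF-1.4\n% constructed harmless placeholder document\n",
        "form.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,   # PE magic only, not a real binary
        "notes.txt": b"#!/bin/sh\necho constructed placeholder\n",
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,
    }
    paths = {}
    for name, data in samples.items():
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths[name] = path
    return paths


if __name__ == "__main__":
    for name, path in build_samples().items():
        print(name, "->", triage_attachment(path) or ["no finding"])
```

The script only looks at names and the first few bytes, so a Trojan inside an archive or an Office container (both start with the ZIP signature "PK") is not unpacked here; that is the point at which the antivirus scan the tutorial recommends takes over.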

Trojan Tool Kits

Some malicious code writers have taken these tools even further by creating construction kits to build new, unique Trojans. Trojan construction kits make it relatively easy for even script kiddies to build Trojans. Several of these tools are described below:

  • Trojan horse construction kit – This is one example of such a destructive tool. It is a command-line utility that allows the user to construct a Trojan horse with a multitude of destructive behaviors, such as destroying the partition table, the MBR, or even the entire hard drive.
  • Senna Spy – This is another example of a Trojan generator. It requires Visual Basic to compile the generated source code. It supports many custom options, such as file transfer, executing DOS commands, keyboard control, and listing and controlling processes.
  • Stealth tool – This is not a Trojan construction kit, but it is close. Stealth tool is a program designed to make Trojans harder to detect. Its purpose is to alter the file by adding bytes, changing strings, or splitting and combining files. It includes a fake version of netstat to further help the hacker hide his activity, which is why a defender should never trust the output of network tools on a suspected host without verifying the tools themselves.

Types

Trojans are classified according to the type of actions that they can perform on your computer:

  • Backdoor – A backdoor Trojan gives malicious users remote control over the infected computer. It enables the author to do anything they wish on the infected computer, including sending, receiving, launching, and deleting files, displaying data, and rebooting the computer. Backdoor Trojans are often used to unite a group of victim computers into a botnet or zombie network that can be used for criminal purposes.
  • Exploit – Exploits are programs that contain data or code that takes advantage of a vulnerability within application software running on your computer.
  • Rootkit – Rootkits are designed to conceal certain objects or activities in your system. Often their main purpose is to prevent malicious programs from being detected, in order to extend the period in which those programs can run on an infected computer.
  • Trojan-Banker – Trojan-Banker programs are designed to steal your account data for online banking systems, e-payment systems, and credit or debit cards.
  • Data sending – The idea behind this type of Trojan is to capture and redirect data. Eblaster is an example of this type of Trojan. These programs can capture keystrokes, passwords, or any other type of information and redirect it to a hidden file or even email it to a predefined email account.
  • Destructive – These Trojans are particularly malicious. Hard Disk Killer is an example of this type of Trojan. The sole purpose of these programs is to destroy files or wipe out a system. Your only warning of an infection might be excessive hard drive activity or the sound of the drive working; most likely, by the time you realize something is wrong, your files have already been wiped out.
  • Denial of service (DoS) – These Trojans are designed to cause a DoS. They can be designed to knock out a specific service or to bring an entire system offline.
  • Proxy – These Trojans are designed to work as proxies. They help a hacker hide by letting him perform activities from the victim’s computer rather than his own; the farther away the hacker is from the crime, the harder it becomes to trace.
  • Trojan-Spy – Trojan-Spy programs can spy on how you’re using your computer, for example by tracking the data you enter via your keyboard, taking screen shots, or getting a list of running applications.
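The backdoor and proxy types above, and the earlier remark that an infected machine may show heavy network usage, both leave host-level traces that a defender can look for: an unexpected listening port, one process talking to many remote hosts, or a network-active binary running from a user-writable directory. The script below is an added example, not from the original tutorial, that applies those three checks to a constructed snapshot in the format of Windows `netstat -ano` output together with an assumed process table (the kind of mapping `tasklist` would give). All addresses, PIDs, paths and thresholds are constructed for the example. Because the tutorial notes that stealth tools ship a fake netstat, the block also includes a small hash comparison so the tool's binary can be checked against a known-good value before its output is believed.

```python
"""Host-level indicators of a backdoor or proxy Trojan.

Added example (not from the original tutorial). The netstat snapshot,
process table, allow-list and thresholds below are all constructed.
"""
import hashlib
from collections import defaultdict

# Constructed snapshot in the layout of Windows "netstat -ano" output.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:49812         203.0.113.7:6667       ESTABLISHED     4120
  TCP    10.0.0.5:49813         198.51.100.2:443       ESTABLISHED     2208
  TCP    10.0.0.5:49820         203.0.113.9:25         ESTABLISHED     5044
  TCP    10.0.0.5:49821         203.0.113.10:25        ESTABLISHED     5044
  TCP    10.0.0.5:49822         203.0.113.11:25        ESTABLISHED     5044
  TCP    10.0.0.5:49823         203.0.113.12:25        ESTABLISHED     5044
  UDP    0.0.0.0:5353           *:*                                    2208
"""

# Assumed PID -> image path mapping (what "tasklist" would report).
PROCESSES = {
    4: "System",
    912: r"C:\Windows\System32\svchost.exe",
    2208: r"C:\Program Files\Browser\browser.exe",
    4120: r"C:\Users\alice\AppData\Local\Temp\update.exe",
    5044: r"C:\Users\alice\AppData\Roaming\helper.exe",
}

EXPECTED_LISTENERS = {4, 912}   # processes allowed to listen on this host (assumed)
FANOUT_THRESHOLD = 3            # distinct remote hosts from one process (assumed)


def parse_netstat(text):
    """Turn netstat -ano lines into dicts; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""   # UDP rows carry no state
        records.append({"proto": proto, "local": local, "foreign": foreign,
                        "state": state, "pid": int(parts[-1])})
    return records


def analyse(records):
    """Return (rule, pid, detail) findings for backdoor/proxy-style behaviour."""
    findings = []
    remote_hosts = defaultdict(set)
    for rec in records:
        path = PROCESSES.get(rec["pid"], "<unknown>")
        # Rule 1: a listening socket owned by a process not expected to serve.
        if rec["state"] == "LISTENING" and rec["pid"] not in EXPECTED_LISTENERS:
            port = rec["local"].rsplit(":", 1)[1]
            findings.append(("unexpected_listener", rec["pid"], f"port {port} opened by {path}"))
        if rec["state"] == "ESTABLISHED":
            remote_hosts[rec["pid"]].add(rec["foreign"].rsplit(":", 1)[0])
    for pid, hosts in remote_hosts.items():
        path = PROCESSES.get(pid, "<unknown>")
        # Rule 2: one process fanning out to many hosts (proxy, spam bot).
        if len(hosts) >= FANOUT_THRESHOLD:
            findings.append(("fan_out", pid, f"{len(hosts)} remote hosts from {path}"))
        # Rule 3: network-active binary living in a user-writable profile directory.
        if "\\appdata\\" in path.lower():
            findings.append(("user_writable_path", pid, f"network-active binary at {path}"))
    return findings


def tool_matches_known_good(tool_bytes, expected_sha256):
    """Compare a tool image against a vendor-published hash before trusting it."""
    return hashlib.sha256(tool_bytes).hexdigest() == expected_sha256


if __name__ == "__main__":
    for rule, pid, detail in analyse(parse_netstat(NETSTAT_OUTPUT)):
        print(f"{rule:20} pid={pid:<5} {detail}")
```

The process table and allow-list would come from the machine under review; on a host where a stealth tool may have replaced netstat, collect the snapshot with a copy of the tool whose hash matches the known-good value, or from boot media.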

Impact

Today, Trojans can be spread by browser drive-bys, where the program is downloaded in the background when you simply surf to a rigged web site. Shell code runs a Trojan that downloads additional payload code over HTTP: various forms of bots, spyware, back doors, and other Trojan programs. Hackers then send phishing emails to lure users to web sites where unsuspecting victims are tricked into revealing personal information. Hackers can also exploit security weaknesses on sites and then piggyback their Trojans onto legitimate software to be downloaded by trusting consumers. If installed or run with elevated privileges, a Trojan will generally have unlimited access. What it does with this power depends on the motives of the attacker.

Destructive

  • Crashing the computer or device.
  • Modifying or deleting files.
  • Corrupting data.
  • Formatting disks, destroying all contents.
  • Spreading malware across the network.
  • Spying on user activities and accessing sensitive information.

Use of resources or identity

  • Use of the machine as part of a botnet (e.g. to perform automated spamming or to take part in distributed denial-of-service attacks)
  • Using computer resources for mining cryptocurrencies
  • Using the infected computer as proxy for illegal activities and/or attacks on other computers.
  • Infecting other connected devices on the network.

Money theft, ransom

  • Electronic money theft
  • Installing ransomware such as CryptoLocker

Data theft

  • Data theft, including for industrial espionage
  • User passwords or payment card information
  • User personally identifiable information
  • Trade secrets

Spying, surveillance or stalking

  • Keystroke logging
  • Watching the user’s screen
  • Viewing the user’s webcam
  • Controlling the computer system remotely
