Trojan horse (computing): Difference between revisions

This article's tone or style may not reflect the encyclopedic tone used on Wikipedia. See Wikipedia's guide to writing better articles for suggestions. (Learn how and when to remove this message)

This article is about computer system security. For Odysseus's subterfuge in the Trojan War, see Trojan Horse.

In the context of computer software, a Trojan horse is a program that unlike a virus, contains or installs a malicious program (sometimes called the payload or 'trojan') while under the guise of being something else. The term is derived from the classical myth of the Trojan Horse. Trojan horses may appear to be useful or interesting programs (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed. (See Social engineering.)

Often the term is shortened to simply Trojan, even though this turns the adjective into a noun.

There are two common types of Trojan horses. One is otherwise useful software that has been corrupted by a hacker inserting malicious code that executes while the program is used. Examples include various implementations of weather alerting programs, computer clock setting software, and peer to peer file sharing utilities. The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives.

Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like viruses or worms. Just as the Greeks needed the Trojans to bring the horse inside for their plan to work, Trojan horse programs depend on actions by the intended victims. As such, if trojans replicate and even distribute themselves, each new victim must run the program/trojan. Therefore their virulence is of a different nature, depending on successful implementation of social engineering concepts rather than flaws in a computer system's security design or configuration.

However there is another meaning for the term 'Trojan Horse' in the field of computer architecture. Here it basically represents any piece of User Code which makes the Kernel Code access anything it would not have been able to access itself in the first place (i.e making the OS do something it wasn't supposed to be doing). Such security loopholes are called Trojan Horses.

Example of a simple Trojan horse

A simple example of a trojan horse would be a program named "waterfalls.scr" claiming to be a free waterfall screensaver which, when run, instead would allow access to the user's computer remotely.

Types of Trojan horse payloads

Trojan horse payloads are almost always designed to do various harmful things, but could be harmless. They are broken down in classification based on how they breach systems and the damage they cause. The nine main types of Trojan horse payloads are:

• Remote Access
• Email Sending
• Data Destructive
• Downloader
• Proxy Trojan (disguising others as the infected computer)
• FTP Trojan (adding or copying data from the infected computer)
• security software disabler
• denial-of-service attack (DoS)
• URL trojan (directing the infected computer to only connect to the internet via an expensive dial-up connection)

Some examples are:

• erasing or overwriting data on a computer
• encrypting files in a cryptoviral extortion attack
• corrupting files in a subtle way
• upload and download files
• allowing remote access to the victim's computer. This is called a RAT (remote administration tool)
• spreading other malware, such as viruses: this type of Trojan horse is called a 'dropper' or 'vector'
• setting up networks of zombie computers in order to launch DDoS attacks or send spam.
• spying on the user of a computer and covertly reporting data like browsing habits to other people (see the article on spyware)
• making screenshots
• logging keystrokes to steal information such as passwords and credit card numbers
• phishing for bank or other account details, which can be used for criminal activities
• installing a backdoor on a computer system
• opening and closing CD-ROM tray
• harvesting e-mail addresses and using them for spam
• restarting the computer whenever the infected program is started
• deactivating or interfering with anti-virus and firewall programs
• deactivating or interfering with other competing forms of malware

Time bombs and logic bombs

"Time bombs" and "logic bombs" are types of trojan horses.

"Time bombs" activate on particular dates and/or times. "Logic bombs" activate on certain conditions met by the computer.

Droppers

Droppers perform two tasks at once. A dropper performs a legitimate task but also installs a computer virus or a computer worm on a system or disk at the same time.

Methods of Infection

The majority of trojan horse infections occur because the user was tricked into running an infected program. This is why it is advised to not open unexpected attachments on emails -- the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a trojan or worm. The infected program doesn't have to arrive via email, though; it can be sent to you in an Instant Message, downloaded from a Web site or by FTP, or even delivered on a CD or floppy disk. (Physical delivery is uncommon, but if you were the specific target of an attack, it would be a fairly reliable way to infect your computer.) Furthermore, an infected program could come from someone who sits down at your computer and loads it manually. The chances of receiving the virus through an instant message are very low. It is usually received through a download.

Open ports:

Computers running their own servers (HTTP, FTP, or SMTP, for example), allowing Windows file sharing, or running programs that provide filesharing capabilities such as Instant Messengers (AOL's AIM, MSN Messenger, etc.) may have vulnerabilities similar to those described above. These programs and services may open a network port giving attackers a means for interacting with these programs from anywhere on the Internet. Vulnerabilities allowing unauthorized remote entry are regularly found in such programs, so they should be avoided or properly secured.

A firewall may be used to limit access to open ports. Firewalls are widely used in practice, and they help to mitigate the problem of remote trojan insertion via open ports, but they are not a totally impenetrable solution, either.

Some modern trojans that come through important looking messages, containing executable files that look similar to system files, for example "Svchost32.exe", resembling 'Svchost.exe'.

Road apple

A road apple is a real-world variation of a Trojan Horse that uses physical media and relies on the curiosity of the victim. The attacker leaves a malware infected floppy disc, CD ROM or USB key in a location sure to be found (bathroom, elevator, sidewalk), gives it a legitimate looking and curiosity piquing label - and simply waits.

Example: Get corporate logo off target's web site, make a disk label using logo and write "Executive Salary Summary Q1 2007" on the front.

Methods of Deletion

Since trojan horses take a variety of forms, there isn't a single method for deleting them. The simplest responses involve clearing the temporary internet files on a computer, or finding the file and deleting it manually. In some cases, registry editing or other treatments are needed.

Well-known trojan horses

• Downloader-EV
• Pest Trap
• NetBus
• flooder
• Tagasaurus

See also

• List of trojan horses
• Trojan-Proxy
• Spy software
• Farewell Dossier
• Malware
• Secure computing
• Social engineering (security)
• Remote administration tool
• Employee monitoring software
• Botnets

External links

• What is a Trojan Horse? Webopedia
• The Difference between a Virus, a Worm and a Trojan Horse Webopedia
• Analysis of targeted trojan e-mail attacks
• Trojan horses and how they are used en-masse in botnets Virus Bulletin's The World of Botnets by Dr Alan Solomon and Gadi Evron-->
• How to manually get rid of a trojan backdoor Symantec