Trojan horse (computer program)

from Wikipedia, the free encyclopedia

As a Trojan horse ( English Trojan horse ), in computer jargon short Trojans called, refers to a computer program that is disguised as a useful application, but fulfills a different function in the background without the user's knowledge.

Trojan horses are among the undesirable or harmful programs known as malware . The term is often used colloquially as a synonym for computer viruses and as a generic term for backdoors and rootkits , but must be clearly differentiated.

Etymology and spelling

The name is metaphorically derived from the Trojan horse of mythology . According to legend, the impregnable city of Troy could only be captured by a trick: the attackers presented the residents with a huge wooden horse as an offer of peace. Enemy soldiers were hiding inside, gaining access to the city center. Since then, the term “Trojan horse” has been synonymous with “pretending to be something”. Similarly, a Trojan, disguised as something useful, intends to be brought into the protected area of ​​the system by the attacked person himself.

The formerly binding set of rules of the Dudens classifies the two identical terms differently after the spelling reform of 1996 . The recommendation of the EDP term is the lower case Trojan horse and that of the mythological “ name ” is upper case.


Trojan horses are programs that are deliberately smuggled onto third-party computers, but can also get there by chance, and which perform functions not mentioned for the user. They are disguised as useful programs, for example by using the filename of a useful file, or by actually having useful functionality in addition to their hidden function .

Many Trojan horses stealthily install malware on the computer while they are running . These malicious programs then run independently on the computer, which means that they cannot be deactivated by exiting or deleting the Trojan program. So can u. a. Independent spy programs get onto the computer (e.g. sniffers or components that record keystrokes, so-called keyloggers ). It is also possible to secretly install a backdoor program that allows the computer to be controlled remotely over a network (e.g. the Internet) without being noticed.

However, Trojan horses do not necessarily have to install malware. Any program to which important functionality has been added that is unrelated to the obvious part of the program is by definition a Trojan horse as long as the function is not disclosed to the user. Therefore it is even possible that the hidden part of the program does not cause any direct damage.

Types of Trojan horses

Numerous Trojan horses are created by combining two independent programs into a single program file. A linker (also called a binder or joiner ) attaches the second program to any executable host file, without this process having any effect on the functionality of both programs. By starting the first program, the hidden second program is started unnoticed. The author of the Trojan Horse can misuse any executable file as a host program with the help of an appropriate utility program without having to have programming knowledge.

There are Trojan horses that secretly start an installation routine. This type of trojan is often used to silently install malware on a system as soon as the trojan horse is executed. That is why they are called “droppers” (from the English to drop - “to put something in the system”). An autostart mechanism usually ensures that the malware is automatically loaded every time the computer is restarted. The Trojan horse is no longer required on this system for the malware to start.

In contrast, there are also Trojan horses that hide the secret functions within themselves. If the Trojan horse is terminated or deleted, the secret functions are no longer available. An example of this are numerous plug-ins . A plug-in is a kind of expansion module for a specific program with which additional functions can be added. A Trojan horse disguised as a useful browser plug-in can run on a web browser, for example to communicate with the Internet via the browser, thereby easily bypassing a firewall .

In general, it is also possible for a Trojan horse to use the external interface of a program. Similar to a plug-in Trojan, this type of Trojan also requires an existing program by the user. It often uses the possibilities of the operating system to influence the program in its work. Such a Trojan horse can start the existing browser and open an invisible window, use it to establish an Internet connection and thus send data to the attacker. Here, too, a firewall cannot prevent the clandestine connection being established if the connection to the Internet has been allowed for the browser. The advantage of this method over a plug-in Trojan is that it can independently set up an Internet connection, i.e. not only when the user has started the web browser.

To spread Trojan horses

Trojan horses can get on a computer in any way that brings data to the computer. These are in particular disk or network connections such as the Internet (eg. As file sharing , prepared websites ( see Drive-by download ), shipment by e-mail ). The Trojan horse is then distributed by the user of the computer himself. Depending on the attractiveness of the bogus program, the probability increases that the user will pass the program on to other users.

A computer worm that transports the Trojan horse is usually used for spreading via e-mail . However, the fact that it appears to be spreading does not make the Trojan itself a virus . Rather, two pests are used in combination: A worm that transports the Trojan horse as an attachment.

In 2006, 55.6% of the malicious programs registered by the Federal Information Network were Trojan horses, while only 9.9% were viruses. Vulnerabilities in browsers and office applications are sometimes exploited on the day they become known. Modern Trojans are now difficult to detect by virus scanners.

The malicious routine

As a rule, the Trojan horse program is started directly by the user of a computer, which gives it access authorization to use all functions that the logged on user is also allowed to access. The malicious routine can therefore independently or remotely carry out all actions undetected that the computer user could deliberately carry out (the same applies to all kinds of malicious programs that a Trojan horse secretly installs on the computer). Since numerous users work permanently with administration rights out of convenience or ignorance, the spectrum of manipulation options through the malicious routine is unlimited.

Here are some typical malicious functions:

  • Monitoring of data traffic or all user activities with the help of sniffers .
  • Spying on sensitive data ( passwords , credit card numbers , account numbers and the like), copying and forwarding files.
  • Remote control of the computer by strangers, etc. a. for criminal purposes, e.g. B. for sending advertising e-mails or carrying out DoS attacks .
  • Deactivation or replacement of security-relevant computer services (such as an anti-virus program or a personal firewall ).
  • Installation of illegal dialer programs (secret dialing in to telephone premium rate numbers , sending premium SMS for a fee ), which causes financial damage to the injured party.
  • Use of memory resources to store illegal files in order to make them available to other users on the Internet from here.
  • Display of unwanted advertising or redirecting the surfing user to prepared websites (see also phishing ).
  • Encryption of files stored on the computer to extort ransom money ( ransomware ).

It is conceivable that the hidden program part of the Trojan horse does not cause any direct damage. For example, if the program sends insensitive data to the programmer without the knowledge of the user that is unrelated to the program, and the obvious part of the program does not allow any conclusions to be drawn about the hidden functionality, the program fulfills all the conditions to be classified as a Trojan horse to become, although it does no direct harm. On the other hand, a secret function can also become a malicious routine without the program developer having intended it. In relation to this example, this would be the case if the program was used in an environment not foreseen by the developer. There, the secret data transfer could, for example, lead to the establishment of an Internet connection and thus cause costs without being asked.

The camouflage

Under Unix , frequently used commands such as ls (list files) or ps (display of running processes) are often replaced by Trojan horses. On the one hand, they are only noticeable when comparing their checksums; on the other hand, this increases the likelihood that an administrator will start the Trojan horse, which gives them extended access rights without attracting attention through manipulated file rights.

In contrast to Unix, in a Microsoft Windows operating system an executable program is not recognized by its file rights. Rather, the extension of the file name determines whether and how the file is executed. Since Trojan horses can only work if someone starts their code, they too are forced to use an appropriate file extension, such as .exe, .com, .scr, .bat, .cmd, .vbs, .wfs, .jse, .shs, .shb, .lnkor .pif. In the standard configuration, however, the operating system does not display these file extensions in Explorer. This allows a Trojan horse to be masked as a file of any kind. Many executable file formats also allow icons to be assigned to a file, so that a damaging file “ Bild.jpg.exe” is not only Bild.jpgdisplayed to the user as “ ”, but can also receive the icon of an image file and thus appear with the Windows configuration mentioned above is indistinguishable from a harmless image file at first glance.

Another popular way of masking is to hide a file extension with the help of numerous spaces. At harmlos.txt<zahlreiche Leerzeichen>Checked By Norton Antivirus.exefirst glance , a file named “ ” appears to the user like a text file, although the rest of the file name is often only interpreted as a hint. Depending on the program that is displaying the file, it may also happen that the complete file name cannot be seen, which means that the user does not even see the * .exe extension of the file. Because many users are unfamiliar with masking, Trojan horses often run unnoticed.

Another possibility to hide executable code under a "harmless" file extension is offered by programs that analyze the file type independently of its extension and treat it according to its actual type. As an example, it is theoretically not possible to store executable macro code in an RTF file, since this file format does not support macros. However, a file named “ gefährlich.doc”, which is renamed to “ harmlos.rtf”, is recognized by Office as a DOC file based on the file content, whereupon the macro code stored in it is executed despite the file extension .rtf.

Trojan horses based on an exploit are also an exception here. They take advantage of programming errors or other weaknesses in a program to get their code to execute. Depending on the program on whose vulnerability the Trojan horse is based, it can be hidden in any file type, including files that are normally not executable. There are, for example, Trojan horses whose code was stored in a graphic file. Assuming a vulnerability in the respective browser, it is also possible to prepare a website in such a way that simply calling up the page leads to the execution of the Trojan code. E-mail programs that automatically display the HTML code of a message also run the risk of malicious code executing as soon as the message is read. However, the Trojan code can only be started if the loaded file is actually opened with the program for which the Trojan horse is intended.

Often times, Trojan horses use filenames that make it difficult to distinguish them from important system files. To do this, they usually put themselves in confusing directories, such as B. in the Windows system folder. If they are loaded via an autostart entry in the registry, they are also happy to use obfuscation techniques such as this entry: "c: \ windows \ system32 \ userinit.exe \\ localhost \ IPC $ -n" . When checking all of the autostart entries, a possible search on the Internet will reveal that this is userinit.exea regular part of the operating system. And checking the file will confirm to the user that it is the original (even with a possible certificate). Also "\\ localhost \ IPC $" is a regular, system-generated default share for internal purposes. Everything seems to be fine, except for the fact that "c: \ windows \ system32 \ userinit.exe" is not loaded here, but "IPC $ -n.exe" , which is in the directory "c: \ windows \ system32 \ userinit.exe \ localhost \ " is located (whereby under the current versions of Windows the supposed space before" \ localhost \ "must actually be a special character, which can be generated with Alt + 255). In addition to the different storage locations of a file, the spelling of the file name can also differ from the "original", for example the file name should be scvhost.exereminiscent of the file svchost.exe.

Differentiation from the computer virus

In contrast to a computer virus , the Trojan horse lacks the ability to spread independently. If a file virus is called, it reproduces itself by infiltrating other files. A file infected by a virus thus consists of two components: the host file (any program) and the virus attached there .

Because the host program has been infected, it contains a hidden component that loads the virus into the system unnoticed when the program starts. This means that the host file (but not the virus) fulfills all the conditions to be classified as a Trojan horse. Strictly speaking, every file infected by a virus is a Trojan horse. The virus definition, on the other hand, only includes the growing virus code and its malicious routine, but not the infected file that houses the virus.

This exact distinction is seldom made in the professional world. A program to be classified is usually only referred to as a Trojan horse if it was expanded to include a malicious component not by chance by a virus, but by its developer or with the help of a tool. This means that the usage of the language only partially does justice to the definition that was widespread in parallel.

The Trojan horse as a means of spreading viruses

If the programmer of the secret part of the program has intended it, Trojan horses can also be used to spread viruses. For example, a Trojan program disguised as a game could use the malicious routine e.g. B. Macro viruses attach to office files while the game is running. The Trojan horse would no longer be needed on the infected system, as the virus can now spread automatically as soon as one of the infected files is opened. The Trojan horse merely introduced the virus into the system.

Programs with linked Trojan and virus functionality

It is difficult to distinguish between Trojan horse and virus if, for example, the malicious routine copies the Trojan horse in addition to its other function. In this way it can get to other data carriers unnoticed. The fact that its own program code is secretly reproduced means that the program fulfills all the requirements to be classified as a virus. Therefore, such a file is a Trojan horse and a virus combined in one program.

Differentiation from the generic term for backdoors and rootkits

Sometimes malware secretly installed by a Trojan horse is also referred to as a “Trojan horse”. Based on the associative origin of the term from Greek mythology, according to this thesis, the wooden frame used for camouflage would not be the Trojan horse, but also the soldiers hidden in it.

As an example, a Trojan horse could secretly install a backdoor program. An intruder will now access the installed program and not the Trojan horse, which in this case only acted as an auxiliary program for the stealth installation. It can then be deleted at any time without this affecting the further function of the backdoor program. Such utility programs are by definition Trojan horses because they pretend to be a useful application (e.g. a game or a screen saver) but perform functions that are not mentioned to the user and have no connection with the obvious part of the program (here the secret Installation of the backdoor).

The majority of "common" Trojan Horses install or contain backdoor programs or rootkits , but do not necessarily have to contain them. There are various other programs that are known as Trojans (e.g. those whose malicious routine sends user data).

Historical summary

Almost three years after Daniel Edwards presented a theoretical concept that he dubbed “Trojan horse” in 1972 to characterize a particular computer security threat, his hypothesis came true. The game "Pervading Animal" from 1975 was written for the Univac 1108 and is referred to as the first known Trojan horse. The rules of the game stipulated that the player had to think of an animal that the program tried to guess by asking specific questions. If the animal could not yet be identified, the program updated itself and asked a new question, each time the old version of the program was overwritten by the updated version. In addition, the program secretly copied itself into other directories, so that after a certain time the entire system was filled with copies of this program. The question of whether this was a programming error or an intended damage routine has remained unanswered to this day.

The program copied itself to every directory, but it was small, didn't clog the hard drive, as claimed above, and was seen as an amusement by the system administrators:

"ANIMAL would indeed copy itself into every directory on a system, but it was small, and when updating itself overwrote the old copy, so it would not clog the disc with multiple copies. Throughout the entire episode, the ANIMAL phenomenon was viewed with benign amusement by the managers of the systems on which it established itself. "

In his book At the Abyss , Thomas C. Reed, former secretary of the United States Air Force , describes a Trojan horse that the United States secretly added to industrial control software that was shipped to the Soviet Union . After the installation of the system on the Trans-Siberian gas pipeline in June 1982, it malfunctioned, which caused a large explosion. This is likely to be the first case where a Trojan was used as a weapon in cybernetic warfare during the Cold War .

In 1984, the computer pioneer Ken Thompson presented a classic example of a Trojan horse during his Turing Award speech, which would be questionable in terms of security and, moreover, difficult to track down. We were talking about a login program for Unix that is changed in such a way that it also accepts a general password in addition to the normal password. This backdoor can, as Thompson, an appropriately engineered C - compiler of the login program Add in translating automatically, making the source code of the login program provides no evidence of tampering. If the compiler of the C compiler were prepared accordingly, the manipulation would no longer even be evident from the source code of the C compiler.

In December 1989, the first Trojan horse, designed to blackmail its victims, appeared, attracting worldwide attention. Dr. Joseph W. Popp, a 39-year-old scientist from Cleveland at the time , sent 20,000 contaminated disks labeled "AIDS Information Introductory Diskette" to addresses in Europe, Africa, Asia and the WHO . After a while, his trojan hid all directories, encrypted the file names and left a request on the computer to send 378 US dollars to a fictitious "PC Cyborg Corporation" on an existing mailbox in Panama for restoration. Although the perpetrator was declared insane in England, an Italian court sentenced him in absentia to two years in prison.

In August 2000, the first known Trojan horse for PDAs appeared . The pest, christened "Liberty Crack", was developed by Aaron Ardiri, co-developer of the Palm Game Boy emulator of the same name. He disguises himself as a crack for the emulator, secretly deletes the installed software and initializes important settings of the Palm. When the Trojan horse got out of hand, Ardiri helped contain its spread.

In October 2005, the renowned systems specialist Mark Russinovich discovered that a rootkit was secretly installed on his system when he was playing a recently purchased SONY BMG music CD on his computer. Thanks to a parallel system analysis, he accidentally discovered the first Trojan horse that found its way onto the computer via legally acquired music CDs. The “ XCP ” Trojan, which SONY BMG deliberately put into circulation, was part of a very aggressive copy protection campaign. The secretly installed malware collects information about the user and sends it to the company via the Internet. In addition, it creates new security holes and, due to a design weakness, slows down the system even if no CD is played. Just two weeks after this discovery, "Ryknos" appeared, the first Trojan horse that made use of the security holes in "XCP" and installed a backdoor program on the infected computers.

Since 2006 at the latest, the Federal Criminal Police Office has been developing a program called “ Federal Trojan ” in Internet jargon for spying on data for the purpose of criminal prosecution .

Protection options

The only effective protection against Trojan horses is not to use programs from unknown or unsafe sources. As with all malware, providers of programs or services on the verge of legality are to be classified as particularly dangerous. This is not absolute protection, as commercial software has also been delivered contaminated with malware in some cases. This affected many driver disks with the Michelangelo virus in 1991 or IBM disks with the Quandary virus in 1996. In 1999, IBM computers were infected with the CIH virus and in 2017 the Czech software company Avast made headlines. Avast is best known as an antivirus software maker, but it accidentally offered a spyware-contaminated version of the CCleaner program for download for a month. The CCleaner was a classic definition of a Trojan horse.

In addition to computer viruses , many antivirus programs also detect other malware, including a large number of well-known Trojan horses. However, their recognition rate does not claim to be complete. If a Trojan horse is detected before the user starts it, the protective mechanism is quite effective, whereas already running Trojan horses can only be removed reliably from the system by the antivirus software to a limited extent. The same applies to malware that may have been installed by a Trojan horse. Numerous Trojan horses also succeed in deactivating the antivirus software or manipulating the system in such a way that the software can no longer detect them. Another problem that arose around 2005 was the so-called rougeware, a special form of scareware that masquerades as a virus scanner. In the worst case scenario, ignorant users who want to remove malware will only install more of it.

Personal firewalls or other network monitoring programs do not provide protection against the installation of a Trojan horse, but can under certain circumstances draw attention to unauthorized network communication after an infection. Some personal firewalls also offer monitoring of the system's startup entries as additional protection, which provides the user with an indication of a Trojan installation, although the firewall software can also be deactivated by numerous Trojan horses and often be outwitted.

As a new way to protect against Trojan horses and computer viruses in general, one can see the efforts of the Trusted Computing Group (TCG), which allow the execution of unchecked, i. H. untrustworthy software, wants to make it technically preventable or tries to isolate the function calls of checked and unchecked software from one another. However, it should be borne in mind that due to the principle of Trojan horses of exploiting human trust or inexperience, even in this technical way one only shifts the trust that is generated during the installation of software to another instance.

If an already installed Trojan horse is detected, it is advisable to clean up the system through the recording of the last "clean" image of the hard disk ( Image can) make, as a software product (eg. As virus scanners) that task only partially reliable do .

There is a test file known as EICAR that you can download to see how detailed an antivirus program is. The file can be found packed as .exe , .txt , .zip and .zip in a .zip file. The code of this test virus is: X5O! P% @ AP [4 \ PZX54 (P ^) 7CC) 7} $ EICAR-STANDARD-ANTIVIRUS-TEST-FILE! $ H + H *, where the one separated by a "$" character Part of it is just a comment, the rest is a sign of malicious code.

See also

Broadcast reports


  1. Due to the common short form “Trojan”, the meaning is exactly opposed to the mythological origin of the term , thus to a Janus word . Since the attackers were the Greeks who built the Trojan horse and hid in it, the victims, however, were the Trojans (the inhabitants of Troy ).

Web links

Individual evidence

  1. The Trojan Horse: Myth and Reality ,, August 1, 2018, based on a documentation that traces the myth of the Trojan horse
  2. Duden online: Trojan
  3. Sophos: 30,000 newly infected websites per day. "[...] This means that the spread of Trojans via websites is now one of the most common attack methods used by financially motivated cyber criminals."
  4. BSI Security Congress: Computers are increasingly threatened.
  5. Computer Security Technology Planning Study (PDF; 8.1 MB) , 1972, p. 62.
  6. ^ Don Reisinger: 25th anniversary of the computer virus? Not so almost., July 16, 2007, accessed November 30, 2013 .
  8. ^ John Markloff: On the Brink Of Cyberwarfare. The New York Times, October 11, 2010.
  9. Ken Thompson: Reflections on Trusting Trust (PDF; 225 kB). Communications of the ACM, August 1984.