What are Trojans?

What are Trojans?

A Trojan (horse) in computer-terms is a type of malware that does not replicate itself.

The name is based on the mythological tale of Greek warriors who hid inside a giant wooden horse that was suppose to be a “present” to the city of Troy. After dark, the Greek warriors opened the previously impenetrable gates of Troy to let in the rest of their army and sacked the city.

So, the name is very fitting, because computer Trojans often disguise themselves as something useful or at least innocent. Once they are inside, however, they often download or install other malware on the user’s computer.

wooden horse

Definitions on what is a Trojan horse differ greatly, but the common factors are that Trojans:

  • do not self-replicate
  • come disguised as harmless
  • open your system to more harm

Self-replication is what we understand to be creating and distributing copies of itself to other parts of a computer or to other computers. A property commonly assigned to viruses.

Coming disguised as harmless can be interpreted in many ways. It is not uncommon for Trojans to be offered as cracks or keygens, something which I personally would not call harmless, but users could download these files as something they feels is useful.

Opening your system to more harm is also a wide field of possibilities because there are  many types of Trojans — most of them named after their main function. Please note that it is not uncommon for Trojans to have multiple functions and the definition of Trojans is not narrowed down and is open to discussion, so the list will never be complete.

  • Password stealers: these are usually targeting a certain kind of password. Considered the most harmful are
    • banker Trojans, which try to steal your banking credentials in order to book money from your account. Other common types are
    • Gamethief: steals account information for online games
    • Trojan-IM: steals account information for instant messaging programs
    • Key-loggers: these simply steal anything you type. As you can imagine it takes a lot of work to find the information you are looking for in a log produced and sent by this type of Trojan.
  • Destructive Trojans: beside the kind that simply destructs for the sake of being a nuisance there are a few kinds that have a purpose
    • Ransom Trojan: these alter, encrypt or pack your files in a way that makes it unable for the user to have access to his own files. On receipt of payment the criminal promises to send a program to the victim to restore the data or restore the computer’s normal performance.
    • security software disabler: these Trojans are constructed to take out as many security programs as possible, leaving the user without a firewall, AV, HIPS or any kind of protection. The ultimate goal usually is to make the user vulnerable to the net level of the attack.
  • Backdoor aka RAT (Remote Access Trojan) : arguably the most widespread type of Trojan, although often combined with other functions or other types of malware. Backdoor trojans leave the computer open to be controlled by someone else for different functions.
    • DDoS attack: In order to conduct a successful DDoS attack, malicious users often infect a large number of computers with this type of Trojan in advance (for example, as part of a mass spam mailing.) As a result, all the infected computers will attack the target machine/server/site at the signal given by the controller. Large groups of computers under control in this way are often referred to as botnets.
    • Trojan Clicker: used to perform online actions in order to boost hit-counts.
    • Proxy Trojan: the victims computer is turned into a proxy, so the operator can perform online business anonymously.
  • Mailfinder Trojans: these harvest email-addresses from the infected computer in any way they can and send the list of addresses to the operator.
  • Dropper: this type of trojan installs other malware on the infected computer. Usually they’re an executable file that contain other files compressed inside its body. Generally speaking one distraction to keep the user occupied  and one or more malicious programs, which it will secretly install and run.
    • Trojan FakeAV installs a fake AV that asks payment for the removal of threats only the fake AV detects. These so-called “rogues” use intentional false positives to convince users that their systems have been compromised. Then they try to sell you their software, claiming it will remove these threats. In extreme cases the false threats are actually the very trojans that advertise or even directly install the rogue.
  • Trojan Spy: this detection often refers to specialized software to spy on a certain victim. The specialization can range for example from one country to one particular person. The more specialized these spies are, the harder they will be to find, especially by signature based scanners.
  • Trojan-ArcBomb: these are usually aimed to cripple or slow down mailservers. The Trojans aim to slow down or crash a computer by packing enormous (amounts of) files in a relatively small package. When the package is opened, the volume increase is so enormous that the server has to dedicate a large portion of its CPU time and drive space to handling the Trojan. The bombs use the given that packing files with many repetitions or large numbers of equal files can be compressed into much smaller packages.
  • Trojan SMS: usually aimed at mobile devices these Trojans sent text messages to premium rate numbers and thus earning money for the creator for the Trojan.

Famous Trojans

Long after Helen of Troy, the war against Trojans has rekindled in a different manner. Famous computer Trojans are Beast, which made the client-server model very popular. The server being on the infected computer and the client on the operator. Its many features and the ease of use for the client made it very popular. Another Backdoor that was very popular and well-known is Sub7. Zeus on the other hand started as a banker Trojan, originally aimed at a limited group of people, but years later the various Zeus’ botnets are estimated to include millions of compromised computers. A more recent giant is the ZeroAccess Rootkit, held responsible for a botnet spread estimated to have been present on millions systems.

Power in numbers

In this day and age of commercial malware the power is in the numbers. Even if only a small percentage of users falls for the tricks and schemes used by malware writers (and phishing the like) there is still an enormous amount of money to be stolen. Valid email addresses get sold by the thousands. A botnet controller can be hired to use his bots to take down any site or server. The fee will depend on how many bots it takes to get the job done. And the money the malware writers and operators make is only a small portion of the cost as business week showed us a year ago.

How does Malwarebytes Anti-Malware help you?

Malwarebytes Anti-Malware  detects all known Trojans and more, since 80 % of Trojan detection is done by heuristics.

Sources:

http://www.securelist.com/en/threats/detect/trojan-programs?behavior=41#list

http://www.ehow.com/about_5110319_kinds-trojan-horse-viruses.html

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.