Trojans

Short bio

A Trojan is malware that uses simple social engineering tricks to tempt users into running it. It may pretend to be other, legitimate software (spoofing products by using the same icons and names). It may also come bundled with a cracked application or even inside a freeware program.

Once installed on the computer, it performs malicious actions such as backdooring the machine, spying on its user, and doing various types of damage.

Trojans are not likely to spread automatically. They usually stay on the infected host only.

History

The name Trojan comes from the Trojan horse described in Greek mythology. It, too, was a weapon wrapped in a socio-technical trick. The Greeks were unable to break into the fortified city, so they built a wooden horse filled with soldiers and pretended that they were giving up the fight, leaving a gift for Troy. The trick brought a big military success for its inventors. The Trojans brought the “gift” into the fortress and were destroyed in return.

Many centuries have passed, but people are still fooled by the same trick and tempted by goodies from unknown sources.

A program that some classify as the first Trojan, called ANIMAL, appeared in 1974. It was spread with a simple game, but in terms of functionality it was rather a harmless prank.

In the 90s the infamous NetBus appeared. It spread disguised as a game, Whack-A-Mole, and provided remote access tools along with a set of pranks, like opening the CD tray.

In 2000, malware called ILOVEYOU arrived through a spam campaign. It was a malicious macro, pretending to be a love letter for the recipient.

In late 2005, a Trojan called Zlob was distributed disguised as a required video codec in the form of an ActiveX control. In reality it was a backdoor.

Nowadays, Trojans no longer have the properties of pranks. Instead, they are serious cybercriminal tools used mostly for data theft, espionage, and DDoS attacks.

Common infection method

  • Downloading cracked applications
  • Downloading unknown free programs (games, screensavers, and simple, entertainment-related applications)
  • Opening infected attachments
  • Opening an image or any other type of file that is in reality an executable with changed extension
  • Visiting shady websites, e.g. those providing videos (they may nag a user to download a codec containing a Trojan)

Associated families

There are different types of Trojans, and they may carry various malicious modules into the system. They are associated with threats such as:

  • Remote Access Trojans (RATs) provide backdoors and illegitimate remote access tools
  • Information Stealers
  • Denial-of-Service (DoS) Trojans
  • Ransomware (encrypting data) or malicious Data Destruction Trojans
  • Spyware, such as keyloggers and Form Grabbers
  • Downloader Trojans (used to download and deploy other malicious modules)
  • Dialers (popular in times of dial-up modems)

Remediation

The most universal way is to use good-quality, automated anti-malware tools and run a full system scan.

Some Trojans that do not use sophisticated persistence can be removed manually by more advanced users. To do this, the user should disable the hiding of files and folders, and check for suspicious files in the typical locations (TEMP, APPDATA and their subfolders). If the Trojan is currently running, it must be found in the list of active processes and killed. Tools like Process Explorer are very helpful in finding other linked processes and registry keys to be cleaned.

Aftermath

Having a Trojan running on the machine results in the associated malicious module being deployed (RAT, DDoS tool, etc.).

Avoidance

Because Trojans by definition rely on human naivety, most infections can be avoided by being vigilant and keeping good security habits. This includes not opening unknown attachments or cracked software, and being skeptical of websites offering free movies or gambling. It is better to download free programs directly from the producer's site rather than from unauthorized mirrors.

It is beneficial to change the default Windows settings so that the real extensions of files are visible, to avoid being fooled by an innocent-looking icon.
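The two checks described above (making real extensions visible, and triaging the TEMP/APPDATA locations named under Remediation for executables hiding behind a document or image extension), as a PowerShell script added here for illustration; it is not part of the original page. It assumes a Windows 10/11 host with PowerShell 5.1 or later, and the executable and decoy extension lists are assumptions rather than complete lists.

```powershell
# Added example, not from the original page. Assumes Windows 10/11 with PowerShell 5.1+.
# Step 1: make Explorer show real extensions and hidden files (Explorer applies these on restart).
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advKey -Name 'HideFileExt' -Value 0 -Type DWord   # 0 = show extensions
Set-ItemProperty -Path $advKey -Name 'Hidden'      -Value 1 -Type DWord   # 1 = show hidden files

# Step 2: triage the drop locations the page names for executables disguised as
# documents or images, e.g. "holiday.jpg.exe". Both extension lists are assumptions.
$execExt  = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js')
$decoyExt = @('.jpg', '.jpeg', '.png', '.gif', '.pdf', '.doc', '.docx', '.txt', '.mp4')
$drops    = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)

$suspects = foreach ($dir in $drops) {
    Get-ChildItem -Path $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $execExt -contains $_.Extension.ToLower() } |
        Where-Object {
            # BaseName strips the outer extension; what is left ("holiday.jpg") reveals the decoy.
            $decoyExt -contains [System.IO.Path]::GetExtension($_.BaseName).ToLower()
        }
}

# Step 3: report each suspect with its signature status and whether it is currently running,
# which tells the user what to kill first (Process Explorer can then reveal linked keys).
$runningPaths = Get-Process -ErrorAction SilentlyContinue | ForEach-Object { $_.Path } | Where-Object { $_ }
$report = foreach ($f in $suspects) {
    [PSCustomObject]@{
        Path      = $f.FullName
        SizeKB    = [math]::Round($f.Length / 1KB, 1)
        Modified  = $f.LastWriteTime
        Signature = (Get-AuthenticodeSignature -FilePath $f.FullName).Status   # NotSigned is common for Trojans
        Running   = $runningPaths -contains $f.FullName
    }
}
$report | Sort-Object Modified -Descending | Format-Table -AutoSize
```

A file flagged as Running still has to be terminated (Task Manager or Process Explorer) before it can be deleted, and an unsigned executable with a double extension is a strong candidate for submission to an anti-malware scanner rather than for immediate deletion.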

Good-quality anti-malware software is an important second line of defense. If the user does open the malicious program, its activity will be blocked before it causes harm.