In Virgil’s epic poem, The Aeneid, a clever Greek war strategist named Odysseus devises a plan to get his men inside the walled city of Troy. Instead of destroying or climbing the city’s walls, Odysseus sees another way in: with deception. Trojan soldiers watch as the Greeks appear to sail away, leaving behind a giant wooden horse as a token of surrender. Drunk on victory, the Trojans bring the horse inside their walls, only to discover Odysseus and his men were hidden inside the whole time.
Like its namesake, Trojan horse attacks, or simply “Trojans” use deception and social engineering to trick unsuspecting users into running seemingly benign computer programs that hide malicious ulterior motives.
People sometimes think of a Trojan as a virus or a worm, but it is really neither. A virus is a file infector which can self-replicate and spread by attaching itself to another program. Worms are a type of malware similar to viruses, but they don’t need to be attached to another program in order to spread. Most viruses are now seen as legacy threats. Worms have also become rare, though they do pop up from time to time.
“A Trojan can be like a Swiss Army knife of hacking.”
Think of Trojans as an umbrella term for malware delivery, because there are various kinds of Trojans. Depending on the criminal programmer’s intent, a Trojan can be like a Swiss Army knife of hacking—acting as a bit of standalone malware, or as a tool for other activities, such as delivering future payloads, communicating with the hacker at a later time, or opening up the system to attacks just as the Greek soldiers did from inside the Trojan fortress.
Put another way, a Trojan is a delivery strategy that hackers use to deliver any number of threats, from ransomware that immediately demands money, to spyware that conceals itself while it steals valuable information like personal and financial data.
Keep in mind that adware or PUPs (potentially unwanted programs) can be confused with Trojans because the delivery method is similar. For example, sometimes adware sneaks onto your computer as part of a bundle of software. You think you’re downloading one piece of software, but it’s really two or three. The program authors usually include the adware for marketing affiliate reasons so they can monetize their installer with offers—usually clearly labeled. Such adware bundlers are typically less malicious than Trojans. Also, they do not conceal themselves as Trojans do. But since the adware distribution vector resembles that of a Trojan, it can cause confusion.
Trojans can look like just about anything, from free software and music, to browser advertisements to seemingly legitimate apps. Any number of unwise user behaviors can lead to a Trojan infection. Here are a few examples:
A program called ANIMAL, released in 1975, is generally considered the world’s first example of a Trojan attack. It presented itself as a simple game along the lines of twenty questions. However, behind the scenes, the game copied itself onto shared directories where other users could find it. From there, the game could spread across entire computer networks. For the most part, it was a harmless prank.
By December 1989, Trojan attacks weren’t for pranks anymore. Several thousand floppy disks containing the AIDS Trojan, the first known ransomware, were mailed to subscribers of PC Business World magazine and a World Health Organization AIDS conference mailing list. This DOS Trojan would lay dormant for 90 boot cycles, encrypt all filenames on the system, then display a notice asking the user to send $189 to a post office box in Panama in order to receive a decryption program.
In the 1990s, another infamous Trojan appeared disguised in the form of a simple Whack-A-Mole game. The program hid a version of NetBus, a program that allows one to remotely control a Microsoft Windows computer system over a network. With remote access, the attacker could do any number of things to a computer, even open its CD tray.
In 2000, a Trojan called ILOVEYOU became the most destructive cyberattack in history at the time, with damages estimated up to $8.7 billion. Recipients received an email with what looked like a text attachment named “ILOVEYOU.” If they were curious enough to open it, the program would launch a script that would overwrite their files and send itself to every email in the user’s contact list. As clever as the worm was from a technical perspective, its use of social engineering was arguably its most ingenious component.
Through the 2000s, Trojan attacks continued to evolve, as did the threats they carried. Instead of targeting people’s curiosity, Trojans leveraged the rise of illegal downloading, disguising malware as music files, movies, or video codecs. In 2002, a Windows-based backdoor Trojan horse called Beast emerged and was capable of infecting almost all versions of Windows. Then, in late 2005, another backdoor Trojan called Zlob was distributed disguised as a required video codec in the form of ActiveX.
The 2000s also saw a rise in the number of Mac users, and cybercriminals followed suit. In 2006, the discovery of the first-ever malware for Mac OS X, a low-threat Trojan Horse known as OSX/Leap-A or OSX/Oompa-A, was announced.
The motivations behind Trojan attacks also began to shift around this time. Many early cyberattacks were motivated by a lust for power, control, or pure destruction. By the 2000s, an increasing number of attacks were motivated by greed. In 2007, a Trojan named Zeus targeted Microsoft Windows in order to steal banking information by means of a keylogger. In 2008, hackers released Torpig, also known as Sinowal and Mebroot, which turned off anti-virus applications, allowing others to access the computer, modify data, and steal confidential information like passwords and other sensitive data.
As cybercrime entered the 2010s, the greed continued, but hackers started thinking bigger. The rise of untraceable cryptocurrencies like Bitcoin led to a rise in ransomware attacks. In 2013, the Cryptolocker Trojan horse was discovered. Cryptolocker encrypts the files on a user's hard drive and demands a ransom payment to the developer in order to receive the decryption key. Later that same year, a number of copycat ransomware Trojans were also discovered.
“Many of the Trojans we hear about today were designed to target a specific company, organization, or even government.”
The 2010s have also seen a shift in how victims are targeted. While many Trojans still use a blanket approach, attempting to infect as many users as possible, a more targeted approach seems to be on the rise. Many of the Trojans we hear about today were designed to target a specific company, organization, or even government. In 2010, Stuxnet, a Windows Trojan, was detected. It was the first worm to attack computerized control systems, and there are suggestions that it was designed to target Iranian nuclear facilities. In 2016, Tiny Banker Trojan (Tinba) made headlines. Since its discovery, it has been found to have infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC, and Bank of America.
As one of the oldest and most common ways to deliver malware, the history of Trojans follows the history of cybercrime itself. What started as a way to prank one’s friends morphed into a way to destroy networks, steal information, make money, and seize power. The days of pranks are long gone. Instead, they continue to be serious cybercriminal tools used mostly for data stealing, espionage, and Distributed Denial of Service DDoS attacks.
Trojans are versatile and very popular, so it’s difficult to characterize every kind. That said, most Trojans are designed to take control of a user’s computer, steal data, spy on users, or insert more malware on to a victim’s computer. Here are some common threats that come from Trojan attacks:
Trojans aren’t just a problem for laptops and desktops. They attack mobile devices as well, which makes sense given the tempting target presented by the billions of phones in use.
As with computers, the Trojan presents itself as a legitimate program, although it’s actually a fake version of the app full of malware.
Such Trojans usually lurk on unofficial and pirate app markets, enticing users to download them. The Trojans run the full gamut of mischief, infecting the phone with ads and keyloggers, which can steal information. Dialer Trojans can even generate revenue by sending out premium SMS texts.
“Browser extension add-ons can act as Trojans as well….”
Android users have been the victims of Trojanized apps even from Google Play, which is constantly scanning and purging weaponized apps (many times after the Trojan’s discovery). Browser extension add-ons can act as Trojans as well, since it’s a payload capable of carrying embedded bad code.
While Google can remove browser add-ons from computers, on phones the Trojans can place transparent icons on the screen. It’s invisible to the user, but nonetheless reacts to a finger touch to launch its malware.
As for iPhone users, there’s good news: Apple’s restrictive policies regarding access to its App Store, iOS, and any other apps on the phone do a good job of preventing Trojan incursions. The only exception occurs for those who jailbreak their phones in their quest to download freebies from sites other than the App Store. Installing risky apps outside the Apple settings makes you vulnerable to Trojans.
Once a Trojan infects your device, the most universal way to clean it up and restore it to a desired state is to use a good quality, automated anti-malware tool and make a full system scan.
There are many free anti-malware programs—including our own products for Windows, Android, and Mac—which detect and remove adware and malware. In fact, Malwarebytes detects all known Trojans and more, since 80% of Trojan detection is done by heuristic analysis. We even help mitigate additional infection by cutting off communication between the inserted malware and any backend server, which isolates the Trojan. The only exception is for protection against ransomware, for which you need our premium product.
Since Trojans rely on fooling users into letting them into the computer, most infections are avoidable by remaining vigilant and observing good security habits. Practice a healthy skepticism about websites offering free movies or gambling, opting instead to download free programs directly from the producer’s site rather than from unauthorized mirror servers.
Another precaution to consider: change the default Windows settings so that the real extensions of applications are always visible. This avoids getting tricked by an innocent looking icon.
At Malwarebytes, we are serious about infection prevention, which is why we aggressively block both websites and advertisements that we consider fraudulent or suspicious. For example, we block torrent sites like The Pirate Bay. Though many savvy users have used such sites without issue, some of the files they offer for download are really Trojans. For similar reasons, we also block cryptomining through browsers, but the user can choose to turn off the block and connect.
Our reasoning is that it’s better to err on the side of safety. If you want to take the risk, it’s easy to whitelist a site, but even tech-savvy types can fall for a convincing Trojan.
To learn more about Trojans, malware, and other cyberthreats, check out the Malwarebytes Labs blog. The things you learn may just help you avoid an infection down the road.