A quick guide to trojans - what they are, how they work and the potential consequences of having a trojan unwittingly installed on your computer or smartphone.
What is a Trojan?
Trojans - 'Malware in Disguise'
Trojans aren't Viruses
How are Trojans different from Viruses?
How a Trojan arrives on a computer
What A Trojan Does
Trojans and Smartphones
A trojan horse program, or trojan, is a program that performs actions which are unknown to and/or unauthorized by the user.
To be strictly precise, any program that performs an action that hasn't been authorized by a user could be considered a trojan. Usually though, antivirus vendors will only consider a program a 'trojan' if it has been deliberately designed to perform an action that has potentially harmful repercussions for the computer system or the user's information.
Some of the actions a trojan can perform are:
- Copy information stored in specific files on the computer
- Modify and open network connections
- Install and run other programs on the computer
- Connect to and communicate with another computer or server
A legitimate program that also performs a harmful action because of a bug in its coding or flaw in its design may also be considered a trojan, at least until the problem is fixed.
Trojans take their name from the Trojan Horse of Greek mythology, and just like the wooden horse in the story, a trojan program 'disguises' itself to appear desirable or harmless, but secretly carries a dangerous payload. In the legend, the Trojan Horse held a secret cargo of armed soldiers; in the modern trojan program, the payload could be anything, from a virus-infected file to a password-stealing routine.
Trojans are particularly easy for an unsuspecting user to run afoul of because they are disguised as a desirable legitimate program. For example, a trojan may appear to be a simple game - but while the game is running, the trojan also silently harvests information from the computer and sends the data to an unknown external location.
Malware authors will often go to significant lengths to make their trojans look authentic and acceptable, even to a skeptical user. For this reason, trojans can be disguised as movie files, sound files, documents and legitimate programs. Another popular tactic is to disguise the trojan as a product update. For example, many trojans appear to be updates for popular programs, such as video players or online game patches.
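As an added example (not part of the original article), the following Python code applies two checks a download scanner or a cautious user can make against the disguises just described: a movie, sound or document extension placed in front of the real executable extension, and a file whose leading bytes identify it as a program even though its name claims to be a movie, sound file or document. The signature table, filenames and header bytes are all constructed for illustration; a real scanner uses far larger signature sets.

```python
from typing import Optional

# Leading "magic" bytes of common file types (small constructed table
# for this example; real scanners use far larger signature sets).
MAGIC = {
    b"MZ": "exe",          # Windows executable
    b"\x7fELF": "elf",     # Linux/Unix executable
    b"%PDF": "pdf",
    b"RIFF": "riff",       # .avi / .wav containers
    b"ID3": "mp3",
    b"PK\x03\x04": "zip",  # also .docx, .jar, .apk
}
EXECUTABLE_KINDS = {"exe", "elf"}
# Extensions a user would read as "just a movie, sound file or document"
MEDIA_DOC_EXT = {".avi", ".mp4", ".wav", ".mp3", ".pdf", ".doc", ".docx", ".txt", ".jpg"}
# Extensions Windows runs when double-clicked
RUNNABLE_EXT = {".exe", ".scr", ".com", ".bat"}

def sniff_kind(head: bytes) -> Optional[str]:
    """Identify the real file type from its first bytes, or None if unknown."""
    for signature, kind in MAGIC.items():
        if head.startswith(signature):
            return kind
    return None

def check_download(filename: str, head: bytes) -> list:
    """Return the reasons (possibly none) a download looks like a disguised executable."""
    reasons = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    # 'holiday_video.avi.exe': a harmless-looking extension placed before the real one
    if len(parts) > 2 and "." + parts[-2] in MEDIA_DOC_EXT and ext in RUNNABLE_EXT:
        reasons.append("double extension hides executable type")
    # 'report.pdf' whose bytes are actually a program
    kind = sniff_kind(head)
    if kind in EXECUTABLE_KINDS and ext in MEDIA_DOC_EXT:
        reasons.append(f"file header is {kind} but the name claims {ext}")
    return reasons

# Constructed samples: (claimed filename, first bytes of the file)
SAMPLES = [
    ("funny_cat_video.avi", b"RIFF\x24\x00\x00\x00AVI LIST"),   # genuine media file
    ("funny_cat_video.avi.exe", b"MZ\x90\x00\x03\x00\x00\x00"),  # double extension
    ("quarterly_report.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),     # executable named as a PDF
    ("player_update.exe", b"MZ\x90\x00\x03\x00\x00\x00"),        # honest name: passes this check
]

def scan_samples() -> dict:
    return {name: check_download(name, head) for name, head in SAMPLES}
```

The last sample shows the limit of the check: a trojan posing as a 'player update' with an honest .exe name is not caught by it, which is why the other precautions in this article (credible sources, reviews, an antivirus scan) still matter.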
Most users use the terms 'virus' and 'trojan' interchangeably to refer to malware in general. Technically though, a virus and a trojan are two distinct types of malware.
It's important to distinguish between the two because even though a virus and a trojan may be designed to produce the same visible end result (for example, they both delete files on the computer), they each use very different means to achieve the same effect.
Practically, this means that for the user, identifying, stopping and removing the two types of malware will require different actions.
For most users, a trojan seems very similar to a virus - after all, they both perform harmful actions on the computer! An easy way to distinguish the two, however, is to think of the difference between a parasite and a fraud.
Much like the parasites that affect humans, a virus is a malicious program that 'piggybacks' or attaches itself to a host, in this case a legitimate program. For example, macro viruses both infect and are distributed in Microsoft Word documents.
In contrast, just like human con artists, a trojan is a deceptive program, one that's camouflaged to look legitimate but secretly does something unexpected and nasty. As an example, a trojan would be a computer game that also steals your credit card details.
The distinction is important because a trojan depends on its deceptive 'front' to trick the user into unwittingly infecting their own computer, by convincing them to download, install and run the malware. If a user can successfully see through the disguise, avoiding the threat is easy.
Another important characteristic of a trojan is that it doesn't independently propagate or spread copies of itself to new victims, which is the main characteristic of a virus. Instead, one copy of a trojan usually targets one victim; once infected, the trojan doesn't try to find a new target. In practical terms, this means that the user usually only has to focus on getting rid of one bad program, rather than digging out multiple corrupted files.
Most programs can be easily identified as either trojans or viruses. The only exceptions are trojan-virus hybrids, in which a trojan has virus-like code for an infection routine tacked on. Fortunately, such multi-type malware is currently quite rare, as it is technically more complex to create.
As little as five years ago, trojans and other malware were most commonly sent directly to their victims, usually as file attachments to e-mail messages. This strategy is a form of social engineering - the attacker has to make the e-mail seem authentic enough to trick the user into downloading and executing the attachment. Fortunately, most users eventually wised up to this tactic, which was bad news for the attackers.
In the last few years however, as broadband Internet connections have become commonplace, millions of users around the world are now online. For malware authors trying to find new victims, this explosive growth in the online population has translated into an easily accessible pool of new victims, so nowadays most people come into contact with trojans most frequently when they are surfing online.
In today's online world, trojans can be found on legitimate sites that have been compromised, seeded on download sites and even offered through instant messaging (IM) and Internet Relay Chat (IRC) channels.
Other strategies that have been used to distribute trojans include:
- Compromising a legitimate website and injecting the malware onto the site
- Creating a copy of a webpage or even an entire website (phishing) in order to host and serve trojans to the website's unsuspecting visitors
- Rigging search engine results (SEO poisoning) to direct unsuspecting visitors to a malicious or compromised legitimate site
- Hijacking a legitimate e-mail or social networking account and using it to distribute links to malicious or compromised sites (or less likely, to distribute the trojans themselves)
More often, trojans are hosted on malicious sites which are specifically created by attackers for distributing malware. These websites are often short-lived, only lasting for days, or sometimes even hours, before they are taken down. This setup is a popular tactic with attackers, probably because:
- Success doesn't necessarily depend on a user actively falling for a social engineering trick
- It puts direct control of the website in their hands
There are multiple ways to hijack and redirect traffic to a website. A particularly effective tactic involves the attacker designing the website itself to exploit vulnerabilities in the visitor's web browser, forcing it to automatically download the trojan onto the user's computer. This is a more sophisticated variation on the classic 'drive-by download' attack, and it doesn't require the user to actively do anything at all on the website.
So, once a trojan is on the system and executed...what does it do, exactly? That depends on the type of trojan infecting the computer. Most trojans will fall into two general spheres of action: those that target the user's information, and those that target the computer system itself.
Information stealing trojans will generally either look for and steal specific data from the computer (credit card numbers, passwords, even specific documents) or monitor the user to gather data (monitoring keystrokes entered into the computer, or the user's web browsing behavior).
Meanwhile, trojans targeting the system itself focus on taking control of the computer, for example by opening a network port, or installing a backdoor program that allows an attacker to directly command the computer.
Most antivirus vendors will classify a trojan based on the specific type of action it performs. Fortunately, trojans can be easily categorized into discrete, easy-to-understand subtypes:
A trojan-spy secretly monitors a user's activities and saves them to a log file; activities may include mouse and keyboard operations, file and Registry manipulation, and Internet browser activity. Usually, trojan-spies will forward the collected data to an external site; very rarely, an attacker must connect to the computer and retrieve the data, or even more dangerously, physically retrieve it.
A trojan-thief deliberately and secretly tracks the user's input, looking for logins, passwords, verification numbers and other sensitive data. Much like the trojan-spy, a trojan-thief deliberately collects and secretly sends out certain data or confidential files.
A trojan-dropper secretly extracts one or more malicious files from its own body or from an accompanying data file to a specified location, and may activate one or more of the extracted files.
A trojan-downloader downloads files from the Internet onto a compromised computer, then executes the files (either immediately, or at a set time). Some more sophisticated trojans of this type will use a program already on the computer, such as an FTP program, to download the files.
A trojan-proxy listens on a certain port for commands and traffic; the commands allow an attacker to control the trojan's settings, while the traffic is automatically routed to a different destination based on the trojan's configuration.
A trojan-dialer dials a premium-rate number without showing any license agreement or asking for confirmation, and may also open inappropriate websites.
Of course, there are also sophisticated trojans that can perform more than a single type of function - for example, one that downloads a file, executes it, monitors the user's browsing behavior and communicates with a remote attacker. A trojan this complex is categorized simply as a 'trojan', for simplicity's sake.
It's not just computers that are infected by trojans - smartphones are also targeted, though in this case, a trojan designed for a computer won't work on a mobile phone, and vice versa. Much like computer-based trojans, smartphone-targeted ones are usually disguised as desirable programs, most often as games or operating system updates.
Traditionally (as in less than five years ago), a trojan would be sent to the phone in an MMS message, or would need to be downloaded on a computer, then transferred to the phone by a cable or wireless connection. Very rarely, the user would download the trojan directly onto the device.
Things are starting to change, though. Just as the growth of the online population has affected how trojans are distributed to computers, the increasing demand for smartphones - particularly smartphones with Internet connection - is altering the way users encounter trojans.
More people nowadays are surfing the Web via their mobile devices, and downloading a program from the Web directly onto their device is becoming a popular way for smartphone owners to install legitimate programs. Inadvertently, this greater connectivity has also introduced a whole new set of victims ripe for targeting by the enterprising malware author.
Currently, most mobile malware is targeted at phones running versions of the Symbian operating system. The prevalence of Symbian trojans is most likely because globally, despite competition from Apple's iOS, Google's Android and Windows Mobile, the majority of smartphones today run Symbian, with a market share of about 41 percent as of Q2 2010 (as reported in TechCrunch). A small handful of malware also affects the other mobile operating systems though, and as they gain more market share in the coming years, it's entirely possible that more malware for these platforms will appear.
One advantage mobile phones enjoy over their computer counterparts (at least for some platforms) is that before any program can be installed, it must display a security summary, generally indicating how the program will affect the phone's connections and data. The user would then evaluate how intrusive the program might be, and if they are comfortable with it, approve the program's installation.
Unfortunately, the usefulness of the approval process as a security mechanism really depends on the user reading it and understanding the implications of allowing a program to, for example, 'transmit geo-location data'. If user behavior on computers is any indication though, it's far more likely that users will simply approve the installation without fully investigating the program's potential impact - only to later regret the oversight.
Back in the days when malware was mostly being distributed by e-mail, it was relatively easy to avoid being infected. An alert user only had to refrain from executing any attachment until they could check with the sender and confirm the attachment was safe. The same was true for e-mails offering links to websites - it was easy to avoid clicking the link, until it could be verified.
Nowadays, users are more likely to encounter trojans while browsing online. For example a free utility program offered by a website may be legitimate - or it may be malware. How could a user decide whether it's safe to download?
Verifying the authenticity of a program offered online can be challenging. Fortunately, it's still possible to do so by observing certain precautions, such as:
- Downloading only from credible sources
- Searching for and reading credible reviews of a program
- Scanning the download with an antivirus program before executing it
Another concern related to online trojans are the malicious sites, particularly the numerous methods used to redirect users to these sites. How can a user identify a site as malicious, in order to avoid it?
Usually, there are small indicators on the malicious site that can help an alert user identify it as fraudulent: a suspicious URL; log-in processes that inexplicably capture details but don't work; odd phrasings or language in the page's copy; and much more. Microsoft Support offers a number of other useful precautions.
Even then, a knowledgeable and cautious user visiting an unknown website may still be subject to a silent drive-by download even as they examine the site. To address the difficulty most users face in identifying malicious sites, a number of antivirus companies, search engines, web browser developers and independent providers now offer website rating services, which monitor popular sites and evaluate their security.
These services are usually available as a plugin or toolbar for the user's web browser, and integrate their findings into the web browsing session by marking whether a link leads to a malicious website, or showing a notification page if the user attempts to visit a site rated as 'harmful'.
There are a plethora of such web security rating services available, giving users a wide range of choices to suit their needs. Some suggested starting places are F-Secure's Browsing Protection, Google's Safe Browsing and Firefox's Firekeeper, but a quick search in any decent search engine will turn up plenty of options.