A destructive action - usually performed by malware on a system or network - that is triggered when a specific time or date condition is met.
A type of browser plug-in, toolbars are applications which are "added on" to Web browser programs to provide additional functionality.
Many toolbars are innocuous, but some toolbars are designed to monitor a user's online browsing behavior.
Toolbars tend to be associated with adware programs, as they are often bundled together.
A plain text file containing a unique ID and browsing information related to the user, which is constantly updated during an active browsing session, in order to track the user's browsing habits.
Tracking cookies are generally used by websites to determine the pages and advertisements a user has seen or any other activity performed during the last visit on that particular website. This allows websites to 'recreate and continue' any activity from the previous visit - for example, a visitor who's seen Ad A on the first visit is next shown Ad B at the next visit - and helps provide the visitor with a seamless browsing experience.
Different websites can share tracking cookies, and each website with the same tracking cookie can read the information and write new information into it. Websites that use tracking cookies continue to recreate cookies in the browser's cache at each visit.
In general, a tracking cookie is not dangerous. It may potentially infringe upon your privacy and may be removed. A tracking cookie cannot cause any system instability. Current versions of popular web browsers include options to empty the browser cache folder when the application is closed.
Software that monitors user behavior or gathers information about the user.
Trackware is considered a security concern because the information gathered can sometimes include personally identifiable details, passwords or other confidential data. Once gathered, the collected information may be forwarded to a remote server. This type of information gathering may be objectionable if the user is unaware it is happening and/or has not authorized it.
Trackware is most commonly associated with programs dealing with advertising (adware). It is also often distributed bundled together with other, legitimate programs.
A program that appears to perform one action, while silently performing another action without the knowledge or authorization of the user.
Trojans were named after the Trojan Horse of Greek legend, and are sometimes referred to as Trojan Horse programs.
Though often confused with a virus or a worm, a trojan has features that make it distinct from either type of malware.
Unlike a virus, a trojan typically does not replicate. It may be combined with other malware, which have their own replicating or propagating capabilities, but the trojan itself does not make copies of its own code.
Unlike a worm, a trojan does not spread itself independently. Typically, once a trojan is installed on a system, it will not leave it again unless the trojan file itself is inadvertently transferred by the user.
Instead, like its namesake the Trojan Horse, a trojan's main hallmark is its unauthorized or silent entry into a system. This is most often done by simply naming the trojan's main executable file to appear legitimate and desirable. For example, a trojan may name itself 'update.exe' or 'system.dll', both of which appear to be proper system file names. This is a form of social engineering.
Another distinguishing characteristic of a trojan is that it silently executes an unauthorized action while pretending to perform an authorized one. Quite often, the trojan will have, or pretend to have, a functionality that offers a useful service to the user - a screensaver, a utility program, a service pack or application update and so on - in order to encourage the user to run the file. While the legitimate action is executing, the trojan silently performs its unauthorized routines in the background.
Types of Trojans
There are numerous types of trojans, which may be categorized based on the action(s) they perform and/or how they deliver their payload:
Trojans can also be categorized based on when they discharge their payload:
- Direct action: Immediately upon execution
- Time bomb: After a specified period of time
- Condition triggered: Only under certain conditions
Impact of a Trojan Infection
The effects of a trojan's payload on a computer system can range from mildly annoying pranks (like changing desktop icon positions), to serious, user-inhibiting functions (like disabling the keyboard or mouse) to critically destructive actions (like erasing files or stealing data).
Trojans can also cause significant real-life damage by stealing financially sensitive data such as bank account credentials, or personal information that could be used for identity theft.
Unfortunately, the majority of trojans today carry a payload designed to cause harm.
The type 'Trojan-Clicker' was formerly used by F-Secure to identify a trojan that remains resident in system memory and continuously or regularly attempts to connect to specific websites. This is done to inflate the visit counters for those specific pages.
The purpose of a trojan-clicker is to either earn money for appearing to drive traffic to specific sites (fraud) or to drain the budget of a competitor (attack) by artificially inflating the referrals that are paid for.
With changes in the threat landscape, programs previously identified as 'Trojan-Clickers' would now be classified as 'Trojans'.
A type of trojan that, once installed on a computer, silently downloads files from remote web and FTP sites. Once downloaded, the trojan-downloader installs and runs the files on the infected computer. Both the download and execution of files are done without the user's knowledge or authorization.
A trojan-downloader, when run, usually installs itself to the system and waits until an Internet connection becomes available. Once its primary download/execution routine is completed, it may also proceed to a secondary payload routine.
A type of trojan that drops one or more malware programs onto a system. A typical trojan-dropper is a file that contains other files (its payload) compressed inside its body. In many cases, trojan-droppers also contain innocent files or multimedia files to disguise malicious activities.
When a trojan-dropper is run, it extracts all the files in its payload and drops the extracted files to a folder (usually a temporary folder) on the system. It then runs all the dropped files simultaneously.
Trojan-droppers are usually created by special programs called 'joiners'. These programs allow the malware author to customize the trojan-dropper's functionalities and to add as many files as needed into the package.
A type of trojan that, once installed, allows an attacker to use the infected computer as a proxy to connect to the Internet.
Trojan-proxies are often used by hackers to hide the location of the original host from any investigating authorities, as the connection can only be traced back to the computer where the trojan is installed.
A Trojan-PSW is very similar to a Trojan-Spy and the two terms are sometimes considered interchangeable. A Trojan-PSW may be thought of as a specific kind of Trojan-Spy, as it is geared mainly towards stealing account login details, including passwords (the PSW stands for password). In addition, some Trojan-PSWs may also include spying and data-stealing routines.
To perform its password-stealing routine, a Trojan-PSW will usually drop a keylogging component. Such a component stays active in Windows memory and starts keylogging (recording keystrokes) when a user is asked to input a login and a password. Stolen logins and passwords can allow an attacker to read a user's e-mail on public and corporate mail servers, as well as giving access to more sensitive material, such as online banking accounts.
This type of malware is quite prevalent. It may be distributed as a standalone malware; also, some backdoors and worms will drop Trojan-PSWs to the systems they infect.
A type of trojan that, once installed, allows a hacker to monitor the user's activities on an infected computer. A Trojan-Spy has a wide range of capabilities, including performing keylogging, monitoring processes on the computer and stealing data from files saved on the machine.
To perform its keystroke monitoring routine, a Trojan-Spy will usually drop a keylogging component. Such a component stays active in Windows memory and starts keylogging (recording keystrokes) when a user is asked to input a login and a password. Stolen logins and passwords can allow an attacker to read a user's e-mail on public and corporate mail servers, as well as giving access to more sensitive material, such as online banking accounts.
A Trojan-Spy may also perform more general monitoring: keeping the list of applications that a user ran, archiving URLs that a user opened and so on. In some cases, the Trojan-Spy's monitoring routine is restricted to a certain time window. For example, it may work only until a certain date and then uninstall itself from a system.
A Trojan-Spy designed to steal data will search for specific files or data on an infected computer, which can be forwarded to, or retrieved by, the attacker. The type of information sought varies: some trojans try to locate 'key' files that contain authentication information for certain programs or services; others steal the serial numbers of software installed on an infected system. A few e-mail worms steal random data files (Excel or Word files, images) and attach them to e-mails that they send from infected systems.