Trojan Horses
Trojans
A Trojan horse (or simply Trojan) is a program that is presented to the user as useful software but carries hidden, unwanted functionality.
The malicious function is most often to give a remote attacker unauthorized access to the infected system. With that access the attacker can operate the compromised machine much as if sitting in front of it.
Anti-virus vendors generally treat a Trojan as distinct from a virus, despite its malicious payload, because it does not copy itself. Trojans are commonly hosted on download sites and bundled with free and demo applications, and they are written deliberately to carry out unwanted actions on the host machine.
Because so many variants exist, the industry classifies Trojans by the damage they do to the infected machine and by the way they are delivered. By payload, a Trojan generally falls into at least one of the following classes:
• Data Destruction;
• DoS (Denial-of-service) attack;
• Disable security software;
• Downloader or dropper;
• Remote Access;
• Server Trojan (turns the host into a server reachable over email, FTP, HTTP/HTTPS, IRC, a proxy, etc.).
Despite these differing payloads, Trojans share the traits by which they are recognized. They rely on deceit to get into a system: in most cases the user launches the program because it looks legitimate or appears to come from a known source.
Another characteristic is that Trojans commonly install a backdoor, a hidden means of access (often a listening network port) that the attacker can use for whatever operations the intent calls for. Trojans do not replicate themselves and do not infect other files in order to spread. They are deployed to carry out specific actions, which may support a larger orchestrated attack.
In 1971 the Creeper program spread across the ARPANET, the precursor of the Internet. Creeper was an experimental program written by Bob Thomas at BBN that targeted DEC PDP-10 systems running the TENEX operating system.
It is often cited as the first computer security threat, though it was a self-propagating program rather than a Trojan. The term Trojan horse is usually credited to Daniel Edwards of the NSA, who used it in a 1972 US Air Force computer security report to name this class of attack. The term refers to the wooden horse presented as a gift to the city of Troy during the Trojan War, a story told most fully in Virgil's Aeneid and also recounted in Homer's Odyssey.
One of the earliest and best-known descriptions of a Trojan is Ken Thompson's 1983 Turing Award lecture. He described modifying the UNIX login program so that, besides the user's real password, it accepted a fixed password known only to him, giving him a backdoor into any system built with that login. He then noted that the modification need not appear in login's source at all: the C compiler can be altered to insert it whenever it compiles login. And because the compiler is itself built by an earlier compiler, the compiler can also be taught to re-insert both modifications whenever it compiles its own source, so the backdoor survives rebuilds from clean source with nothing visible in any source file.
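As an added example (not from the article, and not Thompson's code), the following Python script models the scheme just described: a toy compiler whose "binaries" are the text it emits, a login program, and a payload that backdoors login and re-inserts itself into any compiler it compiles. The master password, the program names, the "# compiler" marker and the exec-based "binary" model are assumptions of the illustration.

```python
"""Toy model of Thompson's compiler Trojan (added example, not from the article).

A "binary" here is just the text the compiler emits, and "running" it means
exec'ing that text. The property being modelled: the emitted text can carry code
that appears in no source file, even when the compiler is rebuilt from CLEAN source.
"""

MASTER_PASSWORD = "letmein"  # the attacker's backdoor password (assumption)

# Honest source of the login check: nothing here accepts a master password.
LOGIN_SRC = '''
def login(user, password, users):
    return users.get(user) == password
'''

# Honest source of the compiler. The toy compiler is the identity function on
# source text; the "# compiler" comment is how the Trojan recognises its own kind.
COMPILER_SRC = '''
def compile_program(src):  # compiler
    binary = src
    return binary
'''

HONEST_CHECK = "return users.get(user) == password"
BACKDOOR_CHECK = "return password == %r or users.get(user) == password" % MASTER_PASSWORD

# Code the Trojan splices into every compiler it emits. The marker @@ is replaced
# by the template's own repr, so the spliced code can reproduce itself the next
# time a compiler is compiled (the self-reproducing half of Thompson's trick).
PAYLOAD_TEMPLATE = '''    T = @@
    if "def login(" in src:  # stage 1: backdoor the login program
        src = src.replace(%r, %r)
    if "# compiler" in src:  # stage 2: re-insert both stages into any compiler
        src = src.replace("    binary = src\\n",
                          T.replace("@" + "@", repr(T)) + "    binary = src\\n", 1)
''' % (HONEST_CHECK, BACKDOOR_CHECK)

PAYLOAD = PAYLOAD_TEMPLATE.replace("@@", repr(PAYLOAD_TEMPLATE))

# The attacker builds this binary once from a doctored source, then deletes that source.
TROJANED_COMPILER_BIN = COMPILER_SRC.replace(
    "    binary = src\n", PAYLOAD + "    binary = src\n", 1)


def load(binary):
    """'Run' a binary: exec its text and return the one function it defines."""
    ns = {}
    exec(binary, ns)
    return next(v for k, v in ns.items() if callable(v) and not k.startswith("__"))


def rebuild_from_clean_source(compiler_bin):
    """Compile the clean COMPILER_SRC with an existing compiler binary, as a distro would."""
    return load(compiler_bin)(COMPILER_SRC)


def backdoor_survives(compiler_bin):
    """True if a compiler rebuilt from clean source still emits a login that takes the master password."""
    rebuilt = load(rebuild_from_clean_source(compiler_bin))
    login = load(rebuilt(LOGIN_SRC))
    users = {"alice": "s3cret"}  # constructed sample account
    return login("alice", MASTER_PASSWORD, users)


if __name__ == "__main__":
    print("honest toolchain accepts master password:", backdoor_survives(COMPILER_SRC))
    print("trojaned toolchain rebuilt from clean source:", backdoor_survives(TROJANED_COMPILER_BIN))
    print("master password present in any source file:", MASTER_PASSWORD in LOGIN_SRC + COMPILER_SRC)
```

Running it shows the master password in neither source file, yet a compiler rebuilt from the clean compiler source still emits a login that accepts it, and the rebuilt compiler text is byte-for-byte the Trojaned one. Source review cannot find this; only comparing builds produced by independent toolchains can.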
The first Trojan for the personal computer appeared in 1986. Contrary to what many users believe, the PC-Write Trojan was the first to target this emerging platform. It posed as version 2.72 of the PC-Write shareware word processor, a version that the program's developer, Quicksoft, never released.
When an unsuspecting user ran it, it first wiped the File Allocation Table (FAT), which the system uses to locate files on the disk, and then formatted the hard drive, erasing all stored data.
Growing Internet bandwidth, together with scripting languages, brought new Internet services and online networks, and by late 2003 social engineering had become a primary way of delivering Trojans. Social engineering is the act of influencing users into executing actions or revealing confidential data through deception or trickery.
The motive is usually to gather information that gives access to computer systems in order to commit online fraud. In most of these attacks the attacker never meets the victim face-to-face.
The year 2004 opened with Trojan.Xombe, which relied on social engineering: it posed as a message from the Microsoft Windows Update service urging the user to run a revised Service Pack 1 for Windows XP. Lures of this kind are what the term phishing describes: fishing personal data out of an unwary user.
The same year, Mac OS X was not spared either. The MP3Concept Trojan surfaced in early April; most security professionals ultimately judged it benign, since it was only a proof of concept and was never seen in the wild.
Propagation and payload delivery kept evolving. In September 2004, file types previously considered harmless became carriers and triggers for Trojan attacks, as attackers began using JPEG images to attack Windows systems.
The flaw lay not in the JPEG format itself but in the Windows library that parsed it, the GDI+ component (gdiplus.dll). A crafted JPEG triggered a buffer overrun in that parser, so code embedded in the image file ran when the image was processed.
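The bug pattern behind that kind of parser flaw, as an added example (not code from the article or from Windows): every JPEG segment after the SOI marker carries a 16-bit big-endian length that includes its own two bytes, so any value below 2 is invalid. A parser that computes the payload size as length - 2 before checking that, and then copies that many bytes, wraps to roughly 64 KB on a crafted file; a length-field underflow of this kind in comment (COM) segment handling is the widely reported root cause of the 2004 GDI+ bug. The script below walks the header segments of two constructed sample inputs, with the unchecked arithmetic modelled in C's 16-bit unsigned terms beside the hardened check. The buffer model in read_payload_vulnerable is an assumption for illustration, not the GDI+ code.

```python
"""JPEG marker-segment walker: unchecked length field beside the hardened check.
Added example; not code from the article or from the affected product."""
import struct

SOI, EOI, SOS, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFFE
# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {SOI, EOI, 0xFF01} | {0xFFD0 + i for i in range(8)}


def segment(marker, payload):
    """Build one length-carrying segment; the length counts its own two bytes."""
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed sample inputs (not real files): a well-formed header with one
# comment segment, and one whose COM length field is 1, below the legal minimum.
GOOD_JPEG = struct.pack(">H", SOI) + segment(COM, b"hello") + struct.pack(">H", EOI)
BAD_JPEG = struct.pack(">H", SOI) + struct.pack(">HH", COM, 1) + b"AAAA" + struct.pack(">H", EOI)


def read_payload_vulnerable(data, pos, length):
    """Model of the unchecked C idiom: allocate `length` bytes, memcpy `length - 2`.
    The subtraction is done in 16-bit unsigned arithmetic, as it would be in C."""
    n = (length - 2) & 0xFFFF  # uint16 wrap: length 0 -> 65534, length 1 -> 65535
    if n > length:             # the memcpy would run past the length-byte allocation
        raise OverflowError("would copy %d bytes into a %d-byte buffer" % (n, length))
    return data[pos:pos + n]


def read_payload_hardened(data, pos, length):
    """Validate the length field before any arithmetic or copy depends on it."""
    if length < 2:
        raise ValueError("segment length %d is below the 2-byte minimum" % length)
    if pos + length - 2 > len(data):
        raise ValueError("segment length %d runs past end of data" % length)
    return data[pos:pos + length - 2]


def parse_segments(data, strict=True):
    """Return [(marker, payload)] for the header segments up to SOS or EOI."""
    reader = read_payload_hardened if strict else read_payload_vulnerable
    if len(data) < 2 or struct.unpack(">H", data[:2])[0] != SOI:
        raise ValueError("missing SOI marker")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        if marker >> 8 != 0xFF:
            raise ValueError("expected a marker at offset %d" % (pos - 2))
        if marker in (EOI, SOS):  # entropy-coded scan data follows SOS; not parsed here
            break
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated length field")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        payload = reader(data, pos, length)
        segments.append((marker, payload))
        pos += len(payload)
    return segments


if __name__ == "__main__":
    print("good file, hardened:", parse_segments(GOOD_JPEG))
    for strict in (True, False):
        try:
            parse_segments(BAD_JPEG, strict=strict)
        except (ValueError, OverflowError) as exc:
            print("bad file, %s:" % ("hardened" if strict else "unchecked"), type(exc).__name__, exc)
```

The hardened reader rejects the crafted file with a clean parse error before any size is derived from the field; the unchecked model reaches the copy with a size of 65535. The general rule it illustrates is to validate every attacker-controlled length against both its format minimum and the bytes actually present before using it in arithmetic.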
Merely processing such a file could therefore open the system to further compromise. A more recent development is the bundling of a Trojan with other kinds of threat, combining their payloads into what many experts call a blended threat.
A blended threat may, for instance, pair a virus with a Trojan: when the virus runs on the host machine, it launches the Trojan, and each component delivers its own payload.
Many users treat Trojans, worms and viruses as synonyms. All three are malware, and the terms are often used loosely, but they are not the same thing, and knowing the differences helps a user choose protections that actually counter each of them.
In general, a virus attaches itself to other files and copies its code when those files are launched by a particular application. It leaves traces of infection on the machine even as it travels on to other systems, and it needs a user action to deliver its payload.
A worm is similar in design and is often considered a sub-class of virus, but it needs no user action to move between machines: it spreads on its own over the system's network or file-transfer facilities.
A Trojan, by contrast, is distinguished first by the false pretence under which it arrives, disguised as useful software. It is generally not built to copy itself or to travel from one machine to another.
For comparison: a virus may activate when an infected document is opened in Microsoft Word, whereas a Trojan may pose as an alternative word processor to Microsoft Word.
Trojans also pose as security software, prompting unsuspecting users to download and run them. This is where keeping not only security applications but also the operating system up to date matters: a system with current anti-virus signatures and operating-system patches is far more likely to keep threats like Trojans out.
About the Author
Jessie Jackson is a freelance writer and the author of articles such as What Trojan Virus, Trojan Horse Viruses, and Trojan AD.Clicker.
