Trojan horse (computing): Difference between revisions
m Reverting possible vandalism by 202.27.218.16 to version by MichaelRivers. False positive? Report it. Thanks, ClueBot. (762369) (Bot) |
Line 42: | Line 42: | ||
==Removal== |
==Removal== |
||
[[Antivirus software]] is designed to detect and delete Trojan horses ideally preventing them from ever being installed. |
[[Antivirus software]] is designed to detect and delete Trojan horses ideally preventing them from ever being '''installed. |
||
It may be possible to remove a Trojan horse manually given a full understanding of how that particular Trojan horse operates, however if it is possible that a Trojan horse has been used by a hacker to access a computer system it will be difficult to know what damage has been done and what other problems have been introduced. |
It may be possible to remove''' a Trojan horse manually given a full understanding of how that particular Trojan horse operates, however if it is possible that a Trojan horse has been used by a hacker to access a computer system it will be difficult to know what damage has been done and what other problems have been introduced. in situations where the security of the computer system is critical it is advisable to rebuild it from known good software. |
||
==See also== |
==See also== |
Revision as of 18:35, 31 August 2009
A Trojan horse, or trojan for short, is a term used to describe malware that appears, to the user, to perform a desirable function but, in fact, facilitates unauthorized access to the user's computer system. The term comes from the Trojan Horse story in Greek mythology. Trojan horses are not self-replicating, which distinguishes them from viruses and worms. Additionally, they require interaction with a hacker to fulfil their purpose. The hacker need not be the individual responsible for distributing the Trojan horse. It is possible for hackers to scan computers on a network using a port scanner in the hope of finding one with a Trojan horse installed.[1]
Purpose of Trojan horses
Trojan horses are designed to allow a hacker remote access to a target computer system. Once a Trojan horse has been installed on a target computer system it is possible for a hacker to access it remotely and perform operations. The operations that a hacker can perform are limited by user privileges on the target computer system and the design of the Trojan horse itself.
Operations which could be performed by a hacker on a target computer system include:
- Use of the machine as part of a Botnet (e.g. to perform Distributed Denial-of-service (DDoS) attacks)
- Data Theft (e.g. passwords, security codes, credit card information)
- Installation of software (including other malware)
- Downloading of files
- Uploading of files
- Deletion of files
- Modification of files
- Keystroke logging
- Viewing the user's screen
Example
An example of a Trojan horse attack is one that was reported in 1999:
This Trojan horse was distributed using email. Reports suggest that it was widely distributed and that there were several versions. The email sent to distribute the Trojan horse purported to be from Microsoft Corporation and to offer a free upgrade for Microsoft Internet Explorer. The email did not originate from Microsoft Corporation nor did it provide an upgrade for Microsoft Internet Explorer. The Trojan horse was an executable file named "ie0199.exe" and was provided as an email attachment. One version of the email included the message:
As an user of the Microsoft Internet Explorer, Microsoft Corporation provides you with this upgrade for your web browser. It will fix some bugs found in your Internet Explorer. To install the upgrade, please save the attached file (ie0199.exe) in some folder and run it.
Once installed the Trojan horse reportedly modified system files and attempted to initiate contact with other remote systems.
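The delivery described above, an executable sent as an email attachment, can be screened at a mail gateway. The following Python sketch is an added example, not part of the original article or of any advisory it cites: it flags attachments by extension and by the MZ header that Windows executables start with, so a renamed file is still caught. The function names, the extension list and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def flag_attachments(raw_bytes):
    """Return [(filename, [reasons])] for attachments that look executable."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        dot = name.rfind(".")  # last extension, so "photo.jpg.exe" is caught
        if dot != -1 and name[dot:] in EXECUTABLE_EXTS:
            reasons.append("executable extension")
        if payload[:2] == b"MZ":  # DOS/PE header, independent of the name
            reasons.append("PE/MZ header")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample(filename, data):
    """Build a constructed test message; addresses are placeholders."""
    m = EmailMessage()
    m["From"] = "Microsoft Corporation <upgrade@example.invalid>"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Internet Explorer upgrade"
    m.set_content("Please save the attached file and run it.")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = {
        "named as in the 1999 report": build_sample("ie0199.exe", b"MZ\x90\x00" + b"\x00" * 60),
        "renamed executable": build_sample("update.txt", b"MZ\x90\x00"),
        "harmless document": build_sample("notes.pdf", b"%PDF-1.4 constructed"),
    }
    for label, raw in samples.items():
        print(label, "->", flag_attachments(raw))
```
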
Installation
- Software downloads (e.g. a Trojan horse included as part of a software application downloaded from file sharing networks)
- Websites containing executable content (e.g. a Trojan horse in the form of an ActiveX control)
- Email attachments
- Application exploits (flaws in a web browser, media player, messaging client or other software which can be exploited to allow installation of a Trojan horse)
- Social engineering (e.g. a hacker tricking a user into installing a Trojan horse by communicating with them directly)
Additionally, there have been reports of compilers which are themselves Trojan horses. In addition to compiling code to executable form, they also insert code into the output executables which causes them to become Trojan horses. This is still distinct from self-replication as the process is not automatic.
Removal
Antivirus software is designed to detect and delete Trojan horses, ideally preventing them from ever being installed. It may be possible to remove a Trojan horse manually given a full understanding of how that particular Trojan horse operates. However, if it is possible that a Trojan horse has been used by a hacker to access a computer system, it will be difficult to know what damage has been done and what other problems have been introduced. In situations where the security of the computer system is critical, it is advisable to rebuild it from known good software.
See also
- List of trojan horses
- Cyber spying
- Reverse connection
- Secure computing
- Dancing pigs
- Exploit (computer security)
- Social engineering (security)
- Principle of least privilege
- Spam
- Privacy-invasive software
- Spyware
References
- [1] Jamie Crapanzano (2003): "Deconstructing SubSeven, the Trojan Horse of Choice", SANS Institute, http://www.sans.org/reading_room/whitepapers/malicious/deconstructing_subseven_the_trojan_horse_of_choice_953. Retrieved on 2009-06-11.
- Carnegie Mellon University (1999): "CERT Advisory CA-1999-02 Trojan Horses". Retrieved on 2009-06-10.