What is a Trojan horse? How this tricky malware works
- 20 June, 2019 20:00
Trojan horse definition
A Trojan or Trojan horse is a variety of malware that disguises itself as something you want in order to trick you into letting it through your defenses.
Like other types of malware, a Trojan is deployed by attackers to damage or take control of your computer. Its name comes from the method by which it infects your computer: it disguises itself as something you want in order to trick you into letting it through your defenses.
In the story of the Trojan War, the Greeks, unable to break through the walls of Troy to conquer the city, hid inside a giant wooden horse which they left outside the city gates; the Trojans, thinking it was an offering to the gods, brought it inside, and the Greek soldiers, led by Odysseus, emerged at night to destroy the city and kill its inhabitants. Like Odysseus, cyber-attackers hope that you'll be fooled by a tempting piece of bait to let malicious code inside your network.
As the saying goes, always beware Greeks — or strangers online — bearing gifts.
Trojan vs. virus
Is a Trojan a virus? You'll often see the phrase "Trojan virus" used to identify this type of malware, but that's strictly speaking not correct: Trojan and virus are names for different types of malware that infect computers in different ways. (See our guide to malware types) Like the Trojan horse, Trojan malware masquerades as something benign so you'll let it in, but contains a hostile cargo. By contrast, a virus, much like its biological counterpart, embeds itself into the code of a host program and then uses that host to spread itself and reproduce — no user intervention required. (A worm is a third malware type: a program that doesn't need a host application to reproduce and spread.)
These distinctions are important if you want to stay strictly correct, and we'll aim to use all three names correctly here and elsewhere on CSO. But be aware that many people use virus and malware interchangeably, and so it isn't uncommon to encounter the phrase Trojan virus in the wild. People who do that are almost certainly talking about Trojans, not viruses.
How does a Trojan horse infect a computer?
So far we've been speaking in somewhat general terms. But how does a Trojan really work in practice? How do attackers trick you into downloading nefarious code? In a classic method, as Malwarebytes explains, websites might tempt users with a free game or screensaver that turns out to contain malware. Most of us probably believe we're not naive enough to fall for this, but somewhat more sophisticated Trojan sites might emulate a more reputable organization to convince us that we're downloading something we're not. For instance, when everyone was in a panic over the revelation of the Spectre and Meltdown vulnerabilities within x86 chips, a website that looked very much like the site for the official German government cybersecurity agency appeared and offered a Spectre/Meltdown patch for download; the "patch" turned out to be a Trojan, dubbed "Smoke Loader."
Once downloaded, the Trojans often request administrator permissions — something that too many legitimate programs also do, so many users will just click "Agree" and sign their computer over to their attackers.
Another common way Trojans spread is via phishing — a cyberattack in which you receive an email that purports to be from someone it isn't. These emails will often have malicious code — the Trojan — attached, and will attempt to convince you that you should download and open the attachment. Phishing scams can be targeted with various degrees of precision. At the low end you have mass spam mail that claim to bear news of lottery winnings in an attachment; at the high end, you have emails individually tailored for a high-value targeted person in an attempt to gain access to their specific computer.
In these phishing emails, the malicious code generally lives in an attachment. Since many of us are trained to not download and run random executable files, Trojans have learned to take advantage of holes in the macro scripting languages that are in Microsoft Office or various PDF readers. There's an interesting StackExchange thread that discusses how one particular Trojan hides executable code inside an innocent-looking PDF.
A real-world example of a Trojan that spread like this is Emotet, which is particularly advanced and malicious. It initially propagated via Word and PDF files with malicious embedded macros, often identified as "your invoice" or "payment details." Once executed, these macros downloaded further code that took over the victim's computer and sought out banking credentials.
Much of what we've described here pertains more to computers than mobile devices, which tend to be more locked down and less prone to malware. However, there are mobile Trojans too, which usually propagate via unofficial and pirate app stores.
Types of Trojan horse malware
Once downloaded and installed on your computer, Trojans can do all sorts of damage in lots of different ways. Symantec has a handy list of different types of Trojan; there are a couple of different ways they can be categorized:
- By method (i.e., how they get their hooks into your computer)
- Backdoor Trojans open holes in your computer's defenses that hackers can penetrate.
- Downloader Trojans download more malicious code from a hacker site to extend its control over your machine.
- Rootkit Trojans, install a hidden hacking toolkit that others can exploit.
- By goal (i.e., what they do once they're installed)
- Mailfinders scrape your address book for emails to spam.
- DDoS Trojans hijack your machine as a zombie to launch a DDoS attack against some other victim
- Banking Trojans look for login financials to steal
- Ransomware Trojans encrypt your files and demand a bitcoin ransom to restore them to you.
A specific Trojan can fit into more than one of these categories. Emotet, which we discussed above, is both a download Trojan (because the initially executed Word or PDF macro downloads more malicious programs) and a banking Trojan (because once fully in place, it seeks out banking login credentials).
And, one more point of interest here: the distinction we talked about up top, between Trojans, viruses,and worms, is mostly about the methods used to infect a computer. Once the initial breach is made, many malware programs from different categories can act in similar ways. For instance, the Petya ransomware malware is a Trojan, but the similar NotPetya ransomware is a virus.
How to remove trojan malware
Once a Trojan is installed on your computer, the process of removing it is similar to that of removing any other kind of malware — but that isn't easy. CSO has information on how to remove or otherwise recover from rootkits, ransomware, and cryptojacking. We also have a guide to auditing your Windows registry to figure out how to move forward.
If you're looking for tools for cleansing your system, Tech Radar has a good roundup of free offerings, which contains some familiar names from the antivirus world along with newcomers like Malwarebytes.
Trojan horse examples
The first Trojan was probably a computer program called ANIMAL, which was written in 1974 for Univac computers by John Walker. ANIMAL was a "20 questions" program that tried to guess the user's favorite animal, using some clever machine learning to improve its questions as it went along. As Walker explains it, enough Univac users requested copies that it was starting to occupy a lot of his time in the days before easy computer networking. So he created a subroutine called PERVADE that would, while the user was answering the questions, save copies of ANIMAL to any user-accessible directories it could find. Many of these directories were actually on reel-to-reel tapes that were shared between offices, so the Trojan spread via that vector as well. Walker insists that ANIMAL was a "very good citizen" and did no damage, merely copying itself so he could tell interested parties that the program was probably already on their machine. He also notes that the widespread story that another program, HUNTER, was written to track down and erase ANIMAL copies is an urban legend.
Modern Trojans are more malicious, of course. We've already met Emotet and Petya, two of the most wide-ranging and destructive Trojans. Other prominent examples include:
- Storm Worm, which despite its name was a Trojan that spread rapidly in the early '00s via emails with attention-grabbing subject lines
- Zeus, which spread in the early '10s and installed a keylogger that stole banking credentials
- Rakhni, a clever family of Trojans that started spreading in 2013 and that now looks at your hard drive to determine whether it should install ransomware or a cryptojacking program that uses your CPU cycles to mine bitcoin
And sadly more Trojan horse malware is emerging every day, so watch this space.