According to Greek mythology, the Greeks won the Trojan War with the aid of a giant wooden horse. The Greeks built this wooden horse for their soldiers to hide in and left it in front of the gates of Troy. The Trojans thought it was a gift from the Greeks, who had withdrawn from the war, so they transported the horse into their city. At night, the Greek soldiers broke out of the wooden horse and opened the gates for their soldiers, who eventually destroyed the city of Troy.
Taking a cue from Greek mythology, a computer trojan is defined as a “malicious, security-breaking program that is disguised as something benign.” A computer Trojan horse is used to enter a victim’s computer undetected, granting the attacker unrestricted access to any data stored on that computer and causing immense damage to the victim. Users could download, for example, a file that appears to be a movie, but, when run, unleashes a dangerous program that erases the hard drive or sends credit card numbers and passwords to the attacker.
A trojan can also be wrapped with a legitimate program, meaning that this program may have functionality that is hidden from the user.
A victim can also be used as an unwitting intermediary to attack others. Attackers can use a victim’s computer to commit illegal denial-of-service attacks such as those that virtually crippled the DALnet IRC network for months on end. Internet Relay Chat (IRC) is a form of instant text-based communication over the Internet.
Trojan horses run with the same level of privileges as the victim user. If the victim has the privileges, a trojan can delete files, transmit information, modify existing files, and install other programs (such as programs that provide unauthorized network access and execute privilege-elevation attacks). The Trojan horse can also attempt to exploit a vulnerability to increase its level of access beyond that of the user running it. If successful, the trojan can operate with increased privileges and may install other malicious code on the victim’s machine.
A compromise of any system on a network may affect the other systems on the network. Systems that transmit authentication credentials, such as passwords over shared networks in clear text or in a trivially encrypted form, are particularly vulnerable. If a system on such a network is compromised, the intruder may be able to record usernames and passwords or other sensitive information.
Additionally, a trojan, depending on the actions it performs, may falsely implicate a remote system as the source of an attack by spoofing, thereby causing that remote system to incur liability.
Reasons for Creating Trojans
Trojans are created for the following reasons:
- To steal sensitive information, such as:
  - Credit card information, which can be used for domain registration, as well as for shopping
  - Account data such as e-mail passwords, dial-up passwords, and Web service passwords
  - Important company projects, including presentations and work-related papers
- To use the victims’ computers for storing archives of illegal materials, such as child pornography
- To use the victim’s computer as an FTP server for pirated software
- To have fun with the user’s system; an attacker could plant a trojan in the system just to make the system act strangely: the CD tray opens and closes frequently, the mouse functions improperly, etc.
- To use the compromised system for other illegal purposes
Different Types of Trojans
Trojans can be classified into different categories according to their composition and functioning. The categories below outline the main types of trojans.
Remote Access Trojans
Remote access trojans provide attackers with full control over the victim’s system, enabling them to remotely access files, private conversations, and accounting data on the victim’s machine. The remote access trojan acts as a server, and listens on a port that is not supposed to be available to Internet attackers; therefore, if the user is behind a firewall on the network, there is less chance that a remote attacker would be able to connect to the trojan. Attackers in the same network located behind the firewall can easily access the trojans. Examples include the Back Orifice and NetBus trojans.
Data-Sending Trojans
This type of trojan provides attackers with passwords or other confidential data such as credit card numbers and audit sheets. Data-sending trojans can also install a keylogger on the victim’s system. A keylogger is a piece of software or hardware that records keystrokes or mouse movements. Trojans that install keyloggers can record keystrokes and send them back to the attacker. The captured data can be sent to the attacker via e-mail, or by connecting to the attacker’s Web site by using a free Web page provider and submitting data via a Web form. An example of this is the Badtrans.B e-mail virus (released in December 2001) that could log the user’s keystrokes.
Destructive Trojans
The sole purpose of writing this type of trojan is to delete files on the target system. These trojans are destructive because they can delete core system files such as .dll, .ini, or .exe files. They can be activated by the attacker or triggered at a fixed time and date.
Denial-of-Service (DoS) Attack Trojans
This type of trojan empowers the attacker to start a distributed denial-of-service (DDoS) attack. The basic idea behind this kind of attack is that if there are more than 150 infected ADSL users on the network and each of them attacks the victim simultaneously, the resulting traffic will consume the victim’s bandwidth and cut off the victim’s access to the Internet.
Proxy Server Trojans
These trojans convert the user’s computer into a proxy server. This makes the computer accessible to the specified attacker. Generally, it is used for anonymous Telnet, ICQ, or IRC in order to purchase goods using stolen credit cards, as well as other such illegal activities. The attacker has full control over the user’s system and can also launch attacks on other systems from the affected user’s network.
If the authorities detect illegal activity, the footprints lead to innocent users and not to the attacker. This can lead to legal trouble for the victims, because the victims are responsible for their network or for any attacks launched from it.
FTP Trojans
These trojans open port 21, which is used for FTP transfers, allowing the attacker to connect to the victim’s system via FTP.
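Both the remote access trojan described earlier and the FTP trojan here leave the same footprint on the host: a server socket listening on a port that the machine has no business exposing. The following Python script, added here as an example and not part of the original article, compares the listening sockets reported by `netstat -an` (Windows output format) against a per-host baseline and reports the extras; the baseline and the netstat sample are both constructed.

```python
"""Flag listening sockets that are missing from a known-good baseline.

Added example, not part of the original article. Input is `netstat -an`
output in its Windows format; the sample and the baseline below are both
constructed (a real baseline is built per host role).
"""
import re

# Constructed baseline of (protocol, port) pairs this host is expected to expose.
BASELINE = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 5355)}

# Constructed netstat -an output. The two LISTENING lines at the end are the
# footprint a remote access trojan (high port) or an FTP trojan (port 21)
# leaves: a server socket the baseline knows nothing about.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49730       198.51.100.5:443       ESTABLISHED
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:5355           *:*
"""

# proto, local address, local port, foreign address, optional state column
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def parse_listeners(netstat_text):
    """Return the (proto, port) pairs accepting inbound traffic.

    TCP sockets count only in state LISTENING; UDP lines carry no state,
    so every bound UDP port is treated as a listener.
    """
    listeners = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header, blank line
        proto, _addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.add((proto, int(port)))
    return listeners

def unexpected_listeners(netstat_text, baseline=BASELINE):
    """Listeners absent from the baseline, sorted for a stable report."""
    return sorted(parse_listeners(netstat_text) - baseline)
```

Running `unexpected_listeners(SAMPLE_NETSTAT)` on the constructed sample returns the FTP port and the high port, while the established outbound connection and the baselined services are ignored.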
Security Software Disabler Trojans
These trojans are designed to disable antivirus software or firewalls. After these programs are disabled, the attacker can easily attack the victim’s system.
An example is the infamous Bugbear virus that installed a trojan on the machines of infected users and disabled popular antivirus and firewall software. Another example is the Goner worm, detected in December 2001, that deleted antivirus files.
ICMP Backdoor Trojans
ICMP (Internet Control Message Protocol) is an integral part of IP, and must be implemented by every IP module. It is a connectionless protocol. It is used to provide error messages to unicast addresses. The packets are encapsulated in IP datagrams.
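To make the encapsulation concrete, the following Python script, added here as an example and not taken from the original article, builds a constructed IPv4 datagram carrying an ICMP echo request, then strips the IP header back off, verifies both checksums and decodes the ICMP header beneath it. The addresses, identifier and payload are constructed values.

```python
"""Decode an ICMP message out of the IPv4 datagram that encapsulates it.

Added example, not from the original article. The datagram is constructed
here; header layouts follow RFC 791 (IPv4) and RFC 792 (ICMP).
"""
import socket
import struct

def inet_checksum(data):
    """One's-complement 16-bit sum used by IP and ICMP (0 over a correct buffer)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_echo(ident, seq, payload):
    """ICMP echo request (type 8, code 0) with its checksum filled in."""
    csum = inet_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def build_ipv4(src, dst, payload, proto=1):
    """Minimal 20-byte IPv4 header, no options; protocol 1 is ICMP."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload

def parse_icmp_in_ip(datagram):
    """Strip the IP header, verify both checksums, decode the ICMP header."""
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", datagram[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or proto != 1:
        raise ValueError("not an IPv4 datagram carrying ICMP")
    icmp = datagram[ihl:total_len]  # ICMP header + data, IP options skipped
    itype, code, _, rest = struct.unpack("!BBH4s", icmp[:8])
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "type": itype, "code": code, "payload": icmp[8:],
            "ip_checksum_ok": inet_checksum(datagram[:ihl]) == 0,
            "icmp_checksum_ok": inet_checksum(icmp) == 0}
    if itype in (0, 8):  # echo reply/request: "rest of header" is id + seq
        info["ident"], info["seq"] = struct.unpack("!HH", rest)
    return info

# Constructed sample: an echo request from 192.0.2.10 to 198.51.100.5.
SAMPLE = build_ipv4("192.0.2.10", "198.51.100.5",
                    build_icmp_echo(0x1234, 1, b"constructed payload"))
```

Everything after the 8-byte ICMP header is arbitrary data of arbitrary length, so a monitor built on this parser should inspect payload size and content rather than stopping at type and code.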
Although this article discusses software Trojans, hardware trojans also exist.
Published on Sun 20 April 2014 by Randy Nugent in Security with tag(s): software trojan