Trojans: What's the real deal?

The fictional Greeks hiding in their legendary Trojan horse would probably be excited to learn that the default Wiki page for Trojan is, in fact, their big wooden horse thingy (vs. computer infections or dubious businesses).

Sorry, fictional ancient Greek warriors. It’s not that we don’t think you’re a big deal—that film with Brad Pitt was at least a 6 out of 10. It’s just that at this point in time, the Trojans we’re most concerned about are the tiny ones that sneak onto your PC under cover of darkness, then lay waste to Troy.

And by Troy I mean our PCs.

The term “Trojan” as we understand it first came to life in the 1970s, used in a USAF report about vulnerabilities in computers [PDF]. The application of said digital Trojan horse is fairly straightforward: a computer program, pretending to be something it’s not, is installed and executed on the target system. For example, a victim could open up a file named dolphin.exe and think they’re looking at a fun game called Dolphin. But in reality, all of their personal information is being harvested covertly and sent back to base.

The Trojan hall of shame

The first big-name Trojans many of us in the IT space may remember dealing with date back to the late 1990s and early 2000s. That includes Netbus, Bifrost, and Sub7, though the bulk of the cybercrime spoils went to the notorious Zeus in 2007. After that, Trojans were in business: DarkComet; the Blackhole exploit kit, which would (for example) push Java or Carberp Trojans; and Koobface (an anagram of Facebook), which would typically pose as a video as bait to install a worm.

Most of these have long since gone to the great wooden horse paddock in the sky, but Zeus continues to linger by virtue of having its code leaked in 2011, forming the building blocks for many, many Trojan attacks since then.

Social engineering at its finest

Fittingly, social engineering plays a major part in the Trojan proceedings. A splash of societal pressure, or even just a “Hey, this is cool” is often enough to get someone to compromise their personal computer by their own hand.

You’ve won this free thing! Click here and take a look!

Wait, are hackers bearing gifts now? Though there are no ancient Trojan warriors offering up towering wooden structures, you can bet there’ll be a wide variety of confidence tricks on display. You might get a cool laptop sticker or a pair of novelty-branded socks at an event. Or, you might get this:

Email: Hi, check out this adorable dolphin! Run this file dolphin.exe, it’s great!

Social media: Enter our sweepstakes to win an adorable dolphin!!! Be sure to run dolphin.exe to stand a chance of winning.

Instant messaging: Adorable dolphin webcams. Only $4.99 a month! Download this dolphincam.exe to get started.

Suspiciously abandoned USB stick: Wow, you’ve found my suspiciously abandoned USB stick. Way to go! If you want to return my adorable dolphin photos, please run adorabledolphinphotos.exe to see my address.

Despite the variance in attack methods described above, they’re all using executables disguised as harmless files (Trojans). Types of Trojan vary wildly and encompass everything from government-developed files to people on forums making their own special home-brew versions. We’ve listed the main categories of Trojans below.
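As an added example (not from the original post), here is a small defender-side check for the kind of lure described above. It judges a file by its bytes rather than its name, flagging a file that begins with the Windows executable header but carries a picture or document extension, and a double-extension name such as adorabledolphinphotos.jpg.exe that looks like a photo when Windows hides extensions. The sample files are constructed in a temporary directory, and the list of “harmless” extensions is an assumption.

```python
"""Flag files whose bytes say "Windows executable" while the name says
"picture" or "document".  Added example; the extension list is assumed."""
import os
import tempfile

# Extensions a lure typically pretends to be (assumed list).
HARMLESS_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".mp4", ".doc"}
PE_MAGIC = b"MZ"  # every Windows PE executable begins with these two bytes

def is_pe(path: str) -> bool:
    """True if the file content starts with the PE/DOS header."""
    with open(path, "rb") as f:
        return f.read(2) == PE_MAGIC

def assess(path: str) -> str:
    """Verdict for one file: 'double-extension' (photos.jpg.exe, which Windows
    runs even though it looks like a picture when extensions are hidden),
    'disguised-executable' (PE bytes behind a harmless extension),
    'executable' (honestly named .exe) or 'ok'."""
    parts = os.path.basename(path).lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext == ".exe" and len(parts) > 2 and "." + parts[-2] in HARMLESS_EXTS:
        return "double-extension"
    pe = is_pe(path)
    if pe and ext in HARMLESS_EXTS:
        return "disguised-executable"
    if pe and ext == ".exe":
        return "executable"
    return "ok"

def scan(directory: str) -> dict:
    """Map each regular file in `directory` to its verdict."""
    return {n: assess(os.path.join(directory, n))
            for n in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, n))}

def demo() -> dict:
    """Write constructed sample files to a temp dir and scan them."""
    d = tempfile.mkdtemp()
    samples = {
        "dolphin.exe": b"MZ\x90\x00 stub",              # honestly named executable
        "adorabledolphinphotos.jpg.exe": b"MZ\x90\x00",  # double-extension lure
        "dolphin.jpg": b"MZ\x90\x00 not a picture",      # PE bytes behind .jpg
        "real_dolphin.jpg": b"\xff\xd8\xff\xe0 JFIF",    # genuine JPEG header
        "notes.txt": b"just text",
    }
    for n, data in samples.items():
        with open(os.path.join(d, n), "wb") as f:
            f.write(data)
    return scan(d)
```

Calling demo() returns the verdict for each constructed file; the same scan() can be pointed at a downloads folder or a mounted USB stick.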

Types of Trojans

Financial

Plenty of financially-motivated Trojans exist, typically doubling up with keyloggers to try and exfiltrate online banking information. Some may try and snoop connections by performing man-in-the-middle attacks, or dropping a fake bank login page on the PC so the victim happily hands over their credentials. Others take an alternative approach and simply scan the PC for anything that looks like login data stored in a text file, or insecure passwords saved in a browser.

Botnets

Backdoor the system, and the sky’s the limit. However, botnets are an old favourite of malware authors, and dropping some files that can take commands from a Command & Control server is just what the doctor ordered. Once tagged into a botnet, your machine’s power as a rogue node is amplified many times over, alongside its compromised brethren. In situations where the attackers aren’t particularly interested in your personal information, they may well just use you to join in on a Distributed Denial of Service (DDoS) attack instead.

Ransomware

The ubiquitous ransomware is often served up to potential victims disguised as something else in order to lock up the target PC and then demand a ransom. It could be delivered via malspam or phishing and spearphishing campaigns, which trick users into opening emails from untrustworthy sources.

General data collection/system tampering

The intention behind using a Trojan may be to try and grab card details, or personal information, or download additional malware files, or even just sit quietly in the background and monitor all activity for reasons known only to the attackers. It’s really up to the attacker, and as a result, the definition of “Trojan” can sometimes be murky.

For example, droppers and downloaders are two types of Trojans that do exactly what their names suggest: adding additional bad files onto the system. But what’s the motivation for adding more bad files? Maybe they just want to keep an eye on things for a later date, installing a remote administration tool that keeps a backdoor open and gathers fresh data as you go about your business. Maybe some of your browsing habits trigger another social engineering attack, which attackers can now do easily with access to your system. Or perhaps the data gathered on you is sold to other organizations for marketing purposes, and now you can’t stop getting junk email.

This is nowhere near an exhaustive list, but just an example of the kind of mischief Trojans can cause and create.

Emotet: A Trojan you can bank on

Emotet, a mainstay of Trojan activity since 2014, is a great example of the threats we’re talking about. It’s evolved over the years to present a challenge for even the most experienced network administrator. Spam mails containing fake invoices and dubious links eventually result in compromised systems, and from there the network is under siege. Brute force attacks are waged on network passwords, traffic is intercepted and logged, banking modules are dropped on target systems with the intention of stealing credentials, and it can even be used to perform DDoS attacks.

As time has passed and more online banking customers have turned to two-factor authentication, Emotet has evolved in turn, moving away from a primary focus on banking. Just like Zeus, it never seems to go away and instead keeps coming back with more tricks up its sleeve. Thankfully, users of Malwarebytes are protected from this threat and many more like it.

Gift horse, mouth, do not look

Regardless of intention, turning your PC into an open access gateway for Trojan dolphins—er, horses—is a bad idea indeed. Even if the initial Trojan is removed from the computer (assuming it hasn’t already self-deleted), there’s often no way of telling what else has been placed onboard.

Unlike some other forms of attack, Trojans never really go out of fashion. Only a few weeks ago, fake Fortnite files were causing waves over in Androidland, promising free game points but offering up unrelated downloads instead. Social engineering will never go away, and dressing up a rogue file in attractive packaging goes a long way toward compromising a system.

Feel free to read up on our many social engineering posts because that’ll give you a great head start against your horsey adversary. And if the ancient Greeks had practiced better deduction and use of common sense—You’re in the middle of war. Why invite a giant wooden structure inside your walls?!—they would have surely vanquished the clever Trojans.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.