A Trojan horse is a computer program that is disguised as a useful application but performs another function in the background without the user's knowledge. Trojan horses belong to the class of unwanted or harmful programs known as malware. The term is often used colloquially as a synonym for computer viruses and as a generic term for backdoors and rootkits, but it must be clearly distinguished from them.
Trojan horses can reach a computer by any route that is used to bring data onto it: in particular, removable media or network connections such as the Internet (e.g. file-sharing platforms, prepared websites, e-mail). The Trojan horse is then passed on by the computer's user themselves. The more attractive the bogus program appears, the more likely the user is to hand it on to other users.
For distribution via e-mail, a computer worm is usually used to transport the Trojan horse. The Trojan itself does not become a worm or virus merely because it appears to spread; rather, two kinds of malware are combined: a worm that carries the Trojan horse as its payload, typically as an attachment. Vulnerabilities in browsers and office applications are sometimes exploited on the very day they become known. Modern Trojans are difficult for virus scanners to detect.
---

The Malicious Routine
As a rule, the Trojan program is launched directly by the user of a computer, which gives it exactly the access rights of the logged-in user. The malicious routine can therefore carry out, undetected and either autonomously or under remote control, every action that the user could also carry out voluntarily (the same applies to malware of any kind that secretly installs a Trojan horse on the computer). Since many users permanently work with administrative rights out of convenience or ignorance, the range of manipulation open to the malicious routine is then effectively unlimited.
Here are some typical malicious features:
- Monitoring network traffic or all user activity with the help of sniffers.
- Spying out sensitive data (passwords, credit card numbers, bank account numbers and the like), copying and forwarding files.
- Remote control of the computer by unknown persons, including for criminal purposes, e.g. to send spam e-mails or carry out DoS attacks.
- Disabling or replacing security-related services (such as an anti-virus program or personal firewall).
- Installation of illegal dialer programs (secretly dialing premium-rate telephone numbers, sending premium SMS for a fee), which causes financial damage to the victim.
- Use of storage resources to hold illegal files and make them available to other users over the Internet.
- Displaying unwanted advertisements or redirecting the user to prepared websites (see also phishing).
- Encryption of files stored on the computer for ransom extortion (ransomware).
It is conceivable that the hidden part of the Trojan horse causes no direct damage at all. If, for example, the program secretly sends non-sensitive data that is unrelated to its apparent purpose to its author, and the visible part of the program gives no indication of this hidden functionality, the program meets every condition for classification as a Trojan horse even though it does no direct harm. Conversely, a hidden function can become a malicious routine without the developer intending it, for instance when the program is used in an environment the developer did not foresee. There, the covert transmission of data could cause an Internet connection to be established and thus incur costs without the user ever being asked.
The Camouflage
On Unix, commonly used commands such as ls or ps are often replaced by Trojan horses. On the one hand, such replacements only stand out when their checksums are compared against a known-good baseline; on the other hand, it increases the probability that an administrator will run the Trojan horse, which then executes with the administrator's extended rights without the need for conspicuous manipulation of file permissions.
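The checksum comparison described above, as an added example that is not part of the original article: a baseline of SHA-256 digests is recorded for a directory of binaries and later verified against it. The scenario (a fake bin/ directory with stand-in ls and ps scripts, and a wrapper that replaces ls) is constructed for the example; it also restores the file's timestamp to show that a modification-time check alone would miss the swap while the digest does not.

```python
import hashlib
import json
import os
import tempfile


def sha256_of_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(bin_dir):
    """Map each regular file below bin_dir (relative path) to its SHA-256."""
    baseline = {}
    for root, _dirs, files in os.walk(bin_dir):
        for name in files:
            path = os.path.join(root, name)
            if os.path.isfile(path) and not os.path.islink(path):
                baseline[os.path.relpath(path, bin_dir)] = sha256_of_file(path)
    return baseline


def verify_baseline(bin_dir, baseline):
    """Compare the directory against a saved baseline.

    Returns {relative_path: "modified" | "missing" | "added"}; an empty
    dict means every recorded file is byte-for-byte unchanged.
    """
    current = build_baseline(bin_dir)
    findings = {}
    for rel, digest in baseline.items():
        if rel not in current:
            findings[rel] = "missing"
        elif current[rel] != digest:
            findings[rel] = "modified"
    for rel in current:
        if rel not in baseline:
            findings[rel] = "added"
    return findings


def demo():
    """Constructed scenario: a fake bin/ with stand-in 'ls' and 'ps' scripts.

    Returns (findings, mtime_unchanged): the digest comparison flags the
    replaced 'ls' even though its timestamp was restored.
    """
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = os.path.join(tmp, "bin")
        os.mkdir(bin_dir)
        for name in ("ls", "ps"):
            with open(os.path.join(bin_dir, name), "wb") as fh:
                fh.write(b"#!/bin/sh\nexec /bin/true\n")
            os.chmod(os.path.join(bin_dir, name), 0o755)

        # The baseline would normally be written to read-only or offline
        # storage; here it is only serialised to JSON and read back.
        saved = json.dumps(build_baseline(bin_dir), sort_keys=True)

        # Trojanised replacement: same name, same mode, timestamps restored,
        # but a wrapper that does something extra before calling the real tool.
        target = os.path.join(bin_dir, "ls")
        before = os.stat(target)
        with open(target, "wb") as fh:
            fh.write(b"#!/bin/sh\n# hidden action would run here\nexec /bin/ls \"$@\"\n")
        os.chmod(target, before.st_mode)
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        after = os.stat(target)

        findings = verify_baseline(bin_dir, json.loads(saved))
        return findings, after.st_mtime_ns == before.st_mtime_ns


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the tool and the baseline it runs with: an attacker who could replace ls with root rights could equally replace the hashing program or edit a baseline stored on the same disk, so keep the baseline offline (or use the distribution's own package records, e.g. debsums or rpm -V) and run the comparison from trusted media when a compromise is suspected.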
Unlike Unix, Microsoft Windows does not recognize an executable program by its file permissions. Instead, the file name extension determines whether and how the file is executed. Since Trojan horses can only work if someone starts their code, they are forced to use a corresponding file extension. In the default configuration, however, Explorer hides the extensions of known file types. As a result, a Trojan horse can be masked as a file of almost any type. Many executable file formats also allow an icon to be embedded in the file, so that in this default configuration a malicious file cannot be distinguished from a harmless image file at first glance.
Another popular way of masking is to conceal the file extension behind a long run of spaces. Depending on the program that displays the file, the complete file name may not be visible, so the user never sees the *.exe extension. Since many users are unaware of this possibility, such Trojan horses often run unnoticed.
Another way to hide executable code under a "harmless" file extension relies on programs that determine the file type from its content, regardless of the extension, and treat the file according to its actual type.
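The three masking tricks just described (hidden known extensions, space-padded names and content that does not match the extension), as an added example that is not part of the original article. The extension lists and magic-number table are constructed and deliberately short, the Explorer display rule is simulated rather than queried from Windows, and the sample files are header-only byte strings built inline; none of them is a real program.

```python
import os

# Extensions that Windows executes when the file is opened. Constructed list
# for the example, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi"}

# What a "harmless" extension claims the content to be.
CLAIMED_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
                ".gif": "gif", ".pdf": "pdf"}

# Leading bytes that identify the real content, regardless of the name.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
]


def sniff_type(data):
    """Classify content by magic number, as a type-sniffing program would."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def explorer_display_name(filename):
    """Name as shown with 'Hide extensions for known file types' enabled
    (the Explorer default): the final, registered extension is dropped."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTS or ext.lower() in CLAIMED_TYPE:
        return stem
    return filename


def inspect_name(filename):
    """Findings that can be derived from the name alone."""
    findings = []
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in EXECUTABLE_EXTS:
        return findings
    findings.append("runs as code: real extension is " + ext)
    if stem != stem.rstrip():
        findings.append("whitespace padding before the real extension")
    inner_ext = os.path.splitext(stem.rstrip())[1].lower()
    if inner_ext in CLAIMED_TYPE:
        findings.append("double extension: displayed as %r with extensions hidden"
                        % explorer_display_name(filename))
    return findings


def inspect_file(filename, data):
    """Combine name checks with a content check: the bytes decide, not the name."""
    findings = inspect_name(filename)
    actual = sniff_type(data)
    ext = os.path.splitext(filename)[1].lower()
    claimed = CLAIMED_TYPE.get(ext)
    if actual == "pe-executable" and ext not in EXECUTABLE_EXTS:
        findings.append("content is a PE executable but the name claims "
                        + (claimed or "a non-executable type"))
    elif claimed and actual not in ("unknown", claimed):
        findings.append("content is %s but the name claims %s" % (actual, claimed))
    return findings


# Constructed sample files (headers only; nothing here is a real program).
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG header
    "invoice.pdf.exe": PE_STUB,                          # double extension
    "photo.jpg" + " " * 40 + ".exe": PE_STUB,            # padded extension
    "readme.jpg": PE_STUB,                               # renamed executable
}


def scan(samples=SAMPLES):
    """Run every sample through inspect_file; empty list means nothing found."""
    return {name: inspect_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(repr(name), "->", findings or ["ok"])
```

The last sample is the case from the paragraph above: a PE file renamed to readme.jpg raises no alarm from its name and will not run on a double-click, but a program that sniffs the content and treats it as an executable would run it, and only the content check catches it. A mail gateway or download scanner should therefore classify by magic number first and by extension second.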
Trojan horses that are based on an exploit are also an exception. They exploit programming bugs or other vulnerabilities in a program in order to have their code executed. Depending on the program whose vulnerability is targeted, such a Trojan can hide in any type of file, including files that are not normally executable; there are, for example, Trojan horses whose code is stored in an image file. Given a suitable browser vulnerability, a website can be prepared so that merely visiting it leads to execution of the Trojan code. Even e-mail programs that automatically render the HTML of a message risk executing malicious code as soon as the message is read. In every such case, however, the Trojan code can only run if the file is actually opened with the vulnerable program for which it was crafted.
Trojan horses also often use file names that are hard to distinguish from those of important system files. To this end they are usually placed in confusing directories, such as the Windows system folder.