Trojans are malicious programs that require activation by a user or by another malicious program. In this article I will describe the known types of Trojans.
All Known Trojans
They got their name from the notorious mythological horse of the same name – a malicious component penetrates the system under the guise of some useful program or utility.
As a rule, a Trojan is offered for download under the guise of a legitimate application, but instead of the declared functionality it does whatever the attackers need. The real purpose of a Trojan is its destructive activity: anything from blocking programs or injecting advertising banners to encrypting files and stealing passwords for payment systems.
Modern Trojans have evolved into such complex forms as the backdoor (which takes over the operating system's administrative functions on the computer) and the downloader (which fetches and installs malicious code on the victim's computer).
This highly dangerous kind of program can perform the following unauthorized actions:
- deleting data;
- blocking data;
- modifying data;
- copying data;
- slowing down computers and computer networks.
Below, Trojans are classified in more detail by the type of actions they perform on the computer.
One class of Trojans consists of specially crafted archives that provoke abnormal behaviour in the archiver: when an attempt is made to unpack the data, the archiver hangs, the computer slows down significantly, or the disk fills up with a large amount of "empty" data.
Three types of such Trojan archives are encountered:
- archives with an incorrect header or corrupted data inside, which can cause a specific archiver or decompression algorithm to fail while parsing the archive contents;
- archives containing an object of significant size made up of repetitive data, which allows it to be packed into a very small archive (for example, 5 GB of data packed into a RAR archive of 200 KB);
- archives containing a huge number of identical objects, which with special packing methods barely affects the archive size (for example, there are methods of packing 10 thousand identical objects into a RAR archive of 30 KB).
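A pre-extraction check for the three archive-bomb variants above, written for this article as an added example (not code from the original page). It inspects only the ZIP central directory, so a malformed header, an extreme per-member compression ratio and a flood of identical members are all caught before a single byte is decompressed; the thresholds are assumptions chosen for the demo, and the sample archives are constructed in memory.

```python
import io
import zipfile
from collections import Counter

# Thresholds are assumptions chosen for this demo, not values from the article.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024  # byte budget for one whole archive
MAX_MEMBER_RATIO = 100                     # file_size / compress_size per member
MAX_IDENTICAL_MEMBERS = 500                # members sharing the same CRC and size


def inspect_zip(data: bytes) -> list:
    """Return the reasons an archive should not be unpacked (empty list = OK).

    Only the central directory is parsed; no member is decompressed. Those
    fields are attacker-controlled, so extraction must still enforce the same
    byte budget while streaming: this check is the first gate, not the last.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"malformed archive: {exc}"]  # corrupted header / structure
    findings, total, contents = [], 0, Counter()
    for info in zf.infolist():
        total += info.file_size
        if info.compress_size and info.file_size // info.compress_size > MAX_MEMBER_RATIO:
            findings.append(f"{info.filename}: ratio {info.file_size // info.compress_size}:1")
        contents[(info.CRC, info.file_size)] += 1  # identical content => same CRC and size
    if total > MAX_TOTAL_UNCOMPRESSED:
        findings.append(f"declared size {total} bytes exceeds budget")
    if contents and max(contents.values()) > MAX_IDENTICAL_MEMBERS:
        findings.append(f"{max(contents.values())} members with identical content")
    return findings


def build_samples() -> dict:
    """Constructed sample archives: one benign, three mimicking the three variants."""
    def make(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, payload in members:
                zf.writestr(name, payload)
        return buf.getvalue()
    return {
        "benign": make([("notes.txt", b"Quarterly figures: revenue 4.1M, costs 3.2M.\n")]),
        "corrupt": b"PK\x03\x04" + b"\xff" * 60,  # local header, no central directory
        "repetitive": make([("big.bin", b"\0" * (8 * 1024 * 1024))]),  # deflates ~1000:1
        "identical": make([(f"f{i}.txt", b"same") for i in range(501)]),
    }
```

Running `inspect_zip` over each entry of `build_samples()` reports nothing for the benign archive and one finding for each of the three bomb variants.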
A Backdoor-type Trojan allows attackers to manage infected computers remotely. Once a computer is infected, attackers can remotely perform any action on it, including sending, receiving, opening and deleting files, displaying data and rebooting. Depending on the functionality of the particular backdoor, an attacker can install and run any software on the victim's computer, record all keystrokes, download and save any files, and turn on the microphone or camera. Backdoors are often used to combine a group of victim computers into a botnet (zombie network) for criminal purposes.
A group of backdoors capable of spreading over the network and infiltrating other computers, as network worms do, should be mentioned separately. What distinguishes such backdoors from worms is that they do not spread over the network spontaneously (as worms do), but only on a specific command from their operator.
Bank Trojans are designed to steal the credentials of Internet banking systems, electronic payments and bank cards (both credit and debit).
Another class of Trojans is designed to access certain Internet resources (usually web pages) from the infected computer without the user having initiated it. This is achieved either by sending the appropriate commands to the browser or by replacing the system objects that specify the "standard" addresses of Internet resources (for example, the hosts file in Windows).
Intruders do this with the following goals:
- accessing certain sites in order to inflate the number of advertising impressions;
- organizing a DoS attack (see below) on a server;
- luring potential victims to pages that infect them with viruses or Trojans.
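A defender-side check for the hosts-file technique described above, added here as an example and not taken from the original page. It parses hosts-file text and reports names that are mapped to a routable address rather than to loopback or 0.0.0.0 (the only targets that merely sink traffic); the sample file, the watched domain names and the addresses are all constructed for the demo, and on a live Windows system the same function would be fed the contents of C:\Windows\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample of a tampered Windows hosts file (not taken from a real system).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.invalid           # user-added ad block: sinks traffic, harmless
203.0.113.45    online-bank.example           # bank login page sent to a foreign host
203.0.113.45    www.online-bank.example
198.51.100.7    update.av-vendor.example      # antivirus updates redirected
"""

# Names whose resolution must never be overridden locally (assumption for the demo).
WATCHED = ("online-bank.example", "av-vendor.example")


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def is_watched(name):
    """True if name is one of the watched domains or a subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in WATCHED)


def suspicious_entries(text):
    """Return (address, hostname, reason) for entries that could redirect traffic."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name, "unparseable address"))
            continue
        # Loopback/unspecified targets (127.x, ::1, 0.0.0.0) only sink traffic; a
        # redirect to an attacker-controlled server needs a routable address.
        if addr.is_loopback or addr.is_unspecified:
            continue
        reason = "watched name redirected" if is_watched(name) else "routable override"
        hits.append((ip, name, reason))
    return hits
```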
Trojans of the DoS type are designed to perform Denial of Service attacks on target web addresses. In such an attack, a large number of requests are sent from infected computers to the system at a specific address, which can overload it and result in denial of service for requests from real visitors.
Often, in order to conduct a successful DoS attack, the attackers first infect many computers with Trojans of this type (for example, by means of a massive spam mailing), after which each of the infected computers attacks the specified victim. This attack is called DDoS (Distributed Denial of Service).
Trojans of the Downloader type download and install new versions of malicious programs, including Trojans and adware, on the victim's computer. The programs downloaded from the Internet are then either launched or registered by the Trojan for autorun.
This type of malware has recently become a common means of initially infecting the computers of visitors to compromised web pages containing exploits.
Dropper-type programs are used by attackers to covertly install Trojans and/or deploy the viruses contained in the body of such Trojans, as well as to hinder the detection of malicious programs, because not every antivirus program can detect all the components of such a Trojan.
After a Dropper-type malicious program has been saved to disk (often in the Windows system directory), it is executed.
As a result, the attackers achieve two goals:
- covert installation of Trojans and viruses;
- protection of the malicious programs against detection by antivirus software, because, as already mentioned, not all antivirus products are able to check every component inside such Trojans.
Exploits are programs containing data or code that take advantage of a vulnerability (or several vulnerabilities) in applications running on the computer for a deliberately destructive purpose. Attackers usually use exploits to penetrate the victim's computer in order to introduce malicious code (for example, to infect all visitors to a compromised website with a malicious program).
Exploits are also used intensively by worms to penetrate computers without the administrator's knowledge. Widely known are the so-called Nuker programs, which send specially crafted requests to a local or remote computer, as a result of which the system stops working.
Programs like FakeAV simulate the work of antivirus software. Using them, cybercriminals try to extort money from a user in exchange for a promise to detect and remove non-existent threats that they report.
Gaming Trojans steal information about the accounts of participants in online games and pass it to the attacker.
IM Trojans steal logins and passwords for instant messaging programs such as ICQ, MSN Messenger, Skype, etc., and pass this information to the attacker. E-mail, FTP, web requests and other methods may be used to transfer the data.
Rootkits are programs designed to hide certain objects or actions in the system. Often their main purpose is to prevent the detection of malicious programs in order to prolong their presence on the infected computer. The rootkit itself does nothing malicious, but in the vast majority of cases it is used by malicious programs to extend their own lifetime on the affected systems by making them harder to detect. As a rule, the objects concealed are registry keys (e.g., those responsible for the autorun of malicious objects), objects and processes in the memory of the infected computer, and malicious network activity. This is made possible by the rootkit's tight integration with the operating system, and some rootkits (so-called bootkits) can start working even before the operating system boots. However, no matter how this type of Trojan develops, today's sophisticated antivirus programs are capable of detecting and neutralizing almost all existing types of rootkits.
Trojan action principle
All Trojan Horses have two parts: a client and a server. The client manages the server part of the program over the TCP/IP protocol. The client may have a graphical interface and contains a set of commands for remote administration.
The server part of the program is installed on the victim's computer and has no graphical interface. It is intended for processing (executing) commands from the client part and transferring the requested data to the intruder. After entering the system and taking control, the server part of the Trojan listens on a certain port, periodically checks for an Internet connection and, if the connection is active, waits for commands from the client part.
The attacker uses the client to ping a certain port on the infected host (the victim computer). If the server part has been installed, it responds with a confirmation ping signalling that it is ready to work; once confirmed, the server part tells the cracker the IP address of the computer and its network name, after which the connection is considered established. Once the connection has been established, the client can send commands to the server, which the server executes on the victim machine. Many Trojans also connect out to the attacker's computer, which is set up to accept connections, instead of the attacker trying to connect to the victim.
Typical signs that a Trojan is active on the computer:
- new programs appear in the autostart registry keys;
- fake downloads of videos, games or pornographic content, and visits to porn sites, are shown that you never downloaded or visited;
- screenshots are taken;
- the CD-ROM tray opens and closes;
- sounds and/or images are played, photos are shown;
- the computer restarts when an infected program is started;
- the computer shuts down unexpectedly and/or at random.
Since Trojans come in many varieties and forms, there is no single method for removing them. The simplest approach is to clean the Temporary Internet Files folder or to find the malicious file and delete it manually (Safe Mode is recommended). In general, antivirus programs are able to detect and remove Trojans automatically.
If the antivirus is unable to find a Trojan, booting the OS from an alternative source may allow the antivirus program to detect the Trojan and remove it. It is extremely important to keep the antivirus database regularly updated to ensure better detection accuracy.
Many Trojans can sit on a user's computer without their knowledge. Sometimes Trojans are registered in the Registry, which causes them to start automatically when Windows starts. Trojans can also be bundled with legitimate files: when the user opens such a file or launches the application, the Trojan runs along with it.
Trojans are named so because they need your permission to run on your computer – either when you run the program yourself or when you open a document or image that then runs the program.
With this in mind, the first and best protection against Trojans is never to open an email attachment or run the program
- Always update your software. This is doubly true for important programs such as your operating system and browser. Hackers exploit known security holes in these programs to deliver Trojans to your computer and do their dirty work. The software manufacturer usually releases patches for these vulnerabilities, but they will do you no good unless you keep the software on your device up to date. For your Internet connection to be as secure as possible, you should always have a firewall enabled. Both software and hardware firewalls are good at filtering out malicious traffic and can often prevent Trojans from being downloaded to your computer.
- For full protection you should also install an antivirus or a Trojan-removal utility. Such software (provided it is regularly updated) scans your system for Trojans and automatically checks any program or file you run before it is allowed to execute. Free Trojan removal tools exist on the Internet, but few of them are updated regularly, and some are themselves Trojans.
By following a few simple rules of safe behavior on the Internet and using a reliable security solution, you can be sure that your computer is protected from the vast majority of Trojans and other malicious programs.