What is a Trojan Virus? A Master of Disguise

[Image: wooden Trojan Horse, close-up of the head. Credit: Hans Rohmann / Pixabay]

What is a Trojan virus? An impostor, a saboteur, and a master of disguise. But it isn’t actually a virus. Find out how this masquerading malware operates, and keep your systems safe.

What is a Trojan Virus?

The Trojan or Trojan Horse is a form of malware that pretends to be something it isn’t, such as legitimate software or a document attached to an email. It’s a digital wolf in sheep’s clothing.

When a user tries to run the bogus software or open the malignant document, the Trojan delivers its payload. The payload might be a keystroke logger that records everything you type. It might hunt for banking credentials on your computer. It might install a backdoor that lets the threat actors access your computer remotely.

The malware gets its name from the fabled wooden horse built by the Greeks as they laid siege to Troy, around 1190 BC. Packed with hidden warriors led by Odysseus, the horse was brought inside the city walls by the Trojans, who mistook it for an offering made to Athena by the retreating Greeks.

Trojan malware works in the same way. It tries to trick you into taking the bait. Trojans are not viruses, though. A virus attaches itself to another file, program, or document and piggybacks on it for transport. Viruses can replicate to spread their infection by attaching copies of themselves to other files. Trojans cannot replicate themselves and do not attach themselves to other files.

How Trojans Spread

If Trojans can’t replicate like viruses, how do they infect computers? They do so using common cyberattack methods like phishing campaigns.

Phishing campaigns send emails that look like they have come from a trusted source. They may carry a malicious payload hidden in an attachment, or they may contain a link that takes you to a fraudulent website masquerading as a legitimate one.

Cybercriminals are quick to react to current affairs and to re-skin their existing cyber threats to take advantage of news items. And the bigger the item, the better. The COVID-19 pandemic has provided a perfect cover story for threat actors to send out emails purporting to be from official medical or governmental channels. Opening the attachment—which might pretend to offer medical advice, COVID-19 test kits, or information regarding financial aid and furlough schemes—infects your computer.

Not all phishing emails have attachments. Others contain links that take you to bogus websites. The sole purpose of these sites is to compel you to download something. It might be dressed up as information packs, software to help track and fight the virus, or information on financial aid and furlough schemes. Whatever it says it is, it isn’t. It’s just a mechanism to get their software onto your computer.

Threat actors also place Trojans on download and file sharing sites. The victim might think they are downloading a film, a video game, or some music, but they’re actually downloading malicious software. This doesn’t just happen on illegal file sharing and torrent sites. For example, legitimate sites that share desktop wallpaper can have Trojans uploaded to them pretending to be compressed files containing a wallpaper collection.

Types of Trojan

Trojans can be grouped according to their behavior and activity.

  • Backdoor Trojans: Allow the threat actors to access your machine at any time.
  • Rootkit Trojans: Sophisticated backdoor Trojans that install rootkits so they can evade detection and provide covert access to your computer for the threat actors.
  • Downloader Trojans: These download further malicious software packages. The downloader Trojan might be a very small macro in a Word document or a program masquerading as a PDF. Its purpose is simply to download the actual payload once the file is opened.

A Trojan is a delivery mechanism, designed to get malware installed on your computer. Trojans are usually a means to an end, not the end in themselves. The malware they install is usually one of the following:

  • Address Book Hijackers: This malware collects all of the email addresses from your address book. They may be used to send spam or phishing emails to your contacts.
  • DDoS: These make your computer one of many infected machines that, acting together, flood a victim’s website with requests in a Distributed Denial of Service (DDoS) attack.
  • Banking Malware: These search your computer and monitor your keystrokes, looking for login credentials for online banking services, PayPal, and other financial portals.
  • Ransomware: Conducts a ransomware attack by encrypting your files and demanding payment in a cryptocurrency in exchange for the decryption key.
  • Cryptojackers: These run covertly on your computer, sapping its speed, in order to cryptomine cryptocurrencies for the threat actors.

Some advanced Trojans will inspect your computer before deciding on their best course of action. Should it install ransomware and take a one-off payment, or should it install cryptojacking software and repeatedly make small amounts of money for an indefinite period of time? The Rakhni Trojan, for example, uses this approach. It can install two different threats and decides which to deploy on a per-machine basis.

Examples of Trojans

  • Zeus: A successful Trojan with many variants. One of its common ploys is to capture keystrokes as they are entered into browsers. It tries to detect and capture the online banking login credentials of the victim.
  • Wirenet: A password-stealing Trojan that was developed to be cross-platform, and able to target macOS, Linux, and Windows computers.
  • Emotet: Usually spread by phishing campaigns with malicious Word documents or fake PDF files as attachments, Emotet is a banking Trojan that steals credentials. Unusually for a Trojan, it is also able to spread across a network, from machine to machine.
  • Rakhni: This Trojan is predominantly spread by phishing campaigns. Rakhni searches for Bitcoin service folders on the target machine. If it finds any, the files on the PC are encrypted and a Bitcoin ransom is demanded. If it doesn’t find any Bitcoin service folders, it installs a cryptomining program for the cryptocurrency Monero.
  • Mobile banking Trojans: These Trojans are written to target cell phone banking apps. They steal login credentials or overwrite the legitimate apps with malicious ones.

Detecting Infection

The signs of infection by a Trojan are the same as for most malware.

  • Loss of Speed: Your computer is running slower than usual.
  • Pop-Up Adverts: You see pop-up adverts or notifications, especially in browser windows.
  • Crashes and Freezes: Your system becomes unstable.
  • Low Hard Drive Space: Your hard drive is full, without explanation.
  • Unusual Internet Activity: This can be an indication that keystrokes are being sent back to the threat actors.
  • Your Computer is Laboring: If the fan is always loud and the computer is running hot, it might be cryptomining in the background.
  • Browser Changes: Home page changes or increased pop-up alerts are signs of infection.
  • Anti-Virus is Throttled: You can’t scan your computer. Some malware can disable anti-virus and other end-point security software.
  • The Ransomware Tells You!: If you have ransomware, the malware will tell you itself.

Avoiding Infection

Cybersecurity is a blend of human behavior and technical defenses—and don’t underestimate how critical the human behavior element is.

  • Adopt a healthy degree of caution: treat all unsolicited email as suspicious, and don’t open attachments or click on links in emails that you do not have a reason to trust.
  • Hover your mouse over links in all emails, trusted or otherwise, and check that the address that appears in the pop-up tooltip is the same as the one the link says you’ll be taken to.
  • Don’t install or download software—or anything else—from websites that you do not trust, or that operate illegally.
  • Keep your operating system and all applications on your computer patched up to date with bug-fix patch releases and security updates.
  • Ensure your end-point security suite (anti-virus, anti-malware) is automatically updated with malware signatures.
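The "hover and compare" check from the list above can also be applied mechanically to an email's HTML body. The following script is an added example, not code from the article: it collects every link, compares the domain named in the visible text with the domain the href actually points to, and flags any disagreement. The sample message and its .test domains are constructed placeholders.

```python
# Added example (not from the article): run the "hover and compare" check from
# the list above over an HTML e-mail body and flag links whose visible text
# names a different domain from the href's. The .test domains are placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(url):
    """Last two labels of the URL's host ('' when the text is not a host name)."""
    host = (urlparse(url).hostname or "").lower()
    if "." not in host or any(c.isspace() for c in host):
        return ""
    return ".".join(host.split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html_body):
    """Return (shown text, real href) pairs whose domains disagree."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        # Bare "www.example.test" text is treated as a URL so it can be compared.
        shown = registrable_domain(text if "://" in text else "https://" + text)
        if shown and shown != registrable_domain(href):
            flagged.append((text, href))
    return flagged


SAMPLE_EMAIL = (  # constructed sample: an honest, a plain-text and a deceptive link
    '<a href="https://login.example-bank.test/">www.example-bank.test</a> '
    '<a href="https://news.example.test/covid">COVID-19 guidance</a> '
    '<a href="http://update-portal.attacker.test/x">https://www.example-bank.test/secure</a>'
)
```

Only the third link is flagged: its text claims to lead to the bank, but the href goes elsewhere. Links whose text is ordinary wording rather than an address are skipped, because there is nothing to compare.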

When you’re treating unsolicited emails as if they were anonymous packages that have been found in reception, you’re doing it right.