Malware has been around for decades, and Trojans are one of the oldest forms. Despite their age, they’re more advanced than ever.
Here we examine:
- What they are
- A little bit of their history
- How they work
- Common variants
- How to identify symptoms of a breach
- Best practices for protecting yourself and your organization against them
What is a Trojan?
Trojan malware, often simply referred to as a “Trojan” or “Trojan Horse”, is a type of malware that deceives users by appearing to be legitimate or innocuous software.
Unlike viruses that replicate themselves, or worms that spread across networks on their own, Trojans typically don’t self-replicate. Instead, they rely on users to inadvertently install them, usually by downloading what appears to be a useful program or clicking on a deceptive link.
Once installed, a Trojan can perform a range of harmful activities: stealing sensitive data, creating backdoors for unauthorized access, downloading additional malware, or degrading the performance of the infected device.
Their deceptive nature and the potentially severe impacts they cause make them a significant cybersecurity threat.
History of Trojan Malware
The name is obviously inspired by the ancient Greek story. The cybersecurity term “Trojan Horse” is an appropriate moniker for the way this type of malware functions. It was coined in the 1970s to describe malicious software that disguises itself as legitimate software.
One of the earliest known Trojans was the “ANIMAL” program, written in 1975. It was a simple guessing game, but it included a component called “PERVADE” that copied the game into every directory the current user could write to, demonstrating the potential for seemingly harmless programs to carry hidden code.
Trojans evolved through the 1980s and 1990s as personal computing became more widespread. During this time they began to be used more frequently to gain unauthorized systems access. One notable example is the “AIDS Trojan” from 1989, also known as the “PC Cyborg Trojan.”
It was distributed on floppy disks and claimed to be a program providing information about the AIDS virus. After a set number of reboots it scrambled the names of files on the victim’s hard drive and demanded payment for a “licence” to restore them. This is widely considered the first instance of ransomware.
The Internet Helps Trojans Evolve
The meteoric rise of the internet in the late 1990s and early 2000s gave Trojans an easy way to spread. The malware was getting more sophisticated too: remote access Trojans such as “Back Orifice” appeared, and with the rise of banking Trojans like “Zeus”, theft of financial data became an increasing concern worldwide.
The landscape of Trojan malware is more dangerous and complex than ever. The rise of sophisticated attack vectors and the increasing interconnectivity of devices have led to the development of advanced variants that can evade detection and persist within systems for extended periods of time.
Examples include “Emotet”, that got its start as a banking Trojan in 2014 but evolved into a versatile malware distribution platform, and “Dridex”, which has been used in multiple large-scale financial fraud campaigns.
How Trojans Work
Trojans deceive users into executing a program that appears legitimate but secretly performs malicious actions on the host machine. The first stage is distribution, often through phishing emails, deceptive websites, or bundling with otherwise legitimate software.
Attackers trick users into downloading and running the Trojan, believing it to be a harmless application like a game, utility, or document.
Once it executes, the Trojan installs itself on the victim’s device, often embedding deeply into the system to avoid detection. It then performs a variety of malicious activities depending on its design and the attacker’s intent.
Common actions Trojans take include creating backdoors that allow remote attackers to gain access and control over the infected system, keystroke logging that captures sensitive information, and data exfiltration to remote servers under the attackers’ control.
Some are designed to download and install additional malware. This turns the compromised device into part of a larger botnet used for coordinated attacks such as distributed denial of service (DDoS).
Trojans often disguise their presence by disabling security software, altering system settings, and using evasion techniques. They may be repacked or otherwise modified between samples so that hash-based and signature-based antivirus detection fails, and they commonly encrypt their command-and-control traffic to evade network monitoring.
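The repacking described above is why a signature built only from a file hash stops matching as soon as the attacker changes a single byte, while a signature built from a byte pattern with wildcards keeps matching. The following is an added example, not code from the original article: the "samples" are constructed byte strings, and the marker string and DLL name are hypothetical.

```python
"""Compare a hash-based signature with a byte-pattern signature on a
constructed sample and a trivially repacked variant of it.
Added example: the sample bytes, marker string and DLL name are made up."""
import hashlib
import re

# Constructed "known bad" sample: a fake header, padding, and a loader marker.
ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"cmd.exe /c start backdoor.dll"   # hypothetical marker the loader carries
    + b"\x00" * 8
)

# Signature 1: exact SHA-256 of the known sample (a typical hash IOC).
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest()}

# Signature 2: a byte pattern with wildcards for the parts the attacker changes.
PATTERN_SIGNATURES = {
    "loader_marker": re.compile(rb"cmd\.exe /c start [A-Za-z0-9_]+\.dll"),
}


def hash_match(sample: bytes) -> bool:
    """True only if the file's SHA-256 is in the hash list."""
    return hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES


def pattern_match(sample: bytes) -> list[str]:
    """Names of every byte-pattern signature that fires on the sample."""
    return sorted(name for name, rx in PATTERN_SIGNATURES.items() if rx.search(sample))


def repack(sample: bytes) -> bytes:
    """Simulate what a malware builder does per campaign: rename the payload
    and change the padding. The behaviour is unchanged, the hash is not."""
    return sample.replace(b"backdoor.dll", b"upd4te.dll") + b"\x90" * 4


def scan(samples: dict[str, bytes]) -> dict[str, dict]:
    """Run both signature types over a set of samples and return the verdicts."""
    return {
        name: {"hash_hit": hash_match(data), "pattern_hits": pattern_match(data)}
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in scan({"original": ORIGINAL, "repacked": repack(ORIGINAL)}).items():
        print(name, verdict)
```

The repacked variant misses the hash signature but still trips the pattern signature, which is why detection content written against stable structure (strings, code sequences, import tables) outlives indicator lists of file hashes.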
The impact can be severe and includes financial loss, identity theft, and loss of sensitive or personal data. In corporate environments, Trojans can lead to significant data breaches, operational disruptions, financial loss, and reputation damage.
Most Common Types of Trojans
There are multiple types of Trojans. Let’s briefly run down some of the most common and some popular examples.
Information Theft Trojans
Attackers use this type of Trojan to collect and steal data from the victim’s system. Examples include Agent Tesla and FormBook.
Remote Access Trojans
These Trojans give attackers remote access over the infected system. Examples include Poison Ivy and Gh0st RAT.
Backdoor Trojans
These create a backdoor on a system and allow attackers to bypass normal authentication procedures and gain remote control. NetBus and Back Orifice are two of the most popular.
Ransomware Trojans
Trojans are one of the mechanisms attackers use to deliver ransomware, which encrypts the victim’s data and demands a ransom for decryption. Even when the victim pays, the data is not always recovered. Examples include CryptoLocker, which was delivered by email attachments and downloader Trojans, and WannaCry, which used a Trojanized dropper but then spread on its own as a worm.
Fake Antivirus Trojans
These simulate antivirus software and scare users into believing their system is infected. This prompts them to pay for fake malware removal. Some refer to this type of malware as “scareware”.
DDoS Trojans
This category infects a network of computers and turns them into a botnet to launch Distributed Denial of Service (DDoS) attacks. Mirai is the best-known botnet of this kind, although it spread mostly by scanning for IoT devices with default credentials rather than by tricking users. LOIC (Low Orbit Ion Cannon) is often mentioned alongside it, but it is a DDoS tool its users run voluntarily, not a Trojan.
Downloader Trojans
Downloaders install additional malicious software on the victim’s device, which can include other categories of Trojans, ransomware, or spyware. Emotet and Upatre are two of the most common.
Symptoms of a Trojan Attack
By design, attackers build Trojans to operate with stealth and avoid detection, so diagnosing one can be difficult. But there are several symptoms that may indicate the presence of a Trojan infection.
Performance Issues
One tell-tale sign is a significant decrease in system performance. If your computer suddenly becomes sluggish, starts crashing frequently, or takes much longer to boot up or shut down it could be a Trojan affecting system resources.
Behavior Anomalies
Another symptom is unusual behavior from your applications or operating system. This includes programs opening or closing on their own, settings being altered without your knowledge, or unfamiliar icons or files appearing.
Many Trojans try to disable antivirus software and other security measures, so if you find that your antivirus program is unexpectedly turned off or you can’t update it, this could be an indicator of compromise.
Network Abnormalities
Network activity can also provide clues to a Trojan infection. If your connection is slower than usual, or if you notice unusual spikes in data usage, this could indicate that the Trojan is communicating with remote servers, uploading stolen data, or downloading additional malware. Monitor your network traffic for unknown or suspicious connections, in particular small connections that recur at regular intervals to the same external address (beaconing to a command-and-control server) and unusually large uploads to hosts you don’t recognize.
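The two network symptoms above, regular beaconing and bulk uploads, can both be pulled out of ordinary connection logs. The following is an added example rather than code from the original article: the log lines are constructed (host `ws-12` and the IP addresses are made up, from documentation ranges), the log format is assumed to be one connection per line with timestamp, source host, destination IP, port and bytes sent, and the thresholds are starting points to tune for a real network.

```python
"""Flag beaconing and bulk uploads in a constructed connection log.
Added example; the log format and thresholds are assumptions."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, source host, destination IP, port, bytes sent.
# One line is deliberately out of order, as exported logs often are.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-12 203.0.113.7 443 412
2024-05-01T09:00:05 ws-12 198.51.100.20 443 88000
2024-05-01T09:01:00 ws-12 203.0.113.7 443 409
2024-05-01T09:02:01 ws-12 203.0.113.7 443 415
2024-05-01T09:02:40 ws-12 198.51.100.20 443 12000
2024-05-01T09:03:00 ws-12 203.0.113.7 443 411
2024-05-01T09:04:00 ws-12 203.0.113.7 443 410
2024-05-01T09:07:13 ws-12 198.51.100.20 443 5000
2024-05-01T09:05:01 ws-12 203.0.113.7 443 413
"""


def parse_log(text: str) -> list[tuple]:
    """Parse lines into (timestamp, src, dst, port, bytes) and sort by time."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    rows.sort(key=lambda r: r[0])
    return rows


def find_beacons(rows: list[tuple], min_connections: int = 4, max_cv: float = 0.1) -> dict:
    """Return {(src, dst, port): mean_interval_seconds} for flows whose
    connection intervals are nearly constant (low coefficient of variation).
    Human browsing has irregular gaps; a C2 beacon with little jitter does not."""
    by_flow = defaultdict(list)
    for ts, src, dst, port, _ in rows:
        by_flow[(src, dst, port)].append(ts)

    beacons = {}
    for flow, times in by_flow.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # duplicate timestamps, not a beacon pattern
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            beacons[flow] = round(mean, 1)
    return beacons


def find_bulk_uploads(rows: list[tuple], threshold_bytes: int = 100_000) -> dict:
    """Return {(src, dst, port): total_bytes} for flows that sent at least
    threshold_bytes in total, a crude proxy for exfiltration."""
    totals = defaultdict(int)
    for _, src, dst, port, nbytes in rows:
        totals[(src, dst, port)] += nbytes
    return {flow: total for flow, total in totals.items() if total >= threshold_bytes}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("beacons:", find_beacons(rows))
    print("bulk uploads:", find_bulk_uploads(rows))
```

In the constructed log the 60-second connections to 203.0.113.7 are flagged as a beacon (their intervals vary by only a second or two) and the 105 KB sent to 198.51.100.20 is flagged as a bulk upload, while neither flow would look remarkable on a single-line basis. Real beacons add jitter, so raise `max_cv` or bucket intervals before comparing them when tuning this on production logs.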
Pop-ups and Advertisements
Pop-ups and unwanted advertisements are another clue. They might urge you to visit certain websites or download specific programs. Furthermore, some claim that your computer is infected and prompt you to buy fake antivirus software. Such behavior is typical of adware and fake AV Trojans.
How to protect from Trojans
Like most malware, cyber awareness and good cyber hygiene are key. Keep operating systems and applications patched, run scans on a schedule, and stay vigilant against phishing attempts.
Keep an eye on the URLs you visit and inspect links before you click on them; a reputation service such as AbuseIPDB can tell you whether the IP address behind a link has been reported for abuse. A security or privacy plugin from your browser’s extension store can help, but do your research before you install anything: Trojans hide in extensions too.
To mitigate the risks posed by Trojans, users and organizations should adopt a multi-layered approach to cybersecurity. Make sure software and systems are up to date and that you’re using reputable antivirus and anti-malware applications.
Additionally, cyber awareness training helps identify adversarial tactics like phishing and social engineering. Implement strong access controls and network security. Back up data at regular intervals and have incident response plans in place to minimize damage.
Summary
Trojans might be one of the oldest forms of malware, but they’re more advanced than ever. The variants use different attack vectors, but they share a goal: to disrupt systems and exfiltrate data.
Knowing what symptoms to look for makes it easier to diagnose a breach, but prevention is far cheaper than cleanup. Practicing a defense-in-depth cybersecurity strategy that includes security awareness training equips organizations to prevent malware infections.