What is a Trojan Horse and what threat does it pose?
Since "Trojan Horses" (or backdoors) have been in the news recently, the term probably sounds familiar to you. But perhaps you’re not quite sure what a Trojan Horse is and what damage it can do to your system. Trojan Horses, of which there are now more than one thousand in circulation (including modifications and variants), are a relatively new and probably the most dangerous strain of viruses to have appeared in recent times. They also threaten to overwhelm systems that rely only on anti-virus applications and firewalls to combat the threat. Today’s "Trojans", as they are commonly referred to, have attained such a degree of sophistication that they pose a real threat to any user who hasn’t taken adequate precautions to protect their data.
The name "Trojan Horse" derives from an episode in Greek history, when the Greeks had laid siege to the fortified city of Troy for over ten years. Their spy, a Greek called Sinon, offered the Trojans a gift in the form of a wooden horse and convinced them that by accepting it they would become invincible. The horse, though, was hollow and was occupied by a contingent of Greek soldiers. When they emerged in the dead of night and opened the city gates, the Greeks swarmed in, slaughtered its citizens and subsequently pillaged, burned and laid waste to the city.
In the IT environment, the Trojan Horse acts as a means of entering the victim’s computer undetected and then allowing a remote user unrestricted access to any data stored on the user’s hard disk drive whenever he or she goes online. In this way, the user gets burned and like the unfortunate citizens of Troy, may only discover that fact when it is too late.
These types of viruses were originally designed as a means of self-expression by gifted programmers and did little more than cause the system to lock up, behave abnormally in a specific way or perhaps cause loss of data on the user’s machine.
Nowadays, though, Trojans have a much more sinister purpose. Their primary objective is to give a remote user a means of gaining access to a victim’s machine without their knowledge. Once that has been achieved, the intruder can do anything with the machine that the user can do. An intruder’s usual objective is to browse the user’s hard drive in order to determine whether there is anything of value stored on it. That could be almost anything: valuable research papers, credit card details or passwords to restricted web sites, for example. If anything of value is found, the intruder can copy the data to his own hard drive in exactly the same way that the user can copy a file to a floppy disk. The worst thing is that all these processes are hidden from the user, who might be sitting in front of his own machine working on an entirely different document at the time. Unusual hard drive activity for no apparent reason may be the only indication that something is happening that shouldn’t be.
The intruder can also cause havoc to the system by deleting (system) files, erasing valuable data or ultimately destroying the hard drive. Simply adding a command to the autoexec.bat file can do that. The next time the unsuspecting victim boots the computer, it will automatically run the format command. Adding a certain flag to that command will also render the hard disk unusable.
Passwords offer no protection at all, because today’s Trojans are capable of recording the victim’s keystrokes and then transmitting the information back to the intruder. Those passwords can subsequently be deciphered by the Trojan and even changed in order to prevent the user from getting access to his own files!
In order to gain access to a user’s computer, the victim has to be induced to install the Trojan himself. The usual method is to offer a seemingly useful system enhancement or perhaps a free game that has the Trojan attached to it. By installing it, the user also installs the Trojan.
The most common sources of infection are as follows:
Executing any files from suspicious or unknown sources.
Opening an e-mail attachment from an unknown source.
Allowing a "friend" access to your computer while you are away.
Executing files received through any online messaging client such as ICQ.
Virtually every Trojan virus is comprised of two main parts, called the "server" and the "client". It is the server part that infects a user’s system.
Once infected, the computer becomes accessible to any remote user, usually referred to as a "cracker" or "intruder", who has the client part of the Trojan. That person can perform any action that the user can. For example, if the user keeps his credit card details on the computer, the intruder can steal that information. He may not necessarily make use of the credit card himself, but he can certainly sell the information to a third party who can then go on a spending spree at the user’s expense. The intruder can also steal passwords in order to gain access to restricted information or to password-protected web sites.
In addition, the intruder can cause the system to reboot without warning, shut down without warning, eject the CD-ROM tray, delete files, add files, make use of the user’s e-mail client, and so on. The possibilities are endless.
Let’s suppose that you have already been infected. How do intruders attack and gain full control of your computer?
Practically every Trojan virus has two functional parts called the server and the client. The server part is the part of the program that infects a victim’s computer. The client part is the one that allows a hacker to manipulate data on the infected machine.
Intruders scan the Internet for an infected user (technically speaking, an attacker sends request packets to all users of a specific Internet provider) using the client part of the virus. Once an infected computer has been found (the server part of the virus located on the infected machine replies to the client part’s request), the attacker connects to that user’s computer and creates a "link" between the two, just like the one in an ordinary telephone conversation. Once that has happened (this procedure may take only a few seconds), the intruder has unrestricted access to the user’s computer and can do anything he likes with it. The intruder becomes the master and the user the slave because, short of disconnecting from the Internet, the user is helpless and has no means at his disposal to ward off an attack.
Intruders can monitor, administer and perform any action on your machine just as if they were sitting right in front of it.
A Trojan Horse works a bit like the backdoor to your house. If you leave it unlocked, anybody can come in and take whatever they want while you’re not looking. The main difference with a backdoor installed on your computer is that anybody can come in and steal your data, delete your files or format your hard drive even if you are looking. There are no visible outward signs that anything untoward is happening other than perhaps unusual hard disk activity for no apparent reason.
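The server/client "link" described above leaves one trace a defender can look for on the infected machine itself: a listening TCP port that is not part of the machine's normal inventory, possibly with an established session from an unknown remote address. The following added example (not Tauscan's own code or detection logic) parses a constructed, netstat-style listing and reports listeners outside an assumed allowlist of expected ports, together with any remote peers currently connected to them. The sample output, the port numbers and the allowlist are all assumptions made for the illustration.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of a "netstat -ano" listing (not real captured data).
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State        PID
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING    892
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING    4
TCP    0.0.0.0:6789           0.0.0.0:0              LISTENING    1480
TCP    192.168.1.20:6789      203.0.113.9:51022      ESTABLISHED  1480
TCP    192.168.1.20:49200     198.51.100.4:443       ESTABLISHED  2211
UDP    0.0.0.0:137            *:*                                 4
"""

# Assumed inventory: ports this hypothetical workstation is expected to listen on.
EXPECTED_LISTEN_PORTS = {135, 137, 445}

# One row: protocol, local address, foreign address, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<laddr>\S+)\s+(?P<faddr>\S+)\s+"
    r"(?P<state>[A-Z_]+)?\s*(?P<pid>\d+)$"
)


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Turn the listing into dicts; the header and any unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def local_port(addr: str) -> int:
    """'192.168.1.20:6789' -> 6789 (the part after the last colon)."""
    return int(addr.rsplit(":", 1)[1])


def find_unexpected_listeners(text: str, expected_ports=EXPECTED_LISTEN_PORTS) -> List[Dict]:
    """Report TCP listeners not in the inventory, plus any remote peer linked to them.

    A listener outside the inventory is the 'server' half of the Trojan waiting for
    a client; an ESTABLISHED session on the same port is the live link to the intruder.
    """
    rows = parse_netstat(text)
    suspects: Dict[int, Dict] = {}
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "LISTENING":
            port = local_port(r["laddr"])
            if port not in expected_ports:
                suspects[port] = {"port": port, "pid": r["pid"], "remote_peers": []}
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED":
            port = local_port(r["laddr"])
            if port in suspects:
                suspects[port]["remote_peers"].append(r["faddr"])
    return sorted(suspects.values(), key=lambda s: s["port"])


if __name__ == "__main__":
    for s in find_unexpected_listeners(SAMPLE_NETSTAT):
        peers = ", ".join(s["remote_peers"]) or "none"
        print(f"unexpected listener on port {s['port']} (PID {s['pid']}), connected peers: {peers}")
```

The allowlist is the weak point of this approach: it must come from a real inventory of the machine's services, and a hit means "investigate the process behind this PID", not "confirmed Trojan".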
Each of the Trojan classes described next contains a variety of crackers’ tools. Tauscan is capable of removing all of these classes if it detects them. To view the Trojans in each class, click on the Database button on the Tauscan toolbar.
These are probably the most popular and very likely the most dangerous of the many Trojan classes currently available. It is these types that work in server/client mode. The server part installs itself on the unsuspecting user’s computer and the client remains on the attacker’s system. Once an infected machine has been discovered, the intruder establishes a link between the two. He can subsequently perform any action the user can, and more. For example, let’s assume that the user has valuable data stored in a folder called "ABC" on his C: drive. In order to steal that data, all the intruder needs to do is drag and drop the folder called ABC from the user’s C: drive onto his own. It’s as simple as that!
Another popular type of Trojan in hackers’ circles is the mail Trojan. It works in server mode only and its main function is to record certain data such as the keystrokes the user enters when passwords are typed, the web sites he regularly visits and files in general. An infected machine will automatically send the information by e-mail to the attacker. These are very difficult to spot because the e-mail client is part of the Trojan itself.
This particular class of Trojan works in server mode only. It allows FTP access to an infected machine and can download or upload files at the intruder’s whim.
Telnet Trojans run in server mode only and allow an intruder to execute DOS commands on a remote machine.
These Trojans record the keystroke input on an infected machine and then store the information in a special log file that the intruder can access in order to decipher passwords.
This type of Trojan uses fake dialog boxes and other bogus windows that purport to show that the user has attempted to perform an illegal operation. By displaying a dialog box, its sole purpose is to get the user to enter his user name and password. That information is then stored on file so that the intruder can use it at a later date.
This is a Trojan that, once installed, gathers the user’s personal data, such as the IP address, passwords and other personal information he or she has stored on the system, and then, by connecting to the cracker’s web page, submits it through an online form via HTTP. The cracker can then use the information gained whenever he wishes. The Trojan performs this function without any user intervention and without the user’s knowledge. The user will not see any indication of the transmission, such as pop-up windows, that would reveal that this is taking place.
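The mail Trojan described earlier and the HTTP form-submitting Trojan described above share one observable: the infected workstation sends the stolen data out on its own, either as SMTP traffic that does not go through the site's mail relay, or as an HTTP POST to a web host nobody on the network normally uses. The following added example (not Tauscan's own code or signatures) runs two such checks over constructed outbound firewall log lines. The log format, the relay address 192.168.1.5 and the trusted web host list are assumptions for the illustration.

```python
import re
from typing import List, Tuple

# Constructed outbound-connection log (key=value fields); not real captured traffic.
SAMPLE_LOG = """\
2003-05-12T09:14:02 src=192.168.1.20 dst=198.51.100.4 dport=443 method=- host=www.example.com
2003-05-12T09:14:05 src=192.168.1.20 dst=203.0.113.25 dport=25 method=- host=-
2003-05-12T09:14:09 src=192.168.1.20 dst=203.0.113.80 dport=80 method=POST host=203.0.113.80
2003-05-12T09:14:11 src=192.168.1.30 dst=192.168.1.5 dport=25 method=- host=-
2003-05-12T09:14:15 src=192.168.1.30 dst=198.51.100.4 dport=443 method=POST host=www.example.com
"""

# Assumed site policy: workstations may only speak SMTP to this relay, and form
# submissions are expected only to these web hosts.
MAIL_RELAYS = {"192.168.1.5"}
TRUSTED_WEB_HOSTS = {"www.example.com"}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

Finding = Tuple[str, str, str]  # (timestamp, source address, reason)


def parse_line(line: str) -> dict:
    """'<ts> k=v k=v ...' -> dict with the timestamp stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def flag_exfiltration(log_text: str,
                      mail_relays=MAIL_RELAYS,
                      trusted_web_hosts=TRUSTED_WEB_HOSTS) -> List[Finding]:
    """Flag the two outbound patterns a data-stealing Trojan produces.

    1. SMTP (port 25) straight to an outside host: a mail Trojan carries its own
       e-mail client, so it bypasses the relay every legitimate client uses.
    2. HTTP POST to a host outside the trusted list, especially a raw IP address:
       the stolen data being submitted as a web form to the cracker's page.
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f["dport"] == "25" and f["dst"] not in mail_relays:
            findings.append((f["ts"], f["src"],
                             f"direct SMTP to {f['dst']} bypassing the mail relay"))
        if f["method"] == "POST" and f["host"] not in trusted_web_hosts:
            kind = "raw IP address" if IPV4_RE.match(f["host"]) else "untrusted host"
            findings.append((f["ts"], f["src"],
                             f"HTTP POST to {kind} {f['host']}"))
    return findings


if __name__ == "__main__":
    for ts, src, reason in flag_exfiltration(SAMPLE_LOG):
        print(f"{ts} {src}: {reason}")
```

Both rules work from a network choke point rather than the infected machine, which matters because the text is right that the victim sees nothing locally. They only narrow the search: a hit on 192.168.1.20 says which workstation to pull off the network and scan, not what was taken.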