MALWARE HISTORY - TROJAN HORSES

11 August 2008
Trojan horses are probably the most widespread security threat today.

The term “Trojan” denotes a piece of software that leads the user to believe it performs a specific task while in fact it performs an entirely different action, one that most of the time harms the user or the computer. Usually, a Trojan horse downloads and installs a computer virus. Other times the Trojan carries no hidden payload, in which case it is harmless. The most important point of terminology, however, is that Trojan horses are completely different from viruses: they lack self-replication capabilities and rely heavily on the computer user to cause damage. Trojan horses usually spread by social-engineering techniques. The term covers a wide range of tricks that lead the end user into divulging confidential information; the social engineer usually poses as a legitimate business (a bank, a credit company or a corporate IT staff member) requesting “verification” of information. The most recent social-engineering technique tricks a user who is trying to watch video content (usually downloaded via P2P networks) into installing a special codec that ultimately proves to be a backdoor or an exploit.

For instance, Trojan-Downloader.Zlob.Media-Codec often claims to be an important upgrade to Windows Media Player that allows users to enjoy adult video directly from the web. Instead, it downloads and installs rogue security programs such as SpywareQuake, SpyFalcon and WinAntivirusPro. Other variants even feature backdoor functionality that allows an attacker to seize control over the entire machine.

As Trojans are extremely specialized software applications, they can be broken down into several categories by the way they affect the host computer. Although there is no firmly established classification of Trojan horses, they can be accurately labeled according to their behavior and purpose.

Remote Access Trojans are by far the most aggressive manifestation of this type of malware. Once installed, they grant third-party human users complete control over the system. Another notable aspect is that Remote Access Trojans (also known as RATs) allow the person at the other end of the Internet connection to monitor the user’s desktop, download and install other software, record keystrokes or even export critical files to other locations (using either FTP or HTTP).

The author of such a Trojan application gains complete control over the system and can use it in any way that suits their malicious purposes. Many times, RAT authors use the “captured” machine to store games and other cracking tools, taking up nearly all of the user’s available hard disk space and resources.

The most “popular” Remote Access Trojans are Back Orifice and SubSeven. They are all-in-one hacking toolkits that let their operators take screenshots, capture sound and video, or intercept keystrokes and sensitive passwords. Such tools come with their own FTP and HTTP servers to increase their efficiency. However, their complexity is reflected in a large installation file, which varies between 100 and 300 KB.

Data Destruction Trojans have the ability to completely erase or corrupt the data stored on the computer, be it operating system files or user data.

Data destruction and corruption are usually the result of viruses. However, there are various types of malware that spread like Trojans while their payload is strikingly similar to that of viruses.

Although such malware does not endanger users’ banking credentials or other confidential information, it takes the computer out of service and causes significant data loss. For instance, imagine that you have a presentation due the next day and it gets wiped out by a data destruction Trojan. This would be a critical blow to your career, not to mention that your system will be out of order until the IT specialists clean it and then re-install the necessary applications. A newer approach to tampering with users’ files involves a Trojan that launches a cryptoviral attack on users’ personal data. If they want their data back, they have to pay the attacker a specified amount of money as part of an extortion scheme.

Malware authors have been using cryptography to hide the payload for quite a while now, but cryptoviral attacks encrypt files with many different extensions and then instruct their owner to send money to a specific account. The first piece of malware to request a ransom in exchange for the affected files was the “Win32.Gpcode.ag” virus.

Downloader Trojans are software applications that cannot harm a computer by themselves if the system is not connected to the Internet. Their payload code connects to the Internet and then facilitates the installation of other applications on the host computer. Downloaders may install adware and spyware (along with other types of malware) from multiple servers or sources on the Internet.

Security Software Disablers are Trojans that, once installed on the host computer, try to stop or kill security software such as antivirus applications or firewalls without the user’s consent. More than that, such Trojans often come bundled with another Trojan or virus that acts as the payload. Once antivirus or firewall applications are disabled, the compromised system is completely unprotected against subsequent attacks coming from the Internet.

Denial-of-Service (DoS) Trojans are specially crafted pieces of software that do not affect the host PC. Instead, they are designed to hinder or stop the normal functioning of a web site, server or other network resource by flooding it with more network traffic than it is able to handle. Distributed Denial-of-Service (DDoS) attacks are somewhat similar to DoS ones, except that they are carried out using multiple compromised machines at the same time. Attackers often use a compromised machine as the “master”, a computer that co-ordinates the attack across the other infected machines (also known as zombies).

Dialers are Trojans that had their heyday in the days of dial-up connections. This type of Trojan uses the modem and phone line to place calls to premium-rate phone numbers. Dialers usually promise instant access to certain resources, and while the user is aware of the dialer’s presence, they are often unaware of the premium call charges. The most common incarnation of this type of malware is the so-called porn dialer. Similar approaches use web pages that connect to premium services, also related to the porn industry.

BitDefender was the world’s first antivirus provider to include an anti-dialer module that prevents both known and unknown malicious applications from dialing premium-rate numbers using the computer modem.

Keyloggers are extremely malicious Trojans, designed entirely for profit. While they do not disrupt normal operation on the infected computer, they monitor, log and send each keystroke to a remote location, using either e-mail or FTP. While some keyloggers are sold as legitimate commercial software designed to monitor children’s online activity, they are mostly used for malicious purposes, such as stealing banking or other login credentials. Keyloggers have reached an extremely high level of sophistication that allows their creators to monitor only specific activities, in order to keep the size of log files down. For instance, they can record only information entered into specific forms displayed within specific web pages (the primary targets are online stores, e-banking services and e-mail service providers).

You can safely pass sensitive data to a web form using a virtual keyboard application, such as the On-Screen Keyboard bundled with the Microsoft Windows operating system. Note that this protects only against keyloggers that capture physical keystrokes; a Trojan that records the contents of specific web forms, as described above, still sees the data.


Bogdan never trusts anything until it is disassembled into small pieces and carefully inspected. The passion for writing and the almost obsessive attention to details are some of his greatest qualities and, at the same time, some of his greatest flaws.
