Trojan horse overview


7/29/2019 Trojan horse overview

http://slidepdf.com/reader/full/trojan-horse-overview 1/6

Trojan-Horse: An Overview
Posted On December 10, 2011 by Sneha Latha, filed under Miscellaneous

Dr. Sachin Kadam

A Trojan horse is a computer program that carries out malicious operations without the user's knowledge. The author explains the Trojan horse in detail.

1: Introduction 

All computer users come across various kinds of malware while using their systems. Malware (malicious software) is software designed to secretly access a computer system without the owner's informed consent. The expression is a general term used by computer professionals for a variety of forms of hostile, intrusive or annoying software or program code.

Software is classified as malware based on the perceived intent of its creator rather than on any particular feature. Malware includes computer viruses, worms, Trojan-horses, spyware, adware and other malicious and unwanted programs.

Of these types, spyware and adware are easy enough to understand from their names, as both compromise your privacy. The most common blunder people make when the other kinds of malware (virus, worm and Trojan-horse) come up is to call all of them viruses. While the words Trojan, worm and virus are often used interchangeably, they are not the same. Viruses, worms and Trojan-horses are all malicious programs that can damage your computer, but there are differences among the three, and knowing those differences can help you protect your computer from their often damaging effects. The following section discusses their intrinsic nature in brief.

2: Computer Virus, Worm and Trojan-Horse 

2.1: Computer Virus

A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses range in severity: some cause only mildly annoying effects while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but cannot infect it unless you run or open the malicious program. It is important to note that a virus cannot spread without a human action (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or sending e-mails with viruses as attachments.

2.2: Computer Worm

A computer worm is similar to a virus in its design and is often considered a sub-class of virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a devastating effect. One example would be a worm that sends a copy of itself to everyone listed in your e-mail address book. Then the worm replicates and sends itself to everyone listed in each receiver's address book, and the process continues down the line. Because of the copying nature of a worm and its ability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing web servers, network servers and individual computers to stop responding.

2.3: Trojan-Horse 

A Trojan-horse at first glance appears to be useful software but actually does damage once installed or run on your computer. Those on the receiving end of a Trojan-horse are usually tricked into opening it because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (changing your desktop, adding silly active desktop icons), while others cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate.

A comparison of their respective functionalities shows that Trojans are comparatively less complex than the other two. Therefore in this article we will discuss Trojans in detail, leaving viruses and worms for later articles. The Trojan-horse is a platform-independent concept: Trojans exist for almost all popular platforms, including Windows and Linux. As they are more prevalent on Windows (more because of the popularity of that platform than because of technological loopholes in it), this article concentrates on the Windows platform.

3: Understanding the Concept of Trojan-horse 

The Trojan-horse borrows its name from the old mythical story of how the Greeks gave their enemy a huge wooden horse as a gift, and how, after the enemy accepted it, Greek soldiers crept out of the horse during the night and conquered the city. The Trojan-horse is a tale from the Trojan War. It was the trick that finally allowed the Greeks to enter the city of Troy (whose inhabitants were known as Trojans) and end the conflict after a fruitless 10-year siege. The Greeks constructed a huge wooden horse and hid a select force of 30 men inside. The Greeks pretended to sail away, and the Trojans pulled the horse into their city as a victory trophy. That night the 30 Greek men crept out of the horse and opened the gates for the rest of the Greek army, which had sailed back under cover of night. The Greek army entered and destroyed the city of Troy, decisively ending the war.

In the light of this mythical story, a Trojan-horse in the computer domain can be defined as:

• An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user.

• A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown (and probably unwanted) by the user.

• Any program that appears to perform a desirable and necessary function but (because of unauthorized code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user.

Note: The term 'Trojan-horse' will from here on be referred to as 'trojan' for the sake of brevity.

4: Working of a Trojan 

Most trojans come in two parts: a client and a server. There are exceptions where the trojan does not need a client, because it is able to do what it was written for (stealing passwords, business data etc.) automatically, without any intervention from the attacker. Those that use both a client and a server, however, need the attacker's participation. Once the victim runs the server (unknowingly), the attacker uses the client to connect to the server (the victim's computer) on a port and starts operating the trojan. TCP is the usual transport, but there are exceptions that use UDP or ICMP.

When the server is executed on the victim's machine, it hides itself somewhere on the computer and starts listening on the port specified by the attacker. Most servers listen for incoming connections as soon as they are run; some wait for a period of time first, to reduce the risk of being detected. The attacker needs to know the victim's IP address in order to connect to his or her machine, so many trojans have features such as mailing the victim's IP address to the attacker. Note that many later trojans invert this arrangement: the server connects out to the attacker (a "reverse connection"), which needs no knowledge of the victim's address and also passes through NAT and firewalls that block inbound connections.
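The listening server just described leaves a footprint that can be checked from the victim's side: a socket bound to a port that no known program should own. The script below is an added example, not code from the article. It parses the text output of the Windows commands netstat -ano and tasklist (the two samples are constructed; the process names, ports and the expected-listener baseline are assumptions for illustration) and flags every listener that is not in the baseline, rating loopback-only listeners lower because nothing off the host can reach them.

```python
"""Audit listening sockets on a Windows host against a baseline of expected
listeners, using the text output of `netstat -ano` and `tasklist`.

Added example, not from the article. NETSTAT_SAMPLE, TASKLIST_SAMPLE and
BASELINE are constructed for illustration.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed `netstat -ano` output. TCP rows carry a state column; UDP rows do not.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       2044
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       1360
  TCP    192.168.1.5:49211      203.0.113.7:443        ESTABLISHED     1360
  UDP    0.0.0.0:5353           *:*                                    1360
  UDP    0.0.0.0:31337          *:*                                    2044
"""

# Constructed `tasklist` output: image name, PID, session name, session number, memory.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0         24 K
svchost.exe                    812 Services                   0     10,212 K
explorer.exe                  1360 Console                    1     45,000 K
update.exe                    2044 Console                    1      3,104 K
"""

# Assumed baseline: (image name, port) pairs that are expected to listen on this host.
BASELINE: Set[Tuple[str, int]] = {("svchost.exe", 135), ("System", 445)}

TASKLIST_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name; header and separator rows do not match the pattern."""
    pids: Dict[int, str] = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line.strip())
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids


def parse_netstat(text: str) -> List[Tuple[str, str, int, int]]:
    """Return (proto, local_ip, local_port, pid) for each listening socket.

    A TCP socket counts only in state LISTENING; UDP has no state column,
    so every bound UDP socket is treated as a listener.
    """
    listeners: List[Tuple[str, str, int, int]] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and parts[3] != "LISTENING":
            continue
        ip, port = parts[1].rsplit(":", 1)   # rsplit keeps IPv6 addresses intact
        listeners.append((parts[0], ip, int(port), int(parts[-1])))
    return listeners


def audit_listeners(netstat_text: str, tasklist_text: str,
                    baseline: Set[Tuple[str, int]]) -> List[dict]:
    """Report every listener whose (image, port) pair is not in the baseline.

    A listener bound only to loopback is rated low, since nothing off the
    host can reach it; any other unexpected listener is rated high and is a
    candidate trojan server whose owning process should be examined.
    """
    images = parse_tasklist(tasklist_text)
    findings: List[dict] = []
    for proto, ip, port, pid in parse_netstat(netstat_text):
        image = images.get(pid, "<unknown>")
        if (image, port) in baseline:
            continue
        loopback = ip in ("127.0.0.1", "::1")
        findings.append({"proto": proto, "ip": ip, "port": port, "pid": pid,
                         "image": image, "severity": "low" if loopback else "high"})
    return findings


if __name__ == "__main__":
    for f in audit_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE, BASELINE):
        print(f"[{f['severity']}] {f['proto']} {f['ip']}:{f['port']} "
              f"is owned by PID {f['pid']} ({f['image']})")
```

On a live host, feed the functions the real command output (for example the saved text of `netstat -ano` and `tasklist`); a reverse-connecting trojan will not show up as a listener, so the ESTABLISHED rows to unfamiliar addresses deserve the same scrutiny.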

5: Initiation of a Trojan 

Generally, a trojan is started for the first time by an uninformed user. From then on it uses various strategies to start itself.

5.1: Auto-Start 

Most trojans use auto-starting methods in order to run each time your computer is started. These methods include, but are not limited to, the Windows Registry, some of the Windows system files, and third-party configuration files. The system files are located in the Windows directory. Here is a brief explanation of the most common auto-starting methods that use the Windows system files:

• Auto-Start Folder

The Autostart folder is located in C:\Windows\Start Menu\Programs\StartUp on Windows 9x and, as its name suggests, everything placed within this folder is started automatically. On later versions of Windows the folder is per user, at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, with an all-users folder at %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp.

• Win.ini

A Windows system file; a load=Trojan.exe or run=Trojan.exe line in its [windows] section executes the trojan.

• System.ini

Shell=Explorer.exe trojan.exe in the [boot] section results in the execution of every file listed after Explorer.exe.

• Wininit.ini

Mostly used by setup programs. It is processed once at the next boot and then deleted, which is very handy for trojans that need to restart.

• Winstart.bat

Acting as a normal batch file; the trojan is added as @trojan.exe to hide its execution from the user (the leading @ suppresses echoing of the command).

• Autoexec.bat

A DOS auto-starting file; it is used as an auto-starting method simply by adding a line such as c:\Trojan.exe.

• Config.sys

Could also be used as an auto-starting method for trojans, through its install= or shell= directives.

• Explorer Startup

An auto-starting method that starts 'C:\explorer.exe', if it exists. It will be started instead of the usual 'C:\Windows\explorer.exe', which is the normal path to the file.

Note: The above mentioned auto-starting methods are Windows 9x era mechanisms and are largely not relevant on later versions of Windows such as Windows Vista and Windows 7. The equivalents that survive live in the registry: the win.ini load= and run= lines map to the Load and Run values under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, and the system.ini Shell= line maps to the Shell value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

Note: The 'Trojan.exe' file name stands for the respective trojan's executable file name.

5.2: Windows Registry 

The Windows Registry is another commonly used place for trojan auto-starting methods. Here are some known ways (the value name 'Info' and the path c:\directory\Trojan.exe are placeholders):

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\directory\Trojan.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Info"="c:\directory\Trojan.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Info"="c:\directory\Trojan.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Info"="c:\directory\Trojan.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\directory\Trojan.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Info"="c:\directory\Trojan.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]

The last two keys hold the command Windows uses to open any .exe file. Its default value is "%1" %*; a trojan that changes it to c:\directory\Trojan.exe "%1" %* is started every time the user launches any program, and then runs the program the user actually wanted.

Note: The Run and RunOnce keys remain the most common registry auto-start locations on current versions of Windows, including Windows Vista and Windows 7. The RunServices and RunServicesOnce keys exist only on Windows 9x/ME.
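An added example, not from the article, that turns the two lists above into a check. It parses constructed copies of win.ini, system.ini and a reg export of the Run* keys and the .exe file handler, and reports every program they would launch, marking a non-default exefile handler as hijacked. The file contents, the path c:\directory\srv.exe and the value names are assumptions for illustration; on a live machine or a mounted disk image the same functions can be fed the real files and the output of reg export.

```python
"""Enumerate the classic Windows autostart locations (win.ini, system.ini and
the registry Run* keys plus the .exe file handler) from text copies.

Added example, not from the article. WIN_INI, SYSTEM_INI and REG_EXPORT are
constructed; the paths and value names in them are assumptions.
"""
import configparser
import re
from typing import List, Tuple

WIN_INI = """
[windows]
load=C:\\WINDOWS\\TEMP\\srv.exe
run=
NullPort=None
"""

SYSTEM_INI = """
[boot]
shell=Explorer.exe C:\\WINDOWS\\srv.exe
"""

# Constructed `reg export` text. Backslashes and quotes are escaped as in a real .reg file.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TrayApp"="C:\\Program Files\\Vendor\\tray.exe"
"Info"="c:\\directory\\srv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Users\\user\\AppData\\Local\\Temp\\cleanup.exe /s"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\directory\\srv.exe \"%1\" %*"
"""

AUTOSTART_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce",
                          "\\currentversion\\runservices",
                          "\\currentversion\\runservicesonce")
DEFAULT_EXE_HANDLER = '"%1" %*'   # what exefile\shell\open\command holds on a clean system

Finding = Tuple[str, str]   # (location, command line)


def _ini(text: str) -> configparser.RawConfigParser:
    # RawConfigParser: no % interpolation, so paths containing % are safe.
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    return cp


def audit_ini(win_ini: str, system_ini: str) -> List[Finding]:
    """Programs started by win.ini load=/run= and by extra tokens on system.ini shell=."""
    findings: List[Finding] = []
    win = _ini(win_ini)
    for opt in ("load", "run"):          # option names are lower-cased by configparser
        value = win.get("windows", opt, fallback="").strip()
        if value:
            findings.append((f"win.ini [windows] {opt}=", value))
    shell = _ini(system_ini).get("boot", "shell", fallback="Explorer.exe").split()
    if shell and shell[0].lower() != "explorer.exe":
        findings.append(("system.ini [boot] shell= (replaced shell)", shell[0]))
    for extra in shell[1:]:
        findings.append(("system.ini [boot] shell= (extra program)", extra))
    return findings


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """(key path, value name, string data) for each REG_SZ line of a .reg export."""
    entries: List[Tuple[str, str, str]] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line and line[0] in ('"', "@"):
            name, _, data = line.partition("=")
            if not (data.startswith('"') and data.endswith('"')):
                continue                          # DWORD/hex data: not a command line
            name = "(Default)" if name == "@" else name.strip('"')
            data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo .reg escaping of \ and "
            entries.append((key, name, data))
    return entries


def audit_registry(reg_text: str) -> List[Finding]:
    """Entries under the Run* keys, plus a hijacked exefile open handler."""
    findings: List[Finding] = []
    for key, name, data in parse_reg_export(reg_text):
        low = key.lower()
        if low.endswith(AUTOSTART_KEY_SUFFIXES):
            findings.append((f"{key}\\{name}", data))
        elif low.endswith("exefile\\shell\\open\\command") and name == "(Default)":
            if data.strip() != DEFAULT_EXE_HANDLER:
                findings.append((f"{key} (hijacked .exe handler)", data))
    return findings


def audit_all(win_ini: str, system_ini: str, reg_text: str) -> List[Finding]:
    return audit_ini(win_ini, system_ini) + audit_registry(reg_text)


if __name__ == "__main__":
    for location, command in audit_all(WIN_INI, SYSTEM_INI, REG_EXPORT):
        print(f"{location}\n    -> {command}")
```

The audit deliberately lists legitimate entries (the vendor tray program, the run-once cleanup) next to the suspicious ones; deciding which is which is the analyst's job, and the useful signal is usually the path (a Temp directory, a user-writable location) rather than the value name, which the trojan chooses.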

6: Functionality of a Trojan 

Trojans vary in their functions and abilities; the functionality is decided by their programmers.

Following is a brief summary of the most common functionalities found in trojans:

• Process Monitoring: The attacker has the ability to monitor all of your processes, start new ones, and kill the current ones.

• Registry Editing: Gives the attacker the ability to view/create/delete/change everything in the registry.

• Find Files: Provides the attacker with the ability to find any file on the hard drive, if he/she is looking for something particular.

• Disconnect Victim: The attacker can hang up the victim's connection to the Internet at any time.

• Screenshot: The attacker can take screenshots of your activities, which are transferred directly to his/her computer. There are more advanced functions related to this, including web-cam monitoring and microphone recording.

• FTP Server: The attacker may turn your PC into an FTP server accessible to the whole world or to the attacker only.

• Browser Control: Opens the browser at an address specified by the attacker.

• Privacy Invasion: Collects and sends out information about the victim's computer, e.g. Windows version, user name, company name, screen resolution etc.

• File Manager: Acts as an explorer for the attacker while browsing through your system.

• Retrieve Passwords: Provides the attacker with the passwords stored on your computer.

• Key-Logger: Maintains a log of all the keys a user presses, both offline and online.


• Fun: Many trojan writers have fun annoying others. Various annoying activities fall under this category:

o The attacker may toggle Scroll Lock, Caps Lock and Num Lock.
o The attacker may hide/show the desktop icons to annoy the user.
o The attacker may hide/show the Start button.
o The attacker may enable/disable the keyboard.
o The attacker may start/stop the victim's PC speaker.
o The attacker may restart Windows.
o The attacker may open/close the CD-ROM tray.
o The attacker may turn the monitor on/off.

The above listing is not exhaustive. The ultimate functionality of a trojan always depends on the intentions of its writer.

7: Modes of Trojan Contagion 

As we have already seen, trojans are executable files that need the computer user's help to start for the first time on a given system. A computer user may be exposed to a trojan in various ways. Following are the most common channels for this exposure:

7.1: e-Mail Attachments 

Many computer users are not careful web surfers. When they receive an e-mail with an attachment promising a free resource, they run it without fully understanding the risk to their machine.

Let us consider the following scenario to understand this better. 'You know your friend is a very skilled programmer. You also know that he is working on his latest program, and you are curious about it. You are expecting the finished program from him by e-mail, as an attachment. Suppose an attacker also knows that you are waiting for such an e-mail, and knows your friend's e-mail address. The attacker can then use a relaying mail server to forge the e-mail's From field so that it looks like your friend's address, and send you an e-mail with a trojan attached. You receive an e-mail appearing to come from your friend, with the trojaned attachment. You check your mail, see that your friend finally has his program ready and has sent it as an attachment, and you download and run it without considering that it might be a trojan or something else. In this way you have just been infected.'
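The forged e-mail in this scenario can be screened mechanically. The script below is an added example, not from the article: it parses a constructed raw message whose From header claims to be the friend but whose envelope sender (the Return-Path written by the receiving mail server) belongs to the relay, and checks for an executable attachment, including the 'double extension' trick of naming it program.txt.exe. All addresses, host names and the attachment name are assumptions for illustration.

```python
"""Screen a received e-mail for a forged From header plus an executable
attachment, the combination used in the scenario above.

Added example, not from the article. RAW_MESSAGE is constructed; the
addresses, the relay host and the attachment name are assumptions.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage
from typing import List

# Constructed message. Return-Path and Received are written by the receiving
# server, so they show the relay the message really came through.
RAW_MESSAGE = b"""\
Return-Path: <bounce@relay.example.net>
Received: from relay.example.net (relay.example.net [198.51.100.9])
\tby mx.example.org with ESMTP id 4Xk2; Sat, 10 Dec 2011 10:02:11 +0000
From: Friend <friend@example.com>
To: you@example.org
Subject: my program is ready
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Here it is, finally. Have fun!
--b1
Content-Type: application/octet-stream; name="program.txt.exe"
Content-Disposition: attachment; filename="program.txt.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA
--b1--
"""

# Extensions Windows will execute directly when the attachment is opened.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".hta", ".msi"}


def header_domain(value: str) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, address = email.utils.parseaddr(value)
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def risky_attachments(msg: EmailMessage) -> List[str]:
    """File names of attachments whose final extension is executable; a name
    like program.txt.exe is judged by its last extension, not the fake one."""
    names: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            names.append(name)
    return names


def sender_mismatch(msg: EmailMessage) -> bool:
    """True when the From domain differs from the envelope sender's domain:
    the usual footprint of a From field forged through a third-party relay."""
    return header_domain(str(msg.get("From", ""))) != \
        header_domain(str(msg.get("Return-Path", "")))


def screen(raw: bytes) -> dict:
    """Parse a raw message and decide whether it should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = risky_attachments(msg)
    mismatch = sender_mismatch(msg)
    return {
        "from": str(msg.get("From", "")),
        "executable_attachments": attachments,
        "sender_mismatch": mismatch,
        # Quarantine when both signals are present; either one alone is a warning.
        "quarantine": bool(attachments) and mismatch,
    }


if __name__ == "__main__":
    for k, v in screen(RAW_MESSAGE).items():
        print(f"{k}: {v}")
```

Return-Path is only as trustworthy as the server that wrote it, and a friend who really does send from a different relay will trip the domain check too; the robust form of the same idea is SPF, DKIM and DMARC validation at the receiving mail server, with executable attachments blocked outright.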

7.2: Freeware Software 

Freeware from an unverified source should be treated with suspicion, because bundling a trojan with a useful free program is a very easy and effective way for an attacker to infect your machine. No matter how suitable you find the program, remember that 'free is not always the best', and it is risky to use such programs blindly. Before using a freeware program, search for reviews of it (popular search engines will do) and look for other information about it. If you find reviews on respected sites, they have used and tested it and the chance of infection is reduced. If no reviews or comments about the software turn up in the search engines, it may be very risky to start using it. Reviews alone do not prove that the copy you downloaded is clean; checking the download against a hash or digital signature published by the developer is a stronger test.

Let us consider the following scenario to understand this better. 'Imagine a freeware e-mail client that is very suitable for your needs and very handy, with features like an address book, the option to check several POP3 accounts and many other functions that make it even better than your current e-mail client, and the best thing for you is that it is free. Fake programs with hidden functions often have professional-looking web sites. To make you trust the site, it may contain links to various anti-trojan software. A 'Readme.txt' may also be included along with other things in the setup to fool you into trusting it. Thus such a freeware program will infect your computer system in the disguise of an e-mail client.'

7.3: Physical Access 

The attacker may use the auto-run feature of a CD to infect a computer. On Windows 9x, almost every CD starts automatically when placed in the CD-ROM drive: Windows reads the 'autorun.inf' file on the disc and launches the setup interface it names. The following is an example of a simple 'autorun.inf' file:

[autorun]
open=setup.exe
icon=setup.exe

The open= line can name any program, so a trojan can be run alongside, or instead of, the real setup program. As most users are not aware of the CD's contents, their systems are easily infected. To avoid this, a computer user can turn off the auto-start functionality through the following settings:

Start Button → Settings → Control Panel → System → Device Manager → CDROM → Properties → Settings

This opens a dialog box containing an option called Auto Insert Notification. Turn it off to disable the auto-run feature. On Windows XP and later this dialog no longer exists; AutoRun is controlled instead by the NoDriveTypeAutoRun policy value under HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, where a value of 0xFF disables it for all drive types.
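An added example, not from the article, that shows how to read an autorun.inf before trusting the disc, and the modern replacement for the Auto Insert Notification switch. The autorun.inf text is constructed and goes beyond the one above to include the shellexecute= and shell\verb\command= keys, which are further launch vectors of the same file; the NoDriveTypeAutoRun value name and its bit layout are real, the drive types chosen for disabling are the reader's choice.

```python
"""List everything an autorun.inf would launch, and compute the
NoDriveTypeAutoRun policy mask that disables AutoRun on Windows XP and later.

Added example, not from the article. AUTORUN_INF is constructed; it uses the
shellexecute= and shell\\<verb>\\command= keys in addition to open=.
"""
import configparser
from typing import Iterable, List, Tuple

AUTORUN_INF = """
[autorun]
; constructed sample: a 'setup' disc that also launches a second program
open=setup.exe
icon=setup.exe
shellexecute=docs\\readme.html
shell\\install\\command=tools\\helper.exe /silent
shell=install
"""

# NoDriveTypeAutoRun is a bitmask: a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    "unknown_drive": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "unknown_type": 0x80,
}
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def launch_targets(inf_text: str) -> List[Tuple[str, str]]:
    """(trigger, command line) for each key in [autorun] that runs something.

    open= and shellexecute= fire on insertion when AutoRun is enabled;
    shell\\<verb>\\command= entries run when the verb is chosen from the
    drive's context menu (or on double-click if shell= makes it the default).
    icon=, label= and action= only decorate the entry and are ignored here.
    """
    # Only "=" is a delimiter, so a ":" inside a path such as C:\x.exe is kept.
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.read_string(inf_text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    targets: List[Tuple[str, str]] = []
    for key, value in cp.items(section):     # option names are lower-cased
        if key in ("open", "shellexecute"):
            targets.append((key, value.strip()))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key.split("\\")[1]
            targets.append((f"shell verb '{verb}'", value.strip()))
    return targets


def programs_launched(targets: List[Tuple[str, str]]) -> List[str]:
    """First token of each command line: the file each entry opens or executes."""
    return [cmd.split()[0] for _, cmd in targets if cmd]


def no_drive_type_autorun(disable: Iterable[str] = tuple(DRIVE_TYPE_BITS)) -> int:
    """Build the NoDriveTypeAutoRun value; disabling every type gives 0xFF."""
    mask = 0
    for name in disable:
        mask |= DRIVE_TYPE_BITS[name]
    return mask


def reg_add_command(mask: int) -> str:
    """The reg.exe command line that writes the policy for the current user."""
    return (f"reg add {POLICY_KEY} /v NoDriveTypeAutoRun "
            f"/t REG_DWORD /d {mask} /f")


if __name__ == "__main__":
    targets = launch_targets(AUTORUN_INF)
    for trigger, cmd in targets:
        print(f"{trigger:24} -> {cmd}")
    print("files opened or executed:", programs_launched(targets))
    print(reg_add_command(no_drive_type_autorun()))
```

Reading the file this way only tells you what the disc asks Windows to run; it says nothing about whether setup.exe itself is trojaned, which is the freeware problem of the previous section and needs a hash or signature check of the program.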

8: Conclusion 

In this article we have discussed the concept of the Trojan-horse in detail. The objective was to educate the computer user about this threat, which may encourage him or her to take informed preventive measures. Our discussion covered the working of a Trojan-horse along with the various initiation modes associated with it. We concentrated on the Windows platform as it is the most prevalent one. We also discussed the contamination strategies used by trojans and the preventive measures a computer user should take to block them. I hope that this article will encourage the reader to be more aware and help curtail the spread of this category of malware.