Wednesday, July 3, 2013

The Malware Trilogy: Trojan Horses

Finally, we have arrived at the end of The Malware Trilogy.  Today, we're going to be talking about a type of malware that really stands out, and is by far the most commonly seen today.

The Trojan Horse

Trojan Horses, or "Trojans" for short, are perhaps some of the strangest bugs that lurk about cyberspace, and also some of the most frightening.  Unlike viruses and worms, Trojans NEITHER self-replicate NOR infect files.  They are literally rogue standalone programs, just like any other program on your computer, except they're written to do bad stuff.

So you can already tell that there's an obvious disadvantage to using Trojans: they don't spread all that much.  They can't make more of themselves, after all, and they don't copy their own code into other files.  So why use them?

Well, think about the major disadvantages of using viruses or worms: viruses need a human to run or pass along the infected file, and they leave modified files behind, so they are not very stealthy.  And while worms do spread more freely and more discreetly, any program that makes copy after copy of itself and runs around computer networks is going to be discovered eventually.  In addition, neither viruses nor worms are good for targeted, contained attacks.

Why would hackers want to carry out targeted, contained attacks anyway?  Are we talking digital espionage?

Well, not necessarily.  A hacker might also be interested in stealing passwords, copying credit card numbers, or attempting identity theft (all extremely serious stuff, but not quite as dramatic as digital espionage).  In this case, the hacker would be perfectly content with sending a "spy" program out to infect whoever was unlucky enough to chance upon it first.  The hacker doesn't know anything about the victim (yet), and doesn't really care who is infected.  The hacker just wants a single, random person to scam.

Having said that, Trojans can also be used for targeted attacks, such as sabotage aimed at a single organisation.  The Shamoon Trojan, which overwrote the disks of tens of thousands of machines at a single oil company in 2012, is an excellent example of that, though it's far more destructive than what you normally see in today's malware (by the way: notice how the changing motives of hackers are mentioned in the article).

Trojans are, basically, extremely stealthy "spy" programs.  Think about it: if you are infected by a Trojan, there is only one copy of it on your machine and no modified host files, so your antivirus has far fewer artifacts to trip over and nothing else on the disk looks different.  There aren't any infected files to tip you or your antivirus off.  Trojans are exactly what hackers want for clandestine operations.

However, this isn't their most frightening trait.  Rather, it is the very meaning behind their name that makes them a serious enemy.

How do "Trojans" Work?

A common definition for Trojans is: "They're programs that pretend to be harmless, but aren't."  Well, that's not entirely false, but it's over-simplified.  Yes, a Trojan can tell you it's a harmless program, and it may even behave like one.  For example, a Trojan claiming to be an antivirus program may very well detect and remove certain pieces of malware.  However, "it lies about what it is" isn't a good way to explain Trojans to people who aren't familiar with malware, because nowadays deception isn't exactly uncommon in the realm of cybercrime.  Most pieces of malware either download themselves silently onto your computer or have to lie to get you to download them yourself.

This definition also lacks a good explanation of the name.  The idea behind Trojans is far more complicated than simple deception, and it does indeed invoke images of the Greeks offering up the Trojan Horse.

Here's a hypothetical for you: let's say you got a lovely suspicious email from a friend, and it contained an attachment that claimed, "Oh no, don't worry about me.  I'm a PDF, really!"  If your "friend" was trying to infect you with a worm, that attachment would not be a PDF at all, but an executable worm wearing a PDF name and icon.  If your friend was trying to give you a virus, the "PDF" might be an executable virus, or it might be a real PDF whose contents have been tampered with by one.

However, if your friend felt like you deserved a nice, state-of-the-art Trojan Horse, that PDF would be...a PDF.  A real PDF that opens and displays exactly what it should.  Maybe even one you were expecting anyway.

This is where it gets creepy.  Listen to me very closely: Trojans are the most common pieces of malware in cyberspace.  It's good to know about all three main categories, but Trojans are the most important because a) regardless of whether you use a desktop, tablet or smartphone, Windows, Apple OS X, Linux, etc., you're probably going to be infected by something at some point in your computing life, and b) it's most likely going to be a Trojan.  It is crucial that you understand how Trojans work so that you can catch the inevitable infection early on, and hopefully prevent many more.

That hypothetical PDF you just got may render as a perfectly normal document.  But it's got a dirty secret: it has a Trojan hiding inside.

Yes.  You heard me: Trojans can "hide" inside legitimate files the way the Greeks hid inside the Trojan Horse in Greek legend (the story is told in the Odyssey and the Aeneid, not the Iliad, which ends before the horse is built).  The file carries a hidden payload that either abuses a flaw in the program you open it with or uses the format's own features for running scripts and launching embedded files, so simply opening the PDF is enough to install the Trojan.  You'll be given no warning, nothing.  It'll all be done silently.  Note what that means: the attack works because of a bug or a risky feature in your PDF reader, which is why an up-to-date reader is as much a part of your defence as your antivirus.
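As an added illustration (this is my own example, not code from the original post), here is a small Python triage script in the style of the well-known pdfid tool.  It does not parse the PDF properly; it just looks at the raw bytes for the name objects that let a document do something when opened (/OpenAction, /JavaScript, /Launch, /EmbeddedFile and friends), undoes the #xx hex escapes attackers use to hide those names, and checks that a file calling itself a PDF actually starts with a PDF header.  The two sample documents and the fake "PDF" are constructed inline for the example; the name list and verdict rules are my own assumptions, not an official standard.

```python
import re
from typing import Dict

# PDF name objects that mark "active content".  A plain text-and-images PDF
# normally contains none of them; their presence is not proof of malice, but
# it is the mechanism by which a document can act when it is opened.
SUSPICIOUS_NAMES = (
    "/OpenAction",    # run an action as soon as the document is opened
    "/AA",            # additional actions (page open, form events, ...)
    "/JavaScript",    # JavaScript action dictionary
    "/JS",            # the script itself
    "/Launch",        # launch an external application or file
    "/EmbeddedFile",  # a file (possibly an executable) stored inside the PDF
    "/RichMedia",     # Flash or other embedded media
    "/ObjStm",        # object streams, often used to bury the names above
)

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Undo the #xx hex escapes PDF allows inside name objects.

    Malicious PDFs often write /J#61vaScript instead of /JavaScript so that a
    naive substring search misses it.  The reader decodes the escape and
    behaves identically, so we decode it too before matching.
    """
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_bytes(data: bytes) -> Dict[str, int]:
    """Count each suspicious name object in the raw bytes of a PDF."""
    text = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at whitespace or a delimiter; the lookahead stops "/JS"
        # from also matching a longer name such as "/JSomething".
        pattern = re.compile(re.escape(name.encode()) + rb"(?![A-Za-z0-9_])")
        counts[name] = len(pattern.findall(text))
    return counts


def triage(data: bytes) -> str:
    """Return a coarse verdict: not-a-pdf, suspicious, review or clean."""
    if not data.startswith(b"%PDF-"):
        return "not-a-pdf"  # the extension says PDF, the header does not
    c = scan_pdf_bytes(data)
    auto = c["/OpenAction"] + c["/AA"]
    payload = (c["/JavaScript"] + c["/JS"] + c["/Launch"]
               + c["/EmbeddedFile"] + c["/RichMedia"])
    if auto and payload:
        return "suspicious"  # something runs on open, and there is code to run
    if auto or payload:
        return "review"      # active content, but no automatic trigger seen
    return "clean"


# Constructed sample inputs (hand-written, not real captured files).
BENIGN_PDF = b"\n".join([
    b"%PDF-1.4",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj",
    b"4 0 obj << /Length 44 >> stream",
    b"BT /F1 12 Tf 72 712 Td (Hello, reader) Tj ET",
    b"endstream endobj",
    b"trailer << /Root 1 0 R >>",
    b"%%EOF",
])

# Same skeleton, but the catalog runs object 5 on open, and object 5 is a
# JavaScript action whose name is hex-escaped to dodge naive scanners.
MALICIOUS_PDF = b"\n".join([
    b"%PDF-1.4",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj",
    b"5 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj",
    b"trailer << /Root 1 0 R >>",
    b"%%EOF",
])

# An executable renamed to something.pdf: it begins with the "MZ" header.
FAKE_PDF = b"MZ\x90\x00\x03\x00\x00\x00"

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF),
                        ("fake", FAKE_PDF)):
        print(label, triage(blob), scan_pdf_bytes(blob))
```

A "review" or "suspicious" verdict does not mean the file is malware, only that it can run code when opened and deserves a look in a sandbox or a proper parser rather than a double-click; a "clean" verdict from a byte-level check is not a guarantee either, since heavily obfuscated or encrypted documents can hide these names in compressed streams.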

And don't think this is limited to files, either.  Trojans can also "hide" inside perfectly legitimate websites: when a site is compromised, the attacker plants code that makes your browser fetch and run the Trojan, usually through a flaw in the browser or one of its plugins, with no click required (a "drive-by download").  Some websites are more shady (and more vulnerable) than others, but just today I was visiting the website of an old village and local tourist spot I wanted to go visit, and my antivirus blocked a Trojan trying to automatically download itself.

This is what makes Trojans scary: not only can they hide well on your computer, but they hide well everywhere, in other files, on the Internet, in perfectly safe places that you would never suspect could be vulnerable to infection.  There is only so much you can do about it.  The first line of defence against Trojans is to KEEP YOUR ANTIVIRUS UPDATED.  A good, updated antivirus program should be able to catch most Trojans before they even reach your computer.  But since the file or web page gets its Trojan onto your machine by abusing a flaw in the program that opens it, keeping your operating system, browser, plugins and document readers patched matters just as much, and using an everyday account that is not an administrator limits what a Trojan that does slip through can do.

(In case you were wondering: I use Avast! Free Antivirus.  Usually it's difficult to find really good free software, but I'm more than happy with the job Avast has done.  It might even be over-sensitive in blocking programs trying to download themselves from websites, but I'm okay with that, because it's certainly saved me some grief.)


The Basics of the Trojan:
  • Neither self-replicates nor infects files
  • "Hides" inside other files the way the Greeks in the legend hid inside the Trojan Horse
  • No, not the most technically-accurate name in the world (the horse was the disguise, the Greeks were the payload).  However, some might object if we began calling these incredibly dangerous malicious programs "Greeks", so they're Trojans.
  • The most stealthy of the three categories
  • Great for contained attacks, easy to control
  • Difficult to avoid infection
  • Opportunity for a hacker to "hide" a Trojan in a virus or worm (these are called blended threats)
  • Can't spread on its own
  • Once the user finds and deletes the Trojan (and whatever it set up to restart itself, such as a startup entry or scheduled task), the infection is gone; there are no additional copies to reinfect from.  Anything it already stole, though, is already in the hacker's hands.
As I said back in the first chapter of this trilogy, malware has about a gazillion classifications.  Still, these are the main three, and chances are I'll be discussing other prominent threats in the future.  Now that you have a better understanding of what you're up against, you'll be more vigilant online and more aware of what happens on your computer.  And while it's almost impossible to go your whole computing life without being infected at least once, hopefully you'll be able to stop these infections early on (or before they even begin!).  Stay safe!  : )
