A healthy equinophobia: Trojan horses explained

“Trojan” in computing is a misleading shortening from the self-descriptive “Trojan horse”, the ubiquitous and probably the most dangerous sort of malware.

The cybersecurity term “Trojan” is quite curious in its origin. It has little to do with the citizens of ancient Troy: actually it’s a shortening of “Trojan horse”. Now, that is quite descriptive. As we know since high school, the original Trojan horse was built by Greeks after they sieged Troy for ten fruitless years. The wooden horse “of mountainous size” was left before the gates of the city, and its defenders had a folly to roll it inside, considering this to be a gift. Actually, thirty armed men were hiding inside, and the following night Troy fell.

 

 

Now, Trojan horse commonly means something seemingly benevolent or at least innocent, while concealing very harmful stuff within.

The point here – the “legendary” one, in all senses, – is that victims brought the woe upon themselves, against their better judgement.

In computer security, Trojan horses (or, again, just Trojans) work exactly that way. This sort of malware – currently, perhaps, the most popular kind – doesn’t attempt to inject itself into other files (like virii do), doesn’t replicate itself indefinitely (like worms do), and in most cases get through by trickery, which is supposed to be ensuring end-users’ cooperation. The more advanced Trojans, however, may use drive-by download or even drive-by installation, which occurs without users’ knowledge, after all. 

But, again, in most cases Trojans are infiltrating our systems because we allow them to do just that.

The first (ever) Trojan “in the wild” had been created as early as in 1975, although it was a non-malicious program, but rather a game. In April 1975 John Walker, then-future creator of Autodesk (CAD software, not company) wrote a game ANIMAL for UNIVAC 1108 platform. According to Wikipedia, “ANIMAL asked a number of questions of the user in an attempt to guess the type of animal that the user was thinking of, while the related program PERVADE would create a copy of itself and ANIMAL in every directory to which the current user had access. It spread across the multi-user UNIVACs when users with overlapping permissions discovered the game, and to other computers when tapes were shared.”

The program itself did not cause any damage, but its “undercontrolled” propagation really made it look like a malware.

Another early example, this time really harmful, was Trojan “ARF-ARF”, which emerged in 1983. The malware claimed to be able to sort DOS Diskette Directory, which was a desirable feature: back then DOS didn’t list the files in alphabetical order in 1983. After the users installed the program (which was distributed via BBS sites), it just deleted all files on the diskette, cleared the screen and typed ARF – ARF (a reference to a notorious “Abort, Retry, Fail” message).

Trojans really grew into fashion in early 2000s. Broadband connections became more and more accessible, numbers of networked computers grow, the dominating Windows operating systems are vulnerable, and the users are often inexperienced yet. Even though the most fabulous global pandemics just took place – Melissa worm (1999), ILOVEYOU (2000), AnnaKournikova, Sircam, Code Red, Nimda, Klez (2001). Those are still well-remembered. But not many pepole, apparetly, remember RATs (Remote Administration Tools) such as Beast, emerging in 2002 and later.

Zlob Trojan, however, gained a lot of notoriety: first detected in late 2005, it masqueraded itself as a required video codec in the form of the Microsoft Windows ActiveX component. Apparently, it had Russian origin; an English counterpart for the Russian word “zlob” (or, “zhlob”), depending on context, would be “a douchebag” or even “an a–hole”: a mean person doing mean things just out of malice. That’s exactly what Zlob Trojan did initially. Getting installed, it displayed pop-ups similar to real Microsoft Windows warning, declaring that the PC is infected with spyware, and – with user’s consent – installed a fake anti-spyware program (Virus Heat, MS Antivirus/Antirvirus 2009) with another Trojan horse inside. It was also downloading occasionally atnvrsinstall.exe malware, which used Windows Security shield icon to look legitimate. Installing this could wreak havoc within the network, as another malware that Zlob brings along would shut down random PCs with various comments. ‘Cause that’s such fun, why?

Otherwise, Zlob is a spamming Trojan.

 

800

Worse even, Zlob’s “family” (or, should I say, “descendants”) grew into a global problem with DNSChanger malware, which infected routers and changed their DNS settings to re-route all traffic via malicious hosts. This resulted in a lot of problems for the end users such as unremovable “adult content” pop-ups and banners. Eventually FBI seized the DNSChanger’s host servers, and then had to keep them running for months while broadcasting the messages how to clean up this “beast” off your PC.

Into a global problem also grew ZeuS: first detected in 2007, this Trojan steals personal information – first it was a focused banking malware. The source code for ZeuS “leaked” in 2011. Currently it has multiple derivatives those are used to “lift” credentials for online social networks, e-mail accounts and financial services.

The “main” ZeuS botnet used to be one of the largest over the web. Currently experts have to deal with an entire “galaxy” of botnets based on various ZeuS derivatives, such as Gameover ZeuS which uses an encrypted peer-to-peer communication system to communicate between its nodes and its command and control servers which make it especially difficult to root out.

This botnet is largely used for banking fraud and distribution of the CryptoLocker ransomware – which is also a Trojan, by the way.

As we can see, Trojans don’t just come alone, they often bring “friends”. In numbers, even. Some are easy to “pick up” (especially those using drive-by downloads), and not exactly easy to bust. So aside from keeping your security software updated, it is very advisable to stay vigilant and don’t let anything get installed, unless you are positive it is what you really need right now.

For businesses it is also a requirement to set up an additional protection for financial transactions, such as Kaspersky Lab’s Safe Money. Safe Money ensures that your money go exactly where you want them, and the malicious interference attempts (via Trojans, Backdoors etc) are futile. Safe Money, among other things, prevent keyloggers from working (which is a weapon of choice for banking Trojans), beat off phishing attempts and secures the connection with the financial services from interception attempts. So it is a necessary (or at least, a highly recommended) protective measure capable of preventing some dire problems.

Tips