Trojans, Trojans, Trojans!

April 28, 2006

In the last few years, we’ve seen an increase in the number of Trojans: they have now become the favourite weapon of malware authors. Unlike viruses, Trojans don’t have their own on-board replication capability. For this reason, they’re often perceived as being less dangerous than viruses or worms. Yet their effects can be dangerous and very far-reaching, and Trojans are increasing not only in number but in sophistication too. Consequently, they are being put to a growing number of malicious uses.

Let’s take a closer look at Trojans. What exactly are they, how do they work and what effects can they have? The term Trojan is taken from the wooden horse used by the Greeks to sneak inside Troy and capture it. The first Trojans, which appeared in the late 1980s, masqueraded as innocent programs; once the unsuspecting user ran the program, it would deliver its harmful payload.

Hence the copy-book definition: a non-replicating program that appears to be legitimate but is designed to carry out some harmful action on the victim computer. Trojans remained relatively uncommon, compared to viruses, because they didn’t contain the self-replication code that would let them spread automatically.

However, increasing connectivity and the development of the World Wide Web in the mid-1990s brought about significant change. By tapping into the far reach of the Internet, a Trojan author could distribute code automatically, or simply wait for masses of unsuspecting users to download it themselves from a web site or forum. This period saw the emergence of password-stealing Trojans; the first, aimed at AOL, appeared in 1996 and within a few years there were hundreds of them. Unlike earlier Trojans, there was no damage to data. Instead, as the name suggests, they were designed to steal confidential login information and send it to the author, or ‘master’, of the Trojan, giving them access to the victim’s account.

Things have moved on considerably since the days when most ‘copy-book’ definitions of Trojans were written. Far from appearing to be something benign, most Trojans don’t ‘appear’ at all. In other words, they install silently and the victim has no idea that the Trojan is there. One of the biggest factors driving this change has been the ‘commercialisation’ of malicious code – the computer underground has realised the potential for making money from its creations in a ‘wired’ world, with Trojan usage central to its strategy.

Often, victim machines are combined into networks, using IRC channels or web sites where the author has placed additional functionality. The more complex Trojans combine infected machines into a single P2P network. These so-called ‘bot’ networks offer an effective way of controlling victim machines. They can be used to harvest confidential information (passwords, PINs, etc.) for computer fraud, including ‘phishing’ scams. Or they can be ‘conscripted’ into a ‘zombie army’ to launch a DDoS attack on a victim organisation. This could be to extort money: for example, a ‘demonstration’ DDoS attack offers the victim a ‘taster’ of what will happen if they don’t pay up. Alternatively, victim machines can become proxies for the distribution of spam e-mail.

Since mid-2004, there has been a shift in tactics from writers of malicious code. The relative decline in the number of global epidemics seems to signal a move away from the use of mass attacks on victims worldwide. Instead, attacks are becoming more targeted.

It’s worth recalling the point made above that many of today’s attacks are designed to steal confidential data to make money illegally. From this, it follows that harvested data has to be processed and used. Where millions of victim machines are involved, not only does this make detection more likely; it’s also a huge logistical operation. For this reason too, it makes more sense for malware authors to focus their attacks. This may mean targeting machines one thousand at a time in small-scale, low-key ‘hit and run’ operations. Or it may mean tailoring a piece of code to attack a single victim or a small number of victims. One high-profile example of this was flagged by Operation Horse Race in May 2005, when several senior Israeli executives were arrested for allegedly planting a Trojan in the computers of competitors.
