Trojans

What Is a Trojan Virus

Trojans are deceptive programs that appear to perform one function, but in fact perform another, malicious function. They might be disguised as free software, videos or music, or seemingly legitimate advertisements.

The term “trojan virus” is not technically accurate; according to most definitions, trojans are not viruses. A virus is a program that spreads by attaching itself to other software, while a trojan spreads by pretending to be useful software or content. Many experts consider spyware programs, which track user activity and send logs or data back to the attacker, as a type of trojan. 

Trojans can act as standalone tools for attackers, or can be a platform for other malicious activity. For example, trojan downloaders are used by attackers to deliver future payloads to a victim’s device. Trojan rootkits can be used to establish a persistent presence on a user’s device or a corporate network.

Trojan Infection Methods

Here are common ways trojans can infect computers in your corporate network:

• A user is targeted by phishing or other types of social engineering, opens an infected email attachment or clicks a link to a malicious website
• A user visits a malicious website and experiences a drive-by download pretending to be useful software, or is prompted to download a codec to play a video or audio stream
• A user visits a legitimate website infected with malicious code (for example, malvertising or cross-site scripting)
• A user downloads a program whose publisher is unknown or unauthorized by organizational security policies
• Attackers install a trojan by exploiting a software vulnerability, or through unauthorized access 

“Daserf” Trojan created by the cyber-espionage group REDBALDKNIGHT is often installed through the use of decoy documents attached in emails.

Types of Trojans

The first trojan was seen in the wild was ANIMAL, released in 1975. Since then, many millions of trojan variants have emerged, which may be classified into many types. Here are some of the most common types.

Downloader Trojan

A downloader trojan downloads and deploy other malicious code, such as rootkits, ransomware or keyloggers. Many types of ransomware distribute themselves via a “dropper”, a downloader trojan that installs on a user’s computer and deploys other malware components. 

A dropper is often the first stage in a multi-phase trojan attack, followed by the installation of another type of trojan that provides attackers with a persistent foothold in an internal system. For example, a dropper can be used to inject a backdoor trojan into a sensitive server.

Backdoor Trojan

A backdoor trojan opens up a secret communication tunnel, allowing the local malware deployment to communicate with an attacker’s Command & Control center. It may allow hackers to control the device, monitor or steal data, and deploy other software.

Spyware

Spyware is software that observes user activities, collecting sensitive data like account credentials or banking details. They send this data back to the attacker. Spyware is typically disguised as useful software, so it is generally considered as a type of trojan.

Rootkit Trojans

Rootkit trojans acquire root-level or administrative access to a machine, and boots together with the operating system, or even before the operating system. This makes them very difficult to detect and remove.

DDoS Attack Trojan (Botnet)

A DDoS trojan turns the victim’s device into a zombie participating in a larger botnet. The attacker’s objective is to harvest as many machines as possible and use them for malicious purposes without the knowledge of the device owners—typically to flood servers with fake traffic as part of a Distributed Denial of Service (DoS) attack.

Trojan Horse Malware Examples

Following are some of the fastest-spreading and most dangerous trojan families.

Zeus

Zeus/Zbot is a malware package operating in a client/server model, with deployed instances calling back home to the Zeus Command & Control (C&C) center. It is estimated to have infected over 3.6 million computers in the USA, including machines owned by NASA, Bank of America and the US Department of Transportation. 

Zeus infects Windows computers, and sends confidential data from the victim’s computer to the Zeus server. It is particularly effective at stealing credentials, banking details and other financial information and transmit them to the attackers. 

The weak point of the Zeus system is the single C&C server, which was a primary target for law enforcement agencies. Later versions of Zeus added a domain generation algorithm (GDA), which lets Zbots connect to a list of alternative domain names if the Zeus server is not available.

Zeus has many variants, including:

• Zeus Gameover—a peer-to-peer version of the Zeus botnet without a centralized C&C.
• SpyEye—designed to steal money from online bank accounts.
• Ice IX—financial malware that can control content in a browser during a financial transaction, and extract credentials and private data from forms.
• Citadel—an open-source variant of Zeus that has been worked on and improved by a community of cybercriminals, and was succeeded by Atmos.
• Carberp—one of the most widely spread financial malware in Russia. Can exploit operating system vulnerabilities to gain root access to target systems. 
• Shylock—uses a domain generation algorithm (DGA), used to receive commands from a large number of malicious servers. 

ILOVEYOU

ILOVEYOU (commonly referred to as the “ILOVEYOU virus”) was a trojan released in 2000, which was used in the world’s most damaging cyberattack, which caused $8.7 billion in global losses. 

The trojan was distributed as a phishing email, with the text “Kindly check the attached love letter coming from me”, with an attachment named “ILOVEYOU” that appeared to be a text file. Recipients who were curious enough to open the attachment became infected, the trojan would overwrite files on the machine and then send itself to their entire contact list. This simple but effective propagation method caused the virus to spread to millions of computers.

Cryptolocker

Cryptolocker is a common form of ransomware. It distributes itself using infected email attachments; a common message contains an infected password-protected ZIP file, with the password contained in the message. When the user opens the ZIP using the password and clicks the attached PDF, the trojan is activated. It searches for files to encrypt on local drives and mapped network drives, and encrypts the files using asymmetric encryption with 1024 or 2048-bit keys. The attackers then demand a ransom to release the files. 

Stuxnet

Stuxnet was a specialized Windows Trojan designed to attack Industrial Control Systems (ICS). It was allegedly used to attack Iran’s nuclear facilities. The virus caused operator monitors to show business as usual, while it changed the speed of Iranian centrifuges, causing them to spin too long and too quickly, and destroying the equipment.

How to Detect Trojans in Your Organization

Trojans are a major threat to organizational systems and a tool commonly used as part of Advanced Persistent Threats (APT). Security teams can use the following technologies and methods to detect and prevent trojans:

Endpoint protection platforms

Modern endpoint protection systems include device traditional antivirus, next-generation antivirus (NGAV) that can prevent zero-day and unknown trojans, and behavioral analytics that identifies anomalous activity on user devices. This combination of protective measures is effective against most trojans.

Web application firewall (WAF)

A WAF is deployed at the network edge, and is able to prevent trojan infections, by preventing downloads of trojan payloads from suspicious sources. In addition, it can detect and block any unusual or suspicious network communication. WAFs can block trojans when they “phone home” to their C&C center, rendering them ineffective, and can help identify the affected systems.

Threat hunting

Threat hunting is the practice of actively searching for threats on corporate networks by skilled security analysts. Analysts use Security Information and Event Management (SIEM) systems to collect data from hundreds of IT systems and security tools, and use advanced searches and data analytics techniques to uncover traces of trojans and other threats present in the local environment.

Triaging user complaints

Often, a simple user complaint about a slow machine or strange user interface behavior could signal a trojan. Triaging IT support requests with behavioral analytics and data from other security tools can help identify hidden trojans.

The following are common symptoms of trojans which may be reported by users:

• Popups appear, launched by the user’s browser or operating system
• Disk space disappears, unexplained persistent disk errors
• Poor system performance, machine suddenly slows down with no apparent cause
• Mouse or keyboard operate on their own
• Computer shuts down or restarts with no user action
• Change to desktop image or configuration
• Change to browser homepage or start page
• Searches redirect to an unknown domain
• System firewall or antivirus turned off without user intervention
• Unusual network activity when the user is not active
• New programs, favorites or bookmarks not added by the user

Imperva Data Protection Solutions

Imperva helps detect and prevent trojans via user rights management—it monitors data access and activities of privileged users to identify excessive, inappropriate, and unused privileges. It also offers the industry’s leading web application firewall (WAF), which can detect and block trojans when they attempt to contact their Command & Control center.

In addition to ransomware detection and prevention, Imperva’s data security solution protects your data wherever it lives—on premises, in the cloud and hybrid environments. It also provides security and IT teams with full visibility into how the data is being accessed, used, and moved around the organization.

Our comprehensive approach relies on multiple layers of protection, including:

• Database firewall—blocks SQL injection and other threats, while evaluating for known vulnerabilities.
• Data masking and encryption—obfuscates sensitive data so it would be useless to the bad actor, even if somehow extracted.
• Data loss prevention (DLP)—inspects data in motion, at rest on servers, in cloud storage, or on endpoint devices.
• User behavior analytics—establishes baselines of data access behavior, uses machine learning to detect and alert on abnormal and potentially risky activity.
• Data discovery and classification—reveals the location, volume, and context of data on premises and in the cloud.
• Database activity monitoring—monitors relational databases, data warehouses, big data and mainframes to generate real-time alerts on policy violations.
• Alert prioritization—Imperva uses AI and machine learning technology to look across the stream of security events and prioritize the ones that matter most.