In computing, a Trojan horse is a program that appears harmless, but is, in fact, malicious. Unexpected changes to computer settings and unusual activity, even when the computer should be idle, are strong indications that a Trojan is residing on a computer.
A Trojan horse may also be referred to as a Trojan horse virus, but that is technically incorrect. Unlike a computer virus, a Trojan horse is not able to replicate itself, nor can it propagate without an end user's assistance. This is why attackers must use social engineering tactics to trick the end user into executing the Trojan. Typically, the malware programming is hidden in an innocent-looking email attachment or free download. When the user clicks on the email attachment or downloads the free program, the malware that is hidden inside is transferred to the user's computing device. Once inside, the malicious code can execute whatever task the attacker designed it to carry out.
Because the user is often unaware that a Trojan horse has been installed, the computing device's security depends upon antimalware software that can recognize malicious code, isolate it and remove it. To avoid being infected by Trojan malware, users should keep their antivirus software up to date and never click on links from untrusted sources or download files from unknown senders.
The term Trojan horse stems from Greek mythology. According to legend, the Greeks built a large wooden horse that the people of Troy pulled into the city. During the night, soldiers who had been hiding inside the horse emerged, opened the city's gates to let their fellow soldiers in and overran the city.
In computing, the term first appeared in a 1974 U.S. Air Force report on vulnerabilities in computer systems. It was later popularized by Ken Thompson when he received the Turing Award in 1983 -- an award given by the Association for Computing Machinery to an individual of technical importance in the computer field.
Uses of a Trojan horse
When a Trojan horse becomes active, it puts sensitive user data at risk and can negatively impact performance. Once a Trojan has been transferred, it can:
- Give the attacker backdoor control over the computing device.
- Record keyboard strokes to steal the user's account data and browsing history.
- Download and install a virus or worm to exploit a vulnerability in another program.
- Install ransomware to encrypt the user's data and extort money for the decryption key.
- Activate the computing device's camera and recording capabilities.
- Turn the computer into a zombie bot that can be used to carry out click fraud schemes or illegal actions.
- Legally capture information relevant to a criminal investigation for law enforcement.
How a Trojan horse works
Here is one example of how a Trojan horse might be used to infect a personal computer:
The victim receives an official-looking email with an attachment. The attachment contains malicious code that is executed as soon as the victim opens the attachment. Because nothing visibly bad happens and the computer continues to work as expected, the victim does not suspect that the attachment is actually a Trojan horse and that their computing device is now infected.
The malicious code resides undetected until a specific date or until the victim carries out a specific action, such as visiting a banking website. At that time, the trigger activates the malicious code and carries out its intended action. Depending upon how the Trojan has been created, it may delete itself after it has carried out its intended function, it may return to a dormant state or it may continue to be active.
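The delivery path just described, a document-looking attachment that is really an executable, is what mail gateways and endpoint tools screen for before the user ever clicks. The Python script below is an added example and not code from the original article: it triages attachment names and leading bytes for three common mismatches (an executable extension, a document extension hiding an executable extension, and executable content inside a file named as a document). The sample attachments, the small file-type table and all function names are constructed for this illustration.

```python
"""Attachment triage: flag e-mail attachments that look like documents
but carry executable content.

Added example, not from the original article. The sample attachments
below are constructed in memory; nothing is read from disk or e-mail.
"""
import os

# Extensions the OS executes when double-clicked on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".msi"}
# Extensions users expect to open as inert documents or images.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Leading bytes (magic numbers) of a few common formats.
MAGIC = {
    b"MZ": "pe-executable",            # Windows PE / DOS executable
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip-container",     # .docx / .xlsx are ZIP containers
    b"\xd0\xcf\x11\xe0": "ole-compound",  # legacy .doc / .xls
}


def sniff(content: bytes) -> str:
    """Identify the real file type from its first bytes, ignoring the name."""
    for prefix, kind in MAGIC.items():
        if content.startswith(prefix):
            return kind
    return "unknown"


def all_extensions(filename: str) -> list[str]:
    """Return every extension in the name, left to right:
    'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    name = filename.lower()
    exts = []
    while True:
        name, ext = os.path.splitext(name)
        if not ext:
            break
        exts.insert(0, ext)
    return exts


def triage(filename: str, content: bytes) -> list[str]:
    """Return the reasons an attachment is suspicious (empty list = nothing found)."""
    reasons = []
    exts = all_extensions(filename)
    last = exts[-1] if exts else ""
    kind = sniff(content)

    # 1. Outright executable, whatever the rest of the name suggests.
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
    # 2. Double extension: 'statement.pdf.exe' displays as 'statement.pdf'
    #    when the OS hides known extensions.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        reasons.append("document extension hides executable extension")
    # 3. Content disagrees with the claimed type: a PE header in a '.pdf' or '.jpg'.
    if last in DOCUMENT_EXTS and kind == "pe-executable":
        reasons.append("PE header inside file named as a document")
    return reasons


# Constructed sample attachments (name -> leading bytes).
SAMPLE_ATTACHMENTS = {
    "invoice_2024.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "invoice_2024.pdf.exe": b"MZ\x90\x00\x03" + b"\x00" * 16,
    "report.docx": b"PK\x03\x04" + b"\x00" * 16,
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 16,   # renamed executable
}


def triage_all(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Run triage over a batch of attachments."""
    return {name: triage(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_ATTACHMENTS).items():
        verdict = "SUSPICIOUS: " + "; ".join(reasons) if reasons else "ok"
        print(f"{name}: {verdict}")
```

The check on leading bytes is the one that matters most: a renamed executable keeps its `MZ` header no matter what the filename claims, which is why the type is taken from the content and only then compared with the extension.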
Examples of Trojan horse malware
Over the years, Trojan horses have been discovered by antimalware vendors, security researchers and private individuals. Some of the most famous discoveries include:
- Bifrost -- a remote access Trojan (RAT) that infected Windows clients by creating, changing and altering components.
- Tiny Banker -- allowed attackers to steal sensitive financial information. Researchers in the Center for Strategic and International Studies Security Group identified 'Tinba' in 2012 after two dozen major U.S. banks were infected.
- FakeAV Trojan -- embedded itself in the Windows system tray and continuously delivered an official-looking pop-up window, alerting the user to a problem with the computer. When users followed directions to fix the problem, they actually downloaded more malware.
- Magic Lantern -- a keystroke logging Trojan created by the FBI around the turn of the century to assist with criminal surveillance.
- Zeus -- a financial services crimeware toolkit that allows an attacker to build their own Trojan horse. First detected in 2007, the Trojans built with Zeus still remain the most dangerous banking Trojans in the world, using form grabbing, keylogging and polymorphic variants of the Trojan that use drive-by downloads to capture victim credentials.