Named after the wooden horse from Greek mythology, a Trojan horse is a
|“||program that conceals malicious computer code. Typically, a Trojan horse masquerades as a useful program that users would want or need to execute. It performs, or appears to perform, as expected, but also does surreptitious harm.||”|
|“||program that performs a desired task, but also includes unexpected (and undesirable) functions. In this respect, a Trojan horse is similar to a virus, except a Trojan horse does not replicate. An example of a Trojan horse would be an editing program for a multi-user system which has been modified to randomly delete one of the user's files each time that program is used. The program would perform its normal, expected function (editing), but the deletions are unexpected and undesired. A host program that has been infected by a virus is often described as a Trojan horse.||”|
How it works
A Trojan horse program typically falls into one of the following categories:
- Legitimate application designers will often insert unauthorized instructions within their products, as either a backdoor mechanism, or as a way of collecting personal information about the users of their product. These instructions perform these operations without the knowledge or permission of the user.
- A legitimate-appearing program that has been obtained from a questionable source is altered by the placement of unauthorized instructions within it. These instructions perform secondary functions unknown to the user.
- Any other program that appears to perform one operation or function but that, because of the unknown instructions within it (by design), performs functions unknown to the user.
A Trojan horse may enter a user's computer by presenting itself as an attractive tool of some sort, which the user intentionally downloads and installs, unaware of its ulterior purpose. Trojan horses typically build in the functionality of keylogging software and other spyware and a range of other functions to disable system security.
A Trojan horse, once delivered to its host and executed, might be activated at any time, either by remote control, by a timer mechanism, or through detecting certain events on the host (or a combination of all three).
Some Trojan horses are intended to replace existing files, such as system and application executables, with malicious versions; others add another application to systems instead of overwriting existing files. Trojan horses tend to conform to one of the following three models:
- Continuing to perform the function of the original program and also performing separate, unrelated malicious activity (e.g., a videogame that also collects application passwords);
- Continuing to perform the function of the original program but modifying the function to perform malicious activity (e.g., a Trojan horse version of a login program that collects passwords) or to disguise other malicious activity (e.g., a Trojan horse version of a process-listing program that does not display other malicious processes); and
- Performing a malicious function that completely replaces the function of the original program (e.g., a file that claims to be a videogame but actually just deletes all system files when it is run).
Trojan horses can be difficult to detect. Because many are specifically designed to conceal their presence on systems and perform the original program's function properly, users and system administrators may not notice them. Many newer Trojan horses also make use of some of the same obfuscation techniques that viruses use to avoid detection.
The use of Trojan horses to distribute spyware programs has become increasingly common. Spyware is often bundled with software, such as certain peer-to-peer file-sharing client programs; when the user installs the supposedly benign software, it then covertly installs spyware programs. Trojan horses also often deliver other types of attacker tools onto systems, which can provide unauthorized access to or usage of infected systems. These tools may be bundled with the Trojan horse or downloaded by the Trojan horse after it is placed onto a system and run.
Trojan horses can cause serious technical issues on systems. For example, a Trojan horse that replaces legitimate system executables may cause certain functionality to be performed incorrectly or lost altogether. Spyware-related Trojan horses have been particularly disruptive to many systems because they are often intentionally invasive, making many modifications to systems and deploying themselves so that their removal causes serious disruption to the system, in some cases to the point where the system can no longer function.
Trojan horses and the tools they install can also be resource-intensive, causing noticeable performance degradation on infected systems. Some well-known Trojan horses are SubSeven, Back Orifice, and Optix Pro.
- Information Superhighway: An Overview of Technology Challenges, at 20 n.7.
- NIST Special Publication 800-5, at §1.3.