The IT Law Wiki
Definitions

Named after the wooden horse from Greek mythology, a Trojan horse is a

  • program that conceals malicious computer code. Typically, a Trojan horse masquerades as a useful program that users would want or need to execute. It performs, or appears to perform, as expected, but also does surreptitious harm.[1]
  • computer program that conceals harmful code. A Trojan horse usually masquerades as a useful program that a user would wish to execute.[2]

How it works

A Trojan horse may enter a user's computer by presenting itself as an attractive tool of some sort, which the user intentionally downloads and installs, unaware of its ulterior purpose. Trojan horses typically build in keylogging and other spyware functionality, along with a range of other functions for disabling system security.

A Trojan horse, once delivered to its host and executed, might be activated at any time, either by remote control, by a timer mechanism, or through detecting certain events on the host (or a combination of all three).

Some Trojan horses are intended to replace existing files, such as system and application executables, with malicious versions; others add another application to systems instead of overwriting existing files. Trojan horses tend to conform to one of the following three models:

  • Continuing to perform the function of the original program but modifying the function to perform malicious activity (e.g., a Trojan horse version of a login program that collects passwords) or to disguise other malicious activity (e.g., a Trojan horse version of a process-listing program that does not display other malicious processes); and

Trojan horses can be difficult to detect. Because many are specifically designed to conceal their presence on systems and perform the original program's function properly, users and system administrators may not notice them. Many newer Trojan horses also make use of some of the same obfuscation techniques that viruses use to avoid detection.
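One defensive check that targets both models above (a legitimate executable overwritten in place, or an extra file dropped beside it) is a file-integrity baseline: record a cryptographic digest of every file from a known-good system, then compare the live tree against it. The following is an added example, not part of the wiki page; the directory layout and file contents are constructed stand-ins for a system's `bin` tree.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record the digest of every file under root, keyed by relative POSIX path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report files whose content changed (overwrite model), appeared (add model) or vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k, v in baseline.items() if k in current and current[k] != v),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a small bin tree, a baseline, then both change models."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"legitimate login binary (constructed)")
        (root / "bin" / "ps").write_bytes(b"legitimate process lister (constructed)")
        baseline = build_baseline(root)  # would normally come from a known-good system
        # Constructed changes standing in for the two models described on the page:
        (root / "bin" / "ps").write_bytes(b"replaced process lister (constructed)")
        (root / "bin" / "updater").write_bytes(b"newly dropped file (constructed)")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())  # {'modified': ['bin/ps'], 'added': ['bin/updater'], 'removed': []}
```

In practice the baseline must be stored somewhere the host cannot silently alter (read-only media or a separate system), since a Trojan horse that can overwrite executables can also overwrite a baseline kept on the same disk.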

The use of Trojan horses to distribute spyware programs has become increasingly common. Spyware is often bundled with software, such as certain peer-to-peer file-sharing client programs; when the user installs the supposedly benign software, it then covertly installs spyware programs. Trojan horses also often deliver other types of attacker tools onto systems, which can provide unauthorized access to or usage of infected systems. These tools may be bundled with the Trojan horse or downloaded by the Trojan horse after it is placed onto a system and run.

Trojan horses can cause serious technical issues on systems. For example, a Trojan horse that replaces legitimate system executables may cause certain functionality to be performed incorrectly or lost altogether. Spyware-related Trojan horses have been particularly disruptive to many systems because they are often intentionally invasive, making many modifications to systems and deploying themselves so that their removal causes serious disruption to the system, in some cases to the point where the system can no longer function.

Trojan horses and the tools they install can also be resource-intensive, causing noticeable performance degradation on infected systems. Some well-known Trojan horses are SubSeven, Back Orifice, and Optix Pro.

References

  1. Information Superhighway: An Overview of Technology Changes, at 20 n.7.
  2. Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems, at 5 n.3.
