Trojan Horses – not exactly viruses!

By: Venet Osmani

The term “Trojan Horse” dates from ancient mythology. The Greek army used it to defeat Troy. Unable to penetrate the strong defence, they built a large wooden horse and presented it as a gift to the Trojans, with Greek soldiers hidden inside it. Once inside the enemy fortress, the soldiers waited until nightfall and then opened the castle gates, allowing the whole Greek army to enter the castle and defeat the Trojan soldiers.

In terms of computer security the term means much the same thing: a small program that enters your computer, sits quietly and opens a backdoor, enabling a remote attacker to gain access to your system.

It’s important to make a distinction between viruses and Trojan horses. Even though they are not the same thing, most people use these terms interchangeably. The main distinction between the two is the way they operate.

Viruses “infect” files, i.e. they attach themselves to a file, usually an executable, and change its internal structure so that when the file is executed the virus is executed too and does whatever its author designed it to do, usually displaying some message, deleting system files or infecting other files. This ability to infect and replicate is what makes viruses distinct.

On the contrary, Trojan horses do not infect files, and they do not replicate either. Trojan horses are standalone executable files which, when activated, modify system settings (typically the Windows registry) so that they are executed each time the computer starts.

The difference between the two is not strict. Nowadays there are more and more Trojan horses that have virus properties, as well as allowing hackers to control your computer remotely. Most Trojan horses use sockets to enable remote control of the computer. An analogy for a socket would be your phone line: when connected to the phone, it lets you dial another remote phone. Sockets are the same idea: they are communication endpoints enabling data exchange over the Internet, or between two computers.

Typically Trojan horses are comprised of two parts, the server and the client. The server is the part the attacker sends to the victim’s computer. It quietly sits in the background, waiting for you to go online and for the attacker to connect to it. Once a connection is established, the attacker has full control over the computer, as if he were sitting in front of it.
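The two behaviours described above, an autorun entry in the registry and a socket left open for the attacker's connection, give a defender two concrete places to look. The following PowerShell script is an added example, not from the article: it lists the Run/RunOnce entries, flags executables that live outside the directories assumed trusted here (Program Files and the Windows directory, an assumption of this example), and lists listening TCP ports with the owning process; it assumes a modern Windows with the NetTCPIP module.

```powershell
# Added example, not from the article. Review the output by hand: a legitimate
# program can appear in either list, and anything unfamiliar deserves a closer look.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumption: programs installed under these roots are considered expected.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ }

function Get-AutorunReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if (-not $cmd) { continue }
            # Recover the executable path: a quoted path, or the first token of the command.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $trusted = $trustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
            $flag = 'REVIEW'
            if ($trusted) { $flag = 'ok' }
            elseif (-not (Test-Path -LiteralPath $exe)) { $flag = 'MISSING' }
            [pscustomobject]@{ Key = $key; Name = $name; Executable = $exe; Flag = $flag }
        }
    }
}

function Get-ListenerReport {
    # A Trojan server waits for the attacker's connection on an open socket, so
    # this shows every process currently accepting inbound TCP connections.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            Process = $proc.ProcessName
            Path    = $proc.Path
        }
    } | Sort-Object Port
}

Get-AutorunReport  | Format-Table -AutoSize
Get-ListenerReport | Format-Table -AutoSize
```

Run it from an elevated PowerShell so that the executable paths of processes owned by other users are readable.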

Trojan horses usually spread through suspicious files downloaded from the Internet. They can be hidden in an e-mail attachment, masquerade as .ZIP files, or simply be downloaded directly from the Internet.

One of the most famous Trojan horses is called Back Orifice. It’s known for its rich set of features, including opening the CD-ROM drive, stealing your passwords, deleting files from your hard disk, sending a shot of your screen to the attacker, shutting down your computer, etc. There are many others as well, like NetBus, SubSeven and RAT, just to name a few. New ones are released daily, making it a challenging job for anti-virus companies to keep their software updated so that it detects the newest Trojans.

It cannot be overemphasised how important it is to update your anti-virus program on a regular basis. This helps keep your computer free of Trojan horses. Using a firewall can protect your computer as well, although some networking knowledge may be required to configure it.

Trojan horses can be very destructive indeed. Once one is activated, your computer is at the mercy of the attacker, so be careful when opening that attachment or downloading that file from the Internet. It might be too late by the time you realise that your computer has been wiped out!