Trojan Horse

Trojan horse

In computing, a Trojan horse is any malware that misleads users of its true intent. The term
is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of
the city of Troy.[1][2][3][4][5]
Trojans generally spread by some form of social engineering; for example, where a user is
duped into executing an email attachment disguised to appear innocuous (e.g., a routine form
to be filled in), or by clicking on some fake advertisement on social media or anywhere else.
Although their payload can be anything, many modern forms act as a backdoor, contacting a
controller who can then have unauthorized access to the affected computer.[6] Ransomware
attacks are often carried out using a trojan.
Unlike computer viruses, worms, and rogue security software, trojans generally do not
attempt to inject themselves into other files or otherwise propagate themselves.

What Is a Trojan Virus

Trojans are deceptive programs that appear to perform one function, but in fact perform
another, malicious function. They might be disguised as free software, videos or music, or
seemingly legitimate advertisements.

The term “trojan virus” is not technically accurate; according to most definitions, trojans are
not viruses. A virus is a program that spreads by attaching itself to other software, while a
trojan spreads by pretending to be useful software or content. Many experts consider spyware
programs, which track user activity and send logs or data back to the attacker, as a type of
trojan.

Trojans can act as standalone tools for attackers, or can be a platform for other malicious
activity. For example, trojan downloaders are used by attackers to deliver future payloads to a
victim’s device. Trojan rootkits can be used to establish a persistent presence on a user’s
device or a corporate network.

Trojan Infection Methods

Here are common ways trojans can infect computers in your corporate network:

• A user is targeted by phishing or other types of social engineering, opens an infected email
attachment or clicks a link to a malicious website
• A user visits a malicious website and experiences a drive-by download pretending to be useful
software, or is prompted to download a codec to play a video or audio stream
• A user visits a legitimate website infected with malicious code (for example, malvertising or
cross-site scripting)
• A user downloads a program whose publisher is unknown or unauthorized by organizational
security policies
• Attackers install a trojan by exploiting a software vulnerability, or through unauthorized access

The “Daserf” trojan, created by the cyber-espionage group REDBALDKNIGHT, is often installed
through decoy documents attached to emails.

Types of Trojans

The first trojan seen in the wild was ANIMAL, released in 1975. Since then, many
millions of trojan variants have emerged, which may be classified into many types. Here are
some of the most common types.

Downloader Trojan

A downloader trojan downloads and deploys other malicious code, such as rootkits, ransomware
or keyloggers. Many types of ransomware distribute themselves via a “dropper”, a downloader
trojan that installs on a user’s computer and deploys other malware components.

A dropper is often the first stage in a multi-phase trojan attack, followed by the installation of
another type of trojan that provides attackers with a persistent foothold in an internal system.
For example, a dropper can be used to inject a backdoor trojan into a sensitive server.

Backdoor Trojan

A backdoor trojan opens up a secret communication tunnel, allowing the local malware
deployment to communicate with an attacker’s Command & Control center. It may allow
hackers to control the device, monitor or steal data, and deploy other software.

Spyware

Spyware is software that observes user activities, collecting sensitive data like account
credentials or banking details, and sends this data back to the attacker. Spyware is typically
disguised as useful software, so it is generally considered a type of trojan.

Rootkit Trojans

Rootkit trojans acquire root-level or administrative access to a machine and boot together
with the operating system, or even before it. This makes them very difficult to detect and
remove.

DDoS Attack Trojan (Botnet)

A DDoS trojan turns the victim’s device into a zombie participating in a larger botnet. The
attacker’s objective is to harvest as many machines as possible and use them for malicious
purposes without the knowledge of the device owners—typically to flood servers with fake
traffic as part of a Distributed Denial of Service (DDoS) attack.

Trojan Horse Malware Examples

Following are some of the fastest-spreading and most dangerous trojan families.

Zeus

Zeus/Zbot is a malware package operating in a client/server model, with deployed instances
calling back home to the Zeus Command & Control (C&C) center. It is estimated to have
infected over 3.6 million computers in the USA, including machines owned by NASA, Bank
of America and the US Department of Transportation.

Zeus infects Windows computers and sends confidential data from the victim’s computer to
the Zeus server. It is particularly effective at stealing credentials, banking details and other
financial information and transmitting them to the attackers.

The weak point of the Zeus system is the single C&C server, which was a primary target for
law enforcement agencies. Later versions of Zeus added a domain generation algorithm
(DGA), which lets Zbots connect to a list of alternative domain names if the Zeus server is
not available.

Zeus has many variants, including:

• Zeus Gameover—a peer-to-peer version of the Zeus botnet without a centralized C&C.
• SpyEye—designed to steal money from online bank accounts.
• Ice IX—financial malware that can control content in a browser during a financial transaction,
and extract credentials and private data from forms.
• Citadel—an open-source variant of Zeus that has been worked on and improved by a
community of cybercriminals, and was succeeded by Atmos.
• Carberp—one of the most widely spread financial malware families in Russia. It can exploit
operating system vulnerabilities to gain root access to target systems.
• Shylock—uses a domain generation algorithm (DGA) to receive commands from a large
number of malicious servers.

ILOVEYOU

ILOVEYOU (commonly referred to as the “ILOVEYOU virus”) was a trojan released in
2000, which was used in the world’s most damaging cyberattack, causing $8.7 billion
in global losses.

The trojan was distributed as a phishing email, with the text “Kindly check the attached love
letter coming from me”, with an attachment named “ILOVEYOU” that appeared to be a text
file. Recipients who were curious enough to open the attachment became infected; the trojan
overwrote files on the machine and then sent itself to their entire contact list. This
simple but effective propagation method caused the virus to spread to millions of computers.

Cryptolocker

Cryptolocker is a common form of ransomware. It distributes itself using infected email
attachments; a common message contains an infected password-protected ZIP file, with the
password contained in the message. When the user opens the ZIP using the password and
clicks the attached PDF, the trojan is activated. It searches for files to encrypt on local drives
and mapped network drives, and encrypts the files using asymmetric encryption with 1024- or
2048-bit keys. The attackers then demand a ransom to release the files.

Stuxnet

Stuxnet was a specialized Windows Trojan designed to attack Industrial Control Systems
(ICS). It was allegedly used to attack Iran’s nuclear facilities. The virus caused operator
monitors to show business as usual, while it changed the speed of Iranian centrifuges, causing
them to spin too long and too quickly, and destroying the equipment.

How to Detect Trojans in Your Organization

Trojans are a major threat to organizational systems and a tool commonly used as part
of Advanced Persistent Threats (APT). Security teams can use the following technologies and
methods to detect and prevent trojans:

Endpoint protection platforms

Modern endpoint protection systems include traditional antivirus, next-generation
antivirus (NGAV) that can prevent zero-day and unknown trojans, and behavioral analytics
that identifies anomalous activity on user devices. This combination of protective measures is
effective against most trojans.

Web application firewall (WAF)

A WAF is deployed at the network edge and can prevent trojan infections by blocking
downloads of trojan payloads from suspicious sources. In addition, it can detect
and block unusual or suspicious network communication. WAFs can block trojans when
they “phone home” to their C&C center, rendering them ineffective, and can help identify the
affected systems.

Threat hunting

Threat hunting is the practice of actively searching for threats on corporate networks by
skilled security analysts. Analysts use Security Information and Event Management (SIEM)
systems to collect data from hundreds of IT systems and security tools, and use advanced
searches and data analytics techniques to uncover traces of trojans and other threats present in
the local environment.
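The DGA behaviour described for Zeus and Shylock above and the SIEM-driven hunting described here meet in one concrete check: spotting algorithmically generated C&C domain names in DNS telemetry. The following Python, added here as an illustration and not part of the original document, scores each queried domain on three simple lexical indicators and flags hosts that repeatedly resolve such names; the log lines, thresholds and host names are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed DNS query log, one "<host> <queried domain>" per line (not real data).
DNS_LOG = """\
ws-101 www.example.com
ws-101 stackoverflow.com
ws-102 kq3x9vz7tplm2d.info
ws-102 zpw81hqn4cxy0f.info
ws-102 8fj2lxqz0pbv7rk.info
ws-103 docs.python.org
ws-103 x7q2mzv9bhkd3n.biz
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of a label; algorithmically generated labels score high."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(domain: str) -> str:
    """'www.example.com' -> 'example' (public-suffix handling omitted for brevity)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(domain: str) -> int:
    """Number of DGA indicators present: high entropy, many digits, few vowels."""
    label = second_level_label(domain)
    if len(label) < 10:  # short labels are mostly brand names; skip them
        return 0
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return (shannon_entropy(label) > 3.5) + (digit_ratio > 0.2) + (vowel_ratio < 0.25)

def is_dga_like(domain: str) -> bool:
    """Two of three indicators are required so long legitimate names are not flagged."""
    return dga_score(domain) >= 2

def hunt(log: str, threshold: int = 3) -> dict:
    """Hosts with at least `threshold` DGA-like lookups, the repeated C&C resolution attempts a SIEM search would surface."""
    hits = defaultdict(list)
    for line in log.strip().splitlines():
        host, domain = line.split()
        if is_dga_like(domain):
            hits[host].append(domain)
    return {host: doms for host, doms in hits.items() if len(doms) >= threshold}
```

On the constructed log only ws-102 is reported: ws-103 resolves one DGA-like name, which falls below the repetition threshold, and a single odd lookup is normally triaged rather than alerted on.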

Triaging user complaints

Often, a simple user complaint about a slow machine or strange user interface behavior could
signal a trojan. Triaging IT support requests with behavioral analytics and data from other
security tools can help identify hidden trojans.

The following are common symptoms of trojans which may be reported by users:

• Popups appear, launched by the user’s browser or operating system
• Disk space disappears, unexplained persistent disk errors
• Poor system performance, machine suddenly slows down with no apparent cause
• Mouse or keyboard operate on their own
• Computer shuts down or restarts with no user action
• Change to desktop image or configuration
• Change to browser homepage or start page
• Searches redirect to an unknown domain
• System firewall or antivirus turned off without user intervention
• Unusual network activity when the user is not active
• New programs, favorites or bookmarks not added by the user

Imperva Data Protection Solutions

Imperva helps detect and prevent trojans via user rights management—it monitors data access
and activities of privileged users to identify excessive, inappropriate, and unused privileges.
It also offers the industry’s leading web application firewall (WAF), which can detect and
block trojans when they attempt to contact their Command & Control center.

In addition to ransomware detection and prevention, Imperva’s data security solution
protects your data wherever it lives—on premises, in the cloud and hybrid environments. It
also provides security and IT teams with full visibility into how the data is being accessed,
used, and moved around the organization.

Our comprehensive approach relies on multiple layers of protection, including:

• Database firewall—blocks SQL injection and other threats, while evaluating for known
vulnerabilities.
• Data masking and encryption—obfuscates sensitive data so it would be useless to the bad
actor, even if somehow extracted.
• Data loss prevention (DLP)—inspects data in motion, at rest on servers, in cloud storage, or
on endpoint devices.
• User behavior analytics—establishes baselines of data access behavior, uses machine learning
to detect and alert on abnormal and potentially risky activity.
• Data discovery and classification—reveals the location, volume, and context of data on
premises and in the cloud.
• Database activity monitoring—monitors relational databases, data warehouses, big data and
mainframes to generate real-time alerts on policy violations.
• Alert prioritization—Imperva uses AI and machine learning technology to look across the
stream of security events and prioritize the ones that matter most.
