Judging by the comments on my previous post, there are readers out there who want more in-depth postings about malware – worms, trojans, viruses and the like. Pleased to hear it! So, just to bolster the more malware-focused side of Safe and Savvy, this will be the first in a 3-part series in which I’ll take a look at the most common computer threats you may encounter.
As this is meant as a rough and ready guide rather than an in-depth technical scrutiny, I’ll be highlighting general features and patterns to help ‘the average user’ distinguish between different malware types, as well as how each can affect your data or computer. Links to more technical discussions are available below.
In this series, I’ll be covering Trojans, Viruses and Worms. After all, when most users think of malware, they’ll almost always think of these three first. These are the most commonly found computer threats, the ones with the most media attention, the evil shining stars of the malware world – The Big Three. If you only ever learn the difference between three types of malwares, it should be these three.
Now, perhaps you’d ask at this point, “I have an antivirus program on my computer that will tell me what malware it is, and stop it! Why should I bother?” There are a numerous reasons why you still may want to know about how malware works. But for now, I’ll just highlight this one: an antivirus program only handles identifying and disinfecting threats from the computer; the user still has to deal with the real-world repercussions of malware affecting their personal information.
As an example, an AV could identify and clean a trojan-thief infection from your computer – but if you know that trojan-thieves typically steal account credentials and passwords, you’d also know to check your online banking and gaming accounts to make sure they aren’t compromised. Knowing more about the malware gives you a starting point for evaluating the impact the infection had on your data and system, and how to make sure both are secure.
So without further ado, we’re going to take a closer look at today’s Threat Numero Uno, the trojan.
Trojans and their more well-known cousins, viruses, aren’t always easy to tell apart.
Merriam-Webster’s definition of a trojan is:
“A seemingly useful computer program that contains concealed instructions which when activated perform an illicit or malicious action (as destroying data files)”.
Meanwhile, their definition for a virus is:
“A computer program that is usually hidden within another seemingly innocuous program and that produces copies of itself and inserts them into other programs and usually performs a malicious action (as destroying data)”.
Both perfectly correct and succinct – but still a bit obscure. How would the average user know the malicious action was done because of ‘concealed instructions’ rather than a ‘hidden program’? Perhaps an easier way to grasp the essence of a trojan, and how it differs from a virus, is to think of the difference between a parasite and a fraud.
Think of a macro virus that infects a Microsoft Word document; the Word document itself is perfectly legitimate, but it’s carrying a parasite. In contrast, a trojan that pretends to be a game but installs a keylogger on the system is a fraud; the program itself is bogus – it appears to work but is really just a front to deliver a nasty payload.
Most trojans are fairly simple and fit this definition neatly enough. Of course, there are particularly sophisticated trojans that blur the boundaries by including virus-like capabilities (or vice versa), just to make life difficult for everyone. Fortunately, at the moment these blended threats are relatively rare birds, and we’ll leave them aside for now.
Trojans are particularly easy run to afoul of because they are deliberately designed and distributed in a way that fools you, the unsuspecting user, into downloading, installing and running it. You could think of trojans as the con men of malwares.
Trojans can appear to be almost any type of program – utilities, games, operating system updates, and so on. Malware authors will often steal the names/facade/details of a legitimate program to make the trojan seem authentic or desirable.
On smartphones, particularly Internet-enabled ones, trojans (and worms) have always been the most common type of threat. Trojans targeted to smartphones are almost always disguised as system-related updates or applications (e.g. Trojan:SymbOS/Skulls) or games (e.g., Trojan:WinCE/Terdial) – both program types a user is likely to trust and/or desire.
For computer users, viruses have traditionally been the more high-profile threat, but in recent years trojans have superseded them and become more prevalent. Trojans used to be most commonly encountered as e-mail file attachments (either spammed out, often by botnets, or sent directly to the recipient in a targeted attack). This strategy required that the e-mail be convincing (or tantalizing) enough to draw the user into executing the authentic-looking attachment.
Fortunately, most users wise up to this tactic pretty fast, which is bad news for attackers. Nowadays, instead of depending on spam e-mails or direct attacks, malware authors or distributors (they might not be the same) seem to be moving their game online; users are now more likely to stumble across trojans when they’re surfing the web.
Trojans have been found:
In the online environment, malware authors/distributors seem to turn their creativity to making the malicious websites that host trojans look really authentic and respectable. Again, there’s that element of deception, though now the trickery is focused more on the website rather than the actual file.
A ‘tried and true’ tactic involves the malicious site offering the trojan as a supposed ‘update for a video player’, or ‘patch for a game’ or similar. Another oft-used trick is for the malicious site to mimic or completely copy a legitimate site to lend authenticity to the offered download (for a particularly complex example, see our Labs Weblog entry ZeuS Variants Targeting Mobile Banking).
A particularly effective tactic has the malicious website itself designed to exploit vulnerabilities in the visitor’s web browser, forcing it to automatically download the trojan to the user’s computer. This sophisticated variation on the classic ‘driveby-download’ attack doesn’t require the user to actively do anything at all on the website.
Once downloaded and executed, the trojan will perform some unauthorized action. Most trojans will fall into one of two general ‘spheres of action’: dealing with data or stealing control of the computer.
Trojans that target information will either steal data directly from the user/computer, or monitor the user’s behavior in order to gather data. These trojans are password-stealers and keyloggers, the ones that monitor a user’s web browsing behavior and actions on the computer.
Trojans designed for control allow, or install programs that allow, a remote attacker to control the infected computer. These are the trojans that download programs to the machine, or turn the user’s computer into a proxy so that an attacker can connect to the Net anonymously. These trojans may also include information-stealing trojans as part of their payload, handily compromising both machine and user data.
Conveniently, these distinctive behavior groupings makes trojans easy to categorize. You can see the types (right) F-Secure uses to indicate a specific trojan’s actions; most antivirus vendors will use roughly similar categorization schemes.
Some trojans are rather more sophisticated and can perform more than a single type of action. These uber-trojans are generally just categorized as trojans, for simplicity’s sake.
The above is just a very quick highlight of a trojan’s most notable features. You can find more information about trojans here:
Or partially available on Google Books:
In less than two months, the world has seen the two biggest ransomware outbreaks ever…
July 7, 2017
UPDATE: For the latest on Petya, check this F-Secure Labs post. Are we still calling…
June 28, 2017