A quick & dirty guide to malware (part 1: trojans)

[Image: Trojan-Downloader:OSX/Jahlev.A, a trojan disguised as a MacAccess installer]

Judging by the comments on my previous post, there are readers out there who want more in-depth postings about malware – worms, trojans, viruses and the like. Pleased to hear it! So, just to bolster the more malware-focused side of Safe and Savvy, this will be the first in a 3-part series in which I’ll take a look at the most common computer threats you may encounter.

As this is meant as a rough and ready guide rather than an in-depth technical scrutiny, I’ll be highlighting general features and patterns to help ‘the average user’ distinguish between different malware types, as well as how each can affect your data or computer.  Links to more technical discussions are available below.

The Big Three

In this series, I’ll be covering Trojans, Viruses and Worms. After all, when most users think of malware, they’ll almost always think of these three first. These are the most commonly found computer threats, the ones with the most media attention, the evil shining stars of the malware world – The Big Three. If you only ever learn the difference between three types of malware, it should be these three.

Now, perhaps you’d ask at this point, “I have an antivirus program on my computer that will tell me what malware it is, and stop it! Why should I bother?” There are numerous reasons why you may still want to know how malware works. But for now, I’ll just highlight this one: an antivirus program only handles identifying and removing threats from the computer; the user still has to deal with the real-world repercussions of malware having affected their personal information.

As an example, an AV could identify and clean a trojan-thief infection from your computer – but if you know that trojan-thieves typically steal account credentials and passwords, you’d also know to check your online banking and gaming accounts to make sure they aren’t compromised. Knowing more about the malware gives you a starting point for evaluating the impact the infection had on your data and system, and how to make sure both are secure.

So without further ado, we’re going to take a closer look at today’s Threat Numero Uno, the trojan.

Trojans

Trojans and their more well-known cousins, viruses, aren’t always easy to tell apart.

Merriam-Webster’s definition of a trojan is:

“A seemingly useful computer program that contains concealed instructions which when activated perform an illicit or malicious action (as destroying data files)”.

Meanwhile, their definition for a virus is:

“A computer program that is usually hidden within another seemingly innocuous program and that produces copies of itself and inserts them into other programs and usually performs a malicious action (as destroying data)”.

Both perfectly correct and succinct – but still a bit obscure. How would the average user know the malicious action was done because of ‘concealed instructions’ rather than a ‘hidden program’? Perhaps an easier way to grasp the essence of a trojan, and how it differs from a virus, is to think of the difference between a parasite and a fraud.

Think of a macro virus that infects a Microsoft Word document; the Word document itself is perfectly legitimate, but it’s carrying a parasite. In contrast, a trojan that pretends to be a game but installs a keylogger on the system is a fraud; the program itself is bogus – it appears to work but is really just a front to deliver a nasty payload.

Most trojans are fairly simple and fit this definition neatly enough. Of course, there are particularly sophisticated trojans that blur the boundaries by including virus-like capabilities (or vice versa), just to make life difficult for everyone. Fortunately, at the moment these blended threats are relatively rare birds, and we’ll leave them aside for now.

Getting Infected

[Image: Trojan:AndroidOS/Tapsnake, a trojan that appears to be a game]

Trojans are particularly easy to run afoul of because they are deliberately designed and distributed in a way that fools you, the unsuspecting user, into downloading, installing and running them. You could think of trojans as the con men of malware.

Trojans can appear to be almost any type of program – utilities, games, operating system updates, and so on. Malware authors will often steal the names/facade/details of a legitimate program to make the trojan seem authentic or desirable.

On smartphones, particularly Internet-enabled ones, trojans (and worms) have always been the most common type of threat. Trojans targeting smartphones are almost always disguised as system-related updates or applications (e.g. Trojan:SymbOS/Skulls) or games (e.g. Trojan:WinCE/Terdial) – both program types a user is likely to trust and/or desire.

For computer users, viruses have traditionally been the more high-profile threat, but in recent years trojans have superseded them and become more prevalent. Trojans used to be most commonly encountered as e-mail file attachments (either spammed out, often by botnets, or sent directly to the recipient in a targeted attack). This strategy required that the e-mail be convincing (or tantalizing) enough to draw the user into executing the authentic-looking attachment.

Fortunately, most users wise up to this tactic pretty fast, which is bad news for attackers. Nowadays, instead of depending on spam e-mails or direct attacks, malware authors or distributors (they might not be the same) seem to be moving their game online; users are now more likely to stumble across trojans when they’re surfing the web.

Trojans Online

Trojans have been found:

  • Hosted on malicious sites (search engine results may be poisoned to direct users to these sites)
  • Hosted on legitimate sites that have been compromised
  • Seeded on torrent sites, forums, newsgroups, and other download sites
  • Offered through hijacked social networking, instant messaging (IM) and Internet Relay Chat (IRC) accounts

In the online environment, malware authors/distributors seem to turn their creativity to making the malicious websites that host trojans look really authentic and respectable. Again, there’s that element of deception, though now the trickery is focused more on the website rather than the actual file.

A ‘tried and true’ tactic involves the malicious site offering the trojan as a supposed ‘update for a video player’, or ‘patch for a game’ or similar. Another oft-used trick is for the malicious site to mimic or completely copy a legitimate site to lend authenticity to the offered download (for a particularly complex example, see our Labs Weblog entry ZeuS Variants Targeting Mobile Banking).

A particularly effective tactic has the malicious website itself designed to exploit vulnerabilities in the visitor’s web browser, forcing it to automatically download the trojan to the user’s computer. This sophisticated variation on the classic ‘drive-by download’ attack doesn’t require the user to actively do anything at all on the website.

Trojans – after your data, your computer, or both

Once downloaded and executed, the trojan will perform some unauthorized action. Most trojans will fall into one of two general ‘spheres of action’: dealing with data or stealing control of the computer.

Data-dealers

Trojans that target information will either steal data directly from the user or computer, or monitor the user’s behavior in order to gather data. These are the password-stealers and keyloggers, and the trojans that monitor a user’s web browsing and other actions on the computer.

Control-stealers

Trojans designed for control allow, or install programs that allow, a remote attacker to control the infected computer. These are the trojans that download programs to the machine, or turn the user’s computer into a proxy so that an attacker can connect to the Net anonymously. These trojans may also include information-stealing trojans as part of their payload, handily compromising both machine and user data.

[Image: Types of Trojans – What Trojans Do]

Conveniently, these distinctive behavior groupings make trojans easy to categorize. The image above shows the types F-Secure uses to indicate a specific trojan’s actions; most antivirus vendors use roughly similar categorization schemes.

Some trojans are rather more sophisticated and can perform more than a single type of action. These uber-trojans are generally just categorized as trojans, for simplicity’s sake.

If you’re still interested…

The above is just a very quick highlight of a trojan’s most notable features. You can find more information about trojans here:

Or partially available on Google Books:

  • “Software forensics: collecting evidence from the scene of a digital crime” by Robert Slade
  • “IT security survival guide” by TechRepublic

Next

Up next – Viruses!

12 Comments

[…] (Note: This article is for busy Internet users who are looking for information on how to protect their PCs and their families from malware. For more about the technical side of malware, read Alia’s excellent series “A quick & dirty guide to malware”.) […]

What I have noticed is that major antivirus makers do not class malware as a virus and as such do not guard against it. I have seen someone phone one of these makers as they had bought their full package, only to be told “we don’t deal with malware”. They did offer to remove it at an extra cost, which I think is a joke.

Good article and I look forward to reading the rest.
