ARN

17 types of Trojans and how to defend against them

Trojan malware comes in many different types, but all require a user action to initiate

Computer Trojans received their name from the infamous mythological horse. The Trojan’s basic mission is to mislead people of its real goal. A Trojan is malicious software that usually needs to be launched by the user or another malicious program.

Malicious code typically penetrates the system under the guise of a useful utility or tool. However, the main task of such software is to perform one or more of these malicious actions:

  • Delete user or system data
  • Change user or system data
  • Encrypt user or system data
  • Copy user or system data
  • Send and receive files
  • Slow computers
  • Slow networks

Trojans have evolved into different complex forms like backdoors (that can manage distant computers) and downloaders (that can download and install other malicious programs. These are the types of Trojans that you need to be aware of:

1. ArcBombs

These Trojans represent special archives that are designed to behave abnormally when users try to unpack them. ArcBomb archives either freeze or seriously slow the system. Malicious archives use different techniques to achieve their goal.

They may use malcrafted headers or corrupt data that lead to a malfunction of an archiver or an unpacking algorithm. They may also contain a heavyweight object that consists of identical, repeating data that can be packed into a small archive. For example, 10 GB of data is packed into a 400 KB archive.

2. Backdoors

Backdoors allow criminals to control computers remotely. Attackers can do a wide range of actions on an infected computer including receiving, sending, deleting or launching files; displaying screen alerts; or rebooting PCs.

These Trojans can also help attackers install and launch third-party code on the victim's device, record keystrokes (acting like keyloggers), or turn on the camera and microphone. Sometimes backdoors are used to manage a group of infected computers (or recently IoT devices) united into a botnet.

A separate type of backdoor can spread over the network (just like a worm). Unlike woks, they do not spread by themselves, but only after receiving a command from their creator.

3. Banking Trojans

Banking Trojans are created to steal confidential user data such as login credentials, passwords, SMS authentication, or bank card info.  

Emotet
Discovered in 2014, Emotet was initially created to steal banking data. Spam functions and malware download options were added to later versions.

TrickBot
Created in 2016, TrickBot is still one of the most prevalent banking Trojans. Besides targeting banks, TrickBot also steals cryptocurrency from Bitcoin wallets. TrickBot consists of several modules coupled with a config file. Modules have specific tasks such as stealing credentials, gaining persistence, or encryption. Hacked wireless routers are used as command-and-control servers.

4. Clickers

These Trojans are created to access internet sites and servers. Users are not aware of such activity as clickers send commands to browsers. Clickers may also replace Windows host files where standard addresses are indicated. Clickers are used to:

  • Increase website traffic volumes to get more money from ads
  • Run DDoS attacks
  • Redirect potential victims to web pages containing hoaxes or malware

5. DDoS

DDoS Trojans are intended to launch denial of service attacks targeting the victim’s IP address. During such attacks, a flood of requests get sent from multiple infected devices to the DDoS victim thus overloading it and causing it to stop functioning.

To run a successful DDoS attack, cyber crooks need to infect plenty of computers with DDoS Trojans. Mass spam and phishing are often used for this. Once a botnet is ready, all infected computers start to simultaneously attack the victim.

6. Downloaders

Downloaders can download and launch malicious software, including other Trojans. Data about the location and name of the programs that need to be downloaded is stored inside the Trojan code or can be obtained by the Trojan from the server controlled by the Trojan author.

Downloaders are frequently used to get the initial foothold on the system. Innocent users visit infected webpages that contain exploits. These exploits deliver downloaders that then download the rest of the malicious payload.

7. Droppers

These software pieces are designed to install malware covertly. They contain other malware that is obfuscated and deeply hidden inside the dropper’s code. This is done to prevent detection by antivirus software. Many antivirus tools cannot analyse all components of droppers. They usually are saved to a Windows temporary directory. Then they are executed without any user notifications.

8. FakeAV

Malicious software like fakeAV impersonates the operation of antivirus tools. Fake AV shows numerous security warnings to users trying to extort money from them. Inexperienced users get frightened and buy full versions of fakeAVs to get rid of the non-existent security threats.

9. Game thieves

Similar to bankers, game thieves are intended to steal confidential information. Instead of stealing financial records, game thieves steal information related to online gaming accounts. These Trojans then use email, FTP and other data transfer methods to pass stolen info to hackers.

10. Instant messaging Trojans

IM Trojans steal logins and passwords used to access instant messaging services like Skype or WhatsApp. Trojans then pass this data to attackers via email, web requests, FTP and other methods.

11. Loaders

A Loader is a small piece of code needed to install the full version of the virus. A tiny loader enters the computer system (for example, when the user is viewing a malicious image file). During this process, the loader connects to a server and downloads and installs the rest of its components.

12. Mailfinders

Mailfinders steal email addresses from user computers and transmit them to hackers. Criminals then use the collected addresses for spamming and phishing attacks.

13. Notifiers

This type of Trojans sends its developer information about the infected computer and its status. It may include info on open ports, launched software, and running services. Notifiers are used during complex attacks involving multi-component malware. Attackers need to be sure all parts of their malware are successfully installed.

14. Proxies

These Trojans allow attackers to get anonymous access to internet websites using the victim's computer as an intermediary. Crooks use this type of viruses to send spam while hiding behind victims’ IP addresses.

15. Password stealing ware

Password Stealing Ware (PSW) steals passwords from infected computers. Trojans of this type can search for passwords kept by users inside files or by web browsers. Some variants may steal software licenses and system/network passwords.

16. Ransom Trojans

Ransom Trojans may encrypt files and\or block access to a PC, so users are unable to use it. Attackers offer victims to pay the ransom in exchange for their data or restoring the regular operation of the device. These Trojans are extremely popular now. Some operators earn millions of dollars in short periods of time.

17. SMS Trojans

These rogue programs send SMS messages from infected devices (smartphones) to premium-rate numbers. Sometimes, they can be used as SMS interceptors during multi-stage attacks involving two-factor authentication.

How do Trojans work?

All Trojans consist of two parts: server and client. The client connects to the server with the help of the TCP/IP protocol. The client may have a user interface and a set of buttons and input fields for remote administration.

The server part is installed on the victim's device. The server-side processes (executes) commands from the client and transfers various data.

Once entering the computer, the server-side listens on a specific port waiting for commands. An attacker pings a port on an infected host. In case the server part is successfully installed, it responds with the computer IP address and network name. When the connection is established the client starts sending commands to the server part.

Trojan infection symptoms

  • New applications in the Start-up menu
  • Fake alerts informing about viruses, downloaded porn videos, etc.
  • Sudden screenshots
  • Playing sounds or displaying photos
  • Sudden computer rebooting

How to defend against Trojans

Most Trojans require user permission to run. Users usually launch the malware when they click on an email attachment or allow macros in office docs.

So, the best protection against Trojans is to train users to watch what they click or open. Users should be 100 per cent sure of the sources of the files sent to them or downloaded from the internet. In today's busy world, this is not always possible, so a few additional measures should be taken.

Keep all software updated, especially the OS, antivirus, and web browsers. Malefactors exploit security holes in these programs to place Trojans on your computers. Set up and use firewalls to keep the internet connections secure. Firewalls filter out malicious traffic and prevent Trojans from getting delivered onto your device.

As there are many types of Trojan, no single method will get rid of them. The first step is to clean the temporary folder, locate malicious entries in the registry, and manually delete them while in Safe Mode. The best antivirus tools can detect and remove Trojans automatically. Regular antivirus updates are essential to better detection accuracy.