Question:
Computer virus?
Scot S.
2008-03-28 15:51:33 UTC
I posted a question asking to name all the viruses, now I see there are a lot. But can someone explain what these are and what they do?

Trojan horse
Worm
Spyware
Tracking cookies
Macro Viruses
boot sector
logic bomb

Thanks!
Six answers:
?
2008-03-28 16:05:21 UTC
Trojan horse-gets into your computer and destroys

Worm-sucks bandwidth makes your computer slow

Spyware-steals information

Tracking cookies-tracks where you go so you get specialized junk mail.

Macro Virus-virus that can be spread with Microsoft Word and other common documents.

boot sector-reprogram your computer

logic bomb-deletes stuff when triggered (ex. salary databases, credit card databases)
Vernon
2016-08-22 20:31:37 UTC
2
2008-03-28 16:09:12 UTC
Long story, bro! I will try to explain them briefly.

Trojan horse = kind of back door, they are like giving access to a stranger

Worm = kind of viruses which are active, they are distributed fast and automatically

Spyware = they keep a log on your computer, they spy on your PC and information

Tracking Cookies = cookies which save important login texts without encryption, or at least a private encryption, as your information can be stolen.

Macro Viruses = mostly in text files, they are totally dependent on programming - as they sit on non-executable files mostly

Boot sector = sitting where your computer boots so they interfere with it, or they can own your computer hardware (read about the virus Chernobyl)

Logic Bomb = ??? What does this mean?
Michael D
2008-03-28 21:47:19 UTC
The best protection for your computer is a 3-tiered approach:

[1] anti-spyware software

[2] anti-virus software

[3] firewall



[1] Latest list of Firewalls (use only one at a time)

http://securitynewsfromthenet.blogspot.com/2008/03/latest-list-of-firewalls.html

[2] Latest list of Anti Virus programs (use only one at a time)

http://securitynewsfromthenet.blogspot.com/2008/03/latest-list-of-anti-virus-programs.html

[3] Latest list of Anti Spyware removal tools

http://securitynewsfromthenet.blogspot.com/2008/03/latest-list-of-anti-spyware-removal.html

http://andymanchesta.com/



What Does AntiSpyware Do?

Antispyware helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. To keep up with the latest forms of spyware, you must keep your antispyware updated.

http://www.microsoft.com/protect/computer/basics/antispyware.mspx

What is antivirus software?

Software that scans your computer's hard drive for all known traces of viruses. After the scanning is complete you can usually choose which viruses to delete.

http://www.microsoft.com/protect/computer/basics/antivirus.mspx

What is a firewall? How does it work?

It is a security program which protects your computer from unauthorised access through the Internet. It resides on your PC and filters traffic coming and going from your computer.

http://computer.howstuffworks.com/computer-internet-security-channel.htm

http://www.microsoft.com/protect/computer/firewall/faq.mspx

Windows Personal Firewall Analysis

http://www.matousec.com/projects/firewall-challenge/results.php
Wildfire44
2008-03-28 16:02:59 UTC
Google each one by name.
2008-03-28 16:29:49 UTC
Trojan horse:

In the context of computing and software, a Trojan horse, or simply trojan, is a piece of software which appears to perform a certain action but in fact performs another such as a computer virus. Contrary to popular belief, this action, usually encoded in a hidden payload, may or may not be actually malicious, but Trojan horses are notorious today for their use in the installation of backdoor programs. Simply put, a Trojan horse is not a computer virus. Unlike such malware, it does not propagate by self-replication but relies heavily on the exploitation of an end-user (see Social engineering). It is instead a categorical attribute which can encompass many different forms of codes. Therefore, a computer worm or virus may be a Trojan horse. The term is derived from the classical story of the Trojan Horse.



In the field of computer architecture, 'Trojan Horse' can also refer to security loopholes that allow kernel code to access anything for which it is not authorized.



Etymology



The word 'Trojan horse' is generally attributed to Daniel Edwards of the NSA. He is given credit for identifying the attack form in the report "Computer Security Technology Planning Study".[1] The term comes from analogy to an episode during the legendary Trojan War, as mentioned in Homer's Odyssey and Virgil's Aeneid: worn out by the long siege, the attacking Greeks built a giant wooden horse, ostensibly a peace offering, and pretended to sail away, but in fact left soldiers hidden inside the statue. After the Trojans brought the horse inside the city walls, the soldiers emerged, opened the gates to the Greek armies, and sacked the city of Troy.



A very classic example is due to computer pioneer Ken Thompson in his 1983 ACM Turing Award lecture. Thompson noted that it is possible to add code to the UNIX "login" command that would accept either the intended encrypted password or a particular known password, allowing a back door into the system with the latter password. Furthermore, Thompson argued, the C compiler itself could be modified to automatically generate the rogue code, to make detecting the modification even harder. Because the compiler is itself a program generated from a compiler, the Trojan horse could also be automatically installed in a new compiler program, without any detectable modification to the source of the new compiler.[2]

Example



A simple example of a Trojan horse would be a program named "waterfalls.scr" where its author claims it is a free waterfall screensaver. When run, it instead unloads hidden programs, commands, scripts, or any number of commands with or without the user's knowledge or consent. Malicious Trojan Horse programs are often used to circumvent protection systems in effect creating a vulnerable system to allow unauthorized access to the user's computer. Non-malicious Trojan Horse programs are used for managing systems, deploying software, surveillance, and forensics.



Types of Trojan horse payloads



Trojan horse payloads are almost always designed to do various harmful things, but can also be harmless. They are broken down in classification based on how they breach and damage systems. The six main types of Trojan horse payloads are:



* Remote Access

* Data Destruction

* Downloader

* Server Trojan (Proxy, FTP, IRC, Email, HTTP/HTTPS, etc.)

* Security software disabler

* Denial-of-service attack (DoS)





Some examples of damage are:



* Erasing or overwriting data on a computer

* Encrypting files in a cryptoviral extortion attack

* Corrupting files in a subtle way

* Upload and download files

* Copying fake links, which lead to false websites, chats, or other account based websites, showing any local account name on the computer falsely engaging in untrue context

* Allowing remote access to the victim's computer. This is called a RAT (remote access trojan)

* Spreading other malware, such as viruses: this type of Trojan horse is called a 'dropper' or 'vector'

* Setting up networks of zombie computers in order to launch DDoS attacks or send spam.

* Spying on the user of a computer and covertly reporting data like browsing habits to other people (see the article on spyware)

* Making screenshots

* Logging keystrokes to steal information such as passwords and credit card numbers

* Phishing for bank or other account details, which can be used for criminal activities

* Installing a backdoor on a computer system

* Opening and closing CD-ROM tray

* Playing sounds, videos or displaying images.

* Calling using the modem to expensive numbers, thus causing massive phone bills.

* Harvesting e-mail addresses and using them for spam

* Restarting the computer whenever the infected program is started

* Deactivating or interfering with anti-virus and firewall programs

* Deactivating or interfering with other competing forms of malware

* Randomly shutting off the computer




The majority of Trojan horse infections occur because the user was tricked into running an infected program. This is why it is advised not to open unexpected attachments on emails -- the program is often a cute animation or an image, but behind the scenes it infects the computer with a Trojan or worm. The infected program doesn't have to arrive via email; it can be sent in an Instant Message, downloaded from a Web site or by FTP, or even delivered on a CD, floppy disk, or USB thumb drive. (Physical delivery is uncommon, but if one were the specific target of an attack, it would be a fairly reliable way to infect a computer.) Furthermore, an infected program could come from someone who sits down at a computer and loads it manually. However, receiving a Trojan in this manner is very rare. It is usually received through a download.



Road apple



A "road apple" is a real-world variation of a Trojan Horse that uses physical media and relies on the curiosity of the victim. The attacker leaves a malware-infected floppy disc, CD ROM or USB flash drive in a location sure to be found or that is commonly visited, gives it a legitimate looking label and then waits in the hopes that someone will eventually use it. An example of this would be to get the corporate logo from the web site of the software that is infected and affixing a legitimate-looking label (e.g. "Employee Salaries Summary FY06") for the infected physical media.



Methods of deletion



Since Trojan horses have a variety of forms, there is no single method to delete them. The simplest responses involve clearing the temporary internet files on a computer, or finding the file and deleting it manually. Normally, anti-virus software is able to detect and remove the trojan automatically. If the antivirus cannot find it, booting the computer from alternate media (CD) may allow an antivirus program to find a trojan and delete it.





Most varieties of Trojan horses are hidden on the computer without the user's awareness. Trojan horses sometimes use the Registry, adding entries that cause programs to run every time the computer boots up. Trojan horses may also work by combining with legitimate files on the computer. When the legitimate file is opened, the Trojan horse opens as well.

Worm

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

Naming and history



The name worm comes from The Shockwave Rider, a science fiction novel published in 1975 by John Brunner. Researchers John F. Shoch and Jon A. Hupp of Xerox PARC chose the name in a paper published in 1982 (The Worm Programs, Comm ACM, 25(3):172-180, 1982), and it has since been widely adopted.



The first implementation of a worm was by these same two researchers at Xerox PARC in 1978.[1] Shoch and Hupp originally designed the worm to find idle processors on the network and assign them tasks, sharing the processing load, and so improving the 'CPU cycle use efficiency' across an entire network. They were self-limited so that they would spread no farther than intended.[2]



Payloads



Many worms have been created which are only designed to spread, and don't attempt to alter the systems they pass through. However, as the Morris worm and Mydoom showed, the network traffic and other unintended effects can often cause major disruption. A "payload" is code designed to do more than spread the worm - it might delete files on a host system (e.g., the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail. A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a "zombie" under control of the worm author - Sobig and Mydoom are examples which created zombies. Networks of such machines are often referred to as botnets and are very commonly used by spam senders for sending junk email or to cloak their website's address.[3] Spammers are therefore thought to be a source of funding for the creation of such worms,[4][5] and worm writers have been caught selling lists of IP addresses of infected machines.[6] Others try to blackmail companies with threatened DoS attacks.[7]



Backdoors can be exploited by other malware, including worms. Examples include Doomjuice, which spreads using the backdoor opened by Mydoom, and at least one instance of malware taking advantage of the rootkit and backdoor installed by the Sony/BMG DRM software utilized by millions of music CDs prior
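
The answer above notes that Trojan horses sometimes add Registry entries so that a program runs at every boot. The following is an added example, not part of the original thread: a small Python triage script that parses the text output of `reg query` for a Run key and flags autorun entries worth a closer look. The sample output is constructed, and the directory and extension heuristics are illustrative assumptions, not a complete rule set.

```python
import re

# Constructed sample of `reg query` output for the per-machine Run key.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Screensaver    REG_SZ    "C:\Users\bob\AppData\Local\Temp\waterfalls.scr" /s
    BackupAgent    REG_SZ    C:\Program Files\Backup\agent.exe --quiet
    helper    REG_SZ    wscript.exe C:\Users\Public\update.vbs
"""

# Value lines look like: 4 spaces, name, 4 spaces, type, 4 spaces, data.
ENTRY = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Assumed heuristics: user-writable locations and script/screensaver types.
RISKY_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\")
RISKY_EXT = re.compile(r'\.(scr|pif|vbs|js|bat|cmd)(?=["\s]|$)')


def parse_run_entries(text):
    """Return (key, name, data) for every value listed under a key header."""
    key, entries = None, []
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match and key:
            entries.append((key, match["name"], match["data"]))
        elif line.startswith("HKEY_"):
            key = line.strip()
    return entries


def reasons(data):
    """List the heuristics that the command line of one autorun entry trips."""
    low = data.lower()
    found = [f"runs from {d}" for d in RISKY_DIRS if d in low]
    ext = RISKY_EXT.search(low)
    if ext:
        found.append(f"launches a .{ext.group(1)} file")
    return found


def suspicious(text):
    """Map entry name -> reasons, for entries that trip at least one heuristic."""
    return {name: r for _, name, data in parse_run_entries(text) if (r := reasons(data))}


if __name__ == "__main__":
    for name, why in suspicious(SAMPLE).items():
        print(f"{name}: {', '.join(why)}")
```

A flagged entry is only a lead for review; legitimate software also starts from user profile folders.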


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.