ESET Glossary – Table of Contents

Trojan

Historically, computer trojans (Trojan horses) have been defined as a class of threats that attempt to present themselves as useful programs and thus trick users into running them.

Since Trojans are a broad category, they are often divided into several subcategories.

Downloader

This term usually signifies malicious programs, components or functionality whose (usually sole) purpose is to download additional (usually malicious) software onto an infected system and execute it.

Dropper

A trojan dropper is a type of malware that acts as a carrier, containing another malicious executable within itself. When launched, it “drops” or installs the contained file and executes it.

Historically, the term “dropper” was used to describe a file whose sole purpose was introducing a computer virus into the wild. These were sometimes called “zero generation” viruses by antivirus researchers, in much the same way that “patient zero” was used by doctors and epidemiologists when discussing infectious diseases. In the case of a polymorphic computer virus, its dropper might not be encrypted but could consist solely of the decrypted computer virus code.

Packer, Crypter, Protector

Packers are the “outer shells” of some trojan horses. Their purpose is to hide the payload they contain, making detection by anti-virus software and analysis by malware analysts more difficult. A packed file must first be unpacked to ascertain its purpose. Packers often employ various anti-debugging and anti-emulation (anti-VM) techniques, as well as code obfuscation, to make these tasks even more challenging.

Packers also usually reduce the size of the resulting executable, so they are used by legitimate software, not only malware. They serve several purposes, mainly compressing the executable and protecting applications against software piracy.

Backdoor, Remote Access Tool/Remote Access Trojan

A backdoor is an application that allows remote access to a computer. The difference between this type of malware and a legitimate application with similar functionality is that the backdoor is installed without the user’s knowledge.

Typical backdoor functionality includes the capability to send files to the host computer, execute files and commands on it, and exfiltrate (send) files and documents back to the attacker. This is often coupled with key-logging and screen-grabbing functionality for purposes of spying and data theft.

The term “RAT” (Remote Access Tool) can be considered a synonym for “backdoor”, but it usually signifies a full bundle including a client application meant for installation on the target system, and a server component that allows administration and control of the individual ‘bots’ or compromised systems.

Keylogger

A program used to record keystrokes typed on a computer.

Keyloggers can be used for beneficial purposes, such as monitoring employees in a regulated industry, or malicious ones, such as stealing account credentials. Sophisticated keyloggers may also record mouse movements and button clicks, keystrokes typed on on-screen virtual keyboards, and capture screenshots or videos of what is being displayed.

Hardware keyloggers may also be plugged between a computer and a keyboard to record keystrokes.

Dialer

A dialer is a program designed to redirect the user’s dial-up telephone connection to the Internet so that it uses a premium-rate number.

These programs can be used legally when paying for Internet services, but fraudulent dialers can be used for redirecting a connection to a more expensive number without the computer user’s knowledge. This type of threat has become rare in areas where broadband is available.

If a file on your computer is detected as a Trojan, it is advisable to delete it since it most likely contains only malicious code.