Trojan

Copy current article URL Share via email

This article (PDF) Whole documentation (PDF)

Historically speaking, computer Trojans (Trojan horses) have been defined as a class of threats which attempt to present themselves as useful programs and thus trick users into running them.

Since Trojans are a very broad category, it is often divided into several subcategories.

Downloader

These terms usually signify malicious programs, components or functionality whose (usually sole) purpose is to download additional (usually malicious) software onto an infected system and execute it.

Dropper

A trojan dropper is a type of malware that acts as a carrier, containing within itself another malicious executable. When launched, it “drops” or installs the contained file and executes it.

Historically-speaking, the term “dropper” was used to describe a file whose sole purpose was to introduce a computer virus into the wild and these were sometimes called “zero generation” viruses by antivirus researchers, in much the same way that “patient zero” was used by doctors and epidemiologists when discussing infectious diseases. In the case of a polymorphic computer virus, its dropper might not be encrypted but could consist solely of the decrypted computer virus code.

Packer, Crypter, Protector

Packers are the “outer shells” of some trojan horses, the purpose of which is to make detection and analysis by anti-virus software and malware analysts (respectively) more difficult by hiding the payload they contain, making it first necessary to unpack them so as to ascertain their purpose. To make the tasks even more challenging, packers often employ various anti-debugging, anti-emulation (anti-VM) techniques and code obfuscation.

Packers also usually make the resulting executable smaller in size, and are therefore also used by legitimate software, not only malware. They serve several purposes, mainly compressing the executable and protecting applications against software piracy.

Backdoor, Remote Access Tool/Remote Access Trojan

A backdoor is an application allowing remote access to a computer. The difference between this type of malware and a legitimate application with similar functionality is that the installation is done without the user’s knowledge.

Typical backdoor functionality includes the capability to send files to the host computer and execute files and commands on it, and to exfiltrate (send) files and documents back to the attacker. Often this is coupled with key-logging and screen-grabbing functionality for purposes of spying and data theft.

The term “RAT” (Remote Access Tool) can be considered a synonym to “backdoor”, but it usually signifies a full bundle including a client application meant for installation on the target system, and a server component that allows administration and control of the individual ‘bots’ or compromised systems.

Keylogger

A program used to record keystrokes typed on a computer.

Keyloggers can be used for both beneficial purposes, such as monitoring employees in a regulated industry, or malignant ones, such as to steal account credentials. Sophisticated keyloggers may also record mouse movements and button clicks, keystrokes typed on on-screen virtual keyboards, and capture screenshots or videos of what is being displayed on screen.

Hardware keyloggers also exist that may be plugged between a computer and a keyboard to record keystrokes.

Dialer

A dialer is a program designed to redirect the user’s telephone connection (dial-up) to the Internet to use a premium rate number.

These programs can be used legally when paying for Internet services, but fraudulent dialers can be used for redirecting a connection to a more expensive number without the computer user’s knowledge. This type of threat has become rare in areas where broadband is available.

If a file on your computer is detected as a Trojan, it is advisable to delete it, since it most likely contains nothing but malicious code.

˄˅