Greek mythology tells of a decade-long war between Achaea and Troy. After holding out under siege for so many years, Troy ultimately falls to a ruse — a wooden horse meant to taken as a victory trophy loaded with Greek troops that open the gates to their army who storm the city. Thus, the legend of the Trojan horse was born, but today this term is more commonly used to describe not a wooden horse, but rather a piece of malware disguised as a legitimate file.
It is not a city that falls to this ruse, but instead computers or even entire networks. The waiting army can be one of any number of payloads meant to achieve this.
In the context of malware, a Trojan horse — generally simply shortened to "Trojan" — describes the method by which malware finds its way onto a device, namely by masquerading as something else and tricking the user. There is no specific universal goal of Trojans aside from gaining access to devices to deploy the actual goal-oriented part of the malware. This is sometimes in the form of another piece of malware embedded in the malware or downloaded remotely, which are described as loaders and downloaders respectively when it comes to the sub-type of the Trojan (both of which are also sometimes simply called "droppers").
Other times, the goal is part of the original piece of malware directly, and Trojan is simply a classification for the aspect of tricking the user while the goal is added as a sub-classification based on commonly co-occurring with the social engineering approach. Ultimately, the Trojan aspect and terminology itself simply refers to the aspect of tricking a user, and thus Trojan would be classified as an infection method — the way in which malware first ends up on a system.
Common goals that are typically used as subclassifications with Trojan include banker, infostealer/password stealer, backdoor, and the dropper/loader/downloader functionality already mentioned. Aside from deploying secondary payloads, the most common goal of Trojans as they are currently typically identified is to steal information. Bankers steal banking information and credentials, while infostealers and password stealers typically target credentials more generally. Backdoors simply grant an attacker future access to the device.
It is entirely possible for these goals to co-occur with other infection methods, however, which is why for the purpose of this series these goals will be explained in more detail in their own articles relating to goals and objectives of malware in general.
A Trojan isn't the only way banking information can be stolen by malware, but it is the most common and first way in which malware did it. It is likely that most, if not all, subclassifications of Trojan came about in the same way and were simply added as subclassifications because they weren't common enough at the time to warrant their own classification, and between co-occurrence and potentially detection logic, lumping them under Trojan made sense at the time. Today, however, between the complexity of malware and cobbling together of different types and techniques, understanding that these objectives are separate from the infection method is important.
As technology in general has advanced, so has malware and specifically Trojans. Many document formats include some form of scripting to make them more versatile, and as it has become increasingly easy to block malware in the form of executable files (sometimes by simply blocking executable files in general as is very often the case with email), Trojans have increasingly come to rely on different file formats and, in particular, document file formats. Especially in the case of droppers, the actual logic of the malware doesn't need to be particularly complex nor the feature set of the scripting language robust since all that is required is getting the next payload onto the system and executing it.
Microsoft Office files have been a very common file format for Trojans to use for many years now, largely taking advantage of the macros feature. Exploiting Dynamic Data Exchange (DDE) was very popular a few years ago when it was discovered since the vast majority of detection methods relied on detection and analysis of macros. DDE was eventually disabled by default, leading to macros starting to regain popularity, but with macros now also disabled by default it's likely other methods or file formats will dominate in the coming years.
Adobe PDF files are also a common format, although they have been far less common than Microsoft Office likely due to their use of JavaScript as the scripting language, which is far more limited from an attacker perspective than the VBScript language used by macros. In fact, it is quite common for PDF malware to invoke VBScript, which can account for the lesser popularity of PDF malware given there are really no reasons for legitimate files to do this, making detection easier.
As security practices and software advance, social engineering has increasingly taken a front seat in attack methods because it only takes one user being tricked to gain access to an entire network. Social engineering is also less costly than finding and exploiting software bugs while at the same time being effective. Conversely, using technology is far simpler of a security method than adequate security awareness training for every user or employee, and even adequate training doesn't always provide consistent and effective results. Nonetheless, adequate security training is crucial to combating today's threats, including malware.
By Jonathan Tanner
This article originally appeared on Journey Notes, the Barracuda blog.
Back