This article is about computer system security. For Odysseus' subterfuge in the Trojan War, see Trojan Horse.

In the context of computer software, a Trojan horse is a malicious program that is disguised as legitimate software. The term is derived from the classical myth of the Trojan horse. In the siege of Troy, the Greeks left a large wooden horse outside the city. The Trojans were convinced that it was a gift, and moved the horse to a place within the city walls. It turned out that the horse was hollow, containing Greek soldiers who opened the city gates of Troy at night, making it possible for the Greek army to pillage the city. Trojan horse programs work in a similar way: they may look useful or interesting to an unsuspecting user, but are actually harmful when executed.

Often the term is shortened to simply Trojan, even though this turns the adjective into a noun, reversing the myth (Greeks were gaining malicious access, not Trojans).

Trojan horse programs cannot replicate themselves, in contrast to some other types of malware, like viruses or worms. A Trojan horse can be deliberately attached to otherwise useful software by a programmer, or it can be spread by tricking users into believing that it is a useful program.

Definition

A trojan horse computer program has a useful and desired function, or at least it has the appearance of having such. Secretly the program performs other, undesired functions. The useful, or seemingly useful, functions serve as camouflage for these undesired functions. The kind of undesired functions are not part of the definition of a Trojan Horse; they can be of any kind.

In practice, Trojan Horses in the wild do contain spying functions (such as a Packet sniffer) or backdoor functions that allow a computer, unbeknownst to the owner, to be remotely controlled from the network. Because Trojan horses often have these harmful functions, there often arises the misunderstanding that such functions define a Trojan Horse.

The basic difference from computer viruses is: a Trojan horse is technically a normal computer program and does not possess the means to spread itself. Originally Trojan horses were not designed to spread themselves. They relied on fooling people to allow the program to perform actions that they would not have voluntarily performed. Trojans of recent times also contain functions and strategies that enable their spreading. This moves them closer to the definition of computer viruses, and it becomes difficult to clearly distinguish such mixed programs between Trojan horses and viruses.

Examples

Example of a simple Trojan horse

A simple example of a Trojan horse would be a program named "SEXY.EXE" that is posted on a website with a promise of "hot pix"; but, when run, it instead erases all the files on the computer and displays a taunting message. There is an example of a trojan available at www.freewebs.com/em_ce_do/doctor.exe. This example program will automatically shut down the computer when run, and will copy itself to the Startup directory so the computer will shut down as soon as it boots. It self terminates after one hour, or it can alternatively be removed by booting into the command prompt and deleting the file manually. This program only operates in Windows XP.

Example of a somewhat advanced Trojan horse

On the Microsoft Windows platform, an attacker might attach a Trojan horse with an innocent-looking filename to an email message which entices the recipient into opening the file. The Trojan horse itself would typically be a Windows executable program file, and thus must have an executable filename extension such as .exe, .scr, .bat, or .pif. Since Windows is sometimes configured by default to hide filename extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file. Icons can also be chosen to imitate a different file type. When the recipient double-clicks on the attachment, the Trojan horse might superficially do what the user expects it to do (open a text file, for example), so as to keep the victim unaware of its malicious purpose. Meanwhile, it might discreetly modify or delete files, change the configuration of the computer, or even use the computer as a base from which to attack local or other networks.

Types of Trojan horses

Trojan horses can be designed to do various harmful things. Examples are

• erasing or overwriting data on a computer
• corrupting files in a subtle way
• spreading other malware, such as viruses. In this case the Trojan horse is called a 'dropper'.
• setting up networks of zombie computers in order to launch DDoS attacks or send spam.
• spying on the user of a computer and covertly reporting data like browsing habits to other people (see the article on spyware)
• logging keystrokes to steal information such as passwords and credit card numbers
• phish for bank or other account details, which can be used for criminal activities.
• installing a backdoor on a computer system.

Precautions against Trojan horses

Trojan horses can be protected against through end user awareness. If a user does not open unusual attachments that arrive unexpectedly, any unopened Trojan horses will not affect the computer. This is true even if you know the sender or recognize the source's address. Even if one expects an attachment, scanning it with updated antivirus software before opening it is prudent. Files downloaded from file-sharing services such as Kazaa or Gnutella are particularly suspect, because file-sharing services are regularly used to spread Trojan horse programs.

See also

• Farewell Dossier
• Malware
• Secure computing

External links

• Trojan Horse Primer
• Virus & Malware Resources on the Internet
• Anti-Trojan.Org: good Trojan horse information site