Lesson 39 of 214

Trojans

Christophe November 29, 2021

If you’ve ever heard the story of the Trojan War, you’ll know the Trojan Horse: a wooden horse the Greeks used to enter the city of Troy and win the war.

It is said that the city of Troy was so well defended that the Greeks simply couldn’t penetrate its walls. As a last-ditch effort, the Greek army came up with a clever trick. They built a large wooden horse as a supposed peace gift, and then pretended to have retreated via their ships. When the Trojans saw the horse and saw that the Greeks had left, they brought the horse within their walls and had a long night of celebrations.

After most of the city fell asleep, Greek soldiers hidden and stuffed within the wooden horse broke out, opened the city gates, and signaled to the rest of the hidden Greek army. Within hours, the Greek army had control of the city.

It turns out that this is a mythical story, but the meaning of the Trojan Horse has extended far beyond it.

In cybersecurity, it’s used to describe a form of malware that pretends to be something harmless when, in reality, it’s designed to take control of your devices.

Examples of trojan horses

For example, an attacker could build a trojan horse to look like an image file or video file. The unsuspecting victim, thinking they were receiving a legitimate image, would open the file, which would trigger the hidden malware to execute.

Trojan horses don’t always have to be completely fake, however. For example, someone may offer a premium application for free via torrents, also known as a cracked application. Someone downloads that application, and when they open it, maybe it functions properly. However, they may not realize that a piece of malware also executed and silently took control of their device.

This could also happen with fake video downloads of movies, online courses, or even “PDF downloads” of books, to name just a few examples.

Impact of trojan horses

This type of malware is typically designed to:

  • Steal information from a device (e.g. harvest credentials)
  • Monitor what gets typed on your keyboard
  • Take control of your peripherals, such as your keyboard, mouse, webcam, etc.
  • Install additional malware, such as ransomware
  • and more, which we’ll explore in other lessons

So trojan malware is typically used to gain access to a device through deception, and only then to do something else.

Important concepts

The important concepts to keep in mind with Trojans are:

  1. A Trojan is a form of malware that disguises itself
  2. Trojans are usually “door openers” — meaning that they give an attacker access to the device in order to then do something else
  3. Trojans are not considered viruses, because they do not self-replicate

Defenses against trojans

What are effective defenses? They’re similar to what we’ve already mentioned:

  • Ensure you have up-to-date defensive software — for example, make sure you keep Windows Defender updated
  • Don’t blindly open files from complete strangers — especially if the file extension looks odd (for example, if an image file has a .exe file extension)
  • Be very careful what you download from the Internet in general
  • Be on the lookout for the social engineering attacks we covered in the prior section, which are oftentimes used to try to get you to download and open trojans
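As an added example (not part of the lesson), here is a small Python check a defender could run over downloaded files to catch the disguise described above: a file whose name claims to be an image or PDF while its first bytes say “executable”, or a double extension such as `.jpg.exe`. The magic-byte values are standard file signatures; the sample file headers are constructed for the demonstration.

```python
# Flag files whose claimed type (extension) disagrees with their actual content,
# or that carry a double extension hiding an executable. Added example, not lesson code.

# Standard header signatures for formats a trojan commonly impersonates.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
# Standard header signatures for native executables.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable (64-bit)",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi"}


def inspect_file(name: str, header: bytes) -> list[str]:
    """Return a list of findings for a file, given its name and its first bytes."""
    findings = []
    exts = ["." + p for p in name.lower().split(".")[1:]]
    final_ext = exts[-1] if exts else ""

    # Double extension such as "holiday.jpg.exe": the real (last) extension is executable.
    if len(exts) >= 2 and final_ext in EXECUTABLE_EXTS and exts[-2] in IMAGE_MAGIC:
        findings.append(f"double extension: looks like {exts[-2]} but is {final_ext}")

    # Content is an executable while the name does not admit it.
    for magic, desc in EXECUTABLE_MAGIC.items():
        if header.startswith(magic) and final_ext not in EXECUTABLE_EXTS:
            findings.append(f"content is a {desc} but extension is '{final_ext or '(none)'}'")

    # Name claims an image/document, but the header is not that format.
    expected = IMAGE_MAGIC.get(final_ext)
    if expected and not any(header.startswith(m) for m in expected):
        findings.append(f"header does not match {final_ext} signature")
    return findings


SAMPLES = {  # constructed headers: a real JPEG, a renamed PE, a PE posing as PDF, plain text
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "vacation.jpg.exe": b"MZ\x90\x00" + b"\x00" * 12,
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 12,
    "readme.txt": b"hello",
}


def scan_samples() -> dict[str, list[str]]:
    """Run the check over the constructed samples and return findings per file name."""
    return {name: inspect_file(name, data) for name, data in SAMPLES.items()}
```

Only the files that are genuinely disguised produce findings; the clean JPEG and the text file come back empty.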

Case studies

As we wrap up this lesson, let’s take a quick look at some examples of real-world trojans.

Qbot

According to RedCanary.com, Qbot is one of the most frequently observed trojans currently in the wild, and it is considered a banking trojan that focuses on stealing user data and banking credentials. So at its core, it’s a credential harvester. But, over time, additional functionality has been added.

It now also includes command and control (aka C2 or C&C) functionality, which we will talk about later, as well as anti-analysis features. It has the ability to move laterally within an environment in order to spread further, and it can now also execute ransomware.

The most common way that this trojan gains initial entry is through phishing.

If you’re interested, this article also outlines detection opportunities, although this gets a little bit more technical and is beyond the scope of this course, so I’ll leave that up to you.

Emotet

One more example we’ll look at is the Emotet trojan. Despite having what I think is a pretty cool name, it’s actually a really nasty piece of software. Emotet is primarily known for delivering follow-on payloads. What I mean by that is Emotet is designed to function as a downloader or dropper of other malware. Once it’s been executed on a device, it will then download, or “drop” additional malicious software onto that device, including (but not limited to) that Qbot trojan we talked about previously, TrickBot (which is another trojan), or even the famous Ryuk ransomware.

Conclusion

As you can see, some of the most common trojans nowadays focus on harvesting credentials, enabling the attacker to deploy ransomware, or even on turning devices into bots.

The credentials can then be used to steal funds from bank or crypto accounts, they can be sold on the dark web, or they can be used to further exploit a corporate network.

Ransomware, by contrast, is designed to prevent organizations from accessing their data and systems, and then to demand a monetary payment.

Bots, as we’ll talk about in an upcoming lesson, can then be controlled by the attacker.

Either way, trojans have been around for a long time, and they’ll continue to be around, because they are effective ways of spreading additional malware.
