Trojans can be classified according to the actions which they carry out on victim machines.
Backdoors Today backdoors are the most dangerous type of Trojans and the most widespread. These Trojans are remote administration utilities that open infected machines to external control via a LAN or the Internet. They function in the same way as legal remote administration programs used by system administrators. This makes them difficult to detect.
The only difference between a legal administration tool and a backdoor is that backdoors are installed and launched without the knowledge or consent of the user of the victim machine. Once the backdoor is launched, it monitors the local system without the user's knowledge; often the backdoor will not be visible in the log of active programs.
Once a remote administration utilitiy has been successfully installed and launched, the victim machine is wide open. Backdoor functions can include:
Sending/ receiving files Launching/ deleting files Executing files Displaying notification Deleting data Rebooting the machine In other words, backdoors are used by virus writers to detect and download confidential information, execute malicious code, destroy data, include the machine in bot networks and so forth. In short, backdoors combine the functionality of most other types of Trojans in one package.
Backdoors have one especially dangerous sub-class: variants that can propagate like worms. The only difference is that worms are programmed to propagate constantly, whereas these 'mobile' backdoors spread only after a specific command from the 'master'.
General Trojans This loose category includes a variety of Trojans that damage victim machines or threaten data integrity, or impair the functioning of the victim machine.
Multi-purpose Trojans are also included in this group, as some virus writers create multi-functional Trojans rather than Trojan packs.
PSW Trojans This family of Trojans steals passwords, normally system passwords from victim machines. They search for system files which contain confidential information such as passwords and Internet access telephone numbers and then send this information to an email address coded into the body of the Trojan. It will then be retrieved by the 'master' or user of the illegal program.
Some PSW Trojans steal other types of information such as:
System details (memory, disk space, operating system details) Local email client IP-address Registration details Passwords for on-line games Trojan-AOL are PSW Trojans that steal passwords for aol (American Online) They are contained in a sub-groups because they are so numerous.
Trojan Clickers This family of Trojans redirects victim machines to specified websites or other Internet resources. Clickers either send the necessary commands to the browser or replace system files where standard Internet urls are stored (e.g. the 'hosts' file in MS Windows).
Clickers are used:
To raise the hit-count of a specific site for advertising purposes To organize a DoS attack on a specified server or site To lead the victim to an infected resource where the machine will be attacked by other malware (viruses or Trojans) Trojan Downloaders This family of Trojans downloads and installs new malware or adware on the victim machine. The downloader then either launches the new malware or registers it to enable autorun according to the local operating system requirements. All of this is done without the knowledge or consent of the user.
The names and locations of malware to be downloaded are either coded into the Trojan or downloaded from a specified website or other Internet location.
Trojan Droppers These Trojans are used to install other malware on victim machines without the knowledge of the user. Droppers install their payload either without displaying any notification, or displaying a false message about an error in an archived file or in the operating system. The new malware is dropped to a specified location on a local disk and then launched.
Droppers are normally structured in the following way:
Main file contains the dropper payload File 1 first payload File 2 second payload ... as many files as the coder chooses to include
The dropper functionality contains code to install and execute all of the payload files.
In most cases, the payload contains other Trojans and at least one hoax: jokes, games, graphics and so forth. The hoax is meant to distract the user or to prove that the activity caused by the dropper is harmless, whereas it actually serves to mask the installation of the dangerous payload.
Trojan Spies This family includes a variety of spy programs and key loggers, all of which track and save user activity on the victim machine and then forward this information to the master. Trojan-spies collect a range of information including:
Keystrokes Screenshots Logs of active applications Other user actions These Trojans are most often used to steal banking and other financial information to support online fraud.
Friday, 2 October 2009
