Trojan programs. What is a Trojan Horse? And how to remove it manually


A Trojan horse is a program used by attackers to steal, destroy or alter information, or to cause a device to malfunction.

Such a program is malicious, but a Trojan is not a virus in terms of how it enters a device and how it operates, because it cannot replicate itself.

The name “Trojan” comes from the phrase “Trojan horse”. According to legend, the ancient Greeks presented the inhabitants of Troy with a wooden horse in which warriors were hiding; at night they climbed out and opened the city gates to the Greeks. In the same way, a modern Trojan program is dangerous precisely because it hides the real goals of its developer.

A Trojan program is used to get past a security system. Such programs can be launched manually or automatically, leaving the system vulnerable so that attackers can gain access to it. To get launched automatically, the program is given an attractive name or is disguised as another program.

Attackers also use other methods. For example, Trojan functionality is added to the source code of an existing program, and the result is substituted for the original. Or a Trojan can be disguised as a free desktop screensaver: when it is installed, hidden commands and programs are loaded, with or without the user's consent.

There are many different types of Trojans, so there is no single way to remove them. Today almost any antivirus can find and remove Trojan programs automatically. If the antivirus still cannot detect the Trojan, booting the operating system from an alternative medium will help the antivirus find and remove it. Do not forget to update your antivirus database regularly: the quality of Trojan detection depends directly on how regularly it is updated. The simplest solution is to find the infected file manually and delete it in Safe Mode, or to completely clean out the Temporary Internet Files directory.

A Trojan program that disguises itself as a game, application, installation file, picture or document is capable of imitating that file's function quite well (in some cases completely). Similar disguises and harmful functions are also used by computer viruses, but viruses, unlike Trojans, can spread on their own. At the same time, a Trojan can be a module of a virus.

You may not even suspect that a Trojan program is on your computer. Trojans can be combined with ordinary files: when you launch such a file or application, the Trojan is activated as well. Trojans are also sometimes launched automatically after the computer is turned on; this happens when they are registered in the Registry.

Trojan programs are placed on disks, flash drives, open resources and file servers, or sent via e-mail and messaging services, in the expectation that they will be run on a specific PC, especially one that is part of a network.
Be careful: a Trojan may be only a small part of a larger, multi-layered attack on a system, network or individual devices.

A Trojan program (also called a Trojan or Trojan horse) is a malicious program used by an attacker to collect, destroy or modify information, disrupt the operation of a computer, or use its resources for improper purposes. The effect of a Trojan may not itself be malicious, but Trojans have earned their notoriety for their use in installing programs such as backdoors. By its method of distribution and action a Trojan is not a virus, since it is not capable of self-propagation.

A Trojan horse is launched manually by the user or automatically by a program or by part of the operating system running on the victim computer (as a module or utility program). To achieve this, the program file (its name and icon) is given a service-like name, disguised as another program (for example, the installer of another program) or as a file of a different type, or simply given an attractive name or icon so that the user will launch it. A simple example of a Trojan is a program such as waterfalls.scr, which its author claims is a free screen saver; when launched, it loads hidden programs, commands and scripts with or without the user's consent or knowledge. Trojan horses are often used to trick security systems, leaving the system vulnerable and thereby allowing unauthorized access to the user's computer.

A Trojan program can, to one degree or another, imitate (or even completely replace) the task or data file it is disguised as (installation program, application, game, document, picture). In particular, an attacker can rebuild an existing program with Trojan components added to its source code and then pass it off as the original or substitute it for the original.

Similar malicious and camouflage functions are also used by computer viruses, but unlike them, Trojan programs cannot spread on their own. At the same time, a Trojan program can be a virus module.

Etymology

The name “Trojan program” comes from the name “Trojan horse” - a wooden horse, according to legend, given by the ancient Greeks to the inhabitants of Troy, inside which hid warriors who later opened the gates of the city to the conquerors. This name, first of all, reflects the secrecy and potential insidiousness of the true intentions of the program developer.

Spreading

Trojan programs are placed by the attacker on open resources (file servers, writable drives of the computer itself) or storage media, or sent via messaging services (for example, e-mail), in the expectation that they will be launched on a specific target computer, on a computer belonging to a certain circle of users, or on an arbitrary computer.

Sometimes the use of Trojans is only part of a planned multi-stage attack on certain computers, networks or resources (including third parties).

Trojan body types

Trojan program bodies are almost always designed for a variety of malicious purposes, but can also be harmless. They are broken down into categories based on how Trojans infiltrate and cause harm to a system. There are 6 main types:

1. remote access;
2. destruction of data;
3. downloader;
4. server;
5. security program deactivator;
6. DoS attacks.

Goals

The purpose of the Trojan program can be:

* uploading and downloading files;
* copying false links leading to fake websites, chat rooms or other registration sites;
* interfering with the user's work (as a joke or to achieve other goals);
* theft of valuable or secret data, including authentication information for unauthorized access to resources (including third-party systems), phishing for bank account details that can be used for criminal purposes, and cryptographic information (for encryption and digital signatures);
* file encryption in a crypto-virus (ransomware) attack;
* distribution of other malicious programs such as viruses (this type of Trojan is called a Dropper);
* vandalism: destruction of data (erasing or overwriting data on a disk, hard-to-see damage to files) and of equipment, disabling or denial of service of computer systems, networks and so on, including as part of a botnet (an organized group of zombie computers), for example to organize a DoS attack on a target computer (or server) simultaneously from many infected computers, or to send spam. For this purpose, hybrids of a Trojan horse and a network worm are sometimes used: programs that can spread quickly across computer networks and capture infected computers into a zombie network;
* collecting email addresses and using them to send spam;
* direct computer control (allowing remote access to the victim computer);
* spying on the user and secretly communicating information to third parties, such as, for example, website visiting habits;
* recording keystrokes (keylogger) in order to steal information such as passwords and credit card numbers;
* obtaining unauthorized (and/or free) access to the resources of the computer itself or third resources accessible through it;
* Backdoor installation;
* using a telephone modem to make expensive calls, which entails significant amounts of telephone bills;
* deactivating or interfering with the operation of anti-virus programs and firewalls.

Symptoms of Trojan infection

* new applications appear in the startup registry;
* fake downloads of video programs, games, porn videos and porn sites appear that you did not download or visit;
* screenshots are taken;
* the CD-ROM tray opens and closes;
* sounds and/or images are played, photographs are displayed;
* the computer restarts while an infected program is starting;
* the computer shuts down randomly and/or spontaneously.

Removal methods

Because Trojans come in many types and forms, there is no single method for removing them. The simplest solution is to clean out the Temporary Internet Files folder or to find the malicious file and delete it manually (Safe Mode is recommended). In principle, antivirus programs are capable of detecting and removing Trojans automatically. If the antivirus is unable to find the Trojan, booting the OS from an alternative medium may allow the antivirus program to detect and remove it. It is extremely important to update the antivirus database regularly to ensure better detection accuracy.

Disguise

Many Trojans can sit on a user's computer without the user's knowledge. Sometimes Trojans register themselves in the Registry so that they are launched automatically when Windows starts. Trojans can also be combined with legitimate files: when the user opens such a file or launches such an application, the Trojan is launched as well.
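The autorun symptom described above (a new entry in the startup registry) is easiest to spot by comparing a known-good snapshot of the Run key with a current one. The following Python is an added example, not code from the original article: it parses two constructed `reg query`-style snapshots (hypothetical entries; the `waterfalls.scr` name is the screensaver example from the text) and flags entries that are new or changed, with extra weight for executables living in user-writable folders or registered as screensavers. The directory list and the snapshot format are assumptions for the example.

```python
import re

# Constructed sample of two snapshots of the HKCU ...\Run key in `reg query` style
# (hypothetical entries, not real registry data).
BASELINE = r'''
    OneDrive          REG_SZ          "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ   %windir%\system32\SecurityHealthSystray.exe
'''

CURRENT_SNAPSHOT = r'''
    OneDrive          REG_SZ          "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ   %windir%\system32\SecurityHealthSystray.exe
    waterfalls        REG_SZ          C:\Users\alice\AppData\Local\Temp\waterfalls.scr
    Updater           REG_SZ          "C:\Users\Public\svchost.exe" -silent
'''

# Folders a normal user can write to; an autorun pointing here deserves a look (assumed list).
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\public\\", "\\downloads\\")

# <value name> <REG_type> <data>, with any leading/trailing whitespace
ENTRY_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.+?)\s*$")


def parse_run_entries(text):
    """Return {value name: command} from reg-query style lines."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(3)
    return entries


def executable_path(command):
    """Return the executable part of a Run command: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def new_autoruns(baseline_text, current_text):
    """Compare two snapshots; return (name, path, reasons) for entries that are new or changed."""
    base = parse_run_entries(baseline_text)
    cur = parse_run_entries(current_text)
    findings = []
    for name, cmd in cur.items():
        if base.get(name) == cmd:
            continue  # unchanged since the baseline
        path = executable_path(cmd).lower()
        reasons = ["new entry" if name not in base else "command changed"]
        if any(d in path for d in SUSPICIOUS_DIRS):
            reasons.append("runs from a user-writable directory")
        if path.endswith(".scr"):
            reasons.append("screensaver registered for autorun")
        findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in new_autoruns(BASELINE, CURRENT_SNAPSHOT):
        print(f"{name}: {path} -> {', '.join(reasons)}")
```

Taking the baseline snapshot right after a clean install and re-running the comparison periodically turns the vague symptom "something new appeared in startup" into a concrete list to investigate.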

How the Trojan works

Trojans usually consist of two parts: a client and a server. The server runs on the victim machine and waits for connections from the client used by the attacker: while it is running, it monitors one or more ports for an incoming connection. To connect to the server, the attacker must know the IP address of the machine on which it is running, so some Trojans send the victim machine's IP address to the attacker by e-mail or other means. Once a connection to the server has been made, the client can send it commands, which the server executes on the victim machine. Today, because of NAT, most computers cannot be reached through their external IP address, so many Trojans instead connect out to the attacker's computer, which is set up to accept connections, rather than having the attacker connect to the victim. Many modern Trojans can also easily bypass firewalls on the victim's computer.


Today on the World Wide Web there are so many pitfalls in the form of viruses that you cannot even count them. Naturally, all threats are classified by their method of penetrating the system, the harm they cause and the methods for removing them. Unfortunately, one of the most dangerous is the Trojan virus (or Trojan). We will try to consider what this threat is and, finally, figure out how to safely remove it from a computer or mobile device.

"Trojan" - what is it?

Trojan viruses are a self-copying type of malware, with their own executable code or embedded in other applications, which pose a fairly serious threat to any computer or mobile system.

For the most part, Windows and Android systems are the most affected. Until recently it was believed that such viruses did not affect UNIX-like operating systems; however, just a few weeks ago Apple mobile devices were also attacked by the virus. The Trojan is considered a threat, and we will now look at what this virus is.

Analogy with history

The comparison with historical events is not accidental. Before we go into the details, let us turn to Homer's immortal work “The Iliad,” which describes the capture of rebellious Troy. As is known, it was impossible to enter the city in the usual way or take it by storm, so it was decided to give the residents a huge horse as a sign of reconciliation.

As it turned out, there were soldiers inside it, who opened the city gates, after which Troy fell. The Trojan program behaves in exactly the same way. The saddest thing is that such viruses do not spread spontaneously, like some other threats, but purposefully.

How does the threat enter the system?

The most common way to penetrate a computer or mobile system is to disguise itself as some attractive, or even standard, program for the user. In some cases, a virus may embed its own code into existing applications (most often system services or user programs).

Finally, malicious code can enter computers and networks in the form of graphic images or even HTML documents - either arriving as email attachments or copied from removable media.

Even so, if the code is embedded in a standard application, the application can still partially perform its functions, while the virus itself is activated when the corresponding service is launched. It is worse when the service is in the startup list and starts together with the system.

Consequences of exposure

As for the impact of the virus, it may partially cause system crashes or interrupt Internet access, but this is not its main goal. The main task of a Trojan is to steal confidential data so that third parties can use it.

This includes PIN codes for bank cards, logins and passwords for certain Internet resources, and state registration data (identification numbers, personal identification numbers, etc.): in general, everything that, in the opinion of the owner of the computer or mobile device, is not subject to disclosure (provided, of course, that such data is stored there).

Unfortunately, when such information is stolen, it is impossible to predict how it will be used. On the other hand, you should not be surprised if one day a bank calls to say you have a loan debt, or all the money disappears from your bank card. And that is only the beginning.

How to remove a Trojan on Windows

Now let us move on to the most important thing: how to remove a Trojan. This is not as easy as some naive users believe. Of course, in some cases it is possible to find and neutralize the body of the virus, but since, as mentioned above, it is capable of creating copies of itself, and not just one or two, finding and removing them can become a real headache. At the same time, neither a firewall nor standard antivirus protection will help if the virus has already been missed and has infiltrated the system.

In this case, it is recommended to remove the Trojan using portable antivirus utilities and, if the Trojan has taken hold in RAM, using special programs loaded before the operating system starts, from an optical disc or a USB device.

Among portable applications, products such as Dr.Web CureIt! and Kaspersky Virus Removal Tool are worth noting. Of the bootable disk programs, Kaspersky Rescue Disk is the most functional. It goes without saying that using these particular tools is not a dogma; today you can find any amount of such software.

How to remove a Trojan from Android

With Android systems things are not so simple, as portable applications have not been created for them. In principle, as an option, you can try connecting the device to a computer and scanning its internal and external memory with a desktop utility. But, looking at the other side of the coin, where is the guarantee that the virus will not penetrate the computer when the device is connected?

In such a situation, the problem of how to remove a Trojan from Android can be solved by installing suitable software, for example from Google Market. Of course, there is so much on offer that you are simply at a loss as to what exactly to choose.

But most experts in the field of data protection are inclined to think that the best application is 360 Security, which is capable not only of identifying threats of almost all known types but also of providing comprehensive protection for the mobile device in the future. It goes without saying that it will constantly stay resident in RAM, creating an additional load, but, you will agree, security is more important.

What else is worth paying attention to

So we have dealt with the topic “Trojan: what is this type of virus?” Separately, I would like to draw the attention of users of all systems, without exception, to a few more points. First of all, before opening e-mail attachments, always scan them with an antivirus. When installing programs, carefully read the offers to install additional components such as add-ons or browser toolbars (the virus can be disguised there too). Do not visit dubious sites if you see an antivirus warning. Do not use the simplest free antiviruses (it is better to install a package such as Eset Smart Security and activate it using free keys every 30 days). Finally, store passwords, PIN codes, bank card numbers and everything else in encrypted form exclusively on removable media. Only in this case can you be at least partially confident that they will not be stolen or, even worse, used for malicious purposes.

I think we should start with the name and answer the question: “Why was this creation called a Trojan program (Trojan)?” The origins of this name lie in the legendary battle during which a wooden horse, the “Trojan horse,” was built. The principle of operation of this horse was “cunning harmlessness”: having pretended to be a gift and found itself inside the very fortress of the enemy, the warriors sitting inside the horse opened the gates of Troy, allowing the main army to break into the fortress.

The situation is exactly the same in the modern digital world with a Trojan program. Let me note immediately that a “Trojan” cannot be classified as a virus, since it does not self-propagate and the essence of its action is slightly different. It is spread by people, not independently, as ordinary viruses do. Trojans are usually classified as malicious software.

So the operating principle of a Trojan horse (Trojan) is the same: it can open the gates of your computer to a fraudster, for example to steal valuable passwords or to gain unauthorized access to your data. Very often, computers infected with Trojans take part, without the user's permission, in large-scale DDoS attacks on websites. That is, an innocent user calmly surfs the Internet while, at the same time, his computer dispassionately “crashes” some government website with an endless stream of requests.

Often Trojans disguise themselves as completely harmless programs, simply copying their icons. There are also cases where the code of a Trojan program is embedded in ordinary, useful software that performs its functions correctly, while the Trojan carries out its malicious actions from underneath it.

Infections with winlocks (Trojan.Winlock) have become very common these days. They display a screen with text like: “To unlock your operating system, send an SMS to number xxxx, otherwise your data will be transferred to the security service.” There were a lot of users who sent this message (more than once), and the scammers, in turn, received almost millions from a huge number of deceived people.


As you can see, the use of Trojan programs is designed to obtain a certain benefit, in contrast to ordinary viruses, which simply cause harm by deleting files and disabling the system. We can conclude that this malicious software is more intelligent and subtle in its operation and results.

How to deal with Trojans?

To combat Trojans, you must have an antivirus with constantly updated detection databases. But here another problem arises: precisely because of their secrecy, information about Trojans reaches antivirus developers later and in poorer quality. Therefore, it is also advisable to have a separate firewall (for example, Comodo Firewall), which, even if the antivirus misses the Trojan, will certainly not allow uncontrolled transfer of data from your computer to scammers.

Certain categories of Trojan programs cause damage to remote computers and networks without disrupting the operation of the infected computer (for example, Trojan programs designed for distributed DoS attacks on remote network resources). Trojans are distinguished by the absence of a mechanism for creating their own copies.

Some Trojans are capable of overcoming the protection of a computer system autonomously in order to penetrate and infect it. In general, though, a Trojan enters a system together with a virus or worm, as a result of careless user actions, or through the active actions of an attacker.

Most Trojan programs are designed to collect confidential information. Their task, most often, is to perform actions that allow access to data that is not subject to wide publicity. Such data includes user passwords, program registration numbers, bank account information, etc. Other Trojans are created to cause direct damage to a computer system, rendering it inoperable.

Types of Trojans

The most common types of Trojans are:

  • Keyloggers (Trojan-SPY) - Trojans that are permanently in memory and save all data coming from the keyboard, in order to later transfer this data to an attacker. Typically, this is how an attacker tries to find out passwords or other confidential information.
  • Password thieves (Trojan-PSW) - Trojans also designed to obtain passwords, but without tracking the keyboard. Typically, such Trojans implement methods for extracting passwords from the files in which various applications store them.
  • Remote control utilities (Backdoor) - Trojans that provide complete remote control over the user's computer. There are legitimate utilities with the same properties, but they differ in that they state their purpose during installation or come with documentation describing their functions. Trojan remote control utilities, on the contrary, do not reveal their real purpose in any way, so the user does not even suspect that his computer is under the control of an attacker. The most popular remote control utility is Back Orifice.
  • Anonymous SMTP servers and proxies (Trojan-Proxy) - Trojans that perform the functions of mail servers or proxies and are used, in the first case, for spam mailings and, in the second, by hackers to cover their tracks.
  • Browser settings modifiers (Trojan-Clicker) - Trojans that change the browser start page, search page or other settings to organize unauthorized access to Internet resources.
  • Installers of other malicious programs (Trojan-Dropper) - Trojans that allow an attacker to covertly install other programs.
  • Downloaders (Trojan-Downloader) - Trojans designed to download new versions of malware or adware onto the victim computer.
  • Successful attack notifiers (Trojan-Notifier) - Trojans of this type are designed to inform their “master” about an infected computer.
  • “Bombs” in archives (ARCBomb) - Trojans in the form of archives specially crafted so as to cause abnormal behaviour of archivers when data is unpacked: freezing or significantly slowing down the computer, or filling the disk with a large amount of “empty” data.
  • Logic bombs - often not so much Trojans as Trojan components of worms and viruses, whose essence is to perform a certain action under certain conditions (date, time of day, user actions, an external command): for example, data destruction.
  • Dialers - a relatively new type of Trojan: utilities for dial-up Internet access through paid services. Such Trojans register themselves in the system as the default dialer and lead to large bills for Internet use.
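The ARCBomb entry in the list above is the one type here that a defender can screen for mechanically before any damage is done: an archive that declares far more data than it occupies on disk, or that expands past a sane limit, should never be handed to an unpacker. The following Python is an added example, not code from the original article or from any archiver: it builds a constructed in-memory zip (10 MiB of zeros, which deflate shrinks to a few kilobytes) and checks the central directory against two assumed policy limits before extraction. Because those declared sizes live in headers that a crafted archive can falsify, a second function unpacks one member in chunks and aborts at a hard byte cap.

```python
import io
import zipfile

# Policy limits for this example (assumed values, tune for the deployment).
MAX_TOTAL_UNCOMPRESSED = 100 * 1024 * 1024   # refuse archives declaring more than 100 MiB in total
MAX_RATIO = 100.0                            # refuse members compressed more than 100:1


def build_sample_zip(payload, name="data.bin"):
    """Constructed test input: an in-memory zip holding one member with the given bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def inspect_archive(data):
    """Check the central directory before unpacking anything.

    Returns (ok, findings); each finding is (member, declared_size, stored_size, ratio, reason).
    """
    findings = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                findings.append((info.filename, info.file_size, info.compress_size, ratio,
                                 "compression ratio too high"))
    if total > MAX_TOTAL_UNCOMPRESSED:
        findings.append(("<archive>", total, len(data), total / max(len(data), 1),
                         "declared total size exceeds limit"))
    return (not findings, findings)


def extract_member_capped(data, name, cap):
    """Unpack one member in chunks and stop at `cap` bytes, regardless of what the
    headers claim; this is the safety net for forged size fields."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as member:
        while True:
            chunk = member.read(64 * 1024)
            if not chunk:
                break
            out.write(chunk)
            if out.tell() > cap:
                raise ValueError(f"{name}: exceeded {cap} bytes while unpacking; aborting")
    return out.getvalue()


if __name__ == "__main__":
    bomb = build_sample_zip(b"\0" * (10 * 1024 * 1024))   # tiny on disk, huge when unpacked
    ok, findings = inspect_archive(bomb)
    print("archive accepted" if ok else f"archive rejected: {findings}")
```

The same two-stage idea (reject on declared metadata, then enforce a cap while streaming) applies to any container format; the zip module is used here only because the standard library ships it.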

How Trojans work

All Trojan horses have two parts: a client and a server. The client controls the server part of the program over TCP/IP. The client may have a graphical interface and contains a set of commands for remote administration.

The server part of the program is installed on the victim's computer and has no graphical interface. It is designed to process (execute) commands from the client part and transfer the requested data to the attacker. After entering the system and seizing control, the server part of the Trojan listens on a specific port, periodically checking the Internet connection, and if the connection is active it waits for commands from the client part. The attacker, using the client, pings a specific port of the infected host (the victim's computer). If the server part has been installed, it responds to the ping with a confirmation that it is ready to work, and upon confirmation the server part tells the attacker the IP address and network name of the computer, after which the connection is considered established. Once a connection to the server has been made, the client can send it commands, which the server executes on the victim machine. Many Trojans also connect out to the attacker's computer, which is set up to accept connections, instead of the attacker trying to connect to the victim.
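Both descriptions of the client/server model on this page (the earlier "How the Trojan works" section and the paragraph above) come down to two observable traces on the victim host: an unexpected process listening on a port, or an unexpected process holding an outbound connection to the Internet (the reverse-connect variant that NAT made common). The Python below is an added detection example, not code from the original article: it parses constructed `netstat -ano`-style rows with a process-name column appended (hypothetical PIDs; the remote addresses are from documentation ranges) and applies two assumed allowlists, one of expected listeners and one of processes allowed to talk to the Internet. A process that fails both checks at once is reported separately, since that is exactly the server-plus-callback behaviour the text describes.

```python
import ipaddress

# Constructed sample in `netstat -ano` layout with a process-name column appended
# (hypothetical hosts and PIDs; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE = """\
TCP    0.0.0.0:445           0.0.0.0:0             LISTENING     4      System
TCP    0.0.0.0:31337         0.0.0.0:0             LISTENING     4412   waterfalls.scr
TCP    192.168.1.20:52110    198.51.100.10:443     ESTABLISHED   3210   firefox.exe
TCP    192.168.1.20:52111    203.0.113.7:8080      ESTABLISHED   4412   waterfalls.scr
TCP    192.168.1.20:52112    192.168.1.5:445       ESTABLISHED   4      System
UDP    0.0.0.0:5353          *:*                                 5120   mdns.exe
"""

# Allowlists an administrator would maintain for this host (assumed values).
LISTENER_ALLOW = {445: "System", 5353: "mdns.exe"}
OUTBOUND_ALLOW = {"firefox.exe", "chrome.exe", "msedge.exe", "svchost.exe"}

# Ranges that do not count as "the Internet" when looking for call-outs (IPv4 only).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def parse_line(line):
    parts = line.split()
    if len(parts) == 6:
        proto, local, remote, state, pid, proc = parts
    elif len(parts) == 5:           # UDP rows carry no state column
        proto, local, remote, pid, proc = parts
        state = ""
    else:
        return None
    lhost, lport = local.rsplit(":", 1)
    rhost, rport = remote.rsplit(":", 1)
    return {"proto": proto, "lhost": lhost, "lport": lport, "rhost": rhost,
            "rport": rport, "state": state, "pid": int(pid), "proc": proc}


def is_external(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:              # "*" or a hostname
        return False
    return not any(ip in net for net in LOCAL_NETS)


def find_suspicious(text, listener_allow=LISTENER_ALLOW, outbound_allow=OUTBOUND_ALLOW):
    """Return (pid, process, reason) tuples for sockets that match Trojan server behaviour."""
    conns = [c for c in map(parse_line, text.splitlines()) if c]
    findings = []
    for c in conns:
        if c["proto"] == "TCP" and c["state"] == "LISTENING":
            # Bind-style server: listening on a port nobody registered for this process.
            if listener_allow.get(int(c["lport"])) != c["proc"]:
                findings.append((c["pid"], c["proc"], f"unexpected listener on port {c['lport']}"))
        elif c["state"] == "ESTABLISHED" and is_external(c["rhost"]) and c["proc"] not in outbound_allow:
            # Reverse-connect style: a non-allowlisted process talking to the Internet.
            findings.append((c["pid"], c["proc"],
                             f"outbound connection to {c['rhost']}:{c['rport']} from non-allowlisted process"))
    listening = {pid for pid, _, r in findings if r.startswith("unexpected listener")}
    calling_out = {pid for pid, _, r in findings if r.startswith("outbound")}
    for pid in listening & calling_out:
        proc = next(c["proc"] for c in conns if c["pid"] == pid)
        findings.append((pid, proc, "same process both listens and calls out to the Internet"))
    return findings


if __name__ == "__main__":
    for pid, proc, reason in find_suspicious(SAMPLE):
        print(f"PID {pid} ({proc}): {reason}")
```

The allowlists are the whole value of this check: on a managed host the set of legitimate listeners and Internet-facing processes is small and stable, so anything outside it is worth a look even before the process name is known to be bad.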

Known Trojans

2019

About 90% of infection attempts with the banking Trojans Buhtrap and RTM occurred in Russia.

This Trojan, Speakup, had not yet been detected by the antivirus software of any security vendor. It was spread through a series of exploits driven by commands from its command-and-control server, including the eighth most exploited vulnerability in the ranking: command injection in HTTP headers. Check Point researchers consider Speakup a serious threat because it can be used to download and distribute any malware.

In January, the first four places in the ranking of the most active malware were occupied by cryptominers. Coinhive remained the top malware, attacking 12% of organizations worldwide. XMRig was again the second most common malware (8%), followed by the cryptominer Cryptoloot (6%). Although the January report featured four cryptominers, half of the malware forms in the top ten could be used to download additional malware onto infected machines.

January saw little change in the forms of malware targeting organizations around the world, but we are finding new ways in which malware is spreading. Threats like these are a serious warning of threats to come. Backdoors like Speakup can evade detection and then spread potentially dangerous malware to infected machines. Since Linux is widely used on enterprise servers, we expect Speakup to become a threat to many companies, one that will grow in scope and severity throughout the year. In addition, for the second month in a row, BadRabbit was among the three most active malware families in Russia. So attackers are using every possible vulnerability to make a profit.

The most active malware of January 2019:

(The arrows show the change in position compared to the previous month.)

  • ↔ Coinhive (12%) - a cryptominer designed for online mining of the Monero cryptocurrency, without the user's knowledge, when the user visits a web page. The embedded JavaScript uses a large amount of computing resources on end users' computers for mining and may cause system crashes.
  • ↔ XMRig (8%) - open-source software first discovered in May 2017, used for mining the Monero cryptocurrency.
  • Cryptoloot (6%) - a cryptominer that uses the victim's CPU or video card power and other resources to mine cryptocurrency; the malware adds transactions to the blockchain and issues new currency.

HeroRat is a RAT (Remote Administration Tool) Trojan for remote control of compromised devices. Its authors offer it for rent under the Malware-as-a-Service model. Three configurations are available (bronze, silver and gold), which differ in their set of functions and price: $25, $50 and $100 respectively. The source code of the malware sells for $650. A video technical support channel is provided.

HeroRat looks for victims through unofficial Android application stores, social networks and instant messengers. Attackers disguise the Trojan as applications promising free bitcoins, free mobile Internet, or more subscribers on social networks. This threat has not been found on Google Play. Most infections have been recorded in Iran.

When the user installs and runs the malicious application, a pop-up window appears on the screen informing the user that the program cannot run on the device and will be removed. ESET observed samples with messages in English and Persian (depending on the language settings). After the fake “uninstallation,” the application icon disappears and the Trojan continues to work, hidden from the user.

HeroRat operators control infected devices via Telegram using a bot. The Trojan allows you to intercept and send messages, steal contacts, make calls, record audio, take screenshots, determine the location of the device and change settings. To control functions, interactive buttons are provided in the Telegram bot interface - the user receives a set of tools in accordance with the selected configuration.

Command transmission and data theft from infected devices are implemented within the Telegram protocol; this measure helps the Trojan evade detection.

ESET antivirus products detect this threat as Android/Spy.Agent.AMS and Android/Agent.AQO.

Microsoft Security Intelligence Report

How to distinguish fake apps from genuine ones

  1. Official applications are distributed only through Google Play; download links are published on the banks' own websites. If the apps are hosted somewhere else, they are most likely fake.
  2. Pay particular attention to the domain names from which you are offered the application. Attackers often use domains whose names are similar to the official ones but differ by one or two characters, or they use second-level and lower-level domains.
  3. Smartphones are equipped with protection against the most common threats, and if a smartphone displays a message that a particular application is dangerous, you should never install it. If you discover fake banking applications, it is strongly recommended that you notify the bank's security service; by doing so, users will save themselves and others a lot of trouble.
  4. If you notice anything suspicious on the site from which you are offered the application, immediately report it to the bank's security service or to the bank's official group on social networks, attaching a screenshot.
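Point 2 above, a domain that differs from the official one by a character or two or that hides the official name under another domain, is a check that can be automated for a list of links before they reach users. The Python below is an added example, not code from the original article or from any bank: it takes an assumed placeholder list of official domains (`examplebank.com`, constructed for the example), normalizes a download URL, and classifies its host as official, a lookalike built from the official name as a subdomain label, a typo-distance lookalike (edit distance of one or two on the registrable domain), or unrelated. The registrable-domain helper is deliberately naive (last two labels) and is marked as such.

```python
from urllib.parse import urlparse

# Constructed placeholder for a bank's real domains (not a real institution).
OFFICIAL_DOMAINS = {"examplebank.com"}


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive registrable domain: the last two labels. Assumes a single-label public
    suffix; production code should consult the Public Suffix List instead."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_download_url(url, official=OFFICIAL_DOMAINS):
    """Return (verdict, matched_official_domain)."""
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    for off in official:
        if host == off or host.endswith("." + off):
            return "official", off
    reg = registrable_domain(host)
    for off in official:
        # Official name used as labels inside someone else's domain,
        # e.g. examplebank.com.secure-login.net
        if "." + off + "." in "." + host + ".":
            return "lookalike-subdomain", off
        # Registrable domain within one or two edits of the official one,
        # e.g. examp1ebank.com or exampIebank.com (capital i for l)
        if 0 < levenshtein(reg, off) <= 2:
            return "lookalike-typo", off
    return "unrelated", None


if __name__ == "__main__":
    for link in ("https://online.examplebank.com/login",
                 "https://examplebank.com.secure-login.net/app.apk",
                 "http://examp1ebank.com/app.apk"):
        print(link, "->", classify_download_url(link))
```

Lowercasing the host before comparison matters: a capital I in place of a lowercase l is visually convincing but collapses to a one-character difference once normalized, which is what the edit-distance rule catches.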

A ransomware Trojan paralyzed the work of an entire city in the USA

Licking County, Ohio, was forced to shut down its servers and telephone systems in February to stop the spread of a ransomware Trojan.

It became known that more than a thousand computers in the United States, belonging to the networks of one county administration, were infected. All systems were shut down to block further spread of the malware, prevent data loss and preserve evidence for the investigation.

All reception and administrative offices are open, but dealing with them is only possible in person.

Administration officials do not disclose the amount of the required ransom; they also refuse to comment on the likelihood of payment. According to Licking County Commissioner Tim Bubb, consultations are underway with cybersecurity experts and law enforcement agencies.

Manual mode

The shutdown of telephone lines and network communications means that all county services that rely on information technology have switched to “manual mode.” This even applies to the 911 dispatch center: the phones and radios of the emergency services work, but there is no access to computers. Police, fire and ambulance calls are still being accepted, but as the center's director, Sean Grady, put it, the service has been set back a quarter of a century in terms of call processing speed.

And deprive the college of the opportunity to regain access to the data.

It immediately became clear that it was impossible to restore the data from backup copies. After a meeting with the security experts involved, the college administration concluded that it had no other option but to pay the required amount.

$28,000 is the largest ransom that has become publicly known. According to some reports, larger payments also occur, but the victims, usually large organizations, prefer not to publicize them. In 2016 the average “rate” demanded by cyber-extortionists was $679; a year earlier it was $294.

The more than two-fold increase appears to be due to an increased number of incidents that resulted in ransom payments, and in amounts significantly higher than the “average rate.” In February 2016, Hollywood Presbyterian Medical Center paid a ransom of $17,000 following a ransomware attack.

“This is a very bad precedent: an official structure follows the lead of criminals, pays a ransom and, in addition, reports it publicly. Now the rates will continue to rise,” says Dmitry Gvozdev, CEO of the Security Monitor company. “If organizations are ready to pay five-digit sums, then the demands will also increase. The only effective way to counteract ransomware is regular ‘cold’ backup of data, proper configuration of access to it during work, and close cooperation with law enforcement agencies.”

