Trojan Detection and Avoidance

by Elizabeth Rankin

Security threats are an ever-evolving issue for the proper administration of computers and computer networks.

Among these threats, one of the most common is known as the Trojan virus.

This piece of malicious software, otherwise known as malware, disguises itself as a useful program that tricks the user into downloading and running it.  Its insidiousness stems from its use of the most vulnerable part of any network: the human component.

Fortunately, through proper planning and training, the end users can mitigate the threat of Trojans.  Due to the nature of both Trojans and social engineers, training for one will typically help protect against the other, so it is a good use of resources to train against both.  Trojan viruses can be difficult to tell apart from legitimate software, but basic situational awareness and caution can mitigate the issue to manageable levels.

We are all familiar with Trojan viruses, the insidious pieces of software disguised as something useful, or at least entertaining.

They come packaged in so many different ways that it can be hard to determine what, exactly, is and isn't safe to run.  The move away from selling software in retail stores compounds the problem: software is no longer necessarily vetted by a known and trusted company before it reaches you, as it would be before being sold in a brick-and-mortar store, so it is harder to tell what can and cannot be trusted.

Trojans are often used as a way to remotely access infected machines,[1] which in turn gives the attacker access to networks that are otherwise protected.

Unlike worms, Trojan viruses require an action to be taken by the victim in order to infect their machine.

Typically, this is done through deceptive link labeling or in conjunction with phishing emails.  Because of this, a key way to protect yourself from Trojan viruses is through careful vetting of any files sent to your email.

Not all Trojan viruses are simply disguised as other software or ensconced within a seemingly innocuous file.  Sometimes the software itself is built as the delivery vehicle, so that the Trojan infects the computer and can then spy on, or serve ads to, anyone using the infected machine.

There are a multitude of Trojan viruses out there, with more being created every day.

Defenses against them tend to be added to anti-virus software as they are discovered, but the source code needed to make that happen isn't always available.  In other cases, it is the contentious nature of the label "Trojan virus" itself that keeps a program from being detected as one.

One of the most well-known programs that is considered a Trojan by many, though not actually labeled as such, is BonziBuddy.

This software is generally labeled a "desktop virtual assistant" and is one of the earliest examples of what would eventually become the AI personal assistants Siri and Alexa, created more than a decade ahead of either.[2]

It utilized Microsoft's Office Assistant, a program similar to Clippy, but for Windows as a whole rather than just Microsoft Word.[2]

As it wasn't tied to any one program, it supposedly could act as a virtual assistant in many different ways; however, it wasn't really that useful.

The creators of BonziBuddy, Bonzi Software, faced legal troubles for their use of deceptive ads in 2002.  They had been employing fake "X" buttons on ads that didn't actually close the ad and, as a result of that lawsuit, had to pay over $170,000 in legal fees and clearly label their pop-ups as ads.[2]

Additionally, in 2004 Bonzi Software was fined $75,000 for a violation of COPPA[2] due to its gathering of data from children through a registration procedure that didn't have any sort of warning or preventative measure in place for those under 13 trying to register.

COPPA, or the Children's Online Privacy Protection Act, is an act that many may be more familiar with now, thanks to the uproar that occurred regarding its application to YouTube.  Ultimately, Bonzi Software, in an attempt to monetize its user base, changed BonziBuddy into malware that did a number of things found in malicious software: installing toolbars, resetting your browser's homepage to bonzi.com, and tracking statistics about your Internet usage.  With that, BonziBuddy ceased its useless but benign existence and became a Trojan that infected your computer with adware and tracked your data.

It is not just companies that create Trojan viruses, either.

The U.S. government, and presumably most other governments, develop them as well.

"Magic Lantern" is one known to have been developed by the FBI.  This Trojan installs keylogging software on a suspect's machine.  It is used primarily to capture the encryption keys suspects use, so that any encryption on their computer can be broken quickly and easily, expediting investigations into computer crimes or crimes where incriminating evidence may be stored on a computer.[3]

It was one of a series of tools being developed by the FBI for its Carnivore project.[3]

Using a keylogger in this way is not a new thing for the FBI, though the FBI using a Trojan method was new.  They have physically broken into offices to install keyloggers before, such as in the high-profile Nicodemo Scarfo case.[3]  Utilizing a Trojan just allows them to skip the physical break-in, saving extensive amounts of time and effort for what may be very little gain.

Malicious actors are not just targeting laptop and desktop computers.

Mobile devices are also at risk, as seen with the Shedun adware Trojan.  Shedun is from a particularly prolific family of adware Trojans that had been found in more than 20,000 Android applications, so the likelihood of getting this virus is rather high without proper precautions.[4]

On an infected device, it would gain root access by asking for permissions, then take advantage of accessibility services to read the ads it caused to pop up, scroll to the installation button, and press it automatically to install the third-party software.

Doing this allowed the creators of apps bundled with Shedun to generate more revenue by getting users to download apps from the advertisements.  This malicious practice is ultimately more annoying than destructive; however, the same techniques could be used to make a far more destructive Trojan if properly implemented.

Cybersecurity developers also often develop viruses for experimentation and education purposes.

One such case is MEMZ.  This Trojan was made for the YouTube series "Viewer Made Malware" by danooct1.[5]

This Trojan was created for educational purposes, and a video shows all of the actions it takes.  Its infection is very obvious and extremely annoying to deal with, if one were actually infected by it.  Fortunately, it is very obviously a Trojan, and anyone who wishes to read the source code to find out its effects, rather than purposely infecting a virtual machine or partition with it, can simply go to the GitHub repository cited in this article.[5]

The source code is in Python and is well documented.[5]

There are a few different ways that Trojans will infect a user's machine.

The most common is through phishing emails with file attachments.[1]

This method is popular due to its simplicity and the number of complacent individuals who will not double-check that emails are actually from who they say they are.[1]
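As an added illustration of the double-checking described above (example code, not from the original article), the following Python script applies three checks to a raw email: whether the envelope sender matches the visible From domain, whether any SPF or DKIM pass actually covers that From domain, and whether an attachment's final extension is executable. The sample message, the lookalike domains and the extension list are constructed for the example.

```python
import email, re
from email import policy
from email.utils import parseaddr

# Attachment suffixes that run as programs on a typical Windows desktop (illustrative list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".ps1", ".jar"}

def _domain(addr) -> str:
    """Lower-cased domain of an address header value ('' if absent)."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def _aligned_pass(auth: str, from_dom: str) -> bool:
    """True if SPF or DKIM passed for the visible From domain (or a subdomain of it)."""
    for m in re.finditer(r"(?:dkim|spf)=pass[^;]*?(?:header\.d|smtp\.mailfrom)=([^\s;]+)", auth):
        dom = m.group(1).rpartition("@")[2].lower()
        if dom == from_dom or dom.endswith("." + from_dom):
            return True
    return False

def vet_email(raw: bytes) -> list:
    """Return warnings for a raw RFC 5322 message; an empty list means no red flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = _domain(msg.get("From", ""))
    ret_dom = _domain(msg.get("Return-Path", ""))
    warnings = []
    if ret_dom and ret_dom != from_dom:
        warnings.append(f"envelope sender {ret_dom} differs from From domain {from_dom}")
    # An SPF pass for some other domain proves nothing about the From line the reader sees.
    if not _aligned_pass(str(msg.get("Authentication-Results", "")), from_dom):
        warnings.append(f"no SPF or DKIM pass aligned with {from_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXECUTABLE_EXTS:  # last suffix wins, so 'invoice.pdf.exe' is caught
            warnings.append(f"executable attachment {name}")
    return warnings

# Constructed sample: a lookalike sending domain and a double-extension attachment.
SAMPLE = b"""\
Return-Path: <bounce@mail-deliver.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail-deliver.example.net; dkim=none
From: "Accounts Payable" <ap@trusted-vendor.example.com>
Subject: Invoice 4471
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="invoice_4471.pdf.exe"

placeholder bytes, not a real program
--b1--
"""
```

Running `vet_email(SAMPLE)` on the constructed message yields three warnings; replacing the lookalike domain with the From domain leaves only the attachment warning.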

Another popular method is downloads from seemingly innocuous sites that either present a number of buttons labeled "download," only one of which is for the actual software, or offer a software bundle that seems legitimate but can have the virus embedded in it.

Mobile devices can be infected in those ways as well, but have the additional threat of text messages containing a viral payload.[6]

A more obscure way to deliver a Trojan, though one that is easy for even IT specialists to fall for, is through USB delivery.

This method only requires that the victim plug an infected USB drive into their computer for the payload to be delivered.[7]  This method preys upon the natural curiosity that is so common among people that it makes them easy marks.[7]

Fortunately, this one is rather easy to avoid by simply not plugging any unknown USB drives into a computer.

Even if someone falls prey to their curiosity, though, they can still satiate it through the use of hard drive partitions or virtual machines to prevent any irreversible damage or loss of data.

Trojan viruses are a concealed threat that you may never even realize that you have been infected with, but with proper precautions and good vetting, you can avoid infections and save a lot of time and heartache that they can so easily cause.

References

  1. The Editors of Encyclopaedia Britannica, "Trojan," Encyclopaedia Britannica, 06-Jul-2018.
  2. E. Ravenscraft, "A Brief History of BonziBuddy, the Internet's Most Friendly Malware," How, 14-Aug-2017.
  3. B. Sullivan, "FBI Software Cracks Encryption Wall," NBCNews.com, 03-Dec-2003.
  4. E. Kovacs, "Android Adware Abuses Accessibility Service to Install Apps," SecurityWeek, 20-Nov-2015.
  5. Leurak, "Leurak/MEMZ," GitHub, 20-May-2018.
  6. K. Hamandi, A. Chehab, I. H. Elhajj, and A. Kayssi, "Android SMS Malware: Vulnerability and Mitigation," 2013 27th International Conference on Advanced Information Networking and Applications Workshops, Barcelona, 2013, pp. 1004-1009.
  7. Mathero11, "Destroying a PC with a Trojan Horse Virus DRY.exe," YouTube, 19-Jan-2016.