Trojan Horse Attack Analysis Computer Science Essay


This essay has been submitted by a student.

Trojan Horses, like their namesake from Greek legend [1], are seemingly innocuous pieces of software with malicious code hidden inside. Conversely, a Trojan Horse can be described as malware presented to look like innocent software.

Some commentators consider the first example of a "classic Trojan Horse attack" [2] to have occurred in 1975, when UNIVAC programmer John Walker released a combination of programs called ANIMAL and PERVADE on his workplace's network. ANIMAL was a game, a version of 20 Questions in which the program tried to guess what kind of animal the user was thinking of. PERVADE was a hidden piece of code designed to distribute ANIMAL to Walker's workmates by automatically copying the game into every directory on the user's machine (including the tape drive), so that the program eventually spread across the entire corporate network. Whilst ANIMAL and PERVADE were largely innocuous, Walker's experiment raised the question of what could have happened had a malicious author exploited the UNIVAC operating system in the same way [2].

In the 1980s computer hackers began to design the first sophisticated, malicious Trojan Horses. In a climate where conventional computer viruses had existed for several years, Trojan Horses may have represented the next phase in malware: programs designed to perform nefarious actions that were largely hidden from the unsuspecting victim. In this way Trojan Horses differed from the viruses of old, which typically had a single function (to cripple the victim's computer) and usually performed it in an obvious manner. Trojan Horses, on the other hand, proved to be considerably more insidious [3].

After ANIMAL and PERVADE, the next reference to a sophisticated Trojan Horse attack comes from the final years of the Cold War. In his memoir, former Secretary of the US Air Force Thomas C. Reed stated that the United States used a Trojan Horse to sabotage the Soviet Trans-Siberian gas pipeline in 1982 [4]. According to Reed, after discovering Soviet plans to steal pipeline control software being developed by the US, the US planted a Trojan Horse in the software before allowing it to be stolen. The Trojan Horse lay dormant for a predetermined period, then activated and caused the pipeline's control systems "to go haywire" [4], resulting in an explosion equivalent to a three-kiloton nuclear weapon and damage that took over a year to repair [4]. Reed's account rests on his own testimony; it has been disputed and has not been independently corroborated.

The 1990s saw the emergence of Trojan Horses as a threat to the common PC user. With the internet more accessible than ever before, there were greater opportunities and incentives for hackers to develop new ways to perpetrate remote attacks against targeted users. Back Orifice, developed by the hacker collective "Cult of the Dead Cow", was perhaps the most famous Trojan Horse of this period. The intent was to release a highly functional, multi-purpose malware tool as an indictment of the security flaws present in Microsoft Windows 95 [5]. The Cult of the Dead Cow not only succeeded in publicly exposing Windows security flaws, it also succeeded in creating an easily distributable Trojan Horse that opened a victim's PC to a range of attacks, including key logging, screen capture and file theft [6].

In the present day there has been a shift in the motivations behind the development and deployment of Trojan Horses. During the 1990s, these activities were typically confined to hobbyists or low-level hackers operating out of their bedrooms, and their motivation was generally notoriety rather than criminal gain. Today the motivations appear more sinister: security researchers increasingly believe that the hackers of today are often "white-collar criminals" or "criminals in foreign countries" seeking to leverage stolen information for profit [7]. This belief is supported by research from the Internet Fraud Complaint Centre, which indicates that present-day malware attacks are more likely to be used in the commission of crimes such as identity theft, credit card fraud or online retail scams [8].

Features of a Trojan Horse Attack

Every Trojan Horse is different. Whilst there is no definitive list of features found in every Trojan, there are certainly common threads and functions. Famous Trojans such as Back Orifice, NetBus or Sub7 share a similar list of features, including the ability to:

"Execute any application on the target machine.

Log keystrokes from the target machine.

Restart the target machine.

Lockup the target machine.

View the contents of any file on the target machine.

Transfer files to and from the target machine" [9]

The above features, shared by many Trojan Horses, mean that interaction between the hacker and the Trojan Horse is usually required for the Trojan to become a significant threat. Not only must the hacker usually get the Trojan Horse onto the victim's PC in the first place, the hacker must also connect to it with client software to make use of its features, such as downloading specific files from the victim's PC; this can only happen when the hacker's and the victim's PCs are both switched on and connected to the internet at the same time [10].

Needless to say, careful programming is a vital feature of any sophisticated Trojan Horse. The more insidious Trojan Horses embed themselves in the system's startup registry entries and evade detection by hiding from process listings (such as Windows Task Manager). These characteristics, and others, are explored further below.

Common Types of Trojan Horses

Whilst the previous section describes the features of multi-purpose Trojan Horses, there are other specific varieties of Trojan horse which have been identified:

Remote control Trojans

These are the most widely used and most popular Trojans. Attackers use them to take complete control of the victim's computer. Remote control Trojans are usually combined with other kinds of Trojan, giving them many functions, such as recording keystrokes, uploading and downloading files and modifying the registry.

Password sending Trojans

These find stored passwords and send them to the attacker's email address. Some people store their passwords in a document because they find it convenient; others rely on the password-remembering feature that Windows itself provides, so that they need not enter a password every time. Password sending Trojans locate such files and send them back to the attacker.

Key loggers

Very simple Trojans that record the victim's keystrokes and search the resulting log files for passwords or other sensitive data. Most have both online and offline recording modes. When they find useful information they send it to the attacker automatically. [1]

Destructive Trojans

The only function of these Trojans is to automatically destroy or delete files on the victim's computer, such as DLL, INI and EXE files.

DoS (Denial of service) attack Trojans

An attacker infects a victim's computer with such a Trojan, and the computer becomes an obedient assistant in the attacker's DoS attacks. Once the attacker controls many such infected computers, he can use them together against a single target, which can do a great deal of damage to a network.

Software detection killers

These Trojans disable the popular anti-virus and firewall software that protects the victim's computer. Once that software is disabled, it is much easier for other Trojans to attack the machine. [2]

Proxy Trojans

It is very important for hackers to conceal their identities, so these Trojans turn the infected computer into a springboard (a proxy) between the hacker and the eventual victim.

FTP Trojans

These are the oldest and simplest Trojans. Their only function is to open a port (traditionally TCP 21, the FTP port) and wait for the attacker to connect.

Technical Analysis: Structure of Trojan Horses

Typically, Trojan Horses are structured to rely on elements of hardware, software and connectivity.

1. Hardware:

First, the hacker must have a working PC or mobile device, and the victim must likewise be using a PC or mobile device to be vulnerable. In a successful attack, the hacker's machine connects to the victim's machine in a client-server relationship.

2. Software:

A Trojan Horse is usually made up of two pieces of software: the "client" or controller (used by the hacker) and the Trojan or "server" which is executed on the victim's machine. The software is pre-programmed by the hacker to suit the purpose of the attack, and will have been designed to exploit certain features or vulnerabilities in the victim's operating system [13].

3. Connectivity:

A communication channel needs to exist between the client and server components of the Trojan Horse. In the age of "always on" broadband internet, this usually just means that both the victim and the attacker need to have their machines on at the same time. The connection is usually made to a TCP or UDP port that the Trojan opens on the victim's machine [10]. In this regard, Trojan Horses usually fall into one of two connectivity categories: "covert channel" or "overt channel" [10]. (The source uses "covert channel" more loosely than the classic information-flow meaning; here it simply means a dedicated, non-standard port.)

Covert channel connection involves the Trojan Horse opening its own, seemingly random port on the victim's PC. For example, the NetBus Trojan is known to open TCP port 20034 to give the hacker access to the victim's PC. Overt channel connection, on the other hand, uses well-known ports such as TCP 80 (HTTP) to reach the victim's PC. Trojan Horses that operate on an overt channel are often seen as the greater security risk, because firewalls will not always recognise malicious activity when it occurs on legitimate ports [10]. Note also that most Trojans let the attacker choose the listening port, so a port number is at best a weak indicator: useful as a first check, never as proof either way.

Technical Analysis: Attack Process


Given that a Trojan Horse is typically a remote attack executed via a piece of malware, the hacker first has to get the malware onto the target machine. Social engineering is key at this point, as the hacker must deliver the Trojan Horse to the victim and convince the victim to accept and execute the program. Sometimes this is as simple as sending the victim an email while posing as a trusted contact. Hackers have also been known to exploit social networking sites such as Facebook to send Trojan Horses to victims via features such as video sharing [14]. Typically, the Trojan Horse executable will be renamed to resemble a patch or software update that the potential victim is encouraged to install. For an extra layer of deception, some hackers "wrap" the Trojan inside a functioning, non-malicious program. The victim runs the program, say a video codec installer, and while the legitimate installation takes place the Trojan Horse discreetly installs itself in the background [10].


After a Trojan Horse has been installed, it typically persists on the system in one of two ways. One method is for the Trojan Horse to create an entry in the system startup configuration (such as a Run key in the Windows registry), so that the Trojan is launched each time the machine is switched on. This method is common to Trojans such as Back Orifice, which is documented to "rerun every time the computer is started" [15]. A second method is for the Trojan to inject itself into a common process such as explorer.exe (or any other process that runs in the background by default). Trojans such as "The Beast" are known to employ this method, where the payload (often a .dll file) is loaded by the infected process [16]. The screenshot referred to here in the original essay (not reproduced; image source: Mischel Internet Security) showed The Beast's payload (dxgns.dll) loaded by an infected copy of explorer.exe.

Trojan Horse Case Study: Setiri

In 2002, developers Roelof Temmingh and Haroon Meer designed a Trojan Horse called Setiri. Setiri was the cause of both excitement and concern in the information security community as it demonstrated a new technique of "Trojanizing" web browsers [17]. Its ability to "co-opt" web browsers, combined with an array of advanced concealment techniques (including name-concealment and encrypted communication via a proxy server), made Setiri extremely difficult to detect or track [17].

Composition of Setiri

Setiri is made up of a connection broker and a "backdoor" [17]. The connection broker is installed on a server of the attacker's choice, possibly a server belonging to a third-party which the hacker has infiltrated, and allows the hacker to "launder" his or her connection to the victim's PC. The backdoor component of Setiri is similar to the server component of other Trojans, and is installed on the victim's PC to allow remote commands to be issued by the hacker [17]. It should be noted that despite some similarities, Setiri differs from the traditional "client and server" Trojan Horses in that the hacker does not have direct access to the victim's PC. Instead of a pathway being opened between the hacker's client software and the victim's server software, Setiri creates a system where the hacker places a prescribed list of commands in the connection broker, which are executed when the backdoor code causes the victim's PC to open a hidden window in Internet Explorer and navigate to the connection broker [17].

Attack process

1. The hacker installs the backdoor code on the victim's PC.

2. The hacker uses his or her own PC to access the connection broker and creates CGI scripts to suit the purpose of the attack; Setiri accepts commands to upload files, download files, or execute programs on the victim's PC.

3. The backdoor code opens a hidden Internet Explorer window on the victim's PC. The hidden browser window navigates to the connection broker and carries out the commands found there [17].

Figure 1: Setiri attack model (image not reproduced; image source not given in the original).

Concealment Techniques

In order to avoid detection, hide the attacker's identity, and mask the communication between the attacker and the target machine, Setiri utilises some advanced techniques including:

Allowing the attacker to use an anonymous browsing service (or proxy server) as a springboard - thus hiding the attacker's IP address and other traceable information that could be stored online (such as information stored inside cookies).

Using the HTTPS (HTTP Secure) protocol to encrypt the communication between the attacker and connection broker, as well as between the connection broker and the victim.

Use of Microsoft OLE automation to drive Internet Explorer, so that the network traffic originates from the trusted browser process rather than from a separate, recognisable malware process on the victim's machine [18]. (The backdoor itself still runs on the victim's PC; what it avoids is opening its own listening port or making its own outbound connections.)
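Setiri's design defeats the two checks the rest of this essay relies on: nothing is listening on the victim's PC, and the outbound traffic is HTTPS from a real Internet Explorer process, so neither a port scan nor a user-agent filter will catch it. What a web proxy can still see is the cadence with which the hidden browser returns to the connection broker. The following is an added example, not code from the Setiri authors or their paper; it assumes (the page does not say) that the backdoor polls the broker at a roughly fixed interval, and it runs over a constructed proxy log so it works offline. It flags any client/destination pair whose request intervals are too regular to be a human browsing.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not a real capture): ISO timestamp, client IP,
# method, destination host:port. HTTPS shows up only as CONNECT, so the
# URL path is invisible; timing is the remaining signal.
SAMPLE_PROXY_LOG = """\
2010-03-01T09:00:00 10.0.0.5 GET www.example.com:80
2010-03-01T09:00:03 10.0.0.5 GET www.example.com:80
2010-03-01T09:00:10 10.0.0.5 CONNECT broker.example.net:443
2010-03-01T09:01:10 10.0.0.5 CONNECT broker.example.net:443
2010-03-01T09:02:11 10.0.0.5 CONNECT broker.example.net:443
2010-03-01T09:03:10 10.0.0.5 CONNECT broker.example.net:443
2010-03-01T09:04:10 10.0.0.5 CONNECT broker.example.net:443
2010-03-01T09:05:11 10.0.0.5 CONNECT broker.example.net:443
2010-03-01T09:00:45 10.0.0.5 CONNECT mail.example.org:443
2010-03-01T09:02:20 10.0.0.5 CONNECT mail.example.org:443
2010-03-01T09:07:03 10.0.0.5 CONNECT mail.example.org:443
2010-03-01T09:07:30 10.0.0.5 CONNECT mail.example.org:443
2010-03-01T09:09:00 10.0.0.5 CONNECT mail.example.org:443
2010-03-01T09:12:51 10.0.0.5 CONNECT mail.example.org:443
"""


def find_beacons(log_text, min_requests=5, max_cv=0.1):
    """Return client/destination pairs whose inter-request gaps have a
    coefficient of variation (stddev / mean) at or below max_cv.

    Human browsing is bursty; a polling backdoor is metronomic. Both
    thresholds are assumptions to be tuned against local baseline traffic.
    """
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:           # skip malformed lines
            continue
        ts, client, _method, dest = parts
        by_pair[(client, dest)].append(datetime.fromisoformat(ts))

    hits = []
    for (client, dest), times in by_pair.items():
        if len(times) < min_requests:  # too few samples to judge a period
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append({"client": client, "dest": dest, "count": len(times),
                         "period_s": round(avg, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{h['client']} -> {h['dest']}: {h['count']} requests "
              f"every ~{h['period_s']}s (cv {h['cv']})")
```

In the sample, the six connections to the assumed broker host arrive every 60 seconds give or take one and are flagged; the six to the mail host are spread irregularly and are not. A backdoor that adds random jitter or piggybacks on the user's own browsing activity will defeat this heuristic, which is why it belongs alongside, not instead of, egress allow-lists on the proxy.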

Detection of Trojan Horses

There are numerous anti-virus/anti-spyware packages out there that provide a reasonable level of security against Trojan Horse attacks. Known Trojans will be quickly detected by most commercial security software, however, there is often a point of vulnerability between when a new Trojan Horse is developed, and when security vendors update their software definitions. The following is an exercise in a general detection model, designed to thwart Trojan Horses that have been developed with common systemic vulnerabilities in mind.


Figure 2: Testing process of the detection model (flowchart, reproduced as text):

1. List TCP/UDP connections.

2. Match them against the Trojan ports database.

3. Open Trojan ports detected? If yes, report the Trojans found and raise an alarm.

4. Otherwise, scan the registry and match it against the Trojan registry database.

5. Matching items detected? If yes, report the Trojans found and raise an alarm.

6. Exit.

Structure and Implementation of the Detection Model

The model works by elimination. It first examines the machine's network connections to determine whether anything unauthorized is present at the transport layer (of the OSI reference model). Since the transport layer carries end-to-end communication between hosts [19] (the source calls this "peer to peer", p2p), it makes sense to establish early on whether an attacker has an unauthorized connection to the victim's machine.

If nothing is found at the transport layer, the model moves up to the application layer and checks for compromise of the associated protocols and services, such as HTTP, FTP, SMTP or SSL [20]. This extends to the software that sits behind those services, such as Windows processes and the items referenced in the system registry. The registry deserves particular attention because it is often described as the "soul" of the operating system: an entire machine can be compromised through a successful change to the registry [21].

Testing Process of the Detection Model

The detection model can refer to databases or blacklists of known malware files and port numbers. During the initial phases of checking the TCP/UDP connections and ports, the Detection Model will look for matches on the malware databases [22]. Some items will be identified automatically, whereas others may appear as unknown (not confirmed to be either safe, or a threat). In these instances, the user will have to do some manual investigation of the file or port number in question to determine if the flagged item is a threat. This is consistent with the beliefs of many security experts - that one cannot rely on detection tools alone, and must make use of their own skills and knowledge to ensure the security of their machines [23].
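The two-stage model above, and the earlier points it rests on (the NetBus port in the connectivity section, and the startup-entry persistence of Back Orifice and The Beast), can be turned into a small working check. The following is an added example, not a tool from the essay or from any of its sources. It parses constructed `netstat -ano` and `reg query ... /s` output (labelled as such in the code, not captured from a real host), matches listening ports against a table of classic Trojan defaults (TCP 20034 is the NetBus port named on this page; the other three are the tools' well-known defaults and an assumption that the attacker kept them), then matches autorun entries against a file database seeded with the dxgns.dll payload this page attributes to The Beast. Anything listening on an unregistered high port, or launching from a user-writable directory, is reported as "unknown" for the manual review the text calls for.

```python
import re

# Default listening ports of classic remote-control Trojans. NetBus's TCP
# 20034 is named on this page; the rest are the tools' well-known defaults.
# Attackers can change the port, so a miss here proves nothing.
TROJAN_PORTS = {
    ("tcp", 12345): "NetBus",
    ("tcp", 20034): "NetBus Pro",
    ("tcp", 27374): "SubSeven",
    ("udp", 31337): "Back Orifice",
}
# "Trojan registry database": payload file names seen in autorun entries
# (dxgns.dll is the Beast payload named on this page).
TROJAN_FILES = {"dxgns.dll": "Beast"}
# Directories a legitimate autorun entry should rarely launch from.
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\local\\", "\\downloads\\")

# One `netstat -ano` row: proto, local, foreign, optional state (TCP only), PID.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# One `reg query ... /s` value row: name, type, data.
REG_VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:                      # banner and header lines
            continue
        proto, local, _foreign, state, pid = m.groups()
        port = int(local.rsplit(":", 1)[1])   # also handles [::]:135
        rows.append({"proto": proto.lower(), "port": port,
                     "state": state or "", "pid": int(pid)})
    return rows


def check_ports(netstat_text):
    """Stage 1 (transport layer): listening sockets vs. the port database."""
    findings = []
    for r in parse_netstat(netstat_text):
        if not (r["proto"] == "udp" or r["state"] == "LISTENING"):
            continue
        name = TROJAN_PORTS.get((r["proto"], r["port"]))
        where = f"{r['proto']}/{r['port']} pid {r['pid']}"
        if name:
            findings.append({"stage": "port", "verdict": "known",
                             "detail": f"{where} matches {name}"})
        elif r["port"] >= 1024:        # unregistered high port: analyst decides
            findings.append({"stage": "port", "verdict": "unknown",
                             "detail": f"{where} not in database; review"})
    return findings


def parse_run_keys(reg_text):
    entries, key = [], None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = REG_VALUE_LINE.match(line)
        if m and key:
            entries.append((key, m.group(1), m.group(3)))
    return entries


def check_registry(reg_text):
    """Stage 2 (application layer): autorun entries vs. file database and
    user-writable launch directories."""
    findings = []
    for key, name, command in parse_run_keys(reg_text):
        cmd = command.lower()
        hit = next((t for f, t in TROJAN_FILES.items() if f in cmd), None)
        if hit:
            verdict, why = "known", f"references {hit} payload"
        elif any(d in cmd for d in SUSPICIOUS_DIRS):
            verdict, why = "unknown", "launches from a user-writable directory"
        else:
            continue
        findings.append({"stage": "registry", "verdict": verdict,
                         "detail": f"{key}\\{name} = {command}: {why}"})
    return findings


def run_detection_model(netstat_text, reg_text):
    """Both stages always run (the flowchart stops at the first alarm) so a
    persisted Trojan whose server is not currently listening is still seen."""
    return check_ports(netstat_text) + check_registry(reg_text)


# Constructed sample input (not captured from a real host).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:20034          0.0.0.0:0              LISTENING       1932
  TCP    192.168.1.10:49800     203.0.113.7:443        ESTABLISHED     3020
  UDP    0.0.0.0:31337          *:*                                    2210
  UDP    0.0.0.0:5355           *:*                                    1160
"""
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater           REG_SZ           C:\Users\alice\AppData\Local\Temp\patch.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    dx                REG_SZ           rundll32.exe C:\Windows\dxgns.dll,Start
"""

if __name__ == "__main__":
    for f in run_detection_model(SAMPLE_NETSTAT, SAMPLE_REG):
        print(f"[{f['stage']}] {f['verdict'].upper():7} {f['detail']}")
```

Two limits of this model are visible in the example: a Trojan listening on TCP 80 (the overt channel discussed earlier) is never reported, because a privileged port absent from the database is treated as legitimate, and many genuine applications launch from AppData, so the registry stage is deliberately conservative and hands those entries to a human rather than calling them malicious. Run the checks from a clean boot medium where possible; a Trojan that hides from Task Manager may also hide from netstat and reg on the live system.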

Defending Against Trojan Horse Attacks: Putting it all Together

As the saying goes, prevention is better than cure. Before software tools and solutions are considered, users need to be educated about safe use of IT resources. This is particularly critical in corporate or high-security environments. If a security leader in one of these environments has not implemented a set of IT use guidelines, or an IT security policy, this should be first on his or her agenda.

IT security policies will typically cover a range of factors, including user rights and responsibilities, password management and security incident response. Relating specifically to malware prevention, users are often given a set of instructions similar to the following:

"1. Never execute programs unless they are from a trusted source.

2. Never open e-mail attachments unless you know who they're from, especially attachments with the extensions .exe, .lnk and .vbs.

3. Update your antivirus and security software on a regular basis.

4. Install patches and security updates for your operating system and software as they become available.

5. Beware of homemade CDs and floppy disks. If you plan to use these disks in your computer, scan them with your anti-virus software first.

6. Never accept programs transferred by instant messaging applications" [24]

The above is certainly not an exhaustive list of security measures, but it illustrates the basic steps users should take to avoid the common Trojan Horse attacks that rely on unsolicited email or social network spoofing. For more comprehensive guidance on implementing IT security policies, organizations can refer to standards such as ISO 27001 and ISO 17799 (IT security policy and information security management "best practice") [25]; note that ISO/IEC 17799 has since been renumbered ISO/IEC 27002.