Trojan Horses

Trojan Horses



Trojan horses are unintended components or operations that are placed hardware, firmware, software, or wetware causing unintended and/or inappropriate behavior. Examples include time bombs, use or condition bombs, flawed integrated circuits, additional components on boards, additional instructions in memory, operating system modifications, name overloaded programs placed in an execution path, added or modified circuitry, mechanical components, false connectors, false panels, radios placed in network connectors, displays, wires, or other similiar componets. [1]

Detecting Trojan horses is almost certainly an undecidable problem (although nobody has apparently proven this it seems clear) but inadequate mathematical analysis has been done in this subject to provide further clarification. [1]

In one celebrated case, a Trojan horse was a program that was supposed to find and destroy comuter viruses. A Trojan horse may be widely redistributed as part of a computer virus. [2]

The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek solidiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy. [3]


Trojan horses rely on users to install them, or they can be installed by intruders who have gained unauthorized access by other means. Then, an intruder attempting to subvert a system using a Trojan horse relies on other users running the Trojan horse to be successful.

Users can be tricked into installing Trojan horses by being enticed or frightened. For example, a Trojan horse might arrive in email described as a computer game. When the user receives the mail, they may be enticed by the description of the game to install it. Although it may in fact be a game, it may also be taking other action that is not readily apparent to the user, such as deleting files or mailing sensitive information to the attacker. As another example, an intruder may forge an advisory from a security organization, such as CERT Coordination Center, that instructs system admi nistrators to obtain and install a patch. [4]

Other forms of "social engineering" can be used to trick users into installing or running Trojan horses. For example, an intruder might telephone a system administrator and pose as a legitimate user of the system who needs assistance of some kind. The system adminsitrator might then be tricked into running a program of the intruder's design. [4]

Software distribution sites can be compromised by intruders who replace legitimate versions of sofware with Trojan horse versions. If the distribution site is a central distribution site whose contents are mirrored by other distribution sites, the Trojan horse may be downloaded by many sites and spread quickly throughout the Internet community. [4]

Because the Domain Name System (DNS) does not provide strong authentication, users may be tricked into connecting to sites different than the ones they intend to connect to. This could be exploited by an intruder to cause users to download a Trojan horse, or to cause users to expose confidential information. [4]

Intruders may install Trojan horse versions of system utilities after they have compromised a system. Often, collections of Trojan horses are distributed into toolkits that an intruder can use to compromise a system and conceal their activity after the compromise, e.g., a toolit might include a Trojan horse version of ls which does not list files owned by the intruder. Once an intruder has gained administrative access to your systems, it is very difficult to establish trust in it again without rebuilding the system from known-good software. [4]

A Trojan horse may be inserted into a program by a compiler that is itself a Trojan horse. [4]

Finally, a Trojan horse may simply be placed on a web site to which the intruder entices victims. The Trojan horse may be in the form of a Java applet, JavaScript, ActiveX control, or other form of executable content. [4]

The most infamous hacking tool is Back Orifice 2000, often known simply as BO2k. The authors describe the program as a "remote administration tool," which just happens to be able to administer a computer without its user's knowledge or consent. It can run almost undetected under any version of Windows, allowing an outsider almost unrestricted access to a system. As well as copying or altering files, hackers equipped with BO2K can record a user's every keystroke, and even receive a live video feed of their screen. [5]

Examples of some recent incidents involving Trojan horses are as follows:

"False Upgrade to Internet Explorer" [4]

Recent reports indicate wide distribution of an email message which claims to be a free upgrade to the Microsoft Internet Explorer web browser. However, we have confirmed with Microsoft that they do not provide patches or upgrades via electronic mail, although they do distribute security bulletins by electoronic mail.

The email message contains an attached executable program called Ie0199.exe. After installation, this program makes several modifications to the system and attempts to contact other remote systems. We have received conflicting information regarding the modifications made by the Trojan horse, which could be explained by the existence of multiple versions of the Trojan Horse.

At least one version of the Trojan horse is accompanied by a message which reads, in art:

As an user of the Microsoft Internet Explorer, Microsoft Corporation provides you with this upgrade for your web browser. It will fix some bugs found in your Internet Explorer. To install the upgrade, please save the attached file (ie0199.exe) in some folder an run it.

"Trojan Horse Version of TCP Wrappers" [4]

Recently published "CA-99-01-Trojan-TCP-Wrappers" which said that some copies of the source code fro the TCP Wrappers tool were modified by an intruder and contain a Trojan horse.

"Trojan Horse Version of util-linux" [4]

Within the Trojan horse util-linux distribution the program /bin/login was modified. The modifications included code to send email to an intruder that contains the host name and uid of users logging in. The code was also modified to provide anyone with access to a login prompt the capability of executing commands based on their input at the login prompt.

"Microsoft suffers a much-publicized attack"

In fall 2000, hackers downloaded and perhaps changed the source code of a future operating system. This was the result of a Trojan concealing a worm - a program that copies itself onto other machines throughout a network. Once installed on a Microsoft machine, the code spread until it found a computer containing secrets worth stealing. The Trojan then signalled its presence to a hacker, opening a backdoor to the network. [5]


The best way to prevent your system from being infected with a Trojan horse is to avoid them all together. Listed below are some other ways an organization can avoid being infected with a Trojan horse:

1. Never download blindly from people or sites that you aren't 100% sure about. Even if the file comes from a friend, still use caution before opening the file.

2. Beware of hidden file extensions. By default, Windows hides the last extension of a file, so that innocuous- looking picture "mycar.jpg" might really be "mycar.jpg.exe" - an executable Trojan. To avoid this, see the Self-Defense guides for information on disabling file extension hiding. [6]

3. Educate your users informing them the dangers of Trojan horses and how to avoid them.

4. Never use features in your programs that automatically get or preview files. Those features may seem convenient, but they let anybody send you anything, including dangerous Trojans. Typically these are previewing files in Outlook or other email programs. [6]

5. When chatting online, never blindly type commands that others tell you to type, or run prefabricated programs or scripts (not even polular ones). If you do so, you potentially trust a stranger with control over your computer, which can lead to Trojan infection or other serious harm. [6]

6. Use caution when executing content such as Java applets, JavaScript, or ActiveX controls from web pages. You may wish to configure your browser to disable the automatic execution of web page content. [4]

7. Use firewalls and virus products which are aware of popular Trojan horses. Although it is impossible to detect all possible Trojan horses using a firewall or virus product, may aid you in preventing many popular Trojans from affecting your systems. [ 4]

8. Encourage software developers and distributors to use cryptographically strong validation for all software they produce or distribute. Any popular technique based on algorithms that are widely believed to be strong will provide users a strong tool to defeat Trojan horses.


Trojan Horse programs pose the most serious and insidious risk to the integrity of your whole network. They are much harder to detect than viruses or worms since they are often deployed with recompiled file names and attributes. They can range from simple program that log keystrokes that are made on a PC (that can be used to steal information and passwords) to full-blown remote control Trojans such as Back Orifice and Sub Seven that make commercial remote control packages like PC Anywhere look lame. They literally give FULL control to the hacker of all compromised machines, and via these machines possibly your whole network. [6]

No matter what security measures you have in place, every network suffers from one serious weakness: human gullibility. [5]

A very important warning to keep in mind comes from Andrew Keir, the developer of the Firehole proof-of-concept tool that showed just how leaky most firewalls can be.

"If you can't stop it [a Trojan executing] then it is game over - the rogue program has your computer completely under its control." said Keir.


[1] Cohen, Frederick. "The Security Database".

[2] "Trojan horse".,,sid14_gci213221,00.html

[3] Webopedia. "Trojan horse".

[4] CERT Coordination Center. "CERT Advisory CA-1999-02 Trojan Horses". March 8, 1999.

[5] Dornan, Andy. "Lesson 150: Trojan Horses". Network January 5, 2001.

[6] UKSecurity Online. "Trojan Horse Threat Analysed".