A Trojan Horse is a program that appears to be a useful tool but performs various hidden actions in the background without the computer owner's knowledge. Trojan Horses are named after the "Trojan Horse" of Greek mythology: a wooden horse left behind by Troy's besiegers. Not knowing that Greek soldiers were hiding inside, the people of Troy moved the horse inside the city walls to celebrate their victory. Once within the walls, the enemies left their hiding place and conquered the city. Today's Trojan Horse attacks work in a similar way.
Trojan Horses are often wrongly lumped together with viruses. The comparison holds only to a certain extent: unlike viruses, their main purpose is not to destroy information stored on a computer but to transmit that data to the initiator of the attack for abuse, or to gain control over the infected computer.
Since the volume of data sent back to the initiator is often too large to be useful, many Trojan Horses offer far more intelligent options. These so-called Backdoor Trojans enable attackers to take control of other people's computers and do whatever they desire, just as if the attacker were sitting in front of the infected computer.
Well-known Trojan Horses like Sub7, Netbus or Back Orifice consist of three parts:
1. Server file
This is the file that has to be installed on the computer the attacker wants to control; with it in place, the attacker can take control of that computer. In most cases the file is sent as an email attachment: an executable that appears to be a useful program. Once started, the Trojan Horse installs itself automatically. An error message pops up to distract the user, telling them that the installation of the program was not successful. The disappointed user often deletes the program file and forgets about it, unaware that a Trojan Horse has been installed which starts automatically on every system reboot. Every time the computer is turned on, the Trojan Horse loads itself into main memory and waits for a client to get in touch with it.
2. Configuration tool for the server file
This is the program used to set up the options of the server file: for example, how the server is supposed to start itself after a successful infection, or which ports are used to gain access to the computer. Usually the server file itself is created with this configuration tool, where the attacker selects which functions the Trojan Horse should offer after taking control of a computer.
3. Client
After a successful infection, the client tries to establish a connection to the infected computer. If everything worked out, the client program can now be used to access the server file on that computer. There are many different types of Trojan Horses using different routines. Trojans that merely sneak around in foreign systems are as common as Trojans that gather important or valuable information and send it to a certain address via email. Often these Trojans are able to do their destructive work for months without being recognized. Some of them only start when an internet connection is being established, which makes finding Trojans on one's own system a very difficult task.
What is a port and why do Trojan Horses use them?
Although most computers have only one IP address, they can run many different services. This is possible because every service uses a specific number (the port) for its exchange of information.
Suppose a server machine runs the services www (World Wide Web) and ftp (File Transfer Protocol). Without port numbers, neither of the running services could tell whether certain incoming data is intended for it. Ports serve to channel data to a particular application or service; using port numbers, every service knows who the recipient of the information is.
Ports 1 to 1024 are reserved for standard programs (www, ftp, ...). The maximum port number is 65,535, so the complete port range runs from 1 to 65,535.
Trojan Horses use ports to sneak their way into a computer system. Since most computer owners have no idea which ports are 'open' on their system, it is easy for a Trojan to enter over an open port. Unfortunately, Trojan Horses can use different ports, which lets a Trojan switch to another port if the one it uses is closed.
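The defensive counterpart to the point above, as an added example that is not part of the original article: a Python script for Linux that reads the kernel's socket table (/proc/net/tcp) and lists which TCP ports are actually listening, flagging listeners outside the well-known range that the administrator cannot account for. The allow list, the constructed sample table and the assumption of a little-endian host are mine, not the article's.

```python
"""Listening TCP ports from /proc/net/tcp (Linux). Added example, not from the
article: each endpoint is little-endian hex IPv4 plus hex port; state 0A = LISTEN."""
import socket
import struct

LISTEN = 0x0A
WELL_KNOWN_MAX = 1023   # upper end of the range reserved for standard services

def _decode_endpoint(field):
    """'0100007F:0050' -> ('127.0.0.1', 80); assumes a little-endian host (x86/ARM)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_listening_ports(table_text):
    """Return (ip, port) pairs in LISTEN state, sorted by port number."""
    listening = []
    for line in table_text.splitlines()[1:]:        # line 0 is the column header
        fields = line.split()
        if len(fields) >= 4 and int(fields[3], 16) == LISTEN:
            listening.append(_decode_endpoint(fields[1]))
    return sorted(listening, key=lambda endpoint: endpoint[1])

def unexpected_listeners(listeners, allowed=frozenset()):
    """Flag high-port listeners that are not on the administrator's allow list."""
    return [e for e in listeners if e[1] > WELL_KNOWN_MAX and e[1] not in allowed]

def live_listening_ports(path="/proc/net/tcp"):
    """Parse the running host's table; returns [] where /proc is unavailable."""
    try:
        with open(path) as fh:
            return parse_listening_ports(fh.read())
    except OSError:
        return []

# Constructed sample in /proc/net/tcp layout: sshd on 22, a web server on
# localhost:80, one established client connection, and a listener on 41234
# that no known service explains.
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:B0C4 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
   3: 00000000:A112 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 44444 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    table = live_listening_ports() or parse_listening_ports(SAMPLE_TABLE)
    for ip, port in unexpected_listeners(table):
        print(f"review: unexplained high-port listener {ip}:{port}")
```

Run it on the host itself to get the live inventory; the sample table is only used when /proc/net/tcp cannot be read.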
What are Trojan Horses able to do?
This depends on what the attacker wants to do. If the intention is to gather information, damage to the system can be ruled out. But if the attacker intends to cause trouble, he will use a Trojan Horse that offers options to take control of the infected computer, ranging from remotely opening the CD-ROM tray to deleting files or the entire hard disk. This shows that a Trojan Horse can be a powerful tool which, in the wrong hands, can cause serious damage.
How can someone take control of my computer?
If an attacker manages to get his server file onto a foreign computer system, the only thing he still needs is that computer's IP address. An IP address is a combination of numbers that identifies a computer on the internet. Computers receive their IP addresses from their providers when dialing into the internet. With an advanced type of Trojan Horse, the server file can be sent via email; once installed on the foreign PC, the server sends the IP address of the infected computer to the initiator of the attack.
Many Austrian internet providers (Chello, A-Online, ...) offer so-called static IP addresses to their customers. A static IP address never changes, since there is no dialing routine at all. The advantage of a static IP address is that it is much easier to set up and run one's own internet server. At the same time, it makes causing damage on a computer a whole lot easier for potential attackers.