What is Trojan Horse malware

You know the story of the Trojan Horse, right? According to Greek mythology, during the Trojan war, the ancient Greeks built a huge wooden horse (the horse being the emblem of Troy), which hid a group of elite Greek soldiers inside, and left it in front of the gates of Troy. They hoped to fool the Trojans into wheeling the horse into the city, believing it to be a victory trophy. And, as the story goes, they did. Then, later that night, the Greek soldiers crept out of the horse and opened the city gates for the rest of the Greek army. They entered the Trojan city, destroyed it, and ended the war.

The expression “Trojan Horse” came to mean something that initially seems innocuous but is ultimately bad or malicious. And in the world of computing, the expression came to denote a specific type of malware that disguises itself as a seemingly harmless program or file to trick you into installing it. Once installed, like the Greek soldiers creeping out of the wooden horse at nightfall, the Trojan Horse malware turns against you.

What is Trojan Horse Malware?

A Trojan is not a virus. It is considered malware. Unlike a computer virus, a Trojan Horse doesn’t replicate itself by infecting other files or computers. It’s a decoy that may end up downloading viruses onto your machine, but it is not itself a virus.

Trojans are one of the first pieces of malware to ever be detected. The term Trojan Horse first appeared in a 1974 US Air Force report, which documented all of the ways a computer system could presumably be compromised. Soon after, the first actual Trojan was observed on the wire. It was a small program called ANIMAL-PERVADE. This Trojan Horse was disguised as a harmless animal-themed game, but once installed on a system, it would download a virus onto that same system.

Today Trojans represent one of the most successful and common malware attacks.

What do Trojans actually do once installed?

Below are some of the more common attacks Trojans can perpetrate once installed on a computer system:

Create a backdoor

When a Trojan infects your computer, it can create an unauthorized access point for the attacker to access your machine. The Trojan itself can also send information back to a server controlled by the attacker.

Steal your information

Many Trojans are designed to hunt for and funnel your personal and financial information. This works in conjunction with a backdoor.

Download more malware & viruses

Some Trojans will target your already infected computer and download additional malware and viruses.

Take control of your computer

Other Trojans aren’t so interested in what’s on your computer but would rather use your computer as a bot on a network the attacker(s) control. This is often done to perpetrate Distributed Denial of Service attacks (DDoS), for example.

In a DDoS attack, the attacker(s) uses your machine (and presumably others’ machines) to take a server offline by flooding it with traffic from the machines under their control. Another common payload is cryptojacking, where the attacker(s) uses your machine to mine bitcoins for themselves.

Send costly messages

Some Trojans can also infect smartphones and once on the device they start sending out SMS messages to premium numbers, driving your bill way up.

Ransomware Trojans

Some Trojans are actually ransomware or a gateway to ransomware. Ransomware, once installed on your system, typically encrypts your files with an unknown key or password and then demands a ransom (usually money) in exchange for the decryption password or key.

How do Trojans work?

Trojan Horses and social engineering pretty much go hand-in-hand. Social engineering relies on manipulation in order to gain access to the target’s account. So a typical social engineering tactic consists of sending a fake link or email attachment to someone and tricking them into believing it’s a legitimate file or a link to a legitimate site. If they click on the link or the attachment, they will actually be installing a Trojan on their computer.

In fact, Trojans and social engineering are so common together that many consider Trojan Horses to be a kind of social engineering attack. That’s because the way most people get their systems infected with a Trojan Horse is through some form of social engineering.

So, for example, you could receive an email with an innocuous-looking attachment that is actually a Trojan Horse and be tricked into clicking it. Or you could download a seemingly legitimate program from the internet (like an antivirus program) which is actually a Trojan Horse.

It’s difficult to give any type of guidance on what a Trojan Horse might look like because, by its very nature, it will be disguised as something else, which can be pretty much any kind of computer file. Although the most common “disguises” are programs, links (URLs), and email attachments.

See also: Common phishing scams and how to avoid them

Examples of Trojan Horse Malware

Here’s a short list of some notable Trojan Horse malware examples that have been widely distributed:

AIDS Trojan

In late 1989, thousands of floppy disks containing the AIDS Trojan were mailed out to the subscribers of PC Business World magazine and a WHO AIDS conference mailing list. Once installed, the Trojan would encrypt all of the filenames on the system and display a ransom demand of $189 for the decryption program. This was the first known ransomware.

Beast

In 2002, the Windows-based backdoor Trojan, Beast, was discovered on the wire. Beast was capable of infecting almost all Windows versions at the time.

Vundo

In 2004, the Vundo Trojan, known to generate pop-ups and advertising for fake anti-spyware programs, first appeared. The Trojan also caused performance degradations on the infected system and could block access to certain websites.

Zlob

In 2005, the Zlob Trojan was first observed. The Zlob Trojan would cause pop-up warnings – that mimicked genuine Windows warning messages – to frequently appear. Clicking the pop-ups would trigger the download of a fake antivirus program containing additional viruses and malware.

Tiny Banker

In 2016 the Tiny Banker Trojan started infecting machines. This Trojan used HTTP injection to display a fake online banking page that looked exactly like the original, legitimate banking site.

Once a user typed-in their credentials, an error message was displayed stating there was an error, after which the user was redirected to the real banking website. But by this point, it was already too late. The credentials entered on the spoofed page were harvested by the attacker. The user had no idea their credentials had just been stolen because they were able to log in as normal, after a small “glitch”.

Grandoreiro

In 2024, Brazilian police arrested individuals responsible for the Grandoreiro Windows banking trojan. The banking malware had been targeting Spanish-speaking countries since 2017. According to one of the targeted banks, the fraud had caused approximately $120,000,000 in losses.

Researchers at ESET found that Grandoreiro was distributed via spam emails and, once in place, could – among other things – capture keystrokes, log victims out of their machines, and navigate the victim’s browser to a chosen URL. Furthermore, the malware checked which security products were installed, and whether there were any apps that protected online banking access.

How can you know if your system is infected?

Install a reputable antivirus program

It all depends on what the Trojan you’re infected with was designed to do. But for sure, you should be running a reputable antivirus program. An antivirus will always be your best technical measure against Trojans. And the easiest way to tell if your system has been infected by a Trojan is to run an antivirus scan. A good antivirus program should be able to detect most Trojan variations that are out “in the wild”.

But do bear in mind that antivirus programs can never really be ahead of the curve. The viruses and malware it protects you from must first be observed before an antivirus program can craft a defense from it. So there will always be potential infections out there that your antivirus isn’t yet equipped to protect against. This is not an argument against antivirus software – it’s just the nature of the game.

See also:

Check the programs that are installed on your system

Because Trojans disguise themselves as something innocuous. If you suspect your computer is infected by a Trojan, take a look at your list of installed programs. If you see any programs that you don’t remember installing (and you suspect you’re infected with a Trojan), you may just have found it.

Looking up the name of the program on the internet might yield more information on what it is. If you do manage to identify the program as a Trojan, uninstall it. And even if you don’t manage to identify it, it might still be a good idea to uninstall software that you don’t remember installing and that you presumably never use.

In addition to uninstalling the software, we recommend rolling back your device to a previous restore point if possible.

Check the performance of your computer

Malware and viruses can really hinder your computer’s performance. And because a Trojan can lead to viruses and more malware, it makes sense to look out for the symptoms caused by these as well, as they may indicate the presence of a Trojan Horse on your system.

Many of the things I discussed in my How to spot and avoid fake antivirus article are relevant to Trojan infections as well.

Look out for the following:

  • Constant lock-ups & slow-downs
  • Rogue processes running
  • Frequent junk pop-up ads appearing
  • Weird toolbars added to your browser
  • Hijacked homepage in your browser
  • More frequent CAPTCHAs can also be a sign of infection

These are telltale signs of viruses and malware, including Trojan Horses.

What can you do if you’re infected with a Trojan?

The first thing you should do, if you haven’t already, is to install a reputable antivirus program and run a full scan of your system. It could also be a good idea to perform a “boot-time” scan, which tends to uncover the more stubborn varieties of malware that can only be detected during the boot-up process.

Now, if you are running an antivirus program on your machine and you know you’re infected with a Trojan, it very likely means your antivirus program has identified it and quarantined or deleted it. That may well be the end of it. Of course, depending on what the Trojan was designed to do, your personal or financial information may well be compromised, but, if you’re lucky(ish), your antivirus program got rid of the Trojan.

Let’s say you’re not so lucky and your antivirus program can’t detect it. So you’re in a situation where you suspect you’re infected with a Trojan but you can’t find it. In this situation, you could restore a backup of your computer, taken before the Trojan infection. That should restore your system to a clean state.

If you didn’t make regular backups of your computer and your antivirus can’t find the Trojan and you’re still convinced you’ve got a Trojan, your only last resort may be to back up your files, reformat your computer, reinstall your programs, and copy your files back onto it. Just make sure not to copy the Trojan itself.

How can you avoid Trojans?

Below I’ve outlined some of the steps you can take to try and avoid trojans all together.

Here’s how to avoid trojan horse malware:

  • Use a firewall – All major operating systems have a built-in incoming firewall and all commercial routers on the market have a built-in NAT firewall. Make sure these are enabled.
  • Never click on pop-ups.
  • If your browser displays a warning about a website you are trying to access you should pay attention and get the information you need elsewhere.
  • Never download pirated software – free products may sound enticing but remember that those who upload them are often looking to make money, either through compromising your system themselves or by selling your information on to other web crooks.
  • Only buy well-reviewed and genuine security software from legitimate vendors.
  • Only open email attachments if you trust the sender and you’re sure that you can verify their identity – viruses do come in the mail and that’s why it’s always a good idea to scan all your incoming mail with an antivirus program.
  • Keep your programs up to date. Malware and viruses typically try and exploit security flaws found in outdated software.
  • Make regular backups of your computer.
  • If you receive an email asking for information while claiming to be from an official organization with which you have a relationship, read it very carefully before doing anything. Does it have spelling and grammar mistakes? Does it have an air of urgency? These are classic signs of a phishing attempt. And remember that your bank or the government will never ask you to send them sensitive information by email.
  • Don’t click links (URLs) in emails unless you know exactly who sent the URL and where it links to. And even then, inspect the link carefully. Is it an HTTP or an HTTPS link? Most legitimate sites use HTTPS today. Does the link contain spelling errors (gooogle instead of google)? If you can get to the destination without using the link, do that instead.

None of these dos and don’ts will make you impervious to Trojans, but they’ll help. And none of these dos and don’ts can replace a reputable antivirus program, which runs scans at regular intervals. They go together, just like Trojan Horses and social engineering.

Stay safe.