You’ve probably heard the Trojan Horse story at least once in your life. In the story, the Greeks pretended to sail away, leaving a wooden horse behind, and the Trojans pulled the horse into their city as a victory trophy. It turned out to be a trap: Greek soldiers were hiding inside the horse, and at night they crept out and opened the castle gates for the rest of the Greek army, allowing them to destroy the city.
In cybersecurity, the term “Trojan Horse” refers to a type of malware that gets downloaded onto a computer disguised as a legitimate program. The user thinks the software is safe and therefore downloads it onto their computer. However, malicious code is hidden inside that software, allowing the attacker to gain access to the user’s computer, just like the Trojan Horse. No wonder this malware is named after the Trojan Horse legend.
But what’s different between the Trojan Horse in cybersecurity and the one in the legend? One happens on a computer and the other happens physically; that is true. However, in the legend the Trojans realized in the end that they had been tricked, whereas in cybersecurity the user doesn’t know they’ve been tricked. The attacker adds code that steals the user’s information or does something unexpected. For example, the user creates a new password and the attacker uses that password on the user’s other accounts, such as their banking account. Or a puzzle game actually mails out the user’s address book.
When a user downloads software, do they have any idea what’s in it? Do they get the code with it? No, they don’t. Unless it is open source, with MOST software in the world the user downloads it, runs it, and that’s it. The user trusts the developer not to put Trojan horses in the software, since it is hard for the user to detect a Trojan horse through program testing or code review. How much to trust the developer is up to the user.
Luckily for ordinary users, there are lists of common types of Trojan Horse malware, and the common symptoms of an infected computer are known: computer settings suddenly changing, a loss in computer performance, or unusual activity. Since common types of Trojan malware are known, they can be detected by a Trojan scanner or malware-removal software. Ironically, though, those Trojan scanners could themselves be Trojan Horses.
There are three options for detecting whether a piece of software is a Trojan horse: testing the software, gaining some understanding of the development process that went into building it, and code review. Firstly, testing doesn’t help. The chances of detecting a Trojan horse this way are very low, almost impossible, since testing only shows the outcome of the software. Secondly, looking at how the development process works might help. It can reveal whether other purposes were reflected in the development of the software. Lastly, code review. If the user can actually review the code, they can look for whether the programmer coded certain types of malware. It is therefore the best answer among the three options. However, code review can itself be subverted. In the next article, we will look at how even clean source code can become a Trojan Horse. Stay tuned!
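The following added example (written for this article's argument, not taken from any real program) shows why testing only sees the outcome while code review can expose hidden behaviour: a password setter passes its black-box tests yet quietly keeps a copy of each password, and a small source scan of the kind a reviewer might run points at the undocumented name. The sample function, `_hidden_log` and the helper names are all constructed, and the copied data never leaves the process.

```python
import ast
import builtins

# Constructed sample: a password setter with an undocumented side effect.
# Harmless by design: the copied data stays in this process's memory.
SAMPLE_SOURCE = '''
_hidden_log = []

def set_password(accounts, user, new_password):
    """Advertised behaviour: accept passwords of 8+ characters."""
    if len(new_password) < 8:
        return False
    accounts[user] = new_password          # toy account store
    _hidden_log.append((user, new_password))  # not in the description
    return True
'''

def load_sample():
    """Execute the sample source and return its namespace."""
    namespace = {}
    exec(SAMPLE_SOURCE, namespace)
    return namespace

def black_box_tests_pass(set_password):
    """Tests that look only at the advertised outcome."""
    accounts = {}
    accepted = set_password(accounts, "alice", "correct-horse")
    rejected = set_password(accounts, "bob", "short")
    return accepted and not rejected and accounts == {"alice": "correct-horse"}

def names_from_outside(source, func_name):
    """Review aid: names a function reads that are neither its
    parameters, its own local variables, nor Python builtins."""
    tree = ast.parse(source)
    func = next(n for n in ast.walk(tree)
                if isinstance(n, ast.FunctionDef) and n.name == func_name)
    local = {a.arg for a in func.args.args}
    names = [n for n in ast.walk(func) if isinstance(n, ast.Name)]
    local |= {n.id for n in names if isinstance(n.ctx, ast.Store)}
    used = {n.id for n in names if isinstance(n.ctx, ast.Load)}
    return sorted(used - local - set(dir(builtins)))

if __name__ == "__main__":
    ns = load_sample()
    print("tests pass:", black_box_tests_pass(ns["set_password"]))
    print("hidden copy:", ns["_hidden_log"])
    print("reviewer sees:", names_from_outside(SAMPLE_SOURCE, "set_password"))
```

The tests pass because they check only the return values and the account store; the hidden copy is visible only to someone reading the source.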