- Support
- Downloads
- Purchasing
How do Trojans work?
The information in this article applies to:
- GFI MailSecurity for Exchange/SMTP 10
- GFI MailSecurity for Exchange/SMTP 8
- GFI MailSecurity for Exchange/SMTP 9
Article ID: KBID001671
Query keywords:
What is a Trojan horse?
In the IT world, a Trojan horse is used to enter a victim’s computer undetected, granting the attacker unrestricted access to the data stored on that computer and causing great damage to the victim. A Trojan can be a hidden program that runs on your computer without your knowledge, or it can be ‘wrapped’ into a legitimate program meaning that this program may therefore have hidden functions that you are not aware of.
How a Trojan works
Trojans typically consist of two parts, a client part and a server part. When a victim (unknowingly) runs a Trojan server on his machine, the attacker then uses the client part of that Trojan to connect to the server module and start using the Trojan. The protocol usually used for communications is TCP, but some Trojans' functions use other protocols, such as UDP, as well. When a Trojan server runs on a victim’s computer, it (usually) tries to hide somewhere on the computer; it then starts listening for incoming connections from the attacker on one or more ports, and attempts to modify the registry and/or use some other auto-starting method.
It is necessary for the attacker to know the victim’s IP address to connect to his/her machine. Many Trojans include the ability to mail the victim’s IP and/or message the attacker via ICQ or IRC. This system is used when the victim has a dynamic IP, that is, every time he connects to the Internet, he is assigned a different IP (most dial-up users have this). ADSL users have static IPs, meaning that in this case, the infected IP is always known to the attacker; this makes it considerably easier for an attacker to connect to your machine.
Most Trojans use an auto-starting method that allows them to restart and grant an attacker access to your machine even when you shut down your computer. Trojan writers are constantly on the hunt for new auto-starting methods and other such tricks, making it hard to keep up with their new discoveries in this area. As a rule, attackers start by “joining” the Trojan to some executable file that you use very often, such as explorer.exe, and then proceed to use known methods to modify system files or the Windows Registry.
For an in-depth look at the different types of Trojans, why they pose a danger to corporate networks, and how to protect your network against them, please click here.