internetinspiration logo internetinspiration.co.uk
Home Internet Guides Privacy & Security Must have software Internet Shopping Earn Money Fun & Games Freebies

Privacy & Security
Trojan protection, detection and removal

A trojan is often incorrectly called, or thought as being a computer virus, but they are not capable of reproducing themselves and therefore not a virus. Not only should they not be considered to be a virus, they should not be treated as one. Their prevention, detection and removal should be be viewed as a separate issue to viruses, many virus scanners can detect a few of the more common trojans but you should be armed with a separate detection and removal tool.

So if a trojan is not a virus, what is it and what can it do?

Trojans were originally named after the famous wooden horse used in the Trojan war to win the city of Troy, as these computer programmes sneak into your PC disguised as something else, but are actually one of the most dangerous threats to your privacy and security, they are also a favourite tool for crackers who will probe your PC for ports opened by his trojan.

They can also find their way into your PC via vulnerabilities in your Windows system. To be fair to windows they do issue security patches to cover vulnerabilities as they are discovered and exploited, but you will only be protected if you keep your system fully updated. Attackers take advantage of the fact that many people simply do not update their operating systems
Other ways include attachments to emails. Offers of free products, services or information, fake virus warnings, false product updates (including Windows updates), good/bad news, even the promise of nude photo's have all been used to trick people into opening the attachment
Fake freeware products. There are thousands of sites offering free software products to help you do a very wide array of useful things, but they are also a popular place for trojan makers to infect computers. yes, you might get a free registry cleaner, scanner, search engine or something to maintain your PC, but it many have a trojan attached, waiting to capture every key stroke, every form you complete, every site you visit and open ports on your pc for other applications to be put in your computer, all without you knowing.
Web sites offering cracking codes, cheats, free porn and the like can install a wide variety of applications, including powerful trojans.
P2P File sharing programs, such as Grokster, Bearshare and KaZa

Once in your system, they are capable of -
Loss, damage or theft of data.
Instigating or triggering illicit or unauthorised payments or actions.
Change your computers configuration.
Collect and distribute your information.
Open access paths into your computer to bypass security systems.
Launch Denial of service (DoS) attacks,
Allow virtually anything to be downloaded into your PC.
Allow a cracker to see or even control your computer

Trojans are an executable file, (one which is capable of starting or carrying out actions). An executable file can have a file extension (the last 3 letters following the file name and a 'dot') of the following -
.bat .cmd .com .cpl .exe .inf .pif .scr .shs .vb .vbs .wcs .wsf .wsh

Once infected, the Trojan will silently get on with whatever tasks it is programmed to do, which can be wide, varied and destructive.

Types of Trojan

A trojan will consist of one or more of the following components, its classification is usually based on its prime component or function.

A Remote Access component. Known as a RAT (remote access trojan). A RAT comes in two parts. A server component which is installed in your PC. Once functioning it will contact its owner/author who will then use the client part to access your computer as if it were their own, for any reason they choose. This could be anything from just annoying by doing things like repeatedly open and close a CD drawer, to making changes to your computers configuration and settings or for the ultimate invasion of privacy, start your web cam. An attacker could also use your computer to distribute malware or spam, or use your hard drive to store files, folders or programs.

A Compression or Packer component, will allow the initial download of the trojan to be small, fast and evade detection by a firewall. Once in your PC, the packer will expand the application to allow it to execute.

A Downloader component will open one or more of your computers ports to allow other malicious programs to be secretly downloaded. The Trojan can be programmed to download other applications automatically. It can also check for, and download updates to its own program.

A DoS (Denial of service) component, can work in one of two ways.
a) Hog your internet connection and computer resources to interrupt the normal flow of data into and out of your pc,
b)  Along with every other infected computer, at a predetermined time, make repeated calls for a service or web site to overload its servers and prevent other uses from accessing it, usually targeting internet security related sites.

A Destructive component is there for no reason other than to cause damage to the computers operating system or other programs, files and folders.

A FTP component will install a FTP (File transfer protocol) server, which will allow its owner to download and upload files and programs in either direction, i.e. from his computer to yours and from your computer to his. It will also allow other people the same access.

A Http component will allow the owner to use a web browser to contact, view and control the trojan and other software in the users machine.

A Logic bomb component. This can be set to allow the trojan to execute only after a specific number of tasks or events have taken place, for example, when a specified program or process is run, or when a certain number of files are in place.

A Time bomb component is the same as a logic bomb except its functions will be triggered by time or date.

A Data sending component sends information from the infected machine to the attacker, usually to a website or email address.

A Security programme disabling component will prevent processes belonging to security software from running to prevent some or all of its functions.

A Phreaking component will use your computers sound card to imitate a telephones dialling tones in order to dial out.

a Port scanning (or probing) component will use your computer as a base to scan the internet, and probe the ports of every computer it comes across. It could be looking for specific ports opened by a trojan or vulnerable unprotected computers. By using your machine, the attacker is avoiding detection.

A Rootkit component will be used by an attacker to gain full administrator privileges. This allows him/her to have the ability to hide processes, files, services, registry keys, even internet connections. He/she can also change remove/change your privileges, reducing your ability to detect, remove or change his/her workings. By design, they are very difficult to remove, a few scanners  can detect them, even fewer have the ability to delete them .

A Packet sniffer component will capture all packets containing the information that is sent over the internet.

A Proxy server lies in-between a server and a client PC and can be used to divert, filter or interfere with internet traffic. An attacker can also carry out illegal activities whilst using your computer and its address.

An Encryption component will encrypt the contents of the files and the file names to avoid detection. The really clever ones use a process called Oligomorphic encryption, which will use one of a range of encrypting codes so each infection is encrypted differently, or each trojan is encrypted differently on each boot up.

As you can see, trojans can have a wide variety of composition and functions. They can also have other applications attached to them, a worm virus as another method of distribution, a keylogger, dialler or other malware are examples.

So how can I stop them?

Your first line of defence is caution.

Be suspicious of any email attachment that has a file extension for an executable file. You should note that Windows is set by default to hide file extensions, see Security of an email for more information.

Be cautious of freeware programmes, check for user reviews of the product with a search engine before downloading.

Always keep your operating system, browser, Instant messenger and e-mail applications fully up to date.

Have a reputable firewall installed, and keep it updated. See our Hackers, crackers and firewalls page for a good quality firewall.

Install and USE a scanner that specialises in finding and removing trojans. The ones listed below come recommended.

Anti trojan software
Product description On line scan Free version Free trial Full version
A squared Scanner for Trojans, spyware, malware, and worms
AVG Anti-spyware Formerly known as Ewido. A Comprehensive very strong trojan/spyware security suite.
Pest Patrol Highly recommended Trojan and parasite detection    
Stinger Free Trojan remover from the Highly reputed McAfee stable      
Tuscan Powerful Trojan detection and removal    
Trojan Hunter highly regarded utility    
Trojan Remover Comprehensive database of Trojans and difficult to remove malware, includes the ability to reset Windows applications.    
Windows security free online trojan scan and excellent source of information      

Once a Trojan has been detected and removed, the problems do not stop there. You have to consider what the creator was able to do and see whilst they had access to your PC. Passwords, account numbers, bank and credit card details may have been compromised. Your computer could also have been used as a base for the distribution of spam, trojans, viruses, spyware and to break into other computers. If you are concerned, change your passwords, pin numbers once the infection has been removed

In addition to detection and removal tools, DiamondCS produce two very powerful applications that can prevent trojans from executing their payload in the first place.
Process Guard protects your legitimate files from attack by blocking changes that you do not specifically approve. There is a Free version available (the paid version offers protection against additional threats, including rootkits.). 
Port Explorer, allows you to see all open ports and what process owns them, this is called port to process mapping, which when combined with its built in trojan detection utility it is impossible for any trojan that slips through your firewall to operate undetected. It also includes  a packet sniffer, so you can actually see what information is being sent from your computer, . This is not freeware, but there is a free 30 day evaluation period.

The next page looks at the prevention, detection and removal of Spyware

Privacy & Security

Information

E-mail

Viruses

hackers, crackers & firewalls

Trojans

Spyware

Keyloggers

Cookies

BHO's & Hijackers

Drive by downloads

diallers

Scams & Hoaxes

Hijack this-
automatic analysis


Free pest scan

Unwanted processes

How to-Tutorials

Clean up/repair after malware infection

Prevent malware installing

Install Hijackthis

Start in Safe mode

Show hidden files/folders

enable/disable Active X controls

Disable Messenger service pop-ups

Use the Host file

Roguefix -
Removal tool for Rogue spyware removers & Fake Warnings
removal tool


Kill E2Give

Kill MySearch

Kill Sdbot-ADD / lockx.exe

Kill seeve.exe / mediamotors pop ups

Kill Winfixer2005

Kill SysProtect

News/Articles

New Winfixer infection displays fake Blackworm warning

The real cost of Free security software

Hackers, crackers and firewalls RAT's About us Contact us FAQ Links Privacy Statement Site Map Webmasters
Click here to add this page to your favorites
©Internet Inspiration, 2003.      All registered trademarks are observed and respected.
If you receive advertising pop ups whilst viewing this site, you are infected with an ad-serving parasite, because we don't use pop ups. See our Privacy & security section for help with detection and removal.