
What is a Trojan, how does it work, and how can we protect ourselves?

24 May, 2021

Yesterday the draft of the Criminal Procedure Code became public; it would allow the State security forces and bodies to use trojans to access the data on the computers of people under investigation.

But let’s start from the beginning: what really is a trojan, and what can it do on a computer?

Trojans are a type of malware whose main purpose is to give remote access to a system. Like the mythical horse the Greeks used to enter Troy without raising suspicion, these programs try to go as unnoticed as possible, opening a back door through which a remote attacker can enter the computer.

Typically, Trojans do more than provide a back door: they record keystrokes and pages visited, exfiltrate data from the computer, make it part of a botnet… However, in the case of those the police would use, most likely they would only provide a record of the user’s actions plus remote access, so that the contents of the computer could be explored from afar.

On the other hand, we said that a Trojan tries to go unnoticed, so it would not be strange for it to be accompanied by a rootkit. The purpose of this type of malware is to hide the processes that might make the user suspicious.

How? As the name suggests, rootkits are installed on the computer with administrator, superuser or root privileges. Having complete control of the system, they can hide certain processes and files, prevent the antivirus from doing its job properly, bypass encryption systems… This is how they keep you from noticing that your system has been compromised.

Rootkits can be installed at the operating system level (the most common case), but they can also replace parts of the kernel or even the computer’s boot process: that way they get around whatever protection you have (the rootkit controls the entire computer from the moment it boots) and are very difficult to detect and remove.

How can we get infected?

That guy over there types very fast; he must be a hacker.

Once we know what a Trojan is, the next thing is to know how they can get onto the computer. There are many, many ways; let’s look at a few.

It may be through a vulnerability in a program you have installed (ahem, Flash, Java, Adobe Reader). You download a specially crafted file so that, when you open it, code is executed that installs the rootkit in question (mostly vulnerabilities due to buffer overflows).

It can also be through hardware and driver flaws. It would not be the first time someone took control of a computer by sending special packets to the WiFi antenna or to the Bluetooth radio. Moreover, if they get in this way they directly obtain administrator privileges to do whatever they want with the system.

It would not be the first time they have infected someone by sending data to their WiFi antenna.

Another possible door: direct manipulation of the files you download. A MITM (Man In The Middle) attack, placing software between your computer and the rest of the Internet, could modify an executable file you download by injecting code that installs a Trojan. So you think you are installing, say, Chrome, and you are actually installing Chrome with a gift from your friend the hacker.

And we don’t have to go that far. Someone with physical access to your computer can grab the mouse and keyboard and install the malware without any vulnerabilities or complications.

The moral is that if they want to go after you, they probably will. Sooner or later, your computer will be vulnerable. Even if your system is updated to the second and an antivirus is continuously scanning it, someone will find a vulnerability the manufacturer does not know about and take advantage of it to plant malware specially built to be undetectable by that antivirus. Still, there is no reason to make things easy, so let’s see how to protect ourselves.

How to protect a system against a Trojan

Put a padlock on it: the pinnacle of security.

High-security anti-hacker agenda.

We are not going to repeat the obvious: keep all your applications updated, use a good antivirus, do not download files from sites you don’t know … Nor that the only way to be 100% safe is not to use computers or connect to the Internet. Those are the tips for ordinary users, but if you are really concerned about your security we have something more original.

Let’s look at measures of this kind, from the least intrusive to those more typical of a true security paranoid.

No open WiFi networks, thank you.

First of all: never, ever, in your life, connect to an open WiFi network if you are the least bit concerned about security. Anyone can see your unencrypted traffic, anyone can see which ports are open on your computer, and they could even get into your accounts on non-HTTPS services with one click.

You can also secure your Internet connections by using HTTPS whenever possible, or by connecting through a VPN to prevent MITM attacks. If you download something, verify that it has not been modified along the way by calculating its hash and comparing it with the one given on the download page. Of course, also upload it to sites like VirusTotal to verify that it is not malware. Oh, and although it may not seem like it, a BitTorrent download is safer than a direct download.

If available, enable system file integrity checks in your antivirus. That way, the antivirus will verify that the system files have not changed since the last check. If they have changed and you don’t know why, that is bad news.
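The two hash checks recommended above (verifying a download against the published hash, and checking that system files have not changed since a known-good baseline) can be done by hand with standard tools. This is an added example, not code from the original article; it assumes a POSIX sh with GNU coreutils (sha256sum, cut, sort, tr) and find.

```shell
#!/bin/sh
# Added example, not code from the original article: the two SHA-256 checks
# the text recommends, done by hand with sha256sum.
#   verify_download  - compare a downloaded file with the hash published on the
#                      download page (you copy that hash in as the argument)
#   baseline_create  - record the hash of every regular file under a directory
#   baseline_verify  - report files that changed, vanished or appeared since then
# Assumes a POSIX sh with GNU coreutils (sha256sum, cut, sort, tr) and find.

# verify_download FILE EXPECTED_SHA256 -> 0 if the hashes match, 1 otherwise.
verify_download() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    # Published hashes are sometimes upper case; compare in lower case.
    [ "$actual" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# baseline_create DIR BASELINE -> writes "hash  ./path" lines, one per file.
# Take it right after a clean install and keep the file on read-only media.
baseline_create() {
    (cd "$1" && find . -type f -exec sha256sum {} +) | sort -k2 > "$2"
}

# baseline_verify DIR BASELINE -> prints one line per difference and returns 1
# if there was any; returns 0 silently when everything still matches.
baseline_verify() {
    dir=$1; base=$2
    report=$(
        # Files in the baseline that are gone or whose content changed.
        while read -r hash path; do
            if [ ! -f "$dir/$path" ]; then
                echo "MISSING  $path"
            elif [ "$(sha256sum "$dir/$path" | cut -d' ' -f1)" != "$hash" ]; then
                echo "MODIFIED $path"
            fi
        done < "$base"
        # Files present now that the baseline never saw (a new startup script,
        # a new binary...). Whole-line fixed-string match on the path.
        (cd "$dir" && find . -type f) | sort | while read -r path; do
            cut -d' ' -f3- "$base" | grep -qxF -- "$path" || echo "NEW      $path"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

A baseline is only as trustworthy as the moment it was taken, and a rootkit with kernel control can lie to sha256sum, so run the check from clean boot media (a live USB) rather than from the possibly compromised system itself.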

Separating user and administrator accounts is a simple and quite effective measure.

Separating user and administrator accounts is also a very simple and effective measure. I am not referring to things like Windows 8’s UAC, which asks you whether a program may make changes to the system, or to sudo on Linux. No. I mean having two different users, one for administration and one for everyday tasks. If you want to install a program, you log out of the user account, log in to the administrator account, and when you finish you go back to the user account. On Windows and Mac this means removing administration privileges from your account; on Linux, removing your username from the sudoers file so that you cannot use sudo but have to log in as a different user instead.

Using specialized programs to periodically check for possible intrusions is another good practice. You can go from the simple, with anti-rootkit tools like the one from Sophos, to more advanced programs like HijackThis or GMER.

Of course, keep in mind that the more advanced the program, the harder it is to use. Instead of doing everything automatically, these programs give you a lot of information so that you can decide what to do. You have to know very well what each warning means and what each removal option does.

Another measure that is quite effective but makes using the computer a lot more annoying: a firewall in strict mode. By that I mean blocking all communications by default and only allowing connections through certain ports for the applications you have explicitly defined. Basically the browser, the update system and little else.

Encrypting our system will protect our data against intrusions. If we encrypt the entire disk (including the OS), we will need a password to access the system, but from then on all the files appear unencrypted to our eyes (and to those of the programs running on the system). Encrypting only certain folders or files is more advisable if you only want to protect confidential data (password store, emails, calendar …). TrueCrypt is one of the best programs for encrypting your disk or system.

Make it difficult for the attacker: use less common systems.

We can also make things difficult by using more minority software. Don’t use Windows or Mac, use Linux. Don’t use Android or iOS either, use BlackBerry or Windows Phone (although if you are really concerned about security I don’t know what you are doing with a smartphone). Not because some are more secure than others, but because if you use a less common system there will be fewer tools and resources to attack it. Simple math: the fewer users, the less interest it holds for attackers. If you also use another processor architecture (ARM on the desktop, for example), there is a very high probability that the malware they send you will not even run on your system.

And if I use a mobile / tablet, how do I protect myself?

Android

With useless antivirus and no additional protection systems, mobiles are not safe.

Mobile or tablet security is a very delicate matter. First, because there is less protection software. There is antivirus only on Android, but it is as if there were none, because they are quite useless: they fail miserably when it comes to detecting malware that has been transformed using simple and well-known techniques.

But that is not the real problem. After all, you can avoid these mobile viruses if you are a little careful. But against other kinds of vulnerabilities we are completely defenseless, without detection systems like those a normal computer may have. Flaws in the applications, in the system itself, when connecting to spoofed WiFi networks (something not very difficult to do) …

The best thing you can do is encrypt the data on your mobile in case you ever lose it, but in any case, assume that mobile phones and tablets, for now and unless you are the Pentagon and have better protected versions of the system, are not safe.

In Engadget Android | Trojans on your Android? Don’t neglect security