What is Trojan Horse Malware?

Trojans are a specific type of malware that infects the target device by disguising itself as a legitimate application. Like the mythical Trojan Horse described in Homer’s Odyssey, it infiltrates the system by pretending to be something it is not. 

In the original story, the Greeks hid inside a giant wooden horse after failing to capture the city of Troy. The Trojans interpreted the horse as a gift from the gods to reward their patience and piety. After the Trojans moved the horse inside the city gates, the Greeks came out and opened the gates so the rest of the army could enter. 

How do Trojans work? 

Modern trojan malware works the same way as its ancient namesake. An attacker may hide malicious code in a legitimate file or document sent by email. When a user opens the attachment, it runs the malicious code, embedding itself in the system and taking control of that device.  

From there, the attacker may try to disable the device’s security controls and target it with more disruptive malware. Alternatively, the attacker may conduct reconnaissance and perform lateral movement across the network, hoping to gain access to more valuable systems. 

In a typical scenario, the malicious code may not actually activate until the user takes a predefined action. For example, the trojan may wait until the victim opens a secure work login page to start logging keystrokes. This could pave the way for a credential-based attack with catastrophic results. 
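The disguise described above usually comes down to a file that looks like a document but is not. As an added example (not code from the original article or from Lumifi), the following Python script applies two cheap checks a mail gateway or triage script can run on attachments: a "double extension" name such as invoice.pdf.exe, and a mismatch between the claimed extension and the file's leading magic bytes (for instance a ".jpg" whose content starts with the Windows PE marker "MZ"). The magic-byte values are well-known public constants; the attachments scanned at the bottom are constructed in memory for the demo.

```python
"""Flag e-mail attachments whose contents do not match what their names claim.

Added example; not code from the original article or from Lumifi.
Rule 1: a document-looking name whose real (last) extension is executable.
Rule 2: the file's magic bytes disagree with the extension it carries.
The sample attachments below are constructed for the demo, not real malware.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Map extensions to a content family, and families to their leading bytes.
# Office OOXML files (docx/xlsx) are ZIP containers, so they share a family.
FAMILY = {"pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
          "docx": "zip", "xlsx": "zip", "zip": "zip", "exe": "pe", "scr": "pe"}
MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n", "jpeg": b"\xff\xd8\xff",
         "zip": b"PK\x03\x04", "pe": b"MZ"}
# Extensions Windows runs directly on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "hta", "msi"}
# Extensions users expect to be inert documents or media.
DOCUMENT_EXTS = {"pdf", "png", "jpg", "jpeg", "docx", "xlsx", "zip", "txt"}


@dataclass
class Finding:
    filename: str
    reason: str


def extensions(filename: str) -> List[str]:
    """All lower-cased extensions in order, e.g. 'a.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def content_family(data: bytes) -> Optional[str]:
    """Identify the real format from its leading bytes; None if unrecognised."""
    for family, magic in MAGIC.items():
        if data.startswith(magic):
            return family
    return None


def check_attachment(filename: str, data: bytes) -> List[Finding]:
    """Return zero or more findings for one attachment."""
    findings: List[Finding] = []
    exts = extensions(filename)
    if not exts:
        return findings
    claimed = exts[-1]
    # Rule 1: document-looking name that actually ends in an executable type.
    if len(exts) >= 2 and claimed in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        findings.append(Finding(filename, f"double extension .{exts[-2]}.{claimed}"))
    # Rule 2: the bytes say one thing, the extension says another.
    actual = content_family(data)
    expected = FAMILY.get(claimed)
    if actual == "pe" and claimed not in EXECUTABLE_EXTS:
        findings.append(Finding(filename, f"PE executable disguised as .{claimed}"))
    elif expected and actual and expected != actual:
        findings.append(Finding(filename, f"content looks like {actual}, not .{claimed}"))
    return findings


def scan(attachments: Dict[str, bytes]) -> List[Finding]:
    """Run the checks over a name -> content mapping of attachments."""
    out: List[Finding] = []
    for name, data in attachments.items():
        out.extend(check_attachment(name, data))
    return out


# Constructed sample attachments: two benign, two disguised.
SAMPLE_ATTACHMENTS = {
    "report.pdf": b"%PDF-1.7\n% constructed sample\n",
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,   # executable with a document-style name
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,         # executable renamed to look like an image
    "quarterly.docx": b"PK\x03\x04" + b"\x00" * 26,    # genuine OOXML (ZIP) header
}

if __name__ == "__main__":
    for f in scan(SAMPLE_ATTACHMENTS):
        print(f"SUSPICIOUS {f.filename}: {f.reason}")
```

Both rules are deliberately simple and produce a verdict a user can understand ("this .jpg is really a program"); they complement, rather than replace, signature and sandbox scanning at the gateway.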

Some of the most common ways users introduce trojans onto their devices include: 

  • Downloading pirated media, especially popular software and paid content. 
  • Downloading unsolicited email attachments, like documents and photos. 
  • Accepting pop-up notifications without reading the message or understanding what they say. 
  • Neglecting to keep web browsers, operating systems, and software applications updated to the latest version. 

Mobile trojans 

Historically, most trojans targeted PCs running Windows, with a small minority targeting Macs and Linux devices. However, modern trojans now target the entire spectrum of endpoint devices — from desktops and laptops to smartphones and tablets running a wide range of operating systems. 

Mobile trojans may have wider capabilities that exploit the portable nature of the infected device. For example, the attacker may program the trojan to activate once an infected device connects to a corporate Wi-Fi connection and try to infect other devices from there. 

Trojans vs. viruses and worms 

Trojans are sometimes referred to as “Trojan Horse Viruses” or “Trojan Viruses”, but this term is misleading. Viruses are a type of malware that can replicate and self-execute. Trojans don’t do either of these things — they require specific, deliberate action from the target. 

Similarly, worms are designed to self-replicate and spread across devices in a network. Some trojans like QakBot have worm-like functionality, allowing them to spread throughout a network on their own. But QakBot is still considered a trojan because the initial compromise relies on tricking a user into executing a malicious script hidden in a seemingly legitimate application. 

10 types of Trojans 

The concept behind trojan malware is broad and applies well to many attack scenarios. Here are some examples of popular types of trojans and how they work: 

  • Exploit trojans take advantage of specific vulnerabilities in the target’s device. They may look for a certain application and leverage a known vulnerability in that application to grant the attacker control. 
  • Downloader trojans deliver malicious payloads to infected devices. These trojans are essentially vehicles for bypassing network security defenses and activating other types of malware. 
  • Ransom trojans identify sensitive or mission-critical IT assets and encrypt them, rendering them temporarily unusable. Hackers then directly extort the victim for money in return for a decryption key. 
  • Backdoor trojans grant attackers remote access to a device by creating a new, unsecured entry point for the attacker to exploit. This enables hackers to control victims’ devices as if they had physical access. 
  • Distributed Denial of Service (DDoS) trojans are designed to overwhelm network assets by flooding them with malicious traffic. They might take control of the user’s device entirely, turning it into a zombie device in a larger botnet. 
  • Fake antivirus trojans work by disguising themselves as antivirus programs. They target users who believe their devices have been compromised. Instead of fixing the problem, these trojans make it worse by downloading more dangerous malware onto the device. 
  • Rootkit trojans enable attackers to install malware payloads onto target devices using administrator-level access. This allows the malware to hide in plain sight and use its high-level permissions to disable other security tools. 
  • SMS trojans infect mobile devices and grant attackers control over their text message capabilities. This allows attackers to send messages without users’ knowledge and potentially receive one-time passwords from SMS-enabled multi-factor authentication (MFA) systems. 
  • Banking trojans have their own category because they specifically target financial account data, credit card numbers, and login credentials for electronic payment solutions. 
  • Infostealer trojans search for specific pieces of information on infected devices and send them back to the attacker. They may target email contact lists, sensitive system files, or browser-saved login credentials. Some variants can replace stolen data with new, false data. 

How to prevent Trojan malware infections 

Preventing trojan horse attacks requires developing good security policies and communicating them to users throughout the network. Cybersecurity awareness training can help users reduce risky behaviors and identify suspicious activities before they result in cyberattacks. 

Some of the things users can do to prevent trojan horse attacks include: 

  • Never downloading unsolicited or unexpected attachments. 
  • Using strong, unique passwords for all accounts and devices. 
  • Only accessing URLs that use the HTTPS protocol. 
  • Logging into sensitive accounts through new browser tabs or an official app instead of clicking on links. 

Security leaders and IT administrators need to enforce good cyber hygiene by developing strong policies and making sure users understand them. Some of the things you can do to protect your organization from trojan attacks include: 

  • Implementing an email phishing protection solution like Proofpoint. 
  • Deploying good vulnerability management practices that keep software applications patched to the current version. 
  • Investing in a secure backup solution that can protect against ransomware attacks. 
  • Educating users about the risks associated with shadow IT and enforcing compliance with security policies. 

How to detect and respond to Trojans 

Once a trojan infects a network asset, the incident response team must isolate the device from the rest of the network. If your network security architecture is segmented according to Zero Trust principles, the immediate damage should be minor. 

Detecting the initial infection relies on implementing tools capable of monitoring devices and assets for unusual behavior. It demands in-depth visibility into every corner of the enterprise tech stack and a well-equipped Security Operations Center (SOC). 

The following tools and platforms can help you neutralize trojan malware threats early on, limiting the damage and ensuring business continuity: 

The best solutions utilize machine learning to block trojan malware executions without relying on a previously known threat signature. Highly automated detection and response services like Lumifi ShieldVision™ keep organizations on top of evolving threats at a moment’s notice. 
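The behavioural monitoring described in this section can be illustrated with a small rule engine. The following Python script is an added example, not the article's or Lumifi's code: it turns three behaviours the article describes into rules over process-creation events, namely a document viewer spawning a shell or script host (a booby-trapped attachment running its payload), a command line that tampers with the host's protection, and a script host launched hidden or with an encoded command. The JSON event format, the field names and the sample events are all constructed for the demo; a real deployment would read them from the endpoint sensor's own log schema.

```python
"""Heuristic detection of trojan-style execution chains in process logs.

Added example; not code from the original article or from Lumifi.
Events are one JSON object per line with constructed field names
(host, pid, parent_image, image, command_line).
"""
import json
from typing import Dict, Iterable, List

# Applications that open user-supplied documents; they have no business
# spawning shells or script hosts.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS_AND_SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                           "mshta.exe", "rundll32.exe"}
# Command-line fragments associated with disabling protection or hiding execution.
# These are heuristics and will need tuning against a real environment's baseline.
TAMPER_MARKERS = ("set-mppreference", "disablerealtimemonitoring",
                  "netsh advfirewall set", "sc stop windefend")
HIDE_MARKERS = ("-encodedcommand", "-enc ", "-windowstyle hidden", "-w hidden")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: Dict) -> List[str]:
    """Return the names of the rules one process-creation event triggers."""
    hits: List[str] = []
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    cmdline = event.get("command_line", "").lower()
    if parent in DOCUMENT_APPS and child in SCRIPT_HOSTS_AND_SHELLS:
        hits.append("document_app_spawned_script_host")
    if any(marker in cmdline for marker in TAMPER_MARKERS):
        hits.append("security_tool_tampering")
    if child in SCRIPT_HOSTS_AND_SHELLS and any(marker in cmdline for marker in HIDE_MARKERS):
        hits.append("hidden_or_encoded_script_execution")
    return hits


def detect(lines: Iterable[str]) -> List[Dict]:
    """Run every rule over a stream of JSON-lines events; return the alerts."""
    alerts: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hits = evaluate(event)
        if hits:
            alerts.append({"host": event.get("host"), "pid": event.get("pid"),
                           "image": basename(event.get("image", "")), "rules": hits})
    return alerts


# Constructed sample events (raw string so the JSON backslash escapes survive).
SAMPLE_EVENTS = r"""
{"host": "ws-017", "pid": 4120, "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c start /min wscript.exe %TEMP%\\inv.js"}
{"host": "ws-017", "pid": 4133, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "command_line": "chrome.exe --profile-directory=Default"}
{"host": "ws-017", "pid": 5208, "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -nop -w hidden -enc QUJDRA=="}
{"host": "ws-017", "pid": 5310, "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"}
{"host": "ws-017", "pid": 5402, "parent_image": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "svchost.exe -k netsvcs"}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{alert['host']} pid={alert['pid']} {alert['image']}: {', '.join(alert['rules'])}")
```

The first alert is the one worth paging on: a word processor launching cmd.exe is the observable trace of the "open the attachment, run the payload" chain, and it fires before any later stage has to be recognised by signature. The two follow-on rules catch the defence-evasion steps the article mentions (disabling security controls, hiding execution), which is why they matter even when the first stage was missed.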
