Types of Trojan Programs: A Beginner’s Guide
Trojan programs (or Trojans) are malicious software that require activation by the user or another malicious program. They are named after the infamous mythological horse, as the harmful component enters the system disguised as a useful program or utility (think of hidden cryptocurrency miners, for example). Typically, a Trojan is offered as a legitimate application, but instead of the promised functionality, it performs actions that benefit cybercriminals. The main goal of Trojans is to carry out various destructive activities: from blocking programs or displaying ads to encrypting files and stealing payment system passwords.
Modern Trojans have evolved into complex forms such as backdoors (which intercept administrative functions of the operating system) and downloaders (which install malicious code on the victim’s computer).
These dangerous applications can perform the following unauthorized actions:
- Deleting data
- Blocking data
- Modifying data
- Copying data
- Slowing down computers and networks
Below is a classification of Trojan programs based on the actions they perform on a computer.
ArcBomb
ArcBomb Trojans are specially crafted archive files designed to cause abnormal behavior in archiving software when unpacked—such as freezing, significant slowdowns, or filling the disk with large amounts of “empty” data. There are three main types:
- Archives with incorrect headers or corrupted data, causing the archiver to crash or malfunction.
- Archives containing large objects made of repeating data, allowing huge files (e.g., 5 GB) to be compressed into a small archive (e.g., 200 KB).
- Archives with thousands of identical objects, which can be packed into a tiny archive using special methods (e.g., 10,000 identical files in a 30 KB RAR archive).
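The second and third ArcBomb types work because the archive's own metadata already betrays them: the central directory declares an uncompressed size wildly larger than the compressed size. The check below is an added defensive example, not code from the original guide; it uses only Python's standard library, and the thresholds (`max_ratio`, `max_total`, `max_members`) and the test fixtures are assumptions chosen for illustration. It also covers the first ArcBomb type (corrupted headers) by rejecting anything the parser cannot read, and because declared sizes can be falsified it adds a streaming extractor that stops at a byte budget rather than trusting the header.

```python
import io
import random
import zipfile

CHUNK = 64 * 1024


def build_sample_zip(payload: bytes, name: str = "payload.bin") -> bytes:
    """Build an in-memory ZIP with one member (constructed fixture, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def inspect_archive(data: bytes, max_ratio: float = 100.0,
                    max_total: int = 256 * 1024 * 1024, max_members: int = 10_000):
    """Inspect central-directory metadata only; nothing is decompressed here.

    Returns (safe, reasons). Thresholds are illustrative assumptions."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile as exc:
        # Type 1 ArcBomb: malformed headers / corrupted data -> reject outright
        return False, [f"not a valid ZIP archive: {exc}"]
    if len(infos) > max_members:
        # Type 3 ArcBomb: thousands of identical members in a tiny archive
        reasons.append(f"{len(infos)} members exceeds limit of {max_members}")
    total = sum(i.file_size for i in infos)
    if total > max_total:
        reasons.append(f"declared total {total} bytes exceeds limit of {max_total}")
    for i in infos:
        # Type 2 ArcBomb: repeating data yields an absurd expansion ratio
        if i.compress_size and i.file_size / i.compress_size > max_ratio:
            ratio = i.file_size / i.compress_size
            reasons.append(f"{i.filename}: ratio {ratio:.0f}:1 exceeds {max_ratio:.0f}:1")
    return not reasons, reasons


def extract_member_with_budget(data: bytes, name: str, budget: int):
    """Decompress one member in chunks, aborting as soon as output would exceed `budget`.

    Returns the bytes, or None if the budget was hit. This does not rely on the
    declared sizes, which an attacker controls."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as member:
        while chunk := member.read(CHUNK):
            if len(out) + len(chunk) > budget:
                return None
            out += chunk
    return bytes(out)


# Constructed fixtures: 1 MiB of zeros (deflate shrinks this roughly 1000:1) and
# 4 KiB of seeded pseudo-random bytes (essentially incompressible).
BOMB_LIKE = build_sample_zip(b"\0" * (1024 * 1024))
BENIGN = build_sample_zip(random.Random(7).randbytes(4096))

if __name__ == "__main__":
    for label, blob in (("bomb-like", BOMB_LIKE), ("benign", BENIGN), ("garbage", b"not a zip")):
        safe, reasons = inspect_archive(blob)
        print(f"{label:10s} {'safe' if safe else 'REJECT'} {reasons}")
```

Run the metadata check first because it costs nothing; keep the budgeted extractor as the second line of defence, since a member whose header under-reports its size passes the ratio check but still cannot exhaust disk or memory when extraction is capped.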
Backdoor
Backdoor Trojans allow attackers to remotely control infected computers. Once installed, attackers can send, receive, open, and delete files, display data, and reboot the system. Depending on the backdoor’s features, hackers can install and run any software, log keystrokes, upload and download files, and even activate the microphone or camera. Backdoors are often used to create botnets (zombie networks) for criminal purposes.
Some backdoors can spread across networks and infect other computers, similar to network worms. However, unlike worms, these backdoors only spread on command from their creator.
Banker
Banker Trojans are designed to steal credentials for online banking, electronic payments, and both credit and debit cards.
Clicker
Clicker Trojans are created to make unauthorized connections from the infected computer to specific internet resources (usually web pages). This is done by sending commands to the browser or replacing system files that store standard internet addresses (like the hosts file in Windows). Attackers may use Clickers to:
- Increase website traffic for ad revenue
- Organize DoS attacks on servers
- Attract potential victims for further infection
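Because the hosts file is consulted before DNS, a Clicker that rewrites it silently redirects the browser. A simple defensive check is to audit the file for mappings that point anywhere other than loopback or the null address. The script below is an added example, not part of the original guide; the sample hosts content, the `.test` hostnames, the documentation-range addresses and the `WATCHLIST` of hostnames that should never be overridden locally are all constructed assumptions.

```python
import ipaddress

# Constructed sample hosts file: the Windows defaults plus entries of the kind a
# Clicker might inject. Hostnames are hypothetical; addresses are documentation ranges.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example-bank.test
203.0.113.10    update.example-av.test   # constructed: redirected update server
10.0.0.5        intranet.corp.test
0.0.0.0         ads.example.test
"""

# Hypothetical list of hostnames whose resolution must never be overridden locally
# (your bank, your security vendor's update server, and so on).
WATCHLIST = {"www.example-bank.test", "update.example-av.test"}


def parse_hosts(text: str):
    """Yield (line_number, address_string, hostname) for every mapping.

    Comments (after '#') and blank lines are skipped; one line may list several names."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for hostname in parts[1:]:
            yield lineno, parts[0], hostname.lower()


def audit_hosts(text: str, watchlist=WATCHLIST):
    """Return a list of findings, each a dict with line, host, address, severity, reason."""
    findings = []
    for lineno, ip_str, hostname in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip_str)
        except ValueError:
            findings.append({"line": lineno, "host": hostname, "address": ip_str,
                             "severity": "info", "reason": "malformed address"})
            continue
        # 127.0.0.1, ::1 and 0.0.0.0 are the only targets a default file (or a
        # legitimate ad-blocking entry) uses; nothing to report for those.
        if addr.is_loopback or addr.is_unspecified:
            continue
        if hostname in watchlist:
            severity, reason = "high", "watchlisted hostname redirected"
        else:
            severity, reason = "info", "hostname mapped to a non-local address"
        findings.append({"line": lineno, "host": hostname, "address": ip_str,
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    # On a real Windows host the file lives at %SystemRoot%\System32\drivers\etc\hosts.
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"[{f['severity']}] line {f['line']}: {f['host']} -> {f['address']} ({f['reason']})")
```

Intranet-style mappings to private addresses are reported at "info" only, because administrators do legitimately add them; the point of the watchlist is that a redirection of a bank or update server is never legitimate and deserves an alert on its own.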
DoS
DoS Trojans are used to launch Denial of Service (DoS) attacks on target web addresses. In such attacks, infected computers send a massive number of requests to a specific system, overloading it and causing service outages for real users. Attackers often infect many computers with DoS Trojans (e.g., via spam campaigns), then use them all to attack a target. This is called a DDoS (Distributed Denial of Service) attack.
Downloader
Downloader Trojans can download and install new versions of malicious or adware programs on the victim’s computer. The downloaded programs are then either launched or set to run automatically. Downloaders are often used for the initial infection of computers visiting compromised web pages containing exploits.
Dropper
Droppers are used by hackers to secretly install Trojans and/or viruses hidden within the dropper itself, and to prevent detection by antivirus software (since not all antivirus programs can detect every component of such Trojans). After a Dropper is saved to disk (often in the Windows system folder), it runs—usually without any notification or with fake error messages. This achieves two goals:
- Stealthy installation of Trojans and viruses
- Protection from antivirus detection, as not all antivirus programs can scan all components inside such Trojans
Exploit
Exploits are programs or code that take advantage of vulnerabilities in software running on a computer for malicious purposes. Hackers use exploits to gain access to a victim’s computer and install malware (for example, infecting all visitors to a hacked website). Worms also use exploits to infect computers without the administrator’s knowledge. “Nuker” programs, which send specially crafted requests to crash a system, are a well-known example.
FakeAV
FakeAV programs mimic legitimate antivirus software. Attackers use them to extort money from users by promising to detect and remove non-existent threats.
GameThief
GameThief Trojans steal account information for online games and send it to the attacker.
IM
IM Trojans steal usernames and passwords for instant messaging programs like ICQ, MSN Messenger, Skype, and others, then send this information to the attacker. Data can be sent via email, FTP, web requests, and other methods.
Rootkit
Rootkits are programs designed to hide certain objects or activities in the system. Their main goal is to prevent the detection of malware, increasing the time it remains active on the infected computer. Rootkits themselves are not directly harmful, but they are almost always used by malware to extend its lifespan by making detection difficult. They typically hide registry keys (such as those responsible for auto-starting malware), objects and processes in memory, and malicious network activity. This is possible due to their deep integration with the operating system. Some rootkits (called bootkits) can even start before the operating system loads. However, modern antivirus programs are capable of detecting and neutralizing almost all types of rootkits.
Loader
Loader Trojans are small pieces of code used to download and install the full version of a malicious program. Once the loader enters the system (for example, via an email attachment or a malicious image), it connects to a remote server and downloads the rest of the malware.
Mailfinder
Mailfinder Trojans collect email addresses from the infected computer and send them to the attacker via email, HTTP, FTP, or other methods. Stolen addresses are then used for further spam or malware campaigns.
Notifier
Notifier Trojans secretly inform their creator that the infected computer is currently active (connected to the Internet). They send information such as the computer’s IP address, open port numbers, email address, etc. Notifiers are often used in multi-component Trojan packages to alert the attacker of a successful infection.
Proxy
Proxy Trojans allow attackers to gain unauthorized, anonymous access to various internet resources through the victim’s computer. These Trojans are often used to send spam via infected computers acting as mail proxy servers.
PSW (Password Stealing Ware)
PSW Trojans are designed to steal administrative account credentials (usernames and passwords) from infected computers. When launched, they search for this information in system files or the registry. If successful, the data is sent to the attacker. Some PSW Trojans also steal registration information for various software. PSW Trojans that target banking accounts, instant messaging, or gaming accounts are classified as Banker, IM, and GameThief Trojans, respectively. PSW is a separate category due to its prevalence.
Ransom
Ransom Trojans can alter data on the computer so that it no longer works properly, or the user loses access to certain data. The attacker promises to restore normal operation or unlock the data after receiving a ransom payment.
Hopefully, this guide will make it easier for you to understand articles about Trojans!