Trojans are tools used by attackers to get victims to click on something they shouldn’t. They’re currently one of the most commonly seen items of malware, and just like their ancient Greek namesake, they are equal parts social engineering and malicious payload.

What is a trojan, and what does it look like?

Trojans are a form of malware disguised as legitimate downloads, email attachments or programs to deceive users into downloading and opening them. This last part is crucial: for a trojan to work, the user must be tricked into executing it. This is a key point of difference between a trojan and a virus. Another is that, while a virus self-replicates, a trojan does not. That doesn’t mean, however, that a trojan’s payload doesn’t get up to some pretty nasty tricks.

In email attacks, trojans can be the payload of a phishing email. Phishing is the practice of sending emails intended to trick users into a variety of errors: sharing personal or company information, or otherwise providing access to a system. That access can be obtained by sending a malicious payload to the victim; a trojan is one such type of malicious program.

While email attachments are a common delivery method, trojans are also disguised as software downloads, media files and more. In some cases, they have been inserted into fake software updates that users are manipulated into downloading and running.

Typically, trojans enable attackers to achieve remote access, steal data, and maintain persistence: in plain language, trojans allow attackers to get and keep access to a compromised system in order to steal sensitive information.

When we talk about systems in this context, it’s worth noting that this includes smartphones: your Android or Apple mobile device can be compromised with trojans just like any PC or Mac.

A historic example: Zeus

The Zeus or ZBot trojan is best known for being used to steal customers’ banking details, but it has also helped attackers steal tens of thousands of FTP logins at major financial institutions and dupe tech support customers into paying for non-existent fixes. The trojan first came to light in 2007 before being temporarily disrupted by law enforcement three years later. It’s difficult to keep an effective trojan down, however, and Zeus copies and derivatives have continued to pop up in the years since, albeit with less impact.

A brief history of trojan horse malware

The term trojan has been used in computer security for over 50 years; the first Unix manual, published in 1971, includes use of the term. A US Air Force report from 1974 includes the term in an evaluation of the vulnerabilities in the Multics time-sharing operating system.

Why use an ancient myth to describe a computing attack?

The myth of the Trojan Horse is well-known but it bears repeating, not least because the various characters and devices involved are mirrored by modern day trojan horses.

After a costly, decade-long siege of the city of Troy, an army of Greeks is persuaded by Odysseus to pretend to give up and sail away in its invasion fleet, leaving behind a large wooden horse as an offering. A Greek warrior, Sinon, stays behind and persuades the Trojan defenders that the horse is an offering that, if taken into the city, will allow the Trojans to conquer Greece. Despite warnings from a priest, the Trojans drag the horse inside the city walls, and after dark the soldiers hidden inside it emerge to open the city gates and let the returning Greek army enter and sack Troy.

Modern Trojans mirror this story: defenders are presented with the opportunity of enrichment (the horse); a dubious interloper persuades the victim of its value (Sinon) and, despite plenty of warnings (the priest) the gift is brought inside the victim’s device and past its defenses, ultimately resulting in a compromise.

In real life, a modern trojan attack looks something like this: an attacker posing as a recruiter contacts the victim via email to discuss a job that sounds too good to be true. After initial contact, the attacker sends the victim a file that they say contains further information: a job description, contract or offer letter. When this file – often disguised as a PDF or Word document – is opened by the victim, it launches its malicious payload, which could be spyware, ransomware, software that connects the device to a botnet, or other malware. Through social engineering, the attacker has tricked the victim into letting down their defenses and doing something that ordinarily they might never consider doing.

Trojans are enormously versatile tools for attackers: given the right approach, they can be used to persuade victims to run malicious code.

Trojan attack types

We’ve already talked about the use of trojans in phishing and other social engineering-type attacks, but attackers use trojans for other tasks, too.

  • Downloaders are trojans whose only purpose is to download more malicious software to the victim’s device and run it. This behavior is similar to that of adware, which is sometimes bundled in with legitimate software package downloads.
  • Droppers act as carriers for a malicious file, carrying it as part of the trojan and installing and running the malicious payload once triggered by the victim.
  • Backdoors or Remote Access Trojans (RATs) are more sophisticated, often containing a number of different tools that equip attackers to gain full access to an infected system. RATs allow attackers to send and receive files from an infected device, log keystrokes and take screenshots.
  • Keyloggers, now more often seen as a feature in infostealers, have historically featured as a trojan payload. While there are legitimate uses for keylogging software, it’s unlikely that a legitimate keylogger will be delivered via a trojan.
  • Packers, also known as protectors or cryptors, are designed to allow trojans to pass unnoticed by antivirus software or by malware analysts on security teams, who must first unpack the software to figure out its purpose. It’s worth noting that packers are also used for compressing legitimate applications or preventing their piracy or reverse engineering.
  • DDoS and Botnet trojans do what they say: these use infected devices to mount Distributed Denial of Service (DDoS) attacks or to power Botnets. Trojans can also be used to install mining software to generate cryptocurrency.
  • Banking trojans are some of the most damaging types of trojan, and use many of the above techniques to steal banking credentials. Banking trojans are nowadays interchangeable with infostealers and other attack techniques, and it’s rare to see a dedicated banking trojan in the wild. Past examples include Grandoreiro, which targeted customers of Brazilian banks before being disrupted in 2024, and Trickbot, which grew from an effective banking trojan to a more all-encompassing malware over time before collapsing after the group behind it fell out over the invasion of Ukraine.

What’s the impact of a trojan attack?

For individuals and businesses, a successful trojan attack can be incredibly disruptive. Direct financial losses are an immediate outcome of trojans that aim to steal banking credentials. Data breaches, theft of private data and more are also high on the list of impacts. All of this, and the downtime required to identify and remove the malware and the source of the infection, creates operational disruption to affected businesses and considerable inconvenience, stress and loss to individual or private users.

Common infection vectors

We’ve already talked about trojans delivered in the guise of legitimate files over email, and as malware bundled with legitimate applications, but another source of infection is websites: either sites designed to deliver drive-by downloads or encourage users to make risky clicks, or legitimate websites that have been compromised by attackers to do the same. Drive-by downloads are another social engineering trick that scams unsuspecting users into downloading a malicious file. What might look like a simple link to another page or resource is, in fact, a download link to a trojan with a malicious payload.

How do I know if I’ve fallen victim to a trojan attack?

Unfortunately, the symptoms of compromise by a trojan are broadly similar to those of a PC or smartphone that’s starting to show its age. Generally, you’ll notice your device might start to run slower, new apps you didn’t download start appearing, pop-up windows and alerts suddenly appear – and just as suddenly disappear – and you may find that your bank account, personal data and communications channels such as email and social media are compromised. It’s also a bad sign if your device freezes or crashes regularly.

Also look at unusual network activity – if your devices are suddenly using a lot more data, it may be a sign that they’re compromised and are either exfiltrating your data or being used to mine cryptocurrencies, take part in DDoS attacks, or download more malicious software.
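A concrete way to spot the "suddenly using a lot more data" symptom described above is to compare each device's latest upload volume with its own recent history. The script below is an added example, not code from the original article or from ESET; the usage records in it are constructed sample data standing in for what a home router or a network monitoring tool would export (one row per device per day with the bytes sent upstream), and the threshold values are assumptions chosen for illustration.

```python
"""Flag devices whose upstream data volume jumps well above their own baseline.

Added example: the records are constructed sample data, and the thresholds
(factor, ratio) are illustrative assumptions, not recommended values.
"""
from statistics import mean, pstdev

# Constructed sample: (device, day, bytes_sent). The laptop's last day shows
# the kind of sudden upload jump that can indicate exfiltration or botnet
# activity; the phone stays within its normal range.
SAMPLE_USAGE = [
    ("laptop", "day1", 120_000_000),
    ("laptop", "day2", 95_000_000),
    ("laptop", "day3", 130_000_000),
    ("laptop", "day4", 110_000_000),
    ("laptop", "day5", 105_000_000),
    ("laptop", "day6", 2_400_000_000),
    ("phone", "day1", 40_000_000),
    ("phone", "day2", 45_000_000),
    ("phone", "day3", 38_000_000),
    ("phone", "day4", 50_000_000),
    ("phone", "day5", 42_000_000),
    ("phone", "day6", 52_000_000),
]


def group_by_device(records):
    """Return {device: [bytes_sent, ...]} preserving the input (chronological) order."""
    history = {}
    for device, _day, sent in records:
        history.setdefault(device, []).append(sent)
    return history


def find_spikes(records, factor=3.0, ratio=2.0, min_history=3):
    """Return {device: (latest_bytes, baseline_mean)} for each device whose
    most recent day's upload is both more than `factor` standard deviations
    above its earlier days and more than `ratio` times their mean.

    Each device is compared only with itself, so a machine that always
    uploads a lot (a backup client, say) is not flagged, while a normally
    quiet device that suddenly uploads gigabytes is. The ratio guard stops a
    device with a near-constant history (tiny standard deviation) from being
    flagged over a small wobble.
    """
    flagged = {}
    for device, sent in group_by_device(records).items():
        if len(sent) < min_history + 1:
            continue  # not enough history to form a baseline
        earlier, latest = sent[:-1], sent[-1]
        base_mean = mean(earlier)
        threshold = max(base_mean + factor * pstdev(earlier), ratio * base_mean)
        if latest > threshold:
            flagged[device] = (latest, base_mean)
    return flagged


if __name__ == "__main__":
    for device, (latest, base) in find_spikes(SAMPLE_USAGE).items():
        print(f"{device}: sent {latest / 1e6:.0f} MB, baseline {base / 1e6:.0f} MB/day")
```

A flagged device is a prompt to investigate (run a scan, check which process is sending the data), not proof of compromise: a large cloud backup or an OS upgrade produces the same spike, which is why the comparison is against the device's own history rather than a fixed number.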

Trojans can infect smartphones and tablets as well as PCs and Macs, and attackers are skilled at social engineering, creating what looks like fantastic opportunities or urgent threats that drive users toward clicking on something they shouldn’t. For this reason, it’s always worth taking a moment before clicking on that pop-up, downloading that free file or opening that attachment.

Detection and Prevention

Good antivirus and anti-malware software is hugely important – as is using reputable cybersecurity providers. Home users should look for software that has been tested by a reputable lab. AV-Comparatives, AV-Test and SE Labs are good examples, but other ‘test labs’ may need a little more care, as some are actually affiliate marketers who give top marks to software that earns them a commission on sales. Another excellent source of information is reputable computing magazines such as ComputerWoche, PCMag, TechRadar and PC World.

Business users should look at enterprise security systems, starting with endpoints and then firewall and other network defenses.

Other than that, there are several other things it’s important for all types of user to do:

  • Firstly, turn on automatic software updates, and avoid downloading or running patches from elsewhere if possible. Attackers can try to trick users into opening a trojan by introducing it as an urgent patch.
  • The same goes for pirated software and some freeware, which can sometimes contain software you didn’t ask for, including the trojan’s distant cousin: adware.
  • Both businesses and home users should also brush up on their scam identification: phishing training is readily available for commercial users, but reading up on the warning signs is something anyone can do.
  • A final piece of best practice: regularly back up your data and secure it. This might mean regularly copying important files over to a physical drive, or using an online backup service. Either way, knowing you have the option to erase your device and start again if the worst should happen can be reassuring.

What to do if you suspect a trojan is on your device?

For Windows PCs, the following steps are worth following:

  • Go offline and isolate the device. Disconnect from the Wi-Fi network – this stops the trojan communicating with its controller and stops it from spreading to further devices.
  • Most of the major antivirus solutions evaluated by independent test labs such as AV‑TEST, SE Labs and AV‑Comparatives are capable of identifying and stopping trojans before they get a chance to infect your device. ESET’s core malware protection technology is among those regularly tested - so if you don’t have antivirus protection installed, now is the time to get protected. Download ESET HOME Security Premium to secure your device against trojans and other threats.
  • Next, run a full system scan with your antivirus software, delete or quarantine any infected or suspect files, and, once you’re confident the infection has been removed, reconnect to the internet to update Windows, including any security patches.

macOS is a little different – although disconnecting from the network is the same first step. Apple includes a tool called XProtect, which uses YARA signatures to identify malware including trojans. This tool runs whenever an app is first launched, and when the app is changed in the macOS file system. XProtect also runs when the YARA signatures are updated. Any malware discovered goes straight into the macOS Rubbish Bin. There are a couple of other capabilities – Notarisation and Gatekeeper – that reduce the chances of suspect apps getting onto the Mac in the first place.

While this is a great start, we’d still recommend running a good third-party AV tool to check from time to time, and also that you keep macOS updated to the latest version automatically, not least because it’s also how XProtect updates its signatures.

Removing trojans on mobile devices

Smartphones and tablets are not immune, but the nature of the two main operating systems – Android and iOS – means different procedures are needed to identify and remove trojans and other malware. Google has a short, useful guide for Android devices that’s worth following, and ESET happens to have a fresh and up-to-date guide for iOS here. It’s worth noting that ESET provides both free and premium antivirus packages for Android devices with ESET Mobile Security.


One thing that’s worth doing generally for mobile devices is to completely turn them off and then back on once every week or so. This clears out any zero-click nasties that may be running in the device’s memory – and it’s something the US National Security Agency – no stranger to trojans – recommends itself as part of general best practice.

Conclusion

Attackers use social engineering to persuade victims to activate malicious content delivered by a trojan, and as a result, one of the best defenses against this type of malware is good practice and vigilance. Taking a moment to think about whether you should click on that download, attachment or link remains one of the most effective lines of defense against trojans. But no-one is truly immune from this sort of attack, and all it takes is a moment of distraction. That’s why having the right tools to identify, stop and, if necessary, remediate are vital.

Frequently asked questions

1. What do you mean by trojan?

A trojan is malware disguised as a legitimate file, intended to persuade victims to execute a malicious executable.

2. What is an example of a trojan?

An early example is the Zeus or ZBot banking trojan, but recent examples include Agent Tesla, a trojan that has circulated since 2014.

3. Why is it called a Trojan Horse?

It’s a reference to the wooden horse that was used to smuggle Greek soldiers into the city of Troy, leading to its downfall after a ten-year siege. Modern trojans also appear harmless or benevolent on the surface but contain malicious ingredients.

4. What happens if you get a trojan?

It’s likely you’ll lose control of your device, and possibly anything you use to access it with: bank, email and social media accounts and so on.

5. How harmful is a trojan?

Disruptive or destructive malware is pretty rare (apart from some examples from the conflict in Ukraine), and most trojans are delivery tools for infostealers – which will look for things like passwords or banking details. Ensuring you have good cybersecurity tools in place and pause to think before clicking on files and downloads can help avoid the problem in the first place.

6. How do I know if I have a trojan?

Without a decent antivirus, you probably won’t even notice, unfortunately. One of the problems is that (as noted above) signs of a trojan infection are often very similar to running an old PC or device that’s a bit crufted up. In some cases, you may notice a sudden drop in performance – your device might run more slowly. Look for new programs running that you don’t remember installing, programs suddenly opening and closing with no warning, a spate of pop-up messages in your web browser or operating system alerts, or a sudden increase in spam messages. If you can access Task Manager in Windows (or run top -u in the Terminal on macOS) then look for unusual programs using a lot of disk, processor or memory resources.
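The "look for unusual programs using a lot of disk, processor or memory" advice above can be turned into a repeatable first-pass triage of a process listing. The script below is an added example, not code from the original article or from ESET; the listing it parses is a constructed sample in the shape of output from `ps -axo user,pid,%cpu,%mem,comm` on macOS (the column layout is an assumption you should check against your own system), and the resource thresholds and the list of suspect directories are illustrative assumptions.

```python
"""Triage a process listing for resource hogs and odd executable locations.

Added example, not part of the original article. SAMPLE_PS is constructed
sample data in the shape of `ps -axo user,pid,%cpu,%mem,comm` output
(assumed layout: user, pid, %cpu, %mem, command path).
"""
from dataclasses import dataclass, field

# Constructed sample listing. The fake "updater" running from a hidden
# temporary directory at high CPU is the kind of entry worth a closer look.
SAMPLE_PS = """\
USER  PID %CPU %MEM COMMAND
alice 412  1.2  3.4 /Applications/Safari.app/Contents/MacOS/Safari
alice 518 87.5  1.1 /private/tmp/.cache/updater
root  101  0.3  0.8 /usr/libexec/syslogd
alice 640  2.0 41.0 /Applications/Photos.app/Contents/MacOS/Photos
"""

# Directories from which a properly installed application rarely runs on
# macOS; a binary here deserves a second look (assumption for the example).
SUSPECT_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


@dataclass
class Finding:
    pid: int
    command: str
    reasons: list = field(default_factory=list)


def parse_ps(text):
    """Return [(user, pid, cpu, mem, command), ...] from header-prefixed ps output.

    The command is the last column and may contain spaces, so the line is
    split into at most five fields.
    """
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        if not line.strip():
            continue
        user, pid, cpu, mem, command = line.split(None, 4)
        rows.append((user, int(pid), float(cpu), float(mem), command))
    return rows


def triage(text, cpu_limit=50.0, mem_limit=30.0):
    """Return a Finding for every process that trips at least one check.

    Checks: sustained CPU above cpu_limit, memory above mem_limit, and an
    executable living in a temporary or hidden directory. Each reason is
    recorded so the reader can judge the evidence rather than trust a
    single verdict.
    """
    findings = []
    for _user, pid, cpu, mem, command in parse_ps(text):
        reasons = []
        if cpu >= cpu_limit:
            reasons.append(f"cpu {cpu:.1f}% >= {cpu_limit}%")
        if mem >= mem_limit:
            reasons.append(f"mem {mem:.1f}% >= {mem_limit}%")
        if command.startswith(SUSPECT_DIRS) or "/." in command:
            reasons.append("runs from a temporary or hidden path")
        if reasons:
            findings.append(Finding(pid, command, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PS):
        print(f"PID {finding.pid} {finding.command}: " + "; ".join(finding.reasons))
```

Note that Photos is flagged purely for memory use: a legitimate application busy with a large library looks the same as malware on this check alone, which is why the script reports reasons rather than verdicts. The entry that combines high CPU with an executable in a hidden temporary directory is the one to hand to a full antivirus scan.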

7. What is the most famous Trojan Horse?

Probably Zeus, purely for its financial impact.

8. Are mobile devices susceptible to Trojan Horse viruses?

Absolutely. Both Android- and iOS-powered devices can be, and are, compromised with trojans every day. It’s also possible for IoT devices to fall victim to trojans.

9. What are the best practices for preventing trojan infections?

The first two things are actually general best practice:
- ensure you have a reliable antivirus tool on your device, and
- update the device’s Operating System and apps regularly.

A few other suggestions to remember:
- if something seems too good (or urgent) to be true – don’t click on it,
- don’t click on odd pop-ups when web browsing,
- avoid opening email attachments unless they’re already virus-scanned and are from a sender you know,
- use multifactor authentication (preferably using an authenticator app) and ensure software updates are automatically applied for your system and applications,
- finally: use a good antivirus application.