A Trojan horse is a computer program which carries out malicious operations without the user's knowledge. The name "Trojan horse" comes from the Greek legend of the siege of the city of Troy by the Greeks; the story is told in Homer's Odyssey and in Virgil's Aeneid (the Iliad, often cited for it, ends before the horse is built).
Legend has it that the Greeks, unable to penetrate the city's defences, pretended to give up the siege and left a giant wooden horse before the city as a gift offering.
The Trojans (the people of the city of Troy) accepted this seemingly harmless gift and brought it within the city walls. However, the horse was filled with soldiers, who came out at nightfall, while the town slept, to open the city gates so that the rest of the army could enter.
Thus, a Trojan horse (in the world of computing) is a hidden program which secretly runs commands, and usually opens up access to the computer running it by installing a backdoor. It is often simply called a Trojan.
Like a virus, a Trojan horse is a piece of harmful code hidden inside an apparently legitimate program (for example a fake file-listing command which deletes files instead of displaying the list).
A Trojan horse may, for example:
- steal passwords;
- copy sensitive data;
- carry out any other harmful operation.
Worse, such a program can create an intentional security breach within your network, so as to give outside users access to protected areas on the network.
The most common Trojan horses open a port on the machine and listen on it, giving their designer a backdoor through which to enter your computer over the network; Back Orifice is one well-known example of such a backdoor.
A Trojan horse is not necessarily a virus, as its goal is not to reproduce itself to infect other machines. On the other hand, some viruses may also be Trojan horses; that is, they might spread like viruses and open ports on infected machines.
Detecting such a program is difficult because you must be able to determine whether an action is being carried out by the Trojan horse or by the user.
Symptoms of infection
Infection by a Trojan horse usually comes after opening an infected file containing the Trojan horse (see the article on protecting yourself from worms) and may be indicated by the following symptoms:
- Abnormal activity by the modem, network adapter or hard drive: data is being transferred without any action by the user;
- Strange reactions from the mouse;
- Programs opening unexpectedly;
- Repeated crashes.
Principle of a Trojan horse
A Trojan horse is usually (and increasingly) intended to open a port on your machine so that an attacker can take control of it (for example to steal personal data stored on the hard drive). The attacker's plan is therefore to infect your machine first, by getting you to open an infected file containing the Trojan, and then to reach the machine through the port it has opened.
However, to connect to your machine, the attacker normally has to know its IP address. So:
- Either you have a fixed IP address (as with businesses, or individuals with a cable or similar always-on connection), in which case it can easily be discovered;
- or your IP address is dynamic (reassigned each time you connect), as with dial-up modem connections, in which case the attacker must scan ranges of IP addresses, trying the Trojan's port on each one, to find the addresses which correspond to infected machines.
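The scan described above, reduced to one host and a short port list, as an added example that is not part of the original article: the same TCP connection attempt serves an attacker looking for infected machines and a defender checking their own address from outside. The port numbers and names in TROJAN_PORTS come from the table later on this page; the simulated listener, the "closed control port" and the function names are this example's own, and the listener exists only so that the script runs offline.

```python
"""Connect scan of Trojan ports against one host.

Added example (not from the original article): try a TCP connection to each
port in a (port, name) list and keep the ones that complete a handshake.
A constructed stand-in for a Trojan's listener is started on 127.0.0.1 so the
example runs offline; TROJAN_PORTS is a subset of the article's table.
"""
import socket
import threading
from typing import Dict, List, Tuple

# Subset of the article's port table (TCP ports only).
TROJAN_PORTS: Dict[int, str] = {
    1243: "SubSeven",
    12345: "NetBus",
    20034: "NetBus 2 Pro",
    27374: "SubSeven 2.0",
    31337: "Back Orifice (BO client)",
    54320: "Back Orifice 2000",
}


def port_accepts_connection(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP handshake completes with host:port within timeout.
    Refused, filtered (timed out) and unreachable ports all return False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_host(host: str, ports: Dict[int, str], timeout: float = 0.5) -> List[Tuple[int, str]]:
    """Return the (port, name) pairs from `ports` that accept connections on host."""
    return [(port, name) for port, name in sorted(ports.items())
            if port_accepts_connection(host, port, timeout)]


def start_simulated_backdoor() -> Tuple[socket.socket, int, threading.Event]:
    """Constructed stand-in for a Trojan's listener: binds 127.0.0.1 on an
    ephemeral port and accepts (then drops) connections in a daemon thread.
    Returns the socket, its port and a stop flag for clean shutdown."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def accept_loop() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:  # socket closed by the caller
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port, stop


def demo() -> List[Tuple[int, str]]:
    """Run the scan against the simulated backdoor plus one closed port."""
    srv, port, stop = start_simulated_backdoor()
    try:
        # Constructed target list: the live stand-in and a port nothing listens on.
        targets = {port: "simulated backdoor", 1: "closed control port"}
        return scan_host("127.0.0.1", targets)
    finally:
        stop.set()
        srv.close()


if __name__ == "__main__":
    for open_port, name in demo():
        print(f"127.0.0.1:{open_port}/tcp accepts connections: {name}")
    # Against a real host you would call scan_host(host, TROJAN_PORTS).
```

A completed handshake only proves that something is listening; it does not identify the program, so a hit on a port from the table is a lead to be checked on the machine itself, not a verdict.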
Protect yourself from Trojans
Installing a firewall (a program which filters data entering and leaving your machine) blocks this kind of intrusion: an inbound connection to the port the Trojan opened is dropped before it reaches the Trojan. A firewall monitors both data leaving your machine (normally initiated by the programs you are using) and data entering it. Note that the firewall does not remove the Trojan itself, and a Trojan that connects outwards to its controller instead of waiting for an inbound connection is only caught by the outbound filtering, which is why the connection prompts described under "In case of infection" should be taken seriously. The firewall may also report unknown outside connection attempts even if nobody is specifically targeting you: they may be tests carried out by your Internet service provider, or someone randomly scanning a range of IP addresses.
For Windows systems, there are two free high-performance firewalls:
In case of infection
If a program whose origins you are unsure of attempts to open a connection, the firewall will ask you to confirm it before allowing the connection. It is important not to authorize connections for a program you don't recognise, because it might very well be a Trojan horse.
If this happens repeatedly, it is worth checking that your computer isn't affected by a Trojan, using a program that detects and deletes them (called an anti-Trojan).
One example is The Cleaner, which can be downloaded from http://www.moosoft.com.
List of ports commonly used by Trojans
Trojan horses commonly open a port on the infected machine and wait for a connection on that port, through which the attacker gains total control over the computer. Here is a (non-exhaustive) list of the most common ports used by Trojan horses (source: Site de Rico). A listening port on its own is not proof of infection: 21, 23 and 25 are also the standard FTP, Telnet and SMTP ports, and any program can be configured to use any port number, so always identify the process that owns the port before concluding anything.
| Port (UDP where marked, otherwise TCP) | Trojan horse(s) |
|---|---|
| 21 | Back Construction, Blade Runner, Doly, Fore, FTP trojan, Invisible FTP, Larva, WebEx, WinCrash |
| 23 | TTS (Tiny Telnet Server) |
| 25 | Ajan, Antigen, Email Password Sender, Happy99, Kuang 2, ProMail trojan, Shtrilitz, Stealth, Tapiras, Terminator, WinPC, WinSpy |
| 31 | Agent 31, Hackers Paradise, Masters Paradise |
| 555 | Ini-Killer, NetAdmin, Phase Zero, Stealth Spy |
| 666 | Attack FTP, Back Construction, Cain & Abel, Satanz Backdoor, ServeU, Shadow Phyre |
| 999 | Deep Throat, WinSatan |
| 1010 to 1015 | Doly trojan |
| 1170 | Psyber Stream Server, Streaming Audio Trojan, Voice |
| 1234 | Ultors Trojan |
| 1243 | BackDoor-G, SubSeven, SubSeven Apocalypse |
| 1245 | VooDoo Doll |
| 1269 | Mavericks Matrix |
| 1349 (UDP) | BO DLL |
| 1509 | Psyber Streaming Server |
| 2001 | Trojan Cow |
| 2140 | Deep Throat, The Invasor |
| 2155 | Illusion Mailer |
| 2283 | HVL Rat5 |
| 2600 | Digital RootBeer |
| 2801 | Phineas Phucker |
| 2989 (UDP) | RAT |
| 3129 | Masters Paradise |
| 3150 | Deep Throat, The Invasor |
| 3459 | Eclipse 2000 |
| 3700 | Portal of Doom |
| 3801 (UDP) | Eclypse |
| 4567 | File Nail |
| 5000 | Bubbel, Back Door Setup, Sockets de Troie |
| 5001 | Back Door Setup, Sockets de Troie |
| 5011 | One of the Last Trojans (OOTLT) |
| 5400 | Blade Runner, Back Construction |
| 5401 | Blade Runner, Back Construction |
| 5402 | Blade Runner, Back Construction |
| 5512 | Illusion Mailer |
| 5556 | BO Facil |
| 5557 | BO Facil |
| 6400 | The Thing |
| 6670 | Deep Throat |
| 6771 | Deep Throat |
| 6776 | BackDoor-G, SubSeven |
| 6912 | Shit Heep (not port 69123) |
| 6969 | GateCrasher, Priority, IRC 3 |
| 7000 | Remote Grab, Kazimas |
| 7789 | Back Door Setup, ICKiller |
| 9872 | Portal of Doom |
| 9873 | Portal of Doom |
| 9874 | Portal of Doom |
| 9875 | Portal of Doom |
| 9876 | Cyber Attacker |
| 10067 (UDP) | Portal of Doom |
| 10167 (UDP) | Portal of Doom |
| 10520 | Acid Shivers |
| 11000 | Senna Spy |
| 11223 | Progenic trojan |
| 12223 | Hack'99 KeyLogger |
| 12345 | GabanBus, NetBus, Pie Bill Gates, X-bill |
| 12346 | GabanBus, NetBus, X-bill |
| 13000 | Senna Spy |
| 17300 | Kuang2 The Virus |
| 20034 | NetBus 2 Pro |
| 23456 | Evil FTP, Ugly FTP, Whack Job |
| 23476 | Donald Dick |
| 23477 | Donald Dick |
| 26274 (UDP) | Delta Source |
| 27374 | SubSeven 2.0 |
| 29891 (UDP) | The Unexplained |
| 30029 | AOL trojan |
| 30303 | Sockets de Troie |
| 31336 | Bo Whack |
| 31337 | Baron Night, BO client, BO2, Bo Facil |
| 31337 (UDP) | BackFire, Back Orifice, DeepBO |
| 31338 | NetSpy DK |
| 31338 (UDP) | Back Orifice, DeepBO |
| 31339 | NetSpy DK |
| 31666 | Bo Whack |
| 31789 (UDP) | Hack'a'Tack |
| 31791 (UDP) | Hack'a'Tack |
| 33911 | Spirit 2001a |
| 34324 | BigGluck, TN |
| 40412 | The Spy |
| 40421 | Agent 40421, Masters Paradise |
| 40422 | Masters Paradise |
| 40423 | Masters Paradise |
| 40426 | Masters Paradise |
| 47262 (UDP) | Delta Source |
| 50505 | Sockets de Troie |
| 50766 | Fore, Schwindler |
| 53001 | Remote Windows Shutdown |
| 54320 | Back Orifice 2000 |
| 54321 | School Bus |
| 54321 (UDP) | Back Orifice 2000 |
| 60000 | Deep Throat |
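The check a practitioner actually wants from this table is to compare it with what is listening on the machine right now. The following is an added example, not code from the original article: it parses lines in the format printed by Windows `netstat -ano`, keeps only sockets waiting for inbound traffic (TCP in LISTENING state, or any bound UDP socket) and reports those whose port appears in the table, together with the owning PID. The netstat output below is constructed for the example, only a subset of the table is embedded in TROJAN_PORTS, and the COMMON_SERVICE_PORTS set and the "confidence" labels are this example's own way of flagging ports that legitimate services also use.

```python
"""Correlate `netstat -ano` output with the article's Trojan port table.

Added example, not part of the original article. Sockets that are merely
ESTABLISHED on a listed port are ignored: only a socket waiting for an
inbound connection matches the behaviour the table describes.
"""
import re
import sys
from typing import Dict, List, Tuple

# Subset of the article's table, keyed by (protocol, port).
TROJAN_PORTS: Dict[Tuple[str, int], str] = {
    ("TCP", 21): "Back Construction, Blade Runner, Doly, Fore, FTP trojan, "
                 "Invisible FTP, Larva, WebEx, WinCrash",
    ("TCP", 1243): "BackDoor-G, SubSeven, SubSeven Apocalypse",
    ("TCP", 6776): "BackDoor-G, SubSeven",
    ("TCP", 12345): "GabanBus, NetBus, Pie Bill Gates, X-bill",
    ("TCP", 12346): "GabanBus, NetBus, X-bill",
    ("TCP", 20034): "NetBus 2 Pro",
    ("TCP", 27374): "SubSeven 2.0",
    ("TCP", 31337): "Baron Night, BO client, BO2, Bo Facil",
    ("UDP", 31337): "BackFire, Back Orifice, DeepBO",
    ("UDP", 31338): "Back Orifice, DeepBO",
    ("TCP", 54320): "Back Orifice 2000",
    ("UDP", 54321): "Back Orifice 2000",
}

# Ports from the table that ordinary services also use (FTP, Telnet, SMTP,
# UPnP); a match there is weak evidence on its own. Assumption for this example.
COMMON_SERVICE_PORTS = {21, 23, 25, 5000}

# One netstat line: proto, local addr:port, foreign addr, optional state, PID.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)

# Constructed sample in `netstat -ano` format: a NetBus-style listener on
# TCP 12345, a Back Orifice-style socket on UDP 31337 (same PID), an FTP server
# on TCP 21, and an ESTABLISHED connection on 27374 that must NOT be flagged.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.5:49700      93.184.216.34:443      ESTABLISHED     2200
  TCP    192.168.1.5:27374      192.168.1.9:49800      ESTABLISHED     2200
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:31337          *:*                                    4120
  UDP    0.0.0.0:5353           *:*                                    1780
"""


def parse_netstat(text: str) -> List[dict]:
    """Return one dict per socket line; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, laddr, lport, faddr, state, pid = m.groups()
            rows.append({"proto": proto, "local": laddr, "port": int(lport),
                         "foreign": faddr, "state": state, "pid": int(pid)})
    return rows


def find_trojan_ports(text: str) -> List[dict]:
    """Sockets waiting for inbound traffic whose port is in TROJAN_PORTS."""
    hits = []
    for row in parse_netstat(text):
        waiting = (row["proto"] == "UDP"
                   or (row["proto"] == "TCP" and row["state"] == "LISTENING"))
        names = TROJAN_PORTS.get((row["proto"], row["port"]))
        if waiting and names:
            hits.append({**row, "trojans": names,
                         "confidence": "low" if row["port"] in COMMON_SERVICE_PORTS
                         else "medium"})
    return hits


if __name__ == "__main__":
    # Pipe real output in with: netstat -ano | python this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for h in find_trojan_ports(text):
        print(f'{h["proto"]} port {h["port"]} owned by PID {h["pid"]} '
              f'({h["confidence"]} confidence): {h["trojans"]}')
        print(f'  identify it with: tasklist /FI "PID eq {h["pid"]}"')
```

On the sample, TCP 21 is reported with low confidence (an FTP server uses it legitimately), TCP 12345 and UDP 31337 with medium confidence, and the ESTABLISHED connection on 27374 is not reported at all. The PID is the useful part of each hit: look the process up before deciding anything, since a port number is the weakest identifier in this whole table.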
Latest update on July 25, 2012 at 11:39 AM by aquarelle.