The code of a trojan infection may – or may not – take effect immediately. The main purpose of a trojan is to infiltrate an operating system through misleading a user to install it. It can then either serve a stand-alone function to execute with the code it carries, or is used as a vanguard of an invasion to introduce further code to enable the hacker’s aim. The main point is that trojans fundamentally are equipped to act as remote administration tools (RATs), having the facility to communicate with the author via a Command & Control (C&C) server. Furthermore, the malware can often operate in the background of the operating system and if successful, the user will have no indication of its presence.
An extreme example of this was the emergence a few years ago of Trojan.KillFiles.904 which was designed to systematically destroy all files on all drives except Windows System Files, meaning that user data was being wiped as users carried on operating as normal (this trojan was unique because there was no explainable end-goal such as data-theft or extortion). Trojan-rootkits are another example of covert operation when employed to create botnets; to achieve long-term control, it is in the interest of the hacker to operate without detection.
Trojans have two elements – a Client, and a Server. If a trojan doesn’t need to be in two-way contact with the hacker (for example if it is only harvesting certain data and sending this back to the C&C, or for the fatal task of Trojan.KillFiles.904), then it will contain only the Server element and act independently within its parameters. These trojans are only capable of sending data and so can only act on the coding they contain. If commands are needed to be received from the C&C and interaction is required, then the infestation must contain both elements; trojan-ransomware – such as CryptoLocker – is a fully-equipped example where, for security, the unique encryption key is downloaded from the server and not carried in the initial payload.
If communication from the C&C is needed, then the trojan will comprise of both these elements, allowing the hacker to connect via a port in the infected computer. This has a bearing on the immediacy of the trojan’s initiating. If the malware has to wait for a prompt, then there could be dormancy, though if the author can make a call to start things going, this can be quicker. This hack requires the infected computer to have a connection to a public server. This said, both types of trojan commonly have system Start-Up capabilities built in to initiate at the next (and subsequent) system starts, as well as re-boot resilience, so a C&S trojan will initially run and call home automatically with the next power-up if it has not been initiated by another trigger before this.
NOTE: by blocking unauthorized port access it is possible to prevent a trojan that relies on server commands from fully executing.
Trojans are varied, and are generally described by the functions that they perform. This is dictated by the code they carry and/or the malware additions that they later combine with as a result of keeping a back-door open for the arrival of these new components. Depending on the speed, the degree of stealth required and the duration of task to accomplish, they are coded to behave and are initiated in different ways. They are triggered by three methods:
- The trojan coding is injected into another program and it runs when the host.exe is opened (in the case of freeware, the user will probably run this immediately to view, so initiating the malware);
- The trojan will replace a legitimate file and run when this is opened, or when it is called by another program or process;
(in these two instances, the trojan can lie dormant until woken by a specific event occurring). - If the trojan is coded as a Client&Server type, the server element (in the infected computer) will immediately attempt to contact the C&C (usually via an IRC request) on execution, and will be replaced by a more comprehensively coded trojan and accompanying malware (the hacker obviously has more control in this mode and – subject to the infected computer being connected to a public server – and is only a step away from totally controlling the targeted system).
So it can be said that while some of the trojan’s code can start to execute automatically and immediately after it is triggered by one of above methods, there are considerations:
- The user probably will not be aware of this and only very efficient Heuristic analysis may identify it;
- There is a greater chance that the code employed is not the sole or total payload of the infection;
- There may be an unintentional delay in real/full execution until C&C contact is achieved;
- There may then be an intentional manual delay in its real/full execution – determined by the hacker, if required – by temporarily denying the trojan contact with the C&C server until a strategic time.
In summary: the code can only take effect AFTER infiltrating a system and after being TRIGGERED. Execution will rely on an auto-start by process/program prompt, or on the next system Start-Up. Either way, the user is unlikely to see the effect until the work of the malware is well underway.
