The Inner Structure of a Trojan Horse

When you analyze the code of a Trojan horse, you will usually find methods and functions that can be assigned to a few typical function groups and modules. Even if the code and its inner organisation seem chaotic and hard to understand because of their structureless appearance, every function can be assigned to at least one of these groups. I want to give you the big picture, an overview of the inner structure of a Trojan horse, and take away some of the confusion.


The Trojan horse is wrapped by its dropper, which is not a core component in the proper sense. But because it plays an important role in propagating and installing the Trojan, it is worth mentioning.

The dropper wrapped around the Trojan determines, on the one hand, the Trojan's visual appearance: whether it looks like a regular Windows application, a JPEG picture, a PDF file or any other file type. Its main purpose, however, is the installation of its payload. Once the dropper is executed, it examines the new system to decide whether it is a suitable place to drop its payload. Depending on the decision whether to install or not, it sends a notification message back to the Trojan client.

The inner structure of a trojan horse

The start routine

The start routine is created by the dropper as part of the installation process and makes sure the Trojan is started again after the system has been rebooted. There are several ways to do this: creating a suitable registry entry, creating a service, and other methods also come into question.
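As an added example (not code from the article), a defender-side check for the start routine just described: it parses a constructed `reg export` of a Run key and flags autostart entries that point into user-writable directories or that borrow a Windows system binary's name from the wrong location. The export text, directory lists and binary names are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample in `reg export` format; not data from a real system.
RUN_KEY_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
'''

# Directories a dropper can write to without admin rights.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Where Windows keeps the genuine copies of these well-known binaries.
SYSTEM_DIRS = ("%windir%", "c:\\windows\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}

# A .reg value line: "name"="data", with backslashes and quotes escaped by '\'.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')

def parse_run_key(export: str) -> Dict[str, str]:
    """Return {value name: command line} from a reg-export text block."""
    entries = {}
    for line in export.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            # Undo .reg escaping: \\ -> \ and \" -> "
            entries[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return entries

def executable_of(cmd: str) -> str:
    """Pull the program path out of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]

def suspicious_entries(entries: Dict[str, str]) -> List[str]:
    """Names of entries that start a program from a user-writable location, or
    that borrow a system binary's name while living outside the Windows dir."""
    flagged = []
    for name, cmd in entries.items():
        exe = executable_of(cmd).lower()
        base = exe.rsplit("\\", 1)[-1]
        if any(d in exe for d in USER_WRITABLE):
            flagged.append(name)
        elif base in SYSTEM_NAMES and not exe.startswith(SYSTEM_DIRS):
            flagged.append(name)
    return flagged
```

The same heuristics apply to the other autostart locations (RunOnce, per-user Run keys, service ImagePath values); only the input text changes.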

Three main modules

A typical Trojan horse is divided into three main modules: a security module, a damage module and a networking module. They can be compiled into one single binary file, or the modules can exist as external components such as DLLs that are loaded after the main program starts. Even if the modules are (logically) separated from each other, they are able to communicate among themselves and offer their capabilities to each other via an interface. For a better understanding, have a look at the picture at the top, which visualizes how the components work together.

1 Security module

The security module's purpose is to protect the Trojan from being detected, stopped and analyzed, and from anything else that makes the alarm bells ring. There are three typical features inside the security module: disabling installed security software, the self-protection mechanism and the update mechanism.

Deactivating the security software mainly concerns desktop firewalls and antivirus solutions. The module detects the installed security software, determines its type, name and version, and knows exactly which buttons it has to push to disarm it.

The self-protection mechanisms are necessary to protect the malware from being analyzed and reverse engineered. The binary itself is stored encrypted and is only decrypted at runtime, to make analysis of the file on disk impossible. At runtime, checks are performed to detect debuggers and virtual machines that are trying to observe and analyze the malware binary.

The update mechanism, which supplies the Trojan with new plug-ins to extend its capabilities or delivers updates that fix flaws in the software, is also a vital part of the security module. The Trojan client signals to the server that new updates are available and ready, and the server then downloads and installs/executes them.

2 Damage module

The damage module is the part of the malware where the malicious code resides. It is in charge of the tasks executed locally on the computer itself and also of the tasks that go beyond the local system over the network. We therefore divide the damage functions into two groups:

  • Data gathering module
  • Networking module

The data gathering module executes tasks like password recovery and collecting browser history data. It collects data from the local system and prepares it for other modules, which will transfer this data to the dropzone.
The networking module executes malicious networking tasks. Good illustrative examples are spam and click bots or DDoS attacks.

3 Communication module

Any data that has to be transmitted over the network, no matter whether the destination host is inside the intranet or on the Internet, has to pass through the communication module. It is the module that knows the network environment, such as proxy and firewall servers; it knows which way to take to communicate with servers on the Internet, and it knows how to circumvent the desktop firewall to avoid triggering the alarm bells.

The module also offers encryption functionality for the data that will be transferred over the network. Data that is sent to the dropzone or to the Trojan client, for example, is normally encrypted symmetrically or asymmetrically if the attacker is doing his job well.
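As an added example (not from the article), a detection heuristic for the encrypted traffic this module produces: outbound request bodies whose byte entropy is close to that of random data are flagged unless the destination host is allowlisted. The hosts, bodies, threshold and the chained-hash stand-in for ciphertext are constructed assumptions for this example.

```python
import hashlib
import math
from collections import Counter
from typing import List, Tuple

def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: around 4-5 for text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def constructed_ciphertext(length: int) -> bytes:
    """Deterministic stand-in for ciphertext (chained SHA-256; no real cipher involved)."""
    out, block = b"", b"constructed-seed"
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]

# Constructed flow records (destination host, HTTP request body); not real traffic.
FLOWS: List[Tuple[str, bytes]] = [
    ("update.example-vendor.test",
     b'{"version":"4.2.1","channel":"stable","lang":"en-US"}' * 20),
    ("203.0.113.77", constructed_ciphertext(4096)),
    ("cdn.example-vendor.test", b"token=" + constructed_ciphertext(512)),
]

# Above this, a plain-HTTP body is more likely ciphertext or a compressed archive than
# text. Compressed uploads are the main false positive, hence the allowlist.
ENTROPY_THRESHOLD = 7.0
MIN_BODY = 256          # entropy estimates on tiny bodies are unreliable
ALLOWED_HOSTS = {"cdn.example-vendor.test"}

def flag_encrypted_uploads(flows: List[Tuple[str, bytes]]) -> List[str]:
    """Hosts that receive large, high-entropy bodies and are not allowlisted."""
    flagged = []
    for host, body in flows:
        if host in ALLOWED_HOSTS or len(body) < MIN_BODY:
            continue
        if shannon_entropy(body) >= ENTROPY_THRESHOLD:
            flagged.append(host)
    return flagged
```

TLS traffic looks the same as ciphertext to this test, so it only tells you something about plain-HTTP bodies and should be paired with destination reputation rather than used alone.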

Article Source: Megapanzer
