Trojan horse removal: Protecting Troy


After a ten-year siege against the seemingly impenetrable city of Troy, the Greeks decided to try something a little more crafty than brute force. Concealing themselves within a trophy offering in the shape of a giant wooden horse, Greek soldiers were able to breach the city walls, capture Troy and win the entire war.

Modern Trojan horses are similarly deceptive. In computer terms, a Trojan horse is any malicious software that disguises itself in order to deceive users of its true intent. Trojans can take the form of just about anything: an innocuous download link, an email attachment sent from a work colleague or an image sent via social media.

Despite being one of the oldest forms of malware, Trojans have proven to be persistent pests and remain the leading cause of malware infection. In fact, they account for about 8 in 10 of all new malware infections.

Nevertheless, it is possible to defend your system against this type of cybercrime. In this article, we’re going to show you exactly how the different types of Trojans work and what you can do to reduce your risk of infection.

How do Trojan horses work?

Even often referred to as trojan horse virus, there are some subtle but important differences between Trojans, viruses and worms. In contrast to the latter two, Trojans are not able to replicate themselves, nor are they able to autonomously infect other files or spread to other devices. Instead, they require input from an external source: you.

Why would you ever interact with a Trojan?


Well, as we touched on earlier, Trojans are deceptive creatures that can disguise themselves as regular, everyday, benign files – the types of files you click on without even thinking about it. Whether it’s an email attachment sent from a trusted source or a program you’ve downloaded from an ordinarily reputable website, malware authors go to great lengths to ensure their Trojan looks like the real deal.

The most recent and widely publicized Trojan example is that of Piriform’s CCleaner, a highly popular utility that was recently acquired by Avast. The cyber criminals managed to compromise the update infrastructure and injected malicious code into the installer, which was available for almost a month with a valid security certificate from Symantec until it was discovered by security researchers.

Opening a Trojan is the equivalent of opening the gate and wheeling a large wooden horse into your city. When you double click that seemingly innocent and legit file, you’re effectively allowing the attackers to bypass your defences – in fact, you’re actually triggering the malware yourself!

The different types of Trojan horses

Trojans come in all shapes and sizes and can affect your system in a variety of ways ranging from ‘annoying’ all the way through to ‘financially crippling’. We’ve rounded up the most common types of Trojans you’re likely to encounter:

Backdoor Trojan

Backdoor Trojans create a hidden link through which hackers can remotely access and control the infected device. In many cases, the criminals can gain almost full control of the computer and use it to do more or less anything they want. In the past, this might have involved random disruption such as deleting files, messing with settings and collecting personal information, but increasingly hackers are using backdoor Trojans to recruit devices into a botnet, which can, in turn, be used to carry out powerful cyber attacks.

Backdoor.Nitol is one example of a backdoor trojan that has gained a lot of attention in recent months. The trojan makes use of the same NSA exploit as WannaCry, ransomware that infected more than 350,000 computers around the world earlier this year.

Banker Trojan

This particular type is incredibly common and can have dire financial consequences for businesses and users alike. As the name implies, the primary objective of a banker trojan is to obtain banking data stored on your system that will give the hackers access to your bank accounts, credit and debit cards and e-payment systems.

Zeus, otherwise known as Zbot, continues to be the most prolific banking Trojan of 2017. After the author of the original Trojan released the source code back in 2011, a number of variants built on the original Zbot code have sprung up (including Atmos, Citadel and more), though none have proven to be as profitable as the original. The Trojan spreads mostly through phishing and drive-by-downloads.



Exploit trojans are usually concealed with programs. When executed, they exploit security weaknesses within your operating system or other software installed on your computer, giving hackers access to your data or control over your system.

In 2012, the Blackhole exploit compromised a huge chunk of the internet and was widely regarded as the biggest threat at the time. Blackhole exploited vulnerabilities in commonly used browsers and plugins to deliver a malicious payload.


A rootkit is a particularly devious type of trojan that is designed to prevent both you and your antivirus solution from identifying the presence of other malicious software. This gives the malware a bigger window of opportunity to wreak havoc on the infected system.

SmartService is a good example of a rootkit. The trojan is typically distributed via adware bundles that many users inadvertently install when acquiring free software. After installation, SmartService creates a Windows service that prevents you from running security software and can even stop you disabling certain processes and deleting particular files. This protective behavior makes it substantially more difficult to remove the other adware that was installed alongside SmartService.


Distributed Denial of Service (DDoS) attacks have become increasingly common and disruptive in recent years, with some experts estimating that the average DDoS attack costs businesses around $2.5 million. DDoS Trojans enable cyber criminals to harness your computer’s resources to send requests to an address, flooding and eventually overwhelming the target network.


Trojan downloaders are exceptionally common among home users, who may inadvertently install one after downloading a file from an unverified or disreputable source. The payload varies, but often takes the form of adware and potentially unwanted programs, which can drastically slow your computer down. Downloaders are often less complex than other types of trojans, but still pose a significant risk.


Cybercriminals use droppers as a means of deploying additional trojans and other types of malware. Many droppers have a secondary goal of preventing your system from detecting malicious software.

Many of the new ransomware breeds make use of dropper Trojans to devastating effect. Spora uses a Jscript dropper component to execute a malicious file that encrypts data on the infected machine. A dropper Trojan also played a role in the WannaCry ransomware outbreak, which successfully infected 350,000 machines around the world in May 2017.


Perhaps the greatest example of malware camouflage, FakeAV Trojans are designed to simulate helpful antivirus software. The program creates fake alerts about suspicious files that don’t exist and demands money in order to remove the non-existent threat.

ThinkPoint is a classic example of a FakeAV. Billed as an anti-spyware program that’s part of Microsoft Security Essentials, the program detects a fake infection, reboots your computer and prevents you from using your device until you pay for the full ThinkPoint program which, it promises, will restore your computer to its former state. (Hint: don’t buy it!).

What are the most common trojan infection points?

Because trojans are not capable of replicating or spreading themselves independently, they require user input to be successful. Of course, few users are willingly going to play a role in downloading and installing malicious software on their own system, so hackers have to use disguises and deceit to coerce you into running their software. Trojans generally camouflage themselves as harmless software or hide among the lines of code written within real, legitimate software.

Generally speaking, there are three main ways that Trojans are distributed online:

1. Downloaded software

Trojan horses are frequently uploaded to websites that provide free software both legally (such as shareware applications) and illegally (such as pirated software). Due to the sheer number of programs that are uploaded to these sites, it’s not always possible for site owners to check that every piece of software is safe and secure, and as a result many Trojan-containing applications slip through the cracks. When you, the user, download and install the software – even if it’s from an otherwise reputable site such as the CCleaner example we mentioned above – there’s a risk that you could be unleashing a Trojan on your system.

2. Email attachment

Your emails are another common source of Trojan infections. Cyber criminals send out convincing messages that appear to be from widely known, trustworthy companies (say, Microsoft, Amazon or similar) and attach Trojans disguised as an ordinary file such as an image, video, mp3, or download link. After you execute the file, the malware is free to run rampant.

3. Instant messaging

Instant messaging services are home to their fair share of Trojans. In August, we saw a resurgence of the classic fake Facebook video trojan, a malware disguised as a video sent via Facebook Messenger to other people on the infected machine’s friend list. When users click the fake video, they’re prompted to download a file which, when executed, releases the Trojan.

Instant messaging is particularly effective as a distribution channel because the chat is so casual and fast paced. In this sort of environment, it’s easy to let your guard down and may make you more liable to click harmful links and download files without the same precautions as you would elsewhere on the web.

Trojan virus removal and protection

Unsurprisingly, you are the first and most effective line of defense when it comes to Trojan protection. Adopting safe browsing habits and exercising a high level of caution online can go a long way toward reducing your risk of infection and should be an important part of every IT security plan.

Safe browsing habits might include:

While you might be leading the charge, the good news is that there are a number of tools that can help you in the battle against Trojans. For example, reputable IT security solutions can prevent them from penetrating your defenses and remove any malicious software that may have crept in while another antivirus product was supposed to be keeping watch.

In addition, ensuring the Windows Firewall (or a comparably comprehensive product) is active and configured correctly to block unsolicited connections can further reduce the chances of a Trojan breaching the wall. Finally, keeping your operating system, web browser and other software up to date is vital for reducing potential security vulnerabilities and minimizing the risk of becoming the victim of a zero-day exploit.

Leaving the horse outside

The ancient people of Troy lost their city when their defense system failed to see through their enemy’s disguise and recognize the Trojan horse for the threat it really was.

Don’t let history repeat itself. With the information in this blog post, your citadel guards (you!) will be better equipped to identify potential threats, bolster your computer’s defenses and keep your system safe from the ongoing Trojan threat.

Have a brilliant (Trojan-free) day!

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

Have you ever fallen (or almost fallen) for a particularly deceptive Trojan? Leave a comment below and let us know how the Trojan tried to fool you and at what point you realized something fishy was afoot.



Writer. A picture is worth a thousand words but unfortunately I can't draw. The world of IT security has always fascinated me and I love playing a small role in helping the good guys combat malware.

What to read next