Proxy Trojans
These Trojans turn the victim's computer into a proxy server, making it available to the whole world or to the attacker alone. It is used for anonymous Telnet, ICQ, IRC, etc., to make purchases with stolen credit cards, and for other such illegal activities. This gives the attacker complete anonymity and the opportunity to do everything from YOUR computer, including the possibility to launch attacks from your network.
If the attacker's activities are detected and tracked, however, the trail leads back to you not to the attacker - which could bring your organization into legal trouble. Strictly speaking, you are responsible for your network and for any attacks launched from it.
FTP Trojans
These Trojans open port 21 (the port for FTP transfers) and let the attacker connect to your machine via FTP.
Security software disablers
These are special Trojans, designed to stop/kill programs such as anti-virus software, firewalls, etc. Once these programs are disabled, the hacker is able to attack your machine more easily.
The Bugbear virus installed a Trojan on the machines of all infected users and was capable of disabling popular anti-virus and firewalls software. The destructive Goner worm (December 2001) is another virus that included a Trojan program that deleted anti-virus files.
Security software disablers are usually targeted at particular end-user software such as personal firewalls, and are therefore less applicable to a corporate environment.
How can I get infected?
For a network user who is protected by a firewall and whose ICQ and IRC connections are disabled, infection will mostly occur via an email attachment or through a software download from a website.
Many users claim never to open an attachment or to download software from an unknown website, however clever social engineering techniques used by hackers can trick most users into running the infected attachment or downloading the malicious software without even suspecting a thing.
An example of a Trojan that made use of social engineering was the Septer.troj, which was transmitted via email in October 2001. This was disguised as a donation form for the American Red Cross's disaster relief efforts and required recipients to complete a form, including their credit card details. The Trojan then encrypted these details and sent them to the attacker's website.
Infection via attachments
It is amazing how many people are infected by running an attachment sent to their mailbox. Imagine the following scenario: The person targeting you knows you have a friend named Alex and also knows Alex's email address. The attacker disguises a Trojan as interesting content, for example, a Flash-based joke, and emails it to you in your friend's name. To do so, the attacker uses some relaying mail server to falsify the email's FROM field and make it look like Alex is the sender: Alex's email address is alex@example.com so the attacker's FROM field is changed to alex@example.com. You check your mail, see that Alex has sent you an attachment containing a joke, and run it without even thinking that it might be a malicious "because, hey, Alex wouldn't do something like that, he's my friend!"
Information is power: Just because the attacker knew you had a friend Alex, and knew and guessed that you would like a joke, he succeeded in infecting your machine!
Various scenarios are possible. The point is that it only takes ONE network user to get your network infected.
In addition, if you are not running email security software that can detect certain exploits, then attachments could even run automatically, meaning that a hacker can infect a system by simply sending you the Trojan as an attachment, without any intervention on a user's part.
Infection by downloading files from a website
Trojans can also be distributed via a website. A user can receive an email with a link to an interesting site, for instance. The user visits the site, downloads some file that he thinks he needs or wants, and without his knowing, a Trojan is installed and ready to be used by attacker. A recent example is the ZeroPopUp Trojan, which was disseminated via a spam broadcast and enticed users to download the Trojan, describing it as a product that would block pop-up ads. Once installed, the Trojan would send a mail to everybody in the infected user's address book promoting the ZeroPopUp URL and software. As this email is sent from a friend or colleague, one is more likely to check out the URL and download the software.
In addition, there are thousands of "hacking/security" archives on free web space providers like Xoom, Tripod, Geocities and several others. Such archives are full of hacking programs, scanners, mail-bombers, flooders and various other tools. Often several of these programs are infected by the person who created the site. Again, a single network user could infect your whole network.
In January 2003, TruSecure, the risk management firm that also owns ICSA Labs and InfoSecurity Magazine, warned that malware code writers will increasingly disguise remote access Trojans as 'adult' entertainment, for example, and post these programs to pornography sites or news groups, to target new users. Specific users will also be targeted in this way, as the attacker can then send the URL containing the disguised malware to an unsuspecting victim.
On similar lines, the Migmaf or "migrant Mafia" Trojan that emerged in July 2003 hijacked about 2,000 Windows-based PCs with high-speed Internet connections, allowing them to be used to send ads for pornography. The Migmaf Trojan turns the victim computer into a proxy server which serves as a sort of middleman between people clicking on porn email spam or website links - it allows the victim computer to fetch porn web ads from an undisclosed server and pass on the ads to other computers either through a spam mail or a web browser.
How to protect your network from Trojans
So how do you protect your network from Trojans? A common misconception is that anti-virus software offers all the protection you need. The truth is anti-virus software offers only limited protection.