Video Trojan Horse is not a Malware Type

Source
https://youtu.be/uyC11J6T6xo
Video created by
struppigel

Andy Ful (Level 72 · Verified · Trusted · Content Creator · Dec 23, 2014 · 6,117)
I like a general definition (based on Wikipedia):
A Trojan is any malware that misleads users as to its true intent. So, most malware samples are Trojans. Viruses assume replication, so they are considered a separate group. Backdoors are related to gaining remote access, and Worms assume replication over the network. In fact, one can create malware that is a Trojan and also has Virus, Backdoor and Worm capabilities.

The AV vendors define Trojan very similarly:
https://www.kaspersky.com/resource-center/threats/trojans
https://us.norton.com/internetsecurity-malware-what-is-a-trojan.html
https://www.avast.com/c-trojan
https://www.malwarebytes.com/trojan

struppigel (Moderator · Verified · Staff member · Apr 9, 2020 · 423)
Andy Ful said:
I like a general definition (based on Wikipedia):
A Trojan is any malware that misleads users as to its true intent. So, most malware samples are Trojans. Viruses assume replication, so they are considered a separate group. Backdoors are related to gaining remote access, and Worms assume replication over the network. In fact, one can create malware that is a Trojan and also has Virus, Backdoor and Worm capabilities.

The AV vendors define Trojan very similarly:
https://www.kaspersky.com/resource-center/threats/trojans
https://us.norton.com/internetsecurity-malware-what-is-a-trojan.html
https://www.avast.com/c-trojan
https://www.malwarebytes.com/trojan

The mere fact that there are several definitions for the term "Trojan" underlines my point: The term is fuzzy because it is used/understood differently.
Antivirus vendors are the ones who are responsible for terminology confusion in the first place. They are commercial organizations, not scientific institutions. As such they are bound to use and conflate marketing language with scientific language.

If we use that definition, the second problem I mentioned also still applies. It's an infection vector that's not tied to a malware family. Why do we call remote malware that provides remote control "remote access trojans" if we don't know in specific cases how it was distributed and whether malspam or software downloads or other user misleading was used to infect the systems with it in the first place? It's not dependent on the family and very often you cannot tell based on the sample alone.
 

Andy Ful (Level 72 · Verified · Trusted · Content Creator · Dec 23, 2014 · 6,117)
I think that you are right. :)
Furthermore, the whole terminology used by AV vendors to name particular detections is a mess. Some order was introduced by the MITRE ATT&CK™ framework, but it is rather the beginning of a long road.
The world of malware is very complex and changing, so it will not be easy to bring good order there.

More information about the current state of this topic can be found in some articles, for example:
Malware classification and composition analysis: A survey of recent developments.

Here is an example, but it will probably be useful only for @struppigel or professionals who are interested in malware classification:

[attached image: 1627294053653.png]
 
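The two points made in this thread, that "Trojan" is a category label a vendor chooses rather than a property tied to a malware family, and that detection naming across vendors is a mess, show up the moment you line up several vendors' names for the same sample. The script below is an added example, not code from the thread, from the video, or from any vendor: it takes constructed, fictional detection strings laid out in common CARO-like styles (Type:Platform/Family.Variant and variations), strips category, platform and noise tokens, votes on the remaining family token, and reports whether the vendors even agree on the category word. The sample names, the token lists and the two-vote threshold are assumptions for illustration only.

```python
import re
from collections import Counter

# Constructed, fictional detection names for three hypothetical samples, in
# layouts resembling common vendor formats. None of these strings is real
# vendor output; they exist only to exercise the normaliser below.
SAMPLE_LABELS = {
    "sample_a": [
        "Trojan:Win32/Examplefam.A",
        "Backdoor.Win32.Examplefam.gen",
        "RAT/Examplefam.B",
        "Win32:Examplefam-C [Trj]",
    ],
    "sample_b": [
        "Worm:Win32/Spreadex.D",
        "Trojan.Win32.Spreadex.a",
        "Generic.Malware.Spreadex",
    ],
    "sample_c": [
        "Trojan.GenericKD.12345678",
        "Malware.Generic",
        "Win32.Trojan.Agent",
    ],
}

# Token lists are an assumption for this example; a production normaliser
# carries much longer, vendor-specific lists.
CATEGORY_TOKENS = {"trojan", "trj", "backdoor", "worm", "virus", "rat",
                   "ransom", "spyware", "adware", "downloader"}
PLATFORM_TOKENS = {"win32", "win64", "w32", "msil", "linux", "android", "osx"}
NOISE_TOKENS = {"malware", "generic", "generickd", "agent", "gen", "heur",
                "variant", "susp", "suspicious"}
ALIASES = {"trj": "trojan"}


def tokenize(label):
    """Split a detection name on any run of non-alphanumerics, lower-cased."""
    return [t.lower() for t in re.split(r"[^A-Za-z0-9]+", label) if t]


def categories(label):
    """Category words (trojan, worm, ...) the vendor put into this label."""
    cats = {ALIASES.get(t, t) for t in tokenize(label) if t in CATEGORY_TOKENS}
    return sorted(cats)


def family_candidates(label):
    """Tokens left after dropping category, platform, noise and variant bits."""
    return [t for t in tokenize(label)
            if t not in CATEGORY_TOKENS
            and t not in PLATFORM_TOKENS
            and t not in NOISE_TOKENS
            and len(t) >= 4          # single-letter variants like ".A" are dropped
            and not t.isdigit()]     # numeric generic IDs are dropped


def consensus_family(labels, min_votes=2):
    """Family token named by at least `min_votes` vendors, else None."""
    votes = Counter()
    for label in labels:
        for fam in set(family_candidates(label)):
            votes[fam] += 1
    if not votes:
        return None
    fam, n = votes.most_common(1)[0]
    return fam if n >= min_votes else None


def summarize(labels):
    """Consensus family, union of category words, and whether vendors agree.

    Vendors 'agree' on category when every label that carries a category
    word carries the same set; labels with no category word are ignored.
    """
    per_label = [frozenset(categories(lab)) for lab in labels]
    non_empty = {c for c in per_label if c}
    union = sorted(set().union(*per_label)) if per_label else []
    return {
        "family": consensus_family(labels),
        "categories": union,
        "category_agreement": len(non_empty) <= 1,
    }


if __name__ == "__main__":
    for name, labels in SAMPLE_LABELS.items():
        print(name, summarize(labels))
```

For the constructed input, sample_a resolves to one family while the vendors call it a Trojan, a Backdoor and a RAT; sample_b is a Worm to one vendor and a Trojan to another; sample_c has no family at all, only generic labels. That is the practical consequence of the thread's point: when triaging multi-vendor verdicts, treat the category prefix as a vendor opinion about a type or infection vector and vote on the family token instead, which is the same idea family-labelling tools such as AVClass build on.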