The software appears to contain benign or useful functionality,
but it also contains code, hidden from normal operation, that violates the
intended security policy of the user or the system administrator.
Terminology Notes
Definitions of "Trojan horse" and related terms have varied widely over
the years, but common usage in 2008 generally refers to software that
performs a legitimate function, but also contains malicious code.
Almost any malicious code can be called a Trojan horse, since the author
of malicious code needs to disguise it somehow so that it will be invoked by
a nonmalicious user (unless the author means also to invoke the code, in
which case he or she presumably already possesses the authorization to
perform the intended sabotage). A Trojan horse that replicates itself by
copying its code into other program files (see case MA1) is commonly
referred to as a virus. One that replicates itself by creating new processes
or files to contain its code, instead of modifying existing storage
entities, is often called a worm. Denning provides a general discussion of
these terms; differences of opinion about the term applicable to a
particular flaw or its exploitations sometimes occur.
Time of Introduction
Implementation
Operation
Potential Mitigations
Phase
Description
Most antivirus software scans for Trojan horses.
Verify the integrity of the software that is being installed.
Other Notes
Potentially malicious dynamic code compiled at runtime can conceal any
number of attacks that will not appear in the baseline. The use of
dynamically compiled code could also allow attacks to be injected into
applications after they have been deployed.