
Trojan horses were rare until now: a terminology issue

This article’s headline might cause some readers to do a double-take and rightfully ask themselves, “I thought they never went away in the first place?” This might warrant some explanation. If you check any security news outlet, you will find that they use the term “trojan” abundantly. The problem is the polysemy of “trojan” and the lack of an alternative word to describe the specific malware type I am talking about.

Very often “trojan” just means any non-viral malware, meaning “malware that does not actively replicate itself”. Sometimes it describes an infection vector that involves deceit, e.g., a PDF icon and a pdf.exe file extension. At other times it is even used as a synonym for malware. 

When a malware researcher like me uses the term “trojan”, I am referring to malware that implements a useful application as a core component of itself. The malware does not exist outside its useful application. For instance, the AIDS trojan horse, which was the first of its kind, cannot be separated from the AIDS information program (see also link). Similarly, the recipes with the malware commands hidden in whitespace are necessary for the TamperedChef backdoor to work.

Although trojan horses of that kind were never entirely gone, “true” trojan horses were certainly comparatively rare in the last 10-15 years. Instead, we saw standard-variety malware bundled with legitimate applications using third-party tools, so-called “joiners” or “binders”. Such externally joined software is not a malware type, because the malware’s core is independent and separable from the bundled decoy program.

That brings us to the question: what caused this resurgence of classical trojan horses?
