-2

I know both are a type of malware, trojans 'disguise them self as a useful program' and rootkits 'embed them self in the system to avoid detection'. Technically how do they accomplish such things? I'm confused because all viruses avoid detection in the sense that they don't display some EULA saying "this is a virus that's going to screw up your computer, click agree to continue".

For example if an attacker emailed a file to a victim claiming it was just an invoice, but in fact it was a virus, would that be considered a trojan?

I know different companies use these words differently, so is it even a worth while endeavor to try to understand them in depth?

northerner
  • 273
  • 1
  • 9
  • @forest I still don't really get the definition of trojan. From there 'Trojans disguise themselves as harmless programs' still, no virus would come with a warning that it is a virus so what really is the difference? Is it that it's a standalone executable where is by your definition a virus always attaches to a host file? – northerner Mar 09 '18 at 11:41
  • 3
    The difference is that other malware may spread to you _automatically_, e.g. through an infected website. A trojan requires you purposefully open it, so it has to disguise itself. – forest Mar 09 '18 at 11:43
  • @forest can you site a source? I've never heard definitions requiring other malware to automatically spread, for example I never heard to be considered randsomware it must automatically spread. – northerner Mar 09 '18 at 11:48
  • 2
    As explained in answers to the linked question, these classifications can overlap. Ransomware can also be a trojan, or a worm. So worms for example automatically spread through the network. Viruses automatically spread to other writable executables. "Trojan" just describes one type of infection, specifically infection through tricking a user into running it. – forest Mar 09 '18 at 11:49
  • Your questions are a little all over the place and difficult to answer in a single question. You want to know how a rootkit technically embeds itself in a system? And you want that answer in relation to what a trojan is? – schroeder Mar 09 '18 at 14:59

1 Answers1

1

You appear to be trying to evaluate these terms through a single, simplified lens of "detection", even though they describe "detection" at different points in the malware's lifecycle.

The terms "trojan", "rootkit", and "virus" describe different aspects of malware, and a single malware binary could be all 3 or some combination.

"Trojan" has to do with how the malware presents itself to the user. It embeds itself in a program that does something else. A binary that has been infected with a trojan works as intended but does the additional unwanted actions. "Virus.exe" that has been renamed to "calculator.exe" is not a trojan. A calculator program that works that has also been infected, is a trojan. You might never know that you have been infected because the program you ran works as intended.

"Rootkit" has to do with where the malware resides on the system. Once the malware code has been run, it infects the most basic parts of the system so that it is always run, even if the system is rebooted or the running malware code is removed.

A trojan might not be a rootkit, and a rootkit might not be a trojan. Some malware might be neither.

schroeder
  • 123,438
  • 55
  • 284
  • 319