What is a Computer Trojan?

In a world where daily internet access is part and parcel of life, it is hard to avoid the many threats lurking out there in the ‘wild’. And with so many types of malware out there, it is hard to know the difference between them.
Each type of malware has its own purpose and its own associated threats, and while hopefully most people use an anti-virus program, there are still a number who don’t.

A Trojan virus takes its name from the Greek myth of the Trojan Horse; these days the delivery package is not a giant wooden horse, but it has just as devastating an effect. The premise of a Trojan is to allow a remote user or attacker access to your system, or to allow them to make changes on the system.

There are 14 main types of Trojan, each with very similar fundamentals but differing in their overall goal. When a system is infected with a Trojan, an attacker can execute actions without the system owner’s permission, and in many cases without them even knowing.

Although initially it was mainly Windows PCs that were affected by Trojans, in recent years the number on Android devices has increased at an exponential rate, because the unauthorised applications that can be installed on Android devices have opened them up to this type of attack.

Notable Trojan Viruses

  • Shedun
    • The Shedun virus comes from a family of malware; its primary platform is Android devices and it was originally discovered in 2015. The virus would modify legitimately installed applications and flood them with ads. It is very difficult to remove and in many cases cannot be removed unless the device is rooted and then flashed with a custom ROM.
  • Blackhole Exploit Kit
    • The Blackhole exploit kit was one of the most effective and widespread viruses during 2012. Sophos stated that 29% of all web threats were caused by the Blackhole exploit kit. When this virus was active on a system it recorded huge amounts of data, including the victim’s country, browser type and the operating system they were using.
  • Tiny Banker Trojan
    • The Tiny Banker Trojan’s targets of choice were financial organisations’ websites. The attack vector used is man-in-the-browser, meaning that it intercepts the data between the user and the web server.
      The Tiny Banker Trojan is based on the Banker Trojan but has been reduced in size and made more powerful.
      Once the virus has been deployed against a site, any information such as login details or bank details can be stolen and then used for malicious or illegal purposes.
  • Gh0st RAT
    • The Gh0st RAT targeted Windows systems and was able to infect a number of very sensitive systems. The RAT, or Remote Access Terminal, allows the attacker to take complete control of the infected system. This can be used to perform keylogging, record webcams and display user input, to name a few.
  • MiniPanzer and MegaPanzer
    • MiniPanzer and MegaPanzer are variants of Bundestrojaner (German for state-sponsored Trojan Horse). It was designed for the Swiss government and then later used to capture information.

As long as your system has an anti-virus application and you are careful about how you use the internet, your chances of being infected by a Trojan are reduced massively. But with new malware appearing every day, there could be numerous Trojans out there in the wild that are yet to be detected by anti-virus companies and added to their databases.

And in many cases you may be unaware that your system has been infected, as the attacker could simply be collecting data on you to use at a later date.


What is a Keylogger?

Anyone using a decent anti-virus program who has contracted a virus may have seen a keylogger. But what are they and how can they affect your daily life?

The origins of keylogger applications were within a business environment, to monitor staff; the method of keylogging was also used by law enforcement to monitor criminals’ activities.
There are a large number of keyloggers online that can be used in this way to allow businesses to monitor their employees (invasion of privacy or not, some companies will monitor their staff, and it is very likely that this will have been written into their contracts).

But as with many elements within the digital domain, it wasn’t long after the conception of these applications that criminal entities saw the use and benefits of keyloggers. I mean, what could be better than being able to monitor a target’s keystrokes from an external location?
Think about the amount of personal information you type into your system every day: passwords, user names and credit card numbers. By combining all of these bits of data there are numerous crimes that can be committed.

The methods of attack range upwards from a simple hardware-based keylogger, which can be incredibly difficult to find and detect unless you know what you are doing. The image below shows two of the hardware-based keyloggers that can be used to monitor your keystrokes. These little devices are connected between the keyboard and the computer. In some instances these devices capture the keystrokes even before the operating system sees them.
Some of these devices require the attacker to physically collect the device in order to retrieve the data.
Some of the more sophisticated devices of this nature allow for a remote connection, meaning that the attacker can collect an almost unlimited amount of data.

Two hardware-based keyloggers (on the right a PS/2 connection, on the left a USB connection)

Software-based keyloggers are a much more favoured method of attack, as they require no physical access to the target system and can be deployed across an almost unlimited number of devices at no cost to the attacker.
They can be deployed via any of the methods used to deploy malware, for example by the user downloading a malicious file which is then executed.
Much in the same way that a remotely connected hardware keylogger sends the recorded keystrokes to an external server, software-based keyloggers can also be used to send data to a remote location.

While it might seem like a complex and daunting task to develop and build an application of this nature, it is actually much easier than one would initially think. After a simple Google search you can find hundreds of tutorials and examples of code online.

This means that anyone from a casual script kiddie to an experienced programmer can develop a keylogger. Granted, the methods used to develop the application would vary with the skill set of the attacker, but the end result would ultimately be the same.

Current Research Focus

For anyone who’s taken the time to view the About Us section of Michael Talks Tech, they will see that I am currently in my final year of university. As a result, Michael Talks Tech has had to take a step back due to the amount of work I am dealing with at the moment.

My current research focus is within the domain of malware; I felt this was the best move for me due to my background and general interests.

Narrowing down the broad spectrum that is malware to a specific focus has led me down the path of Keyloggers. I found this domain intriguing as it allowed for my research to cover Cyber Security and loosely link into a small amount of Social Engineering.

As part of my research I have also been developing methods to scan and search for keyloggers on a system, and this has led me down the path of MD5 signatures, although I am aware that detecting malware using MD5 signatures is a slightly outdated method (in comparison to self-learning detection methods).

This further led me down the path of machine learning to detect malware using both MD5 signatures and the sandboxing method. Sandboxing is an interesting method to deploy, as it requires the program to run the suspected application in a ‘sandbox’ environment and from there check the suspected application’s interactions with the operating system.
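To illustrate the MD5-signature approach mentioned above, here is an added Python example (not code from this blog or its prototype) that hashes files, matches them against a small constructed signature set, and shows why a single changed byte defeats exact-hash matching. The sample bytes and the signature name "Demo.Keylogger.A" are made up for the demo.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a known keylogger binary and a hypothetical
# signature name; a real database would hold the MD5s of actual malware files.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00demo-keylogger-sample"
SIGNATURES = {hashlib.md5(KNOWN_BAD_SAMPLE).hexdigest(): "Demo.Keylogger.A"}

def md5_of_file(path: str, chunk: int = 65536) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(data: bytes, signatures=SIGNATURES):
    """Return the signature name for an exact MD5 match, else None."""
    return signatures.get(hashlib.md5(data).hexdigest())

def scan_tree(root: str, signatures=SIGNATURES):
    """Walk a directory and return (path, signature) for every exact match."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if digest in signatures:
                hits.append((path, signatures[digest]))
    return hits

def flip_last_byte(data: bytes) -> bytes:
    """Change one byte: the smallest edit a repacked sample might carry."""
    return data[:-1] + bytes([data[-1] ^ 0x01])

def demo_scan():
    """Write the original and a one-byte variant to a temp dir, then scan."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("a.exe", KNOWN_BAD_SAMPLE),
                           ("b.exe", flip_last_byte(KNOWN_BAD_SAMPLE))):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return [(os.path.basename(p), sig) for p, sig in scan_tree(root)]
```

Only a.exe is flagged and the one-byte variant b.exe slips past, which is exactly why exact-hash signatures need to be backed by behavioural (sandbox) or learned detection.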

There is currently a prototype application in development aimed at detecting and removing malware applications. As a result of all this I have had to put Michael Talks Tech on the back burner, as it was becoming almost a full-time job in regard to a number of the posts that I have done and the research required for them.

Hopefully in the new year I will be able to start posting regularly again, as it is something that I find both interesting and also fun to do. Stay posted for much more to come!

What is WannaCry?

Recently you might have read that a computer virus by the name of WannaCry has been extorting money from people and organizations all over the world. But what is WannaCry and should you be worried?

WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a computer worm that has been affecting Windows computers over the past week. It is rumoured to have been enabled and aided by some of the recent Vault 7 vulnerabilities, including EternalBlue, that the NSA (National Security Agency) had been collecting and storing over the past few years. This has led to one of the most widespread and effective pieces of ransomware seen to date, not just targeting the average user but also going after large corporations and organisations such as the NHS (National Health Service).

The WannaCry GUI that users have been met with

But what does it all mean? This ransomware could have sat dormant for months (it very likely has), just trying to spread the infection to as many vulnerable machines as possible, until it is activated either by the creator or at a specific time and date. Once the infection is triggered, the malicious package encrypts the user’s PC and demands that the user pay the “ransom”, in this case $300 or £231.59. This is a rather large amount of money, and on the scale of the attack it would have made for a very profitable venture if all of the affected users paid to regain access to their device.

In the case of WannaCry affecting the NHS it could potentially have cost human lives as well, because it was affecting hospitals and GP surgeries. Without access to patient information, a medical practitioner might have been unable to proceed with a patient’s treatment or unable to access the patient’s personal information. But WannaCry made a few fatal errors in the design and execution of the virus. Firstly, the ransom payment was required in bitcoins (Bitcoin is a digital currency with no central regulation, making it hard to track), but because there were only 4 addresses to pay the bitcoins to, and because they were hard-coded into the application, tracking them is a whole lot easier. And then there is the built-in “kill switch” that was again hard-coded into the application. This meant that to deactivate the ransomware a website address needed to be reachable, so researchers were able to find the target URL and register it, giving them the ability to deactivate the program.

For such an effective and widespread virus it looks as if corners were cut. For example, if the URL required for the “kill switch” had been coded to be random, finding the target URL would have been much harder as there would not have been a clear target. The next blunder was in having used only 4 Bitcoin payment addresses; because of this the authorities’ job of tracking the bitcoins will be slightly easier, as they will just have to monitor Bitcoin’s public transaction ledger, known as the blockchain.

It has also been found by Cisco researchers that the “Check Payment” button did not actually do anything other than display one of 4 possible outcomes, meaning that decryption of the devices was most likely done manually. But there is also speculation that the creator may just have sent out a random handful of decryption keys to make it appear as if payment had gained the user access to their machine again. If that is the case then this virus should not really be called ransomware at all, as there is a strong possibility that even after the ransom has been paid the user will not be given access back to their files, making this more like theftware.


But there has been further speculation from other security researchers that this attack might have been made to look as if it was ransomware. This could mean that the creators had alternative motives. These could have been any number of things, but when you consider the sort of things that were affected and completely paralysed (hospital equipment, trains and ATMs), could it be possible that the ransomware side of this attack was merely a cover-up? Consider too that researchers at Kaspersky Lab have been finding evidence linking WannaCry to North Korea, in the form of code similar to that used in a previous attack this year. A number of other big names in cyber security have also backed up these claims, as they too have noticed drastic similarities in the code used in both attacks. And when you look at the rising tensions between the USA and North Korea and acknowledge the fact that “cyber space” is the new battlefield, this could have just been a test run for bigger things to come. But of course this is all merely speculation.

But what do you do if your computer is affected by ransomware, and are there any precautions that you can take to make it less damaging?

Precautions to take

  • Always keep regular backups of any documents and files that you need or do not wish to lose. You could back them up to an external device such as a USB stick or an external HDD. The other option is to back up your files and documents to one of the many cloud services, such as Google Drive or Microsoft’s OneDrive.
  • Make sure you download and install regular updates for your operating system; this should help to prevent the vulnerability being present on your computer.
  • If your machine does get infected by ransomware, the first thing you should do is disconnect your device from the internet; this could possibly prevent the virus from encrypting all of your data.