
I'm trying to figure out some possible attack scenarios for a project I'm conducting. I've read plenty of material about malware and, in particular, spyware and trojans. While it's hard to find unique specific definitions for both of them, which however I'm not really interested in, I came to the conclusion that, roughly speaking:

  • Spyware: log activities and steal information;
  • Trojans: give remote control of a system to the attacker, to perform a broad variety of malicious actions, possibly including stealing information and logging activities.

Considering this somewhat correct (I hope it is), I'm trying to find some possible motivations, if any, to use RATs instead of spyware. Although I know other common features trojans have, those don't fit my work well. Are there motivations to prefer a trojan over spyware if there is no interest in taking control of the infected system?

  • If Thomas Pornin answered your question, could you mark it as answered? – KnightOfNi Apr 22 '14 at 01:56
  • I would have done it before if that was the case. Most of his answer was about clarifying some concepts but he didn't give any specific answer to my original question. That's why I've commented on his post asking for confirmation. – Matteo Grimaldi Apr 22 '14 at 16:29

1 Answer


See this answer for some musings about the definitions of such terms, and, in particular, how fuzzy and mostly irrelevant they are.

If we really want to make distinctions, then:

  • A spyware is some software which spies on the user.
  • A trojan is some malicious software which gets installed by the victim himself, who was deceived into thinking that the software was benign.

So the two terms are not opposite at all! In fact, they are orthogonal. A given piece of malware (the generic term, meaning "malicious software") can be a trojan or something else (depending on how it enters the victim's computer), and can be a spyware or something else (depending on whether, once there, it engages in spying activities).

In older times, malware was mostly viruses (i.e. malware which propagates by grafting itself on executable files exchanged between computers) and worms (automatic exploit of network-based vulnerabilities). Some had no payload, they just replicated for the fun of it; but most tried to be destructive, wiping out files and operating systems, and even breaking the hardware. Nowadays, a lot of malware exploits the gullibility of the human user (that's much easier than relying on some exploitable vulnerability), making up the large "trojan" category. Also, most malware tries to be inconspicuous: typical malware does not try to break your machine; instead, it silently siphons out your secrets (e.g. passwords).

"Taking control" is not a well-defined category. By definition, malware running on a machine is "controlling" it, if only transiently. Most malware will include some backdoor so that the malware author can use an installed malware instance as an entry point for pushing new attack code, whether such an escalation is actually planned or not.

Thomas Pornin
  • Thanks for the explanation, so, since for "taking control" I was talking about the use of backdoors, are you saying that they could be used mainly as part of more complex attack scenarios? – Matteo Grimaldi Apr 18 '14 at 18:11
  • @hate What Thomas Pornin is saying is that the techniques used by a Trojan are a way of gaining access to a system (social engineering) whereas 'spyware' is a term used to describe what some types of malware do once they gain access to your system. Therefore, some pieces of spyware are Trojans. Both spyware and Trojans can install backdoors on your computer. – KnightOfNi Apr 22 '14 at 20:16