New Trojan found - this time, interesting, important and harmless!

Filed Under: Malware

The word Trojan has many meanings, and when it is used without qualification in headlines, it's hard to know which one is meant.

An olden-day Trojan was an inhabitant of the ancient city of Troy, near modern Çanakkale in Turkey, on the Anatolian side of the Dardanelles.

The word is also short for Trojan horse. Once, this meant the dissembling wooden gift which tricked those same Trojans into defeat in Virgil's epic Latin poem The Aeneid; today, it refers to the sort of dodgy software which tricks you into giving up control of your PC.

In Australia, if you want to renovate your house, you'll need power tools, and they might be Trojans; in the USA, if you get lucky, you'll need a condom, and you might roll out a different sort of Trojan.

(Since the ancient Trojans are best remembered for puncturing a hole in their own defences - to admit the aforementioned wooden horse - thus allowing the enemy to spill into their city and destroy it, I've never quite understood the metaphor in branding condoms as 'Trojans'. Perhaps that's why I'm not in marketing.)

But there's another sort of Trojan, namely an asteroid or small satellite which shares its orbit with a planet or larger satellite.

This sort of Trojan makes fascinating study, because it involves dealing with the interaction of three celestial objects. The so-called three-body problem is a special case of the n-body problem, first expounded by Sir Isaac Newton in his 1687 book known as Principia, in which he also introduced the Law of Universal Gravitation.

Obviously, the zero-body and one-body problems are trivial and uninteresting. And it turns out that the mathematics for the two-body problem - for example, working with the sun and the earth, or the earth and the moon - is fairly straightforward. Sir Isaac sorted things out for n=2 back in the 17th century.

It seems obvious that the mathematics ought quickly to get hairy as n increases. When n=20, for example, you'd expect a jolly spicy set of equations. But it might be a surprise to learn that things get almost insurmountably tough right at once. As Wikipedia rather drily remarks, "for n ≥ 3 very little is known about the n-body problem."

What we do know, thanks to the brilliant 18th century mathematician Joseph-Louis Lagrange, is that there are "five positions in an orbital configuration where a small object affected only by gravity can theoretically be stationary relative to two larger objects".

To this day, they are called Lagrange points, denoted by L1 to L5.

And that's where our brand-new Trojan comes in.

Discovered in October 2010, this celestial body has now been confirmed as the very first astronomical Trojan known to orbit along with Earth.

The Trojan loops, well, quite loopily, around L4, which itself loops around the sun, 60 degrees ahead of our Earth-bound trajectory.

The Trojan, which is estimated to be about 300m across, therefore precedes us round the sun. Fortunately, it maintains a reliable, healthy and, most importantly, consistent distance from our planet.

That's what makes it harmless: it's locked into orbit with us, rather than on any sort of collision course. At least for now.

And it's important because Earth Trojans - of which there may be many - are hard to find. Trojans of Mars, Jupiter and Neptune are known; so are Trojans of Saturn's moons. But Earth Trojans circle mostly in our daylight sky, making them really tricky to spot.

But where, I'm sure you are now dying to ask, is the link to computer security, and to computer Trojans?

Here you go.

Astronomers, like malware researchers, deal with huge numbers of new discoveries. Naming something if it's one of the very first examples of its type is one thing. Reliably naming objects by the million is quite another.

For this reason, malware researchers have shifted from catchy names like Jerusalem, Tremor and Grand Old Duke of York (don't ask - that one's a story in its own right) to taxonomic dullnesses such as Troj/FakeAV-DB and Mal/ObfJS-E.

Catchy names now appear only occasionally for really well-known viruses, such as Conficker and Stuxnet.

Astronomers, unsurprisingly, have a similar approach, so I'm sorry to have to tell you that this super-cool, first-of-its-kind, Earth Trojan is unmajestically known simply as 2010 TK7.

If you've got a cooler name, please leave a comment and let us know. We'll pass your suggestions on to the astronomical powers-that-be.

And be sure to check out the animations which yielded the above 2010 TK7 diagram.

5 Responses to New Trojan found - this time, interesting, important and harmless!

  1. cimeof · 1529 days ago

    "lmao" would be a good name for any type of malware

  2. Guest · 1529 days ago

    The original trojan horse had warriors hidden inside, who came out and opened defences once the `gift horse` was inside the walls.

    In the article, the author says it was the breaching of the defences to get the horse in that was the pertinent point.

    In light of the hidden payload scenario... the naming of Trojans makes more sense.

    • Paul Ducklin · 1529 days ago

      Both issues are important. But I've always thought that the key to the breach was a lot more than just the troops inside.

      After all, you can't squeeze enough warriors into a wooden horse to ransack an entire city. In the Aeneid, the Greeks deliberately made the horse slightly bigger than the city gates. In Book II, line 234 (I knew studying Latin would come in handy for _something_ one day :-), Virgil says: "diuidimus muros et moenia pandimus urbis" - we parted the walls, and opened up the fortifications of the city.

      And that's how modern Trojan horse infestations often work. You start by letting a small and innocent-looking program inside, and it later uses its internal beachhead to "upgrade" you to a whole raft of bigger, more serious, items of malware.

  3. Josh · 1529 days ago

    obfjs = obfuscated javascript
    iframe = HTML iframe tag
    JSredir = javascript redirectors
    SEOimg = Search Engine Optimization via Google Images
    FBJack = facebook clickjacking scripts

    All of the above MAY LEAD to a malicious code, but they are not malware per se.
    I wonder why you consider and count them the same way you count Zeus, Stuxnet or Conficker...

    • Paul Ducklin · 1529 days ago

      I don't count or consider them the same as Zbot (aka Zeus), Stuxnet or Conficker.

      Those are just some sample names from the latest list of web threats on our website. (It's a clickable link. Try clicking. That will probably clarify. We list EXE malware threats separately.)

      As for whether they count as "malware", I'm comfortable saying that they do. They're malicious, and they are software source code, at least in some sense, so the word "malware" suits them just fine. They're not directly dangerous, of course, in the way that a Conficker executable is, but that's a detail.

      My goal with those names was not to compare threat levels but simply to show how modern malware naming is unexciting - and often encompasses huge families of dodgy stuff with a single generic-sounding name - compared to the heady days of malware objects with names like 'Power Pump', 'Simulated Metamorphic Encryption Generator' and 'Monkey' :-)

      That's all. Apologies for the confusion. Imagine a heading on the picture saying "Web threats".

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog