I have found that my computer contains 2 trojans. I have heard that hackers
use trojans to gain unauthorized access to all your data. Is this true? If so,
then is the data in my external hard disk (which I connect to the computer at
least once a week and for a span of half an hour) also compromised?
There are so many different types and variations of malware out there that
it’s hard to give a definite answer. However we can certainly examine what they
might be doing, and why. We’ll also look at the assumptions you’ll probably
make, and which of those I’d make in your shoes.
To answer your second question first: without knowing the specific malware
that you’ve been infected with, we can’t make any assumptions at all about what
it might or might not have access to.
Strike that, we can make only one assumption: malware can access everything
on your machine (even devices that are connected only occasionally) and quite
possibly any other machines on your local network as well.
So in your specific configuration, if your machine was infected the last
time you connected that external hard drive, it’s quite possible that it was
Now, I also need to clarify what we might mean by the word “compromised”.
There are two primary forms:
Infection: the malware might simply copy itself to your
external hard drive. The goal here is the malware’s propagation – it’s trying
to move to other machines. If your external drive becomes infected and you then
plug it into another machine, it’s possible that the malware could
infect that other machine. Your external hard drive could become a “carrier”
for the malware.
Data Access: If your machine has been infected and the
malware is active, then it absolutely could be accessing that external hard
disk when it’s connected and, for all we know, locating “interesting stuff” and
sending it off to points and people unknown.
Now, I want to be clear about something: as I understand it most
malware does neither. Most malware simply infects your machine and then goes on
to do other things. And of the two compromises that I’ve listed above,
Infection is the most likely form of compromise, in my opinion. As
we’ll see in a moment, most malware is more interested in propagating than it
is in your data.
More often than not if you’ve been infected data on your external drive has
not been harvested. But this is malware we’re talking about. There are no
So just what is malware doing if it’s not likely sucking up all your data
and sending it off somewhere?
In years past, malware’s goal was simply to cause trouble. It was more
likely that your data would disappear as the result of an infection, and not
much more. You might lose the contents of your hard disk, but none of that data
would have been sent anywhere.
In recent years the landscape has changed, and in a word that change is
“spam”. Some very large percentage of malware these days is all about trying to
infect machines in order to create spam-sending zombies operating as part of
botnets. They have two goals:
Propagate and infect more machines into joining the botnet.
Wait for further instructions from the botnet operator. Typically that means
being prepared to send out huge amounts of spam when instructed.
You can see that looking at your data isn’t part of their job.
Why the shift? Money. There’s no money in causing trouble for trouble’s
sake, but there are people willing to pay to get their spam sent. As a result
botnet operators can actually make money by managing a network of infected
zombie machines to send out spam.
So all that’s well and good, but if you’re infected what should you
It depends on your level of paranoia.
What I would do is this: use anti-malware tools to remove the malware
from the infected PC, and then also scan the external drive for
infections. Assuming everything turns out clean, I’d be satisfied and move on
with my life. (Taking note to avoid whatever it was I did to get infected in
the first place, of course.)
However, there’s an extremely paranoid, and yet very valid, position with
regard to malware infections: “Once infected, all bets are off.” The idea is
that malware has become so stealthy and malicious that once you’ve been
infected there’s no way to know with 100% certainty that it’s really been
eradicated from a system. If you follow this philosophy to its logical
conclusion, the only action you can take after an infection is to reformat and
reinstall your machine from scratch. And sadly, taken to this extreme, that
includes the external hard drive.
To be clear, I would not do this on a personal machine. Your
situation might be different; I’d expect government and other sensitive
installations to perhaps need to be more paranoid about these types of things.
I’m typically quite happy with a good virus scan and cleanup. The only
exception was some years ago when the server hosting Ask Leo! became infected –
I elected at that point to build out a new server and move the site and my
other data to it. The infected server was then reformatted.