Saly986336
Posted: Sat 2:24, 12 Mar 2011
(B) Bundled files. This disguise ties the Trojan to a setup program: when the installer runs, the Trojan slips into the system without the user noticing. The file it is bundled with is usually an executable (an EXE or COM file). (C) Fake error display. Users with some knowledge of Trojans know that if opening a file produces nothing at all, the file is probably a Trojan. Trojan designers are aware of this weakness, so they added an error-display function: when the server-side user opens the Trojan, a (fake) error box pops up whose text can be defined freely, and most are customized to some plausible message. While the user takes the message at face value, the Trojan has already quietly entered the system. (D) Custom port. Many old-style Trojans use a fixed port, which makes it easy to tell whether a machine is infected: checking one particular port tells you which Trojan it is. Newer Trojans therefore let the controlling user choose any port between 1024 and 65535 as the Trojan port (ports below 1024 are generally avoided), which makes identifying the infection much harder. (E) Self-destruction.
These are the startup configuration files of applications. Using the fact that such files can launch a program, the control end uploads a Trojan file with the same name as a program named in a startup command, overwriting the file of that name on the server, so that the Trojan gets started. 6. Start menu: the Startup group of the Start menu may also contain a Trojan. ② Activated by a trigger condition. 1. Registry: open the HKEY_CLASSES_ROOT\<file type>\shell\open\command key and examine its value. For example, one domestic Trojan changes the open command of TXT files: originally the application NOTEPAD opens the file, but after infection the Trojan program is started instead. Note that this is not limited to the TXT file: by modifying the startup command keys of HTML, EXE, ZIP and other file types the Trojan can also be started; the only difference is the key name to look under (for ZIP it is WINZIP), so try to find it. 2. Bundled files: the first condition for this trigger is that the control end already has a connection to the server through the Trojan; the controlling user then uses a tool to bundle the Trojan file with an application and uploads it to the server, overwriting the original file. Then, even if the Trojan is removed, as long as the bundled application is run, the Trojan is installed again. 3. Autoplay:
Contents: introduction; basics; history; forms of propagation; running; disguise; information feedback; control methods; establishing a connection; startup means; remote control; troubleshooting on a networked computer; how to kill Trojans quickly; ports opened by common Trojans; how well-known Trojans modify the registry; strengthening the system against Trojans. In the computer field, a Trojan horse is a kind of malicious program. It is hidden and acts on its own, can be used for malicious purposes, and usually does not damage the computer directly; its main purpose is control. In view of the great harm Trojans do, we divide the material into three parts, principles, defense and countermeasures, and information, to describe Trojans in detail, in the hope of giving a thorough understanding of this type of attack. The history of Trojans. First generation: disguised Trojans. This type tricks the user by disguising itself as a legitimate program. The world's first computer Trojan was the PC-Write Trojan of 1986. It was disguised as version 2.72 of the shareware PC-Write (in fact Quicksoft, the company that wrote PC-Write, never released a version 2.72); once the trusting user ran it, his hard disk was formatted. In my first year at university I heard that a senior, a real expert, had written a Trojan in BASIC in the WAX room: a login screen exactly like the normal one. When you entered your user ID and password in this fake login screen, the Trojan stored the ID and password and told you the password was wrong; the second time you logged in you got the real screen, and you had become a Trojan victim. At this point, first-generation Trojans did not yet have infection characteristics. Second generation: the AIDS Trojan. After the PC-Write Trojan, the AIDS Trojan appeared in 1989. At that time few people used e-mail, so
A program that exploits vulnerabilities in computer programs to break in and steal files is called a Trojan horse program. It is hidden, acts on its own, can be used for malicious purposes, and usually does not damage the computer directly; its main purpose is control.
Once the server-side user runs the Trojan or the program it is bundled with, the Trojan installs itself automatically. First it copies itself into the Windows system folder (the C:\WINDOWS or C:\WINDOWS\SYSTEM directory), then it sets up its trigger conditions in the registry, the Startup group or non-Trojan files; with that the installation is complete. After installation the Trojan can be started; the specific process is as follows. ① The Trojan is started by a self-start condition, roughly in one of the following six places. 1. Registry: open HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion and look at the five keys whose names begin with Run and RunServices; search them for values that could start the Trojan. 2. WIN.INI: the C:\WINDOWS directory holds the configuration file win.ini; open it in a text editor and look in the [windows] section at the startup commands load= and run=. Normally they are blank; if they start a program, it may be the Trojan. 3. SYSTEM.INI: the C:\WINDOWS directory also holds system.ini; open it in a text editor and look in the command lines under [386Enh], [mci] and [drivers32] for a Trojan startup command. 4. Autoexec.bat and Config.sys: these two files in the root of drive C can also start the Trojan. But the control end generally needs an established connection with the server first, so that it can upload copies of these two files with the Trojan start command added, overwriting the originals under the same name. 5. *.INI:
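The startup locations listed here (Run/RunServices keys, win.ini load= and run=) and the file-association trigger described in the registry item above can be checked from exported text. The script below is an added example, not code from the original post: it parses a constructed regedit export and a constructed win.ini (the program name unknown1.exe and the expected-opener table are assumptions made for the sample) and reports Run* entries, Rundll32-loaded DLLs, hijacked open commands, and non-blank load=/run= lines.

```python
import re

# Constructed regedit export of the autostart keys discussed in the text.
# "unknown1.exe" is a made-up placeholder for a program that should not be there.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"NetName"="Rundll32 C:\\WINDOWS\\Downlo~1\\CnsMin.dll,Rundll32"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"svc"="C:\\WINDOWS\\SYSTEM\\unknown1.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\unknown1.exe %1"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"
'''
# Constructed win.ini; the text says load= and run= under [windows] are normally blank.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\unknown1.exe\n[Desktop]\nWallpaper=(None)\n"
# Assumed baseline of which program should own each file type's open command.
EXPECTED_OPENERS = {"txtfile": "notepad.exe", "htmlfile": "iexplore.exe"}
# "name"="value" or @="value"; group 2 is None for dword:/hex: values, which are ignored.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(?:"((?:[^"\\]|\\.)*)"|(.*))$')

def _unescape(s):
    """Undo the backslash escaping used in .reg exports (\\\\ and \\")."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key_path: {value_name: string_value}} from a regedit export."""
    tree, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None and m.group(2) is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            tree[key][name] = _unescape(m.group(2))
    return tree

def _program_of(command):
    """Executable name from a command line, e.g. '"C:\\x\\a.exe" %1' -> 'a.exe'."""
    command = command.strip()
    exe = command[1:command.find('"', 1)] if command.startswith('"') else command.split(" ")[0]
    return exe.rsplit("\\", 1)[-1].lower()

def run_key_entries(tree):
    """Values under CurrentVersion keys whose name starts with Run (Run, RunServices, ...)."""
    found = []
    for key, values in tree.items():
        head, _, leaf = key.rpartition("\\")
        if head.lower().endswith("\\windows\\currentversion") and leaf.lower().startswith("run"):
            found.extend((leaf, name, cmd) for name, cmd in values.items())
    return sorted(found)

def rundll32_loaders(entries):
    """Start entries that use Rundll32 as the Loader of a DLL (the DLL Trojan pattern)."""
    return [e for e in entries if _program_of(e[2]).startswith("rundll32") and ".dll" in e[2].lower()]

def hijacked_open_commands(tree, expected=EXPECTED_OPENERS):
    """File types whose shell\\open\\command no longer points at the expected program."""
    bad = []
    for key, values in tree.items():
        parts = key.split("\\")
        if parts[0] == "HKEY_CLASSES_ROOT" and parts[2:] == ["shell", "open", "command"]:
            cmd = values.get("@", "")
            if parts[1] in expected and _program_of(cmd) != expected[parts[1]]:
                bad.append((parts[1], cmd))
    return bad

def ini_startup_commands(text):
    """Non-blank load= / run= lines in the [windows] section of win.ini."""
    section, hits = None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            k, v = (p.strip() for p in line.split("=", 1))
            if k.lower() in ("load", "run") and v:
                hits.append((k.lower(), v))
    return hits

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    entries = run_key_entries(reg)
    print("Run* entries:", entries)
    print("Rundll32 loaders:", rundll32_loaders(entries))
    print("Hijacked open commands:", hijacked_open_commands(reg))
    print("win.ini startup:", ini_startup_commands(SAMPLE_WIN_INI))
```

On a real machine, export the keys with regedit first; a Rundll32 entry is not by itself malicious (the text's CnsMin.dll example is a legitimate plug-in), it is simply where a DLL Loader would sit.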
A complete Trojan system consists of a hardware part, a software part and a specific connection part. (1) Hardware part: the hardware entities needed to establish a Trojan connection. Control end: the side that remotely controls the server. Server end: the side that is remotely controlled. INTERNET: the network that carries the control end's remote control of the server and the data transferred between them. (2) Software part: the software needed for remote control. Control program: the program the control end uses to control the server remotely. Trojan program: the program that sneaks into the server and obtains the authority to operate it. Trojan configuration program: sets the Trojan's port number, trigger conditions, Trojan name and so on, so that it hides more subtly in the server. (3) Specific connection part: the elements needed to establish a Trojan channel between the server and the control end over the INTERNET. Control-end IP, server IP: the network addresses of the two sides, the destinations of the Trojan's data transfers. Control-end port, Trojan port: the data entry points of the two sides; through them data reaches the control program or the Trojan program directly. Seen as a process, a network intrusion using this hacking tool can be divided into six steps (shown below); we now explain the principles of a Trojan attack in detail along these six steps. 1. Trojan configuration. A well-designed Trojan generally has a configuration program. Judging from what it configures, it mainly serves two functions: (1) Trojan disguise: in order to hide the Trojan as well as possible, the configuration program of the server side applies various camouflage means, such as modifying the icon, bundling files, custom ports and self-destruction, which we will introduce later. (2) Information feedback: the configuration program sets the method or address for information feedback, such as a feedback e-mail address, IRC number or ICQ number, which we will also introduce later.
Propagation. Trojans spread mainly in two ways. One is through E-MAIL: the control end sends the Trojan program as an attachment in a message, and the recipient's system is infected as soon as the attachment is opened. The other is software downloads: some unofficial sites offer software downloads in which the Trojan has been bundled into the program; after downloading, simply running the program installs the Trojan automatically. Disguise. Because of the dangers of Trojans, many people now have some knowledge of them, which has restrained their spread, something Trojan designers do not want to see; so they developed various disguise functions to lower users' vigilance and deceive them. (A) Modified icon: when you see this icon in an E-MAIL attachment, do you think it is a text file? I must tell you that it may well be a Trojan program. Some Trojans can now change the icon of the server program into the icon of an HTML, TXT, ZIP or other file, which is quite confusing. But few Trojans currently offer this feature, and the disguise is not perfect, so there is no need to be paranoid. (B) Bundled files: hackers disguise the Trojan by bundling it with another file.
Autoplay. This feature was designed for automatically playing CDs: when you insert a movie CD into the drive, the system plays its contents automatically. What gets played is determined by the AutoRun.inf file on the CD; by editing the Open line of AutoRun.inf you can specify the program that runs automatically. Later, people applied this to hard disks and USB flash drives: create an Autorun.inf file on a hard disk partition or USB drive and name the Trojan in its Open line, and the Trojan is triggered whenever that partition or drive is opened. Trigger methods like these keep evolving. (2) Trojan running. Once activated, the Trojan loads into memory and opens its predefined port, ready to establish a connection with the control end. The server-side user can type NETSTAT -AN at the MS-DOS prompt to view the port status; an ordinary personal computer that is offline normally has no ports open, so if ports are open you should consider whether a Trojan is present. Below are two examples of viewing ports with the NETSTAT command on an infected computer: ① the state shown when the server has established a connection with the control end, and ② the state shown when it has not. Of course, while online we must open some ports to download software, send messages, chat and so on. Some common ports: (1) Ports 1 to 1024: these are called reserved ports and are meant for use by well-known communication programs; for example FTP uses 21, SMTP uses 25 and POP3 uses 110. Only a few Trojans use a reserved port as their Trojan port. (2) Consecutive ports from 1025 upward: when browsing web sites, the browser opens several consecutive ports to download text and images to the local disk; these are consecutive ports numbered 1025 and above. (3) Port 4000: the communication port of OICQ. (4) Port 6667: the communication port of IRC.
Apart from these ports, which can basically be ruled out, if other ports are open, especially high-numbered ones, you should suspect a Trojan infection; and of course, if the Trojan has a custom-port feature, any port could be its port. Information feedback. In general, a well-designed Trojan has an information feedback mechanism: after the server program is installed successfully, it collects some hardware and software information about the server and reports it to the control end by E-MAIL, IRC or ICQ. From the feedback the control end learns the server's hardware and software details, including the operating system, system directory, hard disk partitions and system passwords. The most important item is the server's IP, because only with this parameter can the control end establish a connection with the server; the specific connection method is explained in the next section. Establishing a connection. In this section we explain how a Trojan connection is established. First, two conditions must be met: the Trojan program must be installed on the server, and both the control end and the server must be online. On that basis the control end can connect to the Trojan port on the server. Suppose machine A is the control end and machine B the server. For A to establish a connection with B, it must know B's Trojan port and IP address. The Trojan port is set in advance on A, so it is known; the key problem is how to obtain B's IP address. There are two main ways: information feedback and IP scanning.
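The port-by-port reasoning above (reserved ports, OICQ 4000, IRC 6667, browser ports from 1025 upward, anything else suspicious) can be applied mechanically to NETSTAT -AN output. The script below is an added example, not code from the original post: it runs over a constructed netstat listing that combines the text's two cases for the server B (Trojan port 7626 listening, and connected to the control end's port 1031); the peer address 202.102.47.1 and the port 51234 are made up for the sample.

```python
import re

# Constructed "netstat -an" output mixing the text's two cases: the Trojan port 7626
# listening (not yet connected) and connected to the control end's port 1031. The peer
# address 202.102.47.1 and the port 51234 are made up for the sample.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING
  TCP    202.102.47.56:7626     202.102.47.1:1031      ESTABLISHED
  TCP    202.102.47.56:1025     202.102.10.9:80        ESTABLISHED
  TCP    202.102.47.56:1026     202.102.10.9:80        ESTABLISHED
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:51234          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:4000           *:*
"""

# Port rules taken from the text above.
WELL_KNOWN = {21: "FTP", 25: "SMTP", 110: "POP3"}      # examples of reserved ports
APP_PORTS = {4000: "OICQ", 6667: "IRC"}                # chat ports the text rules out
TROJAN_PORTS = {7626: "Trojan port from the connection example"}

def _split_endpoint(ep):
    """'202.102.47.56:7626' -> ('202.102.47.56', 7626); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host, int(port) if port.isdigit() else None

def parse_netstat(text):
    """Rows of netstat -an as dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] in ("TCP", "UDP"):
            lhost, lport = _split_endpoint(f[1])
            rhost, rport = _split_endpoint(f[2])
            rows.append({"proto": f[0], "local_ip": lhost, "local_port": lport,
                         "remote_ip": rhost, "remote_port": rport,
                         "state": f[3] if len(f) > 3 else ""})
    return rows

def explain(row):
    """Why a local port is open, following the text's rules; 'suspect: ...' if unexplained."""
    p = row["local_port"]
    if p in TROJAN_PORTS:
        return "suspect: " + TROJAN_PORTS[p]
    if p <= 1024:
        return "reserved port (" + WELL_KNOWN.get(p, "well-known service") + ")"
    if p in APP_PORTS:
        return APP_PORTS[p] + " communication port"
    if row["remote_port"] == 80:
        return "browser download port"                 # consecutive ports from 1025 upward
    return "suspect: unexplained high port"

def suspicious(rows):
    """Map each unexplained local port to its reason and any connected peers."""
    out = {}
    for r in rows:
        label = explain(r)
        if label.startswith("suspect: "):
            entry = out.setdefault(r["local_port"], {"why": label[9:], "peers": []})
            if r["remote_port"] is not None and r["remote_ip"] != "0.0.0.0":
                entry["peers"].append(f'{r["remote_ip"]}:{r["remote_port"]}')
    return out

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for r in rows:
        print(r["proto"], r["local_port"], r["state"], "->", explain(r))
    print("Ports to investigate:", suspicious(rows))
```

A connected peer on a suspect port is the control end's address, which is what you would want to record before disconnecting.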
The former was introduced in the previous section and is not repeated here; we focus on IP scanning. Because B is running the Trojan, its Trojan port 7626 is open, so A only needs to scan which hosts in an IP range have port 7626 open. For example, suppose B's IP address is 202.102.47.56: when A's scan finds that port 7626 is open at that IP, it adds the IP to its list, and A can then use the control program to send B a connection signal through the Trojan. The Trojan on B responds as soon as it receives the signal; when A receives the response it opens a port, 1031, which connects to the Trojan port 7626 on B, and at that point the Trojan connection is truly established. It is worth noting that scanning IP addresses is obviously time-consuming, so in general the control end first obtains the server's IP through information feedback. Since dial-up IP addresses are dynamic, the user's IP differs every time it goes online, but it changes only within a certain range: if B's IP is 202.102.47.56, then B's IP when online varies within 202.102.000.000 to 202.102.255.255, so the control end only has to search that range to find B. Remote control. After the connection is established, a channel exists between the control-end port and the Trojan port. The control program on the control end contacts the Trojan on the server through this channel and uses the Trojan to control the server remotely. Here we introduce the specific control privileges the control end enjoys, which are greater than you might think.
(1) Stealing passwords: any password in plain text, in asterisk form or cached in the CACHE can be detected by the Trojan; in addition many Trojans provide keystroke logging, recording every key pressed on the server, so once a Trojan has invaded, passwords are easily stolen. (2) File operations: the control end can remotely delete, create, modify, upload, download and run files on the server and change their attributes, covering essentially every file operation on the WINDOWS platform. (3) Modifying the registry: the control end can freely modify the server's registry, including deleting, creating or modifying master keys, subkeys and values. With this feature the control end can carry out more advanced operations such as disabling the server's floppy and CD-ROM drives, locking the server's registry and setting the Trojan's trigger conditions on the server. (4) System operations: these include rebooting or shutting down the server's operating system, disconnecting the server's network connection, controlling the server's mouse and keyboard, monitoring the server's desktop, viewing the server's processes and sending messages to the server at any time; imagine the surprise when a message suddenly pops up on the server's desktop. Trojans and viruses are both man-made programs and both belong to the category of computer viruses, so why are Trojans singled out? As everyone knows, the role of early computer viruses was essentially pure sabotage, destroying the computer's information and data, apart from some viruses written to intimidate or extort for a particular purpose, or simply to show off technology. Trojans, by contrast, are used to steal game accounts, stock accounts and even online banking accounts, to spy on privacy and to obtain economic benefit. So Trojans are more useful to their authors than earlier viruses.
They serve their user's purpose much more directly! As a result, many developers with ulterior motives wrote large numbers of such theft and monitoring programs for breaking into computers, which is why so many Trojans now flood the Internet. Because of their huge number, their harmfulness and their different nature from early viruses, Trojans, although a class of virus, were split off from the virus category and given their own name. Ordinary anti-virus programs can of course kill Trojans, but because Trojans flood the Internet today, a specialized Trojan-killing tool greatly benefits an anti-virus product's quality and reputation; in fact ordinary anti-virus software includes a Trojan-killing function. If an anti-virus product had no function designed to kill Trojans, its vendor would look somewhat embarrassing, so even normal anti-virus software includes Trojan killing as part of its scanning. Another point is that separating Trojan killing out improves efficiency: many anti-virus suites' Trojan killers are designed to kill Trojans only and do not check the general virus code library, meaning that when the user runs the Trojan killer, the program consults only the Trojan code database without invoking the virus code database, which greatly improves the speed of Trojan killing. We know that ordinary virus scanning is slow because there are so many viruses: every file has to be checked against tens of thousands of Trojan signatures and then against nearly 100,000 known virus signatures, so how could it not be slow?
Dropping the general virus signature check therefore improves efficiency and speed, doesn't it? The Trojan killers that now ship with many anti-virus suites are no longer dedicated only to killing Trojans; they kill both ordinary viruses and Trojans. A Trojan's role, bluntly, is to secretly watch others, steal passwords and data, and control the machine. Methods of preventing Trojans. One current method is to rename the Windows system file mshta.exe to any name you like (on XP and Win2000 it is in system32). Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility create a new key for the Active Setup control, named with the CLSID {6E449683_C509_11CF_AAFA_00AA00B6015C}, then under it create a REG_DWORD value named Compatibility and set it to 0x00000400. Windows commands such as debug.exe can also be renamed (or deleted). Some of the newest and most effective defenses against popular Trojans: for example, one Trojan popular on the network is the smss.exe Trojan, whose main body lurks in the c:\windows directory on 98/winme/xp, or in c:\winnt on 2000.
First, end the running Trojan with a process manager, then delete the Trojan's smss.exe from the C:\windows or c:\winnt directory and create a fake smss.exe there with the read-only attribute set (on 2000/XP it is even better if you use the NTFS disk format). I have not tested this method after an infection, but it has a great effect on many Trojans after such modifications: I specifically looked for Trojan-distributing sites to test, and the result was that of about 20 Trojan sites, Rising raised an alarm on about 15 and did not react to the other 5; no new EXE files appeared on my machine and no new processes, though some remains of the Trojans stayed in IE's temporary folder, where they could not execute and posed no risk. It is recommended that you regularly clean the temporary files folder and IE's temporary files. With advances in virus-writing technology, Trojans are an ever-growing threat to users; some very cunning Trojans use means of covering themselves, so that ordinary users find it difficult to notice the infection. To counter the danger of Trojan control, take the following measures: first, install anti-virus software and a personal firewall and upgrade them promptly; second, set the personal firewall's security level so that unknown programs cannot send data out; third, consider using a browser and e-mail client with better security; fourth, if you use IE, install a security helper or the 360 browser to stop malicious web sites from installing unknown software and browser plug-ins on your computer, so that Trojans get no opportunity to invade. Remote-control Trojans include Ice, Gray Pigeon, Hing, PCshare, Net Thief and FLUX, and nowadays many Trojans use thread-injection technology.
Nowadays Trojans are often closely related to DLL files; many people call DLL Trojans the highest form of thread-injection technology. Thread injection refers to embedding the Trojan's code into a running process. In theory, under Windows each process has its own private memory space which other processes are not allowed to operate on, but in practice there are various ways to access and manipulate another process's private memory, which gives considerable authority over that remote process. In any case, the core of the Trojan code runs in another process's memory space, which not only hides it but also protects it better. A DLL cannot run on its own, so for the Trojan to run it needs an EXE file: using dynamic embedding, it gets another normal process to load the DLL, so that the embedded process calls the DLL's DllMain function and the Trojan runs; finally the starting EXE exits, and the Trojan is started. The EXE that launches the Trojan DLL plays an important role and is called the Loader. Loaders can be varied; many DLL Trojans use Windows' own Rundll32.exe as the Loader. Such Trojans usually do not need dynamic embedding: they run directly in the Rundll32 process, and even if you kill the Rundll32 process, the Trojan body still exists. This approach is not only used to start Trojans; a number of applications use the same boot method. One of the most common examples is the network name plug-in installed on many computers: run the Registry Editor and expand the Run key, and you will find Rundll32 C:\WINDOWS\Downlo~1\CnsMin.dll,Rundll32. A simple defense against DLL Trojans: killing them is harder than killing ordinary viruses and Trojans, so users should frequently check the system startup items; any unexplained extra item may be the Loader of a DLL Trojan.
If you have some programming knowledge and analysis skills, you can also find the DLL's name in the Loader, or check the processes for strange DLLs attached to them. For the average user, the simplest and most effective method is to use anti-virus software and a firewall to protect the computer. Some foreign firewall products, such as Tiny and SSM, alert the user when a DLL file is loaded, which effectively prevents a malicious Trojan DLL from being loaded. Disable System Restore (Windows Me/XP). If you run Windows Me or Windows XP, we recommend temporarily turning off System Restore. This feature is enabled by default; once files on your computer are damaged, Windows can use it to restore them. If a virus, worm or Trojan infects the computer, System Restore may back up the virus, worm or Trojan. Windows prevents external applications, including anti-virus programs, from modifying System Restore, so anti-virus programs or tools cannot remove threats in the System Restore folder. In this way System Restore may restore an infected file to your computer even after you have removed all infected files from other locations. In addition, a virus scan may keep detecting the threat in the System Restore folder even after you have removed it. Note: after the worm has been removed cleanly, follow the System Restore article mentioned above to restore the settings. Restart the computer in Safe mode or VGA mode. Shut down the computer, wait at least 30 seconds, then restart in Safe mode or VGA mode. Windows 95/98/Me/2000/XP users: restart the computer in Safe mode. All 32-bit Windows operating systems except Windows NT can be restarted in Safe mode; for more information see the document How to start the computer in Safe mode. Windows NT 4 users: restart the computer in VGA mode.
Scan and delete infected files. Start the anti-virus program and make sure it is configured to scan all files, then run a full system scan. If it detects any files infected with Download.Trojan, click the button it offers. If necessary, clear the Internet Explorer history files. If the program detects the threat inside a compressed file in the Temporary Internet Files folder, perform the following steps: start Internet
The AIDS Trojan was spread by real-life mail: the author sent letters containing floppy disks with the Trojan program to other people. It got its name because the floppy disks contained information on AIDS and HIV drugs, prices, preventive measures and the like. Once the Trojan on the floppy ran, it did not destroy data, but it locked and encrypted the hard disk and then prompted the user to pay to get it back. So second-generation Trojans already had a propagation feature (though by traditional mail). Third generation: network-transmitted Trojans. With the spread of the Internet, this generation has both the disguise and propagation features of the first two generations and uses TCP/IP network technology to spread widely. It also has new features. First, a backdoor is added. A so-called backdoor is a secret program that provides open access to a computer system; once installed, it lets an attacker bypass security procedures to enter the system. Its purpose is to collect important information in the system, such as financial reports, passwords and credit card numbers. The attacker can also use the backdoor to control the system and make it an accomplice in attacking other computers. Because the backdoor runs hidden behind the system, it is hard to detect, unlike viruses and worms, which draw attention through memory consumption. Second, keyboard logging is added. As the name says, the keylogger's main function is to record everything the user types and send the log file to the malicious user, who can find the user's name, password, credit card number and other information in it. Well-known Trojans of this generation include the foreign BO2000 (BackOrifice) and the domestic Ice. They share the following features: they are network-based client/server applications.
They can collect information, execute system commands, reset the machine, redirect and so on. When a Trojan attack succeeds, the computer is completely under the hacker's control as a puppet host: the hacker becomes its super-user, none of the user's operations on the computer are secret from him, and the hacker can remotely use the puppet host to attack other hosts, so the captured puppet becomes a shield and springboard for further attacks. Although Trojans are becoming more and more subtle, flies do not bite an egg without a crack: as long as you raise your personal security awareness, you can greatly reduce the risk. The author makes the following recommendations: install personal anti-virus and personal firewall software; install system patches promptly; ignore e-mail and plug-ins from unknown sources; visit security sites often to keep abreast of new Trojans, so that you know both yourself and the enemy. Basics. Before introducing the principles of Trojans we need to describe some basics in advance, because much of the content below refers to them.
The key role of this function is to make up for a Trojan weakness. We know that when the server-side user opens the file containing the Trojan, the Trojan copies itself into the Windows system folder (the C:\WINDOWS or C:\WINDOWS\SYSTEM directory); in general the original Trojan file and the copy in the system folder have the same size (except for bundled Trojans). So a user who has received a Trojan only needs to find the original Trojan file among recently received mail and downloaded software and then look in the system folder for a file of the same size to determine which file is the Trojan. The self-destruction function means that once the Trojan is installed, the original Trojan file is destroyed automatically, so that the server-side user finds it hard to locate the Trojan's source; without the help of a Trojan-killing tool the Trojan is then difficult to remove. (F) Trojan renaming. The file name of a Trojan installed in the system folder is usually fixed, so by following a Trojan-killing article you could look for a specific file in the system folder and determine which Trojan it is. Therefore many Trojans now let the controlling user freely customize the Trojan file name after installation, which makes identifying the type of Trojan difficult.