Unveil the mystery of Trojans (Part 1)

zhaozj, 2021-02-08


Shotgun · Yesky

Foreword

A year has passed. Everyone now has some understanding of Trojan remote-control software: it modifies the registry, it listens on a port, and so on, whereas a year ago almost nobody knew what a Trojan was. That is a qualitative leap. But in an age when even a "rookie" checks ports with NetStat and protects the registry with LockDown, have Trojans simply stopped developing and waited to be "killed"? Obviously not. Trojans have also progressed during this year; they have become more concealed and more flexible. By analysing how Trojans have developed over the past year, this article tries to introduce the latest Trojan attack and defence techniques, so that everyone can move about the Internet more safely. (The default operating system in this article is Win2000; the default programming environment is VC 6.0.)

In the past year there have been many famous Trojans: SUB7, BO2000, Ice and others. They all share several common features, for example opening a TCP port to listen on and writing to the registry. Many anti-Trojan tools, such as LockDown2000 and Cleaner, target exactly these features: they generally look for Trojans by checking the registry and the ports. (Some also search by signature; we will not discuss that, since everyone knows that as soon as the source code is changed slightly, a signature search is useless.) Some even claim to prevent next year's Trojans. And thanks to everyone's constant publicity, the following rules have become well known:

1. Don't download executables from unknown websites, and don't casually run software given to you by others;
2. Don't trust strangers, and don't casually open e-mail attachments;
3. Check your system files, registry, ports and processes often;
4. Read the latest Trojan bulletins often and update your firewall's Trojan database.

It seems the characteristics of the first-generation Trojan are already familiar to everyone, and in this situation life as an "underground worker" would be very hard for a Trojan. So, is the Trojan just waiting to be slaughtered? Will the Trojan, as a species, go extinct? No! In order to survive it is also evolving; while we relaxed and celebrated victory, the Trojan underwent several qualitative mutations. Today's Trojans are more concealed, more cunning, harder to discover and more powerful.

I. The port

Just as illness enters through the mouth, the port is the Trojan's biggest weakness. After everyone's constant publicity, even a "rookie" who has just got online knows how to check ports with NetStat. Trojan ports have moved higher and higher and have increasingly imitated system ports, yet the probability of discovery keeps growing. However, the port is the Trojan's lifeline: without a port a Trojan cannot communicate with the outside world, let alone be remotely controlled. To resolve this contradiction, Trojans studied the details of Richard Stevens' book on the TCP/IP protocol and decided to abandon the port they depend on and go underground. How do they contact the control end after giving up the port? Different Trojans use different methods, which fall roughly into two kinds: parasitic and latent.

1. Parasitic. The Trojan finds an already-open port and lives on it, usually only listening, and acts only when it encounters special instructions. Because the Trojan is in fact parasitic on an existing system service, nothing looks abnormal when you scan or inspect the system's ports. As far as I know, this is relatively simple on Windows 98 but much more troublesome on Win2000. Since the author has not studied this technology in depth, it will not be explained here; interested friends can visit http://www.ahjmw.gov.cn/cit/ or the Winsock section of Western Hall for related material.

2. Latent. The Trojan communicates using a protocol of the IP family other than TCP/UDP, thereby slipping past NetStat and port-scanning software. A fairly common latent method uses ICMP. ICMP (Internet Control Message Protocol) is an adjunct of the IP protocol; its messages are handled directly by the kernel or by a process, without going through a port. The most familiar use of ICMP is ping, which uses ICMP echo request and echo reply messages. An ordinary ICMP Trojan listens for ICMP packets, and when a special packet arrives (a special size, a special packet structure, etc.) it opens a TCP port and waits for the control end. While inactive the Trojan is invisible, but once the control end connects, a connection in the Established state can be seen locally (if the port's maximum connection count is set to 1, a remote port scanner using the connect method cannot discover the port either). A true ICMP Trojan passes both data and control commands strictly within ICMP (the data travels inside ICMP packets), so the whole process is invisible unless network traffic is analysed with sniffing software.

3. Besides parasitism and latency, Trojans have other, better ways to hide, such as programming the NIC or modem directly, which requires higher programming skill.
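The defensive counterpart of the "latent" ICMP channel is to look at the echo traffic itself rather than at ports. The following is an added example, not code from the article: it parses raw ICMP messages (header plus payload, without the IP header), verifies the RFC 1071 checksum, and flags echo packets whose size or payload pattern differs from what stock ping clients send. The sample captures are constructed inline; the "stock" payload patterns are those of the Windows and iputils ping tools.

```python
"""Flag ICMP echo traffic that does not look like an ordinary ping.

Added example for the latent (ICMP) channel described above; not code from
the article. Input is a raw ICMP message: 8-byte header followed by payload.
"""
import struct
from typing import Dict, List

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
HEADER_FMT = "!BBHHH"                 # type, code, checksum, identifier, sequence
HEADER_LEN = struct.calcsize(HEADER_FMT)

# Payloads produced by stock ping clients (assumption: these two are the
# patterns considered "normal" on the monitored network).
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32 bytes
LINUX_TAIL = bytes(range(0x08, 0x38))                    # 48 bytes after an 8-byte timestamp


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an echo message with a correct checksum (used only to construct sample captures)."""
    header = struct.pack(HEADER_FMT, icmp_type, 0, 0, ident, seq)
    chk = icmp_checksum(header + payload)
    return struct.pack(HEADER_FMT, icmp_type, 0, chk, ident, seq) + payload


def inspect_echo(msg: bytes) -> List[str]:
    """Return findings for one raw ICMP message; an empty list means it looks like a normal ping."""
    findings: List[str] = []
    if len(msg) < HEADER_LEN:
        return ["truncated ICMP header"]
    icmp_type, code, _chk, _ident, _seq = struct.unpack(HEADER_FMT, msg[:HEADER_LEN])
    payload = msg[HEADER_LEN:]
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return []                      # other ICMP types need their own rules
    if code != 0:
        findings.append("echo with non-zero code %d" % code)
    if icmp_checksum(msg) != 0:
        findings.append("bad checksum")
    # A payload that matches a known ping client is accepted as-is.
    if payload == WINDOWS_PATTERN or (len(payload) == 56 and payload[8:] == LINUX_TAIL):
        return findings
    if len(payload) > 64:
        findings.append("oversized payload (%d bytes)" % len(payload))
    findings.append("payload does not match a stock ping pattern")
    return findings


def scan(messages: List[bytes]) -> Dict[int, List[str]]:
    """Map index -> findings for every message that produced at least one finding."""
    report = {}
    for i, m in enumerate(messages):
        findings = inspect_echo(m)
        if findings:
            report[i] = findings
    return report


# Constructed sample capture: two normal pings, then two that deserve a closer look.
SAMPLE_MESSAGES = [
    build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, WINDOWS_PATTERN),
    build_echo(ICMP_ECHO_REQUEST, 0x1234, 2, b"\x00" * 8 + LINUX_TAIL),
    build_echo(ICMP_ECHO_REQUEST, 0x1234, 3, b"\x00" * 200),          # unusual size
    build_echo(ICMP_ECHO_REPLY, 0x1234, 3, bytes(range(0xF0, 0x100))),  # unusual body
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_MESSAGES).items():
        print("message %d: %s" % (idx, "; ".join(findings)))
```

On a real host the input would come from a raw socket or a capture file; the rules are deliberately simple (size and known payload pattern), because the article's point is that the trigger is "a special packet", and the cheapest signal for that is echo traffic that no ordinary ping client would generate.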
II. Hiding the process

In the Win9x era, simply registering as a service process made a program disappear from the task list. But today, with Windows 2000 prevalent, this method has fallen out of use: a program registered as a system process is not only visible in the Task Manager but can be started and stopped directly in Services (too funny: a Trojan controlled by its victim). A hidden window or console cannot deceive the all-seeing administrator either (remember, in NT the Administrator can see every process). After studying the strengths of other software, Trojan authors found that the hooking technique used by Chinese-language add-on software under Windows is very suitable for Trojans. DLL hooking is an advanced programming technique for DLLs (dynamic link libraries). The programmer replaces a known system DLL with a Trojan DLL that filters every function call: normal calls are forwarded directly, through function forwarders, to the replaced system DLL, while for certain pre-arranged calls the DLL performs its own corresponding operations. Doing everything inside the DLL without a separate process would be even more concealed, but it greatly increases the difficulty of writing the program. In practice, most Trojans only use the DLL to listen; once a connection request is detected the Trojan activates itself, and a process bound to a port carries out the normal Trojan operations. After the operation completes, that process is closed and the DLL goes back to sleep.
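Because the replaced DLL forwards normal calls to the real one, the system keeps working and nothing looks wrong from inside; what does change is the file content. The example below is added here and is not the article's code: it records SHA-256 digests of a set of library files once, then reports files that were replaced, removed or added. The sample files (with constructed names) are created in a temporary directory, and the "replacement" keeps the same size and modification time to show that size and timestamp checks alone would miss it.

```python
"""Compare library files against a recorded hash baseline.

Added example for the DLL-replacement technique described above; not code
from the article. Works on any OS; the .dll suffix and file names are
constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large libraries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory: str, suffix: str = ".dll") -> Dict[str, str]:
    """Record name -> digest for every file with the given suffix (taken on a known-clean system)."""
    baseline = {}
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(suffix):
            baseline[name] = file_digest(os.path.join(directory, name))
    return baseline


def compare_to_baseline(directory: str, baseline: Dict[str, str],
                        suffix: str = ".dll") -> Dict[str, List[str]]:
    """Classify differences between the current directory contents and the baseline."""
    current = build_baseline(directory, suffix)
    return {
        "replaced": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "added": sorted(n for n in current if n not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Build a baseline over constructed files, then simulate a same-size, same-mtime swap."""
    with tempfile.TemporaryDirectory() as d:
        originals = {"sample_a.dll": b"A" * 4096, "sample_b.dll": b"B" * 4096}
        for name, body in originals.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(d)

        # Simulated replacement of sample_b.dll: identical length, identical timestamp,
        # different content (the only thing a forwarding DLL cannot preserve).
        target = os.path.join(d, "sample_b.dll")
        st = os.stat(target)
        with open(target, "wb") as f:
            f.write(b"C" * 4096)
        os.utime(target, (st.st_atime, st.st_mtime))
        # A new library dropped beside the originals is reported separately.
        with open(os.path.join(d, "sample_c.dll"), "wb") as f:
            f.write(b"D" * 16)

        assert os.stat(target).st_size == st.st_size and os.stat(target).st_mtime == st.st_mtime
        return compare_to_baseline(d, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must be taken from a known-clean system and stored off the host, and a check like this is only trustworthy when the code reading the files is itself trusted, so run it from boot media or against an offline copy of the disk rather than from inside a system whose DLLs may already be hooked.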

When reprinting, please credit the original address: https://www.9cbs.com/read-2463.html
