Unveiling the mystery of Trojans (Part II)
Shotgun · Yesky
Third: the struggle for control of the system

Trojans are not content to stay on the defensive; they attack, and they take the initiative. The overflow Trojans on WinNT are of this active kind: they do not simply load, wait, and carry out commands, but use the vulnerabilities of various systems to try to make themselves the owner of the system, Admin, or even its controller, SYSTEM. So what methods does a Trojan use to change its face and become the master of the system?

The first is, obviously, the registry. The registry's long history has made Trojans very familiar with its structure and characteristics (can you be more familiar with it than a Trojan is?). Windows 2000 has several registry permission vulnerabilities that let an unauthorized user rewrite Admin's settings and force Admin to run the Trojan. This method is easy, but it will be detected by most firewalls.

Second, a Trojan can use the system's permission vulnerabilities to rewrite Admin's files, configuration, and so on. This is very easy to use when Admin has Active Desktop enabled, but against an experienced administrator it is not very effective.

The third choice is a local overflow vulnerability in the system. Because the Trojan runs locally, it can obtain SYSTEM privileges through a local overflow vulnerability (such as the local overflow vulnerabilities in IIS). Yuan Ge and many assembly masters have already covered this material, so I will not repeat it here. (Secretly telling you: actually I can't do it myself either; I can only use the overflow code, and that is what I use here too...)

Fourth: firewall attack and defense

Now that firewalls are so popular, some people may say: "I have installed a firewall, so whatever Trojan you use and whatever you do, the firewall is there and you can't get in." Similarly, for a machine inside a LAN, the original kind of Trojan cannot control it effectively (will the gateway do NAT for you?).

A city wall, however, has never stopped a Trojan horse. In the Trojan War of ancient Greece, the people tore down their own wall to welcome the wooden horse in, and on today's Internet, Trojans still get the firewall broken from the inside by means of their stealth and deception. The bounce-port Trojan embodies this idea very clearly. Its designers analysed the characteristics of firewalls: a firewall usually filters inbound connections very strictly but is lax about outbound connections. So, unlike an ordinary Trojan, the server (controlled end) of a bounce-port Trojan uses an active port and the client (controlling end) uses a passive port. The Trojan periodically checks whether the controlling end is present, and as soon as it finds it, it opens a port and actively connects to the passive port opened on the controlling end. For concealment, the controlling end's passive port is usually opened on 80, so even if the user checks their own ports with a port scanner, they see something like `TCP Userip:1026 Controllerip:80 ESTABLISHED`, and a slightly careless user will assume they are just browsing the web. (The firewall will think so too; I doubt there is any firewall that refuses to let users out on port 80, heh.) Some will ask: how does the server know the IP address of the controlling end? Can the controlling end only use a fixed IP address? Haha, wouldn't that be giving yourself away? One check and it would be found. In fact, this kind of bounce-port Trojan usually uses a third-party fixed-IP storage location to hold the controlling end's IP address.
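As an added detection example (not from the original article), the following Python script checks netstat-style connection listings for the symptom described above: an ESTABLISHED connection to port 80 or 443 owned by a process that is not a known browser. The netstat lines, the PID-to-image mapping, and the process names in them are constructed sample data; on a real host both would be collected from the operating system.

```python
"""Flag established outbound connections to web ports whose owning process is
not a browser: the footprint of a bounce-port Trojan hiding behind port 80."""
import re
from collections import namedtuple

# Constructed sample in 'netstat -ano' layout: proto, local, foreign, state, PID.
NETSTAT_LINES = """  TCP    192.168.1.10:1026    203.0.113.7:80      ESTABLISHED     1844
  TCP    192.168.1.10:1031    198.51.100.20:80    ESTABLISHED     2412
  TCP    192.168.1.10:1040    198.51.100.21:443   ESTABLISHED     2412
  TCP    0.0.0.0:135          0.0.0.0:0           LISTENING       812
  TCP    192.168.1.10:1055    203.0.113.7:80      TIME_WAIT       0
""".splitlines()

# Constructed PID -> image-name map (on a real host: tasklist / Get-Process).
PROCESS_BY_PID = {1844: "svchost32.exe", 2412: "iexplore.exe", 812: "svchost.exe"}

WEB_PORTS = {80, 443}
ALLOWED_BROWSERS = {"iexplore.exe", "firefox.exe"}  # assumed site allow-list

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(lines):
    """Parse netstat -ano style lines; rows without a state/PID are skipped."""
    conns = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state, pid = m.groups()
            conns.append(Conn(proto, lip, int(lport), rip, int(rport), state, int(pid)))
    return conns


def suspicious_web_connections(conns, proc_by_pid, browsers=ALLOWED_BROWSERS):
    """Return (connection, image) pairs that look like browsing but are not a browser."""
    hits = []
    for c in conns:
        if c.proto != "TCP" or c.state != "ESTABLISHED" or c.remote_port not in WEB_PORTS:
            continue
        image = proc_by_pid.get(c.pid, "<unknown>")
        if image.lower() not in browsers:
            hits.append((c, image))
    return hits


if __name__ == "__main__":
    for c, image in suspicious_web_connections(parse_netstat(NETSTAT_LINES), PROCESS_BY_PID):
        print(f"{image} (pid {c.pid}) -> {c.remote_ip}:{c.remote_port} is not a browser")
```

A connection held open to the same remote address on port 80 by a non-browser process, reappearing at regular intervals, is exactly the pattern the article says a careless look at the port list would mistake for web browsing.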