Hacker experts explain four popular backdoor technologies

Source: Internet
Author: User

Anyone whose machine has been hit by a Trojan or backdoor (from here on simply "backdoor") will not forget the mess that followed. So people turned to active defense, from patches to firewalls; some would gladly put a checkpoint on the network cable itself. Under this variety of defenses a great many backdoors fell, and newcomers no longer had to worry about going online ...... But did the backdoors stop? Of course not. Beneath the calm, a new batch of backdoors is slipping in by the back road ......

1. The target comes to the intruder

What is hacker A doing, connected to the network but showing no activity? All we see is that he lights a cigarette and seems to be staring into space ...... After a while he suddenly drops the cigarette and both hands start hammering the keyboard. Through the screen we learn that he has already entered a server inside a company, a server sitting behind a firewall, deep inside the network ...... How did he do it? Is he a god? Let us rewind the camera to a moment ago. Hacker A glances through the smoke at a program window, and suddenly the window changes. At that same moment hacker A starts typing, and the next thing on screen is the familiar control interface. You may not believe your eyes: did the machine find him? Impossible ...... Yet that is exactly what happened: the server found him. Hacker A is no great technician either. He simply used a backdoor that turns guest into host, a bounce (reverse-connection) Trojan.

As everyone knows, an intrusion is usually an attack started by the intruder. It is a kind of hunting, and the hunter can do little about prey that is well guarded. For intruders who use bounce technology, however, life is far easier: the bounce Trojan is the wolf grandmother, waiting for Little Red Riding Hood to deliver herself to the door. In an ordinary intrusion the attacker runs the control program to find and connect to the victim's computer; a bounce intrusion is the reverse. It opens a port on the attacker's own computer and lets the victim make contact with the intruder by itself, handing over control. Because most firewalls only inspect data coming in from outside and close their eyes to data going out from inside, the tragedy happens.

The bounce Trojan works like this: the victim (the computer running the server side of the bounce Trojan) repeatedly sends connection requests to the control end, and keeps requesting until it connects successfully; the control end then accepts the server's connection request, and a trusted transmission channel is established between the two. Finally the control end does the usual thing: it takes control of the victim. Because the connection is initiated by the victim, the firewall raises no alarm in most cases. Moreover, this connection mode can break out of an intranet and establish a connection with the outside, so the intruder can easily get into internal computers.

Although a bounce Trojan is more fearsome than an ordinary Trojan, it has an inherent weakness: its concealment is not good enough, because it has to open a random port locally; as long as the victim has a little experience, recognizing a bounce Trojan is not difficult. So another kind of Trojan was born.
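The reconnect loop described above leaves a trace on the victim's side: outbound connection attempts to the same destination at nearly fixed intervals. The following is an added detection example, not code from the original article; it assumes a simple constructed log format of "time src -> dst:port" and flags flows whose connection gaps have very little jitter.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound-connection log lines; the layout
# "<ISO time> <src_ip> -> <dst_ip>:<dst_port>" is assumed for this example.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 -> 198.51.100.7:2222
2024-03-01T10:00:03 10.0.0.5 -> 203.0.113.20:443
2024-03-01T10:00:07 10.0.0.5 -> 203.0.113.20:443
2024-03-01T10:00:30 10.0.0.5 -> 198.51.100.7:2222
2024-03-01T10:01:00 10.0.0.5 -> 198.51.100.7:2222
2024-03-01T10:01:31 10.0.0.5 -> 198.51.100.7:2222
2024-03-01T10:02:00 10.0.0.5 -> 198.51.100.7:2222
2024-03-01T10:03:40 10.0.0.5 -> 203.0.113.20:443
2024-03-01T10:04:00 10.0.0.5 -> 203.0.113.20:443
2024-03-01T10:09:15 10.0.0.5 -> 203.0.113.20:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

def parse_log(text):
    """Group connection timestamps by (src, dst, dst_port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows[(m.group(2), m.group(3), int(m.group(4)))].append(datetime.fromisoformat(m.group(1)))
    return flows

def find_beacons(text, min_connections=5, max_jitter=0.2):
    """Flag flows whose gaps between connections are nearly constant, the signature of a reconnect timer.
    Returns (flow, mean gap in seconds, jitter as coefficient of variation) for each hit."""
    hits = []
    for key, times in parse_log(text).items():
        times.sort()
        if len(times) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue                      # everything in the same second: not a timer
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append((key, round(mean, 1), round(jitter, 3)))
    return hits
```

In the constructed sample the flow to port 2222 reconnects every 30 seconds and is flagged, while the web browsing flow to port 443 has irregular gaps and is not.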

2. A normal connection that will not sit still

Many users now run their own HTTP servers, which means the machine opens port 80, and that is normal. But who would have guessed that a new technique would bring pain to countless network administrators by turning a normal service into a weapon for intruders.

When a machine is planted with a Tunnel, its HTTP port is rebound by the Tunnel: data sent to the WWW service program is passed at the same time to the Tunnel underneath. The intruder pretends to browse a web page (as far as the machine can tell) but actually sends specially crafted request data (still conforming to the HTTP protocol). Both the Tunnel and the WWW service receive it; because the requested page usually does not exist, the WWW service returns an HTTP 404 response, while the Tunnel gets busy ......

First the Tunnel sends confirmation data to the intruder, reporting that the Tunnel exists. Then the Tunnel immediately makes a new connection to fetch the attacker's attack data, and processes the data the intruder sends through the HTTP port. Finally the Tunnel carries out whatever the intruder wants. Because this looks like "normal" data transmission, the firewall sees nothing. But what if port 80 is not open on the target? Opening a port without authorization would be suicide. The intruders, though, will not forget the lovable NetBIOS port, port 139, which has been open and sharing data for years. Why? Tunnel technology makes the backdoor better hidden, but that does not make it flawless, because an experienced administrator will notice something abnormal with a Sniffer ...... The Tunnel attack was cracked by the administrator. However, a more terrible intrusion is on its way ......
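The web server's own access log records the side effect of this technique: one client repeatedly requesting the same nonexistent page, receiving 404, yet sending a noticeable amount of request data each time. The following is an added example, not code from the article; it assumes a constructed log layout of client, request line, status, bytes received and bytes sent (Apache can log bytes received with mod_logio's %I).

```python
import re
from collections import defaultdict

# Constructed access-log sample. Assumed layout per line:
# client_ip "METHOD path" status bytes_received bytes_sent
SAMPLE_ACCESS_LOG = """\
203.0.113.9 "POST /images/spacer.gif" 404 2048 312
198.51.100.3 "GET /index.html" 200 0 5120
203.0.113.9 "POST /images/spacer.gif" 404 2048 312
198.51.100.3 "GET /missing.css" 404 0 312
203.0.113.9 "POST /images/spacer.gif" 404 2048 312
198.51.100.3 "GET /about.html" 200 0 2048
203.0.113.9 "POST /images/spacer.gif" 404 2048 312
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) (\d+) (\d+)$')

def summarize_404s(text):
    """Per client: request count, 404 count, bytes the client sent on 404 requests, distinct 404 targets."""
    stats = defaultdict(lambda: {"total": 0, "n404": 0, "bytes_in_404": 0, "paths_404": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, path, status, recv, _sent = m.groups()
        s = stats[client]
        s["total"] += 1
        if status == "404":
            s["n404"] += 1
            s["bytes_in_404"] += int(recv)
            s["paths_404"].add((method, path))
    return stats

def suspicious_404_clients(text, min_404=3, min_ratio=0.8, min_bytes=1024):
    """Flag clients whose 404s are frequent, repetitive and carry data upstream:
    a browser rarely POSTs kilobytes to the same missing page again and again."""
    hits = []
    for client, s in summarize_404s(text).items():
        ratio = s["n404"] / s["total"]
        if (s["n404"] >= min_404 and ratio >= min_ratio
                and s["bytes_in_404"] >= min_bytes and len(s["paths_404"]) <= 2):
            hits.append((client, s["n404"], s["bytes_in_404"]))
    return hits
```

An ordinary visitor who hits one broken stylesheet link (198.51.100.3 in the sample) is not flagged; the thresholds are starting points to tune against your own server's normal 404 rate.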

3. Useless data transmission?

The thief under your nose: ICMP

ICMP, the Internet Control Message Protocol, is the most common kind of network packet. In recent years it has been widely used in flood attacks, but few people have noticed that ICMP has also quietly joined the Trojan war ...... The most familiar ICMP packet is the pathfinder, PING, which is actually ICMP type 8 data; the protocol requires the remote machine to return a type 0 response after receiving it, reporting "I am online". But because an ICMP packet can itself carry data, it was destined to become a good helper for intruders. Because ICMP packets are handled by the system kernel and occupy no port, they have high priority. ICMP is like a relative of the system kernel whom no guard will stop. And so the country grandmother with a weapon in her basket knocked on the president's door ......

Backdoors that use special ICMP data are quietly becoming popular. This seemingly normal data manipulates the victim right under the firewall's surveillance. Even an experienced administrator would not suspect that these "normal" ICMP packets are devouring his machine. Someone may say: capture the packets. In practice, however, most ICMP messages that carry data are encrypted; how would you check them?

Still, ICMP is not invincible. More experienced administrators simply disable all ICMP traffic, so that this relative never comes near the system again. This affects some normal functions of the system, but to avoid being murdered by a relative we can only put up with it. The most intimate and least suspected person is the one most likely to kill you.

The unusual postman: IP header tricks

We all know that the network is built on IP datagrams and that everything must pass through IP, yet even this most basic postman, the IP packet, has been bought off by intruders; this war never stops ...... Why? Look at the structure of an IP datagram. It has two parts, a header and a body. The header carries address information and identification data, like an envelope; the body is the data we are familiar with, like the letter. All packets travel inside IP packets. Usually we only pay attention to what is written on the letter and ignore whether the envelope has been coated with potassium cyanate. As a result, many administrators died of an incurable disease ......

The fault lies in a defect of the protocol specification, and it is not the only one: SYN attacks are also caused by a flaw in the protocol specification, and both make use of the IP header. SYN uses a fake envelope, while this Trojan applies its poison to the spare blank space on the envelope. The IP protocol specification reserves a certain length in the IP header for flags (express? ordinary mail?) and additional data (remarks on the message). As a result, the IP header contains several bytes of white space. Do not underestimate that white space; it can carry highly toxic substances. Such seemingly harmless letters are not intercepted by the guard, and the president dies in his office without knowing what hit him ......

The intruder fills the white space of the IP header with short fragments of attack data; if there is too much data, a few more messages are sent. The postman that has been smuggled into the victim's machine records the "superfluous" content of each envelope, and when the contents can be pieced together into an attack command, the attack begins ......
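Both the ICMP section and the IP header section above come down to the same defender's question: does this packet carry more than a normal ping should? The following is an added inspection example, not code from the article. It parses a raw IPv4 packet, reports IP header options (the "white space" beyond the 20 mandatory bytes), and compares echo payloads against the filler pattern used by Linux iputils ping (an assumption: other ping implementations use other fillers) plus an entropy check for encrypted-looking data.

```python
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for constant data, near 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def inspect_packet(raw: bytes) -> list:
    """Findings for one raw IPv4 packet; an empty list means it looks like an ordinary ping."""
    findings = []
    ihl = (raw[0] & 0x0F) * 4
    if ihl > 20:
        # Only 20 header bytes are needed without options; the rest is optional space.
        findings.append(f"ip-options:{ihl - 20}B")
    if raw[9] != 1:                     # protocol field: 1 = ICMP
        return findings + ["not-icmp"]
    icmp = raw[ihl:]
    if icmp[0] in (0, 8):               # echo reply / echo request
        payload = icmp[8:]
        # Linux iputils ping fills payload byte i with value i for i >= 16 (first 16 bytes hold
        # a timestamp). Assumption: adjust this pattern for the ping clients on your network.
        if payload[16:] != bytes(range(16, len(payload))):
            findings.append("echo-payload-nonstandard")
        if shannon_entropy(payload) > 5.0:
            findings.append("echo-payload-high-entropy")
        if len(payload) > 64:
            findings.append(f"echo-payload-large:{len(payload)}B")
    return findings

def build_packet(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed sample IPv4 + ICMP echo request (checksums left 0; inspect_packet ignores them)."""
    ihl = 5 + len(options) // 4
    total = ihl * 4 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total, 0x1234, 0, 64, 1, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])) + options
    return ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload

# Constructed samples: a default 56-byte Linux ping, hash output standing in for encrypted
# tunnel data, and a normal ping whose IP header carries four NOP options.
NORMAL_PING = build_packet(bytes(16) + bytes(range(16, 56)))
TUNNEL_PING = build_packet(b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(3)))
OPTIONS_PING = build_packet(bytes(16) + bytes(range(16, 56)), options=b"\x01\x01\x01\x01")
```

Running inspect_packet over the three samples returns no findings for the normal ping, nonstandard/high-entropy/large findings for the hash-filled one, and "ip-options:4B" for the packet with header options.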

Conclusion

Today, backdoor technology is no longer a rigid machine-against-machine war; backdoors have learned to exploit human nature. If defense technology stays stuck at simple judgment and processing of data, there will be endless new backdoors. Real defense must rest on human management and operation rather than on machine code alone. Otherwise, your machine will be taken ......
