Analyze and clear the Web server on a Trojan horse

Many friends have encountered such a phenomenon: open a Web site, the results of the page has not been shown, anti-virus software began to alarm, prompted detection Trojan virus. Experienced friends will know that this is a Web page malicious code, but their open is clearly a regular website, no regular website will put the virus on their own web page it? So what led to this phenomenon? One of the most likely reasons for this is that the site has been put on a horse.

The word "hang horse" we often seem to be able to hear, so what is the hanging horse? The horse is a hacker invaded a number of websites, will write their own web Trojan embedded in the homepage of the black site, using the traffic of the black site will be their own web Trojan spread away to achieve their own ulterior motives. For example, many game sites are hung horse, the purpose of hackers is to steal browsing the site of the game account, and those large sites were hanging horses, is to collect a large number of chickens. The site is not only the horse will let their own site loss of credibility, a large number of customers lost, but also let us these ordinary users into hackers set traps, into the hacker's broiler. Let's take a look at the most popular hacker attacks here.

Hanging Horse's core: Trojan

From the word "hang the horse" we can know that this and the Trojan is not separated from the relationship. Indeed, the purpose of hanging a horse is to spread the Trojan, hanging a horse is only a means. The Trojan Horse used can be roughly divided into two categories: a kind of remote control for the purpose of the Trojan, hackers use this Trojan horse to attack, the purpose is to get a large number of chickens, In this case, a denial-of-service attack or other purpose is implemented for some Web sites (at present, most of the dummy computers that implement Denial-of-service attacks are victims of horse-mounted attacks). The other is a keyboard record Trojan, we usually call it stolen Trojan, its purpose is self-evident, are directed at our game account or bank account. Most of the Trojans used for horse-hanging are the latter.

The killing trick of a Trojan horse

As a horse used to hang the trojan, its concealment must be high, so that users can unknowingly run the Trojan, but also to hang a horse's page to survive more time. Hackers in order to allow Trojans to avoid the killing of anti-virus software, the use of a lot of tricks. Commonly used methods are:

Shell processing: The concept of shell we have introduced, is to let others can not modify the compiled program files, while compressing the volume of the program. Trojan After adding shell this process is likely to escape the killing of antivirus software, which is why we installed anti-virus software will also infect the cause of the old virus. Although the current anti-virus software to support the program after the shelling, but only limited to some of the more popular shell procedures, such as Aspack, UPX, and so on, and encountered some after the shell process after the Trojan, can do nothing. So the shell is still more commonly used by hackers to kill one of the tricks.

An unpopular shell-adding program

Modified Signature: Antivirus software is based on virus signatures to determine whether a program is a virus. When the antivirus software detects the program, if the virus signature is found in the program, the program is judged as a virus. Hackers certainly understand this truth, so they will modify the Trojan is defined as a part of the code, encryption or use assembly instructions to its jump, so that anti-virus software can not find virus signatures in Trojans, nature will not be judged as a virus.

Although these two methods can escape the killing of antivirus software, but we still have a way to prevent the Trojan Horse, specific methods will be in the prevention section. So how does the Trojan "hang" on the website? Here we take "gray pigeon" Trojan as an example, demonstrating the process of the hacker hanging Horse. Demo with the "Gray Pigeon" Trojan has been spared the treatment, anti-virus software can not kill.

Lurking attackers: Web Trojan

Why do we open the Web page will run Trojan program, Trojan is how to "hang" on the site? This will involve the concept of "Web Trojan". Trojan Horse is a Trojan and Web page together, open the Web page will also run the Trojan horse. The original web Trojan principle is the use of IE Browser ActiveX control, running a Web Trojan will pop up a control download prompts, only click to confirm the Trojan horse will run. This kind of webpage Trojan at that time network security consciousness generally not high situation still have a little use value, but its shortcoming is obvious, be to appear ActiveX control download hint. Of course, few people now click on the inexplicable ActiveX control Download Confirmation window.

In this case, the new Web Trojan was born. This kind of Trojan horse usually take advantage of the vulnerability of IE browser, in the runtime without the slightest hint, so the concealment is very high. It can be said that the Internet Explorer is an endless stream of vulnerabilities caused by the Web Trojan Horse rampant network. For example, the recent IE Browser Vulnerability ms06-014 can be used to make an absolutely hidden web Trojan. Let's take a look at the process of making Web Trojans using ms06-014.

Web Trojan Of course, there are Trojans, here we use the above mentioned "Gray pigeon" Trojan. Then we're going to download a ms06-014 Web Trojan generator. Then there is a page space, after the three are ready, you can start testing.

Build a Web Trojan

First of all, the Trojan program uploaded to the Web page space. Run "ms06-014 Trojan Generator", in the "Trojan address" to fill in the already uploaded to the space Trojan site, and check the bottom of the "hidden source" option. The role of this option is when the Trojan horse, will automatically empty the Web page source files, users even if the suspicion can not find traces. Of course, the empty is the user opened the source files, and the Web Trojan is not affected. Click "Generate Net Horse" button can be in the same directory of the program to generate a Web Trojan named muma.htm.

Configure the Web Trojan to continue the configuration of the Web Trojan, in the "To encrypt the Web page" to browse the selected generated Trojan horse. Web Trojan in the run will use IE loophole, which is certainly a loophole in the use of code, the code will be anti-virus software detection, so want to hide the Web trojan, encryption Trojan program is not enough, also need to encrypt the Web Trojan. "Ms06-014 Trojan Generator" in the "encryption method" provides four kinds of Web page encryption method, namely: null character encryption, escape character encryption, escape encryption and split signature. Here we use the "Escape character Encryption" encryption, select the "Escape character encryption" option, click on the "Encryption" button, the Web-free Trojan is generated. The encrypted Web page will be uploaded to the Web space immediately.

Find defective websites, write web Trojans

The Web Trojan is ready, waiting to find the target site of the horse. At this time hackers will search everywhere, looking for a script defect of the site program, find the use of web site procedures to invade the site, and get a Webshell site. At this time we can edit the content of the homepage of the website, the code to be hanged horse can be inserted. Code is: <iframe src= "/muma.htm"; Width= "0" height= "0" frameborder= "0" ></IFRAME>,SRC parameter is the address of the Web Trojan. When we open the homepage of this site, will pop up the page of the Trojan, this page we can not see, because we set up in the Code pop-up page of the window width of 0. At this time the Trojan has been quietly downloaded to the machine and run. We can see that the site's home page shows normal, anti-virus software and no response, and the Trojan has been running, visible Trojan hidden very high, the harm is also quite serious.

"Horse" attack has become the most popular attack mode, the face of a large number of "hanging horse" site, how should we defend it? As a webmaster, how do we know that their site has been hung horse? Webmaster Prevention: If you are a webmaster, you can check the home page and other main pages of the source code, such as the use of Notepad to open these pages, to "<iframe>" for the keyword search, find after you can see whether the horse code. However, experienced hackers, will write a piece of code to the whole line of the horse code encryption, so we can hardly find the Web page of the horse code. At this time, we can use "Digging horse"-Beijing Chi Heng Alliance Company produced a special for the Web page Trojan code detection of a system, can help solve the large amount of code, Web Trojans exist in various forms to check the difficult problem. System regularly upgraded can detect more than 1000 kinds of web Trojans, detection positioning is very accurate!

Common user protection: Ordinary users are concerned about the nature of how to prevent the "hanging horse" attack. Since antivirus software in front of the Web Trojan has become a "blind", and we can not perceive whether the site is "hanging horse." Under such circumstances, shall we not be trampled upon? We already know that the running principle of the Web Trojan makes use of the loophole of IE browser, so as long as we update the system patch in time can make the webpage trojan invalid. Turn on the system "Automatic Update" method: Right click on "My Computer", select "Properties", switch to the "Automatic Updates" tab, select the "Automatic (recommended)" can be.