Burn the Trojan Horse: a thorough guide to preventing Trojans

Source: Internet
Author: User
Tags: network function

"I think we should burn this thing." More than 3,000 years ago, facing the huge wooden horse the Greeks had suddenly left behind on the ruins of the battlefield, the young prince of Troy said this to his father, uneasy that an object appearing out of nowhere would bring bad luck. But nobody listened to him, and the whole army stubbornly hauled the giant thing back into the city as a trophy. A few days later, the Greek soldiers hidden inside the horse opened the impregnable gate of Troy, and so Troy fell. If Paris still has a soul, he may well be wondering: had I insisted on burning that ill-omened thing, what would Troy's fate have been?

Allow me to adapt a line from the writer Jiang Tang: "The network of the 21st century is a world where Trojans run rampant. After the war against viruses, mankind's greatest headache is the difficulty of attacking and defending against Trojans and backdoors."

As everyone knows, Trojans (Trojan horses, also called backdoors) are extremely dangerous programs: they open a door for unknown intruders and expose the victim's system and data to the chaotic online world. Like viruses, Trojans have evolved through several generations, becoming ever more hidden and turning into another parasite that is hard to remove.

-- What if we burn the Trojan horse as early as possible?

Understanding Trojans

In short, a Trojan is a remote-control program that lurks on the victim's computer and secretly opens one or more data transmission channels. It consists of two parts: the client (also called the control end) and the server. When we speak of the spread and infection of Trojans, we actually mean the server. An intruder must deliver the server program to the victim by one means or another for the Trojan to propagate. When the server is executed on the victim's computer, it copies itself into the system directory and adds its launch entry to an area that the system calls automatically at startup, so that it runs every time the system boots; this area is usually called a "startup item". After the Trojan completes this step, it enters its incubation period: it secretly opens a system port and waits for the intruder to connect. Up to this point, the Trojan horse is only at the stage of being dragged into the city by the citizens of Troy, and no destructive action has been carried out.

When the intruder uses the client to connect to the port opened by the Trojan server, the gate of Troy is opened. From here, the nightmare of Troy begins......

So, before the battle horn of the wooden horse sounded, if Paris had set fire to that giant in time, Troy might not have perished; at the very least, it would not have fallen to a wooden horse.

Keep the horse out of the city -- Trojan forms and the corresponding system protection in different periods

The premise of the Trojan-horse stratagem was that the wooden horse containing the Greek soldiers was carried into the city; that is what allowed the plan to succeed. If at the outset the horse had been left on the beach to rot and stink, or the ill-omened thing had simply been burned, the Trojan horse would have gone down in history as a famous but ineffective stratagem of the same nature as the Maginot Line, and later generations would never have used it again.

But the Greek horse succeeded, just as thousands of modern network Trojans have succeeded. The modern Greeks, the intruders, actively use every means to get their modern Trojan programs happily carried home.

In the early days, anti-virus thinking was not yet widespread. Internet users were relatively naive and only a handful used a network firewall, so intruders had an easy time: a simple bit of social engineering was enough to get the Trojan program to the other party and have it executed. In this period, Trojan planting (nowadays usually just called "Trojan horse") basically required no technique at all; perhaps the only skill needed was knowing how to configure and use a Trojan, because the Trojan was still a novelty then. Users could rely only on their own judgment and skill to keep Trojans out or get rid of them. So when Trojan technology got started in China, any IP range might have over 40% of its affected computers sitting with the door open, waiting for intruders. It is no exaggeration to say this was the first golden age of Trojans. The only fly in the ointment was that network speeds were too slow.

As time passed, Trojan technology matured, but users' security awareness also rose, and the concept of the virus firewall appeared in its early form. Intruders in this period had to master more advanced social engineering and early intrusion techniques to make their victims suffer. Although the Trojans of this period were more concealed, they still relied on the client connecting to the server. Thanks to the virus firewall, users became far more efficient at identifying and killing Trojans, and most people learned not to casually accept programs from strangers, so Trojans were no longer as rampant as in the previous period. But because virus firewalls were still new products, a fairly large number of people had not installed or used one, so many old Trojans could still run wild.

Later, with the arrival of network firewall technology and the maturing of virus firewall technology, Trojan authors were forced to keep pace with the anti-virus vendors and update their work, so that their horses would not be "martyred" too early. At the same time, network firewalls meant the computer and the network were no longer directly connected; in particular, the firewall policies of "intercepting external connection requests" and "reviewing internal programs' requests to access the network" caused most Trojans to fail. During this period Trojans gradually split into two factions. One still used the client to connect to the server, but switched to another transmission channel such as e-mail or FTP, or removed the network firewall from the inside so that it could pass unobstructed. The other reversed the idea of intrusion, changing "client connects to server" into "server connects to client"; combined with a little social engineering, this broke through the limits of the network firewall, and a new Trojan technology was born: the "rebound" (reverse-connection) Trojan. In this period the war between intruders and victims finally rose to the technical level: to protect yourself, besides installing a network firewall and a virus firewall, you also had to learn about network attack and defense. This "basic interaction" has continued into today's XP era.

In the XP era, network speed took a qualitative leap, and the hacker attack-and-defense war was increasingly fought in the open. As the system changed, an operating system built specifically for network applications was born, and with it came network-related defects. Yes, the weakness of WinXP compared with Win9x is that it has too many network vulnerabilities: whether it is a mail Trojan spread through the MIME vulnerability or a Trojan dropped through the LSASS overflow, all of them can take a bite out of an XP system. You may say that Win9x also has many vulnerabilities, so why do they not trouble it the way they trouble XP? Because the network functions of Win9x are so weak that almost no system component needs to run on the network! So now, besides wrapping ourselves tightly in a network firewall and a virus firewall, we have to visit Microsoft's system update site every few days to install the various vulnerability patches......

Don't let the soldiers out! -- Preventing Trojans from starting

After the Greek soldiers hidden in the horse entered the city, they did not rush out to slaughter; they waited until the dead of night before emerging to open the solid gate, sounding the death knell for Troy. Computers, however, have none of the geographic and temporal relations of human society. Even if your hard disk now holds 100 Trojans, they are no more dangerous than the big horse sitting on the beach, because for the operating system any harmful program that is not running is like a soldier who never attacks, and counts as harmless. For the system to turn into Troy on that dark night, the Trojan's server side has to start, and the simplest way to start a Trojan is to load and run it through a "startup item".

Every operating system automatically runs certain programs at startup to initialize the system environment or provide extra functions; programs allowed to run with system startup are placed in special areas that are loaded and executed while the system boots. These areas are the "startup items", and different systems provide different ones. Win9x provides at least five: Autoexec.bat and Config.sys in the DOS environment, the "Startup" program group in Windows, two Run keys in the registry, and one RunServices key, respectively:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

In the 2000/XP era the DOS environment was dropped, but a new startup area called "services" was added, and the registry gained two more "startup items" while the original ones stayed unchanged:

Item: key name

AppInit_DLLs: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Run: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

With so many startup entries, Trojans naturally do not miss them, which is why we often find strange program names in a computer's startup items. At that point only your own judgment or the virus firewall can tell them apart, since the system itself places some necessary initialization programs here, along with some normal tools, including the virus firewall and the network firewall, which must also start with the system through the startup items.

There is also a sneaky way to start with the system without using a startup item at all: "system path search-order spoofing". When Windows looks for a file given without path information, it follows an "outside-in" rule, searching progressively from the root of the system drive down to the system directory. This means that if two files with the same name exist in C:\ and C:\Windows, Windows executes the one in C:\ rather than the one in C:\Windows. This search logic gives intruders an opening: rename the Trojan to the name of a file that is called at system startup and copy it into a directory one or more levels above the original file, and Windows will take the Trojan for granted, and the system's nightmare begins. This trick is often played on internat.exe, because no path is set for it in any Windows startup item.

Users must stay alert to Trojans that run automatically by occupying startup items.
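As an added example (not from the article), here is a small Python review of a constructed `reg export` of the Run-type keys listed above: it flags entries that give no path at all, which is exactly what makes the internat.exe search-order trick possible, and entries that run from outside the usual program directories. The `.reg` sample and the TRUSTED_PREFIXES list are assumptions of this example.

```python
import re

# Constructed sample of a .reg export of the startup keys discussed above (made up).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="\"C:\\Program Files\\AV\\avguard.exe\" /silent"
"internat"="internat.exe"
"Updater"="C:\\Users\\Public\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\System32\\helper.dll"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Expected homes for startup programs: an assumption of this example, tune per machine.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_reg_export(text):
    """Map each [key] to a list of (value name, string data) with .reg escapes undone."""
    entries, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if (key := KEY_RE.match(line)):
            current = key.group(1)
            entries.setdefault(current, [])
        elif (val := VALUE_RE.match(line)) and current is not None:
            # .reg escapes backslash as \\ and quote as \"; drop the escaping backslash
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in val.groups())
            entries[current].append((name, data))
    return entries


def executable_of(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def review_startup_items(text):
    """Return (key, value name, reason) for entries that deserve a closer look."""
    findings = []
    for key, values in parse_reg_export(text).items():
        for name, data in values:
            exe = executable_of(data)
            if "\\" not in exe:  # bare name: located by the search order described above
                findings.append((key, name, "no path, open to search-order spoofing"))
            elif not exe.lower().startswith(TRUSTED_PREFIXES):
                findings.append((key, name, "runs from outside Windows/Program Files"))
    return findings
```

Run it against a real export with `review_startup_items(open("run_keys.reg", encoding="utf-16").read())`; `reg export` writes UTF-16 by default, and anything it flags is a candidate for the manual check the text describes.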
