Detecting Trojans and their disguises

Source: Internet
Author: User

A Trojan generally consists of two parts: a client program and a server program. The client is used to control the remote computer; the server hides on the victim's computer, where it receives and executes the commands issued by the client. So when a hacker wants to control a remote computer over the network, the first step is to get the server program installed on it. To get users to run the Trojan, hackers disguise it in all sorts of ways. This disguise is what we call the Trojan's "painted skin". Ever since Trojans appeared, hackers have produced an endless stream of camouflage techniques to conceal them. So let's sharpen our eyes together, see through these painted-skin tricks, and keep these uninvited guests out.
Scheme 1: Icon disguise

Camouflage level: ★★★★

Windows represents each file type with a different icon, so users identify a file's type at a glance from its icon. To confuse users, hackers replace the Trojan server program's icon with the icon of some common file type; when the user runs it, the nightmare begins.

Example: The server installer of Black Hole 2001 uses a folder icon (Figure 1). When extensions of known file types are hidden, the file looks just like a folder, and when you curiously click it to see what is inside, Pandora's box opens.

Identification Method

When we run a file, we are used to double-clicking it, so that Windows first determines the file type, finds the associated program and then opens the file with it. A Trojan whose icon has been modified is therefore easily activated. In fact, a simple change of habit avoids this. For example, when we see a text file, do not double-click it; instead open Notepad first and then load the file through the "Open" command in the "File" menu. If garbled characters appear, there must be something wrong with that "text file".

Security expert comment: Changing the icon is the most basic camouflage method for a Trojan server, but by itself it is far from enough. Hackers combine it with a series of other disguises such as file renaming and file bundling to deceive users. Therefore, do not run files sent by others at will; be cautious even if they come from your friends.

Scheme 2: Name change

Camouflage level: ★★★

Icon modification is usually carried out together with renaming the file. Hackers give the file an attractive name, such as "beautiful sister", to lure users into running it. When the Trojan server runs, it also gives its process a name similar to that of a normal system process, so users are unlikely to suspect it and let their guard down.

Example: As shown in Figure 2, this is a Trojan server installer made by the author, which appears on the computer as "beautiful figure.BMP". If you open it as if it were an image file, the author's Trojan is installed on your computer.

Identification Method

First of all, be clear that no matter how a Trojan disguises its icon and file name, its suffix must be an executable extension such as EXE, COM or BAT; otherwise the Trojan cannot run its own code. Hackers therefore rely on Windows hiding the extensions of known file types, and give such a file an image-file icon, so that it becomes "a wolf in sheep's clothing". The remedy is to clear the "Hide extensions of known file types" option in the "Folder Options" dialog box. Specifically, open Explorer, choose Tools > Folder Options from the menu bar, and in the dialog that appears remove the tick from the "Hide extensions of known file types" check box; the Trojan's true extension is then exposed.
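A small check that applies the two points above (the suffix that actually runs is always executable, and the disguise is a data-type name or icon on top of program content, which Notepad shows as garbage in Scheme 1). This is an added example, not code from the article; the extension lists and magic-byte table are assumptions chosen for illustration, and the file names in the comments are constructed.

```python
import os

# Assumed lists for this example: extensions Windows runs on double-click,
# and data-file extensions with the magic bytes a genuine file should start with.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}
DATA_MAGIC = {
    ".bmp": b"BM",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".png": b"\x89PNG",
    ".txt": None,  # plain text has no fixed magic; only checked for an MZ header
}


def inspect(name: str, head: bytes) -> list[str]:
    """Return disguise indicators for a file, given its name and its first bytes.

    An empty list means these checks found nothing suspicious.
    """
    findings = []
    stem, ext = os.path.splitext(name.lower())
    padded = stem != stem.rstrip()   # constructed case: "photo.jpg        .exe"
    stem = stem.rstrip()
    inner_ext = os.path.splitext(stem)[1]
    if ext in EXECUTABLE_EXTS:
        # The suffix that really runs is executable; what does the name claim to be?
        if inner_ext in DATA_MAGIC:
            findings.append(f"double extension: looks like {inner_ext}, runs as {ext}")
        if padded:
            findings.append("real extension pushed out of view by whitespace padding")
    elif ext in DATA_MAGIC:
        # A data-type name on top of program content
        if head.startswith(b"MZ"):
            findings.append(f"{ext} file starts with an MZ (PE executable) header")
        magic = DATA_MAGIC[ext]
        if magic and not head.startswith(magic):
            findings.append(f"{ext} file lacks the expected magic bytes {magic!r}")
    return findings
```

Run it against names as returned by a directory listing, not as Explorer displays them, because Explorer drops the final extension when the hide option is on.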

Security expert comment: This method is often used when files are transferred with P2P programs. It is usually combined with icon disguise, which makes it hard for users to guard against. Therefore, it is best to scan any file obtained that way with anti-virus software.

Scheme 3: File bundling

Camouflage level: ★★★★★

File bundling uses a file binder to bundle the Trojan server with a normal file, so that the other party runs the bundled Trojan along with it. Bundled files are very deceptive. Moreover, Trojans generally run in the background and the user notices nothing unusual after clicking, so people are often infected without realising it.

Example: The file obtained by binding a Trojan program to an e-book (Figure 3) does no visible damage to the e-book: after clicking it, the user can still read the e-book's contents. This is what makes the method so deceptive.

Identification Method

Use a Trojan bundle detector such as Nemesis or FBFD to inspect suspicious executable files. If the file is bundled, the program shows a prompt along the lines of "This file may be bundled. Please use it with caution!". Besides detecting other programs hidden inside an executable, such a tool can also separate out the programs contained in the file.
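One indicator a bundle detector can use is data appended after the last section of the executable (an "overlay"), which is where a binder typically stores the second file. The following is an added example, not code from Nemesis, FBFD or the article: it parses the PE section table to measure any overlay, and builds a constructed minimal PE (a fixture, not a real program) to exercise the check.

```python
import struct

SECTION_HEADER_SIZE = 40


def pe_overlay_size(data: bytes) -> int:
    """Return the number of bytes appended after the last section of a PE file.

    0 means the file ends where its section table says it should; anything
    larger is an overlay. Raises ValueError if the data is not a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_opt
    end_of_image = table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each section header
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + i * SECTION_HEADER_SIZE + 16)
        end_of_image = max(end_of_image, ptr_raw + size_raw)
    return max(0, len(data) - end_of_image)


def build_sample_pe(code: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 with one section; a test fixture, not a runnable program."""
    e_lfanew, raw_ptr = 0x40, 0x200
    dos = b"MZ" + b"\0" * (e_lfanew - 6) + struct.pack("<I", e_lfanew)
    opt = bytearray(0xE0)                      # PE32 optional header, magic 0x10B
    struct.pack_into("<H", opt, 0, 0x10B)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", len(code), 0x1000, len(code), raw_ptr)
               + b"\0" * 16)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    return headers + b"\0" * (raw_ptr - len(headers)) + code + overlay
```

Many legitimate files also carry an overlay (Authenticode signature data and some installer formats live there), so treat a non-zero result as a reason to inspect the file, not as proof of bundling.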

Security expert comment: As network security awareness has increased, many hacker attack methods that worked in the past have been effectively curbed. File bundling, however, remains a favourite of hackers for spreading Trojan server programs. Therefore, you must stay vigilant when running executable files.

Scheme 4: Error display

Camouflage level: ★★★

The vast majority of Trojan servers show no graphical interface during installation, so if a program gives no response after being double-clicked, experienced users will suspect that it is a Trojan. To dispel such suspicion, hackers make the Trojan pop up an error dialog when it runs.

Example: Many of today's Trojans have a "show prompt after installation" option, for example the HDSPY Trojan. When configuring the server program, the hacker enters the desired text in the "prompt content" box, such as "The file is damaged and cannot be opened". After the user runs the server program, that text pops up.

Identification Method

If a file is a Trojan, the user will often see such an error message, so be alert whenever one appears. In that case, scan the system's ports to determine whether a Trojan is present; for example, use X-Scan to scan your own system. If a suspicious port is found, it is necessary to scan for and remove the Trojan behind it.

Security expert comment: Although this method could fool users in the early days, as people's security awareness improves it now often strikes them as "superfluous".

Scheme 5: Self-destruction

Camouflage level: ★★★

Most Trojans consist of just one file, and the installer is actually the Trojan server program itself. When you double-click a Trojan installer, it copies itself to the system directory or some other directory. So when an experienced user suspects that a program is a Trojan, they search the hard disk for the Trojan file based on the size of the installer. To deal with such users, some Trojans include a self-destruction function: after copying itself to the system directory or elsewhere, the installer deletes itself, leaving no trace.

Identification Method

Against this method you need to monitor the system registry in real time, using anti-virus software or a Trojan monitor that watches the system and registry promptly. Trojans generally leave traces in the system registry, and those clues let us find them.

Security expert comment: This method is mainly used when the Trojan is planted, for example through a web page Trojan or a remote overflow. Because the hacker exploits a web page Trojan or a remote overflow, the Trojan is implanted in the remote system without your knowledge. Since the remote user knows nothing about it, the Trojan's self-destruction function lets it leave "no shadow".

Scheme 6: The "wedding dress" on the web page

Camouflage level: ★★★★

A web page Trojan is one where the hacker exploits system and program vulnerabilities and tricks the user into browsing a specially crafted web page. While the user browses it, the web page Trojan exploits a system vulnerability and "quietly" installs the Trojan server program on the remote system.

Example: There are many ready-made tools for making web page Trojans; the "shark" web page Trojan generator is one of the best known. This generator exploits Microsoft's IE Help ActiveX control vulnerability to bypass the local security zone.

Identification Method

If, after you visit an unfamiliar web page, the computer's speed suddenly drops or it even freezes, it may be a web page Trojan. Before visiting an unfamiliar page you can use IE's "View > Source" command to look at the page's source code. If the source code contains
