Network Anti-Hacking: Trojans

Source: Internet
Author: User

A Trojan horse (hereinafter "Trojan") is called "Trojan horse" in English, and the name is taken from the Trojan horse of Greek mythology. It is a remotely controlled hacker tool, and among the many kinds of attacks hackers launch, Trojans play a leading role.

I. Hazards of Trojans
I believe Trojans are not unfamiliar to many netizens. A Trojan is a remote control tool that is simple to use and effective, which is why hackers favor it. Once a Trojan is installed on a computer, that computer becomes a puppet machine: the other party can upload and download files on your computer, peek at your private files, steal your various account names and passwords, and so on. Once a Trojan is installed, all your secrets are exposed to someone else. Privacy? It no longer exists!

Trojans are also an indispensable tool in hacker intrusions. On October 28 last year, a hacker broke into Microsoft's website in the United States, and some of the company's internal information was sent out by a Trojan named QAZ. That little QAZ cost the giant Microsoft a great deal of face!

Many netizens became familiar with Trojans through the domestic software Glacier. Glacier is free software developed by Huang Xin; after its release, its simple operation and powerful control capabilities sent a chill through users, to the point that the mere mention of "Glacier" made people turn pale.

II. Trojan principles
A Trojan follows the client/server model and is divided into two parts, a client and a server. One host provides the service (the server) and the other host receives the service (the client). The server host usually opens a default port and listens on it; when a client requests a connection to that port on the server, the corresponding program on the server runs automatically to respond to the client's request. This program is called the daemon. Taking the famous Trojan Glacier as an example, the controlled end is the server and the controlling end is the client: the server-side program G_Server.exe is the daemon process, and G_Client.exe is the client application.

To understand Trojans better, let's look at how they hide. The main hiding methods of Trojans are as follows:

1) Hiding from the taskbar
This is the most basic technique. If an inexplicable icon appears in the Windows taskbar, even a novice understands what is going on. In VB, setting the form's Visible property to False and ShowInTaskBar to False is enough to keep it off the taskbar.

2) Hiding from the Task Manager
The simplest way to view running processes is to press Ctrl+Alt+Del to bring up the Task Manager. If a Trojan can be seen running after pressing Ctrl+Alt+Del, it is certainly not a good Trojan. So Trojans do everything they can to disguise themselves so that they do not appear in the Task Manager; registering itself as a "system service" is enough for a Trojan to fool you. Therefore, trying to identify Trojans with Ctrl+Alt+Del is unrealistic.

3) Ports
A machine has 65536 ports. Do you pay attention to them? The Trojan pays attention to your ports. With a little attention it is not hard to notice that most Trojans use ports above 1024, and the trend is toward ever higher port numbers. Of course, some Trojans do occupy ports below 1024, but those ports are in common use and occupying them may cause system anomalies, so such Trojans are easily exposed. Perhaps you know the ports particular Trojans occupy and scan them often, but now every Trojan offers a port-changing feature. Do you have time to scan all 65536 ports?

4) Concealed loading methods
The ways Trojans get loaded are remarkable, but they all share one purpose: to run the Trojan's server program. If the Trojan were not disguised and told you outright "this is a Trojan", who would run it? As interaction on websites keeps advancing, more and more things can become transmission media for Trojans: JavaScript, VBScript, ActiveX, XML... Almost every new feature of the WWW leads to a rapid evolution of Trojans.

5) Trojan names
Naming the Trojan server program is also an art. If no change is made and the original name is kept, who would not recognize it as a Trojan? So Trojans take all sorts of strange names, but most are renamed to match a system file name, which is dangerous if you do not know the system files well enough. For example, if a Trojan is renamed window.exe, would you dare to delete it if nobody told you it was a Trojan? Another trick is to change the extension, such as dll to dl; if you do not look carefully, will you notice?

6) The latest stealth techniques
At present, besides the commonly used stealth techniques above, there is a newer and more concealed method: modifying a virtual device driver (VxD) or a dynamic link library (DLL). This method differs from the usual approach in that it largely abandons the original Trojan pattern of listening on a port and instead replaces a system function (by rewriting a VxD or DLL file). The Trojan swaps its modified DLL in for a DLL the system knows and filters all function calls: ordinary calls are forwarded directly to the replaced system DLL through a function forwarder, while under certain pre-agreed special conditions the DLL performs its own operations. In fact, such a Trojan only uses the DLL for listening; once it sees a connection request from the control end, it activates itself and binds to a process to carry out normal Trojan operations. The advantage is that no new files are added, no new ports need to be opened and no new processes exist, so it cannot be monitored by conventional means. During normal operation the Trojan shows almost no symptoms, but as soon as the control end sends specific information to the controlled end, the hidden program starts working immediately.
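As an added example (not code from the original article), the following Python script shows the defender's side of the port discussion above: it parses the text output of `netstat -an` as printed on Windows and reports every listening socket that is missing from a baseline taken from a known-clean snapshot of the same machine. The sample output, the baseline set and the 44444 listener are all constructed for this example. The check catches the classic port-listening Trojan; a Trojan using the DLL-replacement technique just described opens no port of its own and will not show up here, which is exactly why that technique is harder to catch.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -an` as printed on Windows. The 44444
# listener is a made-up entry standing in for an unknown daemon.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:44444          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       203.0.113.9:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Assumed baseline of (protocol, port) pairs this host is expected to have
# open, taken from a known-clean snapshot of the same machine.
EXPECTED_LISTENERS: Set[Tuple[str, int]] = {("TCP", 135), ("TCP", 139), ("UDP", 137)}

# proto, local address, local port, foreign address, optional state column
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text: str) -> Set[Tuple[str, int]]:
    """Return the (proto, port) pairs bound for incoming traffic.

    TCP sockets count only in LISTENING state; an established outgoing
    connection (like the port-1043 line) is a client, not a daemon.
    UDP has no state column, so every UDP socket counts as a listener.
    """
    listeners: Set[Tuple[str, int]] = set()
    for line in netstat_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # banner and column-header lines
        proto, _local, port, _remote, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.add((proto, int(port)))
    return listeners


def unexpected_listeners(netstat_text: str,
                         expected: Set[Tuple[str, int]]) -> List[Dict[str, object]]:
    """Listeners missing from the baseline, noting whether the port is above
    1024, the range the article says most Trojans use."""
    return [
        {"proto": proto, "port": port, "high_port": port > 1024}
        for proto, port in sorted(parse_listeners(netstat_text) - expected)
    ]


if __name__ == "__main__":
    for finding in unexpected_listeners(SAMPLE_NETSTAT, EXPECTED_LISTENERS):
        print(finding)
```

Run it against real output by replacing SAMPLE_NETSTAT with the captured text of `netstat -an`; because Trojans can change their port, the comparison is against your own baseline rather than against a list of "known Trojan ports".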

III. Trojan prevention tools
Firewall software and various anti-hacker tools can be used to build a line of defense against Trojans on the Internet, which makes surfing much safer.

There are many firewall products on the Internet; we recommend the Skynet Firewall Personal Edition, which is completely free. After a successful installation it appears as a shield icon minimized to the system tray on the taskbar, monitoring every move of hackers at all times; when a hacker intrudes, the software automatically raises an alarm and displays the attacker's IP address.

Double-click the shield icon and the Skynet console pops up. The console has five tabs: "General Settings", "Advanced Settings", "Security Settings", "Detection", and "About". Click the "General Settings" tab; the LAN security settings and Internet security settings panels are displayed, and you can drag the slider to set their security levels. We recommend "Medium" (all TCP port services are closed but UDP port services remain open; others cannot intrude through port vulnerabilities, almost all blue-screen attacks and information-leak problems are blocked, and the use of common network software is not affected).

Click "Advanced Settings" on the console to manually choose whether to disable "Network connection", "ICMP", "IGMP", "TCP listening", "UDP listening", and "NETBIOS". If someone tries to connect to your computer after you go online, Skynet Firewall automatically intercepts the attempt and raises an alarm; at the same time, the "Security Record" on the console lists the connecting party's IP address and protocol, the source port, the firewall's action, and the time of the attack.

The "Detection" and "About" tabs on the console mainly contain descriptions of security vulnerabilities, the firewall software's version number, registration number, and other information. If you are under attack and want to disconnect from the network immediately, click "Stop" on the console.

IV. Trojan detection and removal
Trojans can be detected and removed either automatically or manually. The simplest way to delete Trojans is to install anti-virus software (automatic); many current anti-virus products can remove the Trojans most rampant on the network. We recommend installing Kingsoft AntiVirus (Duba) or Security Star XP; both have real skill in Trojan detection and removal!

Because anti-virus software updates in most cases lag behind new Trojans, manual checking is also necessary. The method is:

1) Check the registry
Check whether the values under the key names beginning with "Run" beneath HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion contain any suspicious file names. If so, delete the corresponding value and then delete the corresponding program.

2) Check the Startup group
Trojans hidden in the Startup group are not very well concealed, but it is indeed a good place to be loaded and run automatically, so Trojans like to stay there. The folder corresponding to the Startup group is C:\windows\start menu\programs\startup; its location in the registry is HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Startup = "C:\windows\start menu\programs\startup". Check both locations frequently!

3) Win.ini and System.ini are also hiding places for Trojans
For example, in the [windows] section of Win.ini, under normal circumstances nothing follows load= and run=; if something does, look carefully at what it is. In the [boot] section of System.ini, the part after shell=Explorer.exe is also a good place to load a Trojan, so pay attention to it. When you see shell=Explorer.exe wind0ws.exe, treat the wind0ws.exe program as a Trojan server and check it out!

4) Check the files listed below; Trojans may be hidden there:
C:\windows\winstart.bat, C:\windows\wininit.ini, and Autoexec.bat.

5) If a program is started from an EXE file, run that program and check whether a Trojan has been loaded into memory and whether a port has been opened. If so, either the file itself starts the Trojan program or the Trojan has been bound into the file, so you will have to find another copy of the program and reinstall it.

6) There are also Trojans that start only under particular conditions.
So pay close attention to your ports and check the running programs; with this approach you can catch most Trojans.
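The manual checks above lend themselves to a script. The following Python code is an added example and not part of the original article: it parses constructed Win.ini and System.ini fragments, flags anything after load= and run= in [windows] and anything after shell=Explorer.exe in [boot], and compares Run-key values (supplied here as a constructed dictionary; on a real Windows 9x host they would be read from the registry paths named above with the winreg module) against an allow-list of expected program names. The names wind0ws.exe, window.exe, the "Helper" entry and the allow-list are constructed; G_Server.exe is the Glacier daemon name the article gives.

```python
import configparser
import ntpath
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str]  # (where it was found, the program named there)

# Constructed Win.ini / System.ini fragments in the shape the article describes.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\window.exe
"""

SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe wind0ws.exe
"""

# Constructed stand-in for the values read from the Run* keys under
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion and
# HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "SystemTray": "SysTray.Exe",
    "Helper": "C:\\WINDOWS\\SYSTEM\\G_Server.exe",
}

# Assumed allow-list of program file names (lower-case) expected in the Run
# keys on this host; build it from a known-clean machine.
BASELINE_RUN_PROGRAMS: Set[str] = {"systray.exe"}


def _parse_ini(text: str) -> configparser.ConfigParser:
    # No interpolation: ini values may legitimately contain '%'.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    return cfg


def check_win_ini(text: str) -> List[Finding]:
    """load= and run= in [windows] should be empty; report anything else."""
    cfg = _parse_ini(text)
    findings: List[Finding] = []
    if cfg.has_section("windows"):
        for key in ("load", "run"):
            value = cfg["windows"].get(key, "").strip()
            if value:
                findings.append((f"Win.ini [windows] {key}", value))
    return findings


def check_system_ini(text: str) -> List[Finding]:
    """shell= in [boot] should name only Explorer.exe; report extra programs."""
    cfg = _parse_ini(text)
    findings: List[Finding] = []
    if cfg.has_section("boot"):
        for program in cfg["boot"].get("shell", "").split():
            if program.lower() != "explorer.exe":
                findings.append(("System.ini [boot] shell", program))
    return findings


def check_run_values(values: Dict[str, str], baseline: Set[str]) -> List[Finding]:
    """Report Run-key entries whose program name is not in the baseline."""
    findings: List[Finding] = []
    for name, command in values.items():
        # First token is the program (assumes no spaces in the path, as with
        # Windows 9x short names); ntpath handles Windows paths on any OS.
        program = ntpath.basename(command.split()[0]).lower() if command.strip() else ""
        if program not in baseline:
            findings.append((f"Registry Run value '{name}'", command))
    return findings


def audit_startup(win_ini: str, system_ini: str, run_values: Dict[str, str],
                  baseline: Set[str]) -> List[Finding]:
    """Run all three checks and return the combined findings."""
    return (check_win_ini(win_ini) + check_system_ini(system_ini)
            + check_run_values(run_values, baseline))


if __name__ == "__main__":
    for where, what in audit_startup(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI,
                                     SAMPLE_RUN_VALUES, BASELINE_RUN_PROGRAMS):
        print(f"{where}: {what}")
```

The checks are deliberately allow-list based: because Trojans borrow system-like names such as window.exe, the question to ask is not "does this name look suspicious" but "was this entry present on the clean machine".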

As long as we improve our own skills, raise our awareness of network security, and keep Trojans at a distance, you may well become a master of Trojan detection and removal.
