Trojan Horse tutorial

Source: Internet
Author: Chen Yu
I. Introduction to Trojan Horses

The name comes from the legend of ancient Greece. The Greeks had besieged the city of Troy for years without success. They then built a huge wooden horse, hid soldiers inside it, pretended to withdraw their army and abandoned the horse outside Troy, so that the Trojans dragged it into the city as a trophy. That night, while the city celebrated its victory and let down its guard, the soldiers climbed out of the horse, joined up with the army that had returned from outside the walls, and took the city.

In computer security, a Trojan horse is a program that appears to perform (or really does perform) some useful function, but also contains hidden functionality that can take control of the user's computer and endanger its security: leaking or destroying data, or crashing the whole system. Trojans are often loosely grouped with computer viruses, although, unlike a virus, a Trojan does not copy itself into other programs.

Most users know little about computer security, so they have no idea whether a Trojan is installed on their machine, let alone how to remove it. Many new anti-virus products claim to remove Trojans automatically, but they cannot stop new ones (even when advertised as catching "unknown viruses"), and in practice the results are often poor: after some products "remove" a Trojan the system no longer works properly, or the Trojan's files cannot be found at all. I have tested a few well-known Trojans that had been slightly modified by programmers; the current anti-virus software did not even detect them during a scan, let alone remove them, even with an up-to-date virus database. The most important thing, therefore, is to understand how a Trojan works and to detect and remove it by hand. A Trojan hiding in the system is easily discovered manually once you know its hiding methods, and can then be deleted accordingly.
II. How Trojans Work

On Windows, a Trojan generally runs as a network service program in the background of the infected machine and listens on a specific port. Most use a high port number (above 5000, though some are below 5000). When the Trojan's client program connects to that port, a TCP connection is set up and the machine is then controlled remotely by the client.

Since it is a Trojan, it will not leave obvious traces. For a programmer the usual tricks are these: to keep the program off the taskbar, set the form's Visible property to False and its ShowInTaskBar property to False, and the running program will not appear in the taskbar; to keep it out of the task list (the Close Program dialog on Windows 9x), register it as a system service process (on Windows 9x the RegisterServiceProcess API does this), after which it is no longer listed there.

With this general picture of how a Trojan runs, let us look at where it hides. To run as a background network server it must start as soon as the computer boots and then stay resident in memory. So which programs does Windows run at startup? The first thing that comes to mind is Start -> Programs -> Startup. Yes, everything there runs when Windows starts, but a Trojan server that simply sat in plain view there would hardly deserve the name.

A Trojan almost always relies on the mechanisms Windows uses to load applications automatically at startup: win.ini, system.ini and the registry.

In win.ini, under the [windows] section, the lines run= and load= name programs that Windows loads automatically at startup, and a Trojan may appear there; look at them carefully. Normally nothing follows the equals sign. If you find a path and file name after either of them that you do not recognize, or a startup entry you have never seen before, your computer may be infected. Do look closely, because many Trojans use deliberately confusing file names to fool users: the AOL Trojan, for example, calls itself command.exe so that at a glance it passes for the system's own COMMAND.COM.

In system.ini, under the [boot] section, there is the line shell=Explorer.exe. That is the correct form. If the equals sign is followed not only by Explorer.exe but also by a second program name, then that second program is the Trojan and you are already infected. Because it is loaded together with Explorer.exe, it looks perfectly normal and is easy to overlook.

Trojans with good concealment all write themselves into the registry, because the registry is so large, with so many startup entries, that one more is easy to hide. The keys are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Every startup entry under these keys can be used by a Trojan. On Windows NT, also pay attention to what is under HKEY_LOCAL_MACHINE\Software\SAM: open that key with regedit or another registry editor, and it should show nothing.

Once the Trojan is resident on the computer, the attacker needs a client program to control it and carry out the actual "black" operations. For the client to talk to the Trojan server a connection (usually TCP) must be established, and these illegitimate network connections can be detected with the appropriate programs or tools. Part III shows how.

III. Trojan Detection

Knowing how a Trojan starts and runs, we can now check whether there is one on our own computer.

First check the startup entries in system.ini, win.ini and the Startup group. Choose Start -> Run, type msconfig, and the System Configuration Utility that ships with Windows 98 opens.

1. View the system.ini file

Select the System.ini tab and expand the [boot] item; the line shell=Explorer.exe should be shown there and nothing more. If it reads otherwise, a Trojan may be at work. As shown in the following figure:

2. View the win.ini file

Select the Win.ini tab, expand the [windows] item, and check the run= and load= lines. Normally nothing follows the equals sign.
3. View the Startup group

Check whether any entry on the Startup tab looks abnormal. If you see keywords such as netbus, netspy or bo, it is very likely a Trojan. I keep the Startup group fairly lean and disable entries I do not need or that serve no clear purpose.
4. View the registry

Choose Start -> Run, type regedit, and the Registry Editor opens. Expand HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and check whether its values include automatic startup entries you do not recognize, such as names containing netbus, netspy or netserver. Note that some Trojans give their server program a file name very close to one of the system's own files, hoping to be mistaken for it. The Acid Battery Trojan, for example, stores a value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that points to expiorer.exe in the Windows directory: only one letter separates the Trojan server from the real Explorer.exe!
Check the values of the following keys in the same way:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce


If the operating system is Windows NT, also look at the contents of HKEY_LOCAL_MACHINE\Software\SAM. Normally this key is empty; if there is an entry there, it is very likely a Trojan.

Of course the registry has many other places where a Trojan can hide; the keys above are simply the ones Trojans use most often. Keys such as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_USERS\****\Software\Microsoft\Windows\CurrentVersion\Run (where **** stands for the user's own subkey) may also hold a Trojan. The best approach is to find the Trojan's file name under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or one of the other keys, then search the whole registry (Edit -> Find) for that file name to learn how many hiding places it has.

Note also that every key in the registry has a value named (Default), whose data normally reads "(value not set)", i.e. empty. That is normal. If the (Default) value under one of these keys has been given data, it was most likely a Trojan that set it.
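The checks in steps 1 to 4 above (run= and load= in win.ini, what follows shell= in system.ini, the Run* keys, known Trojan names, one-letter look-alikes of system files, a (Default) value that has been set) can be run over exported copies of those files. The following Python script is an added example written for this page, not the author's tool; it parses win.ini and system.ini text and a regedit .reg export, and the three sample inputs at the bottom are constructed (the file names netbus.exe, server.exe, expiorer.exe and command.exe in them are made up for the demonstration). It reads exported text only and never touches the live registry.

```python
"""Startup-location audit for the Trojan signs described in parts II and III.
Added example, not the article's code: it reads text you export yourself
(win.ini, system.ini, a regedit .reg export); the sample inputs are constructed."""
import re

TROJAN_KEYWORDS = ("netbus", "netspy", "netserver", "bo")   # names the text lists
SYSTEM_BINARIES = (("explorer", ".exe"), ("command", ".com"))  # (stem, ext) Trojans mimic
# ...\CurrentVersion\Run, RunOnce, RunOnceEx, RunServices, RunServicesOnce
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once|onceex|services|servicesonce)?$", re.I)

def edit_distance(a, b):
    """Levenshtein distance; catches names one letter away from a system file."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_reasons(command):
    """Why a program reference matches the text's warning signs ([] = nothing seen)."""
    token = command.strip().strip('"').split()[0] if command.strip() else ""
    name = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()  # paths with spaces not handled
    stem, dot, ext = name.rpartition(".")
    stem, ext = (stem, "." + ext) if dot else (name, "")
    reasons = []
    for kw in TROJAN_KEYWORDS:
        if stem == kw or (len(kw) > 2 and kw in stem):   # 'bo' only as a whole name
            reasons.append(f"name contains Trojan keyword '{kw}'")
    for sys_stem, sys_ext in SYSTEM_BINARIES:
        if stem == sys_stem and ext != sys_ext:
            reasons.append(f"impersonates {sys_stem}{sys_ext} with extension {ext}")
        elif stem != sys_stem and edit_distance(stem, sys_stem) == 1:
            reasons.append(f"one letter away from {sys_stem}{sys_ext}")
    return reasons

def parse_ini(text):
    """{section: [(key, value), ...]} for win.ini / system.ini text."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def parse_reg(text):
    """{key path: [(value name, data), ...]} for a regedit export; '@' is (Default)."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # .reg files double every backslash inside string data
            keys[current].append((name.strip('"'), data.strip('"').replace("\\\\", "\\")))
    return keys

def audit(win_ini, system_ini, reg_export):
    """(location, program, reason) findings over the three startup sources."""
    findings = []
    for key, value in parse_ini(win_ini).get("windows", []):
        if key in ("run", "load") and value:             # normally nothing follows '='
            findings.append((f"win.ini {key}=", value, "entry is not empty"))
            findings += [(f"win.ini {key}=", value, r) for r in suspicious_reasons(value)]
    for key, value in parse_ini(system_ini).get("boot", []):
        if key == "shell":
            tokens = value.split()
            if [t.lower() for t in tokens[:1]] != ["explorer.exe"]:
                findings.append(("system.ini shell=", value, "shell is not Explorer.exe"))
            for extra in tokens[1:]:                      # loaded together with the shell
                findings.append(("system.ini shell=", extra, "extra program after Explorer.exe"))
    for path, values in parse_reg(reg_export).items():
        if RUN_KEY_RE.search(path):
            short = path.rsplit("\\", 1)[-1]
            for name, data in values:
                if name == "@":
                    findings.append((short, data, "(Default) value is set; normally unset"))
                findings += [(short, data, r) for r in suspicious_reasons(data)]
    return findings

# Constructed sample inputs; the file names are made up for the demonstration.
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\netbus.exe\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\server.exe\n"
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Explorer"="C:\\WINDOWS\\expiorer.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="C:\\WINDOWS\\SYSTEM\\command.exe"
"""

if __name__ == "__main__":
    for location, program, reason in audit(WIN_INI, SYSTEM_INI, REG_EXPORT):
        print(f"{location:20} {program:34} {reason}")
```

Export each Run* key from regedit, copy win.ini and system.ini out of the Windows directory, and pass their contents to audit(). The look-alike rule is deliberately narrow (a system file's exact stem with the wrong extension, or a stem one edit away from it) so that ordinary entries such as SysTray.Exe stay quiet; extend SYSTEM_BINARIES with whichever files you want guarded.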

5. Other Methods

Sometimes, while a computer is being used normally on the Internet, it suddenly slows down noticeably, the hard disk keeps reading and writing, the mouse stops responding, the keyboard goes dead, some of your windows close by themselves and new ones open for no reason... Any of these anomalies may mean that a Trojan client is remotely controlling your computer.

If you suspect that a Trojan is controlling you, do not immediately pull the network cable or unplug the telephone line from the modem. If possible, it is better to first catch the person who "hacked" you. Here is how:

Choose Start -> Run, type command, click OK, and an MS-DOS window opens (or open it with Start -> Programs -> MS-DOS Prompt). At the MS-DOS prompt type netstat to list the connections currently established with this computer, as shown in the figure. The output has four columns: Proto (the protocol), Local Address, Foreign Address and State. In the two address columns, the number after the colon is the port. If the local port is abnormal (for example above 5000) and the Foreign Address is not a site you normally browse, you can conclude that the remote computer shown under Foreign Address is spying on you; the IP address in that row is the address of the Trojan client connected to your machine. The reason "above 5000" works on Windows 9x and NT is that outgoing client connections, such as web browsing, are assigned local ports between 1025 and 5000, so a connection on a higher local port was not initiated by you. Later Windows versions draw these ephemeral ports from 49152 upward, so the threshold must be adjusted there.

When the network is idle, that is, no connection is currently active, netstat in the MS-DOS window shows nothing. In that case use netstat -a: the -a switch also lists the ports on which the computer is currently listening. On Windows 98 (with the NetBEUI protocol installed) the normal set of listening ports looks like this:
If an unknown port is in the LISTENING state
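The netstat triage described in this part, written out as an added example (not the author's code): the script parses the four-column output of netstat -a into rows, flags LISTENING ports that are not in a baseline recorded on the clean machine, and flags ESTABLISHED connections whose local port lies outside the Windows 9x/NT ephemeral range 1025-5000 and whose peer is not an address you were deliberately talking to; the foreign addresses of those connections are the Trojan client. The sample output, the baseline set and the known-peer address are all constructed for illustration, and the 1025-5000 range is the Windows 9x/NT default that must be changed for later versions. Run netstat -an so that ports appear as numbers rather than service names.

```python
"""netstat -a triage for the signs in part III: a LISTENING port outside your
baseline, or an ESTABLISHED connection to a non-ephemeral local port from an
unknown peer. Added example; the sample output is constructed in the column
layout Windows netstat prints (use netstat -an so ports are numeric)."""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_host local_port remote_host remote_port state")
# Proto, Local Address, Foreign Address, optional State (UDP rows have none).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")
# Client-side (ephemeral) ports on Windows 9x/NT (assumption: adjust for other
# versions). A local port outside this range on an ESTABLISHED connection means
# the other side connected *to* us.
EPHEMERAL = range(1025, 5001)

def _port(text):
    return int(text) if text.isdigit() else None     # '*' in UDP rows

def parse_netstat(output):
    """Connection rows from netstat text; header and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, lh, lp, rh, rp, state = m.groups()
            rows.append(Conn(proto, lh, _port(lp), rh, _port(rp), state or ""))
    return rows

def triage(rows, baseline_listen, known_peers):
    """(row, reason) alerts. baseline_listen: {(proto, port)} recorded on the clean
    machine; known_peers: addresses you were legitimately talking to."""
    alerts = []
    for c in rows:
        listening = c.state == "LISTENING" or (c.proto == "UDP" and c.remote_host == "*")
        if listening and (c.proto, c.local_port) not in baseline_listen:
            alerts.append((c, "unexpected listening port"))
        elif (c.state == "ESTABLISHED" and c.local_port not in EPHEMERAL
              and c.remote_host not in known_peers):
            alerts.append((c, "inbound connection from unknown host"))
    return alerts

def peer_addresses(alerts):
    """Foreign addresses of the flagged inbound connections: the Trojan client(s)."""
    return {c.remote_host for c, why in alerts if why == "inbound connection from unknown host"}

# Constructed sample: a Windows 98 box with NetBIOS over TCP/IP (137-139) and a
# Trojan listening on a made-up high port with an attacker connected to it.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:12345      0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1030       203.0.113.10:80        ESTABLISHED
  TCP    192.168.1.5:12345      198.51.100.7:1045      ESTABLISHED
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
"""
BASELINE_LISTEN = {("TCP", 139), ("UDP", 137), ("UDP", 138)}   # assumption: your clean baseline
KNOWN_PEERS = {"203.0.113.10"}                                   # the site you were browsing

if __name__ == "__main__":
    for c, why in triage(parse_netstat(SAMPLE), BASELINE_LISTEN, KNOWN_PEERS):
        print(f"{c.proto} {c.local_host}:{c.local_port} <- {c.remote_host}:{c.remote_port} {c.state}: {why}")
```

Record BASELINE_LISTEN from netstat -an on the machine while it is known clean, because a port alone says little: a legitimate connection on a web server's port 80 would trip the ephemeral-port rule just as a Trojan's listener does, which is why the peer list and the baseline are both needed.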
