Trojan Virus Analysis

First, Trojan Virus background introduction

A Trojan horse virus refers to a special function hidden in the normal program of malicious code, with the ability to destroy and delete files, send passwords, record keyboards and attacks, etc., can cause user system damage or even paralysis.

b) The first computer Trojan in 1986 years.

Second, the classification of Trojan virus

A) Trojan Virus for online games

b) Trojan virus for Online banking

c) Trojan Virus for Instant messaging tools

d) Trojan virus for computer back door

e) Promotion of advertising Trojan virus

Third, the development stage of Trojan virus

A) first-generation Trojan: Camouflage virus

This virus tricks the user into being fooled by masquerading as a legitimate program. The world's first computer Trojan is a pc-write Trojan that appears in the 1986 year , disguised as a shareware pc-write 2.72 version. at this time the first-generation Trojan does not have the characteristics of infection.

b) Second-generation Trojan Horse:AIDS Trojan

Since very few people used e-mails at the time, the AIDS authors were using real-life mail to spread: send someone a letter containing a Trojan horse floppy disk. The Trojan name comes from a floppy disk containing information about AIDS and HIV disease. The Trojan horse program in the floppy disk will not destroy the data after running, but will lock the hard disk encryption to death. Exasperating is that it will prompt the infected user to give the virus author some money to buy the decrypted password.

c) Third-generation Trojan: network-borne Trojan horse

New features:

Added backdoor functionality

The so-called backdoor is a program that can open access to a computer system secretly. Once it is installed,

These programs enable attackers to bypass security programs into the system. The purpose of this function is to collect the system

Important information, such as financial reports, passwords, and credit card numbers. In addition, attackers can also exploit

A backdoor control system that makes it an accomplice in attacking other computers. Because the back door is hidden behind the system

So it is difficult to detect. They do not attract attention by consuming memory like viruses and worms.

The keystroke logging feature has been added.

This function is mainly to record the user all keystrokes content. After a certain amount of time, the Trojan will send the log file of the keystroke record to the malicious user. A malicious user can find the user name, password, and credit card number.

d) fourth-generation Trojan horse

Fourth generation, in the process of hiding a lot of changes in the use of the kernel plug-in approach, the use of Remote insertion Threading technology, embedded DLL thread. or hook up psapi, realize the hidden Trojan program, even under the Windows nt/2000 , have achieved a good hiding effect. Gray pigeons and bee thieves are the more famous DLL Trojans .

e) Fifth-generation Trojan horse

Fifth generation, drive-level Trojans. Most of the driver-level Trojans use a lot of rootkit technology to achieve in-depth hidden effects, and deep into the kernel space, after infection for anti-virus software and network firewall attacks, can be the system SSDT initialization, resulting in the anti-virus firewall loss of effect. Some drive-level Trojans can residein the BIOS and are difficult to avira.

f) Sixth-generation Trojan horse

Sixth generation, with the rise of identity authentication Usbkey and anti-virus software active defense, army worms technology type and special anti-display technology type Trojan gradually began systematization. The former mainly to steal and tamper with user-sensitive information, the latter with dynamic password and hard certificate attacks. passcopy and Diablo Spider-Man is the representative of this kind of Trojan.

Iv. working methods of Trojan virus

Trojan virus is generally divided into the client (control side) and the server (the control side), the use of the control to the server to send the request, the server receives the request will be based on the request to perform the corresponding action, including:

A) View the file system, modify, delete, and retrieve files.

b) Review the system registry and modify the system settings.

c) intercepts the computer's screen and sends it to the control side.

d) Review the processes in the system to start and stop the program.

e) Control the operation of the computer's keyboard, mouse, or other hardware device.

f) Attack other computers in the network with this machine as a platform.

g) Download new virus files over the network.

h) by modifying the system to implement self-booting.

Five, the Trojan virus hidden way

A) Disguise yourself as a system file

Trojan viruses will find ways to disguise themselves as "humble" files or "regular" system files, and hide themselves in the system folder, and system files mixed together. For example, the server file named mircosoft.sys, the virus will deliberately reverse the order of a few letters or wrong, making it difficult for ordinary users to find, even if found to be Microsoft's own system program, so as to lose vigilance. There are some Trojan viruses will hide themselves in the taskbar and hide their own icons, opportunistic seizures, the general user is very difficult to notice.

b) Disguise the Trojan virus server as a system service

c) Load the Trojan horse program into the system file. Win.ini System.ini

d) Make full use of port hiding

e) hidden in the registry

f) Automatic backup

g) Trojan Horse program for other program bindings

h) "Wall-piercing" (using dynamic libraries to insert into normal programs, such as grey pigeons)

i) using remote threads to hide

j) hides itself by intercepting system function calls: The program interface that the system provides to the application when the system function is called. For example: file reading and writing, file search, process traversal, including anti-virus software, such as the Killing function need system call support.

K) Attack antivirus software

Related technologies: process insertion, process evaporation, anti-virus software shell

Vi. means of communication for Trojans

A) using the TCP Protocol, the server listens, and the client connects. The server opens a TCP port on the host machine and waits for the client to connect, and after authenticating the client, the client can control the server.

b) Use the TCP protocol. The client listens, and the server connects. The so-called reverse connection technology. In order to overcome the disadvantage that the service side listens at one end of the port, the server is now no longer listening for ports, but rather to connect the client at one end of listening.

c) using the UDP Protocol

d) Resolve Firewall issues

I. Code injection (process insertion)

Trojan Virus Analysis