I believe many of my friends have heard of the Trojan program and always think it is mysterious and difficult. But in fact, with the intelligence of the trojan software, many hackers can easily achieve the purpose of the attack. Today, I will introduce the characteristics of Trojans to network enthusiasts from four aspects: planting, using, hiding, and preventing using the latest Trojan program black hole 2004. We need to remind you that when using a trojan program, please first disable the virus firewall in the system, because anti-virus software will take the trojan as a virus for detection and removal.
Procedure:
I. Planting Trojans
Nowadays, the popular trojans on the network basically adopt the C/S structure (Client/Server ). To use a Trojan horse to control the other party's computer, first you need to plant and run the server program in the other party's computer, and then run the client program in the Local Computer to connect the other party's computer to control the other party's computer.
Ii. use Trojans
After successfully inserting a Trojan server into someone else, you need to wait patiently for the server to go online. Because black hole 2004 adopts the anti-connection technology, the server will automatically connect to the client after it is launched. In this case, we can control the client to remotely control the server. In the list under black hole 2004, select an online computer and click the command button above to control the computer. The following describes the meaning of these commands.
File Management: After the server is launched, you can use the "File Management" command to download, create, rename, and delete files on the server. You can drag and drop a file or folder to the target folder, and you can transfer the file or folder to a breakpoint. Simple?
Process Management: View, refresh, and shut down processes of the other Party. If any antivirus software or firewall is found, the corresponding processes can be shut down to protect the server programs.
Window Management: manages the program windows on the server. You can maximize, minimize, and close the programs in the other window. This is more flexible than process management. You can make a lot of pranks, such as maximizing and minimizing a certain window of the other party.
Video Monitoring and voice listening: If a USB camera is installed on the remote server, you can use it to obtain the image and save it as an Mpeg file that Media Play can Play directly; if the other party needs a microphone, they can still hear their conversation. What a terror do they have?
In addition to the functions described above, they also include key record, restart and shutdown, remote uninstallation, and screen capture and view passwords. The operations are very simple. Do you understand? It is easy to be a hacker.
3. Hide
With the upgrade of the antivirus software virus library, Trojan Horse will soon be scanned and killed by antivirus software. Therefore, in order to enable the Trojan server to launch antivirus software, Trojan horse will be hidden in others' computers for a long time, trojan provides several feasible methods for hackers.
1. Trojan Protection
As mentioned above, when black hole 2004 generates a server, you can change the icon and use the software UPX to automatically compress and hide the server.
2. Bind the server
You can use a file bundle to bundle the Trojan server with normal files to fool the other party. The file Bundle includes a wide range of file Bundle 2002, a universal file Bundle, exeBinder, Exe Bundle, and so on.
3. Make your own server
Although these methods mentioned above can bypass anti-virus software for a while, they still cannot escape anti-virus software detection and removal. Therefore, if you can disguise existing Trojans, the anti-virus software cannot identify them, it is a permanent solution. You can use the compression software to compress the EXE and DLL files to shell the server. For example, UPX in 1 is such a compression software, but by default the software compresses the server according to its own settings, so the results are the same, it is difficult to escape anti-virus software for a long time; if you compress the server, you can select different options to compress different servers, making it difficult for antivirus software to judge. Next I will take the glacier as an example to explain the process of shelling (decompression) and shelling (compression.
If we use anti-virus software to scan and kill glaciers, we will find two viruses: one is the glacier client and the other is the server. Use the software "PEiD" to check whether the software server has been shelled by the author. You can see that the server has been compressed using UPX.
Now, we need to shell the software, which is a process of decompression. Here, I used "UPXUnpack". After selecting the desired file, click "decompress" to start shelling.
After shelling, we need to add a new shell for the server. There are a lot of shell software, such as ASPack, ASProtect, UPXShell, and Petite. Take "ASPack" as an example. Click "open" and select the server program that has just been shelled. After the selection, ASPack automatically shells the server. Use anti-virus software to scan and kill the server and find that the server is no longer identifiable. If your anti-virus software can still be detected and killed, you can use multiple software to shell the Server Multiple times. After using Petite and ASPack to shell the server twice, I tried a variety of anti-virus software and did not scan it. Many of the popular XX glaciers on the Internet are made by modifying the server and re-shelling the server.
To prevent users who are not familiar with trojans from mistakenly running the server, all popular trojans do not provide separate server programs. Instead, they use their own settings to generate servers. This is also true for black hole 2004. First, run black hole 2004 and click the "function/generate server" command to bring up the "server configuration" interface. As black hole 2004 adopts the bounce technique (please join the TIPS), click the "View" button next to it and set a new domain name in the pop-up window, enter the domain name and password of the space you requested in advance, and click "domain name registration". The registration information is displayed in the following window. After the domain name is successfully registered, return to the "server configuration" interface, fill in the domain name you just applied for, and "online display name", "Registry Startup name" and other projects. To confuse others, click the "Change Server icon" button to select an icon for the server. After all the settings are complete, click "generate EXE server" to generate a server. When the server is generated, the software will automatically use UPX to compress the server, which provides hidden protection for the server.
After the server is generated, what is the next step to implant the server into another computer? Common methods are to intrude into others' computers through system or software vulnerabilities to implant the Trojan server into their computers, or send the server as an attachment to the other Party through Email; and put the server in its own shared folder after disguise, through P2P software (such as ppdian Tong, Baobao, etc.), so that users can download and run the server program without any precaution.
This article is intended for common network enthusiasts, so we will use simple Email hang to explain it to you. Then, create a flash file in the folder, and enter the text "your playback plug-in is incomplete, click the button below, and then click the OPEN button to install the plug-in" in the 1st frame of the flash file ", create a button component, drag it to the stage, open the action panel, and enter "on (press) {getURL (" animation. files/abc.exe ");}", indicating that abc is executed when you click this button. Create a new webpage file named "animated file .htm" in the animation folder, and place the animation you just created on the webpage. Do you see the portal? Normally, your website uses a. html file and a folder ending with. files. The reason for this construction is also to confuse the openers. After all, few will go through the. files folder. Now we can write a new email, compress the "nice-looking Animation" folder into a file, store it in the attachment of the email, and write another attractive topic. As long as the other party is sure to run it and restart the system, the server will be planted successfully.
Iii. Prevention
Prevention is more important than treatment. We need to do a lot of necessary work before our computer is ready, such as installing anti-virus software and network firewall; updating the virus database and system security patches in a timely manner; regularly back up files on the hard disk; do not run software with unknown origins or open emails with unknown origins.
At last, I would like to remind you that apart from powerful remote control functions, Trojans also include extremely destructive features. We learn about it only to understand its technology and methods, rather than using it for password theft and other destructive actions. We hope you can do it yourself.
TIPS:
Bounce technology solves the problem that traditional remote control software cannot access remote computers installed with firewalls and control the LAN. The principle of port bounce software is that the client first logs on to the FTP server, edits a file on the home page space pre-configured in the trojan software, and opens the port listening, waiting for the connection from the server, the server regularly uses the HTTP protocol to read the content of this file. When the client initiates a connection, the server actively connects to the file to complete the connection.
Therefore, on the Internet, you can access a computer that accesses the Internet through a NAT (transparent proxy) proxy in the LAN, and can pass through the firewall. In contrast to the traditional remote control software, the server of the bounce port software actively connects to the client. The listening port of the client is usually 80 (that is, the port used for Web browsing, even if you use the "netstat-a" command to check your port at the command prompt, it is similar to "TCP UserIP: 3015 ControllerIP: http ESTABLISHED, with a slight negligence, you will think that you are browsing the Web page, and the firewall will also think so. As a result, the server of the rebound port software actively connects to the client, which can easily break through the firewall restrictions.