How hackers plant a Trojan on your system (security related)

Source: Internet
Author: User
Many friends have heard of Trojan horse programs and assume they are mysterious and difficult, but in fact, now that Trojan software has become so intelligent, many hackers reach their goal with very little effort. Today the author takes the latest Trojan horse program, Black Hole 2004, and introduces its characteristics for network enthusiasts from four aspects: planting, use, hiding and prevention. One reminder: while using the Trojan, turn off the anti-virus firewall on your own system, because anti-virus software treats the Trojan as a virus and kills it.

Operation Steps:

First, planting the Trojan

The Trojans popular today basically use the C/S (client/server) structure. To control another person's computer with a Trojan, you first need to plant the server program on that computer and get it running, then run the client program on your local computer, connect to the other computer, and control it.

Second, using the Trojan

After the Trojan server has been implanted successfully, you need to wait patiently for the server to come online. Because Black Hole 2004 uses reverse-connection technology, the server automatically connects to the client once it is online, and from that point the client can be used to remotely control the server. In the list at the bottom of Black Hole 2004, choose a computer that is already online, then use the command buttons above it to control that computer. The meaning of these commands is briefly introduced below.

File management: once the server is online, the "File Management" command lets you download, create, rename and delete files on the server computer, among other operations. Files or folders can be dragged directly to the destination folder with the mouse, and resumable transfers are supported. Easy, huh?

Process management: view, refresh and close the other side's processes. If you find anti-virus software or a firewall, you can close the corresponding process to protect the server program.

Window management: manages the program windows on the server computer. You can maximize, minimize or normally close the other side's program windows, which is more flexible than process management. You can play a lot of pranks with it, such as maximizing and minimizing one of the other side's windows.

Video monitoring and voice monitoring: if the remote server computer has a USB camera installed, it can be used to capture images, which can be saved directly as MPEG files that any media player can play; if it has a microphone, you can hear their conversation. Horrifying?

Besides the features described above, there are also keyboard logging, restart and shutdown, remote uninstall, screen capture, password viewing and other functions. The operation is very simple. Understand? It's really easy to be a hacker.

Third, hiding the Trojan

As anti-virus software upgrades its virus database, a Trojan is soon killed by it. So that the Trojan server can escape anti-virus killing and stay hidden in someone else's computer for a long time, the Trojan provides hackers with several feasible methods.

1. The Trojan's own protection

As described in the server-generation steps later in this article, when Black Hole 2004 generates the server, the user can replace its icon, and the software automatically compresses the server with UPX to hide it.

2. Bundling the server

The user uses a file bundler to bind the Trojan server together with a normal file in order to deceive the other side. There are many file bundlers: File Bundle 2002, Universal File Bundle, ExeBinder, Exe Bundle and so on.

3. Making your own server

Although the methods mentioned above can hide from anti-virus software for a while, they ultimately cannot escape its killing. If an existing Trojan can be disguised so that anti-virus software cannot tell what it is, that is a method that addresses the root cause. You can add shell protection to the server with compression software for EXE and DLL files. For example, the UPX mentioned in point 1 is such a compressor, but the Trojan software applies it to the server with its own default settings, so the result is always the same and it is hard to evade anti-virus software for long; if you compress the server yourself, you can choose different options and produce different servers, which makes it difficult for anti-virus software to judge. Below I take Glacier as an example to briefly explain the unpacking (decompression) and packing (compression) process.

If we scan Glacier with anti-virus software, two viruses are found: one is Glacier's client, the other is its server. Using the software "PEiD" to check whether the author packed the server, we can see that the server has been compressed with UPX.
Now we need to unpack the software, which is a decompression process. Here I use "UpxUnpack": select the desired file and click "Decompress" to start unpacking.

After unpacking is complete, we need to add a new shell to the server. There is a lot of packing software, for example ASPack, ASProtect, UPXShell, Petite and so on. Taking "ASPack" as an example, click the "Open" button, select the server program that was just unpacked, and once the selection is complete ASPack automatically packs the server. Scanning this server with anti-virus software again, we find that it can no longer identify it. If your anti-virus software can still kill it, you can also use several packers to pack the server multiple times. After the author packed the server twice, with Petite and ASPack, none of the anti-virus products tried could scan it out. Many of the "XX edition" Glaciers now popular on the network were made by users modifying and re-packing the server in this way.
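As an added example from the defender's side (not from the original article or from any tool it names), here is a small Python script that reads the PE section headers of an executable and reports packer hints the way the article says PEiD revealed UPX on Glacier's server. The function build_pe constructs a header-only sample image so the script runs without a real binary; the section names it checks for are the ones UPX, ASPack and Petite are known to leave.

```python
import struct

# Section names left behind by common packers (the article mentions UPX,
# ASPack and Petite). Only a triage hint: an edited section table defeats it.
PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".petite": "Petite",
}

def pe_section_names(data):
    """Return the section names of a PE image, parsing only the headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sec_off = pe_off + 24 + opt_size                      # first section header
    names = []
    for i in range(n_sections):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]  # 8-byte Name field
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names

def packer_hints(data):
    """Names of packers whose characteristic section names appear in the image."""
    found = []
    for name in pe_section_names(data):
        packer = PACKER_SECTIONS.get(name)
        if packer and packer not in found:
            found.append(packer)
    return found

def build_pe(section_names):
    """Constructed header-only PE image for demonstration (not a runnable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, 0x60000020)
        for n in section_names)
    return dos + b"PE\0\0" + coff + sections

if __name__ == "__main__":
    print(packer_hints(build_pe(["UPX0", "UPX1", ".rsrc"])))
```

A hit is a reason to look closer in a sandbox, not proof of malice, and a packer run with renamed sections leaves no hint at all, which is consistent with the article's observation that a re-packed server evades signature scanning.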

To prevent unfamiliar Trojan users from running the server, popular Trojans do not provide a separate server program; instead the user generates the server from settings, and Black Hole 2004 is the same. First run Black Hole 2004 and click the "Function/Generate Server" command; the "Server Configuration" interface pops up. Because Black Hole 2004 uses the bounce technique (see "Small knowledge" at the end of this article), first click the "View" button next to it, set up a new domain name in the pop-up window, enter the domain name and password of the web space you prepared in advance, and click "Domain name registration"; the window below reflects the registration status. After the domain is registered successfully, return to the "Server Configuration" interface and fill in the domain name just requested, as well as "Online display name", "Registry startup name" and the other items. To confuse others, you can click the "Change server icon" button and select an icon for the server. When all settings are complete, click "Generate EXE Server" to generate the server. While generating the server, the software automatically compresses it with UPX, which protects the server.

After the server is built, the next step is to implant it into someone else's computer. Common methods include: invading the other person's computer through a system or software vulnerability and implanting the Trojan server there; sending the server as an e-mail attachment; or disguising the server as a file in your own shared folder so that, through peer-to-peer software (such as PP Dot Pass, Hundred Treasure and so on), users download and run the server program without any precaution.

Because this article is mainly aimed at ordinary network enthusiasts, the simpler e-mail attachment method is used for the explanation. For example, using the Flash animations everyone often sees: create a folder named "Good-looking animation", create a folder inside it named "animation.files", put the Trojan server in that folder (assume it is named "Abc.exe"), then create a Flash file in the folder. In frame 1 of the Flash file, enter the text "Your playback plugin is not complete, click the button below to install the plugin", create a new button component, drag it onto the stage, open the Action panel and enter the action on (press) { getURL("animation.files/Abc.exe"); }, which means the Abc file is executed when the button is clicked. Create a new web page file named "animation.htm" in the "Good-looking animation" folder and put the animation just made into the page. Do you see the trick? A web page you save usually consists of an .html file and a folder ending in .files, and we construct it this way to confuse the person who opens it; after all, few people look inside a .files folder. Now we can write a new e-mail, compress the "Good-looking animation" folder into one file, attach it to the e-mail, and write a tempting subject. As long as the other side is convinced to run it and reboots the system, the server is planted successfully.

Fourth, prevention

Prevention is more important than treatment. Before our computer is hit by a Trojan, we need to do a lot of necessary work, such as: install anti-virus software and a network firewall, keep the virus database and the system's security patches up to date, back up the files on the hard disk regularly, and do not run unknown software or open unknown mail.

Finally, I would like to remind everyone that besides its powerful remote control functions, a Trojan horse is also very destructive. We learn it only to understand its technology and methods, not for stealing passwords and other destructive acts. I hope everyone will take good care of themselves.

Small knowledge:

Bounce technology solves the problem that traditional remote control software cannot pass through firewalls or control computers on an intranet. The principle of bounce-port software is as follows: the client first logs in to the FTP server and edits a file on the home page space that was set up in the Trojan software earlier, then opens a listening port and waits for the server to connect; the server reads the contents of this file over HTTP at regular intervals, and when it finds that the client has told it to start, it actively connects, which completes the connection.

Therefore it can reach a LAN computer that accesses the Internet through a NAT (transparent proxy) gateway, and it can pass through firewalls. Contrary to traditional remote control software, the server of bounce-port software actively connects to the client, and the client's listening port is typically 80 (the port used for web browsing). So even if the user checks his ports at the command prompt with the "netstat -a" command, he only finds something like "TCP USERIP:3015 Controllerip:http established"; with a little carelessness he will think he is just browsing the web, and the firewall will think so too. Thus, contrary to general software, the server of bounce-port software actively connects to the client and easily breaks through the firewall's restrictions.
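Because the bounce-port server fetches the rendezvous file over HTTP on a fixed schedule, the regular polling is visible in the web space's access log even when the victim's netstat looks like ordinary browsing. The following Python script is an added example (not part of the original article) that groups GET requests per client and path and flags near-periodic fetches of one file; the log lines, IP addresses and file path are constructed for the demonstration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Common Log Format lines: 10.0.0.7 re-fetches the same file every
# 60 s, like a bounce-port server polling its file; 10.0.0.9 browses normally.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Mar/2004:10:00:00 +0800] "GET /home/ip.txt HTTP/1.1" 200 18
10.0.0.9 - - [12/Mar/2004:10:00:21 +0800] "GET /index.htm HTTP/1.1" 200 5120
10.0.0.7 - - [12/Mar/2004:10:01:00 +0800] "GET /home/ip.txt HTTP/1.1" 200 18
10.0.0.9 - - [12/Mar/2004:10:01:47 +0800] "GET /pics/1.jpg HTTP/1.1" 200 40210
10.0.0.7 - - [12/Mar/2004:10:02:00 +0800] "GET /home/ip.txt HTTP/1.1" 200 18
10.0.0.9 - - [12/Mar/2004:10:05:03 +0800] "GET /index.htm HTTP/1.1" 200 5120
10.0.0.7 - - [12/Mar/2004:10:03:00 +0800] "GET /home/ip.txt HTTP/1.1" 200 18
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*"')

def parse_log(text):
    """Yield (client_ip, timestamp, path) for each GET line in the log."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts, m.group(3)

def find_pollers(text, min_hits=4, max_jitter=0.2):
    """Return {(ip, path): mean_period_seconds} for clients that re-fetch one
    file on a near-fixed schedule: at least min_hits requests whose gaps vary
    by no more than max_jitter (standard deviation as a fraction of the mean)."""
    hits = defaultdict(list)
    for ip, ts, path in parse_log(text):
        hits[(ip, path)].append(ts)
    pollers = {}
    for key, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()                     # the log need not be in time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            pollers[key] = mean
    return pollers

if __name__ == "__main__":
    print(find_pollers(SAMPLE_LOG))
```

The same grouping works on a proxy log at the victim's side, where the article's "looks like web browsing" connection stands out as one host fetching one small file at a constant interval.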
