Keep uninvited guests out: seeing through the disguises of Trojans

Source: Internet
Author: User

Trojans are generally divided into a client program and a server program. The client program is used to remotely control computers; the server program hides on the remote computer and receives and executes the commands issued by the client. Therefore, when a hacker wants to control a remote computer over the network, the first step is to implant the server program on that computer.

To get users to execute the Trojan, hackers disguise it in all sorts of ways; this disguise is what we call the Trojan's "painted skin". Ever since Trojans appeared, hackers have come up with an endless stream of camouflage techniques to hide them. So let's sharpen our eyes, see through these skin-painting tricks and keep these uninvited guests out.

Trick 1: icon disguise

Disguise level: ★★★★

In Windows, each file type is represented by a different icon, so you can tell a file's type at a glance from its icon. To confuse users, hackers replace the icon of the Trojan server program with a common file icon; when the user runs it, the nightmare begins.

Example: the server installer of Black Hole 2001 uses a folder icon (Figure 1). When the extensions of known file types are hidden, the file looks exactly like a folder; when you curiously click it to see what files are inside, Pandora's box opens.


Figure 1

Identification Method

When running a file, we are used to double-clicking it with the mouse. Windows then determines the file type, finds the associated program and opens the file with it, so a Trojan whose icon has been modified is easily activated this way. In fact, we only need to change this habit to avoid it. For example, when we see a text file, do not double-click it; instead, first open Notepad and then open the file through the "Open" command in the "File" menu. If garbled characters are displayed, the "text file" is certainly not what it claims to be.

Security expert comment: changing the icon is the most basic disguise for a Trojan server, but on its own it is far from enough, so hackers combine it with a series of other disguises such as file renaming and file bundling to deceive users. Therefore, do not casually execute files sent by others, and be cautious even when they come from friends.

Trick 2: name change

Disguise level: ★★★

Icon modification is usually combined with renaming the file. Hackers give the file an attractive name, such as "beautiful sister", to trick users into running it. Once the Trojan server is running, it also gives its process a name similar to that of a normal system process, so that users are lulled into not suspecting it.

Example: Figure 2 shows a Trojan server installer made by the author; on the computer it appears as "beautiful figure.bmp". If you open it as an image file, the author's Trojan is installed on your computer.

Figure 2

Identification Method

"Images", and then assign this file an image file icon. The file thus becomes "a wolf in sheep's clothing".

The setting this trick relies on is the "Hide extensions of known file types" option in the "Folder Options" dialog box. To turn it off, open Explorer, choose Tools > Folder Options from the menu bar, and in the Folder Options dialog box clear the "Hide extensions of known file types" check box; the Trojan's true extension is then exposed.

Security expert comment: this method is often used when files are shared through P2P programs. It is usually combined with icon disguise to keep users from becoming suspicious, so it is best to scan any file obtained from such sources with anti-virus software before using it.
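As an added example (not part of the original article), here is a small Python check for the two tricks above: it flags files whose real extension is hidden behind a decoy one, and files that carry a Windows PE header even though their extension says image or text. The extension lists and the sample directory it builds are assumptions constructed for this example.

```python
import os
import struct
import tempfile

# Windows hides these extensions when "Hide extensions of known file types"
# is on, so "beautiful sister.jpg.exe" is displayed as "beautiful sister.jpg".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".bmp", ".jpg", ".gif", ".txt", ".doc", ".mp3"}

def displayed_name(filename):
    """Name as Explorer shows it with known extensions hidden."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS else filename

def is_pe_executable(path):
    """True if the file has an MZ header whose e_lfanew points at a PE signature."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        f.seek(struct.unpack_from("<I", head, 0x3C)[0])
        return f.read(4) == b"PE\0\0"

def find_disguised(directory):
    """Return (filename, reason) for files that pose as images or documents
    but would run as Windows executables."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        stem, ext = os.path.splitext(name)
        if ext.lower() in EXECUTABLE_EXTS:
            if os.path.splitext(stem)[1].lower() in DECOY_EXTS:
                findings.append((name, "double extension, shown as %r" % displayed_name(name)))
        elif os.path.isfile(path) and is_pe_executable(path):
            findings.append((name, "PE executable with a %s extension" % ext))
    return findings

def build_sample_dir():
    """Constructed sample directory (no real malware): a minimal PE stub saved
    under an image name, a double-extension copy, and a harmless bitmap."""
    d = tempfile.mkdtemp()
    stub = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)          # e_lfanew -> 0x40
    stub += b"PE\0\0" + b"\0" * 20
    for fname, data in [("beautiful figure.bmp", stub), ("beautiful sister.jpg.exe", stub),
                        ("real picture.bmp", b"BM" + b"\0" * 60)]:
        with open(os.path.join(d, fname), "wb") as f:
            f.write(data)
    return d
```

Run `find_disguised(build_sample_dir())` to see both disguised files reported while the genuine bitmap passes.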

Trick 3: file bundling

Disguise level: ★★★★★

File bundling uses a file binder to bundle the Trojan server with a normal file, fooling the other party into running the bundled Trojan program. Bundled files are very deceptive; in addition, since Trojans generally run in the background, users notice nothing abnormal after clicking and are often infected without knowing it.

Trick 4: error display

Disguise level: ★★★

The vast majority of Trojan servers show no graphical interface at all during installation, so if a program does nothing visible after being double-clicked, experienced netizens will suspect that it is a Trojan. To dispel these concerns, hackers make the Trojan pop up an error dialog box when it runs.

Example: many of today's Trojans have a "show prompt after installation" option, for example the HDSPY Trojan. When configuring the server program, enter the desired message in the "prompt content" text box, such as "The file is damaged and cannot be opened." After the user runs the server program, the message set this way pops up.

Identification Method

If the file is a Trojan, the error message the user sees is usually fabricated, so be alert whenever an error message appears after running an unknown file. In that case, scan the system's ports to determine whether a Trojan is present; for example, you can use X-Scan to scan your own system. If a suspicious port is found, run a Trojan scan and clean the system accordingly.

Security expert comment: although this method fooled users in the early days, as people's security awareness has improved it often comes across as "drawing legs on a snake", an unnecessary touch that only raises suspicion.

Trick 5: self-destruction

Disguise level: ★★★

Most Trojans consist of a single file: the installer is itself the Trojan server program. When you double-click it, it copies itself to the system directory or some other directory. Therefore, if experienced netizens suspect that a program is a Trojan, they search the hard disk for files of the same size as the installer. To deal with such users, some Trojans have a self-destruction function: after copying itself to the system directory or elsewhere, the installer deletes itself, leaving nothing to trace.

Identification Method

Against this method, you need to monitor the system registry in real time, using anti-virus software that watches the system and the registry as changes happen. Trojans generally leave traces in the registry, and we can track them down from these clues.

Security expert comment: this method is mainly used in Trojan planting, for example through web page Trojans and remote overflows. Because hackers use a web page Trojan or a remote overflow to implant the Trojan into a remote system without the victim's knowledge, the remote user is unaware of it, and combined with the Trojan's self-destruction function the Trojan "vanishes without a shadow".
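Added example, not from the original article: a Python script that reads a Run-key export (the text format written by `reg export`) and flags autostart entries whose program name is one character away from a genuine system process name (the process-name mimicry from Trick 2) or which start from a temporary directory, the kind of registry trace the identification method above relies on. Both the list of imitated process names and the sample export are assumptions constructed for this example.

```python
import ntpath
import re

# Process names Trojans like to imitate (list assumed for this example).
SYSTEM_PROCESSES = {"svchost", "explorer", "lsass", "csrss", "winlogon", "services"}

# Constructed export of the Run key as "reg export" writes it; the entries are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Acme\\updater.exe"
"svch0st"="C:\\WINDOWS\\system32\\svch0st.exe"
"explore"="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\explore.exe\" -s"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

def edit_distance(a, b):
    """Levenshtein distance: one substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_run_entries(reg_text):
    """Yield (value_name, executable_path) from a .reg export of a Run key."""
    for m in re.finditer(r'^"([^"]+)"="(.*)"$', reg_text, re.M):
        value = re.sub(r"\\(.)", r"\1", m.group(2))     # undo \\ and \" escaping
        if value.startswith('"'):                        # quoted path, maybe arguments
            exe = value[1:].split('"', 1)[0]
        else:
            hit = re.match(r"(.*?\.exe)\b", value, re.I)
            exe = hit.group(1) if hit else value
        yield m.group(1), exe

def suspicious_autostarts(reg_text):
    """Map value names to reasons for entries that look like a self-copied Trojan."""
    findings = {}
    for name, exe in parse_run_entries(reg_text):
        stem = ntpath.splitext(ntpath.basename(exe))[0].lower()
        reasons = []
        if stem not in SYSTEM_PROCESSES:
            close = sorted(p for p in SYSTEM_PROCESSES if edit_distance(stem, p) == 1)
            if close:
                reasons.append("name imitates system process %s" % close[0])
        if "\\temp\\" in exe.lower():
            reasons.append("starts from a temporary directory")
        if reasons:
            findings[name] = reasons
    return findings
```

`suspicious_autostarts(SAMPLE_REG)` reports the "svch0st" and "explore" entries and leaves the legitimate ones alone; on a real machine, feed it the output of exporting the Run keys.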

Trick 6: web page Trojans

Disguise level: ★★★★

A web page Trojan is a special web page that a hacker tricks users into browsing. While the user is browsing, the web page Trojan exploits a vulnerability in the system or a program and so installs the Trojan server program "quietly" on the remote system.

Example: there are many ready-made tools for building web page Trojans; the Shark web page Trojan generator is a good example. This generator uses a vulnerability in Microsoft's IEHelp ActiveX control to bypass the local security zone.

Trick 7: email attachments

Disguise level: ★★

Sending files as email attachments is meant to be convenient for users, and hackers have taken a fancy to exactly this point. By forging emails from well-known companies or from the user's friends, hackers deceive users and spread the Trojan server program through the attachment.

Example: after attaching the Trojan to an email, the hacker generally adds a plausible-sounding message to gain the user's trust, for example: "This is the latest security patch for Windows. Please run it and restart the system."

Identification Method

Do not run an email attachment straight away; instead "save it as" a file in a folder, then scan that folder with anti-virus software. If any problem is found, delete it immediately.

Security expert comment: email attachments are the most common way of spreading Trojans and viruses, and inexperienced users are usually the ones taken in. However, because many email systems now have their own anti-virus scanning, this method is no longer as popular.
