Secrets of computer intrusion

Source: Internet
Author: User
Tags: windows, remote desktop

(1) What is a "zombie" computer?
A "zombie" computer (in Chinese slang a "meat chicken", which is why this article also speaks of "chickens") is simply a computer that someone else controls remotely. Once your computer is under another person's control it is like meat on their chopping board: they take whatever they like, and that is where the name comes from.
In general, any computer that an attacker has compromised through a Trojan, a system vulnerability or a backdoor and can control remotely is a "zombie".
(2) What is the "commercial value" of a "zombie" computer?
1. Stealing virtual property from the zombie, such as online-game accounts and equipment or QQ coins.
2. Stealing real assets from the zombie, such as online banking. Once your online-banking credentials are stolen, you may end up paying for someone else's purchases.
3. Stealing private data. Everyone remembers Edison Chen's photo-leak incident. If your ID card, private photos and personal files are posted online, or your identity is used as a cover for illegal activity, the consequences are very serious.
4. Stealing business information from the victim's computer, such as financial statements, personnel files and customer records, for illegal gain.
5. Implanting rogue software on the zombie that clicks advertisements automatically. With a large number of zombies an attacker can force advertisements to appear and collect fees from advertisers; this is one reason rogue software spreads.
6. Using the zombie as a stepping stone (proxy server) for attacks on other computers. Any hacking activity can leave traces, so to hide better the attacker routes through several proxy hops; the zombie acts as the intermediary and takes the blame.
7. Attackers who control large numbers of zombies launch DDoS attacks on a target host for profit; the zombies are the machines that actually send the attack traffic.
In addition, zombies are traded in attacker circles as cheaply as cabbages. At the top of the black-market chain, those who control large zombie networks can build a "Trojan empire" for all kinds of profit-making. In short, zombies are how attackers get rich.

Knowledge: What is DDoS?
DDoS stands for Distributed Denial of Service. An attacker who controls many zombies can combine their bandwidth and direct the aggregate traffic at a chosen target; once that traffic exceeds what the target can handle, nobody else can reach it, which is as good as taking it down. That is a DDoS attack.

Secret No. 2: Telling whether you have been intruded

Practice: Watch for 7 abnormal system symptoms
Symptom 1: The mouse stops obeying you. It moves and clicks buttons on its own while you are not touching it, and its path looks nothing like the occasional drift of an optical mouse.
Symptom 2: An unexplained dialog box or IE window pops up while the system is running or booting, then closes itself almost immediately.
Symptom 3: Logging in to QQ or MSN behaves oddly. QQ reports that the last login came from an IP address that has nothing to do with you; for example, you live in Beijing but the last login was from Guangzhou (see figure 1). On MSN a friend asks about a message you just sent, although you are certain you never sent that friend anything.

Symptom 4: After logging in to an online game you find equipment missing or items not where you left them when you last logged out, or your correct password no longer works. Clearly someone else logged in as you while you were away.
Symptom 5: While you are browsing normally the system suddenly becomes sluggish and the hard-disk light flashes continuously, as if files were being copied. An attacker may be copying your files: copying many files greatly increases disk reads and writes and slows the system down. At this point unplug the network cable without hesitation and immediately check your processes for anything abnormal.
Symptom 6: When you go to use the camera the system reports that the device is already in use: an attacker is using it. Because Windows gives no indication when the camera starts and its working state is invisible, cover a built-in laptop camera when you are not using it, or unplug an external USB camera; then the attacker has nothing to see.
Symptom 7: With no network activity on your side, the NIC light flashes constantly. Double-click "Local Area Connection" in "Network Connections" to view its status: the little computer icon keeps blinking and the bytes-sent counter climbs rapidly.

(2) Find a few good helpers for "zombie" testing
Judging by superficial symptoms alone is not very reliable. However, no matter how an attacker controls a zombie, the computer has to communicate with the outside world and some port has to send data out, so we can use common software to observe the network activity.

Practice 1: Use the firewall to find the black hand eating your bandwidth
Network firewalls (such as Skynet, the Kingsoft firewall, Comodo and so on) generally include a network-monitoring function; we can use it to view network traffic and suspicious connections and confirm whether the machine is a zombie. The author uses the Kingsoft firewall as the example.
First, double-click the software icon in the system tray to open the main window. On the "Security Status" page, check the "Current Network Activity" list for unfamiliar programs, then watch the current traffic: if "Sent" climbs quickly, be on your guard (see figure 2). Finally, switch to the "Network Status" page and examine the connections carefully. If software you are not using is connected to a remote computer, your machine has probably been compromised.

The Kingsoft firewall is normally bundled with the Kingsoft Antivirus (Duba) package, which is

Practice 2: Who opened the backdoor? Let tcpview show you!
Remote intruders usually open specific ports on the zombie in advance; those ports either wait for the controller to connect or connect out to a remote server on their own. Naturally, once we close those ports the intruder loses control. So how do we see which ports the PC currently has open?
Tcpview is a tool for viewing ports and their owning processes, and it lists in detail every port the system has opened. In the tcpview window each row is one open port, with the local and remote endpoint details. When data passes over a port, tcpview highlights the row in colour. Some programs with open ports have the same name as a system program but are not system programs: double-click a port you find suspicious to open its properties and check whether the "Path" of the program owning the port is where it should be. If something is wrong, click "End Process" to kill it.
★ The netstat command is only available once the TCP/IP protocol is installed.
★ Under "State", LISTENING means the port is open and waiting for a connection but not yet connected; ESTABLISHED means a connection is in progress; TIME_WAIT means the port was used and the connection has finished.
Knowledge: What is a port?
A port is an entry and exit point for communication between the computer and the outside world. If the IP address of a computer on the Internet is its street address, then ports are the doors through which the household talks to the outside. Under TCP/IP a computer may have 256 × 256 (65536) ports, each one a door, and the PC communicates with the outside world through these specific "doors".
Practice 3: Use the built-in command line to view open ports (Windows 2000/XP/Vista/7)
Windows provides the "netstat" command to display current TCP/IP network connections. Enter "cmd" in "Run", type "netstat -an" in the command window that opens and press Enter; the window lists the ports the system has opened and the connection information.
With no network activity of your own, every port should show LISTENING. If you find many ports in the ESTABLISHED state, you had better check the system with anti-virus software or another security tool.
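Practice 2 and Practice 3 both come down to reading the same connection table. The following script is an added example, not from the article: it parses the output of `netstat -ano` (the `-o` switch adds the owning process ID column) and applies the rules above: count LISTENING versus ESTABLISHED, flag ESTABLISHED connections to non-loopback hosts whose PID you do not recognise, and flag a listener on port 3389. The sample output and the "known" PID 2210 are constructed.

```python
"""Triage of `netstat -ano` output.

Added example, not from the article. Parses the Windows netstat table,
counts TCP states and flags what deserves a closer look: ESTABLISHED
connections to non-loopback hosts owned by PIDs you do not recognise, and
listeners on watched ports (3389, Remote Desktop, per the article).
The sample output below is constructed, not captured from a real machine.
"""
from collections import Counter

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.10:49218     203.0.113.7:8080       ESTABLISHED     3412
  TCP    192.168.1.10:49301     93.184.216.34:443      ESTABLISHED     2210
  TCP    127.0.0.1:49152        127.0.0.1:49153        TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    1840
"""

WATCHED_LISTEN_PORTS = {3389}  # ports the article says to watch for


def split_endpoint(endpoint):
    """'192.168.1.10:49218' -> ('192.168.1.10', 49218); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts, skipping headers and blank lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        state = fields[3] if proto == "TCP" else ""  # UDP rows have no State column
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        entries.append({"proto": proto, "local_host": lhost, "local_port": lport,
                        "remote_host": rhost, "remote_port": rport,
                        "state": state, "pid": int(fields[-1])})
    return entries


def state_counts(entries):
    """Counter of TCP states, e.g. {'LISTENING': 2, 'ESTABLISHED': 2, ...}."""
    return Counter(e["state"] for e in entries if e["proto"] == "TCP")


def is_loopback(host):
    return host.startswith("127.") or host.strip("[]") == "::1"


def find_suspicious(entries, known_pids=frozenset()):
    """Return (reason, entry) pairs for rows worth investigating by PID."""
    findings = []
    for e in entries:
        if (e["state"] == "ESTABLISHED" and not is_loopback(e["remote_host"])
                and e["pid"] not in known_pids):
            findings.append(("ESTABLISHED connection from unrecognised PID", e))
        if e["state"] == "LISTENING" and e["local_port"] in WATCHED_LISTEN_PORTS:
            findings.append(("watched port is LISTENING", e))
    return findings


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(dict(state_counts(rows)))
    # PID 2210 is assumed to be the browser the user is knowingly running.
    for reason, e in find_suspicious(rows, known_pids={2210}):
        print(f"{reason}: {e['proto']} {e['local_host']}:{e['local_port']} -> "
              f"{e['remote_host']}:{e['remote_port']} PID {e['pid']}")
```

Run it against real output by replacing SAMPLE_NETSTAT with the text of `netstat -ano`; the PIDs it reports are then looked up in Task Manager or tcpview, which is where the article's path check comes in.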
Practice 4: Use "Resource Monitor" to find the culprit behind a flashing hard disk (Windows Vista/7)
Everyone has seen the hard-disk light flash for no obvious reason and wondered who is behind it: the anti-virus software, QQ, or something reading and writing the disk that should not be? Windows Vista and Windows 7 include a "Resource Monitor" tool that makes it easy to find out. Take the Windows 7 "Resource Monitor" as the example.
Press Ctrl + Shift + Esc to open "Task Manager", then click "Resource Monitor" on the "Performance" tab. The "Resource Monitor" window shows the usage of CPU, memory, disk, network and other hardware. To see which program is reading and writing the hard disk, switch to the "Disk" tab and look at the read and write rate of each process.
Normally, when you are not using the computer, nothing apart from "System" and the anti-virus processes reads or writes the disk frequently. If some unexplained process is reading or writing the disk heavily, it is probably a virus or Trojan.
TIPS: Use Resource Monitor to find the files an intruder left behind
If the "Disk" section of "Resource Monitor" shows a suspicious process, tick it; under "Disk Activity" you can see which files that process reads and writes. If the process is a virus or Trojan, this quickly reveals the files it writes, so you can delete them.
(3) Determine whether a process is safe
A process is a program running in memory. Once Windows has started there are 30 ~ 40 processes in memory (fewer on XP, more on Vista and Windows 7), and they may include system services, applications, malicious programs and Trojan control programs.
Practice 1: Make good use of the system's own process manager
There are many ways to view the processes running on the system; the built-in "Task Manager" is the simplest and most convenient: press Ctrl + Shift + Esc to open it and click the "Processes" tab to see the list of running processes.
Two basic rules apply when judging a process: first, check the process file name carefully; second, check its path. After startup the usual set of processes is fairly fixed. A problem process often masquerades as a system process (with a name identical or similar to a real one), and then the file path is what tells the two apart.
Supplement:
Whether a process is a problem is in most cases a matter of experience. Less experienced readers can use search engines or the related knowledge bases to decide, for example:
Process knowledge base: Http://
System process information library: Http://
Practice 2: Find a good helper for managing processes
The system's built-in "Task Manager" is fairly basic and may miss processes that are deliberately hidden, so we can use a professional process management tool such as Process Explorer (Http:// #).
Process Explorer separates processes into two categories, system processes and ordinary processes, and marks them in different colours. Processes such as svchost.exe, winlogon.exe and spoolsv.exe are system processes and run under the SYSTEM, LOCAL SERVICE or NETWORK SERVICE accounts; a process with one of those names that runs under any other user name must be a virus or Trojan in disguise.
By default Process Explorer does not show the user name of each process. Select "View > Select Columns" and tick "User Name" in the dialog that appears to display it.
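To turn the three checks above (name, path, user name) into something repeatable, here is an added example that is not from the article or from Process Explorer; it audits a constructed process snapshot with those same rules. The table of system process names, their expected directory and the one-edit look-alike threshold are the example's own assumptions; in practice the snapshot would come from the Name, Path and User Name columns of Process Explorer.

```python
"""Process-list sanity check.

Added example, not from the article or from Process Explorer. Applies the
rules above: well-known system process names must live in their expected
directory and run under a service account, and a name one character away
from a system name (svch0st.exe) is a look-alike. The snapshot is
constructed.
"""
import ntpath

SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# System process names named in the article plus a few others, with the
# directory the genuine binary lives in (assumed default install path).
SYSTEM_PROCESSES = {
    "svchost.exe": r"C:\Windows\System32",
    "winlogon.exe": r"C:\Windows\System32",
    "spoolsv.exe": r"C:\Windows\System32",
    "lsass.exe": r"C:\Windows\System32",
    "csrss.exe": r"C:\Windows\System32",
}

# Constructed snapshot: (pid, name, image path, user name).
SNAPSHOT = [
    (512, "svchost.exe", r"C:\Windows\System32\svchost.exe", "NT AUTHORITY\\SYSTEM"),
    (2210, "svchost.exe", r"C:\Users\Bob\AppData\Roaming\svchost.exe", "PC\\Bob"),
    (3412, "svch0st.exe", r"C:\Windows\System32\svch0st.exe", "NT AUTHORITY\\SYSTEM"),
    (1760, "explorer.exe", r"C:\Windows\explorer.exe", "PC\\Bob"),
    (640, "winlogon.exe", r"C:\Windows\System32\winlogon.exe", "PC\\Bob"),
]


def edit_distance(a, b):
    """Levenshtein distance; 1 means one character inserted, dropped or swapped."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_process(name, path, user):
    """Return the reasons a process looks wrong (empty list when it looks fine)."""
    reasons = []
    lname = name.lower()
    expected_dir = SYSTEM_PROCESSES.get(lname)
    if expected_dir is not None:
        # Rule 2: a genuine system binary lives in its system directory.
        if ntpath.dirname(path).lower() != expected_dir.lower():
            reasons.append(f"{name} running from {ntpath.dirname(path)} instead of {expected_dir}")
        # Rule 3: genuine system processes run as a service account.
        if user.upper() not in SERVICE_ACCOUNTS:
            reasons.append(f"{name} running as {user}, not a service account")
    else:
        # Rule 1: a name one edit away from a system name is a look-alike.
        for sysname in SYSTEM_PROCESSES:
            if edit_distance(lname, sysname) <= 1:
                reasons.append(f"{name} looks like {sysname}")
                break
    return reasons


def audit(snapshot):
    """Map pid -> reasons for every process that fails a rule."""
    return {pid: r for pid, name, path, user in snapshot
            if (r := check_process(name, path, user))}


if __name__ == "__main__":
    for pid, reasons in audit(SNAPSHOT).items():
        print(pid, "; ".join(reasons))
```

The look-alike rule deliberately ignores exact matches, which the path and user-name rules already cover; a legitimate name within one edit of a system name would need to be whitelisted.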
Practice 3: Give processes and DLL files a "security certification"
Because processes reveal whether the system has a security problem, some anti-virus software offers a "security certification" function for exactly this purpose: if a running process is questionable, the software marks it and can even pick out the suspicious processes for you. The author uses Kingsoft Antivirus (Duba) 2009 as the example.
First, open the main window of Kingsoft Antivirus 2009 and click the "Process Manager" tool on the "Toolbox" page (or right-click the system taskbar and choose "Kingsoft Antivirus Process Manager"). The "Process Manager" window shows the current system processes much like the system's "Task Manager".
Unlike the built-in manager, however, "Process Manager" performs "trust certification" on every process, so you can see at once whether anything suspicious is running. If there is, click the "Find risky processes" button, let "Process Manager" locate the suspicious process, select it and click "End Process".
In addition, a process rarely stands alone: it loads many DLL files. To check for suspicious DLLs, tick "Show DLLs loaded into the process"; if one looks suspicious, right-click it, choose "Locate file" from the pop-up menu to find the DLL file and delete it.
Secret No. 3: Prevention

To log on to a remote "zombie", an attacker needs three things: the remote computer's IP address, a user name and the password. Attackers therefore look for ways to gain control of the target computer, and there are two general methods: infecting it with a virus or Trojan, or port and vulnerability scanning.
The first method is relatively simple, but the attacker is comparatively passive; with the second the attacker takes the initiative. In other words, a computer with no virus infection can still become a zombie. So if you do not want your computer to become a zombie, remember the following points:
Key Aspect 1: Install anti-virus software, check at any time that it is working properly, and update the virus database promptly.
Implanting Trojans or targeted viruses is the most common way intruders get in, so anti-virus software is essential and the most basic protection. Of course anti-virus software is not all-powerful, but it reduces the risk of becoming a zombie.
In fact, intruders hate anti-virus software: many Trojans and viruses, once inside the system, first try to destroy it. So check that your anti-virus software is running properly and can still update normally. Viruses and Trojans change constantly, which is why updating the virus database promptly matters.
There are many anti-virus products to choose from, such as Kingsoft Antivirus (Duba) and Rising in China, or Norton, Kaspersky and McAfee abroad. None of them is all-powerful; each has strengths and weaknesses. Choose according to your own preference: if you find it easy to use, it is good software.
Key Aspect 2: Install a network firewall and make sure it works properly.
For an Internet user, the network firewall is the gateway that separates you from the outside world. Correctly enabling and configuring it reduces the chance that you face an attack directly. When your system has unpatched vulnerabilities, the network firewall may be the only thing protecting your computer.
Note that the Windows built-in firewall is fairly basic: until it is configured, it only intercepts traffic coming from the outside in (from the Internet to the local machine) and does not block outbound connections, so most Trojans and control software easily escape its monitoring. Installing a third-party firewall is therefore necessary.
The firewalls meant here are software firewalls rather than hardware ones. There are many kinds, and the right product depends on your network environment, but I do not recommend a single-function product; choose a firewall with a complete feature set.
Besides monitoring Internet and LAN access, such a firewall can monitor risky system behaviour such as changes to system settings, modification or deletion of system files and registry changes. Many third-party firewalls also automatically close unused ports to frustrate scanning by others.
Practice 1: Cut off the LAN black hand that disconnects you for no reason
Many Trojans and viruses now carry ARP spoofing. Once a computer on the LAN is infected, it floods the gateway with packets as soon as it starts up, choking LAN communication and knocking the network offline. Ordinary firewalls cannot monitor this kind of spoofing attack; a dedicated ARP firewall is needed to protect the gateway.
Many security packages include an ARP firewall, for example the Kingsoft Antivirus ARP firewall and 360 Security Guard. The author takes 360 Security Guard (Http:// as the example; set up anti-spoofing protection for the gateway as follows:
Open the main window of 360 Security Guard, click "Real-time Protection" and set "ARP firewall" on the "Real-time Protection" tab to "Enabled". After a restart the ARP firewall of 360 Security Guard is running. Then go to the "Advanced Settings > ARP firewall" page of "360 Real-time Protection", choose "Manual settings" under "Gateway and DNS protection settings", click "Add protected gateway IP/MAC", click "Add gateway" in the window that appears, enter the gateway IP address of your LAN, click "Get automatically" and then OK to finish.
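What the "add protected gateway IP/MAC" step amounts to is pinning the gateway's hardware address. The script below is an added example, not part of the article and not 360 Security Guard's code: it parses two constructed `arp -a` snapshots, compares the gateway entry against a pinned MAC, and reports any MAC that answers for several IPs, which is the footprint ARP spoofing leaves in the local ARP table. The gateway IP, the pinned MAC and both snapshots are constructed.

```python
"""Gateway ARP monitor.

Added example, not part of the article and not how 360 Security Guard is
implemented. Pins the gateway's MAC and checks successive `arp -a`
snapshots for a changed gateway entry or one MAC claiming several IPs.
Both snapshots are constructed.
"""
import re

ARP_BEFORE = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.37          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Same LAN after host 192.168.1.37 starts answering for the gateway's IP.
ARP_AFTER = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.37          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

GATEWAY_IP = "192.168.1.1"
PINNED_GATEWAY_MAC = "00-11-22-33-44-55"  # recorded on a known-clean day

ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE)


def parse_arp(text):
    """Map IP -> MAC (lower-cased) from Windows `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_gateway(table, gateway_ip, pinned_mac):
    """Alert strings for a gateway entry that is missing or has a changed MAC."""
    mac = table.get(gateway_ip)
    if mac is None:
        return [f"no ARP entry for gateway {gateway_ip}"]
    if mac != pinned_mac.lower():
        return [f"gateway {gateway_ip} now resolves to {mac}, pinned {pinned_mac.lower()}"]
    return []


def duplicate_macs(table):
    """MACs that answer for more than one IP, broadcast excluded."""
    owners = {}
    for ip, mac in table.items():
        if mac != "ff-ff-ff-ff-ff-ff":
            owners.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in owners.items() if len(ips) > 1}


if __name__ == "__main__":
    for label, text in (("before", ARP_BEFORE), ("after", ARP_AFTER)):
        table = parse_arp(text)
        print(label, check_gateway(table, GATEWAY_IP, PINNED_GATEWAY_MAC),
              duplicate_macs(table))
```

Running the check periodically against live `arp -a` output gives the same alert an ARP firewall raises; the remedy the article describes, a static entry for the gateway, is what stops the table from being rewritten in the first place.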
Supplement: for background on ARP spoofing and ARP viruses, see:
ARP encyclopedia: Http://
ARP virus encyclopedia: Http://
Practice 2: Use the Kingsoft firewall to close port 3389, quick and simple
Port 3389 is the default port of the Windows Remote Desktop service, which exists to make remote management of your computer convenient. When port 3389 is open, anyone who has the password can manage the machine. Because this is a system service, most attackers like to open this port on their zombies. To stop others using port 3389, block it with the firewall.
Take the Kingsoft firewall 2009 as the example. Open its main window, choose "Tools > Comprehensive Settings", switch to "Advanced" in the window that opens, tick "Enable TCP/UDP port filtering" on the right, click "Add" and set remote operations on port 3389 to "Deny". Note that a rule applies to one protocol, so two rules (TCP and UDP) are needed to block the port completely.
Key Aspect 3: Fix system and software vulnerabilities promptly to improve security.
Two kinds of vulnerability are frequently exploited on Windows: vulnerabilities in Windows itself and vulnerabilities in application software. Exploiting an application vulnerability is subject to many environmental constraints, so the risk is usually lower; an unpatched Windows vulnerability, on the other hand, stays exploitable indefinitely, so the risk is high.
In general, a vulnerability is often exploited by hackers long before it is officially announced; this is what is known as a 0-day attack. So enable the system's "Automatic Updates" so that new Windows patches are installed as soon as they are available.
Although third-party application vulnerabilities are less risky, widely used tools such as Flash Player, RealPlayer, Adobe Reader, Photoshop, WinRAR, QQ and MSN are also targeted by attackers, so keeping these up to date is just as necessary.
Practice 3: Install patches and software updates with 360
Patching the system or updating software sometimes runs into obstacles, especially for users of non-genuine systems or people who pay little attention to updates. Several tools now bundle a solution to these problems in a simple, convenient package; 360 Security Guard is one of them.
On a system with 360 Security Guard installed, open the main window and click the "Fix System Vulnerabilities" tab to reach the "360 Vulnerability Fix" page. The software scans for system vulnerabilities automatically and, if it finds any, groups them by severity. Select the vulnerabilities you want to fix and click the "Fix selected vulnerabilities" button at the bottom of the page. Compared with the system's automatic updates, fixing vulnerabilities with 360 Security Guard has two advantages: faster downloads and resumable transfers.
In addition, when commonly used software on the system has security vulnerabilities, "360 Vulnerability Fix" can scan for them too, and a software-upgrade function is built in. On the "360 Security Guard" page click "Essential Software"; on the "360 Software Manager" page switch to the "Software Upgrade" tab, select the software to upgrade and click "Upgrade"; once the download completes, click "Install" below.
Key Aspect 4: Pirated systems are risky; harden them after installation.
The Windows XP builds modified by individuals or forums such as Tomato Garden, Yulinmufeng, Tornado and Deepin are usually installed unattended. The installation is very simple, but the result has a fatal defect: the Administrator password is empty and the system logs on automatically. In other words, anyone can try to log on to your system with an empty password.
Knowing the problem, the fix is simple. Open "Control Panel > User Accounts", select "Administrator" in the window that appears, click "Create a password" and enter yours. We recommend a combination of letters and other special characters, at least 8 characters long.
If you also do not want attackers to know the administrator account name, rename "Administrator": enter "lusrmgr.msc" to open "Local Users and Groups", right-click "Administrator" in the right-hand pane, choose "Rename" and enter a name only you know.

Key Aspect 5: Be careful with removable storage devices
Removable storage (portable hard drives, USB flash drives and digital memory cards) is used more and more to move files around, and so it has become an important channel for spreading Trojans and viruses; the notorious Panda Burning Incense, USB-drive Parasite and Disk Machine all spread this way.
Because Windows runs removable storage automatically by default, simply inserting an infected device can infect the computer. The simplest defence is to hold down the Shift key while inserting the device, but it is better to disable the system's AutoPlay altogether. On Vista the setting is made as follows:
Click Start > Run, enter "gpedit.msc" to open the Group Policy Editor and go to "Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies". In the right-hand pane double-click "Turn off AutoPlay", set it to "Enabled", set the target below to "All drives", confirm and close the Group Policy Editor. After a restart AutoPlay is disabled.
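To confirm that the policy actually took effect, the setting can be checked in the registry: "Turn off AutoPlay" writes the DWORD NoDriveTypeAutoRun under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, each bit disables AutoRun for one drive type, and "All drives" sets every bit (0xFF). The following is an added example, not from the article: it decodes that bitmask and, on Windows, reads the live value through winreg; the 0x91 "typical default" is an assumption about an unconfigured system.

```python
r"""Check that AutoPlay is really off.

Added example, not from the article. The "Turn off AutoPlay" policy is
stored as the DWORD NoDriveTypeAutoRun under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer. Each bit
disables AutoRun for one drive type; "All drives" is 0xFF. read_policy()
reads the live value on Windows and returns None elsewhere or when the
value is absent; decode() works on any value, e.g. one exported from
another machine.
"""
import sys

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"
ALL_DRIVES = 0xFF
TYPICAL_DEFAULT = 0x91  # assumed value of a system where no policy was applied

# Bit -> drive type; bit positions follow the Win32 DRIVE_* constants.
DRIVE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB sticks, card readers
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved (unknown types)",
}


def decode(value):
    """Set of drive types for which AutoRun is disabled by this value."""
    return {name for bit, name in DRIVE_BITS.items() if value & bit}


def removable_media_protected(value):
    """True when both removable drives and CD/DVD have AutoRun disabled."""
    return bool(value & 0x04) and bool(value & 0x20)


def all_drives(value):
    """True when the value matches the 'All drives' policy setting."""
    return value & ALL_DRIVES == ALL_DRIVES


def read_policy():
    """Live value from the registry on Windows, else None."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            value, _ = winreg.QueryValueEx(key, VALUE_NAME)
            return int(value)
    except FileNotFoundError:
        return None  # key or value never set on this machine


if __name__ == "__main__":
    value = read_policy()
    if value is None:
        value = TYPICAL_DEFAULT
        print("no policy value available here; evaluating the assumed default")
    print(f"NoDriveTypeAutoRun = 0x{value:02X}: disabled for {sorted(decode(value))}")
    print("removable media protected:", removable_media_protected(value))
    print("all drives:", all_drives(value))
```

A value of None from read_policy() on Windows means the Group Policy step above never wrote the value, which is worth knowing on a machine where the editor was used but the change did not stick.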

In addition, you can download a dedicated USB flash drive immunization tool (Http://
Key Aspect 6: Web-page Trojans are everywhere; protect your browser!
Browsing insecure websites has become one of the main ways computers turn into zombies. Ordinary users find it very hard to tell a safe website from an unsafe one; in fact any website with weak security management may be hacked and seeded with Trojans or viruses, so nobody who browses the Web can avoid web-page Trojans or viruses entirely. All we can do is keep the risk as low as possible.
There are many ways to reduce the risk of Web browsing: install and enable anti-virus software that monitors for web Trojans (almost all anti-virus products have this function), prefer a third-party browser with interception features (such as Maxthon, GreenBrowser and TheWorld), and avoid grey-area sites such as pornography and gambling sites.

