According to the first- and second-quarter reports published this year by anti-virus vendor Sophos, web pages have overtaken e-mail as the preferred channel for distributing malware, with on average more than 300 kinds of malicious software spread through web pages each month. On the user side, weak security awareness when browsing, missing system and software patches, and deficiencies in enterprise security management have made websites one of the main security threats, alongside mobile devices and the enterprise LAN.
Web Trojans are the main culprit behind the web-page malware threat. Contrary to the common impression, a Web Trojan is, strictly speaking, not a Trojan horse itself; it would be more accurate to call it a Web Trojan "planter": a means of exploiting vulnerabilities in a browser or browser plug-in (the target is usually the IE browser and ActiveX programs) to implant Trojans, viruses, password stealers and other malicious programs on the target user's machine. What are the common Web Trojan attack methods? How should users recognize and defend against Web Trojans? The author walks through both questions below:
Common Web Trojan attack methods can be divided into active and passive attacks according to the degree of user interaction.
In the active attack mode, the attacker uses deception, lures and similar means to entice users to visit the site hosting the Web Trojan; a user who carelessly visits the malicious site may be infected with malware. Common cases of this type: the attacker posts pornographic content in forums, chat rooms, blog posts and other places where users gather; posts lottery-prize announcements in online-game chat channels; or uses instant-messaging software, manually or automatically through previously infected users, to send contacts a link to a spoofed website.
In the passive attack mode, the attacker inserts Web Trojan code into the pages of heavily visited websites on the Internet. The malicious web links inserted through ARP spoofing, currently popular in IDC server rooms and enterprise intranets, also belong to the passive mode. This is a wide-net style of attack: any user who visits the site may be infected by the malware that the Web Trojan plants.
Although there are no specific statistics, the attack trends recently published by security companies suggest that active and passive Web Trojan attacks occur with about the same frequency. If a user inadvertently visits a website that may carry a Web Trojan, how can they recognize that an attack is under way? The following are some of the most common signs a user can judge by:
System response speed: Web Trojans currently built on IE browser vulnerabilities, including the latest MS07-004 VML vulnerability, construct a large amount of data to overflow a buffer in the browser or one of its components and so execute the attack code. A user hit by an overflow-type Web Trojan therefore typically sees the system respond very slowly, high CPU usage, and a browser window that stops responding or has to be forcibly closed with Task Manager. In addition, on systems with less than 512 MB of memory, an overflow-type Web Trojan attack makes the system read and write the disk frequently (physical memory is insufficient, so the system automatically expands virtual memory).
Process changes: A small number of IE browser vulnerabilities are not buffer overflows, for example the MS06-014 XML vulnerability from early last year. When a Web Trojan built on such a vulnerability attacks, there is no obvious change in system response or disk activity; at most the hourglass wait cursor appears briefly, for so short a time that users overlook it. In this case, the user can open Task Manager or use Process Explorer to look for an Iexplore.exe process that the user did not start, processes with strange names, and so on, to determine whether a Web Trojan attack has taken place.
Browser display: In the passive attack mode, the attacker usually uses an HTML IFRAME or JavaScript on a legitimate website under their control to invoke the Web Trojan. If a user opens a legitimate website and finds that the status bar in the bottom left corner of the IE browser keeps showing an address that has nothing to do with the site being browsed, while the system becomes very slow or the mouse pointer turns into an hourglass, a Web Trojan attack is likely under way.
Security software alarm: An alert from security software is perhaps the most reliable indication to the user of a Web Trojan attack. However, quite a number of anti-virus products on the market cannot detect Web Trojans encrypted with JavaScript and VBScript, so the absence of an anti-virus alert does not necessarily mean the site is safe.
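The "Browser display" sign above can also be checked from the site owner's side. The following is an added example, not code from the original article: it lists IFRAME and script references in a page that point to a host other than the site's own, and marks iframes that are sized or styled to be invisible. The function and class names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    # True for width/height values of 0 or 1 pixel, e.g. "0", "1", "1px".
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1

class InjectedFrameScanner(HTMLParser):
    """Collects iframe/script tags whose src resolves to a foreign host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src")
        if not src:
            return
        host = urlparse(urljoin(self.page_url, src)).hostname
        if host is None or host == self.page_host:
            return  # relative, same-host or non-network reference
        hidden = tag == "iframe" and (
            _tiny(a.get("width")) or _tiny(a.get("height"))
            or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        self.findings.append((tag, host, "hidden" if hidden else "external"))

def scan(page_url, html):
    s = InjectedFrameScanner(page_url)
    s.feed(html)
    s.close()
    return s.findings

# Constructed sample page; all hosts are placeholders.
SAMPLE = """<html><body>
<script src="/js/site.js"></script>
<iframe src="http://unrelated.example.net/x.htm" width="0" height="0"></iframe>
<script src="http://unrelated.example.net/a.js"></script>
<iframe src="http://www.example.com/banner.html" width="468" height="60"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(scan("http://www.example.com/index.html", SAMPLE))
```

An "external" finding is a reference to review against the hosts the site is known to use, since legitimate pages also load third-party content; a "hidden" iframe to an unrelated host is the stronger signal.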
Attack tricks keep multiplying, and Web Trojans are hard to guard against. How can users, who are at a technical disadvantage, defend themselves?
1. Keep system patches up to date. Most Web Trojan victims have neglected to apply patches to the system and application software they use. After all, only a very small number of attackers will use expensive 0day browser vulnerabilities for Web Trojans, so promptly applying system and software security patches defends against most Web Trojans.
2. Install anti-virus software and keep it updated. Users can choose anti-virus software with strong Web Trojan detection and removal capability and update its virus signature database promptly. Then, even if a Web Trojan uses the latest encryption techniques to escape detection, up-to-date signatures can still protect the user as far as possible from the malicious software that the Web Trojan goes on to install.
3. Use a third-party browser. Since the Web Trojans common on the Internet today target vulnerabilities in the IE browser and its ActiveX controls, using Firefox, Opera or another third-party browser not based on the IE kernel cuts off Web Trojan attacks at the source. However, third-party browsers are less compatible with web pages than IE, and some special pages, such as online banks that use an ActiveX password login control, cannot be logged in to from a third-party browser; users can use the IE browser for such pages.
4. Develop safe web browsing habits. Do not casually click links of unknown origin or links accompanied by enticing language, to avoid falling into an attacker's trap. When a legitimate website has been attacked and had a Web Trojan planted on it, the user should also report to the