Win the anti-virus war and teach you to completely prevent Trojans

Source: Internet
Author: User
Tags: network function

"I think we should burn this thing." More than 3000 years ago, facing the huge wooden horse the Greeks had suddenly left on the ruins of the battlefield, the young prince of Troy said this to his father, uneasy that an object appearing out of nowhere would bring bad luck. No one listened to him, and the whole army stubbornly hauled the giant object back into the city as a trophy. A few days later the Greek soldiers hiding inside the horse opened Troy's impregnable gate, and Troy fell. If Paris still has a soul, he may well wonder: had I insisted on burning that ill-omened thing, how would Troy have ended?

Allow me to adapt a sentence from the writer Jiang Tang: "The network of the 21st century is a world where Trojans run rampant. After the war on viruses, mankind's greatest perplexity is the difficulty of attacking and defending against Trojans and backdoors."

As we all know, Trojans (Trojan horse programs, or backdoors) are very dangerous programs. They open the door to unknown intruders, exposing the victim's system and data to the chaotic online world. Like viruses, Trojans have evolved over several generations, becoming ever more concealed and turning into another parasite that is hard to remove.

-- What if we had burned the Trojan horse as early as possible?

Know Trojans

In short, a Trojan is a remote control program that lurks in the victim's computer and secretly opens one or more data transmission channels. It consists of two parts: the client (also called the control end) and the server. What is usually called the spread or infection of a Trojan actually refers to the server: the intruder must deliver the server program to the victim by one means or another for the Trojan to propagate. When the server is executed on the victim's computer, it copies itself to the system directory and adds its own startup code to an area that the system calls automatically at boot, so that it runs every time the system starts. This area is usually called a "startup item". After the Trojan completes this step it enters its incubation period: it secretly opens a port on the system and waits for the intruder to connect. Up to this point the Trojan is only at the stage of being dragged into the city by the citizens of Troy, and carries out no destructive actions.

When the intruder uses the client to connect to the port opened by the Trojan server, the gate of Troy is opened. Here the nightmare of Troy begins ......

So, before the Greek bugle sounded from inside the horse, had Paris set fire to the giant in time, Troy might not have disappeared; at the very least, it would not have been destroyed by a Trojan horse.

Keeping the horse out of the city -- Trojan forms and the corresponding system protection in different periods

The premise of the Trojan horse stratagem was that the horse containing the Greek soldiers was carried into the city; that is what let the plan succeed. If the horse had been left on the beach to rot and stink from the start, or if the ill-omened thing had been burned, the Trojan horse would have gone down in history as a famous but ineffective strategy of the same kind as the Maginot Line, and no one would have used it again.

But the Greek Trojan horse succeeded, just as thousands of modern network Trojans have succeeded. The modern Greeks, the intruders, actively use every means to get the modern Trojan program happily carried home.

In the early days the idea of anti-virus was not widespread. Internet users were relatively naive and only a few people used a network firewall, so intruders had an easy time: simple social engineering was enough to get the Trojan program to the other party for execution. In this period, Trojan planting (nowadays generally just called "planting a Trojan") basically required no technique; perhaps the only skill needed was how to configure and use a Trojan, because at that time the Trojan was still a new product. Netizens could only rely on their own judgment and skill to protect themselves from, or get rid of, Trojans. So when Trojan technology first took hold in China, in any IP segment more than 40% of the affected computers might have had their doors open waiting for an intruder. It is no exaggeration to say this was the first golden age of Trojans. The only fly in the ointment was that the network speed of the time was too slow.

As time passed, Trojan technology matured, but the security awareness of netizens also grew, and the concept of the virus firewall appeared in its early form. Intruders in this period had to master more advanced social engineering and early intrusion techniques to make the other party suffer. Although Trojans of this period had become more concealed, they still worked by the client connecting to the server. With the arrival of the virus firewall, netizens became much more efficient at identifying and killing Trojans, and most people also learned not to casually accept programs from strangers, so Trojans were no longer as rampant as in the previous period. But because virus firewalls were a new product, a relatively large number of people had still not installed or used one, so many old Trojans could still run wild.

Later, with the advent of network firewall technology and the maturing of virus firewall technology, Trojan authors were forced to follow in the footsteps of the anti-virus vendors and update their work, so that their horses would not be "martyred" early. At the same time, the network firewall meant the computer was no longer directly exposed to the network; in particular, the two policies it enforces, "intercept external connection requests" and "review internal programs' requests to access the network", caused most Trojans to fail. In this period Trojans gradually split into two factions. One still used the client to connect to the server but switched to another transmission channel, such as e-mail or FTP, or even disabled the network firewall from inside so that it could pass unobstructed. The other reversed the idea of intrusion, changing "client connects to server" into "server connects to client"; coupled with a little social engineering, this broke through the limits of the network firewall, and a new Trojan technology, the "reverse-connection" (rebound) Trojan, was born. During this period the war between intruders and victims finally rose to the technical level: to protect yourself, besides installing a network firewall and a virus firewall, you also had to get into network attack and defense technology. This "basic interaction" has persisted into today's XP era.

In the XP era network speed has taken a qualitative leap, and the hacker attack-and-defense war has moved ever more into the open. The system changed too: an operating system born specifically for network applications will have network-related defects. Yes, the weakness of Windows XP compared with Win9x is that it has too many network vulnerabilities; whether it is a mail Trojan that spreads through the MIME vulnerability or a Trojan dropped through an LSASS overflow, each gets its share of XP systems. You may say that Win9x also has many vulnerabilities, so why does it not suffer like XP? Because Win9x's network functions are so weak that almost no system component needs to run on the network! So nowadays, besides wrapping ourselves up tightly with a network firewall and a virus firewall, we also have to visit Microsoft's system update site every few days to install the various vulnerability fixes ......

Don't let the soldiers climb down! -- Prevent Trojans from being started

After the Greek soldiers hidden in the horse entered the city they did not rush out to slaughter, but waited until the dead of night before coming out to open the solid gate and play Troy's funeral song. But computers do not have the geography and timing of human society. Even if your hard disk now stores 100 Trojans, they are no better off than the big wooden horse on the beach, because to the operating system any harmful program that is not running is equivalent to a soldier who never climbs down, and is considered harmless. To turn the system into Troy on that dark night, the only way is to start the Trojan's server side. The simplest way to start a Trojan is to have it loaded and run through a "startup item".

Any operating system automatically runs some programs at startup to initialize the system environment or add functions. Programs allowed to run with system startup are placed in special areas that are loaded and run when the system boots; these areas are the "startup items", and different systems provide different ones. Win9x provides at least five: autoexec.bat and config.sys in the DOS environment, the "Startup" program group in Windows, two Run items in the registry and one RunServices item, respectively:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

In the 2000/XP era the DOS environment was dropped, but a new startup area called "services" was added, and the registry gained two more "startup items" while keeping the original ones unchanged:

Item: AppInit_DLLs; key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Item: Run; key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

With so many startup entries, Trojans naturally will not miss them, so we often find strange program names in a computer's startup items. At that point only you or the virus firewall can tell them apart, because the system itself also places necessary initialization programs here, as well as normal tools, including the virus firewall and the network firewall themselves, which must also start with the system through the startup items.

There is also a nasty way to start with the system without using any startup item at all: "system path search priority spoofing". When a Windows system searches for a file given without path information, it follows an "outside to inside" rule: it starts from the root of the drive where the system is installed and searches step by step down to the system directory. This means that if two files with the same name are stored in C:\ and C:\Windows, Windows will execute the program under C:\ instead of the one in C:\Windows. This search logic gives intruders an opening: rename the Trojan to the name of some file that is called at system startup, copy it into a directory that is searched before the original file's directory (closer to the root), and Windows will take the Trojan program for granted; the system's nightmare begins. This method is often used against internat.exe, because no path is set for it in any Windows startup item.

You must be alert to Trojans that auto-run from the startup items: learn all the normal startup items on your machine so that you can see whether a Trojan has been mixed in. As for Trojans that exploit the system path search order, users can only be careful.
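The search-order problem described above is easiest to reason about with a small audit. The following is an added example, not code from the article: given a list of directories in the order they are assumed to be searched (the order here is constructed to follow the article's "outside to inside" description and is an assumption, not a statement of Windows' actual lookup rules) and a constructed directory listing, it reports every executable name that exists in more than one searched directory, which copy would be picked, and whether that copy is the one you expected. Run it against a real listing of your own startup directories to spot a shadowed file name.

```python
"""Search-order shadowing audit. Added example; the search order and the file
listing are constructed for illustration, not Windows' real lookup rules."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed: directories in the order the system is assumed to search them.
SEARCH_ORDER = ["C:\\", "C:\\Windows", "C:\\Windows\\System32"]

# Constructed listing of (directory, file name). The extra copy of internat.exe
# in the root directory is the kind of duplicate the article describes.
LISTING = [
    ("C:\\", "internat.exe"),
    ("C:\\Windows", "internat.exe"),
    ("C:\\Windows", "notepad.exe"),
    ("C:\\Windows\\System32", "cmd.exe"),
]


def index_by_name(listing: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each lower-cased file name to the directories that contain it."""
    by_name: Dict[str, List[str]] = defaultdict(list)
    for directory, name in listing:
        by_name[name.lower()].append(directory)
    return by_name


def resolve(name: str, listing, search_order=SEARCH_ORDER) -> Optional[str]:
    """Directory whose copy of a bare file name would be run first, or None."""
    copies = set(index_by_name(listing).get(name.lower(), []))
    for directory in search_order:
        if directory in copies:
            return directory
    return None


def shadowed_names(listing, search_order=SEARCH_ORDER) -> Dict[str, Tuple[str, List[str]]]:
    """Every name present in more than one searched directory: (winner, shadowed copies)."""
    report = {}
    for name, directories in index_by_name(listing).items():
        if len(set(directories)) < 2:
            continue
        winner = resolve(name, listing, search_order)
        losers = sorted(d for d in set(directories) if d != winner)
        report[name] = (winner, losers)
    return report


def is_hijacked(name: str, expected_dir: str, listing, search_order=SEARCH_ORDER) -> bool:
    """True when the copy that would run is not the one in the expected directory."""
    winner = resolve(name, listing, search_order)
    return winner is not None and winner.lower() != expected_dir.lower()


if __name__ == "__main__":
    for name, (winner, losers) in shadowed_names(LISTING).items():
        print(f"{name}: {winner} wins, shadowing {', '.join(losers)}")
    print("internat.exe hijacked:", is_hijacked("internat.exe", "C:\\Windows", LISTING))
```

The check is deliberately independent of how the real system orders its lookup: feed it the order your platform documents and a listing of the directories on that path, and any name that appears twice is worth a look regardless of which copy wins.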

Why can't it be eradicated? -- Detecting and removing file-association Trojans

Some users get very depressed: they have already deleted the Trojan file and its startup items, yet at some unknown moment it comes back intact. Even more tragic, after the Trojan is killed the system also breaks: no application can be opened. If the user's understanding of computers is limited to using anti-virus software, all that is left is to cry and reinstall the system!

Why? Is the Trojan maliciously modifying the system core? The answer is actually very simple: this kind of Trojan modifies the file association of applications (EXE files).

What is a "file association"? In Windows, opening a file is done through the application specified by the corresponding key value in the registry. This part lives under the HKEY_CLASSES_ROOT root key. When the system receives a request to open a file name, it identifies the file type by its extension and calls the corresponding program to open it. An application is itself a file, also belongs to a file type and could in principle be opened in other ways; but in Windows the calling program for it is set to "%1" %*, which the system kernel understands as "an executable request": it creates a process for the file opened this way, and the file is finally loaded and executed. If another program changes this key value, Windows will call the specified file to open it. Some Trojans change the "open" command of the exefile type (the type associated with the EXE extension) to "Trojan program" "%1" %*. Now, when any program is run, the system first creates a process for the "Trojan program" and passes the requested file name to it as a parameter, and the Trojan executes it, so the program appears to start normally. Because the Trojan serves as the calling program for every EXE file, it stays in memory for a long time and restores its own files each time. That is why, to ordinary users, this Trojan "never dies". But once the Trojan file is deleted, Windows can no longer find the calling program and normal programs cannot be executed. This is the source of the so-called "no program can run" problem. It is not a Trojan that changes the system core, so there is no need to reinstall the whole system.

The simplest way to eradicate this Trojan is to look at the program pointed to by the exefile "open" command and immediately terminate that program's process (if it has generated other Trojan files, terminate those too); then, with Registry Editor open (otherwise none of your programs will open), delete all the Trojan files and change the exefile "open" item (HKEY_CLASSES_ROOT\exefile\shell\open\command) back to the original "%1" %*.

If you forget to change the association back before deleting the Trojan, you will find that no program can be opened. Do not worry. If you are a Win9x user, use the "shell replacement" method: restart, press F8 to enter the startup menu and choose MS-DOS mode, rename explorer.exe, then rename regedit.exe to explorer.exe. After restarting you will find that the only thing in Windows is a Registry Editor; change the file association back! After restarting again, do not forget to restore the original explorer.exe.

For Win2000/XP users it is even simpler: press F8 at startup to enter the startup menu and select "Safe Mode with Command Prompt"; the system then uses the command prompt interface as the shell, and you can type regedit there to open the Registry Editor. XP users do not even need to restart: in the "Open With" dialog, simply browse to cmd.exe to open a "command prompt" window, and run the Registry Editor regedit.exe from there.
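Both the startup-item section and the file-association section above come down to reading a handful of registry keys and knowing what the stock values look like. The following is an added example, not code from the article: it parses a Registry Editor (.reg) export, lists every entry under the startup keys the article names, flags entries whose command gives no directory (so the search order decides which copy runs), and checks whether the exefile open command is still "%1" %*. The export text, the value names and the file unknown_sample.exe are constructed; on a real machine you would export the same keys with regedit and feed the file to parse_reg.

```python
"""Audit a Registry Editor (.reg) export for startup entries and for a hijacked
exefile association. Added example; the export text and unknown_sample.exe are constructed."""
import re

# Constructed .reg export covering the startup keys and the exefile key discussed above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Updater"="C:\\WINDOWS\\SYSTEM\\unknown_sample.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\SYSTEM\\unknown_sample.exe\" \"%1\" %*"
'''

# Startup keys named in the article (compared case-insensitively).
AUTOSTART_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
}
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXPECTED_EXEFILE_COMMAND = '"%1" %*'   # the stock association for EXE files

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(text):
    """Undo .reg string escaping: a backslash escapes the next character."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg(text):
    """Parse string values ("name"="value" and @="value") into {key: {name: value}}."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            reg.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            value = m.group(2)
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = _unescape(value[1:-1])
            reg[key][name] = value
    return reg


def autostart_entries(reg):
    """(key, value name, command) for every non-empty value under a known startup key."""
    wanted = {k.lower() for k in AUTOSTART_KEYS}
    return [(key, name, cmd) for key, values in reg.items() if key.lower() in wanted
            for name, cmd in values.items() if cmd]


def executable_of(command):
    """First token of a command line; a quoted path is taken whole."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def entries_without_path(entries):
    """Startup commands that name the program without a directory, so the
    system's search order, not the entry itself, decides which copy runs."""
    return [e for e in entries if "\\" not in executable_of(e[2])]


def exefile_hijack(reg):
    """The exefile open command when it is not the stock "%1" %*, else None."""
    for key, values in reg.items():
        if key.lower() == EXEFILE_KEY.lower():
            cmd = values.get("@", "")
            return None if cmd == EXPECTED_EXEFILE_COMMAND else cmd
    return None


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for key, name, cmd in autostart_entries(reg):
        flag = " (no path)" if "\\" not in executable_of(cmd) else ""
        print(f"{name}: {cmd}{flag}")
    hijack = exefile_hijack(reg)
    print("exefile association:", "OK" if hijack is None else f"HIJACKED -> {hijack}")
```

A non-None result from exefile_hijack is exactly the situation the article describes: the program it names is the one to stop first, and the value to restore is "%1" %*. Entries flagged as having no path are not necessarily bad, but they are the ones to cross-check against the directory audit from the previous section.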

Swapped out -- Recovering replaced system files

Besides adding its own startup item, path spoofing and changing the file association, another common Trojan technique is replacing a system file. The Trojan first renames the system's original file to an obscure name known only to itself, then renames itself to the file it replaced, completing a hidden and deep infection. From then on, whenever the system needs to call the replaced program, the Trojan stays resident in memory. Will replacing the file cause system errors? As long as the Trojan is not deleted, no: when the Trojan is started in place of the original program it receives the run parameters the system passes, which are the key to the work the system wants the program to do. The Trojan passes these parameters straight on to the renamed original and lets it finish the job, like a relay race, so the command is executed normally and nothing looks wrong. But precisely because of this, once the Trojan is found and killed, some of the system's commands can no longer be passed to the program that was supposed to carry them out, and the system malfunctions instead.

The fix is actually very easy: just remember the Trojan's file name, delete it, and copy an "original" copy of the file from the system disc. If you have no system disc, you must use a tool to trace the target program name in the parameters the Trojan passes on, and rename it back.
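Knowing which file was swapped, and where the renamed original went, is much easier if you hashed the system directory while it was still clean. The following is an added example, not the article's own method: it records a SHA-256 baseline of a directory, then reports files whose content changed, files that vanished and files that appeared. A swap of the kind described above shows up as one "changed" entry (the impostor under the original name) plus one "new" entry (the renamed original), which is the file the article tells you to rename back. The directory and its files are constructed in a temporary folder so the example runs anywhere.

```python
"""Baseline check for replaced system files: hash a directory once while it is
known-good, later compare. Added example; the files and names are constructed."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(directory):
    """{file name: sha256} for every regular file directly in the directory."""
    return {name: sha256_of(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, name))}


def compare_to_baseline(baseline, directory):
    """Files whose content changed, files that vanished, and files that appeared."""
    current = build_baseline(directory)
    return {
        "changed": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "new": sorted(n for n in current if n not in baseline),
    }


def demo():
    """Build a constructed 'system directory', baseline it, simulate the swap, compare."""
    workdir = tempfile.mkdtemp(prefix="baseline_demo_")
    try:
        with open(os.path.join(workdir, "tool.exe"), "wb") as fh:
            fh.write(b"constructed: original program bytes")
        with open(os.path.join(workdir, "helper.dll"), "wb") as fh:
            fh.write(b"constructed: library bytes")
        baseline = build_baseline(workdir)  # taken while the directory is known-good
        # Simulated swap: the original gets an obscure name, an impostor takes its name.
        os.rename(os.path.join(workdir, "tool.exe"), os.path.join(workdir, "obscure.dat"))
        with open(os.path.join(workdir, "tool.exe"), "wb") as fh:
            fh.write(b"constructed: impostor bytes")
        return compare_to_baseline(baseline, workdir)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the machine being checked cannot write to; a baseline kept on the same disk is only as trustworthy as the files it describes.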

Conclusion

The development of Trojans has driven the improvement of security technology, and the improvement of security technology has forced Trojans to develop to a higher level. Trojans now come in several coexisting factions, and the methods for detecting them can no longer be as simple as before. For example, checking for abnormal ports is useless against a reverse-connection Trojan, which opens no port on the local machine; and even if a firewall can stop unauthorized internal programs from accessing the network, it only covers TCP/UDP Trojans. Do not forget the ICMP backdoor: firewalls usually do not block such packets, and although little can be done with an ICMP datagram, it is enough for basic command and control ......

When will the Trojan horse stop?
