{"id":411,"date":"2010-03-10T21:00:00","date_gmt":"2010-03-10T13:00:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=411"},"modified":"2024-02-17T20:33:25","modified_gmt":"2024-02-17T12:33:25","slug":"trojan-and-backdoor","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/411","title":{"rendered":"trojan and backdoor"},"content":{"rendered":"\n

trojan<\/strong>
Malicious code masquerading as or replacing legitimate code
A Trojan Horse is an apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation,falsification, or destruction of data<\/p>\n\n\n\n

overt and covert channels
overt channel(\u5408\u6cd5\u901a\u9053)<\/strong>:a legitimate communicatin path within a computer system,or network,for the transfer of data
covert channel(\u96b1\u5bc6\u6027\u901a\u9053)<\/strong>:a channel that transfers information within a computer system,or network,in a way that violates the security policy
ex:trojan\u6703\u4f7f\u7528covert channel\u4f86\u9003\u907f\u5b89\u5168\u8edf\u9ad4\u7684\u5075\u6e2c<\/p>\n\n\n\n

………………………<\/p>\n\n\n\n

types of trojans :<\/strong>
remote access trojans
data-sending trojans
destructive trojans
DOS attack trojans
proxy trojans
ftp trojans
security software disablers<\/p>\n\n\n\n

………………………<\/p>\n\n\n\n

different ways a trojan can get into a system:<\/strong>
IM applications
IRC
via attachments
physical access
browser and email software bugs
netbios
fake programs
suspicious sites and freeware software
downloading files,games,and screensavers from internet sites
legitimate “shrink-wrapped” softward packaged by a diagruntled employee<\/p>\n\n\n\n

ps:
\u81ea\u52d5\u57f7\u884c
\u5c07\u4ee5\u4e0b\u653e\u5165autorun.inf
[autorun]
open=setup.exe
icon=setup.exe<\/p>\n\n\n\n

ps:
\u6bcf\u6b21\u958b\u6a5f\u6642\u90fd\u57f7\u884c
\u5728\u4ee5\u4e0b\u6a5f\u78bc\u5167\u65b0\u589e\u9805\u76ee
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Services<\/p>\n\n\n\n

………………………<\/p>\n\n\n\n

indications of trojan attack<\/strong>
\u96fb\u8166\u8b8a\u6162,\u7570\u5e38\u7684\u5927\u91cf\u8b80\u53d6
\u51fa\u73fe\u7570\u5e38\u7db2\u8def\u6d41\u91cf\u8207\u9023\u7dda
cd-rom\u6703\u81ea\u5df1\u958b
\u87a2\u5e55\u4e0a\u4e0b\u5d6e\u5012
\u6ed1\u9f20\u81ea\u52d5\u79fb\u5230\u53f3\u4e0a\u89d2\u6309close<\/p>\n\n\n\n

ps:hijacklist, \u53ef\u5075\u6e2c\u662f\u5426\u6709\u7570\u5e38\u7a0b\u5f0f
………………………<\/p>\n\n\n\n

ports used by trojans<\/strong>
back orifice:udp 31337 or 31338
deep throat:udp 2140 and 3150
netbus:tcp 12345 and 12346
whack-a-mole:tcp 12361 and 12362
netbus2:tcp 20034
grilfriend:tcp 21544
sockets de troie:tcp 5000,5001 or 50505
masters paradise:tcp 3129,40421,40422,40423,and 40426
devil:tcp 65000
evil:ftp 23456
doly trojan:tcp 1011,1012,1015
chargen:udp 9,19
stealth spy phaze:tcp 555
netbios datagram:tcp,udp 138
sub seven:tcp 6711,6712,6713
icq trojan:tcp 1033
mstream:udp 9325
the prayer 1\/2:tcp 9999
online keylogger:udp 49301
portal of doom:tcp,udp 10067,10167
senna spy:tcp 13000
trojan cow:tcp 2001<\/p>\n\n\n\n

ps:netstat -an\u53ef\u770bport state
………………………<\/p>\n\n\n\n

\u7d93\u5178\u7684trojan<\/strong>
tini:a simple and small(3kb) backdoor for windows,it listens at tcp port 777
icmd:\u53efmultiple connections,\u53ef\u8a2dpassword
netbus: \u65e9\u671f\u6709\u540d\u7684\u6728\u99ac,\u5728\u65e9\u671f\u7b97\u662f\u529f\u80fd\u9f4a\u5168,\u53ef\u958bcdrom,\u8b80\u53d6\u7cfb\u7d71\u6a94,…\u7b49
netcat:\u7db2\u7ba1\u5de5\u5177,\u6709backdoor\u529f\u80fd
cryptcat:netcat + encryption
beast:\u4e3b\u8981\u662f\u505a\u9060\u7aef\u7ba1\u7406,\u6b64tool\u6703\u7522\u751fserver\u7aef(\u6728\u99ac)\u548c\u7ba1\u7406\u7aef
mosucker: \u63a7\u7ba1\u529f\u80fd\u4e0d\u932f
sars:\u53d7\u5bb3\u8005\u6703\u628aip\u50b3\u7d66\u653b\u64ca\u8005
proxy server trojan:\u5c0f\u578bproxy(3kb),\u653e\u5728\u4efb\u4e00\u53f0\u96fb\u8166\u4e0a\u7576\u8df3\u677f,\u8b93\u653b\u64ca\u8005\u4e0a\u7db2
tinyftpd:\u5728\u53d7\u5bb3\u7aef\u958bftp\u8b93\u653b\u64ca\u8005\u9023\u7dda
vnc trojan:\u9060\u7aef\u63a7\u7ba1\u8edf\u9ad4<\/p>\n\n\n\n

………………………<\/p>\n\n\n\n

wrapper<\/strong>
A tool used to bind the Trojan with legitimate file
\u5c07\u6728\u99ac\u8207\u6b63\u5e38\u7a0b\u5f0f\u5408\u5728\u4e00\u8d77<\/p>\n\n\n\n

wrapper tool\u6709\u4ee5\u4e0b
one file exe maker:\u5c072\u500b\u7a0b\u5f0f\u5408\u4f75
yet another binder
pretator wrapper<\/p>\n\n\n\n

\u5176\u4ed6tool\u6709\u4ee5\u4e0b
wordpad
remotebymail:\u4f7f\u7528mail\u4f86\u63a7\u5236
icon plus:\u6539\u8b8a\u7a0b\u5f0ficon
restorator:defacing application
tetris<\/p>\n\n\n\n

………………………………………………………………………….<\/p>\n\n\n\n

http tunnel<\/strong>
\u4e00\u7a2e\u96b1\u85cf\u901a\u8a0a\u7684\u6280\u8853
\u5e38\u898btool\u6709\u4ee5\u4e0b
http rat:http trojan,
shttpd trojan:http trojan<\/p>\n\n\n\n

ps:
atelier web remote commander
badluck destructive trojan:a dangerous and destructive tool,\u57f7\u884c\u5f8c\u5c07\u7834\u58de\u4f5c\u696d\u7cfb\u7d71
trojan horse construction kit:\u6728\u99ac\u7522\u751f\u5668,\u6839\u64da\u9078\u64c7\u7522\u751f\u4e0d\u540c\u7684\u6728\u99ac<\/p>\n\n\n\n

………………………<\/p>\n\n\n\n

icmp tunneling<\/strong>
\u4e00\u7a2e\u96b1\u85cf\u901a\u8a0a\u7684\u6280\u8853
use icmp echo-request and echo-reply<\/p>\n\n\n\n

icmp backdoor trojan
loki:\u4f7f\u7528icmp,\u96e3\u4ee5\u88ab\u5075\u6e2c<\/p>\n\n\n\n

ps
loki countermeasures
1external icmp_echo traffic should be disabled completely
2this does have serious implications to normal network management,since it affects network communication management within the local segment.this is configured to permit internal ping traffic and block and disable the packets coming from outiside
3disable icmp_echo_reply traffic on a cisco router,security implications make this a prudent choice
4ensure that the routers are configured not to send icmp_unreachable error packets to hosts that do not respond to arps
ps:
loki also has the option to run over udp port 53
………………………<\/p>\n\n\n\n

reverse connecting trojans<\/strong>
\u53ef\u53cd\u9023\u7684\u6728\u99ac
\u4e2d\u6728\u99ac\u53d7\u5bb3\u8005\u6703\u9023\u5230\u653b\u64ca\u8005\u6307\u5b9aport,\u7cfb\u7d71\u5224\u65b7\u53ef\u80fd\u6b63\u5e38,\u56e0\u70ba\u662f\u7531\u4f7f\u7528\u8005\u767c\u51fa
tool\u6709\u4ee5\u4e0b
nuclear rat trojan
CCTT(covert channel tunneling tool)
windows reverse shell
perl-reverse-shell
winarp_mim:\u4f7f\u7528arp \u653b\u64ca\u7684\u5c0f\u6728\u99ac<\/p>\n\n\n\n

XSS tunneling<\/strong>
\u5728\u7db2\u9801\u63d2\u4e00\u6bb5SCRIPT,\u53d7\u5bb3\u8005\u700f\u89bd\u7db2\u9801\u6642\u6703\u88ab\u653b\u64ca\u8005\u63a7\u5236
tool\u6709:
xss shell tunnel:web\u4ecb\u9762
xss tunnel:\u4f7f\u7528.net framework<\/p>\n\n\n\n

………………………………………………………………………….<\/p>\n\n\n\n


miscellaneous trojans:<\/strong>
backdoor.theef
t2w
downtroj
turkojan
trojan.satellite-rat
yakoza
trojan.hav-rat
PI(poison ivy):\u4e3b\u8981\u7528\u505a\u9060\u7aef\u7ba1\u7406,\u53ef\u53cd\u9023,\u591a\u529f\u80fd,\u6709plug-in,\u4e14\u4fee\u6539\u5f8c\u5f88\u96e3\u88ab\u5075\u6e2c\u5230
rapid hacker
shark
hackerzrat
optix pro
proagent
od client
acerat
mhacker-ps
rubyrat public
consoledevil
zombierat
webcam trojan:\u5c08\u9580\u63a7\u5236webcam
dji rat
skiddie rat
biohazard rat
troya
prorat
dark girl
dacryptic
net-devil
pokerstealer.a
hovdy.a<\/p>\n\n\n\n

…………………………………………………………………………………………………………………………………………….<\/p>\n\n\n\n


\u5075\u6e2ctrojans
1
scan for suspicious open open ports<\/strong>
\u53ef\u7528tool
netstat
fport
tcpview
currports<\/p>\n\n\n\n

2
scan for suspicious running processes<\/strong>
\u53ef\u7528tool\u6709
process viewer\/process explorer
what’s on my computer
super system helper
inzider
what’s running<\/p>\n\n\n\n

3
scan for suspicious registry entries<\/strong>
\u53ef\u7528 tool:
msconfig
autoruns
hijack this:\u53ef\u5206\u6790\u958b\u6a5f\u904e\u7a0b,\u4e26\u5c07\u8a18\u9304\u4e0a\u50b3\u505a\u5206\u6790
startup list<\/p>\n\n\n\n

4
scan for suspicious network activities<\/strong>
\u53ef\u7528 tool:ethereal<\/p>\n\n\n\n

5
run trojan scanner to detect trojans<\/strong>
\u5e38\u898banti-trojan\u8edf\u9ad4\u6709
trojan hunter
comodo boclean
xsoftspyse
spyware doctor
spywarefighter<\/p>\n\n\n\n

\u5176\u4ed6\u9084\u6709
trojan guard
zonealarm-f
winpatrol
leaktest
kerio personal firewall
sub-net
tavscan
spybot search & destroy
anti trojan
cleaner
vba32:\u812b\u6bbc\u80fd\u529b\u5f37<\/p>\n\n\n\n

……………………<\/p>\n\n\n\n

\u9003\u907fanti-virus\u6280\u8853<\/strong>
never use trojans from the wild
write your own trojan and embed it into an application
change trojan’s syntax ,ex:convert an exe to doc file
change the checksum
change the content of the trojan using hex editor
break the trojan file into multiple pieces<\/p>\n\n\n\n

\u9003\u907fanti-trojan\/anti-virus tool:
stealth tools<\/p>\n\n\n\n

………………………………………………………………………….<\/p>\n\n\n\n


countermeasures<\/strong>
educate users not to install applications downloaded from the internet and email attachments<\/p>\n\n\n\n

use tool:
tripwire
sigverif.exe:system file verification
sfc.exe:system file checker
md5sum.exe
windows defender<\/p>\n","protected":false},"excerpt":{"rendered":"

trojanMalicious code masquerad …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[39],"tags":[],"class_list":["post-411","post","type-post","status-publish","format-standard","hentry","category-concept"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/411","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=411"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/411\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=411"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=411"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=411"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}