
Sabtu, 12 November 2011

Also on Trojans

Author: Mani

A Trojan horse should be defined as software that operates covertly: while performing some interesting functions it also does things the user does not want, and in the end it harms the user. That is my definition of a Trojan.

Remote control software is software that remotely controls a distant machine with that machine's knowledge and permission.

Server side: the software that runs on the target machine.
Client side: the software that controls the target machine.

Characteristics of a Trojan:

1. Stealth. Many people have trouble telling Trojans apart from remote control software; in fact, this is the biggest difference between the two. To give an example: the domestic 血蜘蛛 (Blood Spider) and the foreign PCanywhere should be classed as remote control software. When the server side of Blood Spider and similar tools runs on the target machine, a very conspicuous indicator appears on that machine. The server side of Trojan-type software, by contrast, uses all sorts of means to hide itself while running, for example the familiar trick of modifying the registry and ini files so that the machine loads the Trojan program again after the next boot. Some software binds the server side together with a normal program into a single program; these are called exe-binders. When someone uses the trojanized program, the Trojan also gets into the system. I have even heard of a program that can bind an exe file with an image file, so that when you view the image, the Trojan also gets into your system.

Some Trojans also let the operator customize the communication port, which of course makes the Trojan even more secretive. Change the server side's icon so that it looks like a zip or image file, and if you are not careful, you are in trouble.

2. Special functionality. The functions of a Trojan are usually quite special. Beyond ordinary file operations, some Trojans can search the cache for passwords, set passwords, scan IP ranges to find infected machines, log keystrokes, operate on the remote registry, and perform unusual operations such as flipping the screen or locking the mouse. Remote control software naturally does not have so many special functions; after all, remote control software is for controlling, not for hacking.

What I have described covers a large share of Trojan tools, but there are also Trojans whose functionality is more "specialized" and which do not work in a client/server fashion. For example, passwd sender (Chinese name: 口令邮差, "password postman") lurks on the target machine, collects all kinds of password information, and secretly sends it to a designated mailbox when the target goes online. On unix, some hackers modify the source code of ps so that it deliberately omits a particular process name, such as a sniffer running on the system; others modify login, passwd, su and similar programs so that they collect password information or open a backdoor. All of these programs we call Trojans.
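The trojanized ps, login, passwd and su binaries described above are the classic case for file integrity baselining: record a digest of each trusted binary, then compare later. The following is an added example written for this page, not code from the original article; the file names are the ones the article mentions, and the files themselves are constructed in a temporary directory so it runs offline.

```python
import hashlib
import os
import tempfile

# The system programs the article names as common targets for trojanizing.
WATCHED = ["ps", "login", "passwd", "su"]


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names=WATCHED):
    """Record a digest for every watched file present under root."""
    return {n: sha256_file(os.path.join(root, n))
            for n in names if os.path.exists(os.path.join(root, n))}


def check_baseline(root, baseline):
    """Return {name: 'ok' | 'modified' | 'missing'} against a stored baseline."""
    report = {}
    for name, digest in baseline.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            report[name] = "missing"
        elif sha256_file(path) != digest:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report


def demo():
    """Constructed scenario: ps is replaced and su removed after baselining."""
    root = tempfile.mkdtemp()
    for n in WATCHED:
        with open(os.path.join(root, n), "wb") as f:
            f.write(b"original contents of " + n.encode())  # constructed stand-ins
    baseline = build_baseline(root)
    with open(os.path.join(root, "ps"), "wb") as f:
        f.write(b"replacement ps that omits a chosen process name")  # simulated tampering
    os.remove(os.path.join(root, "su"))
    return check_baseline(root, baseline)
```

The baseline must be stored off the host or on read-only media, since a machine whose ps or su is already trojanized cannot be trusted to report honestly about its own files.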


Directions in Trojan development:

1. Cross-platform: this mainly concerns windows systems. Trojan users naturally think that a Trojan usable on 95/98 is better still if it also works on NT and windows2000. On 95/98 you may not notice, but NT and windows2000 have the concept of privileges, which 95/98 lacks, so Trojans for NT and windows2000 need more advanced techniques, such as controlling processes; some current Trojans have indeed achieved this.

2. Modular design: modular design seems to be a trend, and winamp is the model example. Today's Trojans also have the concept of modular design; the excellent plug-ins appearing one after another for classic Trojans such as bo, netbus and sub7 illustrate this well.

3. Newer, stronger infection modes: the traditional technique of modifying ini files and the registry no longer meets the need for greater stealth, and the infection methods of many current Trojans have quietly begun to change. The earlier YAI incident gave us much to think about: it infected files under windows the way a virus does, and I think this has been very inspiring to Trojan designers.

4. Instant notification: has the Trojan been installed? Where is the target? If the victim uses a fixed IP, that is easy enough; but what if the target uses a dynamic IP? Scanning? Too slow. Today's Trojans already have instant notification features, such as notification via IRC or ICQ, but there are still too few of them. I do not use ICQ and do not always use IRC, but these features will become more complete in the future; perhaps one day the instant notification function of Trojans will become a dedicated piece of software.

5. Stronger and more numerous features: nobody is ever satisfied. Whenever a powerful feature appears, we expect an even more powerful one. What will the features of future Trojans be like? I am not sure either; they may well surprise everyone.

Well, having said all this, I only hope everyone now has a basic idea of what a Trojan is. Do not be afraid of it, but do not ignore it either.

Here I must still remind everyone: never casually run software from strangers; it may well be a Trojan.
