Trojan classic hiding place

Go down

Trojan classic hiding place

Post  Rynn on Wed Dec 05, 2007 12:12 am

木马是一种基于远程控制的病毒程序,该程序具有很强的隐蔽性和危害性,它可以在人不知鬼不觉的状态下控制你或者监视你。有人说,既然木马这么厉害,那我离它远一点不就可以了!
然而这个木马实在是淘气,它可不管你是否欢迎,只要它高兴,它就会想法设法地闯到你家中来的!哎呀,那还了得,赶快看看自己的电脑中有没有木马,说不定正在家中兴风作浪呢!那我怎么知道木马在哪里呢,相信不熟悉木马的菜鸟们肯定想知道这样的问题。下面就是木马潜伏的诡招,看了以后不要忘记采取绝招来对付这些损招哟!
1、集成到程序中
其实木马也是一个服务器-客户端程序,它为了不让用户能轻易地把它删除,就常常集成到程序里,一旦用户激活木马程序,那么木马文件和某一应用程序捆绑在一起,然后上传到服务端覆盖原文件,这样即使木马被删除了,只要运行捆绑了木马的应用程序,木马又会被安装上去了。绑定到某一应用程序中,如绑定到系统文件,那么每一次Windows启动均会启动木马。
2、隐藏在配置文件中
木马实在是太狡猾,知道菜鸟们平时使用的是图形化界面的操作系统,对于那些已经不太重要的配置文件大多数是不闻不问了,这正好给木马提供了一个藏身之处。而且利用配置文件的特殊作用,木马很容易就能在大家的计算机中运行、发作,从而偷窥或者监视大家。不过,现在这种方式不是很隐蔽,容易被发现,所以在Autoexec.bat和Config.sys中加载木马程序的并不多见,但也不能因此而掉以轻心哦。
3、潜伏在Win.ini中
木马要想达到控制或者监视计算机的目的,必须要运行,然而没有人会傻到自己在自己的计算机中运行这个该死的木马。当然,木马也早有心理准备,知道人类是高智商的动物,不会帮助它工作的,因此它必须找一个既安全又能在系统启动时自动运行的地方,于是潜伏在Win.ini中是木马感觉比较惬意的地方。大家不妨打开Win.ini来看看,在它的[windows]字段中有启动命令load=和run=,在一般情况下=后面是空白的,如果有后跟程序,比方说是这个样子:run=c:windowsfile.exe load=c:windowsfile.exe
这时你就要小心了,这个file.exe很可能是木马哦。
4、伪装在普通文件中
这个方法出现的比较晚,不过现在很流行,对于不熟练的windows操作者,很容易上当。具体方法是把可执行文件伪装成图片或文本----在程序中把图标改成Windows的默认图片图标, 再把文件名改为*.jpg.exe, 由于Win98默认设置是"不显示已知的文件后缀名",文件将会显示为*.jpg, 不注意的人一点这个图标就中木马了(如果你在程序中嵌一张图片就更完美了)。
5、内置到注册表中
上面的方法让木马着实舒服了一阵,既没有人能找到它,又能自动运行,真是快哉!然而好景不长,人类很快就把它的马脚揪了出来,并对它进行了严厉的惩罚!但是它还心有不甘,总结了失败教训后,认为上面的藏身之处很容易找,现在必须躲在不容易被人发现的地方,于是它想到了注册表!
的确注册表由于比较复杂,木马常常喜欢藏在这里快活,赶快检查一下,有什么程序在其下,睁大眼睛仔细看了,别放过木马哦:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion下所有以run开头的键值;HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion下所有以run开头的键值;HKEY-USERS.DefaultSoftwareMicrosoftWindowsCurrentVersion下所有以run开头的键值。
6、在System.ini中藏身
木马真是无处不在呀!什么地方有空子,它就往哪里钻!这不,Windows安装目录下的System.ini也是木马喜欢隐蔽的地方。还是小心点,打开这个文件看看,它与正常文件有什么不同,在该文件的[boot]字段中,是不是有这样的内容,那就是shell=Explorer.exe file.exe,如果确实有这样的内容,那你就不幸了,因为这里的file.exe就是木马服务端程序!另外,在System.ini中的[386Enh]字段,要注意检查在此段内的driver=路径\程序名,这里也有可能被木马所利用。
再有,在System.ini中的[mic]、[drivers]、[drivers32]这三个字段,这些段也是起到加载驱动程序的作用,但也是增添木马程序的好场所,现在你该知道也要注意这里喽。
7、隐形于启动组中
有时木马并不在乎自己的行踪,它更注意的是能否自动加载到系统中,因为一旦木马加载到系统中,任你用什么方法你都无法将它赶跑(哎,这木马脸皮也真是太厚),因此按照这个逻辑,启动组也是木马可以藏身的好地方,因为这里的确是自动加载运行的好场所。
动组对应的文件夹为:C:windowsstart menuprogramsstartup,在注册表中的位置:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer
ShellFolders Startup="C:windowsstart menuprogramsstartup"。要注意经常检查启动组哦!
8、隐蔽在Winstart.bat中
按照上面的逻辑理论,凡是利于木马能自动加载的地方,木马都喜欢呆。这不,Winstart.bat也是一个能自动被Windows加载运行的文件,它多数情况下为应用程序及Windows自动生成,在执行了Win.com并加载了多数驱动程序之后开始执行(这一点可通过启动时按F8键再选择逐步跟踪启动过程的启动方式可得知)。由于Autoexec.bat的功能可以由Winstart.bat代替完成,因此木马完全可以像在Autoexec.bat中那样被加载运行,危险由此而来。
9、捆绑在启动文件中
即应用程序的启动配置文件,控制端利用这些文件能启动程序的特点,将制作好的带有木马启动命令的同名文件上传到服务端覆盖这同名文件,这样就可以达到启动木马的目的了。
10、设置在超级连接中
木马的主人在网页上放置恶意代码,引诱用户点击,用户点击的结果不言而喻:开门揖盗!奉劝不要随便点击网页上的链接,除非你了解它,信任它,为它死了也愿意等等
avatar
Rynn
lvl 50
lvl 50

Posts : 314
Join date : 2007-12-03
Age : 29

View user profile http://psdc-b16ce.forumotion.com

Back to top Go down

Re: Trojan classic hiding place

Post  Fantasy on Wed Dec 05, 2007 7:47 pm

Trojan is a virus based on the remote control procedures, the program has a strong hidden nature and harmful, it can anybody knowing it in the people under your control or monitor you. Some people say that, since the Trojans so terrible, then I do not back away from it can be!
But this Trojan is "naughty", it can regardless of whether you welcome, as long as it pleased, it will seek to hacked you think "home" in the past! Wow, that How terrible hurry up and look at what we have in the computer Trojan, perhaps being "home" in stirring up trouble! Well, I know how Trojan, what is, I believe not familiar with the newbie sure Trojan want to know such a problem. Below is the Trojan hidden hand strokes and after do not forget to read the unique skills to deal with theseyo!
1, integrated into the process
In fact Trojan is also a server - client procedures, in order to prevent its users to easily delete it, often integrated into the process, once users activate Trojan program, a Trojan documents and applications bundled together, and then upload the server-side coverage original documents, even if this Trojan horse was deleted, as long as the Trojan running bundled applications, Trojan will be installed enhanced. Bundled with a particular application, such as bundled with system files, then activated every time Windows will be launched Trojan.
2, hidden in the configuration file
Trojan is too cunning, know菜鸟们peacetime use the graphical interface of the operating system, not those who are already most important configuration file is indifferent, this is to provide a Trojan horse hiding in it. Using configuration files and the special role, Trojans easily in everyone's computer will be able to run, attack, thereby peeping or monitor you. But for now, this method is not very subtle, easy to be found, so the Autoexec.bat and Config.sys loading Trojan program in the rare, but we must not be complacent, oh.
3, in hidden in the Win.ini
Trojan control, or if they want to reach the purpose of monitoring the computer must run, but no one will be stupid in their own computers run this damned Trojans. Of course, the Trojans have already psychologically prepared for the High IQ know that the human animal will not help it work, it must find a safe start in the system can run automatically, so is hidden in the Win.ini Trojan feeling relatively nice place. You may wish to open the Win.ini to look at, in its [windows] field in the start order "load =" and "run =" in normal circumstances "=" is behind the gap, if there heel procedures, for example that is like this: run = c: windowsfile.exe load = c: windowsfile.exe
Then you must be careful, this file.exe probably Trojan oh.
4, disguised in ordinary paper
This approach appears relatively late, but is now very popular, the windows for unskilled operators can easily fooled. The specific method is the executable file disguised as pictures or text - in the process of the default Windows icons into pictures icon, and then changed the name of the paper *. jpg.exe, since Win98 default is "not the documents show that the known suffix ", the document will be shown as *. jpg, do not pay attention to this point people in the Trojan on the icon (if you embedded in the proceedings of a picture even more perfect).
5, built-in to the registry
The above method for Trojan indeed uncomfortable for a while, neither was able to find it, can automatically run, really Satisfactory! But, the good time, a time when mankind has built it out of the马脚attempted, and it was harsh punishment! But it Afterward, summed up the lessons of failure, that the hideout of the above very easy to find, must now hiding was found not easy to place, so it I think of the registry!
Indeed registry of more complex, like Trojan often hidden in here happy to hurry up and check on, what are the procedures at its next, eyes wide open and carefully read, do not miss Trojan oh: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion under all to "run" the beginning of the keys ; HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion under all "run" the beginning of the keys; HKEY - USERS.DefaultSoftwareMicrosoftWindowsCurrentVersion under all "run" the beginning of the keys.
6, in hiding in System.ini
Trojan is everywhere! What are loopholes, where it fall in.! This is not, under the Windows installation directory Trojan System.ini is like hidden places. Or careful, open the file to see it and What is the difference between normal document in the document [boot] field, this is not the content, that is shell = Explorer.exe file.exe, if indeed there such contents, then you are unfortunate, because here is the Trojan server file.exe procedures! In addition, in System.ini in the [386 Enh] field, pay attention to check in the meantime with the "driver = path \ procedures were" here may also be exploited by Trojan.
Again, with the System.ini [mic], [drivers], [drivers32] these three fields, which is a load of the driver, but added Trojan program is a good venue, the now you know that we should pay attention to here喽.
7, stealth start in the group
Sometimes Trojans do not care about their whereabouts, it is even more attention to the system can automatically load, because once the Trojan horse loaded into the system, no matter how you how you can be it赶跑(hey, it also unabashedly called Trojan really thick), according to this logic, the group also launched Trojan can be a good place to hide, because here is indeed a good run automatically loading sites.
Dynamic Group for the corresponding folder: C: windowsstart menuprogramsstartup in the registry location:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer
ShellFolders Startup = "C: windowsstart menuprogramsstartup." Attention should be paid to carry out regular checks of activated Group Oh!
8, hidden in the Winstart.bat
According to the logic of the above theory, all conducive to automatically load the Trojan, Trojan like to stay. This is not, Winstart.bat is also a Windows will automatically load operation document which most cases for Windows applications and automatic generation, and in the implementation of the Win.com loaded after the majority of drivers started the implementation of (this point through the commencement of choice by the F8 key to start the process of gradually started tracking methods should be able to tell). As Autoexec.bat function can be replaced by Winstart.bat completed, it is entirely possible as Trojan in the Autoexec.bat as was the loading operation, the resulting risk.
9, tied up in the paper launched
That is, the start-up application configuration files, control-can use these documents to commence proceedings characteristics, will make a good start with an order of the same name Trojan file uploads to the server the same name covering this document so that it could achieve the purpose of launching a Trojan .
10, in connection installed in super
Trojan horse on the owner placed on the website of malicious code, luring the user clicks, the user clicks on the results of self-evident: Yi opened bootlegging! We advise Do not click on the website link, unless you understand it, trust it, it is also willing to die, etc.
avatar
Fantasy
lvl 10
lvl 10

Posts : 93
Join date : 2007-12-04
Age : 29
Location : Malaysia

View user profile http://b16ce.14.forumer.com/

Back to top Go down

Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum