TROJAN HORSE CNEXP GROUP6 PROJECT

什麼是木馬(TROJAN HORSE)? 木馬程式是一種以網路方式流傳和運作的惡意程式。 目的：這種程式主要目的就是窺視每台電腦中的機密，例如信用卡卡號、身分證字號、銀行帳號、各式帳號密碼等。 入侵方式：為了能夠順利入侵你的電腦，首先必須把一小程式植入你的電腦，再透過這個程式進行資料竊取。

偽裝：為了讓網路使用者渾然不覺的下載此後門程式，必須透過一些偽裝，譬如： 將程式藏在垃圾信中， 藏在遊戲的外掛程式裡， 也可能藏在養眼的清涼照片裡， 其他 讓你心甘情願的開啟，同時也被植入。 後果：重了木馬並不會因此而馬上當機或電腦爆炸，木馬會慢慢在電腦中潛伏，蒐集任何他有興趣的資料，因此並不是電腦的損害，而是個人隱私甚至是金錢的損失。

木馬的運作原理 基礎知識 運用client/server原理 Server:被監控端 (被植入木馬者) Client: 監控端 (植木馬的hacker) Server被植入的後門程式就是一個server.exe，等待Client的連結。

運作原理 配置木馬：木馬配置程式 運行木馬 觸發條件啟動 偽裝 資訊回饋：回饋方式以及位置 註冊表 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ HKEY_CLASSES_ROOT\文件類型\shell\open\command主鍵 WIN.INI SYSTEM.INI Autoexec.bat和Config.sys .*.INI 捆綁文件 啟動功能表

資訊洩漏 建立連線 收集server端資訊 透過E-MAIL，IRC或ICO的方式告知控制端用戶 Server端有安裝木馬程式 Server，Client都要在線上 Server:執行木馬程式，在某一Port上等待client連線 Client:確定server IP，Port，傳送connection request

遠端程式控制 當client與server建立連線後，client即可對server做以下動作： 竊取密碼 檔案操作 修改註冊表 系統操作

木馬的演進 一. ICMP木馬程式 Internet Control Message Protocol documented in RFC 792 delivered in IP packets Unreliable Some functions Announce network errors Announce network congestion Assist Troubleshooting Announce Timeouts Ex: ping

二. ICMP木馬程式原理剖析 ICMP通訊協定本身並沒有 port

三. 應對策略

一. DLL木馬程式 什麼是DLL?

myFunc(木馬) 寫在mydll.dll中 Ex2: 修改ieDll.dll 新的ieDll.dll 會做的兩件事 Drawback 隱藏在process 之後 Ex1: Rundll32 mydll.dll (Rundll32.exe Windows 內建的動態聯結檔工具) myFunc(木馬) 寫在mydll.dll中 Ex2: explorer.exe -> ieDll.dll 修改ieDll.dll 新的ieDll.dll 會做的兩件事 Drawback 修復安裝、安裝補丁、升級系統等方法都有 可能導致特洛伊DLL失效

應對策略 使用工具 不一定能結束異常的process Win2000 …/system32/dllcache存放著大量的DLL文件，若發現被保護的DLL文件被篡改（數字簽名技術），它就會自動從dllcache中恢復這個文件

Virus, Worm, and Trojan Virus – A virus is a program that can "infect" or "contaminate" other programs by modifying them to include a copy of itself. Worm – A worm is a subclass of virus. It is an independent program that replicates itself, crawling from machine to machine across network connections.

Trojan v.s Virus A Trojan horse program is not technically a virus. The key distinction between a virus and a Trojan horse program is that a Trojan horse program does not replicate itself, and it does not infect other files; it only destroys information on the hard disk.

Trojan v.s Worm A worm can propagate automatically without your help, and it often clogs networks as it spreads, often via e-mail. A Trojan horse program have to be "spread" via human engineering or by manually emailing them.

How do Top Hackers plant a Trojan?? Professional Hacker Would Not Directly Attack Networks or SCADA/DCS Systems in the U.S. Creates a Trojan That Will Allow Remote Control Plants Trojan in Zombie Host in the South Pacific Trojan “listens” for a specific string of characters in a chat room hosted in Europe (maybe even in another language) When Zombie finds a match on the set of characters, it then Automatically Begins Attacking Pre-Determined Sites and Systems 1. Hacker Determines that direct attack may be too risky 4. Hacker posts message on Chat Room UNIVERSITY 2. Plant Trojan in Zombie Host SCADA 3. Trojan is programmed to listen to Chat Room in Europe for a specific message string. CHAT ROOM 5. Trojan attacks Target Networks

How to detect trojan horse 1. Scan port Trojan horse based on TCP/UDP running Client/Server communication 2. monitor connection a. windows 下的 netstat –an C:\>netstat -an Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:113 0.0.0.0:0 LISTENING TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING UDP 0.0.0.0:69 *:* UDP 0.0.0.0:445 *:* UDP 0.0.0.0:4000 *:*

768 MSTask -> 1025 TCP E:\WINNT\system32\MSTask.exe b. 使用windows2000下的命令行工具 fport E:\software>Fport.exe Pid Process Port Proto Path 420 svchost -> 135 TCP E:\WINNT\system32\svchost.exe 8 System -> 139 TCP 8 System -> 445 TCP 768 MSTask -> 1025 TCP E:\WINNT\system32\MSTask.exe 8 System -> 1027 TCP 8 System -> 137 UDP 8 System -> 138 UDP 8 System -> 445 UDP 256 lsass -> 500 UDP E:\WINNT\system32\lsass.exe

C. Active Ports

3.check registration table HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (RunOnce ,RunServices, RunServicesOnce ) HKEY_CURRENT_USERS\Software\Microsoft\Windows\CurrentVersion\Run (RunOnce ,RunServices) 4.Use task manager Trojan horse is also a process CTL+ALT+DEL

5.win.ini [WINDOWS] may exist trojan horse shortcut Blank column for normal situation “run=c:windowsfile.exe “ “load=c:windowsfile.exe “ 6. system.ini [mci]、[drivers]、[drivers32] --- loading drivers [boot] shell=Explorer.exe file.exe [386Enh] driver=xxxxx

How to prevent trojan horse A. Beware of your mails Trojans may automatically spread themselves B. Never download blindly C. Patch your system periodically D. Beware of hidden file extensions “susie.jpg” may be “susie.jpg.exe “ E. Firewall, Anti-virus software, Anti-Trojan Program F. Cross your fingers or disconnect from Internet ?