What is a Trojan Horse?

A Trojan horse is an unauthorized remote-control program residing on a computer. The name is derived from the war between Greece and Troy in the 12th century BC. Because a Trojan horse program can open up system permissions, leak user information, and even take over full administrative control of the computer without the administrator noticing, it has become one of the tools most commonly used by hackers. [1]

It is a typical network virus: a new type of virus that enters the target machine covertly, collects and destroys the private information on it, and sends the collected information back to the attacker over the Internet. [1]
Chinese name: Trojan horse
Foreign name: Trojan Horse
Nature: computer virus
Provenance: Ancient Greek legend
Metaphor: Activities in ambush
Alias: Trojan horse, Trojan horse program

Trojan horse overview

A Trojan horse (Trojan for short) is an illegal program hidden in a system to carry out unauthorized functions. It is an attack tool commonly used by hackers: disguised as a legitimate program and implanted in the system, it poses a serious threat to computer network security. Unlike other malicious code, a Trojan does not aim to infect other programs and generally does not use the network to actively replicate and propagate. [2]
A Trojan horse is a remote-control program based on a C/S (client/server) structure. It is a type of malicious code hidden in legitimate programs; this code either performs malicious acts or provides a backdoor for unauthorized access to the privileged functions of the system. Using a Trojan generally involves two steps. First, the Trojan's server-side program is implanted remotely into the controlled machine over the network; then the Trojan program is run on the controlled machine through an installation program or a startup mechanism. Once the Trojan is successfully implanted, a control architecture based on the C/S structure is formed: the server program is located on the controlled machine and the client program on the controlling machine. [2]

Trojan horse development

Since the world's first Trojan horse program appeared (the PC-Write Trojan in 1986), Trojans have gone through 5 stages of development. [3]
Stage 1: Trojans appeared in the early days of the Internet; their main task was stealing network passwords. [3]
Stage 2: Trojans began to use the C/S architecture for remote control and monitoring. However, because the target computer in which the Trojan is embedded opens some ports, the Trojan can be discovered easily. [3]
Stage 3: Trojans changed the way they connect over the network. They are characterized by using the ICMP protocol to disguise their communication, and some also use deception techniques to achieve passive connections, so as to avoid being detected and removed by security software. [3]
Stage 4: Trojans adopted kernel-embedding methods, for example inserting DLL threads, hooking PSAPI, and disguising threads. [3]
Stage 5: Trojans made full use of virus-related technology, targeting the shortcomings and deficiencies of the Internet and of computer operating systems to penetrate the target computer or network and take control of the target, and could activate automatically, making them harder for users and security software to find. [3]

Trojan horse principle

A Trojan is essentially a client/server network program. Its working principle is that one host acts as the server and provides a service, while another host acts as the client and receives it. The server-side program usually opens a preset port and listens on it. When the client sends a connection request to this port, the corresponding program on the server side automatically runs to answer the client's request and provide the requested service. For a Trojan, the function-side program is installed on the attacked host and implements most of the Trojan's functions; all of the functions for controlling the attacked host are likewise concentrated on the server side. The Trojan's control-end program is usually installed on the attacker's host. It is used to control the function end and issue commands to it, so that the function-end program carries out the various remote-control functions the attacker intends.
Trojans have been competing with anti-virus software, firewalls and other defensive tools for several years, and the technology has improved step by step. The attack mode has also progressed from the earliest traditional attack mode to a mixture of the traditional attack mode, the rebound attack mode and the third-party intermediary attack mode.
The traditional attack mode is the one described above, in which the server opens a port and waits for a connection: the client first sends a connection request to establish a connection with the server, and then the attack is launched. This attack mode appeared earliest and is the most commonly used; most existing Trojans use it.
As people's security awareness improved, many computers were equipped with firewalls. Because a firewall's default rules prohibit connections initiated from outside to inside, the traditional attack mode cannot succeed, so Trojans evolved a new attack mode, the rebound attack mode. In this mode, the client first activates the server with legitimate packets, and then the server actively connects to the client, forming an inside-to-outside connection that the firewall does not prohibit; then the attack begins.
Because some attackers only need to pass a very small amount of control information, a further attack mode evolved to hide the attacker better and to prevent the attacker from being traced after the Trojan is discovered. In it, the server and the client do not connect to each other directly but exchange information through an intermediary: a mail server or a compromised machine controlled by the attacker. The client sends control information to the third-party intermediary; the server regularly fetches control information from the intermediary and places the stolen information there, and the client fetches it for itself. [1]

Trojan horse structure

A complete Trojan system consists of a hardware part, a software part, and a specific connection part. [3]
1. Hardware part. The hardware entities necessary to establish a Trojan connection: the control end, the server end, and the Internet. [3]
2. Software part. The software programs necessary to realize remote control: the control-end program, the Trojan program (which sneaks into the server end), and the Trojan configuration program. [3]
3. Specific connection part. This includes the control-end port, the Trojan port, and the network addresses. [3]

Trojan horse features

1. Concealment.
Concealment is a Trojan's most important feature. If a Trojan cannot hide well in the target computer or network, it will be found and removed by users or security software and will not survive. [3]
2. Automatic operation.
A Trojan must be a program that starts and runs automatically, so it may embed itself in startup configuration files or in the registry. [3]
3. Deceptiveness.
To avoid being detected and removed by users or security software, Trojans often disguise themselves with the icons of ordinary files, system components or programs, and their names are often disguised as ordinary file or program names, such as win, dll, sys, and so on. [3]
4. Stubbornness.
Once a Trojan is found, it is in danger of being removed. Some Trojans can stay hidden while users or security software try to remove them, and so escape removal. [3]
5. Easy to implant.
The precondition for a Trojan to achieve its control or monitoring purpose is to get into the target computer, so a Trojan must be able to enter the target computer without being noticed. [3]
The analysis of these characteristics shows that Trojans place great importance on the ability to hide and the ability to infect, and that they have absorbed worm technology. [3]

Trojan horse functions

Current Trojans can do essentially anything that can be done on the local computer. The Trojan's control end can operate the remote computer just as a local user would. The functions of a Trojan can be summarized as follows. [2]
1. Steal user files.
The Trojan lurks in the target computer and, when it comes across a file of interest, transfers that file to a preset destination without the user noticing. [2]
2. Accept the instructions of the Trojan releaser.
Once a Trojan infects a server on the Internet, it will steal higher privileges and control and monitor, at will, the data and accounts passing through the server. [2]
3. Tamper with files and data.
The Trojan modifies system files and data as instructed, causing errors in the target computer's data and files and leading to wrong decisions. [2]
4. Delete files and data.
The Trojan randomly deletes files and data from the target computer's operating system. [2]
5. Release viruses.
The Trojan activates a virus lurking in the target computer's operating system, or downloads a virus to the target computer system to infect it. [2]
6. Make the system self-destruct.
This includes changing the clock frequency, causing the chip to suffer thermal breakdown and damage, resulting in system paralysis. [2]

Trojan horse types

1. Destructive
Its only function is to destroy and delete files. It can automatically delete important files on the computer such as DLL, INI and EXE files. [4]
2. Password sending type
It can find hidden passwords and send them to a specified mailbox. Some people like to store their various passwords on the computer as a file, thinking it convenient; others like to use the password memory function provided by Windows so that they do not have to enter the password every time. Much hacking software can find these files and send them to hackers. Some hacking software also lies dormant for a long time, recording the operator's keystrokes and looking for useful passwords. [4]
3. Remote access
The most widespread type is the remote access Trojan. As long as someone runs the server program and the client knows the server's IP address, remote control can be achieved. Such a program can observe what the "victim" is doing. Of course, it can also be put to legitimate use, such as monitoring the operation of student computers. [4]
4. Keylogger Trojan
This type of Trojan is very simple. It does only one thing: record the victim's keystrokes and look for passwords in the log file. It starts when Windows starts and offers online and offline recording options; as the names suggest, these record the keys you press while online and while offline respectively. In other words, whoever planted the Trojan knows which keys you have pressed, and from them can easily obtain useful information such as your passwords or even your credit card number. For this type of Trojan, a mail-sending function is of course also essential. [4]
5. DoS attack Trojan
As DoS attacks become more widely used, Trojans used for DoS attacks are becoming more and more popular. When an attacker compromises a machine and plants a DoS attack Trojan on it, that computer becomes a helper for the attacker's future DoS attacks. The harm of this Trojan therefore does not show on the infected computer itself; it lies in the attacker's ability to use it to attack one computer after another, causing great harm and loss to the network. [4]
There is also a Trojan similar to the DoS type called the mail bomb Trojan. Once a machine is infected, the Trojan randomly generates letters on various topics and sends mail to a specific mailbox continuously until the recipient is paralyzed and unable to accept mail. [4]
6. Proxy Trojan
It is very important for hackers to cover their tracks while intruding and to prevent others from discovering their identity. The most important task of a proxy Trojan is therefore to be planted on a compromised machine and turn it into a springboard from which the attacker launches attacks. [4]
7. FTP Trojan
This is probably the simplest and oldest Trojan. Its only function is to open port 21 and wait for users to connect. Newer FTP Trojans also add a password function, so that only the attacker knows the correct password and can get into the other computer. [4]
8. Program killer Trojan
Although the Trojans above have various functions, to do their work on the other machine they must get past anti-Trojan software. The function of the program killer Trojan is to shut down such programs running on the other machine so that other Trojans can work better. [4]
9. Rebound port type Trojan
After analyzing the characteristics of firewalls, Trojan developers found that firewalls often filter incoming connections very strictly but are lax about outgoing connections. Therefore, contrary to ordinary Trojans, the server (controlled end) of a rebound port type Trojan uses an active port, and the client (control end) uses a passive port. The Trojan periodically checks for the presence of the control end; when it finds the control end online, it immediately opens a port and actively connects to the port opened by the control end. For concealment, the passive port of the control end is generally opened at 80, so that even if users check their own ports with scanning software, a little carelessness will lead them to think they are just browsing the web. [4]

Trojan horse hiding methods

1. Hide in the taskbar
This is the most basic way to hide. If an inexplicable icon appears in the Windows taskbar, anyone will understand what is going on. Hiding from the taskbar is easy to achieve in programming. [5]
2. Hide in the task manager
The easiest way to view running processes is the task manager that appears when you press Ctrl + Alt + Del. If a Trojan can be seen running after you press Ctrl + Alt + Del, it is definitely not a good Trojan. A Trojan will therefore do everything possible to camouflage itself so that it does not appear in the task manager. Trojans have found that setting themselves up as a "system service" easily deceives it. [5]
3. Port
A machine has 65536 ports. Will you pay attention to so many ports? Trojans pay attention to your ports. With a little attention, it is not hard to see that most Trojans use ports above 1024, and that this trend is increasing. There are of course Trojans that occupy ports below 1024, but these are commonly used ports, and occupying them may cause the system to malfunction, in which case the Trojan is easily exposed. [5]
4. Hide communication
Hiding communication is also one of the methods Trojans often use. After any Trojan runs, it must communicate with the attacker, either through an immediate connection, such as the attacker directly accessing the Trojan-implanted host through the client, or through indirect communication, such as the Trojan sending sensitive information to the attacker by email. After occupying a host, most Trojans reside on high ports above 1024 that are not easily noticed. Some Trojans choose commonly used ports such as 80 and 23. One very advanced kind of Trojan can even occupy HTTP port 80: when it receives a normal HTTP request, it hands the request to the web server for processing as usual, and only when it receives certain specially agreed data packets is the Trojan program invoked. [5]
5. Cooperative hiding
As the name implies, cooperative hiding means that a group of Trojans cooperate with each other to achieve stronger hiding ability. Harold Thimbleby [6] and others proposed a model framework for Trojan horse programs. From a macro perspective, this framework broke away from the single-technique nature of traditional hiding technologies, and it has been developed continuously since. Later, Mei Denghua et al. [14] combined multi-agent technology with Trojan horse technology and proposed a multi-agent-based Trojan horse technology. Kang Zhiping and others [14] proposed a multi-threaded and many-to-many structure. [6]
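The port behaviour described under "Port" and "Hide communication" above, together with the traditional (listening) and rebound (outbound to port 80) connection modes described earlier, can be checked from a connection listing. The following Python code is an added example, not part of the original article; the `netstat -ano` sample, the expected-listener set and the browser PID set are constructed assumptions for one hypothetical host.

```python
import re

# Constructed sample of Windows `netstat -ano` output (documentation-range addresses).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2764
  TCP    0.0.0.0:40123          0.0.0.0:0              LISTENING       2212
  TCP    192.0.2.10:49712       198.51.100.7:80        ESTABLISHED     3120
  TCP    192.0.2.10:49801       203.0.113.5:80         ESTABLISHED     2212
  TCP    192.0.2.10:49850       198.51.100.9:443       ESTABLISHED     3120
"""

# Assumptions about this host: listeners that are expected, and PIDs known to be browsers.
EXPECTED_LISTENERS = {135, 445}
BROWSER_PIDS = {3120}
WEB_PORTS = {80}

LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per TCP row; header and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        laddr, lport, raddr, rport, state, pid = m.groups()
        rows.append({"laddr": laddr, "lport": int(lport), "raddr": raddr,
                     "rport": int(rport), "state": state, "pid": int(pid)})
    return rows


def audit(rows, expected_listeners, browser_pids, web_ports=WEB_PORTS):
    """Flag what the text describes: unexpected listeners (traditional mode)
    and outbound connections to a web port from a non-browser (rebound mode)."""
    findings = []
    for r in rows:
        if r["state"] == "LISTENING" and r["lport"] not in expected_listeners:
            kind = "listener-low-port" if r["lport"] < 1024 else "listener-high-port"
            findings.append((kind, r["lport"], r["pid"]))
        elif (r["state"] == "ESTABLISHED" and r["rport"] in web_ports
              and r["pid"] not in browser_pids):
            findings.append(("outbound-web-nonbrowser", r["rport"], r["pid"]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_netstat(SAMPLE_NETSTAT), EXPECTED_LISTENERS, BROWSER_PIDS):
        print(finding)
```

A PID that appears both as an unexpected listener and as a non-browser client of port 80 (2212 in the sample) is the first process to examine.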

Trojan horse camouflage methods

1. Modify the icon
The icons used by the Trojan server are also carefully chosen. Trojans often deliberately disguise themselves with XT.HTML and other file icons that you may think do little harm to the system, which easily entices you to open them. [5]
2. Bundled files
This camouflage method binds the Trojan to an installer. When the installer runs, the Trojan secretly enters the system without the user's awareness. The bundled files are generally executable files (i.e., files such as EXE and COM). [5]
3. Error display
People with some knowledge of Trojans know that if you open a file and nothing happens, it is probably a Trojan program. Trojan designers are also aware of this flaw, so there are already Trojans that provide a feature called error display. When the server user opens the Trojan program, an error prompt box pops up (which is of course fake). The error content can be freely defined, and most are customized into messages such as "File is damaged and cannot be opened!" While the server user believes the message, the Trojan quietly invades the system. [5]
4. Self-destruction
This feature compensates for a flaw in Trojans. When the server user opens a file containing a Trojan, the Trojan copies itself to the Windows system folder (the C:\windows or C:\windows\system directory). Generally speaking, the source Trojan file and the Trojan file in the system folder are the same size (except for Trojans bundled with other files). The person who has received the Trojan therefore only needs to find the source Trojan file among the letters received and the software downloaded, then look in the system folder for a file of the same size to determine which file is the Trojan. The self-destruction function means that the source Trojan file is automatically destroyed after the Trojan is installed, so that it is difficult for the server user to find the source of the Trojan. Without the help of a Trojan-removal tool, the Trojan is then difficult to delete. [5]
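The size-matching check described under "Self-destruction" can be automated while the source file is still available. The following Python code is an added example, not part of the original article; it goes one step beyond the text by confirming each same-size candidate with a SHA-256 comparison, and the file names and the demo directory tree are constructed. As the text notes, it does not apply to Trojans bundled with other files, whose installed copy differs in size from the source.

```python
import hashlib
from pathlib import Path


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_installed_copies(source_file, system_dir):
    """Return (same_size, identical): files under system_dir whose size matches
    the suspect source file, and the subset whose content is byte-identical."""
    source = Path(source_file)
    size = source.stat().st_size
    digest = sha256_of(source)
    same_size, identical = [], []
    for p in sorted(Path(system_dir).rglob("*")):
        try:
            if not p.is_file() or p.stat().st_size != size:
                continue
            if p.resolve() == source.resolve():
                continue  # the source itself, if it lives under system_dir
            same_size.append(p)
            if sha256_of(p) == digest:
                identical.append(p)
        except OSError:
            continue  # locked or unreadable file: skip it and keep scanning
    return same_size, identical


def build_demo_tree(root):
    """Constructed sample: a 'downloaded' file and a stand-in system folder."""
    root = Path(root)
    sysdir = root / "system"
    sysdir.mkdir(parents=True)
    payload = b"constructed sample bytes " * 40
    download = root / "download" / "setup_game.exe"
    download.parent.mkdir()
    download.write_bytes(payload)
    (sysdir / "kernel_helper.exe").write_bytes(payload)       # identical copy, new name
    (sysdir / "readme.txt").write_bytes(b"x" * len(payload))  # same size, other content
    (sysdir / "driver.sys").write_bytes(b"y" * 10)            # different size
    return download, sysdir


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        src, sysdir = build_demo_tree(d)
        same, ident = find_installed_copies(src, sysdir)
        print("same size:", [p.name for p in same])
        print("identical:", [p.name for p in ident])
```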

Trojan horse prevention strategy

1. Do not execute software of unknown origin
Most Trojan viruses spread by being bound to other software; once that software is run, the computer is infected. It is therefore generally recommended to download application software from reputable sites, to check it with anti-virus software before installing it, and to use it only after confirming that it is free of viruses. [7]
2. Don't open email attachments casually
Most Trojan viruses are delivered through email, and some of them go on to spread in a chain, so special care should be taken when handling email attachments. [7]
3. Choose different mail client software
Many Trojan viruses mainly infect the Outlook and Outlook Express mail clients. If you choose other email software, the possibility of being attacked by a Trojan is reduced. In addition, accessing the mailbox through the Web can also reduce the probability of infection with a Trojan. [7]
4. Use shared folders as little as possible, or not at all
Unless work requires it, use shared folders as little as possible or not at all. Be careful not to share the system directory. Cut off the spread of Trojan programs through multiple channels. [7]
5. Real-time monitoring
The best approach is to use existing Trojan-removal tools for real-time monitoring. At the same time, it is also necessary to keep Trojan-removal programs and anti-virus software constantly updated, and to install software tools such as firewalls to make your computer relatively secure. [7]

Trojan horse post-infection measures

1. Change all account names and passwords immediately, such as those for dial-up connections, ICQ, mIRC, FTP, your personal site, free email addresses, etc. Wherever a password is required, change it as soon as possible. [5]
2. Delete everything on your hard drive that was not there originally. [5]
3. Scan the hard disk once for viruses. [5]
4. If conditions permit, reinstall the system or replace the hard disk outright after copying the data. [5]

Trojan horse removal

When deleting a Trojan, you must first disconnect from the network and then delete it using the appropriate method. [7]
1. Remove through the Trojan's client program
Find the suspicious file in the win.ini or system.ini file to determine the name and version of the Trojan, then find the corresponding client program on the network, download and run it, and fill in the local computer's address and port number in the corresponding fields of the client program. This establishes a connection with the Trojan program, which can then be deleted with the client's function for deleting the Trojan server. [7]
2. Manual deletion
Use Msconfig to open the system configuration utility, and edit Win.ini, system.ini, and the startup items to block illegitimate startup items. Use regedit to open the registry editor and edit the registry. First find the Trojan's program name by the method above, then search the entire registry and delete all of the Trojan's entries. From the Trojan's registry entries, work out the location of the Trojan file on the hard disk and delete it. After restarting, use the above methods again to check the system and make sure that the Trojan has indeed been deleted. [7]
3. Tool removal
The two methods above are not easy for non-professionals, but there are now many very good Trojan-removal tools, which you can download or purchase according to your needs. Deleting with a tool avoids the tedious operations, which are carried out entirely by the software itself. [7]
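The first step of both manual methods is finding the suspicious entry in win.ini or system.ini. The following Python code is an added example, not part of the original article: it lists the autostart values in the `[windows]` section of win.ini (`load=`, `run=`) and the `[boot]` section of system.ini (`shell=`), treating any shell value other than Explorer.exe as suspicious. The sample file contents and the program names in them are constructed.

```python
# Autostart keys in the legacy Windows INI files, as (file, section) -> keys.
AUTOSTART_KEYS = {
    ("win.ini", "windows"): ("load", "run"),
    ("system.ini", "boot"): ("shell",),
}
EXPECTED_SHELL = "explorer.exe"

# Constructed samples, not taken from a real host.
SAMPLE_WIN_INI = r"""; constructed sample
[windows]
load=
run=C:\WINDOWS\SYSTEM\sysmon32.exe
NullPort=None
"""

SAMPLE_SYSTEM_INI = r"""; constructed sample
[boot]
shell=Explorer.exe msagent32.exe
system.drv=system.drv
[386Enh]
device=*vshare
device=*dynapage
"""


def autostart_entries(ini_name, text):
    """Yield (section, key, value, line_number) for each autostart key found.
    Parsed by hand because these files repeat keys and contain bare lines."""
    wanted = {sec: keys for (name, sec), keys in AUTOSTART_KEYS.items()
              if name == ini_name.lower()}
    section, found = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and key in wanted.get(section, ()):
            found.append((section, key, value.strip(), lineno))
    return found


def suspicious(ini_name, text):
    """Return (file, line, key, program) for every program an autostart key would
    launch, except the normal shell. Assumes paths without embedded spaces."""
    flagged = []
    for _section, key, value, lineno in autostart_entries(ini_name, text):
        programs = value.replace(",", " ").split()
        if key == "shell":
            programs = [p for p in programs if p.lower() != EXPECTED_SHELL]
        for prog in programs:
            flagged.append((ini_name, lineno, key, prog))
    return flagged


if __name__ == "__main__":
    for name, text in (("win.ini", SAMPLE_WIN_INI), ("system.ini", SAMPLE_SYSTEM_INI)):
        for hit in suspicious(name, text):
            print(hit)
```

Every flagged program still has to be judged by hand, since legitimate software also used these keys.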

Trojan horse development trends

1. Trojans will become better hidden. The growing number of security programs capable of removing Trojans challenges their concealment, and Trojans must pay more attention to concealment if they are to survive. [3]
2. Trojans will have instant communication capability. The use of dynamic network addresses on the Internet is increasing, in which case a Trojan may be unable to transmit information to a destination set in advance. The Trojan must therefore establish an instant communication line with the transmission destination. [3]
3. Trojans will have the ability to update themselves. To cope with constantly updated anti-Trojan security software, Trojans must also be able to update themselves. [3]
4. Trojans will continue to integrate some worm and virus technologies to enhance their ability to spread and survive. [3]
