Quietly telling you how hackers plant a Trojan horse on your system - Vulnerability warning - the Black Bar Safety Net

ID MYHACK58:62200613422
Type myhack58
Reporter 佚名 (anonymous)
Modified 2006-12-26T00:00:00


Many readers will have heard of Trojans and feel that they are mysterious and difficult. In fact, as Trojan software has become more sophisticated, many attackers can achieve their goal with very little effort. In this article the author uses one of the latest Trojans, Black Hole 2004, to introduce the characteristics of Trojans to network enthusiasts from four angles: planting, use, hiding and prevention. One reminder: when working with Trojan programs, turn off the system's antivirus software first, because antivirus software treats the Trojan as a virus and removes it.


I. Planting the Trojan

Most Trojans in circulation today use a client/server (C/S) structure. To control another computer with a Trojan, you first have to plant and run the server-side program on the target computer; you then run the client program on your own PC, connect to the target computer and control it.

II. Using the Trojan

Once the server side has been implanted on someone else's machine, you have to wait patiently for it to come online. Because Black Hole 2004 uses reverse-connection technology, the server side automatically connects to the client as soon as it is online, and from then on the client can remotely control the server. In the Black Hole 2004 list, select a computer that is already online and use the command buttons above the list to control it. The commands are briefly introduced below.

File management: once the server side is online, the "file management" command lets you download, create, rename and delete files on the server computer. Files and folders can be dragged and dropped directly onto the destination folder, and resumable (breakpoint) transfers are supported. Simple, isn't it?

Process management: view, refresh and terminate processes on the remote machine. If an antivirus program or firewall is found running, its process can be terminated to protect the server-side program.

Window management: manage the program windows on the server computer; a window can be maximized, minimized, restored or closed, which is more flexible than process management. It also allows for pranks, such as keeping a window bouncing between maximized and minimized.

Video surveillance and voice monitoring: if the remote computer has a USB webcam, its images can be captured and saved directly as an MPEG file that Media Player can play; if the remote machine has a microphone, the conversations around it can be heard as well. Frightening, isn't it?

Besides the functions described above, the Trojan also includes a keylogger, restart, shutdown, remote uninstall, screen capture and password viewing. Operation is very simple; being a "hacker" of this kind is really not hard.

III. Hiding

As antivirus signature databases are updated, a Trojan is soon detected and removed by antivirus software. To keep the server side hidden on someone's computer for a long time, several approaches are available.

1. Trojan self-protection

As mentioned above, when Black Hole 2004 builds the server side, the user can replace its icon and have it automatically compressed with UPX so that it is harder to recognize.

2. Bundling the server side

A file binder is used to bundle the Trojan server side together with a normal file in order to deceive the other party. File binders include Guangwai File Binder 2002 (from Guangdong University of Foreign Studies), the Universal File Binder, exeBinder, Exe Bundle and others.

3. Preparing your own server side

The methods above can hide the Trojan from antivirus software for a while, but in the end it is still detected. A more lasting approach is to disguise an existing Trojan so that antivirus software cannot recognize it, by using an EXE/DLL compression tool to pack ("shell") the server side. UPX, for example, is a compression tool, but by default Black Hole compresses the server side with a fixed set of UPX options, so every generated server looks the same and is soon recognized by antivirus software. If you compress the server side yourself you can choose different options, producing a file that differs from the usual server and is harder for the scanner to judge. Note that this only works against scanners that match signatures on the packed bytes; a scanner that unpacks or emulates the binary before scanning is not fooled. Below, using Glacier (冰河) as an example, I briefly explain unpacking (removing the shell) and repacking (adding a shell).

If we scan Glacier with antivirus software, two viruses are certainly found: one is the Glacier client, the other is the server. Using "PEiD" to check whether the author packed the server side shows that it has been compressed with UPX.

Now we only need to unpack the server side, which is a decompression step. Here I use "UPXUnpack": select the file and click "unzip" to start unpacking.

Once unpacking is complete, the server side needs a new shell. There are many packers, such as ASPack, ASProtect, UPXShell, Petite and so on. Taking "ASPack" as an example, click the "Open" button, select the server program you just unpacked, and ASPack automatically packs it. Scanning the server side again, the antivirus software can no longer identify it. If your antivirus software still reports a virus, you can pack the server several times with several different packers. I packed the server side twice, with Petite and then ASPack, and several antivirus products I tried failed to detect it. Many of the "XX edition" Glacier variants circulating on the network are made exactly this way: users modify and repack the server side.
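The check a defender runs against such a repacked server is the same one PEiD performs in the steps above, only without depending on a signature for each packer. The Python script below is an added example for this article, not code from the article or from Black Hole or Glacier: it parses the PE section table and reports two generic packing indicators, section names that UPX, ASPack and Petite leave behind (the name list is an assumption) and sections whose byte entropy is close to 8 bits per byte, which compressed code has and plain x86 code does not (the 7.0 threshold is an assumption). The PE image it inspects by default is constructed in memory so the script runs offline; real files can be passed on the command line.

```python
"""Inspect a PE file for signs of packing: packer section names and
high-entropy sections. Added example for this article, not the article's
own code nor part of Black Hole or Glacier. The section-name list and the
entropy threshold are assumptions; the sample PE image is constructed."""
import hashlib
import math
import struct
import sys
from collections import Counter

# Assumption: section names commonly left behind by the packers the article names.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}
HIGH_ENTROPY = 7.0  # bits per byte; assumed threshold, plain x86 code is usually ~5-6.5


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the ceiling reached by compressed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_offset, raw_size) for each section header in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    first = coff + 20 + opt_size              # section table follows the optional header
    for i in range(nsections):
        off = first + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, raw_ptr, raw_size


def inspect(image: bytes) -> dict:
    """Per-section findings plus an overall verdict."""
    sections, packed = [], False
    for name, ptr, size in pe_sections(image):
        ent = shannon_entropy(image[ptr:ptr + size])
        reasons = []
        if name in PACKER_SECTION_NAMES:
            reasons.append("packer section name")
        if size and ent >= HIGH_ENTROPY:
            reasons.append("high entropy")
        packed = packed or bool(reasons)
        sections.append({"name": name, "size": size, "entropy": round(ent, 2), "reasons": reasons})
    return {"sections": sections, "likely_packed": packed}


def build_sample_pe(section_specs) -> bytes:
    """Construct a minimal PE image (DOS header, PE signature, COFF header, no
    optional header, section table, section data). Test fixture only; it is
    not a runnable executable."""
    e_lfanew, opt_size = 0x40, 0
    data_start = e_lfanew + 4 + 20 + opt_size + 40 * len(section_specs)
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x102)
    headers, body, ptr = bytearray(dos + b"PE\0\0" + coff), bytearray(), data_start
    for name, data in section_specs:
        headers += struct.pack("<8sIIIIIIHHI", name.encode("latin-1").ljust(8, b"\0"),
                               len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    return bytes(headers + body)


# Constructed section contents: repetitive bytes (entropy exactly 4.0) versus
# hash output standing in for compressed code (entropy close to 8.0).
SAMPLE_LOW = bytes(range(16)) * 64
SAMPLE_HIGH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
SAMPLE_PACKED = build_sample_pe([(".text", SAMPLE_LOW), ("UPX1", SAMPLE_HIGH)])
SAMPLE_PLAIN = build_sample_pe([(".text", SAMPLE_LOW), (".data", SAMPLE_LOW)])

if __name__ == "__main__":
    images = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE_PACKED, SAMPLE_PLAIN]
    for image in images:
        report = inspect(image)
        for s in report["sections"]:
            print(f'{s["name"]:<8} {s["size"]:>8} bytes  entropy {s["entropy"]:.2f}  {", ".join(s["reasons"])}')
        print("likely packed:", report["likely_packed"])
```

Repacking with ASPack or Petite changes the section names but not the entropy signal, which is why the verdict keys on both; a high-entropy verdict is an indicator to unpack and look closer, not proof of malice, since plenty of legitimate software ships UPX-compressed.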

To keep users unfamiliar with the Trojan from operating the server side by mistake, popular Trojans today do not ship a separate server program; instead the user generates the server side from their own settings, and Black Hole 2004 is no exception. First run Black Hole 2004 and click the "Functions / Generate server side" command to open the "Server configuration" window. Because Black Hole 2004 uses bounce technology (see the note at the end of this article), first click the "View" button next to the domain field and, in the pop-up window, set up a new domain name: enter the web-space account name and password you applied for beforehand and click "Domain registration"; the window below shows the result of the registration. Once the domain is registered, return to the "Server configuration" window and fill in the domain you just applied for, the "online display name", the "registry startup name" and the other items. To confuse the victim, click the "Change server-side icon" button and pick an icon for the server. When all settings are done, click "Generate EXE server side" to generate it. At the same time the software automatically compresses the server side with UPX to help hide it.

With the server side generated, the next step is to plant it on someone else's computer. Common methods are: break into the target computer through a system or software vulnerability and plant the server side on it; send the server side as an e-mail attachment; or disguise the server side and place it in a shared folder on P2P software such as PP点点通 or 百宝, so that unsuspecting users download and run it.

Since this article is aimed at ordinary network enthusiasts, we use the relatively simple e-mail method as the example, with the Flash animations everyone sees so often. Create a folder named "nice animation" and inside it a folder named "动画.files". Put the Trojan server program into that folder; assume it is called "abc.exe". Then create a Flash file in the folder. On frame 1 of the Flash file enter the text "Your player plug-in is incomplete; click the button below, then click Open to install the plug-in", create a new button component, drag it onto the stage, open the Actions panel and enter

on (press) { getURL("动画.files/abc.exe"); }

which runs abc.exe when the button is clicked. In the "nice animation" folder create a new web page named "动画.htm" and embed the animation in it. See the trick? A web page saved from a site is normally an .htm file plus a folder ending in .files, and we build the same structure to confuse whoever opens it; after all, few people look inside a .files folder. Now compose a new message, compress the "nice animation" folder into an archive, attach it, and write an enticing subject. As long as the other party is persuaded to run it and then restarts the system, the server side has been planted successfully.
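The layout above is easy to recognize from the receiving side: an executable sitting inside a "*.files" asset folder of a saved web page, with a sibling Flash movie or HTML file naming it. The following Python script is an added example, not code from the article: it builds such a zip attachment in memory (the file names mirror the lure, the contents are invented placeholder bytes, and an uncompressed FWS-format Flash movie stores its getURL target as plain text, which is what the reference check relies on), then reports every executable entry, whether it hides in a .files folder, and which other entries refer to it.

```python
"""Flag executables hidden in a 'saved web page' layout inside a zip
attachment. Added example for this article, not the article's own code.
The zip below is constructed in memory to mirror the lure described above;
its file names are the article's, the file contents are invented placeholders."""
import io
import sys
import zipfile

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_lure_zip() -> bytes:
    """Constructed fixture: 动画.htm beside a 动画.files folder that carries
    the 'player plug-in' executable and an uncompressed SWF referencing it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("nice animation/动画.htm",
                   '<html><body><embed src="动画.files/flash.swf"></body></html>')
        # An uncompressed (FWS) Flash movie keeps its getURL target in clear text.
        z.writestr("nice animation/动画.files/flash.swf",
                   b"FWS\x06" + b"\x00" * 8 + "getURL:动画.files/abc.exe".encode("utf-8") + b"\x00")
        z.writestr("nice animation/动画.files/abc.exe", b"MZ" + b"\x00" * 62)  # placeholder, not a real PE
    return buf.getvalue()


def executable_entries(zip_bytes: bytes):
    """Return findings for every executable entry: whether it sits in a
    *.files folder (where a saved web page keeps its assets) and which
    non-executable entries mention its file name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        for name in names:
            if not name.lower().endswith(EXECUTABLE_SUFFIXES):
                continue
            parts = name.split("/")
            base, parent = parts[-1], (parts[-2] if len(parts) > 1 else "")
            referenced_by = [o for o in names
                             if o != name and not o.lower().endswith(EXECUTABLE_SUFFIXES)
                             and base.encode("utf-8") in z.read(o)]
            findings.append({"path": name,
                             "in_files_dir": parent.lower().endswith(".files"),
                             "referenced_by": referenced_by})
    return findings


def verdict(findings) -> str:
    """Escalate when an executable hides in a .files folder and something else
    in the archive points at it: that is the lure pattern, not a stray tool."""
    if any(f["in_files_dir"] and f["referenced_by"] for f in findings):
        return "block"
    return "review" if findings else "allow"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_lure_zip()
    found = executable_entries(data)
    for f in found:
        flag = "(in .files folder)" if f["in_files_dir"] else ""
        print(f["path"], flag, "referenced by", f["referenced_by"])
    print("verdict:", verdict(found))
```

The reference check is a plain substring search, so a compressed (CWS) Flash movie would have to be inflated first; the folder-placement check alone is still worth alerting on, since a genuinely saved web page never contains executables in its .files folder.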

IV. Prevention

Prevention is better than cure. Even while there is no Trojan on our computer, there is a lot of necessary work to do: install antivirus software and a network firewall; update the virus database and apply system security patches promptly; back up the files on the hard disk regularly; and do not run software or open mail from unknown sources.

Finally, a reminder: besides their powerful remote-control functions, Trojans are also highly destructive. We study them only to understand their techniques and methods, not to steal passwords or cause damage, and I hope readers understand this.


Note: bounce technology. This technique solves the problem that traditional remote-control software cannot reach and control a remote computer that sits behind a firewall or inside a LAN. The principle of bounce-port software is as follows: the client (the controller) first logs in to the FTP server of its web space, edits a file there whose location was preset in the Trojan, and opens a listening port to wait for the server side to connect; the server side periodically reads that file over HTTP, and when it finds that the client has started and wants a connection, it connects out to the client itself, completing the connection.

This means a LAN computer that reaches the Internet through NAT (a transparent proxy) can still be controlled, passing through the firewall. Unlike traditional remote-control software, the server side of bounce-port software takes the initiative to connect to the client, and the client usually listens on port 80, the port used for web browsing. Even if the user checks ports at the command prompt with "netstat -a", what appears is something like "TCP UserIP:3015 ControllerIP:http ESTABLISHED"; a slightly careless user will take it for their own web browsing, and so will the firewall. So, in contrast with conventional software, the bounce-port server actively connects to the client and easily defeats the firewall's restrictions.
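The netstat line quoted above is indistinguishable from browsing only as long as nobody asks which process owns it. The Python script below is an added example, not code from the article: it parses the output of `netstat -ano` (the `-o` column gives the owning PID, `-n` keeps ports numeric instead of "http") and `tasklist /fo csv /nh`, both standard Windows commands, and lists established connections to web ports whose owning image is not a browser. The command output embedded in the script is constructed to look like Windows XP output; the addresses, PIDs and process names are invented, and the browser allowlist is an assumption for the example.

```python
"""Correlate `netstat -ano` with `tasklist` to find established connections to
web ports owned by processes that are not browsers, the trace a bounce-port
Trojan leaves behind. Added example for this article, not the article's own
code. The command output below is constructed to look like Windows XP output;
addresses, PIDs and process names are invented. The browser allowlist is an
assumption for the example."""
import csv
import io
import re
import subprocess
import sys

WEB_PORTS = {80, 443}
BROWSER_IMAGES = {"iexplore.exe", "firefox.exe", "opera.exe"}  # assumption

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:3015       203.0.113.10:80        ESTABLISHED     1724
  TCP    192.168.1.5:3022       198.51.100.7:80        ESTABLISHED     2048
  TCP    192.168.1.5:3031       198.51.100.7:443       ESTABLISHED     2048
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_SAMPLE = """\
"System","4","Console","0","236 K"
"svchost.exe","912","Console","0","4,532 K"
"winupdate.exe","1724","Console","0","1,204 K"
"iexplore.exe","2048","Console","0","21,088 K"
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text: str):
    """Connection rows of `netstat -ano` as dicts; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        host, _, port = foreign.rpartition(":")
        conns.append({"proto": proto, "local": local, "remote_host": host,
                      "remote_port": int(port) if port.isdigit() else None,
                      "state": state or "", "pid": int(pid)})
    return conns


def parse_tasklist_csv(text: str):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(row[1]): row[0].lower()
            for row in csv.reader(io.StringIO(text)) if len(row) > 1 and row[1].isdigit()}


def suspicious_web_connections(netstat_text: str, tasklist_text: str):
    """Established TCP connections to web ports whose owner is not a browser.
    netstat alone shows the same 'UserIP:3015 -> ControllerIP:80 ESTABLISHED'
    line for browsing and for a reverse-connecting Trojan; the owning process
    is what tells them apart."""
    images = parse_tasklist_csv(tasklist_text)
    hits = []
    for c in parse_netstat(netstat_text):
        if c["proto"] != "TCP" or c["state"] != "ESTABLISHED" or c["remote_port"] not in WEB_PORTS:
            continue
        image = images.get(c["pid"], "<unknown>")
        if image not in BROWSER_IMAGES:
            hits.append((c["pid"], image, f'{c["remote_host"]}:{c["remote_port"]}'))
    return hits


if __name__ == "__main__":
    if "--live" in sys.argv and sys.platform == "win32":
        # Real data from the same two commands the constructed samples imitate.
        netstat_text = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        tasklist_text = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True).stdout
    else:
        netstat_text, tasklist_text = NETSTAT_SAMPLE, TASKLIST_SAMPLE
    for pid, image, remote in suspicious_web_connections(netstat_text, tasklist_text):
        print(f"PID {pid} ({image}) -> {remote}: web port, owner is not a browser")
```

Two caveats a practitioner should keep in mind: a server side that injects itself into the browser process will pass this check, so the remote address (the controller's IP, which netstat exposes regardless) is worth comparing against sites the user actually visited; and on Windows XP SP2 and later `netstat -b` prints the owning image directly, which removes the need for the tasklist join.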