TROJAN HORSE CNEXP GROUP6 PROJECT

Upload: phillip-turner

Post on 01-Jan-2016

TRANSCRIPT

Page 1: TROJAN HORSE

TROJAN HORSE

CNEXP GROUP6 PROJECT

Page 2: TROJAN HORSE

What is a Trojan horse?

A Trojan horse program is a malicious program that is distributed and operated over the network.

Purpose: the main purpose of such a program is to spy on the confidential information on each computer, for example credit card numbers, national ID numbers, bank account numbers, and account names and passwords of every kind.

Method of intrusion: to get into your computer successfully, a small program must first be planted on it; the data is then stolen through that program.

Page 3: TROJAN HORSE

Disguise: so that network users download this backdoor program without noticing, some disguise is required, for example:

1. hiding the program in spam mail, 2. hiding it in a game plug-in (cheat), 3. possibly hiding it in racy photos, 4. other

The aim is that you open it willingly and are implanted at the same time. Consequences: being infected with a Trojan does not make the machine crash immediately or make the computer explode; the Trojan

lurks quietly in the computer and collects any data it is interested in, so the damage is not to the computer but to personal privacy, and possibly a loss of money.

Page 4: TROJAN HORSE

How a Trojan works: basics

1. It uses the client/server principle. Server: the monitored side (the machine the Trojan is planted on). Client: the monitoring side (the hacker who planted the Trojan).

The backdoor program planted on the server side is a server.exe that waits for the client to connect.

Page 5: TROJAN HORSE

How it works. 1. Configuring the Trojan: a Trojan configuration program handles

disguise and information feedback (the feedback method and where it is sent).

2. Running the Trojan: trigger conditions that start it

a) Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ and the HKEY_CLASSES_ROOT\<file type>\shell\open\command key

b) WIN.INI c) SYSTEM.INI d) Autoexec.bat and Config.sys e) *.INI f) bundled files g) Startup menu

Page 6: TROJAN HORSE

3. Information leakage: collect information about the server side and report it to the controlling user by e-mail, IRC or ICQ.

4. Establishing the connection: the server side has the Trojan program installed, and both server and client must be online. Server: runs the Trojan program and waits on some port for the client to connect.

Client: determines the server IP and port and sends a connection request.

Page 7: TROJAN HORSE

5. Remote control: once the client has established a connection with the server, the client can perform the following actions on the server:

steal passwords, file operations, modify the registry, system operations

Page 8: TROJAN HORSE

Evolution of Trojans. 1. ICMP Trojans

What is ICMP? Internet Control Message Protocol, documented in RFC 792, delivered in IP packets, unreliable. Some functions:

announce network errors, announce network congestion, assist troubleshooting, announce timeouts

Example: ping

Page 9: TROJAN HORSE

2. Analysis of how ICMP Trojans work: the ICMP protocol itself has no ports

Page 10: TROJAN HORSE

3. Countermeasures

Page 11: TROJAN HORSE

1. DLL Trojans. What is a DLL?

Page 12: TROJAN HORSE

A DLL Trojan hides behind a process. Example 1:

Rundll32 mydll.dll (Rundll32.exe is the dynamic-link tool built into Windows)

myFunc (the Trojan) is written inside mydll.dll. Example 2:

explorer.exe -> ieDll.dll: modify ieDll.dll; the new ieDll.dll does two things. Drawback:

repair installs, installing patches, upgrading the system and similar methods may all cause the Trojan DLL to stop working.

Page 13: TROJAN HORSE

Countermeasures: use tools, although it is not always possible to terminate the abnormal process. On Windows 2000, .../system32/dllcache stores a large number of DLL files; if a protected DLL file is found to have been tampered with (detected by digital signature technology), the system automatically restores that file from dllcache.

Page 14: TROJAN HORSE

Virus, Worm, and Trojan

Virus – A virus is a program that can "infect" or "contaminate" other programs by modifying them to include a copy of itself.

Worm – A worm is a subclass of virus. It is an independent program that replicates itself, crawling from machine to machine across network connections.

Page 15: TROJAN HORSE

Trojan vs. Virus

A Trojan horse program is not technically a virus. The key distinction between a virus and a Trojan horse program is that a Trojan horse program does not replicate itself, and it does not infect other files; it only destroys information on the hard disk.

Page 16: TROJAN HORSE

Trojan vs. Worm

A worm can propagate automatically without your help, and it often clogs networks as it spreads, often via e-mail. A Trojan horse program has to be "spread" via social engineering or by manually e-mailing it.

Page 17: TROJAN HORSE

How do top hackers plant a Trojan?

SCADA

A professional hacker would not directly attack networks or SCADA/DCS systems in the U.S.

Creates a Trojan that will allow remote control

Plants the Trojan in a zombie host in the South Pacific

The Trojan "listens" for a specific string of characters in a chat room hosted in Europe (maybe even in another language)

When the zombie finds a match on the set of characters, it automatically begins attacking pre-determined sites and systems

Diagram on the slide (steps, with the labelled nodes in parentheses):

1. Hacker determines that a direct attack may be too risky

2. Plant Trojan in zombie host (UNIVERSITY)

3. Trojan is programmed to listen to a chat room in Europe for a specific message string (CHATROOM)

4. Hacker posts message on chat room

5. Trojan attacks target networks

Page 18: TROJAN HORSE

How to detect a Trojan horse. 1. Scan ports

A Trojan horse based on TCP/UDP runs client/server communication, so its listening port is visible. 2. Monitor connections

a. netstat -an under Windows:

    C:\>netstat -an

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
      UDP    0.0.0.0:69             *:*
      UDP    0.0.0.0:445            *:*
      UDP    0.0.0.0:4000           *:*

Page 19: TROJAN HORSE

b. Use the command-line tool fport under Windows 2000, which maps each port to the process (and path) that owns it:

    E:\software>Fport.exe
    Pid   Process            Port  Proto Path
    420   svchost        ->  135   TCP   E:\WINNT\system32\svchost.exe
    8     System         ->  139   TCP
    8     System         ->  445   TCP
    768   MSTask         ->  1025  TCP   E:\WINNT\system32\MSTask.exe
    8     System         ->  1027  TCP
    8     System         ->  137   UDP
    8     System         ->  138   UDP
    8     System         ->  445   UDP
    256   lsass          ->  500   UDP   E:\WINNT\system32\lsass.exe

Page 20: TROJAN HORSE

C. Active Ports
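The two listings above are the raw material of the "monitor connections" step: netstat shows which ports are open, fport says which process owns each one. The following script is an added example written for this page (it is not code from the slides or from any tool they mention). It parses Windows-style `netstat -an` output, keeps the TCP LISTENING and UDP sockets, compares them with a baseline of ports the host is expected to have open, and then uses fport output to attribute each unexpected port to a process. The baseline set is an assumption for illustration, and the fport sample is the slide's table plus one constructed row (pid 1204, server.exe on TCP 113) so that an attribution can actually be shown.

```python
"""Triage unexpected listening sockets from netstat and fport output (added example)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the `netstat -an` output shown on the slide.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:69             *:*
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:4000           *:*
"""

# Constructed sample: the slide's fport table plus one made-up row (pid 1204,
# server.exe on TCP 113) so the attribution step has something to find.
SAMPLE_FPORT = r"""
Pid   Process            Port  Proto Path
420   svchost        ->  135   TCP   E:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
768   MSTask         ->  1025  TCP   E:\WINNT\system32\MSTask.exe
8     System         ->  1027  TCP
8     System         ->  137   UDP
8     System         ->  138   UDP
8     System         ->  445   UDP
256   lsass          ->  500   UDP   E:\WINNT\system32\lsass.exe
1204  server         ->  113   TCP   E:\WINNT\system32\server.exe
"""

# Assumed baseline: (proto, port) pairs this particular host is known to open.
BASELINE: Set[Tuple[str, int]] = {
    ("TCP", 135), ("TCP", 445), ("TCP", 1025), ("UDP", 445),
}

Socket = Tuple[str, str, int]            # (proto, local address, port)
Owner = Tuple[int, str, str]             # (pid, process name, path or "")

FPORT_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(\S.*)?$")


def parse_listeners(text: str) -> List[Socket]:
    """Return every TCP socket in LISTENING state and every bound UDP socket."""
    listeners: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                      # header, blank line, or unknown proto
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue                      # established/closing TCP rows are not listeners
        addr, _, port = local.rpartition(":")   # rpartition also copes with [::]:port
        if port.isdigit():
            listeners.append((proto, addr, int(port)))
    return listeners


def parse_fport(text: str) -> Dict[Tuple[str, int], Owner]:
    """Map (proto, port) -> (pid, process, path); path is '' when fport prints none."""
    owners: Dict[Tuple[str, int], Owner] = {}
    for line in text.splitlines():
        m = FPORT_ROW.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            owners[(proto, int(port))] = (int(pid), proc, (path or "").strip())
    return owners


def triage(netstat_text: str, fport_text: str,
           baseline: Set[Tuple[str, int]] = BASELINE) -> List[Tuple[Socket, Optional[Owner]]]:
    """List listeners outside the baseline, each paired with its owning process (None if unknown)."""
    owners = parse_fport(fport_text)
    return [((proto, addr, port), owners.get((proto, port)))
            for proto, addr, port in parse_listeners(netstat_text)
            if (proto, port) not in baseline]


if __name__ == "__main__":
    for sock, owner in triage(SAMPLE_NETSTAT, SAMPLE_FPORT):
        print(f"unexpected {sock[0]} {sock[1]}:{sock[2]} -> {owner or 'no owning process found'}")
```

On the constructed samples the script reports TCP 113 (owned by pid 1204, server.exe), UDP 69 and UDP 4000; the last two have no fport row, which is exactly the case where a process-to-port tool such as fport or Active Ports has to be re-run or the process list inspected by hand. The baseline is the part that must be maintained per host: a port that is normal on a file server is suspicious on a workstation.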

Page 21: TROJAN HORSE

3. Check the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (and RunOnce, RunServices, RunServicesOnce); HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (and RunOnce, RunServices)

4. Use Task Manager: a Trojan horse is also a process (CTRL+ALT+DEL)

Page 22: TROJAN HORSE

5. win.ini: the [WINDOWS] section may contain a Trojan horse shortcut. In the normal situation the entries are blank; a value such as "run=c:\windows\file.exe" or "load=c:\windows\file.exe" starts that file at logon.

6. system.ini: the [mci], [drivers] and [drivers32] sections load drivers; in [boot], "shell=Explorer.exe file.exe" starts file.exe alongside the shell; in [386Enh]:

driver=xxxxx
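The win.ini and system.ini checks above come down to a few lines in a few sections. As an added example (not from the slides), the following script parses the two files with a small INI reader and applies the slide's rules: a non-empty run= or load= in [windows], a [boot] shell= that is anything other than Explorer.exe alone, and a review list of every driver entry in [386Enh], [drivers] and [drivers32]. The two sample files are constructed from the entries the slide quotes; the file names and the exact rules are assumptions made for this example.

```python
"""Check win.ini / system.ini for the autostart entries the slide describes (added example)."""
from typing import Dict, List, Tuple

# Constructed sample win.ini: the slide's load= entry plus two normal lines.
SAMPLE_WIN_INI = r"""
[windows]
load=c:\windows\file.exe
run=
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# Constructed sample system.ini: the slide's shell= and driver= entries plus a normal driver.
SAMPLE_SYSTEM_INI = r"""
[boot]
shell=Explorer.exe file.exe
[386Enh]
driver=xxxxx
[drivers]
wave=mmdrv.dll
"""

Entry = Tuple[str, str]                 # (key, value), key lower-cased
Finding = Tuple[str, str]               # (file, description)


def parse_ini(text: str) -> Dict[str, List[Entry]]:
    """Minimal INI reader: section names lower-cased, entry order preserved, duplicates kept."""
    sections: Dict[str, List[Entry]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                              # blank or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def check_win_ini(text: str) -> List[Finding]:
    """Flag non-empty run= / load= lines in [windows]; both are blank on a clean system."""
    return [("win.ini", f"[windows] {key}={value}")
            for key, value in parse_ini(text).get("windows", [])
            if key in ("run", "load") and value]


def check_system_ini(text: str) -> List[Finding]:
    """Flag a [boot] shell= line that starts anything besides Explorer.exe."""
    return [("system.ini", f"[boot] shell={value}")
            for key, value in parse_ini(text).get("boot", [])
            if key == "shell" and value.lower() != "explorer.exe"]


def loaded_drivers(text: str) -> List[Tuple[str, str, str]]:
    """List (section, key, value) for the driver-loading sections, for manual review."""
    sections = parse_ini(text)
    return [(sect, key, value)
            for sect in ("386enh", "drivers", "drivers32")
            for key, value in sections.get(sect, [])]


if __name__ == "__main__":
    for finding in check_win_ini(SAMPLE_WIN_INI) + check_system_ini(SAMPLE_SYSTEM_INI):
        print("FINDING", *finding)
    for sect, key, value in loaded_drivers(SAMPLE_SYSTEM_INI):
        print("REVIEW ", f"system.ini [{sect}] {key}={value}")
```

The driver entries are listed rather than flagged because legitimate systems always have some; what matters is comparing them against a known-good copy of the file. The same parser can be pointed at any other .INI file the slide's item e) refers to.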

Page 23: TROJAN HORSE

How to prevent a Trojan horse

A. Beware of your mail: Trojans may spread themselves automatically

B. Never download blindly. C. Patch your system periodically. D. Beware of hidden file extensions:

"susie.jpg" may really be "susie.jpg.exe"

E. Use a firewall, anti-virus software and an anti-Trojan

program. F. Cross your fingers, or disconnect from the Internet?
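Item D deserves a concrete check, because Windows Explorer's default "hide extensions for known file types" is what turns "susie.jpg.exe" into a file that displays as "susie.jpg". The function below is an added example (not from the slides) that reports a file name whose last extension is executable while the extension before it looks like a document or picture; it also tolerates the padding spaces and trailing spaces that are used to push the real extension out of view. The extension sets are assumptions chosen for illustration, not an exhaustive list.

```python
"""Detect a benign-looking extension hiding an executable one (added example)."""
from typing import Optional, Tuple

# Assumed sets for this example: extensions Windows will execute, and ones used as decoys.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta", "lnk"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "mp3", "avi"}


def _extensions(filename: str):
    """Split on dots, dropping the padding spaces used to hide the real extension."""
    return [part.strip() for part in filename.strip().lower().split(".")]


def disguised_executable(filename: str) -> Optional[Tuple[str, str]]:
    """Return (decoy_ext, real_ext) when an executable hides behind a decoy extension.

    'susie.jpg.exe '               -> ('jpg', 'exe')
    'report.pdf          .scr'     -> ('pdf', 'scr')
    'susie.jpg' / 'archive.tar.gz' -> None
    """
    parts = _extensions(filename)
    if len(parts) < 3:
        return None                       # at most one extension, nothing hidden
    real, decoy = parts[-1], parts[-2]
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'hide extensions for known file types' on: the last
    known extension is dropped, so 'susie.jpg.exe' is displayed as 'susie.jpg'."""
    name = filename.strip()
    stem, dot, ext = name.rpartition(".")
    if dot and ext.strip().lower() in EXECUTABLE_EXTS | DECOY_EXTS:
        return stem
    return name


if __name__ == "__main__":
    for candidate in ("susie.jpg.exe ", "report.pdf          .scr", "susie.jpg", "archive.tar.gz"):
        print(repr(candidate), "shown as", repr(displayed_name(candidate)),
              "disguise:", disguised_executable(candidate))
```

The check is only a heuristic for attachments and downloads: the robust fix remains showing extensions in Explorer and judging files by their content, which is what the anti-virus and anti-Trojan tools in item E do.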