Wednesday, December 29, 2010
【Weak Current College】 Demystifying virus stealth and firewall penetration: file injection and reverse connections
This is the third article in the series on the stealth and firewall-penetration ("through-wall") techniques that viruses currently use. None of the articles is very long, but each describes two or three stealth and firewall-evasion tricks commonly used by Trojans, so that readers can see how far their authors go to avoid detection by security software. Even after this article is finished, new techniques will keep appearing that we are not yet familiar with. But before looking at the stealth and firewall-penetration behaviour of new Trojans, let us first look at the techniques this article uses several Trojans to illustrate.
First, process and DLL file injection
Process injection means that the Trojan injects itself into a normal process and then runs as a child thread of that process. At that point its own process name no longer appears in the Task Manager process list, so the user cannot find it through Task Manager. Moreover, even if antivirus software does find it, removing it from the normal process it lives in is not easy.
Because the firewall releases the system's normal network-related processes (such as Services.exe, Svchost.exe and so on) by default, a Trojan that injects itself into a system process passes through the firewall with it. However, the Trojan can only succeed in injecting if it has obtained the same system permissions as those system processes. At present, many Trojans already implement remote process injection.
DLL file injection, in turn, is generally used to escape firewall blocking. It mainly exploits the fact that once a firewall trusts a piece of software, it fully trusts every DLL file that software loads. Therefore, as long as the Trojan injects itself into one of these DLL files, it can escape the firewall's monitoring and then contact the attacker for network communication, or download other Trojans, keyloggers, backdoors and so on. On Windows systems the program most exploited for DLL injection is the IE browser.
For Trojans that use DLL file injection, you can verify the digital signatures of system files to discover which system DLL files have been modified; this can be done with the digital signature verification tool under "System Information" in Windows. For process injection, you can use the IceSword tool to view the modules loaded by each process: any module that is not part of Windows itself indicates that a Trojan has been implanted. You can then forcibly unload the illegal module in IceSword and completely delete it from its location on disk. Some antivirus software can already kill implanted Trojans of this kind, for example Rising antivirus. As for firewalls, there is now a new technique: when the firewall detects that a file loaded by an application has been modified, it blocks that application's network connections. But this technology has not yet made its way into home firewalls.
Second, TCP/IP stack bypass
Some personal firewalls only filter traffic that passes through the Windows system's own TCP/IP stack; data produced by any other network stack is not checked at all and is simply released. A Trojan that exploits this loophole therefore installs its own network driver while it runs and passes its traffic directly to the system's network interface card, so that it escapes the firewall's detection.
To prevent this form of Trojan attack, it is enough to set a firewall rule that prohibits all traffic not produced by the standard Windows TCP/IP stack. The latest versions of some personal firewalls already have this feature, so Internet users should keep upgrading their firewall software to guard against Trojans that penetrate the firewall this way.
Third, reverse ("rebound") connection technology
Today's Internet users generally connect through PPPoE dial-up, or through a proxy server or NAT, which puts a few obstacles in the way of an attacker whose Trojan client actively connects to the server side it has configured. To eliminate these obstacles, attackers write Trojans with reverse-connection technology.
With reverse connection, as soon as the Trojan detects that the system has an active network connection, the server side takes the initiative and connects to the attacker's client according to the settings the attacker configured. Since a system firewall generally does not block connection requests issued from the inside, the Trojan passes through the system firewall easily.
However, reverse connection alone sometimes only gets the Trojan past the system firewall; it does not get past the hardware network firewall at the gateway. To penetrate the hardware network firewall as well, Trojan authors turned to tunnelling. They wrap the content to be sent in protocols the network firewall allows, such as HTTP, DNS and SMTP, and then use those protocols to deliver the wrapped content to a location the attacker specifies (such as an e-mail address). That content may include the account the user is logged on with, the password, the public IP address, open ports and running services, and so on. The attacker then connects to the Trojan's server side in the same way.
To prevent reverse-connection Trojans, the first measure is the application-filtering feature of personal firewalls, which blocks any application requesting a network connection and prompts the user on whether to allow it. Most of the latest personal firewalls already have this feature, for example ZA, Rising and Tiny Firewall Pro. The second is to use a hardware network firewall with reassembly-based deep inspection, which can prevent Trojans that attack in tunnel mode.
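The two checks recommended above (modules loaded from outside Windows or without a valid signature, and system processes that dial out on their own) can be scripted over an inventory exported from a tool such as IceSword or the signature verifier. The following is an added example, not code from the original article; the module and connection records are constructed, the baseline of "system directories" and "system processes" is an assumption you should adapt to your own machine, and 203.0.113.0/24 is a documentation range standing in for external addresses.

```python
import ipaddress
from dataclasses import dataclass

# Assumed baseline: a DLL is expected to live under the Windows system directories and
# carry a valid signature; core system processes are not expected to dial out by themselves.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_PROCESSES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

@dataclass
class Module:
    process: str   # process that loaded the DLL
    path: str      # full path of the loaded DLL
    signed: bool   # digital signature verified OK

@dataclass
class Connection:
    process: str    # process owning the socket
    remote_ip: str
    remote_port: int
    outbound: bool  # True if the local host initiated the connection

def suspicious_modules(modules):
    """DLLs loaded from outside the system directories or failing the signature check."""
    return [m for m in modules
            if not m.path.lower().startswith(SYSTEM_DIRS) or not m.signed]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def suspicious_connections(conns):
    """Outbound connections from a system process to a non-internal address (reverse-connection pattern)."""
    return [c for c in conns
            if c.outbound and c.process.lower() in SYSTEM_PROCESSES
            and not is_internal(c.remote_ip)]

# Constructed sample inventory (not real data).
SAMPLE_MODULES = [
    Module("svchost.exe", r"C:\Windows\System32\ntdll.dll", True),
    Module("svchost.exe", r"C:\Users\Public\hook.dll", False),      # foreign, unsigned
    Module("iexplore.exe", r"C:\Windows\System32\wininet.dll", False),  # system path, modified
]
SAMPLE_CONNS = [
    Connection("svchost.exe", "203.0.113.5", 8080, True),   # system process dialing out
    Connection("svchost.exe", "10.0.0.2", 445, True),       # internal, expected
    Connection("iexplore.exe", "203.0.113.9", 443, True),   # browser, reviewed by app filtering
    Connection("services.exe", "203.0.113.7", 80, False),   # inbound, not a rebound
]
```

Only the first and third module records and the first connection record are reported; a browser dialing out is left to the application-filtering prompt described above.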
From this series of articles on virus stealth and firewall penetration you can see that every method, however good, has its weaknesses, which means there is always a way to prevent the behaviour described and remove the Trojan. However, today's Trojans certainly do not rely on a single escape method. They often use several at once, for example packing, encryption and injection together, which greatly raises the difficulty for antivirus software and firewalls to detect them. Still, Trojan authoring and Trojan defence are both developing together with security technology, and as long as their weaknesses can be found, preventing and removing them is entirely achievable. In the end, the key to the problem lies with users themselves: restrain your own network behaviour and understand some security technology, and you can greatly reduce the number of Trojans you encounter.