
[principle and technology of network attack and Defense] Chapter 6: Trojan horse

2022-07-07 18:02:00 Godams

6.1 Malicious code

Malicious code is program code that is introduced into a user's computer system without the user's knowledge and that damages the confidentiality, integrity or availability of the system, the network or the information on it. Compared with normal code it is characterised by being unauthorized and destructive.

6.1.1 Computer virus

A group of program code inserted into a computer program that destroys computer functions and can copy itself. It is usually attached to normal software or files and cannot run on its own.

Main characteristics: infectiousness, latency, triggerability, parasitism, lack of authorization, destructiveness.

The structure of computer virus :

  • Boot module (basic module): requests the memory the virus needs to run normally, modifies system interrupts, and performs similar setup work.
  • Search module: finds or locates the objects the virus will infect.
  • Infection module (core module): the virus reproduces itself through this module.
  • Payload (presentation) module: differs from virus to virus.
  • Identification module (auxiliary module): not present in every virus; lets the virus recognise that the system is already infected.

6.1.2 Computer worms

A program that copies itself across a computer network and consumes system and network resources.

There are the following modules :

  1. Search module
  2. Attack module: attacks automatically through a vulnerability to obtain access permissions
  3. Transmission module: responsible for copying the worm program between computers
  4. Payload module: after entering the infected system, performs information collection, site cleaning, attack and destruction
  5. Control module: adjusts the worm's behaviour and controls the infected host

6.1.3 Trojan horse

A program that establishes a connection with a remote computer so that the remote computer can control the local computer over the network.

It falls into the following categories :

  1. Password-stealing Trojan
  2. Launcher (dropper) Trojan: installs malicious programs in the infected system
  3. Downloader Trojan: same as above, but fetches the malicious programs from the network
  4. Surveillance Trojan
  5. Proxy Trojan
  6. Clicker Trojan: directs the user to specific websites, etc.
  7. Remote-control Trojan

Comparison of different Trojans (figure from the original page)

6.2 Working principle of Trojan horse

Trojan architecture: client/server (C/S) architecture, consisting of the Trojan program plus the control-end program.
The Trojan program is the server-side program and the control-end program acts as the client; the attacker uses the control end to remotely control the machine in which the Trojan has been planted.
Difference from a legitimate remote-control program: concealment, and lack of authorization.

An intrusion using a Trojan consists of 6 steps: configuring the Trojan, spreading the Trojan, running the Trojan, information feedback, establishing a connection, and remote control.

  • Configure the Trojan: configure the listening port, DNS, IP, etc.; configure its functions; configure the installation path, file name, etc.
  • Spread the Trojan: through software downloads, e-mail attachments, instant-messaging software, etc. Further subdivided into active planting and passive planting.
  • Start the Trojan: automatic loading, then latent standby. Implemented by modifying the registry or group policy, adding system services, replacing system DLLs, etc.
  • Information feedback: after the Trojan runs, the infected host feeds some information back to the hacker, either so that the hacker can connect to the victim host, or to deliver information the hacker is interested in, such as account passwords.
  • Establish a connection: forward connection or reverse connection. Because IP addresses are scarce, many operators use DHCP to assign IP addresses to users, and because of NAT, intranet addresses cannot be reached from the external network. Since the attacker cannot find the infected host by its IP address, reverse-connection technology emerged: the victim connects out to the attacker. This technique also passes easily through the victim's firewall, which usually filters inbound rather than outbound connections.
  • Remote control: the hacker uses the channel between the client port and the server port to communicate with the Trojan program and perform remote control, including obtaining information about the target machine, recording user events, and carrying out remote operations.

6.3 Trojan horse hiding technology

  • Hiding when loading:
  • Hiding during storage: hiding the Trojan's files and directories. Some means is used so that the user cannot find the Trojan's files and directories, for example setting the hidden attribute; icons may also be replaced.
  • Hiding at runtime
    • Startup hiding: the target host does not notice that the Trojan program is running.
    • Process hiding: hiding the Trojan's process so that it cannot be seen in the task manager.
      • False hiding: the program's process still exists, it is only made to disappear from the process list.
        • Set the window to be invisible
        • Register the Trojan as a service
        • Deceive the functions used to view processes
        • Use variable high ports
        • Use system service ports
      • True hiding: the program disappears completely, no longer working as a process or a service.
        • Replace a system driver or DLL
        • Dynamic embedding: use window hooks, API hooking, remote threads and similar methods to embed the Trojan program into an already running process
    • Communication hiding: do not communicate with the controller directly; exchange information through special ICMP messages, port multiplexing, or an intermediary such as a network disk, a web page, e-mail, etc.

6.4 The most basic ways to find out whether a host is infected with a Trojan

  • Pay attention to the listening ports
  • Pay attention to the network connections established by this machine
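The two checks above, as an added example that is not part of the original notes: a small triage routine that compares a netstat/ss-style socket table against a baseline of expected listeners and flags unexpected listening ports, a known service port owned by the wrong process (the port-multiplexing trick from 6.3), and outbound connections to unusual ports (the reverse-connection pattern from 6.2). The socket table and the baseline values are constructed for the example.

```python
# Constructed sample table (not real data), in the column order
# proto, local address, remote address, state, owning process.
SAMPLE_SOCKETS = """\
tcp 0.0.0.0:22      0.0.0.0:0          LISTEN      sshd
tcp 0.0.0.0:443     0.0.0.0:0          LISTEN      nginx
tcp 0.0.0.0:31337   0.0.0.0:0          LISTEN      svchost
tcp 10.0.0.5:49213  203.0.113.9:443    ESTABLISHED firefox
tcp 10.0.0.5:49500  198.51.100.7:4444  ESTABLISHED svchost
tcp 10.0.0.5:22     10.0.0.8:51022     ESTABLISHED sshd
"""

# Baseline recorded while the host was known to be clean (assumed values).
EXPECTED_LISTENERS = {22: "sshd", 443: "nginx"}
# Remote ports this host's processes are normally expected to talk to.
USUAL_REMOTE_PORTS = {22, 25, 53, 80, 443}


def parse_sockets(table):
    """Yield (local_port, remote_port, state, process, raw_line) per row."""
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers and blank lines
        _proto, local, remote, state, proc = parts
        lport = int(local.rsplit(":", 1)[1])
        rport = int(remote.rsplit(":", 1)[1])
        yield lport, rport, state, proc, line


def triage(table):
    """Return (reason, raw_line) pairs for sockets that break the baseline."""
    findings = []
    for lport, rport, state, proc, line in parse_sockets(table):
        if state == "LISTEN":
            if lport not in EXPECTED_LISTENERS:
                findings.append(("unexpected listening port (forward-connection Trojan?)", line))
            elif EXPECTED_LISTENERS[lport] != proc:
                findings.append(("service port owned by another process (port multiplexing?)", line))
        elif state == "ESTABLISHED" and lport not in EXPECTED_LISTENERS:
            # Local port is ephemeral, so this host initiated the connection.
            if rport not in USUAL_REMOTE_PORTS:
                findings.append(("outbound connection to unusual port (reverse connection?)", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_SOCKETS):
        print(f"{reason}: {line}")
```

On a real host the same parser can be fed the output of `netstat -ano` or `ss -tnp` once the columns are mapped to the five fields used here.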

6.5 Prevention techniques for Trojans

  • Do not run any software of unknown origin, because the software may have been tampered with by a hacker.
  • Do not trust other people blindly; the person may be a hacker in disguise rather than a real friend.
  • Configure the system reasonably and securely, for example by displaying hidden files and file extensions.
  • Install software and system patches in time.
  • Use anti-virus software.
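Why showing hidden files and extensions matters, as an added example that is not part of the original notes: the first function shows the name a file browser displays when known extensions are hidden, and the second flags names that rely on the storage-hiding tricks from 6.3 (a hidden file with an executable extension, or an executable disguised with a document-style double extension). The directory listing is constructed, and the dot-prefix convention for hidden files is the POSIX one; on Windows the Hidden attribute would be checked instead.

```python
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "vbs", "js", "ps1", "dll"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Constructed directory listing (not from the original notes).
SAMPLE_LISTING = ["report.pdf", "invoice.pdf.exe", ".cache.dll",
                  "photo.jpg", ".bashrc", "setup.exe"]


def displayed_name(name, show_extensions):
    """Name as a file browser shows it when known extensions are hidden."""
    if show_extensions or "." not in name.lstrip("."):
        return name
    return name.rsplit(".", 1)[0]


def suspicious_names(names):
    """Return (name, reason) for files that depend on hidden files/extensions."""
    flagged = []
    for name in names:
        hidden = name.startswith(".")  # POSIX convention, assumed here
        exts = name.lower().split(".")[1:]
        exts = exts[1:] if hidden else exts  # for ".cache.dll", "cache" is the stem
        if not exts or exts[-1] not in EXECUTABLE_EXTS:
            continue  # not an executable, nothing to disguise
        if hidden:
            flagged.append((name, "hidden executable"))
        elif any(e in DOCUMENT_EXTS for e in exts[:-1]):
            # With extensions hidden the user only sees the document-looking part.
            flagged.append((name, f"executable shown as {displayed_name(name, False)}"))
    return flagged


if __name__ == "__main__":
    for name, reason in suspicious_names(SAMPLE_LISTING):
        print(f"{name}: {reason}")
```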

Copyright notice: this article was written by [Godams]; please include the original link when reposting. Original article: https://yzsam.com/2022/188/202207071521205849.html