An Introduction to Trojan Viruses
A set of computer instructions or program code that is written into, or inserted into, a computer program in order to damage the computer's functions or data, interfere with its use, and replicate itself is called a computer virus; it is destructive, self-replicating and infectious. Below is the introduction to Trojan viruses that the editor has compiled for you; we hope it helps!
The world of malicious software is often divided into two types: viral and nonviral. Viruses are little bits of code that are buried in other programs. When the "host" program is executed, the virus replicates itself and may attempt to do something destructive. In this, viruses behave much like biological viruses.
Worms are a kind of computer parasite considered to be part of the viral camp because they replicate and spread from computer to computer.
As with viruses, a worm's malicious act is often the very act of replication; they can overwhelm computer infrastructures by generating massive numbers of e-mails or requests for connections that servers can't handle.
Worms differ from viruses, though, in that they aren't just bits of code that exist in other files. They can be whole files, an entire Excel spreadsheet, for example. They replicate without the need for another program to be run.
Remote administration Trojans (RATs) are an example of another kind of nonviral malicious software, the Trojan horse, or more simply Trojan. The purpose of these programs isn't replication, but to penetrate and control. They masquerade as one thing when in fact they are something else, usually something destructive.
There are a number of kinds of Trojans, including spybots, which report on the Web sites a computer user visits, and keybots or keyloggers, which record and report the user's keystrokes in order to discover passwords and other confidential information.
RATs attempt to give a remote intruder administrative control of an infected computer. They work as client/server pairs. The server resides on the infected machine, while the client resides elsewhere, across the network, where it's available to a remote intruder.
Using standard TCP/IP or UDP protocols, the client sends instructions to the server. The server does what it's told to do on the infected computer.
Trojans, including RATs, are usually downloaded inadvertently by even the most savvy users. Visiting the wrong Web site or clicking on the wrong hyperlink invites the unwanted Trojan in. RATs install themselves by exploiting weaknesses in standard programs and browsers.
Once they reside on a computer, RATs are hard to detect and remove. For Windows users, simply pressing Ctrl-Alt-Delete won't expose RATs, because they operate in the background and don't appear in the task list.
Some especially nefarious RATs have been designed to install themselves in such a way that they're very difficult to remove even after they're discovered.
For example, a variant of the Back Orifice RAT called G_Door installs its server as Kernel32.exe in the Windows system directory, where it's active and locked and controls the registry keys.
The active Kernel32.exe can't be removed, and a reboot won't clear the registry keys. Every time an infected computer starts, Kernel32.exe is restarted, and the program is again active and locked.
Some RAT servers listen on known or standard ports. Others listen on random ports and notify their clients by e-mail which port and which IP address to connect to.
Even computers that reach the Internet through an Internet service provider, a setup often thought to be more secure than a static broadband connection, can be susceptible to control from such RAT servers.
The ability of RAT servers to initiate connections can also allow some of them to evade firewalls. An outgoing connection is usually permitted. Once a server contacts a client, the client and server can communicate, and the server begins following the instructions of the client.
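The two indicators the text describes, an impostor Kernel32.exe persisting from the Windows system directory and a server that initiates its own outbound connection, can be checked with simple triage heuristics. The following is an added example of such a check, not code from the original article; it assumes the persistence lives in a Run registry key and that the inputs are constructed text dumps in a two-or-more-spaces column format, and the DLL-only name list is illustrative.

```python
"""Defender-side triage for the G_Door-style indicators described above.
Assumptions (not from the article): persistence lives in a Run key, and the
triage inputs are text dumps whose columns are separated by 2+ spaces."""
import re
from typing import Dict, List

# Names that exist only as DLLs in a clean system directory; an .exe with
# one of these names there is an impostor (illustrative list, not complete).
DLL_ONLY_NAMES = {"kernel32", "user32", "ntdll", "advapi32"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\", "c:\\winnt\\system32\\")

# Constructed sample dumps, not real forensic output (addresses/ports invented).
AUTORUN_DUMP = """\
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run  ctfmon    C:\\WINDOWS\\system32\\ctfmon.exe
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run  Kernel32  C:\\WINDOWS\\system32\\Kernel32.exe
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run  Updater   C:\\Program Files\\Vendor\\update.exe
"""
CONNECTIONS = """\
TCP  192.0.2.10:1043  198.51.100.7:80    ESTABLISHED  C:\\Program Files\\Browser\\browser.exe
TCP  192.0.2.10:1044  203.0.113.9:5555   ESTABLISHED  C:\\WINDOWS\\system32\\Kernel32.exe
UDP  192.0.2.10:137   *:*                -            C:\\WINDOWS\\system32\\svchost.exe
"""

def _columns(line: str) -> List[str]:
    return re.split(r"\s{2,}", line.strip())

def impostor_executable(path: str) -> bool:
    """True for an .exe in a system directory whose base name is a DLL-only name."""
    p = path.strip().lower()
    if not p.endswith(".exe") or not p.startswith(SYSTEM_DIRS):
        return False
    return p.rsplit("\\", 1)[-1][:-4] in DLL_ONLY_NAMES

def suspicious_autoruns(dump: str = AUTORUN_DUMP) -> List[Dict[str, str]]:
    """Autorun entries (key, value name, command) whose command launches an impostor."""
    hits = []
    for line in dump.splitlines():
        cols = _columns(line)
        if len(cols) == 3 and impostor_executable(cols[2]):
            hits.append({"key": cols[0], "name": cols[1], "command": cols[2]})
    return hits

def impostor_connections(listing: str = CONNECTIONS) -> List[str]:
    """Established connections owned by an impostor: the server-initiated
    channel that an outbound-permissive firewall lets through."""
    return [f"{c[0]} {c[1]} -> {c[2]}" for c in map(_columns, listing.splitlines())
            if len(c) == 5 and c[3] == "ESTABLISHED" and impostor_executable(c[4])]
```

Run `suspicious_autoruns()` and `impostor_connections()` against the constructed dumps; each returns only the Kernel32.exe entry, while the genuine kernel32.dll and the non-system-directory executables are ignored.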
Legitimate tools are used by systems administrators to manage networks for a variety of reasons, such as logging employee usage and downloading program upgrades, functions that are remarkably similar to those of some remote administration Trojans. The distinction between the two can be quite narrow: a remote administration tool used by an intruder becomes a RAT.
In April 2001, an unemployed British systems administrator named Gary McKinnon used a legitimate remote administration tool known as RemotelyAnywhere to gain control of computers on a U.S. Navy network.
By hacking a few unguarded passwords on the target computers and using illegal copies of RemotelyAnywhere, McKinnon was able to break into the Navy's network and use the remote administration tool to steal information and delete files and logs. The fact that McKinnon launched the attack from his girlfriend's e-mail account left him vulnerable to detection.
Some of the famous RATs are variants of Back Orifice; they include Netbus, SubSeven, Bionet and Hack'a'tack. These RATs tend to be families rather than single programs: hackers morph them into a vast array of Trojans with similar capabilities.