[Information Security] Viruses vs. Trojans vs. Worms

Abstract: This article briefly introduces viruses, Trojan horses and worms. What distinguishes a Trojan horse from viruses and worms is that it can establish a remote connection and let the attacker remotely control the victim's host. What distinguishes a worm from viruses and Trojan horses is its working principle: it exploits a buffer overflow vulnerability to overwrite a function's return address and thereby attacks automatically. The article also introduces virus immunity technology, which relies on the fact that a virus does not infect the same file twice, and virus compression technology. It then introduces the working principle of Trojan horses, Trojan implantation techniques and hiding techniques. Finally, the basic principle of worm attacks is presented.

Table of Contents

  • Virus
  • Trojan Horse
  • Worm

Virus

  • Feature: a virus does not infect the same program twice. It sets an "infection flag" in every program it has infected so that it can recognise already-infected programs and avoid repeated infection.
  • Why avoid repeated infection? Repeated infection would:
    • ① damage the file structure (duplicate names for the same variables, etc.)
    • ② reduce the efficiency of the virus attack
  • Virus immunity technology:
    • Write the infection flag into normal files so that the virus believes they are already infected and skips them. However, not all viruses use an infection flag, and a normal file cannot carry an unlimited number of different flags.
  • Virus compression technology: the virus compresses the current host program and prepends itself to it, so that the total length of the host program does not change.
  • Other characteristics: (1) executability (2) infectiousness (3) unauthorised operation (4) concealment (compression technology, etc.) (5) latency (it does not act immediately) (6) destructiveness (7) parasitism (8) unpredictability (9) temptation and deception
  • Virus classification:
    • Boot sector virus (Boot Strap Sector Virus): hides in the first sector of the hard disk and is loaded into memory before the operating system is loaded
    • File virus (File Infector Virus): parasitises executable files (*.com, *.exe, etc.); when the file is executed, the virus is executed
    • Multi-partite virus (Multi-Partite Virus): combines the characteristics of boot sector viruses and file viruses; it infects both executable files and the first sector of the disk
    • Macro virus (Macro Virus): written using the macro facilities of software such as Word and Excel
    • Trojan horse: enters the user's system and hides itself; the attacker can remotely control the user's machine through it
    • Computer worm: occupies no resources other than memory, does not modify disk files, and uses network functionality to spread itself

Trojan Horse

  • A program that, without the user's knowledge, steals user information or controls the user's host computer over the network. It can establish a remote connection, which is what distinguishes a Trojan horse from a virus.
  • Working principle: shown in a figure in the original post that is not reproduced here.

  • Methods of Trojan implantation:
    • Via removable media (USB drive)
    • Via e-mail attachments
    • Via embedded web page scripts
  • Trojan hiding techniques:
    • File disguise: often disguised as an image
    • Modifying the system configuration
    • Exploiting the system's search order: the Trojan renames itself to a file that must be executed at system startup and places the copy in a directory one level shallower than the original file, so that it is found first
    • Replacing system files
  • Example of a Trojan horse: Glacier
    • Glacier is a very well-known Trojan tool consisting of two executable programs, G_Server and G_Client. The former is the server side of the Trojan (implanted on the victim), and the latter is the client side (the attacker's console). Once the victim has been implanted, the attacker connects to it from the console; after the connection is established, the controlled host's information is displayed.

Worm

  • A worm is a program that runs independently and automatically spreads itself to other computers. Using buffer overflow vulnerabilities to make its attack code run automatically is the main difference between worms and viruses or Trojan horses.
  • Buffer overflow vulnerability:
    • Principle: ideally, a program checks the length of its input and refuses data longer than the buffer, but most programs assume that the input always fits the allocated storage space, and that assumption is the hidden danger behind buffer overflows. The buffer in question is allocated in the region called the "stack". In the figure below (not reproduced here), when an input variable overflows, the excess bytes are written straight over the location where the function's return address is stored, thereby changing where the function returns to.

  • Harm of buffer overflows: the intruder can use a stack overflow to change the return address used when the function returns and make execution jump to an arbitrary address. The harm takes two forms: in one case the program crashes, resulting in denial of service; in the other, execution jumps to a piece of malicious code, for example one that obtains a shell, after which the attacker can do whatever they want.
  • Preventing buffer overflow attacks:
    • Write safe code: do not use functions that do not check for out-of-bounds data, such as strcpy()
    • Canary word (a random value): when the buffer overflows, the canary word is overwritten before the return address is. By checking whether the canary word has been modified, the attack can be detected.
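To make the two defences concrete, here is an added C example (not code from the original post) that contrasts a bounds-checked copy with the unchecked strcpy() pattern and models a stack frame with a canary to show how the check catches an overrun. The struct frame layout, CANARY_VALUE and the helper names are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* Hardened copy: the bounds check the post asks for. Refuses any input that
 * would not fit (including the terminating NUL) instead of calling strcpy(). */
int safe_copy(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_len)
        return -1;              /* would overflow: reject, copy nothing */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Convenience: 1 if src is accepted into a BUF_LEN buffer, 0 if rejected. */
int fits_buffer(const char *src)
{
    char tmp[BUF_LEN];
    return safe_copy(tmp, sizeof tmp, src) == 0;
}

/* Model of a stack frame: local buffer, then the canary, then the saved return
 * address. A struct is used so the overrun can be simulated with defined
 * behaviour rather than a real out-of-bounds write (assumed layout). */
struct frame {
    char buf[BUF_LEN];
    uint32_t canary;
    uintptr_t ret_addr;
};

#define CANARY_VALUE 0xDEADBEEFu  /* stands in for a per-process random value */

/* Simulates an unchecked copy of src into the frame's buffer, then performs the
 * canary check. Returns 1 if the canary was clobbered (overflow detected), 0 if
 * it is intact. Writes are capped at the frame size. */
int canary_detects_overflow(const char *src)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;
    f.ret_addr = 0x1000;              /* placeholder saved return address */
    size_t n = strlen(src) + 1;       /* bytes an unchecked copy would write */
    if (n > sizeof f)
        n = sizeof f;
    memcpy(&f, src, n);               /* bytes past buf land on canary/ret_addr */
    return f.canary != CANARY_VALUE;
}
```

With a 12-character input both checks pass; with a 28-character input safe_copy() rejects it and the simulated canary check reports the overrun.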


Source: blog.csdn.net/qq_39328436/article/details/115246804