
PART I: GENERAL INTRODUCTION

Hooker is essentially an open-source Trojan. A Trojan is an illegitimate program hidden inside a legitimate one; the hidden program performs secret functions that the user neither knows about nor asked for. We return to what a Trojan does in a later section. A Trojan is also often called a RAT, a remote administration tool.

Today Trojans are a constant, major problem for network security and safety. Many people do not know what a Trojan is and download files without knowing where they came from. There are currently more than 1000 known Trojans, and probably many more, because every hacker, programmer or hacking group writes their own, and these are not published on the net until they are discovered.

A Trojan is a computer program that looks useful but actually does damage. Trojans spread when people are lured into running a program because they believe it comes from a legitimate source; they can also be bundled into software you download for free. Unlike a virus, a Trojan is a piece of code with no capacity to spread on its own: it is installed only because its author tricks the victim, whereas a virus seeks out victims automatically. Software carrying a Trojan is usually presented as a utility or an attractive new program so that users are drawn to run it.

In this paper we present Trojans and Hooker: the basic concepts, how they attach themselves to a system, how they steal user accounts, and how they get into your machine.

PART II: CONTENT


I. Overview of the Hooker virus
1. What is Hooker?
Strictly speaking, calling Hooker a virus is not quite right, since the defining property of a virus is that it spreads by itself. Hooker is properly classified as a Trojan.

2. History of the Hooker virus

2.1 Version 1.0: Only an experimental program with very weak functionality (just a simple keylogger). It was completely rewritten in the next version.
2.2 Version 2.0: Now sends the keylog and copies the password files (*.pwl). It sets a registry entry that determines the path for the user. The maximum size of the log file can be set; after the log file has been sent it is deleted and a new one is started. Hooker adds marker words at the front of the subject and stores these settings.
2.3 Version 2.1: Adds the words that were sent, and those after the login described above.
2.4 Version 2.2 beta 1: Fixes serious bugs in keylogging and in the hooking of functions in keylogdll, making the trojan more stable and adding functions.
2.5 Version 2.2 beta 2: Fixes a bug in the function that reports the system date and time.
2.6 Version 2.3 beta 14: Detects a further bug in the RAS connection and fixes it. It sometimes also conflicted with some modes, when the keylogging DLL was LZW-compressed.
2.7 Version 2.3 beta 5: Hooker sends the keylogs. If the window shows only a ".", the trojan was unable to send the mail (Hooker just fills the mailbox with a large number of messages).
2.8 Version 2.3 beta 6: A small change in the mail-sending routine lets Hooker start on machines without rasapi32.dll.
2.9 Version 2.4: No further betas; this is the release. Fixes a small bug in user name and host name detection. Adds a few options. Full keylog: if unchecked, Hooker logs only the windows in which keystrokes occurred. Advanced logging: if unchecked, Hooker does not log extended keys such as Shift and Alt. Also fixes a bug in IP connection handling.

II. How the virus reaches a machine


You can be infected from many sources:
- from ICQ
- from IRC
- from mail attachments
- from direct access
- by other tricks

1.1 From ICQ

Everyone knows how insecure ICQ is, and that is a problem for the people who use it. Yet many think that a Trojan cannot reach them while they are chatting, when in fact the person they are talking to can send them one. You may know that ICQ has a bug that lets you send someone an .exe file which appears to the recipient as if you were sending a sound or image file. For example: someone changes the icon of file.exe to look like file.bmp and tells you it is a picture of him. You download it and boom! If the sender had merely renamed file.exe to .bmp you would be safe, because a file renamed to .bmp will not execute. But when the file sent to you is really a Trojan bound together with an image file, and the sender has changed the icon of the .exe, the Trojan starts running without your suspecting anything, because a picture of someone is still displayed. This is why most users say they never run unknown files while in fact they have already run one without knowing it.

1.2 From IRC: Like the ICQ method, spreading over IRC comes down to tricking the victim into running the Trojan on their own machine.

1.3 From mail: Trojans spread by mail, and very fast. A simple and common technique is for the Trojan to take the addresses in the address book and mail itself to your friends. To guard against this, install a program that can check mail before it is downloaded and that also checks outgoing mail.

1.4 From direct access

While using a computer, one may pick up a Trojan through an access mistake, or someone may break into the machine and plant a Trojan on it.

1.5 Other tricks and ruses

On Microsoft Windows machines an attacker can attach a Trojan under an innocent-looking name to an e-mail to lure the reader into opening the attachment. Trojans are usually Windows executables and therefore carry extensions such as .exe, .com, .bat, .scr or .pif. Many Windows configurations hide these extensions by default, so a trojan named, say, Readme.txt.exe is displayed as Readme.txt and fools the user into thinking it is a harmless text document. Icons can likewise be assigned to different file types and attached to e-mail; when the user opens the icon, the hidden Trojan does its unexpected damage. Today's Trojans do not only delete files and secretly change the configuration of the infected computer; they also use it as a base for attacking other machines on the network. By exploiting bugs in web browsers such as Internet Explorer, Trojans can be embedded in a web page that infects anyone who views it. Users should install patches regularly and use a browser with stronger security, such as Firefox.
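The hidden-extension trick above can be checked mechanically at a mail gateway or on the desktop. The following is an added example, not part of the original paper: it emulates Explorer's "hide extensions for known file types" display and flags attachments whose displayed name ends in a harmless-looking type while the real extension is one of the executable types the paper lists. The extension sets, the whitespace-padding variant and the sample file names are assumptions chosen for the demonstration.

```python
"""Added example, not from the original paper: spot attachments that rely on
Windows hiding the real extension (Readme.txt.exe shown as Readme.txt).
The extension sets below are assumptions chosen to match the paper's text."""

# Executable types the paper names for Windows (assumed sufficient here;
# a real gateway would carry a longer list).
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "scr", "pif"}

# Harmless-looking types an attacker would want the victim to see (assumed).
BENIGN_LOOKING_EXTENSIONS = {"txt", "doc", "bmp", "jpg", "gif", "wav", "mp3", "pdf"}


def true_extension(filename: str) -> str:
    """Last extension, lower-cased; whitespace is stripped so a name padded
    with spaces before the real extension is still read correctly
    (assumed variant of the trick)."""
    if "." not in filename:
        return ""
    return filename.rpartition(".")[2].strip().lower()


def displayed_name(filename: str) -> str:
    """Emulate Explorer's 'hide extensions for known file types' default:
    a registered extension is dropped from the displayed name."""
    base, sep, ext = filename.rpartition(".")
    if sep and ext.strip().lower() in EXECUTABLE_EXTENSIONS | BENIGN_LOOKING_EXTENSIONS:
        return base
    return filename


def classify_attachment(filename: str) -> str:
    """'disguised-executable': runs as a program but is shown as a benign type
    'executable'           : runs as a program and is shown as one
    'data'                 : not executable by extension; a .exe merely renamed
                             to .bmp lands here, since double-clicking it will
                             not run it (the paper's point about renaming)"""
    if true_extension(filename) not in EXECUTABLE_EXTENSIONS:
        return "data"
    if true_extension(displayed_name(filename)) in BENIGN_LOOKING_EXTENSIONS:
        return "disguised-executable"
    return "executable"


def scan_attachments(filenames):
    """Return the names that should be held back, with their verdicts."""
    return [(name, classify_attachment(name)) for name in filenames
            if classify_attachment(name) != "data"]


if __name__ == "__main__":
    # Constructed sample attachment names.
    for name, verdict in scan_attachments(
            ["Readme.txt.exe", "photo.bmp", "me.JPG.scr", "setup.exe", "notes"]):
        print(f"{name!r} is shown as {displayed_name(name)!r}: {verdict}")
```

The classification deliberately treats a plain `setup.exe` differently from `Readme.txt.exe`: both are executables, but only the second lies about what it is, which is the case the paper describes.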

III. How it works

1. Once the trojan is activated, it does the following:

- Finds a safe place to hide: the main code can create two or three files, or more, and look for a good place to hide them; the favourite locations are ...\system and ...\system32. Among these files one acts as the trigger, usually an executable with an extension such as .com, .exe, .bat or .inf; another stores functions, libraries or data. A file holding a library usually has the extension .dll, while a file holding data usually ends in .dat or .tmp.
- Seizes a startup slot: once safely hidden, the trojan arranges to be started in one of several ways. These are the places Windows runs first at startup:
  - the Autostart folder: if the trojan's startup file is trojan.exe, then C:\Windows\Start Menu\Programs\StartUp\trojan.exe
  - in C:\Windows\Win.ini, on the line load=Trojan.exe or run=Trojan.exe
  - in C:\Windows\System.ini, after the shell entry: Shell=Explorer.exe trojan.exe, so the trojan runs whenever Explorer.exe runs
  - in Autoexec.bat: c:\...\Trojan.exe
  - Explorer startup: c:\explorer.exe,c:\...\trojan.exe
  - a key in the Registry:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "trojan"="c:\...\Trojan.exe"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] "trojan"="c:\...\Trojan.exe"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "trojan"="c:\...\Trojan.exe"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] "trojan"="c:\...\Trojan.exe"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "trojan"="c:\...\Trojan.exe"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] "trojan"="c:\...\Trojan.exe"
  - the Registry shell open command, whose normal value is "%1" %*:
    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
    trojan.exe "%1" %*
    so the trojan is started, with the real program as its argument, every time any .exe is launched
  - applications that themselves launch other programs, for example ICQ: [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
  - ActiveX: [HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName] StubPath=C:\...\Trojan.exe
- Kills antivirus and firewall software, i.e. the programs that would fight it, by scanning memory and, whenever a process matches a name in the list carried in its data file, removing or blocking it. The list may include the following:

ZONEALARM.EXE WFINDV32.EXE WEBSCANX.EXE VSSTAT.EXE VSHWIN32.EXE VSECOMR.EXE VSCAN40.EXE VETTRAY.EXE
VET95.EXE NT.98.EXE TCA.EXE TBSCAN.EXE SWEEP95.EXE SPHINX.EXE SMC.EXE SERV95.EXE SCRSCAN.EXE SCANPM.EXE
SCAN95.EXE SCAN32.EXE SAFEWEB.EXE RESCUE.EXE RAV7WIN.EXE RAV7.EXE PERSFW.EXE PCFWALLICON.EXE PCCWIN98.EXE
PAVW.EXE PAVSCHED.EXE PAVCL.EXE PADMIN.EXE OUTPOST.EXE NVC95.EXE NUPGRADE.EXE NORMIST.EXE NMAIN.EXE
NISUM.EXE NAVWNT.EXE NAVW32.EXE NAVNT.EXE NAVLU32.EXE NAVAPW32.EXE N32SCANW.EXE MPFTRAY.EXE MOOLIVE.EXE
LUALL.EXE LOOKOUT.EXE LOCKDOWN2000.EXE JEDI.EXE IOMON98.EXE IFACE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE
ICLOADNT.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSERV.EXE IAMAPP.EXE FRW.EXE FPROT.EXE FP-WIN.EXE
FINDVIRU.EXE F-STOPW.EXE F-PROT95.EXE F-PROT.EXE FAGNT95.EXE ESPWATCH.EXE ESAFE.EXE ECENGINE.EXE
DVP95_0.EXE DVP95.EXE CLEANER3.EXE CLEANER.EXE CLAW95CF.EXE CLAW95.EXE CFINET32.EXE CFINET.EXE
CFIAUDIT.EXE CFIADMIN.EXE BLACKICE.EXE BLACKD.EXE AVWUPD32.EXE AVWIN95.EXE AVSCHED32.EXE AVPUPD.EXE
AVPTC32.EXE AVPM.EXE AVPDOS32.EXE AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVKSERV.EXE AVGCTRL.EXE AVE32.EXE
AVCONSOL.EXE AUTODOWN.EXE APVXDWIN.EXE ANTI-TROJAN.EXE ACKWIN32.EXE _AVPM.EXE _AVPCC.EXE _AVP32.EXE
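Each startup location listed above is also a place to look when checking a machine. The following is an added example, not from the paper and not Hooker's code: it parses a win.ini, a system.ini and a regedit export (constructed samples here) and reports everything that would start with Windows through the locations the paper names, including the exefile\shell\open\command hijack, where any value other than "%1" %* means a hook. Working from text exports keeps it runnable offline; the trojan path in the samples is an assumption.

```python
"""Added example, not from the paper and not Hooker's code: audit the
autostart locations the paper lists from text exports (win.ini, system.ini,
a regedit /e export) so it runs offline. The samples are constructed and the
trojan path in them is an assumption."""

# Run keys the paper names, and the exefile hijack keys with their clean value.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
EXEFILE_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
)
EXEFILE_DEFAULT = '"%1" %*'   # anything else means every .exe launch goes through a hook


def parse_ini(text):
    """Minimal INI parser: {section(lower): {key(lower): value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_reg_export(text):
    """Minimal regedit-export parser: {key(lower): {value_name: data}}.
    Quoted string data is unquoted and its backslash and quote escapes undone."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def audit_autostart(win_ini, system_ini, reg_export):
    """List (location, value) for everything started through the locations
    the paper lists. On a real machine compare the result against a known-good
    baseline; here every entry is reported."""
    findings = []
    windows = parse_ini(win_ini).get("windows", {})
    for key in ("load", "run"):          # win.ini load=/run= are empty on a clean system
        if windows.get(key):
            findings.append((f"win.ini [windows] {key}=", windows[key]))
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    tokens = shell.split()
    if tokens and tokens[0].lower() != "explorer.exe":
        findings.append(("system.ini shell= replaced", shell))
    elif len(tokens) > 1:                # "Shell=Explorer.exe trojan.exe"
        findings.append(("system.ini shell= trailing program", " ".join(tokens[1:])))
    reg = parse_reg_export(reg_export)
    for key in RUN_KEYS:
        for name, data in reg.get(key.lower(), {}).items():
            findings.append((key + "\\" + name, data))
    for key in EXEFILE_KEYS:
        command = reg.get(key.lower(), {}).get("(Default)")
        if command is not None and command != EXEFILE_DEFAULT:
            findings.append((key + " hijacked", command))
    return findings


# Constructed samples: a win.ini run= line, a system.ini shell= passenger, a
# Run key entry and one hijacked exefile key, all pointing at an assumed path.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\trojan.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_SYSTEM_INI = r"""[boot]
shell=Explorer.exe trojan.exe
[386Enh]
device=*vmm32
"""
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"trojan"="c:\\windows\\system\\trojan.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\windows\\system\\trojan.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
"""

if __name__ == "__main__":
    for location, value in audit_autostart(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_REG):
        print(f"{location}: {value}")
```

The legitimate SystemTray entry is reported alongside the trojan's, which is the point: an auditor lists everything that starts, and the operator decides against a baseline. The HKLM\SOFTWARE\Classes copy of the exefile key is left at its default in the sample and produces no finding, while the HKEY_CLASSES_ROOT copy is flagged.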

2. Disguise techniques

Splitting itself into several parts helps the Trojan a great deal in hiding. The main code sits in dynamic link libraries (.dll) named to look very much like a Windows library, which makes it hard to detect, and is placed where files of the same kind live, usually the C:\...\system folder. The boot stub, whose job is to start the rest, is very small and may be encrypted and hidden so that it passes for a harmless file. To defeat monitoring by anti-malware software, the code may add instructions that do not change the program's logic (to defeat emulation), so that the file size changes at every startup; or it may hide inside a program people commonly use by splicing a command into that program (at the beginning, in the middle or at the end, without disturbing the host program). Done this way the boot stub is not easy to find, and even if it is deleted from disk, running the host program brings it back to life. To hide further, the trojan stays out of the task list, so that pressing CTRL+ALT+DEL does not show it, or it sabotages msconfig, the command that shows Windows' startup items. In addition, once the main code has been activated, the freshly created boot stub carries a command to check for and delete the main program as well, making concealment tighter still. Because stealing information has to be done discreetly, the trojan treats stealth and concealment as paramount.

2.1 Collecting information

What is collected depends on the trojan's designer, but the main tasks are:
+ Steal passwords for webmail and for any application that uses a login and password: ICQ, IRC, FTP, HTTP...
+ Take all files of the types .DBX, .TBB, .EML, .MBX, .NCH, .MMF, .INBOX, .ODS, in order to read all of the victim's mail.
+ Take certain files the designer asks for, mostly application data and credential files: .doc, .dbf, .sxl, .pwl, .log.
+ Seize resources: the trojan can open ports and set up a protocol that lets it pull more data from other machines, or lets its owner connect remotely to the victim to take information or take control of the machine (delete, upload, download...), hijacking HTTP, FTP, SMTP... so that contacting the owner is easier.

2.2 Contacting its owner

The trojan's author cares about this final requirement above all: the trojan must get in touch with them, and it is the step the owner waits for most. To reach its owner the trojan uses the following routes:

+ SMTP on port 25 (with POP3 on the receiving side), i.e. through a mail server from which the owner can collect the messages. But SMTP needs a network connection, and sending mail while offline would of course raise an alert on the victim's machine. The trojan therefore stores a few addresses in its data section and checks the value of a URL: if the page or the URL has changed, the network is clearly up. Alternatively it uses google.com to test connectivity.
+ FTP on port 21, HTTP on port 80, or port 23, to send data to the owner.
+ It may open a port and wait for its owner to connect to the victim's machine. Most later trojans use every kind of channel, but over time they exploit resources more thoroughly and lean toward the open-port-and-wait type, which lets the owner extract more information. To support the connection between the trojan on the victim's machine and its owner, the trojan's data section also stores two further items: a lookup name and a password.

2.3 Configuring the trojan

After downloading a trojan, the following must be supplied:
+ the .exe file containing the code, which needs the connection details
+ the recipient's address, i.e. the owner's contact address; without it very little is possible
+ the SMTP mail server, i.e. a borrowed mail server to hold the mail the trojan sends back
+ the name of the output file, produced after the details have been filled in and bound to the .exe
Once this is done it produces a file; this file is the finished, working trojan.

IV. How to protect yourself

+ Some antivirus programs, such as anti-trojan and antivirus products, can help to an extent.
+ Use a port scanner to see whether you have any odd ports open.
+ Before running a file, check it first.
+ Do not accept files from strangers.
+ The most effective measure is never to open attachments that arrive unexpectedly. If the attachment is never opened, the Trojan horse cannot run. Be careful even with e-mail from familiar addresses; even when you are sure an attachment came from someone you know, scan it with antivirus software before opening it. Files downloaded from file-sharing services such as Kazaa or Gnutella are highly suspect, because these services are commonly used to spread Trojan horses.
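The advice to scan for odd open ports, combined with the contact channels in section 2.2 (SMTP on 25, FTP on 21, port 23, and a listening port waiting for the owner), can be turned into a simple host check. The following is an added example, not part of the paper: it parses a constructed netstat -an listing and reports listeners outside a known-good baseline and established sessions on those ports to hosts a workstation should not be talking to. The listing, the baseline, the internal network range and the mail-server address are all assumptions.

```python
"""Added example, not from the paper: apply its advice to "scan for odd open
ports" to a parsed `netstat -an` listing, and also flag established sessions on
the contact channels from section 2.2. The listing, the listener baseline, the
internal network and the mail-server address are all constructed assumptions."""
import ipaddress

# Constructed Windows `netstat -an` output. The 2222 listener stands for a
# trojan's open port, the SMTP session to 198.51.100.7 for mail-based
# exfiltration, the FTP session for an upload channel; 192.168.1.5 plays the
# site mail server and 203.0.113.9:80 is ordinary web browsing.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2222           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1044      198.51.100.7:25        ESTABLISHED
  TCP    192.168.1.20:1045      192.168.1.5:25         ESTABLISHED
  TCP    192.168.1.20:1046      203.0.113.9:80         ESTABLISHED
  TCP    192.168.1.20:1047      203.0.113.44:21        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 139), ("UDP", 137)}   # assumed baseline
INTERNAL_NETWORK = ipaddress.ip_network("192.168.1.0/24")          # assumed
INTERNAL_MAIL_SERVER = "192.168.1.5"                               # assumed
CONTACT_PORTS = {21, 23, 25, 80}   # channels the paper says trojans use to reach their owner


def parse_netstat(text):
    """Rows as dicts: proto, local ip/port, remote ip/port (None for *:*), state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lip, lport = parts[1].rsplit(":", 1)
        rip, rport = parts[2].rsplit(":", 1)
        rows.append({
            "proto": parts[0],
            "lip": lip, "lport": int(lport),
            "rip": rip, "rport": int(rport) if rport.isdigit() else None,
            "state": parts[3] if len(parts) > 3 else "",
        })
    return rows


def unexpected_listeners(rows, baseline=EXPECTED_LISTENERS):
    """Sockets accepting input that are not in the known-good baseline: the
    'open a port and wait for the owner' case."""
    listening = {(r["proto"], r["lport"]) for r in rows
                 if r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["rip"] == "*")}
    return sorted(listening - baseline)


def suspicious_outbound(rows, mail_server=INTERNAL_MAIL_SERVER, internal=INTERNAL_NETWORK):
    """Established sessions on the contact ports that a workstation should not
    have: SMTP to anything but the site mail server, FTP or telnet to a host
    outside the internal network. HTTP on 80 to external hosts is deliberately
    not flagged, since it blends with browsing; that needs content inspection."""
    hits = []
    for r in rows:
        if r["state"] != "ESTABLISHED" or r["rport"] not in CONTACT_PORTS:
            continue
        if r["rport"] == 25 and r["rip"] != mail_server:
            hits.append((r["rip"], 25, "smtp not to site mail server"))
        elif r["rport"] in (21, 23) and ipaddress.ip_address(r["rip"]) not in internal:
            hits.append((r["rip"], r["rport"], "ftp/telnet to external host"))
    return hits


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("unexpected listeners:", unexpected_listeners(rows))
    print("suspicious outbound :", suspicious_outbound(rows))
```

A workstation talking SMTP directly to an outside host is the mail-exfiltration pattern from section 2.2 and is worth an alert on its own; the same check on port 80 would fire on every web page, which is exactly why the paper notes that trojans favour HTTP.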
