
SPECIAL TOPIC: TROJANS

STUDENT:

NGH CM LI

Student ID: 07010240

Lecturer: DNG THIN T

PREFACE
As Internet services spread across the world, the strains of Virus, Trojan and Worm, collectively called Malware, gradually appeared and grew at an astonishing rate. Within only a few years they exposed the shortcomings of software and services and caused enormous economic damage, shaking the world in 1999. Anti-malware software therefore appeared, one product after another. From then on two camps as opposed as fire and water emerged in the virtual world: white-hat HACKERS and black-hat HACKERS. Black-hat hackers study the holes in programs and system bugs in order to create harmful Malware that serves their own interests. White-hat HACKERS do the opposite: they study how to prevent and remove that Malware to protect the IT community. (^.^) It remains the biggest war in the virtual world of the IT community to this day. In this topic we study only the origins and history and some basic concepts of viruses, worms and trojans. We also look at how viruses, worms and trojans work and how to prevent and remove them. Specifically, we study Trojans, a small part of Malware. The research may still contain some shortcomings; we hope readers will contribute their comments so the topic can be improved and completed!

TABLE OF CONTENTS
Chapter I: Origins and History - Basic Concepts
I. Origins and history
II. What is a computer virus?
III. What are the variants of viruses?
IV. What is a Trojan?

Chapter II: How Trojans work, and how to prevent and remove them
I. How does a Trojan work?
II. Some ports commonly used by Trojans
III. Classification of Trojans
IV. Common ways of getting infected by a Trojan
V. Some ways of recognising a trojan
VI. How to use some basic Trojans
VII. How to use tools to detect trojans
VIII. Ways to prevent Trojans, and some specific Trojans
IX. Examples of removing some basic Trojans

CHAPTER I: ORIGINS AND HISTORY - BASIC CONCEPTS


I. Origins and History:
HISTORY OF COMPUTER VIRUSES
It can be said that computer viruses have had a fairly long development, always side by side with their travelling companion, the "computer" (which, of course, does not enjoy the company at all). As software and hardware technology advances, viruses advance with it. When the operating system changes, the computer virus changes itself to suit that operating system so that it can keep living off it as a parasite. Naturally, viruses do not arise on their own. Writing a virus may be done for sabotage, for experiment, or simply as a malicious joke. The trouble is that these clever heads have given us headaches to deal with, and the struggle is almost endless; it continues to this day. Various documents give different accounts of the origin of computer viruses, which is understandable: at the time, nobody could imagine the crowded and dangerous "society" of computer viruses we have today, so few people paid attention to them. Only when they caused serious consequences, as they do today, did people go back through the records to find out. Still, most of the stories about the origin of computer viruses relate more or less to the following events:
1983 - the principle behind the game "Core War"

[Photo: Frederik Cohen]
"Core War" is a battle of wits between two program fragments written by two programmers. Each player places a self-replicating program called an Organism into the computer's memory. Once the game starts, each player tries to destroy the opponent's Organism and reproduce their own. The winner is the player who has replicated the most. This "Core War" game was kept secret until 1983, when Ken Thompson, who wrote the first version of the UNIX operating system, revealed it on receiving one of computing's most honoured prizes, the A.M. Turing Award. In his speech he put forward an idea of a computer virus based on the "Core War" game. Also in 1983, Dr. Frederik Cohen demonstrated the existence of computer viruses. In May 1984, Scientific American published an article describing "Core War" and giving readers instructions for the game. From then on computer viruses appeared, and with them the war between those who write viruses and those who eradicate them.
1986 - Brain virus
Possibly the first computer virus in the world, Brain quietly landed from Pakistan in the United States, its first target being the University of Delaware. Another place in the world also described the appearance of a virus: the Hebrew University in Israel.
1987 - Lehigh virus appears
Once again a university is involved. Lehigh is the name of the virus that appeared in 1987 at that university. A number of other viruses appeared during this period, notably the WORM virus, a nightmare for server systems. The name Jerusalem surely stays in IBM's memory for its respectable rate of spread: 500,000 copies in 1 hour.
1988 - Virus spreading over the network
On 2 November 1988 Robert Morris released a virus into the most important computer network in the US, causing major damage. Only from then on did people begin to realise how harmful computer viruses are.
1989 - AIDS Trojan
The Trojan appears, also called the "Trojan horse". Trojans are not computer viruses, but they always go together with the notion of a virus. Once one of these "Trojan horses" attaches to your computer, it steals some secret information from it and sends it to an address where the horse's owner wants it delivered, or simply destroys the data on your computer.
1991 - Tequila virus
This was the first virus that specialists call polymorphic; it marked a turning point in the war between good and evil in computer systems. It was truly a headache for virus fighters, and such viruses are really not easy to remove. They can change their shape after every infection, making detection truly hard. Bkav has added several similar viruses, and we know how hard it is to remove them.
1992 - Michelangelo virus
Following the terror of the "polymorphic virus" of 1991, 1992 added strength to computer viruses by creating extremely complex polymorphism. They really always know how to make trouble for virus fighters.
1995 - Concept virus
Almost 10 years after the first computer virus appeared, this was the first virus whose operating principle changed almost completely compared with its predecessors. It came as a shock to antivirus companies as well as volunteers in the field of computer virus prevention. We can also be proud that when this virus appeared, before there was any "antibiotic" for it anywhere in the world, we in Vietnam came up with a very simple solution to eliminate it; that was also the moment Bkav began to be widely used nationwide. In the following years, viruses based on the Concept principle were collectively called macro viruses; they attack Microsoft's document editors (Word, Excel, PowerPoint). To this day, however, macro viruses have almost ceased to exist, and as people no longer use macros in their documents, macro viruses are gradually being forgotten...
1996 - Boza virus
When Microsoft moved to the Windows 95 operating system and believed no virus could breach its fortress, 1996 saw the appearance of a virus infecting Windows 95 (perhaps one should not challenge bad actors; it only provokes them further).
1999 - Melissa, Bubbleboy virus
This was a real nightmare for computers all over the world. The Melissa worm not only combined the features of an Internet worm and a macro virus, it also knew how to exploit a tool we use every day, Microsoft Outlook Express, against ourselves. When your computer is infected with Melissa, it distributes itself without the owner knowing, and you will be surprised to find yourself accused of spreading a virus. From a Friday to the following Monday, the virus managed to infect 250 thousand computers around the world via the Internet, including in Vietnam, causing hundreds of millions of USD in damage. Once more the war took a new turn, signalling many difficulties, because the Internet had proved to be an effective medium for computer viruses to spread across the globe in just a few hours. 1999 was truly a memorable year for computer users worldwide: besides Melissa, the Chernobyl virus, also called CIH, destroyed the data of millions of computers around the world on 26 April, causing nearly 1 billion USD in damage.

II. What is a computer virus?
Concept: A computer virus is essentially a program designed with a special purpose: it can replicate itself, copying itself into other programs. A virus program usually carries out the following steps:
- It finds a way to attach itself to a host object, modifying data so that the virus gains control every time the host program is executed.
- Once executed, the virus searches for other objects and infects them.
- It carries out sabotage or espionage activities.
- It returns control to the host program so that it runs as normal.
In principle, a virus can only infect objects that contain executable content. Examples: .BAT, .EXE and .COM files, Word, Excel and PowerPoint documents, or even .CLASS files written in Java.
COMPUTER VIRUSES AND COMPUTER NETWORKS
A virus can also use features of the operating system or of applications to propagate and infect over the network. Thanks to this ability, such viruses spread far more quickly and widely than other viruses. Viruses also exploit the capabilities of computer networks to carry out sabotage and espionage on the network, seriously affecting its stability, reliability and security. The special techniques of this kind of virus therefore need to be studied to ensure effective protection.
PROPERTIES OF COMPUTER VIRUSES
Viruses are computer programs designed with a special purpose, so they have the following special properties:
Propagation: This is the basic property that decides whether a program is a virus or not. All viruses are designed to spread as strongly as possible. That is also the factor that led to the birth of network viruses.
Destructiveness: This is the most dangerous property of viruses, although not every virus is destructive. A small number of viruses are designed to cause damage, including damage to data (stealing information, deleting information, causing program errors) and damage to the computer (formatting the hard disk, wiping the BIOS, ...), and affecting the network. Many viruses are not designed to do damage, but because of logic errors in their programming they sometimes cause effects no less dangerous, especially when several viruses coexist on one computer.
Compactness: Most viruses are very small compared with a normal program, around 4 KB or less (except for viruses written in high-level languages). Together with the infection property, this property gave rise to the name VIRUS.
Compatibility: Being computer programs, viruses are subject to compatibility like any other program. A virus designed for one system/environment cannot infect another system/environment. To overcome this weakness, viruses today tend to develop as hybrids: a virus made up of several parts, each able to infect a different environment.
Inheritance: Later viruses tend to inherit the ideas/techniques developed by earlier viruses in one way or another, keeping them unchanged or improving and modifying them. One case is viruses that gradually develop into virus families, such as the Date family, the CIH family and the Tiny family.

CLASSIFICATION OF COMPUTER VIRUSES
Viruses can be classified in many ways, based on different criteria, in order to identify the particular abilities/properties of each group and thus find a prevention method for each kind.
1) Classification by infection target and operating environment: For different host objects, the virus needs a different structure and technique to carry out the infection. Furthermore, in the operating environment of each host object, the virus also needs techniques specific to that environment. This method therefore classifies viruses by the host object the virus infects and the environment in which the virus operates. Using this method, viruses can be divided into the following types:

a. Boot viruses: Viruses that infect the Boot Sector / Master Boot on floppy disks / hard disks.
b. File viruses: Viruses that infect file types that contain executable content. These include files containing machine code, such as .COM and .EXE files, and files containing some kind of pseudo code, such as .BAT, .DOC and .XLS files. They are divided into 3 sub-types:
- File viruses operating in the DOS environment.
- File viruses operating in the Windows 3.x/9x/NT environment, including viruses that infect executable files on the corresponding operating systems.
- File viruses operating in the environment of other applications, including macro viruses and other kinds such as script viruses and Java viruses.
2) Classification by the method of finding infection targets: Resident viruses find their targets in a very different way from non-resident viruses, and therefore have different structures and techniques. Viruses are thus divided into 2 types:
i. Resident viruses: They monitor the activity of the environment and carry out camouflage, sabotage, anti-tunnelling and other tasks; whenever they detect an operation on a host object, the virus infects it.
ii. Non-resident viruses (transient or runtime viruses): The virus does not monitor the system's activity. Each time it is activated (when the host object is executed), the virus searches for other objects to infect.
3) Classification by infection method: Used to classify file viruses, based on the method used to infect the host object. The types are: Overwriting, Non-Destructive Overwriting, Shifting, Companion, Appending, Mid-File insertion, Jump Redirection, Space Filler.
4) Classification by degree of damage:

This classification only gives a rough assessment of the damage a virus does, so that a suitable prevention plan can be made. There are 2 types:
- Normal viruses: Viruses that do no damage or have no dangerous effect on data / the computer.
- Destructive viruses: Viruses that carry out destructive operations on computer data, typically Date and CIH.
5) Classification by virus family: Some viruses have been continually developed and improved since they appeared, forming a family with fairly similar structure and technique. Such viruses can be grouped into a family, for example the Date family, the CIH family and the Tiny family.
NETWORK INFECTION TECHNIQUES
Infection techniques on a LAN rest on one main idea: use the convenient links between computers to infect programs remotely. Some techniques follow:
1) Using the GetLogicalDriveStrings function: This function fills a buffer with a string that identifies the valid drives in the system. Its syntax (in C) is:
DWORD GetLogicalDriveStrings(
    DWORD nBufferLength,   // size of the buffer
    LPTSTR lpBuffer        // pointer to the buffer for the drive strings
);
If the user has mapped some remote drives to local drive letters, these drives appear in the string returned by GetLogicalDriveStrings. The virus then uses the GetDriveType function to decide which kind of drive to infect (removable, fixed, CD-ROM, RAM disk or network drive). Syntax:
UINT GetDriveType(
    LPCTSTR lpRootPathName   // pointer to the root directory
);
2) Enumerating the drives the user has connected to,

even though the user has not mapped them to local drive letters. This technique uses the API functions in the MPR.DLL library: WNetOpenEnum, WNetEnumResource and WNetCloseEnum. They are used as follows.
WNetOpenEnum starts an enumeration of network resources or existing connections:
DWORD WNetOpenEnum(
    DWORD dwScope,                // scope of the enumeration
    DWORD dwType,                 // type of resource to enumerate
    DWORD dwUsage,                // resource usage to enumerate
    LPNETRESOURCE lpNetResource,  // pointer to the resource structure
    LPHANDLE lphEnum              // pointer to the enumeration handle
);
WNetEnumResource continues an enumeration of network resources started with WNetOpenEnum:
DWORD WNetEnumResource(
    HANDLE hEnum,           // enumeration handle
    LPDWORD lpcCount,       // pointer to the number of entries to list
    LPVOID lpBuffer,        // pointer to the result buffer
    LPDWORD lpBufferSize    // size of the buffer
);
WNetCloseEnum ends a network resource enumeration started by WNetOpenEnum:
DWORD WNetCloseEnum(
    HANDLE hEnum   // enumeration handle
);
NETWORK SABOTAGE TECHNIQUES
A virus can use several other techniques for sabotage/espionage on the network, such as:
+ Opening listening ports (Listen Port): commands can then instruct the virus to carry out sabotage or espionage: send certain files, steal passwords, reboot or even destroy the system.

+ Denial-of-service (DoS) attacks: a virus opens connections to some HTTP/FTP server and holds them. If many users are infected with the virus, the number of connections can exceed the maximum the server provides. The virus can also send messages to the server continuously, overloading it and causing serious consequences for transactions on the network and for server data. Infection by connecting to special ports on the server and using the Internet Relay Chat protocol.
+ Allowing connections on some port, after which it redirects to another machine/port.
+ Carrying out other activities on the network using someone else's address instead of the virus writer's.
With some advanced techniques, a remotely controlled virus can be designed. Below is illustrative code written in Visual C++. The first program, SERVER.CPP, works as a server application; it is the component inside the virus and waits for commands from the second program. The second program, CLIENT.CPP, works as a client application; it is the program we use to communicate with the virus. The server creates a socket and waits for our instructions; when it receives a packet, it displays the packet's content in a message box.

```cpp
// SERVER.CPP
#include "stdafx.h"
#include <windows.h>
#include <winsock2.h>
#include <stdio.h>

#define LISTEN_PORT 16384

int main(int argc, char* argv[])
{
    char Buffer[128];
    int retval, fromlen;
    struct sockaddr_in local, from;
    WSADATA wsaData;
    SOCKET listen_socket;

    // Initialise Winsock 2.2
    if (WSAStartup(0x202, &wsaData) == SOCKET_ERROR) {
        WSACleanup();
        return -1;
    }

    // Bind to every local interface on the chosen UDP port
    local.sin_family = AF_INET;
    local.sin_addr.s_addr = INADDR_ANY;
    local.sin_port = htons(LISTEN_PORT);

    if ((listen_socket = socket(AF_INET, SOCK_DGRAM, 0)) == INVALID_SOCKET) {
        WSACleanup();
        return -1;
    }
    if (bind(listen_socket, (struct sockaddr *)&local, sizeof(local)) == SOCKET_ERROR) {
        closesocket(listen_socket);
        WSACleanup();
        return -1;
    }

    fromlen = sizeof(from);
    printf("Waiting for incoming messages\n\n");

    do {
        // Leave one byte free so the terminator below cannot overrun the buffer
        retval = recvfrom(listen_socket, Buffer, sizeof(Buffer) - 1, 0,
                          (struct sockaddr *)&from, &fromlen);
        if (retval != SOCKET_ERROR) {
            Buffer[retval] = '\0';
            // Show the datagram's text, with the sender's address as the title
            MessageBox(NULL, Buffer, inet_ntoa(from.sin_addr), MB_ICONINFORMATION | MB_OK);
        }
    } while (1);

    closesocket(listen_socket);
    WSACleanup();
    return 0;
}
```

III. What are the variants of viruses?
A computer worm is a program that can replicate itself like a computer virus. Whereas a computer virus attaches itself to, and becomes part of, executable code, a worm is an independent program that need not be part of another program in order to infect. Worms are usually designed to exploit the communication capabilities present on computers that share common characteristics (the same operating system or the same network software) and are networked together.
Spam, or spam mail, is useless e-mail, usually containing advertisements, sent indiscriminately to a very long list of recipients by individuals or groups; its quality is usually low. Sometimes it lures the gullible and tries to obtain their credit card numbers and personal details.
Malicious software (malware): (a blend of malicious and software) refers generally to software with harmful functions such as viruses, worms and Trojan horses.
Trojan Horse: This kind of program does damage similar to a virus, the only difference being that it does not replicate itself. The only way it spreads is therefore through chain letters. To get rid of it, the owner of the machine only has to find the Trojan horse file and delete it. That does not mean, however, that there cannot be two Trojan horses on the same system: the people who create this software use their programming skills to plant many copies before releasing it onto the network. This is also an extremely dangerous kind of virus: it can destroy the hard disk and destroy data.
Spyware: This kind of virus can penetrate the operating system directly without leaving "after-effects". Some antivirus programs come with a spyware remover, but it performs rather poorly against "epidemics".
Adware: Advertising software, very often found in installers downloaded from the network. Some are harmless, but some can fill the screen with information, forcing themselves on the user.
Botnet: Formerly this kind was used against remote computer control systems, but now it targets users.
Keylogger: Software that records the user's keystrokes. It can be useful for tracing the source of faults in computer systems and is sometimes used to measure the productivity of office staff. Such software is very useful to law enforcement and intelligence, for example as a means of obtaining passwords or cryptographic keys and thereby bypassing security devices. However, keylogger software is widely available on the Internet and anyone can use it to steal passwords and encryption keys.
Phishing: a criminal activity using fraud techniques. The fraudster tries to trick people into giving up sensitive information, such as passwords and credit card details, by posing as a trustworthy person or business in an electronic transaction. Phishing is usually carried out by e-mail or instant message, and somet times by telephone as well.
Rootkit: a set of software tools for hiding running processes, files or system data. Rootkits originated in relatively benign applications, but in recent years they have increasingly been used by malicious software to help an intruder keep access to a system while avoiding detection. Rootkits are known for many operating systems, such as Linux, Solaris and some versions of Microsoft Windows. Rootkits usually modify parts of the operating system or install themselves as drivers or kernel modules.
Ransomware: malicious software that uses a weak (breakable) cryptosystem to encrypt data belonging to an individual and demands a ransom before restoring it.
Backdoor: in a computer system, a backdoor is a way of bypassing the normal user authentication procedure, or of keeping remote access to a computer, while trying to remain undetected by ordinary monitoring. A backdoor may take the form of an installed program (for example Back Orifice, or the Sony/BMG rootkit backdoor that was installed when any of the millions of Sony music CDs was played on a Windows computer), or it may be a modification of a legitimate program, which is when it comes with a Trojan.
Passport virus: This kind of virus spreads through personal RFID cards, changing the card's contents, incriminating the user and possibly stealing the passport. Since RFID signals do not pass through metal, you should keep the card in a metal box when not in use.
Mobile phone virus: As if PCs were not enough of a headache for users, there are now mobile phone viruses. They usually spread through text messages. Some phone viruses crash the OS and damage the device. Others are merely annoying, for example changing icons so the device is hard to use. A few are after money: for example, a Trojan spreading on Russian phones sent text messages to premium-rate services that charge the sender.

IV. What is a TROJAN?

A Trojan is:
+ An illegitimate program contained inside a legitimate program. The illegitimate program performs hidden functions that the user does not know about or does not want. I will discuss the functions of trojans in a later section.
+ A Trojan may also be called a RAT, or remote administration tool.
+ The Trojan takes its name from an ancient myth about the Greeks at war: they gave their enemy a giant wooden horse. The Greeks' enemies accepted the gift and brought it inside their city, and that very night the Greek soldiers climbed out of the horse and attacked the city, completing the conquest of what is now called Troy.
- Today, trojans are always a major problem in network security and safety.
- Many people do not know what a Trojan is and download files without knowing where they come from.
- At present I know of more than 1000 Trojans and I know there are many, many more, because every hacker, programmer or hacker group writes their own trojan, and these trojans are not published on the network until they are discovered.
- When someone starts learning "Winsock", the first thing they create is a chat program or a Trojan. Even an antivirus specialist can be infected by their own trojan, or by some hacker's.
Antivirus programs
- Many people think that with a good virus scanner and the latest updates they are safe: their machine will not be infected by a trojan and nobody can get into their computer. This is completely wrong. The purpose of antivirus writers is to detect new viruses, not Trojans. Only once a trojan becomes widely known do the antivirus specialists add it to their scanner. I said I know of 1000 trojans, and I know of these 1000 trojans from the network and from virus scanners, but this is only a very small part of what the anti-virus specialists have found.
- These virus scanners are not firewalls; they will not detect a trojan and protect you while you are online.
- Most Internet users only know Back Orifice and NetBus as Trojans. There are a few special tools on the network that will clean out these published trojans, and once again users think they are protected from any trojan.
How did I get infected with a Trojan?
Everyone asks this question and everyone tries to find the answer themselves, but most of them fail. When a specialist asks whether you downloaded or copied a file from somewhere, 90% answer no, when in fact they did exactly that a few days earlier. You can be infected by a trojan from many sources, and I will try to explain with examples from the sources below:
I. From ICQ
Everyone knows how insecure ICQ is, and so does anyone who uses it. Many people think a trojan cannot spread while they are chatting on ICQ, but they forget that the person they are chatting with can send them a Trojan. You may know that ICQ has a bug that lets you send someone an .exe file that looks to the recipient as if you were sending a picture or sound file.... For example, someone changes the icon of an .exe file to that of a .bmp file and tells you it is his photo. You download it and boom boom boom!!! But if the sender is foolish enough to rename the .exe file to .bmp, you are safe, because once an .exe is renamed to .bmp it cannot execute.
But when the file sent to you really is a trojan bundled with a picture file and the sender has changed the icon of the .exe, you will run the trojan without any suspicion, because when the .exe runs it still shows someone's picture. That is why most users say they did not run any file when in fact they did. One way to guard against this ICQ bug is to always check the file type before running it. You are making a mistake if you skip that check and run a file as soon as someone sends it.
II. From IRC
As above: by tricking you into accepting trojans so that you run them.
III. From mail attachments
You probably know that many trojans and viruses spread by mail, and they spread very fast. A simple and common way is for the trojan to take the mail addresses in the address book and send itself to your friends. Right now, install a program that can check mail before downloading it and check the mail that is sent out.
IV. Direct access
Ha ha, you are a professional, you have the best anti-trojan program, you never download files from anywhere, not even from your best friend. You are safe. But nothing is more dangerous than an enemy inside the house. Hmm, your friend comes over, and while you are off making a drink, your friend quickly opens your machine; in less than 5 minutes your machine is drowning in a sea of trojans.
V. Tricks
You want xxx, a basic hacking tutorial, or any document; you keep asking your friend but he won't give it to you; then one fine day he suddenly gives it to you. You open it and run the file immediately without checking. If it turns out not to be the document you wanted, you get suspicious, check it and find it is a trojan; but when you got what you wanted, who checks whether anything was bundled with the file? These are only a few small examples, since I cannot cover every trick.
How dangerous are Trojans?
- Many people who do not know what a trojan is think that when they run one nothing happens, so they think trojans are not dangerous, because their computer still works and all their data is still there, whereas a virus might wipe all the data or stop the machine.
- When your machine is infected with a trojan, all the data on it is at risk. Usually the hacker does not delete these files but copies them to exploit, such as company secrets, Internet accounts and credit cards, and when there is nothing left to exploit the hacker may wipe your data. Sometimes the hacker also uses the trojan to install a destructive virus such as CIH. Those are a few examples of what a hacker can do once the Trojan is installed successfully.

CHAPTER II: HOW TROJANS WORK, AND HOW TO PREVENT AND REMOVE THEM
I. So how does a Trojan work?
You ask that one question and still don't know how a trojan works! Easy, don't get worked up, I will explain right now. When the victim runs the infected file, if it is a remote access trojan, the server file sits there waiting. It waits and waits until it receives the client's signal, at which point it immediately opens some port so the hacker can get in. It can use TCP or the UDP protocol. Once you connect to the victim's IP, you can do anything you want, because the trojan contains those commands. Some trojans are loaded as soon as Windows starts by modifying win.ini, system.ini or the registry.
II. Ports of some common Trojans:
Name - Port
Attack FTP - 666
Back Orifice - 31337
Back Orifice - 31338
BackDoor - 1999
BigGluck - 34324
Blade Runner - 5400
Blade Runner 1.x - 5401
Blade Runner 2.x - 5402
BO jammerkillahV - 121
BOWhack - 34324
Bugs - 2115
Deep Throat - 2140
DeepBO - 31339
DeepThroat - 6670
DeepThroat - 6771
Delta - 26274
Devil - 65000
Devil 1.03 - 65000
Doly Trojan - 1011
Evil FTP - 23456
Firehotcker - 5321
Fore - 50766


Fore, Schwindler - 50766
FTP99CMP - 1492
GabanBus - 1245
GateCrasher - 6969
GirlFriend - 21544
Gjamer - 12076
Hack'99 KeyLogger - 12223
Hackers Paradise - 456
ICKiller - 7789
ICQKiller - 7789
ICQTrojan - 4590
Indoctrination - 6939
InIkiller - 9989
Kuang - 30999
Master Paradise - 40423
Masters Paradise - 30129
Masters Paradise - 40421
Masters Paradise 1.x - 40422
Masters Paradise 2.x - 40423
Masters Paradise 3.x - 40426
Millenium - 20000
Millennium - 20001
NetBus - 1245
NetBus 1.x - 123456
NetBus 2 Pro - 20034
NetBus Pro - 20034
NetMonitor - 7300
NetMonitor - 7306
NetMonitor 1.x - 7301
NetMonitor 2.x - 7306
NetMonitor 3.x - 7307
NetMonitor 4.x - 7308
NetSphere - 30100
Netspy - 1033
NetSpy DK - 31666
NetSpy DK - 31339
Pass Ripper - 2023
Phase0 - 555
Phineas - 2801
Phineas Phucker - 2801
Portal of Doom - 3700
Portal of Doom - 9872

Portal of Doom - 9875
Portal of Doom 1.x - 9873
Portal of Doom 2.x - 9874
Portal of Doom 3.x - 9875
Portal of Doom 4.x - 10067
Portal of Doom 5.x - 10167
PortalOfDoom - 9872
Priority - 6969
Priority - 16969
Priotrity - 16969
Progenic Trojan - 11223
ProgenicTrojan - 11223
Prosiak - 22222
Prosiak - 33333
Prosiak 0.47 - 22222
Psyber Stream Server - 1170
Psyber Streaming Server - 1509
Remote Grab - 7000
Remote Windows Shutdown - 53001
Ripper - 2023
RoboHack - 5569
Satanz Backdoor - 666
Senna Spy - 11000
Senna Spy Trojans - 11000
Shiva Burka - 1600
Shockrave - 1981
Silencer - 1001
Socket23 - 30303
Sockets de Troie - 5000
Sockets de Troie - 50505
Sockets de Troie 1.x - 5001
SpySender - 1807
Stealth Spy - 555
Streaming Audio Trojan - 1170
Striker - 2565
SubSeven - 1234
Telecommando - 61466
The Invasor - 2140
The Spy - 40412
The tHing - 6400
TheSpy - 40412
Tiny Telnet Server - 34324


Trojan Cow - 2001
Ugly FTP - 23456
Ultors Trojan - 1234
Vodoo - 1245
VooDoo Doll - 1245
WebEx - 1001
Whack-a-mole - 12361
Whack-a-mole 1.x - 12362
WhackJob - 23456
WinCrash - 4092
Wincrash - 5742
Wincrash2 - 2583
III. Classification of Trojans:
So how many kinds of trojan are there?
- There are very many trojans, but they are mainly divided into the following basic kinds:
+ Remote Access Trojans: give the attacker complete remote control of the system.
+ Data-Sending Trojans: send sensitive information to the attacker.
+ Destructive Trojans: destroy the system.
+ Denial-of-Service (DoS) Attack Trojans: trojans for DoS attacks.
+ Proxy Trojans.
+ HTTP, FTP Trojans: the trojan turns itself into an HTTP or FTP server for the attacker to exploit.
+ Security Software Disable Trojans: turn off the security features on the victim's computer.

I - Remote access Trojans: These trojans are very widely used today. Their main function is to open a port on the victim's machine so that the hacker can come back and get into it. They are very easy to use: once the victim is infected and the hacker has the victim's IP, the hacker has full access to the victim's machine. The functions differ by trojan (keylogger, file download, upload, command execution...); you must read the manual carefully to use all its functions effectively. Well-known examples of this kind: NetBus, Back Orifice...
II - Keyloggers: You know this one all too well; it records everything typed on the keyboard and sends it back to the hacker when the victim is online. Example: kuang keylogger.
III - Password-sending Trojans: Read all the passwords kept in the cache plus information about the victim's machine and send it back to the hacker whenever the victim is online. Examples: barok, kuang, bario...
IV - Destructive Trojans: These trojans are very easy to use. They have only one job: kill, kill, kill, destroy, destroy, destroy every file on your machine (e.g. .exe, .dll, .ini files...). They are very dangerous because a single infection wipes out all your data, leaving nothing. Example: a three-year-old could write one of these, so no example needed.
V - FTP Trojans: This kind opens port 21 on your machine and lets everyone connect to your computer without a password, with full rights to download any data.
These are the common, most widely used kinds of trojan. Be careful when using them, or you will cut yourself playing with knives!
So what does a hacker look for on my machine?
Many people think hackers use trojans only to damage their machine; that is completely wrong. A trojan is a very effective spy that helps the hacker find a great deal of information on the victim's machine. They may look for:
+ Credit card information
+ Information about your account on the server
+ Your accounts on other servers
+ Confidential data
+ Mail address lists (spammers love these)
+ Someone's home address
+ Account passwords
+ Information about your customers
+ All the information present at your company
+ Use of the victim's computer to perform some task, such as attacking, scanning or flooding the victim's network.
In short, a great deal: whatever is valuable and worth exploiting gets taken.

IV. Common ways of getting infected by a Trojan:


- Through online chat applications such as IRC (Internet Relay Chat)
- Through files attached to mail
- Through the physical layer, such as exchanging data via USB, CD or HDD
- When running a file infected by a Trojan
- Through NetBIOS file sharing
- Through dangerous programs
- From untrusted websites or websites offering free software
- It can hide in ordinary applications; when that application runs, the Trojan runs immediately as well.
To find out which ports on the computer are active we use the command: netstat -an

V. Ways to recognise that a machine is infected by a Trojan:


- The CD-ROM drive opens and closes by itself.
- The computer shows strange signs on the screen.
- The background of Windows windows changes.
- Documents print by themselves.
- The computer changes fonts and other settings by itself.
- The desktop wallpaper changes by itself and cannot be changed back.
- Left and right mouse buttons are swapped.
- The mouse pointer is not shown on the screen.
- The Start button is not shown.
- Some chat windows pop up.
Ports used by common Trojans:

Back Orifice: UDP protocol, ports 31337 and 31338
Deep Throat: UDP protocol, ports 2140 and 3150
NetBus: TCP protocol, ports 12345 and 12346
Whack-a-mole: TCP, ports 12361 and 12362
NetBus 2 Pro: TCP, port 20034
GirlFriend: TCP protocol, port 21544
Masters Paradise: TCP protocol, ports 3129, 40421, 40422, 40423 and 40426
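The port tables above are only useful if you actually compare them with what `netstat -an` shows. The following script is an added example (not code from the original document) that parses `netstat -an` output in the Windows format, flags bound sockets whose protocol and port match the tables, and then lists any other listening port that is neither expected nor in the tables, since trojans such as iCmd or netcat can be told to listen anywhere. The sample output and the expected-port set are constructed for the example.

```python
"""Audit `netstat -an` output for sockets bound on ports the Trojan tables above list."""

# (protocol, port) -> Trojan name, taken from the page's port lists above.
TROJAN_PORTS = {
    ("UDP", 31337): "Back Orifice",
    ("UDP", 31338): "Back Orifice",
    ("UDP", 2140): "Deep Throat",
    ("UDP", 3150): "Deep Throat",
    ("TCP", 12345): "NetBus",
    ("TCP", 12346): "NetBus",
    ("TCP", 12361): "Whack-a-mole",
    ("TCP", 12362): "Whack-a-mole",
    ("TCP", 20034): "NetBus 2 Pro",
    ("TCP", 21544): "GirlFriend",
    ("TCP", 3129): "Masters Paradise",
    ("TCP", 40421): "Masters Paradise",
    ("TCP", 40422): "Masters Paradise",
    ("TCP", 40423): "Masters Paradise",
    ("TCP", 40426): "Masters Paradise",
    ("TCP", 1234): "SubSeven",
    ("TCP", 7777): "Tini (telnet backdoor)",
}

# Constructed sample in Windows `netstat -an` format (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.33:7777      0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    192.168.1.33:8800      192.168.1.10:1047      ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""


def parse_netstat(text):
    """Yield (proto, local_ip, port, state) for every socket line of `netstat -an` output.

    Header lines, blank lines and malformed addresses are skipped. UDP lines have no
    State column, so state is "" for them. IPv6 addresses such as "[::]:135" are handled
    by splitting on the last colon.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].upper() not in ("TCP", "UDP"):
            continue
        proto = fields[0].upper()
        ip, _, port_str = fields[1].rpartition(":")
        if not port_str.isdigit():
            continue
        state = fields[3] if proto == "TCP" and len(fields) > 3 else ""
        yield proto, ip, int(port_str), state


def find_trojan_ports(text):
    """Return [(proto, port, trojan_name)] for sockets bound on a known Trojan port.

    For TCP only LISTENING sockets count (an ESTABLISHED client connection to a high
    port is normal); a bound UDP socket is always reported because UDP has no state.
    """
    hits = []
    for proto, _ip, port, state in parse_netstat(text):
        name = TROJAN_PORTS.get((proto, port))
        if name and (proto == "UDP" or state == "LISTENING"):
            hits.append((proto, port, name))
    return hits


def unknown_listeners(text, expected_ports=frozenset({135, 137, 139, 445})):
    """Return [(proto, port)] for listening sockets that are neither expected nor in the table.

    Second pass: a trojan like iCmd or netcat listens on whatever port it was given
    (8080 and 8800 in the text), so a port missing from the table proves nothing.
    The expected-port set is a constructed placeholder for a real host baseline.
    """
    out = []
    for proto, _ip, port, state in parse_netstat(text):
        bound = state == "LISTENING" or proto == "UDP"
        if bound and (proto, port) not in TROJAN_PORTS and port not in expected_ports:
            out.append((proto, port))
    return out


if __name__ == "__main__":
    for proto, port, name in find_trojan_ports(SAMPLE_NETSTAT):
        print(f"{proto} port {port} is bound: matches {name}")
    for proto, port in unknown_listeners(SAMPLE_NETSTAT):
        print(f"{proto} port {port} is listening and not in the known-port table: review it")
```

On a real host, pipe `netstat -an` into the script and pair each flagged port with `netstat -ano` plus the Task Manager PID to identify the owning process.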

VI. How to use some Trojans:
The aim of this article is for you to understand Trojans; using Trojans is one of the basic parts of security research. Once you know how to use the various Trojans and how they work, you can devise network security solutions for your own business and for our important data. In this part I introduce the following Trojans:
- Tini
- iCmd
- Netcat
- HTTP RAT
a. The Tini Trojan
Any computer infected with this Trojan allows Telnet over port 7777 without any authentication.
- To infect a system, the Trojan only needs to be run once (or the file opened with Enter) and everything is done: it waits for Telnet connections on port 7777.
- On the machine 192.168.1.33 I run tini.exe; now, sitting at any other machine, I can use the command: telnet 192.168.1.33 7777 to get a console on that machine.

b. The iCmd Trojan
Similar to the Tini Trojan, but it lets you choose the telnet port and a password for accessing the infected machine. Example: the infected machine runs iCmd.exe with the command
- iCmd.exe vne 8080
meaning this machine enables telnet on port 8080 with the password "vne". In this example I put the file iCmd.exe in the folder vnexperts.net on C:\

- From another machine I can telnet to this machine with the command:
- Telnet <IP address> <port>
- As in the example above I type: telnet 192.168.1.33 8080. The system asks me for a password; I type vne and press Enter.

And the result:

c. The Netcat Trojan
This Trojan offers quite a few options, such as the port, running hidden, allowing telnet, etc. To run this Trojan I type the command:
Nc.exe -L -p <port> -t -e <program>
-L means listen mode
-p is the port to listen on
-t allows Telnet

-e runs a given program.
In this example I run the command
- Nc.exe -L -p 8800 -t -e cmd.exe

Now from any machine I can telnet to this machine on port 8800 and fully control the computer through a command-line interface.

d. HTTP RAT
It works as a pre-programmed web server that lets you manage the computer through a web interface. You can do this over the Internet: when a machine is infected with this Trojan, it automatically sends you an e-mail according to its configuration.

Now from any machine you can get into this machine through the window of any web browser: http://192.168.1.33. I can run, delete or download any file on the victim's machine.

e. ICMP Trojan
It uses ICMP as a tunnel, which almost any firewall or system lets through.
- On the victim's machine, which runs the ICMP Trojan Server, we must install this Trojan with the command

- Sitting at any machine, you use ICMPsend to reach the system infected with the ICMP Trojan remotely.

In practice there are many other kinds of Trojan, which you can read about on websites specialising in security; in this article I only demo a few Trojans for training purposes.

6. How to hide one or more Trojans inside a .exe or other ordinary executable file
The parts above show basic Trojan usage. Say you want to use the iCmd.exe Trojan: what do you have to do? Copy the file to the machine and run it with the command iCmd.exe vne 8800? That cannot be done, because nobody will let you sit at that machine. So how does this Trojan get onto the victim's machine? Unfortunately, clever attackers hide one or more Trojans inside an ordinary .exe file, such as a game, a Windows installer .exe or the executable of some free software, and sometimes even inside the installer of an antivirus program. Hiding a Trojan in a .exe file is done with wrapper technology. Commonly used programs:
- One file EXE Maker
- Yet Another Binder
- Pretator Wrapper
a. Using One file EXE Maker to hide and run the file iCmd.exe
Download this program's installer, install it on the machine and then run it to join the files. The EXE file I chose is a very popular Caro (Gomoku) game, Fiver6_8.exe.
- The Caro game file I run normally

- The file iCmd.exe I run hidden and copy into the system
- The extra command-line argument I choose for iCmd.exe is vne 8800, allowing telnet on port 8800 with the password vne.

Press Save to finish the process.
- I save it under the name caro.exe
Looking at the file sizes I see:
- iCmd.exe is 36KB
- Fiver6_8_en.exe is 310K
- Caro.exe, built from the two files above, is 353KB

Now I try running Caro.exe. Only the Caro game window appears, but an iCmd.exe is running as well; checking in Task Manager:

From any machine I can remotely reach this machine on port 8800 with the password vne.

In this article I only demo one program for hiding files inside an .exe; you can find such programs on the Internet.

VII. How to detect Trojans using tools:


How to detect a Trojan: any Trojan program follows three principles:
- To be usable, a Trojan must listen for requests on some port
- A running program must have a NAME in the process list
- A Trojan program always starts at the same time the computer boots.
a. Detecting the ports used by Trojans
- Use the command Netstat -an in Windows to find out which ports the system is listening on
+ In the picture below we see port 7777, which turns out to be the Tini Trojan's port
+ My machine has no service on port 8800, so why is it listening, and why is there a machine connected to it? That must be a Trojan

- Use the Fport program
- Use the TCPView program
Luckily I can see all the ports in use and which program is using which port. From here I can check my network services, and I can use the firewall to close any suspicious ports.
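The port check from the table in section V and from step a above, as an added Python example that is not part of the report: it parses `netstat -an` output, flags listeners on the listed Trojan ports (and Tini's 7777), and flags any other listener that is not in a caller-supplied set of expected ports. The netstat lines are constructed sample data, and the set of expected ports is an assumption the caller supplies.

```python
"""Added example (not from the report): apply the port check from sections V
and VII to `netstat -an` output. Port-to-Trojan assignments are copied from the
report's table; the netstat lines are constructed sample data."""
import re

# Ports listed in the report's table (section V) plus Tini's port (section VI a).
KNOWN_TROJAN_PORTS = {
    31337: "Back Orifice (UDP)", 31338: "Back Orifice (UDP)",
    2140: "Deep Throat (UDP)", 3150: "Deep Throat (UDP)",
    12345: "NetBus (TCP)", 12346: "NetBus (TCP)",
    12361: "Whack-a-mole (TCP)", 12362: "Whack-a-mole (TCP)",
    20034: "NetBus 2 Pro (TCP)",
    21544: "GirlFriend (TCP)",
    3129: "Masters Paradise (TCP)", 40421: "Masters Paradise (TCP)",
    40422: "Masters Paradise (TCP)", 40423: "Masters Paradise (TCP)",
    40426: "Masters Paradise (TCP)",
    7777: "Tini (TCP)",
}

# Constructed sample of Windows `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8800           0.0.0.0:0              LISTENING
  TCP    192.168.1.33:8800      192.168.1.10:1044      ESTABLISHED
  TCP    192.168.1.33:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:137            *:*
"""

# proto, local address, local port, foreign address, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local_port, state) for every connection line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, _local, port, _foreign, state = m.groups()
            rows.append((proto, int(port), state or ""))
    return rows


def suspicious_ports(text, allowed_listeners=frozenset()):
    """Flag listeners on known Trojan ports, and listeners on ports that are
    not in allowed_listeners (the report's "8800 is not one of mine, so why
    is it listening?" reasoning). Returns {port: reason}."""
    findings = {}
    for proto, port, state in parse_netstat(text):
        listening = proto == "UDP" or state == "LISTENING"
        if not listening:
            continue  # established/outbound sockets are not the Trojan's listener
        if port in KNOWN_TROJAN_PORTS:
            findings[port] = KNOWN_TROJAN_PORTS[port]
        elif port not in allowed_listeners:
            findings[port] = "unexpected listener ({})".format(proto)
    return findings


if __name__ == "__main__":
    # 135/137/139 are assumed to be the ports this host legitimately uses.
    for port, why in sorted(suspicious_ports(SAMPLE_NETSTAT, {135, 137, 139}).items()):
        print("port {:5d}: {}".format(port, why))
```

On a real host, feed the output of `netstat -an` to `suspicious_ports` instead of the sample and list the ports your own services are known to use as `allowed_listeners`.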

b. Detecting running programs
- Use the Process Viewer program: all processes are displayed, even those running hidden and not shown in the Windows Task Manager.

c. Finding programs that run at startup
- In Startup
- In the Registry: most of them will be here.
We use the command Msconfig; in the Startup tab, any program that wants to run automatically must be listed here. In this example I see the file nc.exe running at startup, located in the folder c:\vnexperts.net

VIII. How to defend against Trojans, and some common Trojans:


Defending against Trojans and backdoors
- Do not use untrusted software (sometimes even trusted software carries Trojans)
- Do not visit dangerous websites, and do not install the ActiveX controls and JavaScript offered on websites, because they may carry Trojans
- Most important of all: update the OS regularly
- Install reputable antivirus software. I usually use Kaspersky Internet Security, Norton Internet Security and McAfee Total Security, but I hear there are many other good antivirus and anti-Trojan programs. After installing these programs, update them regularly.

Besides this, the best way to defend against spyware is to use an operating system other than Windows (such as OS X, Linux, etc.), because very little spyware is written for those operating systems. Moreover, a lot of spyware is installed as ActiveX controls in Internet Explorer (IE), so a user of another browser such as Firefox or Opera will pick up less spyware. The following are some defensive measures for Windows (currently the most common operating system):

Use a genuine copy of Windows: with a genuine copy, the user need not worry about holes that crackers have created, accidentally or deliberately. Turn on the Windows auto-update function so the operating system can install bug fixes by itself.

Use different privilege levels for different tasks. The user should create a Windows account with just enough rights to run ordinary applications (in particular, without the right to install software); that account may be protected by a password or not (for instance, for relatives who share the machine). Another account with far more rights (the administrative account) is created by the machine's owner and used only for installing new software, maintenance and upgrades. This account must be protected by a password (preferably longer than 8 characters, containing letters and digits and no invalid characters).

If a serious problem occurs that antivirus programs cannot fix, the user should boot in "safe mode" (press F8 before Windows loads and choose "safe mode") and use "System Restore" to bring the machine back to a point before the "accident".

Raising IE's security level to guard against spyware

The licence agreements of companies that offer software downloads sometimes state explicitly that they will install spyware together with the software, but we rarely read these agreements completely and carefully, and the notices about installing spyware are usually placed in hard-to-see passages (such as small print). Therefore, before downloading any software, read these agreements carefully. Stay away from pornographic websites, which always offer free images and short videos: if you download these images or videos, spyware will enter your machine with them. Use anti-spyware software. Scan regularly to remove spyware. Reboot and scan again after each removal of a new spyware infection, because they reinfect (tickler). A well-known commercial anti-spyware program is Spy Sweeper.

Some very effective and complementary anti-spyware programs that can be downloaded free of charge are:

- Ad-aware by Lavasoft, chosen by PC Magazine in 2005.
- Spybot - Search & Destroy by Safer Networking Limited.
- SpywareBlaster by Javacool.

Microsoft has also published tools to strengthen the security of Windows systems: 'Microsoft Antispyware' (acquired from Giant Anti Spyware), Microsoft Defense, Security Analyser... These programs can be downloaded free of charge by going to www.download.com and typing the exact name of the anti-spyware program you want. In any case, no anti-spyware program is absolutely effective.

- You must have an antivirus program and a firewall on the machine (free firewalls: www.sygate.com or www.zonelabs.com).
- Internet Service Providers (ISPs) may also give us free tools to protect the machine (for instance Yahoo, AOL and even Google's experimental mailbox), from small things like a pop-up blocker that stops advertising windows from appearing, to installed protection software such as a firewall, antivirus, anti-spyware and spam-mail filters. Use them if you have nothing better, and always remember that these programs only help you limit spyware; they can hardly eradicate new kinds of spyware.
- Always remember to update the data files of your protection software at least weekly.
- Beware of peer-to-peer file-sharing services. Most popular applications of this kind include spyware in their installation routines.
- Avoid downloading scripts unless they come from major vendors or "good" sites.
- Beware of cookies: the data collected by cookies can overlap with confidential information held elsewhere and reveal your information in surprising ways. You can download the program Cookie Cop 2 to control cookies: www.pcmag.com/utilities
- Raise IE's security level to at least medium. Set it to disallow installation of every "ActiveX control" you did not request.
- Spyware can come from HTML e-mail. Delete without hesitation any e-mail whose origin you do not know and with which you have no connection. In Outlook 2003, use Tools > Options > Security tab and choose "Change Automatic Download Settings". Make sure you have selected "Don't download pictures or other content automatically in HTML e-mail".
- Knowing more about new spyware will help you avoid it more effectively. Visit www.pestpatrol.com/pestinfo for news about new spyware.

IX. Examples of how to remove some common Trojans:

1) Removing Trojan.Batnari


Discovered: 14 April 2010
Updated: 15 April 2010 1:25:20 AM
Type: Trojan
Size: 861,696 bytes
Threat level: Medium
Systems affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

The following instructions apply to all current and recent Symantec antivirus products, including Symantec AntiVirus and the Norton antivirus products:
1. Disable System Restore (Windows Me/XP)
2. Update the antivirus program to the latest definitions
3. Scan the whole system
4. Delete the values written to the Registry
Removal
1. Click Start > Run
2. Type Regedit
3. Click OK
4. Find and delete the values written to the Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 \"%Temp%\IXP000.TMP\\""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"wextract_cleanup1" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 \"%Temp%\IXP001.TMP\\""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"wextract_cleanup2" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 \"%Temp%\IXP002.TMP\\""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\"ConsoleTracingMask" = "4294901760"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\"EnableConsoleTracing" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\"EnableFileTracing" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\"FileDirectory" = "%Windir%\tracing"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\"FileTracingMask" = "4294901760"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\"MaxFileSize" = "1048576"

5. Exit the Registry editor

2) WildTangent: this software is installed through America Online Instant Messenger (AIM). According to AOL (America Online) it is needed to create connections between players in Internet games. Once installed, it collects information such as full name, phone number and e-mail address, as well as CPU speed and the video card and DirectX parameters. This information may be shared with other parties. If you do not play games, remove it as follows:
1. Start -> Run -> type regedit -> go to the branch HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Run
2. Find the value "wcmdmgr" in the right-hand pane and delete it.
3. Then close the program and reboot the machine.
4. Then also delete the WT subfolder in the Windows or WINNT folder.

3) Trojan-Downloader.Win32.Agent.mee
Discovered: 28/03/2008
Technical details
This malicious program is a Trojan. It is a Windows PE file. The size of the infected file ranges from about 70KB to 260KB. It is not packed and is written in Delphi.
Installation
When started, the Trojan copies itself into the "inetsrv" subfolder of the Windows folder under the name "lsass.exe":
%System%\inetsrv\lsass.exe
The "Hidden" and "read only" attributes are set on this file. To make sure it starts automatically every time the system reboots, it registers its executable in the registry as follows:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%System%\inetsrv\lsass.exe"
This key ensures that the Trojan is started before the user logs into Windows. The Trojan also creates a unique value, "izokraSizokras", as a marker of its presence on the system. It creates the following registry key:
[HKLM\Software\Microsoft\Internet Explorer\inet.]
"Day" = ""
Payload
The Trojan copies itself to all writable logical, removable and network drives as follows:
<X>:\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\lsass.exe
where <X> is the drive. It also adds the following file to the root folder of each drive:
<X>:\autorun.inf
This file starts the Trojan's executable whenever the user opens the infected drive by clicking directly on it. The "Hidden" and "Read only" attributes are set on all files created by the Trojan.
Removal instructions

If your computer does not have a regularly updated antivirus program, or has no effective antivirus solution, the following steps will help you remove it:
1. Use Task Manager to identify the Trojan's process
2. Delete the following registry key:
[HKLM\Software\Microsoft\Internet Explorer\inet.]
"Day" = ""
3. Delete the following registry value:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%System%\inetsrv\lsass.exe"
4. Delete the original Trojan file (its path depends on how the program got onto the system)
5. Delete the following files:
%System%\inetsrv\lsass.exe
<X>:\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\lsass.exe
<X>:\autorun.inf
6. Update the antivirus database and run a "full scan".

4) Trojan-Spy.Win32.Zbot.ikh
Discovered: 21/12/2008
Technical details
This Trojan is designed to steal private, confidential data. Its size is 67072 bytes.
Installation
It copies its executable into the Windows system folder:
%System%\twex.exe
To make sure the Trojan starts automatically when the system reboots, it adds a link to its executable in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,"
Payload
The Trojan injects its code into all processes on the victim's machine and hooks the following API functions:

NtCreateFile
NtQueryDirectoryInformation
LdrLoadDll
LdrGetProcedureAddress
NtCreateThread
EndDialog
DestroyWindow
TranslateMessage
GetClipboardData
The Trojan uses these API functions to track the activity of the WebMoney Keeper application. When that application is used to authenticate the user on payment sites, the Trojan harvests the following information:
- Account number (WMID)
- Password
- Mode
- WebMoney Keeper version
- The user's current account

The Trojan also searches for the following classes:
SunAwtDialog
javax.swing.JFrame
These classes have the following window headings:
[Vkhod v sistemy - Enter system]
[Sinkhronizatsiya s Bankom - Synchronization with bank]
If the Trojan finds such windows, it searches the folders of the programs that own these windows for the following files:
prv_key.pfx
sign.cer
*.jks
*.db3
*.key
*.cnf
It packs them into:
%Temp%\interpro.cab
It also collects data from the clipboard when it is copied to a window, and intercepts keyboard input. It intercepts HTTP requests to the following addresses:

https://ibank*.ru/*
https://bc.nsk.*.ru/*
https://www.faktura.ru/enter.jsp?site=
It extracts the field values of all web pages from the collected data using the following masks:
*<SELECT* *
Removal instructions

If your computer does not have a regularly updated antivirus program, or has no effective antivirus solution, the following steps will help you remove this malicious program:
1. Use Task Manager to identify the malicious program's process
2. Delete the original Trojan file (its path depends on how the program got onto the system)
3. Change the value of the following registry key to:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"userinit" = "C:\WINDOWS\system32\userinit.exe, "
4. Reboot the computer
5. Delete the following file:
%System%\twex.exe
6. Delete the entire contents of the temporary folder (%Temp%)
7. Update your antivirus database and run a "full scan".

5) Net-Worm.Win32.Kido.bt

Discovered: 02/01/2009
Technical details
This worm spreads through the local network and through removable storage devices such as USB drives. It is actually a PE DLL file. Its size is around 155KB to 165KB. It is packed with UPX.
Installation
It copies its executable into the Windows system folder as:
%System%\<rnd>.dll

where <rnd> is a random string of characters. It also creates a service to ensure it is activated every time Windows starts on the victim's system. The following registry key is created:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
It also changes the following registry value:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
netsvcs = %System%\<rnd>.dll
Network propagation
Once it has infected a computer, it starts an HTTP server on a random TCP port. That port is then used to deliver the worm's executable to another computer. It obtains the IP addresses of the computers on the same network and attacks them through a buffer overflow in the Server service. It sends a malformed RPC request to a remote computer; this request overflows the buffer when the function wcscpy_s is called in the library netapi32.dll. This triggers code that downloads the worm, runs it and installs it on the new system. To exploit the vulnerability described above, the worm tries to connect to an administrator account on the remote computer. It uses the following passwords to connect to that account by brute force:
Propagation through removable media (such as USB drives)
It copies its executable to:
<X>:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\<rnd>.vmx
where rnd is a random string of characters (lower case) and X is the drive. It also replaces the following file in the root folder of each drive:
<X>:\autorun.inf
This ensures that its executable is run whenever the user opens the infected drive using Windows Explorer.
Payload
When activated, it injects its code into the address space of one of the svchost.exe system processes. This code is responsible for loading the worm's malicious functions:
- Disables System Restore.
- Blocks addresses containing the following strings:
It also downloads a file from the link below:
http://trafficconverter.biz/*****/an...re/loadadv.exe
This file is saved in the Windows system folder and then executed. The worm also downloads files from the link below:
http://<URL>/search?q=<rnd2>
where rnd2 is a random number and URL is a link generated by a special algorithm based on the current date. The worm obtains the current date from one of the following sites:
http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com
Files downloaded by the worm are saved in the Windows system folder under their original names.
Removal instructions
If your computer does not have an antivirus program with the latest updates, or has no effective antivirus solution, you can follow these steps:
1. Delete the following registry key:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]

2. Remove %System%\<rnd>.dll from the following registry value:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"
3. Reboot the computer
4. Delete the original worm file (its path depends on how the worm got onto the computer)
5. Delete the following file:
%System%\<rnd>.dll
6. Delete the following files from removable storage devices:
<X>:\autorun.inf
<X>:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\<rnd>.vmx
7. Download and install the latest update for the operating system here.
8. Update the antivirus database on the computer and run a full scan.
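The registry checks that the removal guides above have in common, as an added Python example (not code from the report or from the antivirus vendors' writeups): it audits the Winlogon "userinit", HKCU "load" and SvcHost "netsvcs" values quoted in section IX against constructed sample data. Reading the real values with winreg on a live host is an assumption about how it would be deployed, not something the report shows.

```python
"""Added example (not from the report): audit the registry persistence values
that the removal guides in section IX tell the reader to inspect. The registry
is modelled as a dict of constructed sample values so the logic runs offline;
on a live host the same values would be read with winreg. Key paths, value
names and the clean userinit value are the ones quoted in the report."""

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit"
HKCU_LOAD = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load"
NETSVCS = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs"
USERINIT_CLEAN = r"C:\WINDOWS\system32\userinit.exe,"   # value the Zbot guide restores
SYSTEM_DIRS = {"%system%", r"c:\windows\system32"}
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "userinit.exe"}  # names the samples borrow


def userinit_extras(value):
    """Entries of a Winlogon 'userinit' value other than the real userinit.exe.
    Zbot.ikh appends C:\\WINDOWS\\system32\\twex.exe here."""
    legit = USERINIT_CLEAN.rstrip(",").lower()
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower() != legit]


def impersonates_system_binary(path):
    """True when a system-process file name sits outside %System%, as with
    Agent.mee's %System%\\inetsrv\\lsass.exe (the real lsass.exe is in %System%)."""
    directory, _, name = path.strip().strip('"').rpartition("\\")
    return name.lower() in SYSTEM_NAMES and directory.lower() not in SYSTEM_DIRS


def audit_persistence(reg):
    """reg maps 'KEY\\valuename' -> data. Returns a list of (finding, cleanup)."""
    findings = []
    for key, data in reg.items():
        if key == WINLOGON:
            for extra in userinit_extras(data):
                findings.append(("userinit also starts " + extra,
                                 "restore userinit to " + USERINIT_CLEAN))
        elif key == HKCU_LOAD:
            note = " (masquerades as a system process)" if impersonates_system_binary(data) else ""
            findings.append(("'load' starts " + data + " before logon" + note,
                             "delete the 'load' value, then delete the file"))
        elif key == NETSVCS and data.lower().endswith(".dll"):
            # The report's Kido writeup describes netsvcs pointing at %System%\<rnd>.dll.
            findings.append(("netsvcs loads " + data,
                             "remove the DLL from netsvcs, reboot, then delete the file"))
    return findings


# Constructed sample values built from the indicators quoted in section IX.
SAMPLE_INFECTED = {
    WINLOGON: r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,",
    HKCU_LOAD: r"%System%\inetsrv\lsass.exe",
    NETSVCS: r"%System%\abcdef.dll",   # 'abcdef' stands in for the worm's <rnd> name
}
SAMPLE_CLEAN = {WINLOGON: USERINIT_CLEAN}

if __name__ == "__main__":
    for finding, cleanup in audit_persistence(SAMPLE_INFECTED):
        print("{:<60} -> {}".format(finding, cleanup))
```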

NOTE: Although many new Trojans appear every day, if you defend yourself well, Malware infections will rarely happen.

THE END! (^.^)
