【資料圖】
編制或者在計算機程序中插入的破壞計算機功能或者破壞數據����,影響計算機使用并且能夠自我復制的一組計算機指令或者程序代碼被稱為計算機病毒具有破壞性�,復制性和傳染性���。接下來小編為大家整理了木馬病毒的介紹,希望對你有幫助哦!
The world of malicious software is often divided into two types: viral and nonviral. Viruses are little bits of code that are buried in other codes. When the “host” codes are executed, the viruses replicate themselves and may attempt to do something destructive. In this, they behave much like biological viruses.
Worms are a kind of computer parasite considered to be part of the viral camp because they replicate and spread from computer to computer.
As with viruses, a worm's malicious act is often the very act of replication; they can overwhelm computer infrastructures by generating massive numbers of e-mails or requests for connections that servers can't handle.
Worms differ from viruses, though, in that they aren't just bits of code that exist in other files. They could be whole files——an entire Excel spreadsheet, for example. They replicate without the need for another program to be run.
Remote administration types are an example of another kind of nonviral malicious software, the Trojan horse, or more simply Trojan. The purpose of these programs isn't replication, but to penetrate and control. That masquerade as one thing when in fact they are something else, usually something destructive.
There are a number of kinds of Trojans, including spybots, which report on the Web sites a computer user visits, and keybots or keyloggers, which record and report the user''s keystrokes in order to discover passwords and other confidential information.
RATs attempt to give a remote intruder administrative control of an infected computer. They work as client/server pairs. The server resides on the infected machine, while the client resides elsewhere, across the network, where it''s available to a remote intruder.
Using standard TCP/IP or UDP protocols, the client sends instructions to the server. The server does what it's told to do on the infected computer.
Trojans, including RATs, are usually downloaded inadvertently by even the most savvy users. Visiting the wrong Web site or clicking on the wrong hyperlink invites the unwanted Trojan in. RATs install themselves by exploiting weaknesses in standard programs and browsers.
Once they reside on a computer, RATs are hard to detect and remove. For Windows users, simply pressing Ctrl-Alt-Delete won't expose RATs, because they operate in the background and don''t appear in the task list.
Some especially nefarious RATs have been designed to install themselves in such a way that they're very difficult to remove even after they're discovered.
For example, a variant of the Back Orifice RAT called G_Door installs its server as Kernel32.exe in the Windows system directory, where it's active and locked and controls the registry keys.
The active Kernel32.exe can't be removed, and a reboot won''t clear the registry keys. Every time an infected computer starts, Kernel32.exe will be restarted, and the program will be active and locked.
Some RAT servers listen on known or standard ports. Others listen on random ports, telling their clients which port and which IP address to connect to by e-mail.
Even computers that connect to the Internet through Internet service providers, which are often thought to offer better security than static broadband connections, can be susceptible to control from such RAT servers.
The ability of RAT servers to initiate connections can also allow some of them to evade firewalls. An outgoing connection is usually permitted. Once a server contacts a client, the client and server can communicate, and the server begins following the instructions of the client.
Legitimate tools are used by systems administrators to manage networks for a variety of reasons, such as logging employee usage and downloading program upgrades——functions that are remarkably similar to those of some remote administration Trojans. The distinction between the two can be quite narrow. A remote administration tool used by an intruder becomes a RAT.
In April 2001, an unemployed British systems administrator named Gary McKinnon used a legitimate remote administration tool known as RemotelyAnywhere to gain control of computers on a U.S. Navy network.
By hacking a few unguarded passwords on the target computers and using illegal copies of Remotely Anywhere, McKinnon was able to break into the Navy's network and use the remote administration tool to steal information and delete files and logs. The fact that McKinnon launched the attack from his girlfriend's e-mail account left him vulnerable to detection.
Some of the famous RATs are variants of Back Orifice; they include Netbus, SubSeven, Bionet and Hack''a''tack. These RATs tend to be families more than single programs. They are morphed by hackers into a vast array of Trojans with similar capabilities.
惡意軟件的世界常常分成兩類:病毒性和非病毒性�����。病毒是埋藏在其他程序中的很短的程序代碼。當“主”程序執行時�����,病毒就復制自身�,并企圖做些有破壞性的事。在此過程中����,它們的行為很像生物病毒�����。
蠕蟲是一類計算機寄生蟲�����,可以把它們歸到病毒陣營���,因為它們進行復制����,從一臺計算機散布到另一臺計算機��。
作為病毒�����,蠕蟲的有害行為常常只是復制這個行為。它們通過生成大量的電子郵件或申請連接的請求�����,使服務器沒法處理而導致計算機崩潰��。
但蠕蟲也有別于病毒�,它們不是存在于其他文件中的代碼�����。它們可以是整個文件����,如Excel數據表格�����。它們不需要運行另一個程序就進行復制。
遠程管理(病毒)是另一類非病毒性惡意軟件——特洛伊木馬(或更簡單地稱作木馬)的例子。這些程序的目的不是復制,而是滲透進去加以控制�����。它們偽裝成某種東西��,但實際上是另一件東西����,通常具有破壞性���。
有多種類型的木馬病毒�����,其中包括間諜機器人(它在網站上報告計算機用戶來訪)和擊鍵機器人(它記錄和報告用戶的擊鍵�,目的是為了發現口令和其他的保密信息)���。
RAT病毒企圖讓遠程入侵者對受感染的計算機進行管理控制�����。它們以客戶機/服務器那樣的方式進行工作��。服務器駐留在受感染的機器中�,而客戶機位于網絡上能實施遠程入侵的其他地方��。
利用標準的TCP/IP或UDP協議����,該客戶機給服務器發送指令�。服務器在受感染的計算機上做被告知的事情�����。
木馬病毒�����,含RAT病毒,通常由用戶、甚至最聰明的用戶不經意地下載下來�。訪問惡意的網站或者點擊惡意的鏈接都可能招致不想要的特洛伊病毒進入(計算機)�。RAT病毒利用普通程序和瀏覽器中的弱點自行安裝����。
一旦它們駐留在計算機中,RAT病毒是很難發現和去除的���。對于Windows用戶,簡單地擊打Ctrl+Alt+Delete鍵并不能暴露RAT病毒����,因為它們在后臺工作��,不會出現在任務列表中。
有些非常窮兇極惡的RAT病毒設計成以一種即使在被發現后也非常難去除的方式安裝�����。
例如��,Back Orifice RAT病毒的一個變種���,叫G_Door,安裝其服務器作為Windows系統目錄中的Kernel32.exe�,存活并鎖定在那里并控制注冊鍵��。
活動的Kernel32.exe是不能去除的,重新啟動也不能清除注冊鍵�。每次受感染的計算機開機����,Kernel32.exe被再次啟動�,并被激活和鎖定。
有些RAT病毒對已知的或標準的端口進行偵聽��。其他的則對隨機的端口進行偵聽����,通告它的客戶機,電子郵件連接到了哪些端口和哪些IP地址�����。
通過ISP(因特網服務提供商)連接到因特網上的計算機�����,雖然常常被認為比靜態的寬帶連接更安全����,也可能被這樣的RAT病毒所控制�。
RAT病毒服務器這種激活連接的能力,也能讓它們中的一些可以入侵防火墻�����。通常向外的連接是允許的�����,一旦服務器與客戶機建立聯系���,客戶機和服務器就能進行通信�����,服務器就開始遵循客戶機的指令工作。
出于各種原因�����,系統管理員使用合法工具管理網絡����,如記錄雇員的使用和下載程序更新(與某些遠程管理木馬病毒的功能非常相像)。這兩者間的差別可能是非常小的�,遠程管理工具被入侵者使用就成了RAT病毒���。
2001年4月��,一名叫Gary McKin-non的失業的英國系統管理員利用合法的遠程管理工具——Remotely Anywhere成功地控制了美國海軍網絡上的多臺計算機。
McKinnon通過黑客手段獲得目標計算機上未防護的口令和使用非法拷貝的Remotely Anywhere軟件,突破了美國海軍的網絡���,利用該遠程管理工具偷竊信息、刪除文件和記錄。McKinnon從他女朋友的電子郵件賬號發起攻擊,這個賬號給偵查留下了線索�。
一些有名的RAT病毒是Back Orifice的變種����,如Netbus���、SubSeven�、 Bionet 和Hack''a''tack。這些RAT病毒大多是一組程序��,而不是單獨的一個程序��。黑客把它們變成一個龐大的、具有類似功能的木馬病毒陣列。
