A web page that has been planted with a trojan (a "drive-by download" page) exists to get the trojan downloaded to the user's machine and executed. Once the first trojan runs, it downloads and executes further trojans, and this cycle repeats until the user's computer is compromised and under the attacker's control. To get that first trojan onto the local disk, the flow chart shows the following common methods:
1. Disguise the trojan as a page element (an image, for example). The browser then downloads it to the local disk automatically.
2. Exploit a vulnerability in the script engine to run a script that downloads the trojan.
3. Exploit a vulnerability in the script engine to run a script that drops a trojan already embedded in the page itself.
4. Disguise the trojan as a missing component, or bundle it with one (for example, a Flash Player plug-in). The browser downloads the "component", and the installer runs the trojan on its own.
5. Have a script call a COM component and exploit a vulnerability in that component to download the trojan.
6. Exploit a file-format overflow while the page content is being rendered, and drop the trojan from the overflow (for example, the ANI cursor format overflow vulnerability).
7. Exploit a file-format overflow while the page content is being rendered, and download the trojan from the overflow (for example, the Flash 9.0.115 playback vulnerability).
Once the download is complete, the trojan is executed in one of the following ways:
1. While a page element is being played or rendered, use the shellcode of a format overflow to execute the trojan that was just downloaded.
2. Exploit a vulnerability in the script engine to run the trojan.
3. When the trojan is disguised as a missing component, the installer package runs it automatically once the "component" is installed.
4. Have a script call a COM component and exploit a vulnerability in that component to execute the trojan.
5. Exploit a format overflow while a page element is being rendered and execute the trojan directly from the overflow.
6. Abuse the way a COM component communicates with other external processes, so that the trojan is executed inside another process (for example, the RealPlayer 10.5 playlist overflow vulnerability).
In the ongoing contest between web trojans and antivirus software, some web trojans also take the following steps to evade detection:
1. Change the system time so that the antivirus software stops working (for example, because its licence appears to have expired).
2. Remove the hooks installed by the antivirus software, so that its detection no longer fires.
3. Modify the antivirus software's signature database so that it can no longer recognise the malicious code.
4. Rather than executing the malicious code directly from the overflow, have the overflow run a script that launches it, so that the antivirus software's parent-process check is bypassed.
Detecting web trojans
Traditional detection and defence methods:
1. Signature matching. The script planted in the page is treated as the signature and matched like a virus signature. However, page scripts can be obfuscated and encrypted in far more varied ways than a traditional PE-format virus, which makes them harder to detect.
2. Proactive defence. When the browser performs certain actions, the user is prompted; for example, when an installer package is downloaded the user is asked whether to run it, or when the browser spawns the Storm Player (暴风影音) the user is asked whether to allow it. In most cases the user clicks "Yes", and the trojan on the page runs anyway.
3. Checking whether a process's parent is the browser. This check is very easy to evade, and browser plug-ins cause a large number of false positives.
Behaviour-analysis defence:
1. Detect file-format camouflage. Identify the file format of each page element precisely, to determine whether the element is disguising malicious code.
2. Check whether the source of a page element is a site that has long been known to spread web trojans.
3. Detect through the call stack at specific functions:
(a) distinguish files the user chose to download from files the browser downloaded automatically;
(b) detect known buffer-overflow vulnerabilities;
(c) inspect the call stack at process creation, and whether the call parameters are those of a normal browser, to detect file execution caused by unknown vulnerabilities.
4. Monitor file execution, and inspect the parameters and other characteristics of the file being executed.
5. Monitor file writes to particular directories.
6. Detect modification of the system clock.
7. Check the in-memory images of system DLLs (import table, export table, function bodies) for tampering.
8. Check PE files, CAB packages, and their digital signatures.
9. Detect specific file formats, and detect known format overflows within them.
Weighting the results of the checks above gives effective detection of both known and unknown web trojans.
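As an added example (not code from the original article), the following Python script combines three of the checks above into the kind of weighted verdict the closing paragraph describes: check 1 (file-format camouflage, identified from magic bytes rather than the claimed type), check 9 (a known format overflow, here a RIFF/ACON cursor whose "anih" chunk declares a size other than the 36-byte ANIHEADER structure it is supposed to contain, which is the shape of the ANI overflow the article mentions), and a weighted sum over behaviour events such as automatic downloads being executed or the system clock being changed. The weights, the alert threshold, the event names and the sample files are assumptions constructed for the example.

```python
"""Added example: weighted behaviour-based scoring of web-trojan indicators.
Not the article's own code; weights, thresholds, event names and samples are
constructed assumptions."""
import struct

# Magic-byte signatures for types that page elements commonly claim to be.
MAGIC = {
    "exe": b"MZ",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG",
    "swf": (b"FWS", b"CWS"),
    "ani": b"RIFF",   # only counts as ANI when the RIFF form type is ACON
    "cab": b"MSCF",
}

def true_type(data: bytes) -> str:
    """Identify a blob by its leading bytes, ignoring any claimed extension."""
    for kind, sig in MAGIC.items():
        sigs = sig if isinstance(sig, tuple) else (sig,)
        if any(data.startswith(s) for s in sigs):
            if kind == "ani" and data[8:12] != b"ACON":
                continue  # some other RIFF container (WAV, AVI, ...)
            return kind
    return "unknown"

def is_camouflaged(data: bytes, claimed_ext: str) -> bool:
    """Check 1: an executable hiding behind a harmless-looking element type."""
    return true_type(data) == "exe" and claimed_ext.lower() != "exe"

ANIH_HEADER_SIZE = 36  # sizeof(ANIHEADER): 9 DWORD fields

def ani_overflow_chunks(data: bytes):
    """Check 9: walk the RIFF chunks of an ANI file and return the declared
    size of every 'anih' chunk that is not exactly ANIH_HEADER_SIZE bytes.
    A hostile file oversizes this chunk to overflow the fixed-size buffer
    the loader copies it into."""
    if data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return []
    bad = []
    pos = 12
    while pos + 8 <= len(data):
        tag = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        if tag == b"anih" and size != ANIH_HEADER_SIZE:
            bad.append(size)
        if tag == b"LIST":
            pos += 12          # descend into the list: tag, size, list type
            continue
        pos += 8 + size + (size & 1)  # RIFF chunks are word-aligned
    return bad

# Illustrative weights for the indicators (assumed values, not from the article).
WEIGHTS = {
    "camouflaged_element": 40,    # check 1
    "known_format_overflow": 60,  # check 9
    "auto_download_executed": 30, # check 3(a)/4: browser-fetched file was run
    "write_to_startup_dir": 25,   # check 5
    "system_clock_changed": 20,   # check 6
}
ALERT_THRESHOLD = 50

def score_session(elements, events):
    """elements: list of (claimed_ext, bytes) the browser fetched for the page.
    events: set of behaviour event names observed while rendering it.
    Returns (score, list of indicator names that fired)."""
    reasons = []
    for ext, blob in elements:
        if is_camouflaged(blob, ext):
            reasons.append("camouflaged_element")
        if ani_overflow_chunks(blob):
            reasons.append("known_format_overflow")
    reasons.extend(ev for ev in sorted(events) if ev in WEIGHTS)
    return sum(WEIGHTS[r] for r in reasons), reasons

def verdict(elements, events) -> str:
    score, _ = score_session(elements, events)
    return "malicious" if score >= ALERT_THRESHOLD else "clean"

# Constructed samples (not real malware): a PE stub served as "logo.gif",
# a genuine GIF header, and a minimal RIFF/ACON builder.
EXE_AS_GIF = b"MZ\x90\x00" + b"\x00" * 60
REAL_GIF = b"GIF89a" + b"\x00" * 20

def build_ani(anih_size: int) -> bytes:
    """Build a minimal ANI file whose 'anih' chunk declares anih_size bytes."""
    body = b"anih" + struct.pack("<I", anih_size) + b"\x00" * anih_size
    body += b"LIST" + struct.pack("<I", 4) + b"fram"   # empty frame list
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body

if __name__ == "__main__":
    page = [("gif", EXE_AS_GIF), ("ani", build_ani(0x400))]
    print(score_session(page, {"auto_download_executed", "system_clock_changed"}))
    print(verdict([("gif", REAL_GIF)], set()))
```

The scoring deliberately keeps each check independent: the camouflage check never trusts the claimed extension, and the ANI walker flags the chunk size before any consumer could copy it, so either indicator alone can push a page over the threshold while weaker signals such as a clock change only add weight.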