[YA-09] APT Attack Trojan Series: Types of Trojans

admin · 2024-10-24 22:38:10 · 28 views · 4,296 characters · 14 min 19 s read

译安 · 09

译安, issue 9

Basic concepts and classification of Trojans

The full name of the Trojan is Trojan horse, after the horse of ancient Greek mythology. A Trojan is installed by deception or enticement and hides on the user's computer in order to control it. It is malicious code with capabilities such as remote control, information theft and destruction.

  • Deceptiveness: Trojans are highly deceptive; execution is usually started by the victim themselves.
  • Concealment: they are not easy to discover.
  • Lack of authorization: the malicious actions are performed without the user's authorization.
  • Interactivity: an attacker outside the host can interact with the host in some way.

[Figure: Kaspersky SafeStream malware classification hierarchy]

Behavioral perspective

This view is fine-grained, as in the classification standard of the Kaspersky SafeStream virus database. The figure below shows Kaspersky's complete taxonomy of malicious code: worms (Worm) and viruses (Virus) at the top, then backdoors (Backdoor) and Trojans, with Trojans further divided into many classes by behavior, and finally Rootkit and Exploit. The list is ordered by severity, with the most harmful category at the top and the least harmful at the bottom.

Trojan classification

The figure below shows Kaspersky's specific Trojan classification: Trojans are divided into Backdoor, Trojan, Rootkit and Exploit. Strictly speaking, placing Exploit in the Trojan category is not appropriate. Trojan is in turn divided into Trojan-Downloader (downloads), Trojan-Dropper (drops payloads), Trojan-Spy (spyware), Trojan-DDoS (denial of service), Trojan-Ransom (encrypts disk data to extort the user) and so on. Detections are likewise named according to their behavior. For Kaspersky, Backdoor covers remote-control programs, i.e. the remote-control Trojans this article is about.

[Figure: Kaspersky Trojan classification]

Functional perspective

This view includes remote-control, information-acquisition and destructive types, among others.

Remote-control Trojans

A remote-control Trojan gives interactive access to the target computer (real-time or not): the attacker can issue commands that trigger the malware's functions and can retrieve all kinds of data from the target. The interaction is bidirectional (attacker <-> controlled host). Typical examples are the Backdoor class of Trojans under the Kaspersky classification standard, as well as real-world cases such as 冰河 (Glacier), 网络神TOU, 广外女神, 网络公牛, 黑洞, 上兴, 彩虹桥, PCShare and 灰鸽子 (Grey Pigeon). The figure below shows 灰鸽子 code; for the specific testing method, see the author's earlier articles.

[Figure: 灰鸽子 (Grey Pigeon) code]

Information-acquisition Trojans

An information-acquisition Trojan's purpose is to collect information: it can harvest valuable data from keyboard input, memory, files, databases, browser cookies and so on. Its interaction is one-way: the controlled host sends data to the attacker, for example to the attacker's third-party hosting space, a file server or a designated mailbox, or it simply starts an FTP service that the attacker connects to in order to download the data. The figure below shows the BPK software interface, with screen capture, information logging and similar functions that send the collected data to the attacker. Typical examples under the Kaspersky classification standard include Trojan-Bank, Trojan-GameThief, Trojan-IM, Trojan-Spy, Trojan-PSW and Trojan-Mailfinder.

[Figure: BPK software interface]

Destructive Trojans

A destructive Trojan's function is data destruction, resource exhaustion and the like against the local or a remote host. Its interaction is also one-way: the attacker can send commands to the controlled host, and in some cases there is no interaction at all. Typical examples under the Kaspersky classification standard include Trojan-DDoS, Trojan-Ransom, Trojan-ArcBomb, Trojan-Downloader and Trojan-Dropper.
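As an added example that is not from the original article, the following Python triage helper ties the behavioral view (vendor verdict prefixes) to the functional view of the three sections above: it parses verdict strings, assuming the Behavior.Platform.Family.Variant layout of Kaspersky verdict names, and maps the behavior prefix to the functional type and interaction direction described here. The sample verdicts and family names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional
# Behaviour prefixes grouped by the functional type the article assigns them
# ("Trojan-Bank" is the article's spelling, "Trojan-Banker" the vendor's).
REMOTE_CONTROL = {"Backdoor"}
INFO_THEFT = {"Trojan-Spy", "Trojan-PSW", "Trojan-Bank", "Trojan-Banker",
              "Trojan-GameThief", "Trojan-IM", "Trojan-Mailfinder"}
DESTRUCTIVE = {"Trojan-DDoS", "Trojan-Ransom", "Trojan-ArcBomb",
               "Trojan-Downloader", "Trojan-Dropper"}

@dataclass(frozen=True)
class Verdict:
    behavior: str
    platform: str
    family: str
    variant: Optional[str]

def parse_verdict(name: str) -> Verdict:
    """Split 'Behavior.Platform.Family[.Variant]' (assumed layout) into its parts."""
    parts = name.strip().split(".")
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a Behavior.Platform.Family verdict: {name!r}")
    return Verdict(parts[0], parts[1], parts[2], ".".join(parts[3:]) or None)

def functional_category(behavior: str):
    """Map a behaviour prefix to (functional type, interaction direction)."""
    if behavior in REMOTE_CONTROL:
        return ("remote control", "bidirectional: attacker <-> controlled host")
    if behavior in INFO_THEFT:
        return ("information acquisition", "one-way: controlled host -> attacker")
    if behavior in DESTRUCTIVE:
        return ("destructive", "one-way: attacker -> controlled host, or none")
    return ("unclassified", "unknown")  # worms, viruses, rootkits, exploits ...

def triage(verdicts):
    """Group verdicts by functional type; names that do not parse go under 'unparseable'."""
    groups = {}
    for name in verdicts:
        try:
            v = parse_verdict(name)
        except ValueError:
            groups.setdefault("unparseable", []).append(name)
            continue
        kind, _direction = functional_category(v.behavior)
        groups.setdefault(kind, []).append(f"{v.family} ({v.platform})")
    return groups
# Constructed sample verdicts; the family names are placeholders, not real detections.
SAMPLE = ["Backdoor.Win32.ExampleRAT.a", "Trojan-Spy.Win32.ExampleSpy.bcd",
          "Trojan-Ransom.Win32.ExampleCrypt.x", "Worm.Win32.ExampleWorm", "garbage"]
```

Running `triage(SAMPLE)` groups the Backdoor verdict under remote control, Trojan-Spy under information acquisition and Trojan-Ransom under destructive, while the worm lands in "unclassified" and the malformed string in "unparseable".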

This article was first published on the WeChat public account Eonian Sharp: [YA-09] APT Attack Trojan Series: Types of Trojans

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes none. For questions, contact us by email (see the home page; a corporate or otherwise valid mailbox is recommended so that mail is not filtered).
Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author): [YA-09] APT Attack Trojan Series: Types of Trojans, http://cn-sec.com/archives/1846510.html