Eonian Sharp (译安) · Issue 09
Basic Concepts and Classification of Trojans
"Trojan" is short for Trojan horse, a name taken from ancient Greek mythology. A Trojan is installed by deceiving or luring the user, then hides on the user's computer so that the computer can be controlled. It is malicious code with remote-control, information-theft, destructive, and other functions.
Characteristics of Trojans:
- Deceptiveness: Trojans are highly deceptive; execution is usually triggered by the victim themselves.
- Concealment: they are not easily discovered.
- Non-authorization: the malicious actions are carried out without the user's authorization.
- Interactivity: an attacker outside the host can interact with the host in some way.
Behavioral perspective
This view is fine-grained, as in the classification standard of Kaspersky's SafeStream virus database. The figure in the original article shows Kaspersky's entire taxonomy of malicious code: at the top are worms (Worm) and viruses (Virus), followed by backdoors (Backdoor) and Trojans, with Trojans further split into many classes by behavior, and at the bottom rootkits (Rootkit) and exploits (Exploit). The classes are ordered by degree of harm, with the most harmful at the top and the least harmful at the bottom.
Trojan classification
The figure that follows in the original article shows Kaspersky's detailed Trojan classification: Backdoor, Trojan, Rootkit, and Exploit. Strictly speaking, placing Exploit in the Trojan category is inappropriate. Trojan is further divided into Trojan-Downloader (downloading), Trojan-Dropper (dropping other malware), Trojan-Spy (spyware), Trojan-DDoS (denial of service), Trojan-Ransom (encrypting disk data to extort the user), and so on. Detection names are assigned according to the sample's behavior. In Kaspersky's scheme, Backdoor covers remote-control programs, which are the remote-control Trojans this article discusses.
Functional perspective
Remote-control Trojans
A remote-control Trojan gives the attacker interactive access to the target computer (real-time or not): the attacker can issue commands that trigger the malware's functions and can retrieve all kinds of data from the target. The interaction is bidirectional and attacker-controlled. Typical cases include the Backdoor class under the Kaspersky classification standard, and real-world samples such as Glacier (冰河), Net Thief (网络神偷), Guangwai Girl (广外女生), NetBull (网络公牛), Black Hole (黑洞), Shangxing (上兴), Rainbow Bridge (彩虹桥), PCShare, and Gray Pigeon (灰鸽子). The original article follows this with a figure of Gray Pigeon's code and a recommended test method.
Information-gathering Trojans
An information-gathering Trojan collects valuable information from keyboard input, memory, files, databases, browser cookies, and so on. The interaction is one-way: the controlled host sends data to the attacker, for example to attacker-controlled third-party storage, a file server, or a designated mailbox, or it opens an FTP service so that the attacker connects and downloads the data directly. The figure in the original article shows the interface of the BPK keylogger, which offers screen capture, activity logging, and delivery of the captured data to the attacker. Typical cases include Trojan-Banker, Trojan-GameThief, Trojan-IM, Trojan-Spy, Trojan-PSW, and Trojan-Mailfinder under the Kaspersky classification standard.
Destructive Trojans
This type damages data or consumes resources on the local host or a remote host. Its interaction is also one-way: the attacker can send commands to the controlled host, and in some cases there is no interaction at all. Typical cases include Trojan-DDoS, Trojan-Ransom, Trojan-ArcBomb, Trojan-Downloader, and Trojan-Dropper under the Kaspersky classification standard.
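The Kaspersky detection names used in the classification section above follow the pattern Behaviour.Platform.Family[.Variant], so the behaviour prefix alone is enough to place a verdict into one of the three functional categories this article defines (remote control, information gathering, destruction) and to predict the direction of its command traffic. The script below is an added example, not code from the original article or from Kaspersky; the mapping table reproduces the article's own assignment of behaviours to categories (including its choice to file Trojan-Downloader and Trojan-Dropper under "destruction"), and the sample verdict strings are constructed for illustration.

```python
"""Parse Kaspersky-style detection names and map each to the functional
Trojan category used in this article (remote control / information
gathering / destruction) together with the interaction direction the
article associates with that category. Added example; sample names are
constructed for illustration and are not real detections."""

from dataclasses import dataclass

# Behaviour prefix -> functional category, exactly as the article assigns them.
# The article files Trojan-Downloader/Dropper under "destruction"; in
# Kaspersky's own tree they are simply Trojan sub-behaviours.
FUNCTIONAL_CATEGORY = {
    "Backdoor": "remote control",
    "Trojan-Banker": "information gathering",
    "Trojan-GameThief": "information gathering",
    "Trojan-IM": "information gathering",
    "Trojan-Spy": "information gathering",
    "Trojan-PSW": "information gathering",
    "Trojan-Mailfinder": "information gathering",
    "Trojan-DDoS": "destruction",
    "Trojan-Ransom": "destruction",
    "Trojan-ArcBomb": "destruction",
    "Trojan-Downloader": "destruction",
    "Trojan-Dropper": "destruction",
}

# Interaction direction per category, as described in the article.
INTERACTION = {
    "remote control": "bidirectional",
    "information gathering": "one-way (victim -> attacker)",
    "destruction": "one-way (attacker -> victim) or none",
}


@dataclass(frozen=True)
class Verdict:
    behaviour: str  # e.g. "Trojan-Downloader"
    platform: str   # e.g. "Win32"
    family: str     # e.g. "Agent"
    variant: str    # e.g. "abc"; empty when the name has no variant part


def parse_verdict(name: str) -> Verdict:
    """Split a name of the form Behaviour.Platform.Family[.Variant]."""
    parts = name.strip().split(".")
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a Behaviour.Platform.Family name: {name!r}")
    behaviour, platform, family = parts[:3]
    variant = ".".join(parts[3:])
    return Verdict(behaviour, platform, family, variant)


def classify(name: str) -> dict:
    """Return the parsed fields plus the article's category and interaction."""
    v = parse_verdict(name)
    # Generic "Trojan" with no sub-behaviour, or classes outside the article's
    # functional taxonomy (Rootkit, Exploit, Worm, Virus), stay unclassified.
    category = FUNCTIONAL_CATEGORY.get(v.behaviour, "unclassified")
    return {
        "behaviour": v.behaviour,
        "platform": v.platform,
        "family": v.family,
        "variant": v.variant,
        "category": category,
        "interaction": INTERACTION.get(category, "n/a"),
    }


def triage(names):
    """Group a batch of verdicts by category, bidirectional (remote control) first."""
    order = ["remote control", "information gathering", "destruction", "unclassified"]
    groups = {k: [] for k in order}
    for n in names:
        groups[classify(n)["category"]].append(n)
    return groups


# Constructed sample verdicts (illustrative strings, not real detections).
SAMPLE_VERDICTS = [
    "Backdoor.Win32.Hupigon.abc",          # Hupigon is Kaspersky's family name for Gray Pigeon
    "Trojan-PSW.Win32.QQPass.xyz",
    "Trojan-Downloader.Win32.Agent.def",
    "Trojan-Ransom.Win32.Example.ghi",
    "Rootkit.Win32.Example.a",
    "Trojan.Win32.Generic",
]

if __name__ == "__main__":
    for n in SAMPLE_VERDICTS:
        info = classify(n)
        print(f"{n:40} {info['category']:22} {info['interaction']}")
```

Running the script prints one line per verdict with its category and expected traffic direction; in practice `triage` is the useful entry point, because verdicts in the "remote control" group imply a live, attacker-driven channel and should be handled before one-way exfiltration or purely local damage.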
Originally published on the WeChat public account Eonian Sharp (译安): [YA-09] APT Attack Trojan Series: Types of Trojans