金华网页设计-义乌网页设计服务-浙江网络安全维护 提供企业网络安全维护、企业网站建设、企业网站维护、企业服务器维护等服务(金华服务器维护-义乌服务器维护),咨询: 张先生 15924245918 QQ:
posts - 65, comments - 95, trackbacks - 0, articles - 3
  IT博客 :: 首页 :: 新随笔 :: 联系 :: 聚合  :: 管理


  The world of malicious software is often divided into two types: viral and nonviral. Viruses are little bits of code that are buried in other codes. When the “host” codes are executed, the viruses replicate themselves and may attempt to do something destructive. In this, they behave much like biological viruses.

  Worms are a kind of computer parasite considered to be part of the viral camp because they replicate and spread from computer to computer.

  As with viruses, a worm’s malicious act is often the very act of replication; they can overwhelm computer infrastructures by generating massive numbers of e-mails or requests for connections that servers can’t handle.

  Worms differ from viruses, though, in that they aren’t just bits of code that exist in other files. They could be whole files——an entire Excel spreadsheet, for example. They replicate without the need for another program to be run.

  Remote administration types are an example of another kind of nonviral malicious software, the Trojan horse, or more simply Trojan. The purpose of these programs isn’t replication, but to penetrate and control. That masquerade as one thing when in fact they are something else, usually something destructive.

  There are a number of kinds of Trojans, including spybots, which report on the Web sites a computer user visits, and keybots or keyloggers, which record and report the user''s keystrokes in order to discover passwords and other confidential information.

  RATs attempt to give a remote intruder administrative control of an infected computer. They work as client/server pairs. The server resides on the infected machine, while the client resides elsewhere, across the network, where it''s available to a remote intruder.

  Using standard TCP/IP or UDP protocols, the client sends instructions to the server. The server does what it’s told to do on the infected computer.

  Trojans, including RATs, are usually downloaded inadvertently by even the most savvy users. Visiting the wrong Web site or clicking on the wrong hyperlink invites the unwanted Trojan in. RATs install themselves by exploiting weaknesses in standard programs and browsers.

  Once they reside on a computer, RATs are hard to detect and remove. For Windows users, simply pressing Ctrl-Alt-Delete won’t expose RATs, because they operate in the background and don''tappear in the task list.

  Some especially nefarious RATs have been designed to install themselves in such a way that they’re very difficult to remove even after they’re discovered.

  For example, a variant of the Back Orifice RAT called G_Door installs its server as Kernel32.exe in the Windows system directory, where it’s active and locked and controls the registry keys.

  The active Kernel32.exe can’t be removed, and a reboot won''t clear the registry keys. Every time an infected computer starts, Kernel32.exe will be restarted, and the program will be active and locked.

  Some RAT servers listen on known or standard ports. Others listen on random ports, telling their clients which port and which IP address to connect to by e-mail.

  Even computers that connect to the Internet through Internet service providers, which are often thought to offer better security than static broadband connections, can be susceptible to control from such RAT servers.

  The ability of RAT servers to initiate connections can also allow some of them to evade firewalls. An outgoing connection is usually permitted. Once a server contacts a client, the client and server can communicate, and the server begins following the instructions of the client.

  Legitimate tools are used by systems administrators to manage networks for a variety of reasons, such as logging employee usage and downloading program upgrades——functions that are remarkably similar to those of some remote administration Trojans. The distinction between the two can be quite narrow. A remote administration tool used by an intruder becomes a RAT.

  In April 2001, an unemployed British systems administrator named Gary McKinnon used a legitimate remote administration tool known as RemotelyAnywhere to gain control of computers on a U.S. Navy network.

  By hacking a few unguarded passwords on the target computers and using illegal copies of Remotely Anywhere, McKinnon was able to break into the Navy’s network and use the remote administration tool to steal information and delete files and logs. The fact that McKinnon launched the attack from his girlfriend’s e-mail account left him vulnerable to detection.

  Some of the famous RATs are variants of Back Orifice; they include Netbus, SubSeven, Bionet and Hack''a''tack. These RATs tend to be families more than single programs. They are morphed by hackers into a vast array of Trojans with similar capabilities.













  例如,Back Orifice RAT病毒的一个变种,叫G_Door,安装其服务器作为Windows系统目录中的Kernel32.exe,存活并锁定在那里并控制注册键。






  2001年4月,一名叫Gary McKin-non的失业的英国系统管理员利用合法的远程管理工具——Remotely Anywhere成功地控制了美国海军网络上的多台计算机。

  McKinnon通过黑客手段获得目标计算机上未防护的口令和使用非法拷贝的Remotely Anywhere软件,突破了美国海军的网络,利用该远程管理工具偷窃信息、删除文件和记录。McKinnon从他女朋友的电子邮件账号发起攻击,这个账号给侦查留下了线索。

  一些有名的RAT病毒是Back Orifice的变种,如Netbus、SubSeven、 Bionet 和Hack"a"tack。这些RAT病毒大多是一组程序,而不是单独的一个程序。黑客把它们变成一个庞大的、具有类似功能的木马病毒阵列。


# re: 远程管理特洛伊木马(RAT)病毒(中英对照)  回复  更多评论   

2007-01-04 22:09 by 可行性报告

# 高手  回复  更多评论   

2007-04-18 22:51 by 广泛
等我学会了 嘿嘿……