Nowadays, the popular Trojans on the Internet basically use a client/server (C/S) structure. To control another computer with a Trojan, the server program has to be implanted and run on that computer; the client program is then run on the local computer to connect to the other computer and control it.
Second, using the Trojan.
After successfully implanting the Trojan server on someone else's computer, you have to wait patiently for the server to come online. Because Black Hole 2004 uses reverse-connection technology, the server connects to the client automatically once it is online. At that point the client can be used to control the server remotely. In the list at the bottom of the Black Hole 2004 window, pick any online computer; it can then be controlled with the command buttons above. The meaning of these commands is briefly introduced below.
File management: once the server is online, the "File Management" command downloads, creates, renames and deletes files on the server computer. Files or folders can be dragged directly to the target folder with the mouse, and resumable transfers (breakpoint continuation) are supported. Simple, right?
Process management: view, refresh and terminate processes on the other side. If antivirus software or a firewall is found, the corresponding process can be closed to protect the server program.
Window management: manages the program windows on the server computer. Programs in the other party's windows can be maximized, minimized and closed, which is more flexible than process management. Many practical jokes are possible, such as repeatedly maximizing and minimizing the other party's windows.
Video monitoring and voice monitoring: if the remote server computer has a USB camera, images can be captured through it and saved directly as MPEG files that Media Player can play; if it has a microphone, their conversation can be heard as well. Isn't that terrible?
In addition to the functions above, it also includes keystroke logging, restart and shutdown, remote uninstall, screen capture and password viewing. The operation is simple, isn't it? Being a hacker is actually very easy.
Third, hiding.
As the virus databases of antivirus software are updated, the Trojan will soon be killed by antivirus software. Therefore, to let the Trojan server evade antivirus software and stay hidden on other people's computers for a long time, several feasible methods are presented for Trojan hackers.
1. Self-protection of the Trojan
As mentioned earlier, when Black Hole 2004 generates a server, the user can change its icon and have the UPX software automatically compress and hide the server.
2. Bundling the server
The user uses a file binder to bind the Trojan server to an ordinary file, thereby deceiving the other party. File binders include Guangwai File Binder 2002, General File Binder, exeBinder, etc.
3. Making your own server
Although the methods mentioned above can fool antivirus software for a period of time, they cannot escape detection by antivirus software in the end, so a more radical method is to disguise the existing Trojan so that antivirus software cannot recognize it. Compression software can be used to compress EXE and DLL files to protect the server. For example, the UPX mentioned in item 1 is such a compression software, but by default the software compresses the server with its own settings, so the result is always the same and it is difficult to evade antivirus software for long; if you compress the server yourself, you can choose different options and produce a different server, which is harder for antivirus software to judge. Taking Glacier as an example, the process of unpacking (removing the shell, i.e. decompression) and packing (adding a shell, i.e. compression) is briefly explained.
If antivirus software is run against Glacier, it will certainly find two viruses: one is Glacier's client and the other is the server. Use the software "PEiD" to check whether the author packed the server; it shows that the server has been compressed with UPX.
Now the software has to be unpacked, which is a decompression process. "UPXUnpack" was used here: after selecting the required file and clicking "Decompress", unpacking begins.
After removing the shell, a new shell has to be added to the server. There are many packers, such as ASPack, ASProtect, UPXShell, Petite and so on. Taking "ASPack" as an example, click the "Open" button and select the server program that has just been unpacked; once it is selected, ASPack automatically packs the server. Scan this server again with antivirus software and it can no longer be identified. If your antivirus software can still detect it, the server can be packed several times with several packers. After packing the server twice, with Petite and then ASPack, all kinds of antivirus software were tried and none of them detected it. Many of the "XX Glacier" variants popular on the Internet today are made by netizens who modified the server and repacked it.
To prevent users who are unfamiliar with Trojans from running the server by mistake, popular Trojans do not provide a separate server program but generate the server from the user's own settings, and Black Hole 2004 is no exception. First run Black Hole 2004 and click "Function/Generate Server" to open the "Server Configuration" interface. Since Black Hole 2004 uses rebound technology (see the tip at the end), click the "View" button next to it, set a new domain name in the pop-up window, enter the domain name and password of the web space applied for in advance, and click "Domain Name Registration"; the registration status is shown in the window below. After the domain name is registered successfully, return to the "Server Configuration" interface and fill in the domain name just applied for, as well as items such as "Online Display Name" and "Registry Start Name". To confuse others, click the "Change Server Icon" button and select an icon for the server. After all the settings are completed, click "Generate EXE Server" to generate the server. When the server is generated, the software automatically compresses it with UPX, which hides and protects the server.
After the server is generated, the next step is to implant it into someone else's computer. Common methods include: breaking into other people's computers through vulnerabilities in the system or software and implanting the Trojan server there; sending the server to the other party as an email attachment; or putting the disguised server into one's own *** shared folder and letting netizens download and run the server program unwittingly through P2P software (such as PP Click, Bai Bao, etc.).
Because this article is mainly aimed at ordinary Internet enthusiasts, a simple email example is used. Take the Flash animations we often see as an example. Create a folder named "Beautiful Animation" and, inside it, a folder named "Animation.files"; put the Trojan server in that folder, assuming its name is "abc.exe". Then create a Flash file in that folder and enter the text "Your playback plug-in is incomplete; click the button below, then click the Open button to install the plug-in." Create a new button component, drag it onto the stage, open the action panel and type "on(press){getURL("animation.files/abc.exe");}", which means abc.exe is executed when the button is clicked. Create a new webpage file named "Animation.htm" in the "Beautiful Animation" folder and put the animation just made into this webpage. See the trick? A web page saved from a website usually consists of an .htm file plus a folder named "xxx.files". It is constructed this way to confuse the recipient; after all, few people look inside a .files folder. Now write a new email, compress the "Beautiful Animation" folder into a single file, attach it to the email, and write an attractive subject. As long as the other party is persuaded to run it and restart the system, the server is in place.
Fourth, prevention.
Prevention is more important than cure. Before our computer is hit by a Trojan horse, a lot of necessary work has to be done: install antivirus software and a network firewall; update the virus database and system security patches in time; back up the files on the hard disk regularly; and do not run software or open email of unknown origin.
Finally, the author would like to remind everyone that a Trojan horse not only has powerful remote control functions but is also extremely destructive. We learn it only to understand its technology and methods, not to steal passwords or carry out other sabotage. I hope everyone takes care.
Tip:
Rebound technology solves the problem that traditional remote control software cannot reach remote computers behind firewalls or inside local area networks. The principle of rebound-port software is this: the client first logs in to an FTP server and edits a file in the home-page space preset in the Trojan software, then opens a listening port and waits for the server to connect. The server periodically reads the contents of this file over HTTP, and when it finds that the client wants to start a connection, it connects actively, so the connection is completed.
In this way computers inside a local area network can be reached from the Internet through NAT (transparent proxy), and the firewall can be crossed. Contrary to traditional remote control software, the server of rebound-port software actively connects to the client, and the client's listening port is generally 80 (that is, the port used for web browsing). Thus, even if the user runs "netstat -a" at the command prompt to check their own ports, they will only see something like "TCP userip:3015 controllerIP:http ESTABLISHED", which is easily overlooked. Therefore, unlike ordinary software, the server of rebound-port software actively connects to the client, so it can easily break through the firewall.
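The detail that makes the rebound connection easy to overlook, an ESTABLISHED session to port 80 that reads like web browsing, is also what lets a defender spot it: the connection is owned by a process that is not a browser. The following is an added example, not code from the original article or from Black Hole 2004; it assumes numeric `netstat -ano` output (Windows), a constructed PID-to-image map such as `tasklist` would give, and a constructed allow-list of browser image names.

```python
import re

# Constructed sample of "netstat -ano" output (proto, local, foreign, state, PID)
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.23:3015      203.0.113.7:80         ESTABLISHED     2480
  TCP    192.168.1.23:3021      198.51.100.4:80        ESTABLISHED     1612
  TCP    192.168.1.23:3044      198.51.100.9:443       ESTABLISHED     1612
"""

# Constructed PID -> image name map, as "tasklist" would report it
SAMPLE_PROCESSES = {900: "svchost.exe", 2480: "abc.exe", 1612: "iexplore.exe"}

# Images expected to hold outbound web connections on this host (constructed allow-list)
EXPECTED_WEB_CLIENTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
WEB_PORTS = {80, 443}

TCP_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            yield lip, int(lport), rip, int(rport), state, int(pid)

def suspicious_reverse_connections(netstat_text, processes):
    """Flag ESTABLISHED connections to a web port owned by a non-browser process.
    That is exactly the footprint the rebound server leaves: a client-side
    connection to port 80 that no user-driven browser accounts for."""
    hits = []
    for _lip, _lport, rip, rport, state, pid in parse_netstat(netstat_text):
        if state != "ESTABLISHED" or rport not in WEB_PORTS:
            continue
        image = processes.get(pid, "<unknown>")
        if image.lower() not in EXPECTED_WEB_CLIENTS:
            hits.append((pid, image, f"{rip}:{rport}"))
    return hits
```

On the constructed sample only the abc.exe session to 203.0.113.7:80 is reported; the two browser sessions on ports 80 and 443 are accepted, and the listening RPC socket is ignored because it is not ESTABLISHED.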