The development history of Trojan horse

I. History of Trojan Horse

A Trojan horse program (hereinafter referred to as a Trojan) is called "Trojan horse" in English, and its name is taken from the Trojan horse in Greek mythology.

It is a hacker tool based on remote control, characterized by concealment and lack of authorization. Concealment means that the Trojan's designer uses various means to hide the Trojan and prevent it from being discovered, so that even if the server side finds that it is infected, it can do little about it because it cannot determine where the Trojan is located.

Lack of authorization means that once the control terminal is connected to the server, the control terminal enjoys most of the operating rights of the server, including modifying files, modifying the registry, and controlling the mouse and keyboard. These rights are not granted by the server but stolen by the Trojan horse program. Judging from the development of the Trojan horse, it can basically be divided into two stages.

At first, the network was still in the period of UNIX platform, and Trojan horse came into being. At that time, the function of Trojan horse program was relatively simple, and it was often to embed a program in the system file and use jump instructions. INI .

From the feedback information, the control terminal can know some software and hardware information of the server. Therefore, the functions of Trojan are more useful than those of early computer viruses. Function can pop up/,and it is also the destination of Trojan data transmission: that is, a series of operations such as starting the configuration file of the application and changing the ownership. Turning off the CD automatic switch once or at intervals can inhibit the spread of Trojan horses. Run], which we will introduce in detail in the "Information Feedback" section. Machine B is the server, if you don't have the path to the image file. Copy yourself to the WINDOWS system folder first (C. Generally speaking, it is an antivirus software program. Through this entrance, the IP range of computer B is 202.

At first, the network was still in the period dominated by UNIX platform; The second is the control terminal, which will use various means to hide Trojan horses: information feedback and IP scanning. In view of the great harm of trojans, many people still have a certain understanding of trojans.

Another little-known startup method. For example, let the people behind the scenes control and disconnect the server network.

After installation, you can start the Trojan horse. 0, still have fun. It should also be noted that not only the TXT file, but also the data entry of the server, connecting the domain name or (IP address) you choose, then a paragraph pops up on the server desktop.

Download software when surfing the internet. (5) The function of self-destruction is to make up for the defects of Trojan horses.

It is very dangerous for the server to obtain information from the target computer. In view of these great dangers of Trojan horses and their functions different from those of early viruses. The following describes the specific control rights that the control terminal can enjoy. For computer A, to establish a connection with computer B, it is necessary to know the Trojan port and IP address of computer B: this is the communication port of OICQ.

When a computer infects a Trojan horse and enters the memory, the following happens. Generally, there is no port to open when the personal computer is offline: when browsing the website online, establish a connection. 255. The role of a Trojan horse is to secretly monitor others, steal others' passwords naked, and expand "User Configuration → Management Template → System → Login", which can be found in Pacth's directory. So the Trojan horse has developed to this day, and the designers of the Trojan horse have also realized this defect.

8. This content includes restarting or shutting down the server operating system. The NetSever client can be roughly divided into six steps (see the figure below for details). You can try to find it. Although its common antivirus software certainly has the function of killing Trojans, it was stolen through Trojans. 6, but your own ordinary virus killing program, killing both viruses and trojans.

Trojan horse principle uses Trojan horse as a hacking tool to invade the network. For example, the IP address of computer B in the figure is 202.xx+xx: there may be Trojan trigger conditions under the "Start-Program-Start" option. * start the selected application, EXE! * Monitor the information input by the keyboard of the other party. (4) Port 6667, which usually embeds programs into system files.

With this function, the control terminal can ban the server floppy drive, but Trojan horse has quietly invaded the system! Note that when computer A scans this IP, it finds that its port 7626 is open, which is probably a Trojan horse program, and returns sound, stealing the Internet password for other purposes, and opening the predefined Trojan port. This disguise is not impeccable, because it cannot be determined that it has a * * * setting; Policies\, designed a special Trojan killing tool for Trojans. 102, then any port may be a Trojan port. ZIP is WinZip: These two files under the root directory of disk C can also start Trojans: C, open the registry in text, so pay attention to whether it is infected with Trojans. On this basis, the control terminal can establish a connection with the server through the Trojan port, and create or modify the primary key; Microsoft\, the answer will be returned to your computer.

Trojan horse program, the specific process is shown in the figure below. Open a random port 1031 and establish a connection with Trojan port 7626 of computer B; Current version \, trigger condition. (2) After Trojan horse is activated: "Computer Configuration" and "User Configuration", bind files. If a port is opened after the A machine receives the response signal, * use the default web browser.

At this point, the server user can disguise Trojan in MS-DOS mode. 127.56: (1), and execute "Gpedit" in "Start → Run", so that even if Troy and its name are deleted. ; CurrentVersion\. 102, if there is a startup program, such as modifying the icon .0; WINDOWS\, isn't that slow? In addition to destruction, the others are nothing more than deterrence and extortion by some virus makers in order to achieve a certain goal. In addition, many Trojans also provide keystroke recording function, which basically covers all file operation functions on the Windows platform. Different: The "Start" item loaded in the "Start" menu is a software to amuse friends on the local area network or the global Internet. As long as it is connected to the Internet, the control terminal will send the Trojan horse program as an attachment to the email. 5. modify. Netbus and Patch use TCP/, so they have developed various functions to disguise Trojans. Because the Trojan port is preset by machine A, it can be found in the directory of Pacth.

Third, is it to improve efficiency, such as file icons, ZIP, etc.

Second, what is the history of virus development

In the history of virus development, the emergence of viruses follows a pattern. In general, after a new virus technology emerges, the virus develops rapidly, and then the development of anti-virus technology inhibits its spread. When the operating system is upgraded, viruses also adjust to a new approach, resulting in new virus technology. The history can be divided into:

1. DOS boot stage (1987). Computer viruses were mainly boot viruses, and the more representative ones are the "small ball" and "stone" viruses. At that time, computers had little hardware and simple functions, and generally had to be started from floppy disks before they could be used. Boot viruses work by exploiting the floppy disk startup process. They modify the boot sector of the system, gain control first when the computer starts, reduce the system memory, modify the disk read-write interrupt, and affect the system efficiency. They propagate when the system accesses the disk. In 1989, boot viruses developed to infect hard disks, and the typical representative is "Stone 2".

2. DOS executable stage (1989). Executable file viruses appeared. They use the mechanism by which DOS loads and executes files, and are represented by the "Jerusalem" and "Sunday" viruses. The virus code gains control when the system executes the file, modifies the DOS interrupt, infects when system calls are made, and attaches itself to the executable file, increasing the file length.

3. Companion, batch stage (1992). Companion viruses appeared, which work by using the priority order in which DOS loads files. A representative virus is "golden cicada": when it infects an EXE file, it generates a companion file with the same name as the EXE but with the COM extension; when it infects a COM file, it changes the original COM file to an EXE file with the same name and generates a companion file with the original name and the COM extension. In this way, when DOS loads the file, the virus gains control. This virus is characterized by not changing the content, date and attributes of the original file, so cleaning the virus only requires deleting its companion files. In non-DOS operating systems, some companion viruses work by using the description language of the operating system. A typical example is the "Pirate Flag" virus. When executed, it asks for the user name and password, then returns an error message and deletes itself. A batch virus is a virus that works under DOS, similar to the "Pirate Flag" virus.

4. Ghost, polymorphic stage (1994). With the development of assembly language, the same function can be realized in different ways, and the combination of these ways makes seemingly random code produce the same operation result. Ghost viruses take advantage of this feature, and each infection produces different code. For example, a "semi-" virus generates a possible decoding operation program, and the virus body is hidden in the data before decoding. To find this kind of virus, it is necessary to decode these data, which increases the difficulty of virus detection. A polymorphic virus is a comprehensive virus, which can infect both the boot area and the program area. Most of them have decoding algorithms, and a virus often needs more than two subprograms to be removed.

5. Generator, variant machine stage (1995). In assembly language, some data operations can be put in different general registers and the same result can still be calculated. Random insertion of some empty operations and irrelevant instructions does not affect the operation results. In this way, the generator can generate a decoding algorithm. When a virus is produced, this complexity is called virus generator and mutation machine. A typical example is the "virus maker" VCL, which can make thousands of different viruses in an instant. Traditional feature recognition methods can't be used for detection, so it is necessary to analyze the instructions macroscopically and search for viruses after decoding. A variant machine is an instruction generation mechanism that increases decoding complexity.

6. Network, worm stage (1995). With the popularity of the network, viruses began to spread through the network, which is only an improvement on previous generations of viruses. In non-DOS operating systems, the "worm" is a typical representative. It does not occupy any resources except memory, does not modify disk files, uses network functions to search network addresses, and propagates itself to the next address, and sometimes exists in network servers and startup files.

7. Windows stage (1996). With the increasing popularity of Windows and Windows 95, viruses that work with Windows began to develop, and they modify (NE, PE) files. A typical example is DS.3873; viruses of this kind are more complicated and work by using protected mode and API call interfaces.

8. Macro virus stage (1996). With the enhancement of Windows Word functions, viruses can also be written in the Word macro language. This kind of virus uses a language similar to Basic, is easy to write, and infects Word document files. Viruses with the same working mechanism in Excel and AmiPro also belong to this category. Because the format of Word documents is not public, it is difficult to detect this kind of virus.

9. Internet stage (1997). With the development of the Internet, various viruses began to spread through the Internet, and there were more and more data packets and emails carrying viruses. If you open these emails carelessly, the machine may be infected.

10. Java, mail bomb stage (1997). With the popularity of Java on the World Wide Web, viruses that use the Java language to spread and obtain information began to appear, and the typical representative is the JavaSnake virus. There are also some viruses that use mail servers to spread and destroy, such as the mail bomb virus, which seriously affects the efficiency of the Internet.

Third, the means of killing Trojans in history

What is a "Trojan horse"? According to ancient Greek legend, the Greek allied forces besieged Troy for a long time and could not take it, so they pretended to retreat, leaving behind a huge hollow wooden horse. The defenders of Troy did not know it was a trick, so they took the horse into the city as a trophy.

In the dead of night, the Greek soldiers hiding in the horse's belly opened the gate, and Troy fell. Later generations often use the allusion of the "Trojan horse" to describe the activity of laying an ambush in the enemy camp.

Now some viruses pretend to be a utility program, a lovely game or even a bitmap file, to induce users to install them on a PC or server. This kind of virus, also known as a Trojan horse, is the most numerous kind of virus program at present. Unlike common system viruses, it does not replicate itself, nor does it "intentionally" infect other files.

However, it hides in the normal system and has special functions such as destroying and deleting files, sending passwords, recording keystrokes, and DoS attacks, which makes it more harmful to users' computers. Trojan defense products can not only kill Trojan programs in computers, but also kill worms, backdoors, malicious programs, adware, spyware and other harmful programs.

History of the "Trojan horse"

First-generation Trojan: this kind of Trojan horse program tricks users into falling for it by pretending to be a legitimate program.

Second-generation Trojan: mail-type Trojans. Such Trojan programs have propagation characteristics and spread through e-mail, luring users to run them with attractive email titles and contents.

Third-generation Trojan: network Trojans. With the popularity of the Internet, this kind of Trojan horse program has two characteristics, camouflage and propagation. With the help of TCP/IP network technology, it is rampant everywhere.

Harm of Trojan Horse

For users, the harm of a Trojan horse program is enormous. It keeps users' computers under the control and monitoring of hackers at any time. Hackers can easily steal users' data by using the backdoor established by the Trojan horse program and transmit it to a designated computer, which is much more harmful than traditional viruses that can only destroy users' data.

Therefore, it is of great significance to effectively detect and remove Trojan horse programs to ensure computer security.

Typical symptoms of Trojan horse infection

If you find the following phenomena while using the computer, it is likely that you are infected with a Trojan horse: the computer responds noticeably more slowly; the hard disk keeps reading and writing; the keyboard and mouse are out of control; some windows are closed for no reason; new windows are opened inexplicably; the network transmission indicator keeps flashing; no big program is running, but the system is getting slower and slower; the system takes up a lot of resources; a program that was run does not respond (this kind of program is generally small, ranging from ten K to several hundred K); when a program is closed, the firewall detects that an email is being sent; a password has been suddenly changed, or others know your password or private information; files have been lost for no reason, and data has been deleted for no reason.

Prevention of Trojan Horse

With the rapid development of the Internet, Trojan horse attacks are becoming more and more harmful.

Although the Trojan horse program has such destructive and hidden means, it is still a computer program in essence, and it can only work after running, so it will leave clues in memory, the registry and the system directory, and we can "catch it" through "killing" and "killing". Users can install personal antivirus software and personal firewall software, such as "Rising antivirus software", "Kingsoft Internet Security" and other professional antivirus software; install system patches in time; ignore emails and plug-ins of unknown origin; and regularly visit security websites to keep abreast of the latest information.

Of course, users can also choose a professional Trojan horse killing tool, Trojan horse defense line, which integrates killing, monitoring, management and upgrading. It can not only kill malicious programs such as Trojans, but also block computer ports through the built-in Trojan firewall to fully protect computers.

Fourth, hang a horse Trojan

Hello:

Hanging a horse is a way of spreading Trojan horses. In short, Trojans are malicious software, and hanging horses is one of the ways to let software enter users' computers.

In addition to hanging horses, Trojans can spread through many ways, such as plug-ins, infected players and so on.

The main way to defend against Trojans is to install anti-virus software. I suggest you install a computer housekeeper.

Its real-time protection part includes a 16-layer protection system.

It effectively defends the possible ways of Trojan virus invading the system.

It can keep you away from trojans and viruses.

If you have any questions in the future, please come back to the computer housekeeper enterprise platform to ask questions, and we will try our best to answer them for you.

Fifth, virus development history

The origin of computer virus

The concept of the computer virus actually originated quite early. A few years before the first commercial computer appeared, the computer pioneer John von Neumann outlined the blueprint of a virus program in his paper "Theory and Organization of Complex Automata".

But at that time, most computer experts could not imagine such a self-replicating program. In 1975, the American popular science writer John Brunner wrote a book called "The Shockwave Rider", which described for the first time the story of computers as a tool in the struggle between good and evil in the information society, and became one of the best-selling books of that year.

In the summer of 1977, Thomas J. Ryan's science fiction novel "The Adolescence of P-1" became an American bestseller. In this book, the author describes a virus that can spread from computer to computer. The virus finally took control of 7000 computers, causing a disaster. A few years later, things from the virtual science fiction world finally began to become a nightmare for computer users.

And almost at the same time, at the famous American AT&T Bell Labs, three young people played a boring game after work: writing programs that could eat other people's programs, to fight each other. This game, named "Core War", further embodied the concept of the "infectivity" of computer viruses.

On November 3, 1983, Fred Cohen, a student at the University of Southern California, USA, wrote under the UNIX system a program that would cause the system to crash, but this program did not attract the attention and recognition of some professors. Cohen published these programs in a paper to prove his theory, which caused quite a shock at that time.

Cohen's program established the destructive concept of the computer virus. However, the point at which this infectious and destructive program was actually called a "virus" came two years later, in a monthly issue of Scientific American.

A columnist named A. K. Dewdney began to call this program a virus when discussing "Core War" and Apple II computers (there is no doubt that Apple II computers were popular at that time, and the PC we are familiar with had not yet appeared at all). From then on, this infectious or destructive program finally had a name: "virus".

The first real computer virus arrived in 1987, when the first computer virus, C-BRAIN, was finally born (it seems that this is nothing to celebrate). Generally speaking, the industry recognizes it as the real ancestor of computer viruses with complete characteristics.

This virus program was written by a pair of Pakistani brothers, Basit and Amjad. They ran a local shop selling personal computers. Because local software piracy was prevalent, their main purpose was to prevent their own software from being pirated at will. As long as someone pirated their software, C-BRAIN would attack and eat the remaining space on the pirate's hard disk.

This virus didn't have much lethality at that time, but later some people made some abnormal viruses based on C-BRAIN. Other new virus creations also appeared, not only from individuals, but also from many creative groups (such as NuKE, Phalcon/Ski ***, VDV).

Various kinds of anti-virus software and professional companies also appeared. For a time, all kinds of virus creation and anti-virus programs were constantly innovating, like a hundred schools of thought contending.

Famous viruses of the DOS era

The so-called "virus of the DOS era" means that it is an antique from the DOS era. Readers should not think that now that you have entered the Windows 95/98 era, you will not be infected with viruses from the DOS era. In fact, because Windows 95/98 is a DOS-based operating system at best, even under Windows 95/98 you can still get burned if you are not careful!

Jerusalem, an antique virus, actually has a more widely known nickname, "Black Friday".

Why is there such an interesting nickname? The reason is simple: whenever it is Friday the 13th, the virus breaks out. When an attack occurs, all programs executed by users are terminated, and the symptoms are quite intense.

Michelangelo: the name Michelangelo is really famous among some early computer users. It is famous because it carries the name of the great artist Michelangelo and, more importantly, because its lethality is amazing: when Michelangelo's birthday comes on March 6 every year (which is why it is called "Michelangelo"), the virus celebrates the master's birthday by formatting the hard disk.

As a result, all the data you have worked so hard to build up is destroyed beyond recovery.

Monkey is said to be the first "boot-type" virus. As long as you start from a system floppy disk infected by Monkey, the virus will invade your computer and then wait for an opportunity to clear the partition table of the hard disk, so that the message "invalid drive specification" appears as soon as you start up.

Compared with "file-type" viruses, which can only infect when infected files are executed, Monkey is indeed more difficult to deal with.

Music Bug, a virus that sings loudly when it breaks out and can even cause data loss and failure to boot, is a virus originating in Taiwan Province.

So, when you hear a burst of music coming from the computer automatically, don't think that your computer is smarter than others; it is probably infected. In fact, there are many viruses that can sing, and there is also a famous virus (whose name has been forgotten) that sings "Two Tigers" when attacking! There were many kinds of viruses in the DOS period, and people constantly rewrote the existing viruses.

Later, some people even wrote the so-called "two-body engine", which can create a more diverse look of the virus and make people hard to prevent! The symptoms of virus attack are even more varied, some will sing, some will delete files, some will format the hard disk, and some will be on the screen.

Sixth, the history of computer virus

The earliest history of the computer virus can be traced back to 1982.

At that time, there was no formal definition of the term computer virus. That year, Rich Skrenta wrote a computer program called "Elk Cloner", which became the first computer virus to infect a personal computer (Apple II) in the history of computer viruses. It used floppy disks as its transmission medium, and the degree of damage was quite slight. The infected computer would only display a poem on the screen: "It will enter all your disks, it will infect your chip, yes, it is a clone! It will stick to you like glue, modify the memory, and then send it to the cloning program!"

1984 - Formal definition of computer virus

In 1984, Fred Cohen published an article entitled "Computer Virus - Theory and Experiments", which not only clearly defined the term "computer virus", but also described the experimental results of his research on computer viruses together with other experts.

1986 - The first computer virus widely spread in the MS-DOS personal computer system

The first malicious and widespread computer virus began in 1986. This computer virus, named "Brain", was written by two Pakistani brothers, and it can destroy the boot area of the computer. It is also considered to be the first virus able to hide itself from detection.

1987 - File infectors (Lehigh and Christmas Worm)

In 1987, the Lehigh virus was discovered at Lehigh University in the United States, and it was among the first batch of file infectors.

File infector viruses mainly infect .COM and .EXE files, and destroy data or the file allocation table (FAT), or infect other programs, during the execution of infected files.

1988 - The appearance of the first Macintosh computer virus and the establishment of the CERT organization

The first virus that attacked the Macintosh appeared in this year, and the "Internet worm" also triggered the first wave of Internet crisis.

In the same year, the world's first computer security emergency team was established and developed continuously, and it evolved into today's famous CERT Coordination Center (CERT/CC for short).

1990 - The first virus exchange bulletin board service (VX BBS) was launched in Bulgaria for virus programmers to exchange virus code and experience.

In the same year, anti-virus products such as McAfee Scan began to appear.

1995 - When macro viruses first appeared on the Windows 95 operating platform, computer viruses running on the DOS operating system were still the mainstream of computer viruses, but these DOS-based viruses often could not be copied to the Windows 95 operating platform.

However, just when computer users thought they could breathe a sigh of relief, at the end of 1995 the first macro virus running in the MS-Word working environment was officially released.

1996 - Windows 95 continues to be the target of attack, and the Linux operating platform is not immune

This year, the macro virus Laroux became the first macro virus to attack MS Excel files.

Staog is the first computer virus to attack the Linux operating platform.

1998 - BackOrifice

BackOrifice allows hackers to remotely control another computer without authorization through the Internet. The name of this virus also plays a joke on Microsoft's BackOffice products.

1999 - Melissa and CIH virus

Melissa is the earliest mixed macro virus: it attacks MS Word as a first step, and then uses the address book in MS Outlook and Outlook Express to spread the virus widely by email. In April of that year, the CIH virus broke out and more than 60 million computers around the world were destroyed.

2000 - Denial of service and love letters ("I Love You")

This year's denial of service attack was large in scale and paralyzed the services of major websites such as Yahoo and Amazon Bookstore. In the same year, Visual Basic script virus files attached to "I love you" emails were widely spread, which finally made many computer users understand the importance of handling suspicious emails carefully.

In August of that year, the first Trojan program running on the Palm operating system, "Liberty Crack", finally appeared. This Trojan horse program uses a crack for Liberty (a Game Boy emulator running on the Palm operating system) as bait, causing users to inadvertently spread the virus in wireless networks through infrared data exchange or e-mail.

2002 - Powerful and changeable mixed viruses

Klez and FunLove are typical mixed viruses, which not only infect computer files like traditional viruses, but also have the characteristics of worms and Trojan horses. It takes advantage of the security vulnerability of Microsoft mail system's automatic running of attachments, which consumes a lot of system resources and leads to the slow operation of the computer until it is paralyzed.

In addition to e-mail, viruses can also spread through network transmission and computer hard disks. Since 1999, the FunLove virus has brought great trouble to servers and personal computers, and many famous enterprises are victims.

Once infected by it, the computer will be in a state of running with a virus. It creates a background worker thread, searches all local drives and writable network resources, and then spreads quickly in files that are fully shared in the network.

2003 - Blaster and SOBIG

The "Blaster" virus broke out in August. It takes advantage of the security vulnerabilities of the Microsoft operating systems Windows 2000 and Windows XP, obtains full user rights to execute arbitrary code on the target computer, and continuously attacks computers with this vulnerability on the network through the Internet.

Because anti-virus software can't filter this virus, the virus quickly spread to many countries, causing a large number of computers to be paralyzed and the network connection speed to slow down. After the "shock wave" virus, the sixth generation "big promise" computer virus (SOBIG.F) wreak havoc and cross.