Remote access Trojan horse: using the Grey Pigeon software

Remote access Trojan – Grey Pigeon

1. A remote access Trojan runs a server on the victim's host that listens on a specific port. The intruder uses the Trojan client to connect to that port and send instructions to the server, gaining access to the victim's computer resources.

2. With this kind of Trojan, as long as someone runs the server program and the client knows the server's IP address, remote control is possible.

3. These programs allow the intruder to observe what the victim is doing.

1. Since Grey Pigeon first appeared in 2001, anti-virus professionals have judged it the most dangerous backdoor program, and it has attracted great attention in the security field. In 2004, 2005 and 2006, three consecutive years, the major domestic anti-virus vendors listed the Grey Pigeon Trojan among the ten viruses of the year.

2. Grey Pigeon uses the much-discussed "rebound port" connection to evade interception by most personal network firewalls.

Rebound port connection mode (the server on the victim host initiates the connection out to the client, so the firewall sees an outbound rather than an inbound connection):

1. Purpose of the experiment

1. Understand the working principle of a remote control Trojan, and use the Grey Pigeon Trojan to remotely control the target host;

2. Bundle the Trojan with a picture (two bundling tools);

3. Bundle the Trojan with an exe program;

4. Register the Trojan as a system service.

2. Experimental equipment and environment

One computer, a Windows XP virtual machine, a Windows 2003 virtual machine, and the Grey Pigeon software.

3. Experimental steps

1. Configure the experimental environment

Configure NAT mode for both VMs, set their IP addresses in the same network segment, and use the ping command to test connectivity.

2. Install Grey Pigeon

(1) Run the Grey Pigeon software; a copy of the software is saved to drive C.

(2) Copy the three folders from the original folder to drive C.

(3) Run the Grey Pigeon software on drive C; the interface is as follows.

3. Configure the server

(1) Click the "Configure Service Program" icon on the interface:

(2) For the fixed-IP online mode, enter the IP address of the local host, set the save path and file name (the defaults may be kept), and save to generate the server program.

4. Trojan horse implantation

Implant the Trojan on the target host and run it; the Grey Pigeon software automatically shows the host as online together with its host information.

Remote control

(1) Screen capture: capture the screen to see what the target host is doing.

(2) Remote control commands: send system commands to the target host.

(3) Command broadcast: the broadcast command can remotely shut down or restart the target host and open a specific web page.

(4) Message broadcast.

(5) Control of computer resources: control folders and create a new file; download files from the controlled host. Files can also be opened remotely, and the controlled host performs the same operation.

5. Trojan binding

5.1. Scatter-file bundler:

Uninstall the Trojan server program first. The source file is the picture and the bundled file is the Trojan; click the icon to change the displayed icon.

Click Bundle to generate the bundled file. Run it: the picture opens and the Trojan comes online.

5.2. Multi-file bundler:

Uninstall the Trojan server program first. Open the bundling software and bundle the picture with the Trojan.

Click Bundle to generate the bundled file. Run it: the picture opens and the Trojan comes online.

5.3. Exe bundler:

Uninstall the Trojan server program first. Open the exe bundling software:

1. First, select your game program;

2. Second, select your Trojan;

3. Specify the save path.

Click Start Bundle. Copy the bundled program to the tested host and run it; on the attacker's side the Trojan appears online.

6. Register the Trojan horse as a system service

Uninstall the Trojan server program first.

1. Install the service with instsrv (the srvany.exe wrapper launches the program named in the Parameters key): instsrv CQLService C:\srvany\srvany.exe

2. Open the registry: enter regedit and press Enter, then go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

3. Find "CQLService", right-click, create a new key and name it "Parameters";

4. Under Parameters, create a string value named "Application" in the right pane. Its value is the path of the Trojan program.

5. Create a string value named "AppDirectory" in the right pane. Its value is the directory where the Trojan is stored.

6. Start the service: enter services.msc, press Enter, and start the service.

7. The Trojan comes online.

8. Uninstall the service (stop the service before uninstalling!): instsrv CQLService remove
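The srvany persistence above leaves a recognisable footprint: a service whose ImagePath is srvany.exe and whose real payload is named in Parameters\Application. The following PowerShell check is an added example, not part of the original report; it enumerates every such service on the host so a defender can review what is actually being launched, and it makes no assumption about the service name (CQLService is only the name used in the lab).

```powershell
# Added defensive check: find services wrapped by srvany.exe and report the
# program they really start. Run from an elevated PowerShell prompt.
# srvany.exe is a legitimate Resource Kit tool, so every hit needs review
# rather than automatic removal.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SrvanyWrappedService {
    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $imagePath = [string]$svc.ImagePath

        # Match srvany.exe regardless of quoting, case or install directory.
        if ($imagePath -match '(?i)srvany\.exe') {
            $paramsKey = Join-Path $_.PSPath 'Parameters'
            $params    = Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue
            $app       = [string]$params.Application

            # Authenticode status of the wrapped binary, if it is on disk.
            $signature = 'file not found'
            if ($app -and (Test-Path -LiteralPath $app)) {
                $signature = (Get-AuthenticodeSignature -FilePath $app).Status
            }

            [pscustomobject]@{
                Service      = $_.PSChildName
                ImagePath    = $imagePath
                Application  = $app                 # the payload srvany launches
                AppDirectory = [string]$params.AppDirectory
                StartType    = $svc.Start           # 2 = automatic start, survives reboot
                Signature    = $signature           # unsigned or missing payload is suspicious
            }
        }
    }
}

# Review each result: the Application path should be a known administrative
# tool, installed deliberately, with a valid signature.
Get-SrvanyWrappedService | Format-List
```

An empty result means no srvany-wrapped service exists; a hit whose Application points at a user-writable path or an unsigned binary should be stopped and investigated rather than removed blindly.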