Exposing process camouflage

The development of Trojan camouflage technology is changing with each passing day. From process hiding to process insertion, it becomes increasingly difficult to deal with detection and removal. Generally, Trojan horses with the process insertion function inject themselves into the address space of other applications, and this application is an absolutely secure program for the system.

We found the dllplug-In path. If the path is embedded in the basic process of the system, such as svchost.exe, we cannot end the process.

The following example shows how a thread inserts a class backdoor to run on a machine. Take the popular movie devil4.exe Program (devil 4) as an example.

(Figure 5 ). After the configuration is complete, confirm the operation to make it take effect.

Figure 5

Once the target machine activates the configured program, “devil4.exe will be immediately inserted into the specified process. We can use the "fport v2.0" system tool to view all open TCP and UDP ports and display the corresponding applications (WinNT4/2000/XP is supported ). After running the "command prompt", enter the storage path of the fport program and run it.

When you see that the TCP port opened is the port 9000 customized by the author, it indicates that the virus process is successfully inserted (figure 6 ). When devil4.exe”and the program deldevil4.exe are run, you can clear Backdoors that reside in the system.

Figure 6

TIPS:If you want to block suspicious Ports, you can use third-party port tools such as Active Ports and DBPort. The two software are graphical interfaces, and the operation method is very similar. You can not only automatically refresh the process, but also immediately close the specified port.

It is not easy to scan and kill thread-Inserting Trojans. Because users can specify them at will When configuring the Insert Process, you must install anti-virus software and regularly upgrade the virus database.

To manually scan and kill, you must have a considerable level of knowledge and experience. Here we recommend a process spyware, a relatively good software. You can view the handle, ID, title, and path of the window and sub-window, as well as the number of threads of the parent process ID. You can also find the subordinate modules of the specified parent process ...... We need to focus on using the program's ability to view the DLL module and try to find suspicious insertion processes.

Software name: Process spyware
Software Version: V1.0.2.1
Software language: Simplified Chinese
Software type: Shared Software
Application Platform: Win9X/Me/2000/XP/2003
: Http://www.516688.net/bios/down/dpg1f.exe

After running the "process spyware" program, view the "process Tree" tab, click the "Refresh process" button, and select the process in the list on the left. After a process is elected, the program starts to process related information. Switch to the "module" tab (Figure 7) in the current right-side view, where many DLL threads inserted in the process are displayed, including the "module name" (which needs to be checked), "base address", "size", and "Incoming entry ". You can check the suspicious threads carefully. For example, the DLL insertion thread of girls from other countries is "% system32gwboydll. dll ".

Figure 7