Rising latest Technical Analysis report confirms

Buckle The Bodyguard In addition to have its declared 11 categories of visible features, at least 4 hidden functions, these features only for QQ, and have users can not see, uncontrollable and other characteristics. These hidden features are active at any time and can be opened remotely by 360 of companies.

Yesterday, there have been media reports buckle bodyguards exist four back door technology, can be opened remotely at any time. But 360 denies it. Now finally obtained from the third party anti-virus agency rising Iron general confirmation.

The following is the full report:

360 Why does the bodyguard annoy Tencent?

----Third party independent research Report (I.)

October 29, 2010, 360 companies announced in Beijing, the introduction of a "buckle bodyguard" security tools, a comprehensive protection of the security of QQ users. The tool includes preventing privacy leaks, preventing Trojans from stealing QQ accounts, and speeding up the functions of QQ. 360 said, buckle buckle bodyguard default does not modify QQ any settings, all features must be triggered by the user active choice, and can be enabled and restored at any time.

Rising research and development department through the buckle Buckle bodyguard (1.0.0.1004 version) The main function of the implementation module QGuard.dll analysis: found that the software in addition to its declared 11 categories of visible features, at least 4 hidden functions, these features only for QQ, and have users can not see, uncontrollable and other characteristics. These hidden features are active at any time and can be opened remotely by 360 of companies.

Buckle Guard 4 Hidden features detailed analysis

Buckle The Bodyguard In addition to the visible function of the interface, there are shielding QQ software upgrades, hijacked Tencent browser, screen QQ to start a specific process list, backup and restore QQ software, etc. 4 hidden functions, they are controlled by the config.ini file switch. After analysis, the control file in the Buckle bodyguard installation package does not provide, after installation will not be automatically generated, only 360 "cloud Server" direct remote delivery (or users can manually generate activation hidden function). That is, the user has no control over these hidden functions and is not aware of their activation and validity.

Technical details:

Users use buckle bodyguard (1.0.0.1004 version), it will be its main function module QGuard.dll through the global hook way into Tencent QQ process, and intercept the QQ process system calls SHELLEXECUTEEXW and CREATEPROCESSINTERNALW, and always pay attention to config.ini file (Hidden function activation file), once found that the file exists, will be based on the contents of the file related to the hidden function of the activation action.

By analyzing the existing 4 hidden function codes, we can infer that there are at least 4 switches in the Config.ini file:

[Main]

disableupdate=1//Automatic shielding QQ upgrade, resulting in the user does not know the situation QQ software can not upgrade.

Disablebrowser=1//Hijack QQ to start the browser and replace it with 360 "safe" browsers.

com=< filtered process filename 1>;< filtered process file name 2>

Automatic shielding QQ starts the process of specifying the Mirror name sample table.

Enable_repair=1//Open Backup QQ parameters: whether to open the frame to guide users to backup QQ software

Maxnotifycount = 50//Open Backup QQ parameters: Maximum number of bomb frames

Firstnotify=1//Open Backup QQ parameters: QQ After the launch of the frame time (seconds)

The following is the code for the implementation of Windows API interception and API interception function by the buckle bodyguard QGuard.dll

Buckle bodyguard in the QQ IM process to intercept the relevant system API will be real-time monitoring QQIM START process action (users can not use any feature settings to hide the function to close the operation)

Hidden function: Automatic shielding QQ software upgrade after activation

The hidden feature affects the domain:

The hidden function activated, QQ security components, QQ itself and other software can not update the normal upgrade (users do not know, also will not get any error prompts), QQ software will become a "dead" software.

The following is a buckle security QGuard.dll in the interception of SHELLEXECUTEEXW and CREATEPROCESSINTERNALW after the launch of the QQ IM upgrade process (shielding QQ upgrade) recognition and shielding to upgrade part of the code.

If it is found that Auclt.exe, SelfUpdate.exe and QQSafeud.exe are initiated and disableupdate=1 in the Config.ini file, it will bypass the real system call, causing the QQ upgrade process to fail. These actions will have no hint to the user!

Hide two: After activation, according to the designated process list for the QQ Start program interception

The hidden feature affects the domain:

The hidden function after activation, will be based on the 360 delivery of the Config.ini designated process name for the QQ start program filtering. This will allow 360 to be very convenient for the controllable QQ launcher to intercept.

Buckle guards will also attempt to read the COM field under main primary key in Config.ini under 360\360safe\360qguard\ in the installation directory (refer to the config.ini structure described above). Because Config.ini does not exist under the default installation, there is no way to know the process that needs to be masked, but by analyzing the code you can tell that this field is a list of processes that are split by ";" The buckle bodyguard will intercept the start of a process with the same file name in this list.

The following is the QQ launcher block list Part code

The following are: Buckle bodyguard QGuard.dll Mask list Read code

In addition, the component field is read in the%appdata% profile Userconfig.ini, where 0 and 1 followed by each mirror name are the process mask switches.

%appdata%\360qguard\userconfig.ini contents are as follows:

[Component]

< file name and extension >=0|1 to block

Hidden function Three: After the activation of the QQ software browser hijacked (replaced by 360 browser)

The hidden feature affects the domain:

After this feature is activated, the QQ process launches the browser process (with the parameter browsing URL method) will be replaced with the start 360SE to browse (with 360 browsers installed). Since this feature is a blocking API implementation, no matter what the default browsing settings are for the user, Also regardless of Tencent QQ currently choose which browser will be hijacked into 360SE (with: This hidden function can not only hijack ttraveler.exe,qqbrowser.exe, but also according to the upgrade configuration at any time to specify the hijacked browser process name. ）

This QQ software users chat with all the URL link will be 360SE access to the amount of browsing.

Buckle Buckle Bodyguard QGuard.dll intercept program, found that QQ im start the program for Tencent Browser (TTraveler.exe and QQBrowser.exe), and Config.ini file content in Disablebrowser=1, will QQ The IM-initiated browser is automatically replaced by a 360 browser.

In addition, the last line of call InitComponent reads whether the component item in the profile Userconfig.ini in%appdata% has a mirror name of the specified name and is replaced with a 360 browser if it is found.

Hidden features four: After activation to deceive users to the QQ software backup (and can do recovery operations)

The hidden feature affects the domain:

The hidden function after activation, will be based on the 360 delivery of the parameters of the Config.ini configured to guide users to backup QQ software to 360 designated directory, and can be recovered through the deduction of bodyguards.

Fill in the above content in the Config.ini, the following dialog box will appear when starting QQ.

Here you can disable the automatic Update function of QQ. The backup button backs up all of the QQ data to the 360 configuration directory. The following figure:

The relevant code is as follows:

Analysis Summary:

Due to the 360 buckle security of these 4 hidden features highly targeted (for QQ software) and has:

1, without being informed by the user to destroy other software normal operation of the rogue software characteristics.

2, bypassing the user to control the hidden trigger door function characteristics.

3, the injection of other processes, modify its normal function of the operating mode of the plug-in characteristics.

These techniques are usually only seen in Trojans, backdoor, viruses and other malicious software, in a "security-name" software appears and for the normal use of software is extremely rare. It's also a good way to understand why 360 makes it so short-lived and why Tencent is so angry.

Attached：

From Baidu Encyclopedia to identify some of the definition of public awareness:

Plug: plug generally refers to the computer in operation, a program through some kind of event triggered to be linked to another program space (commonly used trigger events have keyboard trigger, mouse trigger, message triggering, etc.), the purpose of the hook is usually to change the way the hook program.

Backdoor function: A method of obtaining access to a program or system from a more covert channel, bypassing the security controls of the software.

New development of Rogue Software: New Rogue Software may not have bundled plug-ins, new rogue behavior, including deliberately hinder the use of other similar software, new rogue behavior, including the act of their own rogue as a bug or good function to cover up their dirty purposes, the new Rogue is proficient in psychology, The user's psychological research thoroughly thorough, and use this kind of psychology to do favor oneself of thing.