Analysis of How to Improve a Trojan's Anti-Tracking Capability from the Perspective of Anti-Trojan Analysis
Preface
First, I declare that I am neither a technician at an antivirus software vendor nor a hacker. This article only records some analysis of Trojan horse technology and does not imply that these techniques are mainstream in the current Trojan technology field. It is shared only for exchange and discussion.
I personally think there are two common anti-Trojan techniques. One is to analyze the Trojan's network behaviour: for example, using Wireshark or another packet capture tool to analyze network characteristics (common when analyzing a single host), or using a hardware firewall to analyze network protocol packets (common when analyzing intranet traffic). The other is to analyze the Trojan's file behaviour, such as using Process Monitor to analyze the modifications a suspicious process makes to the system; in addition, antivirus vendors often reverse-engineer the Trojan's PE file.
This article focuses on the Trojan's network behaviour and on how that behaviour is used to improve the Trojan's anti-tracking capability.
Here I give a sketch of the Trojan design idea, as shown in the figure below:
[figure: sketch of the Trojan design]
The relevant source code is given in the reverse analysis below.
Next I analyze the Trojan's packet captures and use IDA Pro to reverse-engineer the Trojan's network behaviour.
To demonstrate the Trojan's behaviour at the same time, the controlled-end Trojan also runs concurrently and prints debugging information.
For example, the following are Wireshark packet captures.
[figure: packet captured when the TCP bounce (reverse) connection is established]
[figure: packet captured when the UDP bounce (reverse) connection is established]
The following is an analysis of the controlled-end program shell.exe in IDA Pro 6.6.
The IP address shown here is the same as the one obtained from the Wireshark capture: 23.218.27.34.
This IP address is used only as a decoy and disguise; it can be an address from any country.
The UDP call-home ("online") IP address or domain name is stored encrypted in the source code. The IDA Pro analysis result is as follows:
The corresponding C++ source code section is as follows:
Of course, this encrypted call-home IP address already appeared in the UDP packet capture and in the controlled end's debugging output.
From the Wireshark and IDA analysis of the Trojan, an analyst may conclude that the call-home IP address is 23.218.27.34 and overlook the real call-home IP address and port. Because most Trojans use TCP bounce connections, the UDP characteristics are easy to miss when analyzing a Trojan.
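As an added illustration from the defender's side (not code from the article or from its tool), the following Python script shows one way to avoid the mistake just described: it parses a constructed per-process connection log, groups each process's public peers by protocol, and flags any process whose UDP peers are not covered by its TCP peers, so the UDP call-home address is examined rather than dismissed. The log format, the process names and every address in it are constructed for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed per-process connection log (pid image proto local -> remote).
# Process 1234 keeps a TCP session to the decoy host while sending UDP to a
# different host; process 777 is ordinary TCP plus local DNS. Values are made up.
SAMPLE_LOG = """\
1234 shell.exe TCP 10.0.0.5:49152 -> 23.218.27.34:80
1234 shell.exe UDP 10.0.0.5:53211 -> 198.51.100.7:9999
777 browser.exe TCP 10.0.0.5:49153 -> 198.51.100.20:443
777 browser.exe UDP 10.0.0.5:53000 -> 10.0.0.1:53
"""

# Peers in these ranges are local infrastructure (DNS, loopback) and are ignored.
LOCAL_NETS = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_local(ip):
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def parse_log(text):
    """Return (pid, image, proto, remote_ip, remote_port) tuples; skip bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[4] != "->":
            continue
        pid, image, proto, _local, _arrow, remote = parts
        ip, port = remote.rsplit(":", 1)
        records.append((int(pid), image, proto.upper(), ip, int(port)))
    return records

def find_split_c2(records):
    """Flag processes whose public UDP peers are not a subset of their TCP peers.

    That is the decoy-TCP / hidden-UDP pattern; the UDP peers are the ones to
    investigate. Returns {pid: {"image": str, "tcp": set, "udp": set}}.
    """
    by_pid = defaultdict(lambda: {"image": None, "tcp": set(), "udp": set()})
    for pid, image, proto, ip, _port in records:
        if is_local(ip) or proto not in ("TCP", "UDP"):
            continue
        by_pid[pid]["image"] = image
        by_pid[pid][proto.lower()].add(ip)
    return {pid: e for pid, e in by_pid.items()
            if e["tcp"] and e["udp"] and not e["udp"] <= e["tcp"]}
```

On a real host the same grouping can be fed from `netstat -ano` or a Sysmon network-connection log instead of the constructed string; the point is to keep UDP peers in the picture when attributing a process's call-home address.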
Presented by the author
As a reward for reading this article, I have a small gift for you.
Network Connection Viewer (ver 0.5)
Main function: view the TCP and UDP connections of the current network.
Usage:
On Windows 7 or later, right-click the program and run it as administrator.
Download link: http://pan.baidu.com/s/1pJvHs6Z password: rgir