Anti-Virus Attack and Defense Research: Using WinRAR and AutoRun.inf for self-launch

Source: Internet
Author: User

I. Preface

From the previous studies in this series, we can see that in order to make the "virus" start itself, I have gone to considerable lengths and used various methods, which often required writing lengthy code and knowing a lot about the underlying system or the registry. This time I plan to discuss two simple ways of making a program start by itself, using WinRAR and AutoRun.inf. Both methods can work when the user's security awareness is not high. Of course, the most important point of the discussion here is to build security awareness.


II. Using WinRAR to implement auto-start

WinRAR is the most common decompression software. In many cases it is used to package files, or to compress a large target program, so that it is easier to carry around. Below is how a program can be made to start automatically. First, install WinRAR on the computer (my version is 5.10.0.0), right-click the program to be compressed, and select "Add to archive":

Figure 1 add to compressed file
Next, select "Create self-extracting archive" under "Compression options", and then name the new file:

Figure 2 set compression options and file names
Select the "Advanced" tab and open "Self-extracting options":

Figure 3 select "Self-extracting options"
On the "General" tab, enter the extraction path, which can be a hidden path. For convenience, I will extract to the desktop:

Figure 4 enter the extraction path
Finally, on the "Setup" tab, under "Run after extraction", enter the name of the program to run after extraction:

Figure 5 enter the program to run
Now that all the settings are complete, click "OK" to generate the self-extracting program. When the user extracts this file, the hacked.exe program is run directly. There is one problem here, however: the generated self-extracting program is actually an .exe file, and its icon differs from that of a normal .rar file. Neither the suffix nor the icon helps the program to hide. These two problems are not difficult to solve. In the "Tools" menu of the Explorer window there is "Folder Options"; under its "View" tab there is a "Hide extensions for known file types" option:

Figure 6 hide extension options
If this option is checked, file extensions are not displayed by the system. This can also be set in the registry: find UncheckedValue under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt and set it to 1; after that, file extensions are never displayed no matter how the setting is changed in "Folder Options". Here we assume that file extensions are not displayed on the system. We then append .rar to the original file name to disguise it as a .rar file.
After that, the file icon needs to be changed. The icon of an .exe file is fairly easy to modify. I am using Resource Hacker (3.6.0.92), which makes it easy to change our file's icon to the same icon as a normal .rar file. The specific steps are not discussed here. Then our disguise is complete (I did not find the rar icon, so I used another icon instead):

Figure 7 comparison before and after icon Modification

At this point all the work is done. It is often difficult to notice anything unusual about a disguised self-extracting file, so we need a sharp eye.
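A defender-side check for the disguise described above, added here as an example and not part of the original article: a genuine RAR archive begins with the bytes Rar!\x1a\x07, whereas a WinRAR self-extracting archive is a PE executable and begins with MZ no matter what name or icon it has been given. The script builds a few constructed sample files in a temporary directory and flags any file that looks like an archive by name (including the hidden-extension form name.rar.exe) but is an executable by content.

```python
import os
import tempfile

# Magic numbers: a genuine RAR archive starts with "Rar!\x1a\x07"; a WinRAR
# self-extracting archive is a PE executable (starts with "MZ") with the
# archive appended, so its first two bytes betray it whatever the name says.
RAR_MAGIC = b"Rar!\x1a\x07"
PE_MAGIC = b"MZ"
ARCHIVE_EXTS = (".rar", ".zip", ".7z")


def classify_file(path):
    """Return 'archive', 'disguised-sfx', 'executable' or 'other'."""
    name = os.path.basename(path).lower()
    with open(path, "rb") as f:
        head = f.read(8)
    is_pe = head.startswith(PE_MAGIC)
    # "photos.rar.exe" is displayed as "photos.rar" when extensions are hidden,
    # so treat both a trailing and a penultimate archive extension as "archive-like".
    stem, last = os.path.splitext(name)
    looks_like_archive = last in ARCHIVE_EXTS or stem.endswith(ARCHIVE_EXTS)
    if head.startswith(RAR_MAGIC):
        return "archive"
    if is_pe and looks_like_archive:
        return "disguised-sfx"
    if is_pe:
        return "executable"
    return "other"


def scan_dir(directory):
    """Map each file name to its verdict; only 'disguised-sfx' needs attention."""
    return {n: classify_file(os.path.join(directory, n))
            for n in sorted(os.listdir(directory))}


def demo():
    """Constructed samples (not real files): a real archive, a PE stub renamed
    to .rar, a PE stub with a double extension, and a plain text file."""
    d = tempfile.mkdtemp()
    samples = {
        "notes.rar": RAR_MAGIC + b"\x00" * 16,
        "photos.rar": PE_MAGIC + b"\x90\x00" + b"\x00" * 16,      # SFX renamed
        "photos.rar.exe": PE_MAGIC + b"\x90\x00" + b"\x00" * 16,  # hidden .exe
        "readme.txt": b"just text",
    }
    for n, data in samples.items():
        with open(os.path.join(d, n), "wb") as f:
            f.write(data)
    return scan_dir(d)
```

Run scan_dir() over a download folder to surface executables that are dressed up as archives; the icon check the article relies on is not needed, since the content check does not depend on it.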


III. Using AutoRun.inf to implement program self-start

The method of making a program start itself with AutoRun.inf is already quite old. Microsoft originally provided this function so that CDs or USB flash drives could run automatically, but hackers have been exploiting it: when a user double-clicks a drive letter, the malicious program is started, which caused problems for many users. Later Microsoft took the problem seriously and disabled the function completely, so users of newer operating systems do not need to worry about it. The problem may still occur on the first version of Windows XP.
To implement this, create a text document in the root directory of the drive you want to enable automatic startup for, rename it autorun.inf, double-click it, and enter the following content:

[Autorun]
shell\auto\command=Hacked.exe

Then save the file. The premise is that the program has already been placed in the root directory of the drive. For concealment, hackers may set the attributes of the written .inf file and of the malicious program to hidden. Of course, you can select "Show all files and folders" in "Folder Options":

Figure 8 hide file and Folder Options

Like the file extension setting, this item can also be found and set directly in the registry, at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL: set CheckedValue to 0. Then, no matter how "Folder Options" is set, files with the hidden attribute are never visible. This method can be combined with the WinRAR self-extracting program for good results.
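An added example (not from the original article) that reads an autorun.inf and lists the programs it would launch, covering the shell\<verb>\command form shown above as well as the open= and shellexecute= keys that Explorer also honours. The sample content is constructed from the entry in the article plus one open= line.

```python
import re

# Keys in [autorun] that make Explorer launch something: open=, shellexecute=,
# shell=<verb> (which verb is the default) and shell\<verb>\command=<program>.
_CMD_KEY = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Return launch-related entries as (kind, verb, command) tuples."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute"):
            targets.append((k, None, value))
        elif k == "shell":
            targets.append(("default-verb", value, None))
        else:
            m = _CMD_KEY.match(key)
            if m:
                targets.append(("verb-command", m.group(1), value))
    return targets


def report(text):
    """Return (human-readable lines, sorted list of executables that would run)."""
    found = parse_autorun(text)
    exes = sorted({cmd.split()[0] for _, _, cmd in found if cmd})
    lines = [f"{kind}: verb={verb!r} command={cmd!r}" for kind, verb, cmd in found]
    return lines, exes


# Constructed sample based on the entry shown in the article, plus an open= line.
SAMPLE = """[Autorun]
shell\\auto\\command=Hacked.exe
open=Hacked.exe /q
"""
```

Feed it the root-directory autorun.inf of a removable drive (read with the hidden attribute ignored, as the article's del /ah later shows) and compare the listed executables against what is actually present.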

 

IV. Defense methods

Two registry values were discussed above. In my opinion they are sensitive values: after all, there is normally no need to change them, so if they have been tampered with it is very likely that a malicious program did it, and special attention should be paid to them. As long as these two values have not been changed, you should select "Show all files and folders" in "Folder Options" and deselect "Hide extensions for known file types"; this exposes the disguised file. For the hidden files in the example above, you can enter:

del /ah /f c:\Hacked.exe & del /ah /f c:\autorun.inf

 

This forcibly deletes the hidden hacked.exe and autorun.inf files from the root directory of drive C.
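An added example, not part of the original article, that checks the two registry values discussed in this section. assess() compares observed values against the untampered defaults (UncheckedValue 0 under HideFileExt, CheckedValue 1 under Hidden\SHOWALL) and runs on any platform; read_live() reads the values from HKLM through winreg when the script is run on Windows.

```python
import sys

try:
    import winreg  # only available on Windows; the assessment itself is portable
except ImportError:
    winreg = None

BASE = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder"

# The two values the article singles out, with their untampered defaults.
# HideFileExt\UncheckedValue must be 0 so that unticking the box really shows
# extensions; Hidden\SHOWALL\CheckedValue must be 1 so that "Show all files"
# really shows hidden files. The tampered values are exactly those described above.
EXPECTED = {
    (BASE + r"\HideFileExt", "UncheckedValue"): 0,
    (BASE + r"\Hidden\SHOWALL", "CheckedValue"): 1,
}


def assess(observed):
    """observed: {(key_path, value_name): int or None}. Returns a list of findings."""
    findings = []
    for (path, name), expected in EXPECTED.items():
        actual = observed.get((path, name))
        if actual is None:
            findings.append(f"MISSING {path}\\{name} (expected {expected})")
        elif actual != expected:
            findings.append(f"TAMPERED {path}\\{name} = {actual} (expected {expected})")
    return findings


def read_live():
    """Read the two values from HKLM on Windows; returns None elsewhere."""
    if winreg is None:
        return None
    observed = {}
    for path, name in EXPECTED:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                observed[(path, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            observed[(path, name)] = None  # key or value absent
    return observed


if __name__ == "__main__":
    live = read_live()
    if live is None:
        print("Not on Windows; call assess() on values exported from the target.")
        sys.exit(0)
    for line in assess(live) or ["OK: both Folder Options values are at their defaults"]:
        print(line)
```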

 

V. Summary

This article discussed two methods of making a program start automatically without writing any code. I hope that readers build security awareness and learn about the possible WinRAR trick and the two important registry locations. Only by continually learning and improving security awareness can hackers be kept out and dependence on anti-virus software be reduced.

 
