Byshell: A Trojan That Breaks Through Active Defense

Source: Internet
Author: User

"Computer Newspaper" mentioned a Trojan that can easily get through the active defense functions of Kaspersky, Rising and Norton: Byshell. So I searched the Internet, and the description I found of the Byshell promotional version says it can get past the active defense of Norton and Rising at their default settings. I brought back a promotional version to see whether Micropoint could stop it. After I generated the server and ran it, Micropoint did not disappoint: it immediately reported that it had found unknown monitoring software. I also wanted to try remote monitoring to see whether Micropoint would warn that a suspicious program was accessing the network, but because I was at work I gave up the idea.

According to Byshell's own description, the advanced version uses a new kernel driver and can easily penetrate ZA 6/7, McAfee Security Suite, McAfee 8.5i Standard Edition, KIS 6 (the Kaspersky security suite, including interactive mode), the Norton security suite 2007, Rising 2007, Avira (the "little red umbrella") and Trend 2006, even at these antivirus products' high security settings. Micropoint is not mentioned, however; presumably the author did not take it into consideration. If Micropoint's engineers are interested, they may wish to get the advanced version and study it to see whether it is really that impressive. If it can get through this long list of well-known antivirus products but is easily caught by Micropoint, that would be a happy result.

How to remove a Trojan that can break through active defense

Patient: The antivirus software I use has an active defense function that can intercept Trojans, but my mailbox account was still stolen recently. Why?

Doctor: This is quite normal. After all, no antivirus software is omnipotent or able to stop every current malicious program. Your mailbox was probably stolen by the kind of Trojan that can break through active defense, such as the latest Byshell Trojan. This is a new class of Trojan whose biggest feature is that it easily breaks through the active defense function of antivirus software.

Using the SSDT to bypass active defense

Patient: How does a Trojan like Byshell break through active defense?

Doctor: The earliest approach was for hackers to set the system date back to an earlier date, so that the antivirus software automatically turned off all of its monitoring functions; the active defense function then lost its ability to control anything as well. Now many Trojans can break through the active defense function without adjusting the system time at all.

Windows has a table called the SSDT, short for System Service Descriptor Table. This table is the channel through which application-level requests are passed to the system kernel.

All antivirus active defense functions work by modifying the SSDT so that a malicious program cannot run the way it normally would, which makes it easy to intercept. If you have installed antivirus software that includes active defense, you can view the table with the SSDT function of IceSword, and you will find the modified SSDT entries marked in red.

The Byshell Trojan looks up the system's current SSDT, then finds the original SSDT that the system used, and overwrites the current table with the original one. The Trojan program can then execute in the normal order, which ultimately leaves the active defense function completely ineffective.

Tips: Byshell adopts internationally leading penetration technology, using the latest kernel-driver technology to break the active defense of antivirus software. The antivirus products commonly used domestically, including Kaspersky, Rising, Trend and Norton, along with their latest related versions, can all be successfully broken through by the Byshell Trojan.
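The C sketch below is an added example, not code from the original article or from any tool it names. It models one way to implement the check behind an SSDT viewer's red annotations (classifying each handler by the module whose address range contains it) and goes one step further by comparing against a baseline, so that protection hooks that have silently disappeared, the effect described above, are flagged. The module ranges, handler addresses and the driver name avguard.sys are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: addresses and the driver name avguard.sys are made up. */
typedef struct { const char *name; uint32_t base, size; } Module;
typedef struct { const char *service; uint32_t handler; } SsdtEntry;
static const Module MODULES[] = {
    { "ntoskrnl.exe", 0x804D7000u, 0x00214000u },   /* kernel image */
    { "avguard.sys",  0xF7A10000u, 0x00020000u },   /* hypothetical AV driver */
};
static const SsdtEntry BASELINE[] = {   /* snapshot taken while AV protection was known good */
    { "NtCreateFile",         0x80579A3Cu },
    { "NtOpenProcess",        0xF7A11200u },
    { "NtWriteVirtualMemory", 0xF7A11480u },
    { "NtLoadDriver",         0xF7A11900u },
};
static const SsdtEntry SUSPECT[] = {    /* same services, later snapshot */
    { "NtCreateFile",         0x80579A3Cu },
    { "NtOpenProcess",        0x805CB440u },
    { "NtWriteVirtualMemory", 0x805B4400u },
    { "NtLoadDriver",         0x805A8E10u },
};

/* Name of the module whose image range contains addr, or "<unknown>". */
const char *owner_of(uint32_t addr) {
    for (size_t i = 0; i < sizeof MODULES / sizeof MODULES[0]; i++)
        if (addr - MODULES[i].base < MODULES[i].size)   /* unsigned wrap rejects addr < base */
            return MODULES[i].name;
    return "<unknown>";
}

/* An entry counts as hooked when its handler lies outside the kernel image. */
int is_hooked(const SsdtEntry *e) { return strcmp(owner_of(e->handler), "ntoskrnl.exe") != 0; }

/* Count entries that were hooked in the baseline but point back into the kernel now. */
int count_lost_hooks(const SsdtEntry *base, const SsdtEntry *now, size_t n) {
    int lost = 0;
    for (size_t i = 0; i < n; i++)
        if (is_hooked(&base[i]) && !is_hooked(&now[i])) {
            printf("hook removed: %-22s %08X (%s) -> %08X (%s)\n", now[i].service,
                   (unsigned)base[i].handler, owner_of(base[i].handler),
                   (unsigned)now[i].handler, owner_of(now[i].handler));
            lost++;
        }
    return lost;
}

/* Exit status is non-zero when any protection hook has gone missing. */
int main(void) { return count_lost_hooks(BASELINE, SUSPECT, 4) != 0; }
```

The same comparison, run after the antivirus software has been repaired or reinstalled, should report no missing hooks.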

Cleaning out a Trojan that breaks active defense

Patient: I understand the principle behind this kind of Trojan, but I still do not know how to remove it.

Doctor: Removal is not difficult, and the method is similar to removing other Trojan programs. Below we take a typical Byshell Trojan as an example to explain the concrete steps.

Step one: First run the security tool Wsyscheck. Click the "Process management" tab and you can see a number of processes shown in pink, which indicates that a Trojan thread has been inserted into these processes. Click the pink IE browser process; it contains a suspicious Trojan module, Hack.dll (Figure 1). Of course, hackers will sometimes set other names, so whenever we see a module with no "file Manufacturer" information we should be on our guard.

Step two: Next click the program's "Service Management" tab. Here you can also see a number of system services shown in red, which means these services are not services of the system itself. On inspection, a service named hack turns out to be suspicious because it has the same name as the Trojan module (Figure 2).

If the hacker has given the service a different custom name, pay attention to services labeled "Unknown" in the "status" column; it is best to check them one by one.

Step three: Click the program's "file Management" tab. In the simulated Explorer window, follow the path of the suspect module to quickly locate the suspicious Trojan module file Hack.dll; an executable file with the same name as the module file is also found there (Figure 3). It seems that this Trojan consists mainly of these two files.

Step four: Now we start removing the Trojan. In process management, first find the pink IE browser process, select it, and end it with the "End this process" command in the right-click menu. Then click the "Service Management" tab, select the service named Hack, and remove it with the "Delete selected services" command in the right-click menu.

Then select the program's "File Management" tab for the final cleanup of the Trojan files. After you find the Hack.dll and Hack.exe files in the system's System32 directory, click the "Delete files directly" command in the right-click menu to deliver the final blow to the Trojan. Now reboot the system and check to make sure the Trojan has been completely removed.

Step five: Because the Trojan program destroys the antivirus software's content in the SSDT, it is best to repair it with the repair function that comes with the antivirus software, or simply to reinstall the antivirus software.


Before planting a Trojan, a hacker's most important task is to make it evade antivirus detection, so that it avoids the signature detection of antivirus software. Nowadays, in addition to this basic evasion, hackers also work on how to break the active defense function. Trojans that can break through active defense already exist, and there will be more and more of this kind, so we must strengthen our security awareness.
