Byshell: A trojan that passes through active defense

Source: Internet
Author: User
Tags: email account, ssdt

Computer Newspaper mentioned an undetectable Trojan that can easily penetrate the active defense functions of Kaspersky, Rising and Norton: byshell. So I searched the internet and found the byshell promotional version. Its description says the promotional version can pass through the default active-defense settings of Kaspersky, Rising and Norton. I took the promotional version and tried to see whether Micropoint could stop it. After the server was generated, Micropoint did not disappoint: it immediately reported that unknown monitoring software had been found. I also wanted to try the remote control side to see whether any suspicious program accessed the network, but since I had to go to work at the company, I gave up on that.

According to byshell's description, the advanced edition uses a new kernel driver to easily penetrate ZoneAlarm 6/7, the McAfee security suite, McAfee 8.5i Standard Edition, KIS 6 (the Kaspersky security suite, including interactive mode), the Norton security suite 2007, Rising 2007, Avira and Trend Micro 2006, all with their security settings at the highest level. However, it does not mention Micropoint; presumably the author has not considered Micropoint yet. If you are interested, you might get the advanced edition, study it, and see whether it is really that good. It would be remarkable if it really could get past such a large batch of well-known anti-virus products so easily.

How to clear Trojans that can break through active defense

Patient: My anti-virus software has an active defense function that intercepts Trojans, but my email account was recently stolen. Why?

Doctor: This is actually quite normal. After all, no anti-virus software is omnipotent and can block every malicious program. Your email account may have been stolen by the kind of Trojan that can break through active defense, such as the latest byshell Trojan. This is a new type of Trojan whose biggest feature is that it can easily break through the active defense function of anti-virus software.

Using the SSDT to bypass active defense

Patient: How do Trojans like byshell break through active defense?

Doctor: The earliest hackers changed the system date to an earlier date so that the anti-virus software would automatically disable all of its monitoring functions; naturally, the active defense function lost its protective capability as well. Now there are already many Trojans that can break through the active defense function without adjusting the system time.

In Windows there is a table called the SSDT, whose full name is System Service Descriptor Table. This table is the channel through which application-layer calls are passed to the system kernel.

The active defense function of every anti-virus product works by modifying the SSDT, so that malicious programs cannot run normally and are easily intercepted. If you have anti-virus software with an active defense function installed, you can use IceSword's SSDT function to view the modified SSDT entries, which are marked in red.

The byshell Trojan locates the system's current SSDT, then locates the original SSDT that the system used before it was modified, and overwrites the current SSDT with the original one. The Trojan program can then execute in the normal order, and the active defense function is permanently invalidated.

Tips: byshell uses world-leading penetration technology and the latest kernel-driver technology to break through the active defense of anti-virus software. The anti-virus software commonly used in China, including Kaspersky, Rising, Trend Micro and Norton, even in their latest versions, can all be broken through by the byshell Trojan.

Eliminating Trojans that break active defense

Patient: I understand how such Trojans work, but I still don't know how to clear them.

Doctor: The cleanup method is not difficult; it is similar to clearing other Trojans. The following describes how to clear a typical byshell Trojan.

Step 1: Run the security tool wsyscheck and click the "Process Management" tab. You will see several processes shown in pink, which indicates that the Trojan has injected a thread into each of them. Click the pink IE browser process and you will find a suspicious Trojan module, hack.dll (Figure 1). Of course, hackers sometimes use other names; in that case, we only need to be alert to any module that shows no "file vendor" information.

Step 2: Click the "Service Management" tab to see several services shown in red, which indicates that these are not system services. A service named hack is suspicious because it has the same name as the Trojan module (Figure 2).

Similarly, if a hacker gives the service another name, it will still be marked "unknown" in the "status" column. Pay attention to such entries; it is best to examine these services one by one.

Step 3: Click the "File Management" tab. In the simulated Explorer window, follow the path shown for the suspicious module and you will quickly find the Trojan module file hack.dll; an executable file with the same name as the module file is found next to it (Figure 3). It seems this Trojan consists mainly of these two files.

Step 4: Now we start clearing the Trojan. In "Process Management", first find the pink IE browser process, select it, and end it by right-clicking and choosing "End this process". Then click the "Service Management" tab, select the service named hack, and right-click and choose "delete selected service" to delete it.

Then select the "File Management" tab to clear the Trojan files. Find hack.dll and hack.exe in the system's system32 directory, right-click and choose "delete file directly" to deliver the final blow to the Trojan. Restart the system and check whether the Trojan has been cleared.

Step 5: Because the Trojan program destroys the anti-virus software's entries in the SSDT, it is recommended that you use the repair function provided by the anti-virus software to fix the problem, or simply reinstall the anti-virus software.
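The checks in Steps 1 and 2 come down to one condition: a loaded module or a service binary with no vendor information. As an added example that is not part of the original article and not code from wsyscheck, the following PowerShell script automates that triage on a modern Windows system, treating a file as "having a vendor" only if its version resource carries a CompanyName or it has a valid Authenticode signature (the process names, the field layout and the helper names are this example's own assumptions).

```powershell
# Added example (not from the article or wsyscheck): report services and
# loaded browser/Explorer modules that carry no vendor information, the
# condition the article treats as suspicious. Run from an elevated prompt.

function Get-BinaryPathFromCommandLine {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = $CommandLine.Trim()
    # Quoted path: everything up to the closing quote
    if ($cl.StartsWith('"')) { return $cl.Substring(1, $cl.IndexOf('"', 1) - 1) }
    # Unquoted path: cut at the first argument, e.g. C:\W\svchost.exe -k netsvcs
    $m = [regex]::Match($cl, '^(.+?\.(exe|dll|sys))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cl
}

function Test-FileHasVendor {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    # Vendor present = CompanyName string in the version resource, or a valid signature
    return (-not [string]::IsNullOrWhiteSpace($info.CompanyName)) -or ($sig.Status -eq 'Valid')
}

# Step 2 of the article: services whose binary has no vendor information
Get-CimInstance Win32_Service | ForEach-Object {
    $bin = Get-BinaryPathFromCommandLine $_.PathName
    if (-not (Test-FileHasVendor $bin)) {
        [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Detail = $_.State; Path = $bin }
    }
}

# Step 1 of the article: modules inside IE/Explorer processes without vendor information
Get-Process -Name iexplore, explorer -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try { $mods = $proc.Modules } catch { $mods = @() }   # 32/64-bit mismatch denies access
    foreach ($mod in $mods) {
        if (-not (Test-FileHasVendor $mod.FileName)) {
            [pscustomobject]@{ Kind = 'Module'; Name = $mod.ModuleName; Detail = "PID $($proc.Id)"; Path = $mod.FileName }
        }
    }
}
```

An empty vendor field is only a lead, not proof: legitimate in-house tools also lack one, so each hit should be examined the way the article does, by checking where the file lives and which service or process loads it.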

Summary

Before a Trojan is planted, the most important task for the hacker is to make it undetectable, so that it bypasses the anti-virus software's signature detection. Besides that basic anti-detection work, hackers also have to think about how to break through the active defense function. Trojans that can break through active defense already exist, and more of them will be used in the future. Therefore, we must strengthen our security awareness.

Original reference address: http://tech.ddvip.com/2008-01/120094592640939.html
