Trojans that run over the network currently tend to use TCP ports for remote control. Such Trojans are easy to detect for users who know something about network security, so attackers have developed Trojans that use UDP ports instead. These Trojans are well concealed and hard to spot. This article describes how the author dealt with a UDP Trojan and offers some reference.
I. Description
After I started the system, a prompt appeared from the network firewall asking whether "Internet Explorer" should be allowed to connect to the network. From the "Address" column of the prompt I confirmed that it was indeed the IE browser process asking for Internet access, but I had never used Maxthon for Internet access. Thinking it was a problem with the system itself, I restarted. Shortly after I dialed up again, however, the IE browser once more requested Internet access. A thorough virus scan of the system found nothing.
II. Digging into Ports for Clues
Although the anti-virus software found nothing, I had a vague feeling that the culprit behind the scenes was a Trojan program: rogue software does not check whether the system is connected to the Internet, while many Trojans do have that function. It may have escaped detection because it was a brand-new Trojan, or because the intruder had modified its signature to evade the scanner.
When I attempted to dial up again, the firewall once more reported an Internet access request from Internet Explorer. I ran the Trojan Helper Finder, a tool that assists users in checking for malicious programs (Figure 1), and clicked the "Port Information" option. Here you can see not only which ports are open, but also which processes opened them, so that you can decide, based on the actual situation, whether to terminate a process in order to close a port. Clicking "Refresh" updates the current port status.
Figure 1
From this information I found that the IE browser process was actually using the UDP protocol, which means the Trojan program also uses UDP. Under normal circumstances data is transferred over TCP, whether by IE browsing or by common Trojans.
Now I only needed to find out which Trojan programs use UDP for data transmission to know which Trojan was at work. Searching the Internet, I found that only one Chinese Trojan, named qinger, is transmitted over UDP (Figure 2).
Figure 2
Afterwards I learned that it was the first UDP Trojan in China. This Trojan is billed as "no process, no service, no DLL". It is started as a system service, and the user can customize the name of the startup service, the name of the server program, the installation directory, and the port it opens, which makes the Trojan harder to discover.
III. Remove the Trojan Based on Its Features
Since the server program is started through a system service, the service manager is used to look for suspicious services on the system.
Right-click the "My Computer" icon and select the "Manage" command. In the "Computer Management" window that opens, select the "Services" option (Figure 3) and look through the system's services for suspicious ones. I found a suspicious service named SQx and recorded the name of the startup service and the program path Windows\system32\sapoolsv.exe. Enter CMD in "Start > Run" to open a Command Prompt window, then enter "SC delete sqe" (Figure 4) to delete the service.
Figure 3
Figure 4
Click the "Process Monitoring" option in the Trojan Helper Finder and click the "Automatically scan suspicious programs" button. The program automatically examines the current processes and determines whether any are suspicious; none was found.
I then selected the IE browser process, which let me view all the DLLs loaded in the process in the "DLL name" window, and there I spotted a suspicious DLL, soul.dll. I terminated this fake IE browser process, then deleted the spoollsv.exe and soul.dll files from the C:\windows\system32 directory. After restarting the computer and dialing up again, no connection request appeared in the firewall. The Trojan was cleared successfully.
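The two manual checks above, mapping UDP ports to their owning processes and hunting for a suspicious service image under System32, can be scripted. The following is an added example written for this article, not a tool used by the author; it assumes Windows 8/Server 2012 or later (where Get-NetUDPEndpoint exposes OwningProcess) and the browser process names iexplore and Maxthon mentioned in the text.

```powershell
# Added example (not from the original article): triage helpers for the two
# checks the article performs by hand -- which processes own UDP sockets,
# and which services launch an unsigned binary.
# Assumes Windows 8/Server 2012 or later (Get-NetUDPEndpoint has OwningProcess).

function Get-UdpOwners {
    # One row per UDP endpoint with the owning process name and image path.
    Get-NetUDPEndpoint | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            Pid       = $_.OwningProcess
            Process   = $p.ProcessName
            Path      = $p.Path
        }
    }
}

function Find-BrowserUdpSockets {
    # In the article's case the "IE" process holding a UDP socket was the tell.
    # Browsers normally use TCP, so a browser image owning a UDP socket merits a closer look.
    Get-UdpOwners | Where-Object { $_.Process -match '^(iexplore|Maxthon)$' }
}

function Find-UnsignedServices {
    # Services whose image binary does not carry a valid Authenticode (or catalog) signature.
    # Genuine Windows services such as spoolsv.exe are signed; a look-alike usually is not.
    Get-CimInstance Win32_Service | ForEach-Object {
        # Strip surrounding quotes and trailing arguments from the PathName field.
        $exe = ($_.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        if (-not (Test-Path -LiteralPath $exe)) { return }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Service   = $_.Name
                StartMode = $_.StartMode
                Image     = $exe
                Signature = $sig.Status
            }
        }
    }
}

Find-BrowserUdpSockets | Format-Table -AutoSize
Find-UnsignedServices  | Format-Table -AutoSize
```

Once a service is confirmed malicious, it is removed with the same `sc delete <name>` command the article uses, followed by deleting the image file and rebooting.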