Develop anti-virus software to completely clear DLL injection Trojans

Source: Internet
Author: User

This article is suitable for intermediate anti-virus software users.

What is a DLL injection Trojan? It is a Trojan that uses a DLL file: the DLL is inserted into a key system process, and that process is then used to start and run the Trojan's code. DLL files are dynamic link libraries in Windows and are required by many drivers and programs. Unlike an EXE file, a DLL file cannot be run directly. Simply put, a DLL Trojan is like a parasite hosted in an important system process; a DLL file on its own cannot execute. Just as a parasite cannot survive once it leaves its host, the DLL Trojan must be loaded by a host process to carry out remote control. But precisely because the DLL is injected into a system process, it is difficult for ordinary anti-virus software to detect and remove.

For example, open the KV2007 process viewer, select any process, right-click it, and choose the "module list" command. The dialog box that appears lists the modules loaded by that process (see the figure below).

[Figure: http://forum.jiangmin.com/UploadFile/2007-5/2007515161329471.jpg]

Among these modules there may be a DLL Trojan module. It is precisely because the DLL Trojan hides inside a process, rather than running as a separate process, that it is hard to find. It is also hard to remove. Why? Because the DLL Trojan is being used by the process that loaded it, so when you try to delete the Trojan file you are usually told that the file is in use and cannot be deleted. The file can only be deleted once the process the Trojan was injected into has been terminated. However, if the DLL Trojan has been injected into a process such as "csrss.exe" or "winlogon.exe" (as a popular hacker Trojan does), terminating that process restarts the system, so the Trojan becomes stubborn and cannot be cleared. Moreover, a DLL Trojan has a unique advantage: because it hides inside a normal system process, it can get past a network firewall and be controlled by a hacker or other malicious attacker. For example, suppose a DLL Trojan is injected into the IE process. When the Trojan connects to its remote control end, the firewall sees only the IE process using the network, so the DLL Trojan hidden inside it gets through unhindered.
Virus outbreaks such as "pandatv" and the "ANI vulnerability Trojan" may cause only a single wave of attacks, but DLL injection Trojans are a genuine, continuing threat to many computer users!
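The module-list check described above can be scripted on a modern Windows host. The following PowerShell script is an added example, not code from the article or from the KV2007 product: it walks the modules loaded by every process with a given name and flags any DLL that was loaded from outside a set of trusted directories or that does not carry a valid Authenticode signature. The process name `iexplore`, the trusted-directory list and the signature rule are assumptions chosen here for illustration; it needs an elevated PowerShell 5 or later session.

```powershell
# Added example (not from the article): audit a process's module list and flag
# DLLs that look out of place. Assumptions: elevated PowerShell 5+ on Windows 8+;
# the trusted-root list and the "must be validly signed" rule are heuristics chosen here.
param(
    [string]$ProcessName = 'iexplore'   # hypothetical target; use the host process you suspect
)

$trustedRoots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\WinSxS",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }   # drops the null entry on a 32-bit host

function Test-TrustedPath([string]$Path) {
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    # A 64-bit PowerShell cannot read the modules of a 32-bit process (and vice versa);
    # report the failure and move on instead of aborting the whole audit.
    try { $modules = $proc.Modules } catch { Write-Warning "PID $($proc.Id): $($_.Exception.Message)"; continue }

    foreach ($m in $modules) {
        $reasons = @()
        if (-not (Test-TrustedPath $m.FileName)) { $reasons += 'untrusted-directory' }
        # Catalog-signed system DLLs report Status 'Valid' on Windows 8 and later.
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        if ($sig.Status -ne 'Valid') { $reasons += "signature:$($sig.Status)" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                PID     = $proc.Id
                Process = $proc.ProcessName
                Module  = $m.ModuleName
                Path    = $m.FileName
                Reasons = ($reasons -join ',')
            }
        }
    }
}

$findings | Sort-Object PID, Path | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: legitimate shell extensions, input-method editors and browser add-ons are often unsigned or live under a user's profile, so each flagged path still has to be checked against the vendor and the file's hash before it is treated as a Trojan.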

Typical DLL injection Trojan: "shangxing remote control"

You may not know much about DLL Trojans, so here is an example of a Trojan called "shangxing remote control". What happens if such a Trojan is implanted in your system?

Shangxing Remote Control is an extremely powerful DLL injection Trojan. It supports domain-name bounce connections for remote control and can be injected into various system programs to effectively penetrate the firewall without being detected or killed by anti-virus software. The key part of the Trojan is its configuration (Figure 2).
[Figure 2: http://forum.jiangmin.com/UploadFile/2007-5/2007515161329326.jpg]
The injection option selected here is "iexplore.exe", the Internet Explorer process. We ran the generated Trojan on our own computer and saw that the control end could manipulate the computer where the Trojan was running: it could easily obtain the host's IP address, host name and ping value, and perform various remote control operations, uploading, downloading or deleting files on the controlled host's hard disk, with support for system management, a remote shell, screen capture and keystroke recording (Figure 3).
[Figure 3: http://forum.jiangmin.com/UploadFile/2007-5/2007515161329661.jpg]
In addition, the shangxing Trojan provides functions such as remote screen control (Figure 4), camera monitoring and keystroke recording, exposing the privacy and confidential data of computer users to "hackers"!

Generally, when anti-virus software is run it raises an alarm on detecting the virus. But when you try to use the anti-virus software to remove it, the Trojan files "rejoice.dll" and "rejoice0.dll" cannot be cleared or deleted, not even manually. This is because the DLL Trojan file is embedded in a running system process, and a file in use cannot be deleted! Of course, if the DLL Trojan is embedded in the explorer.exe or iexplore.exe process it is easy to clear: just stop those two processes and delete the Trojan file, or delete the virus file after restarting the system. But if it has entered a process such as svchost.exe, smss.exe, csrss.exe or winlogon.exe, terminating the process restarts the system! DLL Trojans such as NameLess BackDoor and Hacker's Door go further, implementing port multiplexing, registration as a system service and multi-threaded daemon protection, which makes them even more concealed and harder to scan for and kill. Moreover, a DLL Trojan that has been made "kill-free" (undetectable) is not recognized by anti-virus software at all, so it is not easy to discover.
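The paragraph above gives two removal routes: end the host process and delete the file when the host is an ordinary process, or fall back to deleting the file across a restart when the host is one the system cannot live without. The PowerShell script below is an added example, not part of the article, that automates that decision. It first finds which processes currently have the DLL mapped (the reason for the "file in use" error), deletes immediately if nobody holds it, stops the holders and deletes if they are all ordinary processes, and otherwise asks Windows to delete the file at the next boot through `MoveFileEx` with `MOVEFILE_DELAY_UNTIL_REBOOT` (the mechanism behind the `PendingFileRenameOperations` registry value). The DLL path and the list of processes treated as critical are assumptions chosen here; the path should be the one your scanner reported. It must run elevated.

```powershell
# Added example (not from the article). Assumptions: elevated PowerShell on Windows;
# $DllPath is a hypothetical path standing in for the file your scanner reported;
# $criticalHosts lists the processes the article says must not be terminated, plus lsass/services.
param(
    [string]$DllPath = "$env:SystemRoot\System32\rejoice.dll"   # hypothetical; use the scanner's reported path
)

$criticalHosts = @('svchost', 'smss', 'csrss', 'winlogon', 'lsass', 'services')

# 1. Which processes currently have this DLL mapped? A mapped image cannot be deleted.
$holders = @(Get-Process | Where-Object {
    try { $_.Modules | Where-Object { $_.FileName -ieq $DllPath } } catch { $false }
})

if ($holders.Count -eq 0) {
    Remove-Item -LiteralPath $DllPath -Force
    "Deleted $DllPath (no process had it loaded)."
    return
}

$holders | Select-Object Id, ProcessName | Format-Table -AutoSize

# 2. Only ordinary user processes hold it: ending them releases the file.
$critical = @($holders | Where-Object { $criticalHosts -contains $_.ProcessName })
if ($critical.Count -eq 0) {
    $holders | Stop-Process -Force
    Start-Sleep -Seconds 2
    Remove-Item -LiteralPath $DllPath -Force
    "Deleted $DllPath after stopping $($holders.Count) process(es)."
    return
}

# 3. A system-critical host holds it: do not kill it. Schedule deletion for the next boot.
if (-not ('Win32.Kernel32' -as [type])) {
    Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
}
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
if ([Win32.Kernel32]::MoveFileEx($DllPath, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
    "Scheduled $DllPath for deletion at next reboot (held by: $(($critical | ForEach-Object ProcessName) -join ', '))."
} else {
    throw "MoveFileEx failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
```

Scheduling the delete only removes the file; whatever loads the DLL at boot (a service entry, an AppInit_DLLs value, a Run key) must be removed as well, otherwise the host process simply fails to find the file and the persistence entry remains for the next variant.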

If, during routine use, the whole system becomes slow, typing lags when chatting or doing office work, web pages open slowly, or game or QQ account passwords are stolen and files are deleted or modified, we should suspect a DLL injection Trojan.

Although the Jiangmin firewall cannot directly intercept the communication between the DLL Trojan and the external server, it can display all connections between the local machine and external hosts, including which local process is listening on or connected to which remote port. So close all Internet Explorer windows, then click "program network status" on the Jiangmin firewall panel to expand the network status list of local programs. If you find that an iexplore.exe process is still present and has been connected to port 80 or port 8181 of the same host for a long time, you can preliminarily conclude that it is not Internet Explorer itself initiating these connections: it is a Trojan.
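The same check (all IE windows closed, yet an iexplore.exe process keeps a long-lived connection to one host) can be made without a third-party firewall on current Windows. The PowerShell script below is an added example, not code from the article or from Jiangmin: it lists established TCP connections owned by processes of a given name, records whether the owning process has a visible top-level window, and marks as suspicious those connections that belong to a windowless process and have been open longer than a threshold. The process name `iexplore` and the ten-minute threshold are assumptions chosen here; it needs Windows 8 or later for `Get-NetTCPConnection` and an elevated session so the owning process is reported.

```powershell
# Added example (not from the article). Assumptions: Windows 8+/PowerShell 5+ for
# Get-NetTCPConnection, run elevated so OwningProcess is populated; the process name
# and the age threshold are choices made here.
param(
    [string]$ProcessName = 'iexplore',
    [int]$MinAgeMinutes = 10
)

$procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) { "No $ProcessName process is running."; return }

# MainWindowHandle 0 means the process has no top-level window the user can see.
$hiddenPids = @($procs | Where-Object { $_.MainWindowHandle -eq 0 } | ForEach-Object Id)
$knownPids  = @($procs | ForEach-Object Id)

Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $knownPids -contains [int]$_.OwningProcess } |
    ForEach-Object {
        $pid   = [int]$_.OwningProcess
        $age   = (Get-Date) - $_.CreationTime
        $noWin = $hiddenPids -contains $pid
        [pscustomobject]@{
            PID          = $pid
            HiddenWindow = $noWin
            Remote       = "$($_.RemoteAddress):$($_.RemotePort)"
            AgeMinutes   = [int]$age.TotalMinutes
            Suspicious   = $noWin -and ($age.TotalMinutes -ge $MinAgeMinutes)
        }
    } | Sort-Object Suspicious, AgeMinutes -Descending | Format-Table -AutoSize
```

Run it after closing every Internet Explorer window, as the article says. Note that since IE 8 each tab runs in its own iexplore.exe child that has no main window of its own, so `HiddenWindow` alone is not evidence; the combination the article relies on is no windows at all, a connection that persists anyway, and always to the same remote host.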
