Discover hidden Trojans step by step

Source: Internet
Author: User
Tags: virus scan

Many hacker tools come with backdoors added by their authors, and it is easy to be tricked if you are not careful. How can you tell whether the software you downloaded contains a backdoor? Today I will describe the method I usually use to check whether a piece of software is safe.

1. Installing the program without letting Trojans and backdoors in

Downloading software from the Internet is risky: many download sites have been compromised by malicious users, or a Trojan has been bundled into the installer. So the first step is to check whether the download and installation process itself brings in a Trojan.

  1. Build a test environment

Before testing, I always back up the current system first. The backup tool I use most often is the computer protection system shown in Figure 1. It can create multiple restore points for the system and roll the system back to any of them; a restore takes no more than 10 seconds, which makes it ideal for software installation tests. Using it is simple: open the program interface, click the "Create progress" button on the left, enter a name for the restore point as its description, and confirm. A backup of the current system is then created.

Figure 1 Install "rain over the sky" to protect the computer

At the same time, I installed Jiangmin Antivirus KV2006 in the system and updated it to the latest virus database. Click "Tools" > "Options" in the menu, select the "Real-time Monitoring" tab, and enable every item so that real-time virus monitoring covers everything.

  2. Check the download page and Installer

Before opening the download page, make sure the anti-virus software's web page real-time monitoring item is enabled (Figure 2), then download a security tool from the website being tested. The anti-virus software raised no alert during the download. In Windows Explorer, right-click the downloaded compressed package and choose the "Jiangmin Antivirus" command to run a thorough virus scan; no virus was reported.

Figure 2 Jiangmin reports no virus

2. Monitor the installation process so that no backdoor slips in

Make sure the "File Monitoring" and "Registry Monitoring" functions of KV2006's real-time monitoring are enabled, then install the downloaded security tool. KV2006 reported no virus during installation, but the registry monitoring function did raise a prompt (Figure 3)!

Figure 3 Registry monitor prompt

What did the installer do to the registry? Click "Tools" > "Trojan Scan" in the KV2006 interface to open the Trojan scan tool, then click "View" > "Interception Record" in its menu. The list window in the middle shows the modified registry key, "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects", which is the key that controls which IE plug-ins are loaded (Figure 4). Open Internet Explorer and you will see an extra "erotic search" button in the toolbar.

Figure 4 The IE toolbar has an extra "erotic search" button

If you are not sure what to do, type "regedit.exe" in the Run dialog to open the Registry Editor, find the intercepted registry key, and delete it. Finally, scan the program's installation directory and the whole system with KV2006 again to confirm that the system is free of Trojans and viruses, then continue with the checks below.

3. Investigate the footprints the program leaves behind

Even if a program does not bring a Trojan or virus into the system, it may not uninstall completely, leaving behind a backdoor that quietly records the user's private data. After restoring the system, I test the uninstallation as follows:

  1. Generate a snapshot

Before installing the program, run the snapshot tool Regshot (download Regshot) and set the comparison report format to "HTML document". Tick "Scan" and set the directory to scan to "C:\"; under "Output path", set the location of the comparison file to "D:\". Then click "1st shot" > "Shot and Save", and the program starts taking a snapshot of the current system files and registry (Figure 5).

Figure 5 Generate a system snapshot

Then install the program. After it has been running for a while, uninstall it and switch back to Regshot. Click "2nd shot" > "Shot and Save"; the program scans the system files and registry as they are after the uninstallation and generates the second snapshot file.

2. Compare the snapshots

Click "Compare". The program compares the two snapshot files and opens the comparison report automatically when it is done. We can see that after the program was uninstalled no extra files remain on the hard disk, but some registry entries were left behind (Figure 6).

Figure 6 Comparison results
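As an added example that is not part of the original article or of Regshot, the snapshot comparison from this section and the Browser Helper Objects key from section 2 can be reproduced on two .reg exports: a small parser for the export format plus a comparison that lists keys and values present only in the second snapshot. The two exports, the CLSID and the value names are constructed samples.

```python
import re

def parse_reg_export(text):
    """Parse a Windows .reg export into {key_path: {value_name: raw_data}}.
    Handles the subset a snapshot comparison needs: [key] headers, "name"=data
    and @=data (default value) lines; the data is kept as raw text."""
    snapshot, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            snapshot.setdefault(current, {})
        elif current is not None:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            snapshot[current][name] = data
    return snapshot

def compare_snapshots(before, after):
    """Keys and (key, name, data) values present only in 'after': what Regshot
    reports as 'Keys added' and 'Values added'."""
    added_keys = sorted(k for k in after if k not in before)
    added_values = sorted((k, n, d) for k, vals in after.items()
                          for n, d in vals.items() if n not in before.get(k, {}))
    return added_keys, added_values

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
# Constructed sample exports: the snapshot before installation, and a snapshot
# after uninstalling in which the installer's BHO registration (constructed
# CLSID and names) was left behind.
BEFORE = f"Windows Registry Editor Version 5.00\n\n[{BHO_KEY}]\n"
AFTER = BEFORE + f"""
[{BHO_KEY}\\{{11111111-2222-3333-4444-555555555555}}]
@="Search Toolbar (constructed sample)"
"NoExplorer"=dword:00000001
"""

def leftover_entries():
    """Registry entries that survived the uninstall, per the two sample exports."""
    return compare_snapshots(parse_reg_export(BEFORE), parse_reg_export(AFTER))

if __name__ == "__main__":
    keys, values = leftover_entries()
    print("Keys added:", *keys, sep="\n  ")
    print("Values added:", *[f"{k} | {n} = {d}" for k, n, d in values], sep="\n  ")
```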

4. Detect associated Trojan processes

Some programs unpack and run a hidden backdoor in memory at the same time as the program itself, so it is important to check for processes that accompany the program.

1. Generate a process record file

Click "Start" > "Run", enter "cmd.exe" and open the Command Prompt window. At the prompt, run the command "tasklist > D:\1.txt". When it finishes, a file named "1.txt" is created on drive D, recording the names of all processes currently running in the system.

After running the program, run the command again as "tasklist > D:\2.txt" (PConline note: the tasklist command is included in Windows XP Professional but not in Windows XP Home). A new process record file named "2.txt" is generated.

2. Compare the process lists

Run the command "fc D:\1.txt D:\2.txt > D:\3.txt" in the Command Prompt window. The command compares the two process record files and writes the differences to a comparison file. Open the comparison file 3.txt: you can see that after the program was run, only one extra process, named "domain3.5.exe", was opened (Figure 7).

Figure 7 shows an additional domain3.5.exe process.

3. Detect hidden processes

However, the process management commands in Windows cannot display kernel-level or hidden processes that have rootkit behaviour, so you still need to check whether hidden spyware is created while the program runs. The IceSword tool is easy to use for this, so I will not describe it here.

5. Detect program Backdoors

Some programs carry backdoor components that collect private user data in the background without the user noticing. To send that data out, the backdoor must open a port, so you only need to check whether the system has any extra open ports.

Run IceSword, click "View" > "Port" on the left, and observe the system's open ports on the right. After running the program, right-click in the window and choose "Refresh list". You can see that the program has connected to port 8080 on a remote host (Figure 8)! The program may well contain a backdoor. Next we track and analyze what the backdoor program actually does.

Figure 8 Use IceSword to view the program's connection status
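As an added example that is not from the article, the process comparison from section 4 and the port check from section 5 can be combined in one script: it parses two tasklist captures, reports processes that exist only in the second one (unlike fc, a changed Mem Usage column or reordered rows do not count as a difference), and looks up the new PIDs in a netstat -ano capture to show where they are connected. The three captures, the PIDs and the 203.0.113.5 address are constructed samples; domain3.5.exe is the process name from the article.

```python
import re

# Row layout of 'tasklist' (Windows XP/2003): image name, PID, session name,
# session number, memory usage; the image name itself may contain spaces.
TASK_ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
# Row layout of 'netstat -ano' TCP lines: proto, local, foreign, state, PID.
NET_ROW = re.compile(r"^\s*TCP\s+\S+\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$")

def parse_tasklist(text):
    """Set of (image name, PID) for each process row; header and ==== lines do not match."""
    return {(m["image"], int(m["pid"])) for m in map(TASK_ROW.match, text.splitlines()) if m}

def new_processes(before, after):
    """Processes present only in the second snapshot."""
    return sorted(after - before)

def remote_connections(netstat_text, pids):
    """ESTABLISHED TCP connections owned by the given PIDs, as (PID, 'host:port')."""
    rows = filter(None, map(NET_ROW.match, netstat_text.splitlines()))
    return [(int(m["pid"]), m["remote"]) for m in rows
            if int(m["pid"]) in pids and m["state"] == "ESTABLISHED"]

# Constructed captures: before running the downloaded tool, after running it
# (svchost's memory usage changed, one process was added), and netstat afterwards.
TASKLIST_BEFORE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         16 K
svchost.exe                    860 Console                    0      4,212 K
explorer.exe                  1320 Console                    0     18,904 K
"""
TASKLIST_AFTER = TASKLIST_BEFORE.replace("4,212 K", "4,380 K") + \
    "domain3.5.exe                 1844 Console                    0      2,116 K\n"
NETSTAT_AFTER = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       860
  TCP    192.168.1.10:1052      203.0.113.5:8080       ESTABLISHED     1844
"""

def check_new_processes():
    """Return (new processes, their established remote connections)."""
    added = new_processes(parse_tasklist(TASKLIST_BEFORE), parse_tasklist(TASKLIST_AFTER))
    return added, remote_connections(NETSTAT_AFTER, {pid for _, pid in added})

if __name__ == "__main__":
    added, conns = check_new_processes()
    for image, pid in added:
        print(f"new process: {image} (PID {pid})")
    for pid, remote in conns:
        print(f"PID {pid} connected to {remote}")
```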

6. Sniffing the backdoor program

First run Winsock Expert, click "Open" in the toolbar, select the program's process name in the dialog box, and click "OK" to start sniffing. While sniffing, I carried out normal network operations, browsed some web pages, and wrote a document. After about 20 minutes I returned to the sniffing data window and looked for rows marked "Send" in the "Status" column. Clicking one of these rows shows, in the window below, that the program sent data to a remote server (Figure 9). I did not expect to find a string like "Username" in it! Although the data being sent looks strange, it must have sent the user name, and the password and other information must have been recorded and sent as well!

Figure 9 Use Winsock Expert to sniff the send status

I did not expect such a "hacker tool" to be available for anyone to download. I closed the program and wiped it from the system. Be careful with software downloaded from the Internet! If you run into a suspicious program, you can check it with the method I described above to see whether it is really clean!
