File comparison and detection of embedded (DLL-injection) Trojans

Source: Internet
Author: User

As computers have developed, Trojan technology has developed with them. The old generation of classic Trojans, led by Glacier, has gradually faded from use and has been replaced by a new generation of embedded Trojans: DLL-injection Trojans that use dynamic embedding techniques. The most common dynamic embedding techniques are hooks, API hooking and remote threads; today most embedded Trojans use remote-thread injection to attach themselves to a normal system process. Trojans of this kind are usually difficult to remove.

What an embedded Trojan is

So what is an embedded DLL Trojan? DLL code is almost the same as that of any other program; only its interface and the way it is started differ. Change the code entry point and a DLL becomes an independent program. Of course, a DLL file carries no program logic of its own, so this does not mean DLL = EXE; still, you can think of a DLL as an EXE without a main entry point, and of each exported function as one functional module of a program. A DLL Trojan is code that implements the Trojan's functions, written as a DLL file that exports the related APIs. To an observer it is just an ordinary DLL, but it carries the complete Trojan. The standard entry point of a DLL Trojan is DllMain, which either contains the Trojan's running code or points to the Trojan's execution module. Creating a remote thread in another process (the CreateRemoteThread API) in order to enter that process's memory address space is called "injection": the carrier creates a remote thread in the target process and has it load the DLL, and at that moment the Trojan is mounted and executing. No new process is created. This is the embedded DLL Trojan.
For this reason, attackers often inject DLL Trojans into critical system processes, such as the IE browser or explorer.exe, to start more reliably and to conceal themselves. Besides dedicated DLL Trojans, many well-known Trojans can generate either a conventional EXE server or a DLL server to suit different needs; typical examples are Black Hole and Pigeon. Both of these classics can generate either kind of server, and the DLL servers they generate are also notably stable, which is why all the major anti-virus vendors list them as key targets for detection and removal.

Find the embedded Trojan

Now that we know how embedded Trojans work, how can we discover and remove them promptly? Whether it is a traditional Trojan or an embedded one, the first thing to understand is where it hides. Like traditional Trojans, embedded Trojans favour the system32 directory. Based on this, right after installing the system and the necessary applications we record the exe and dll files in that directory: open CMD, change to the system32 directory, and run dir *.exe > exe.txt & dir *.dll > dll.txt. The names of all exe and dll files are now recorded separately in exe.txt and dll.txt.

If the system later behaves abnormally and the cause cannot be found by traditional means, we should consider whether an embedded Trojan is at work. Open CMD, change to system32 again, and run dir *.exe > exe1.txt & dir *.dll > dll1.txt to record the current exe and dll files in exe1.txt and dll1.txt. Then we compare the two sets of records to decide whether an embedded Trojan is present: run fc exe.txt exe1.txt > changeexe.txt & fc dll.txt dll1.txt > changedll.txt, which uses the fc command to compare the exe records and the dll records and writes each result to its own file. (The > operator overwrites its target, so redirecting both comparisons to one change.txt would keep only the second result.) From the two result files we can see which exe and dll files changed and which were added, and finally we check the creation time, version and packing of those files to tell easily whether they are the work of a DLL Trojan.

If so, first delete the dll file to the Recycle Bin so that it can be restored if deleted by mistake. If the system shows no problems after a restart, the dll file can be deleted permanently. At the same time, some processes load a great many DLL files, so checking them one by one is unrealistic. Here some tools can help narrow the scope: use a process-listing tool to dump the DLLs loaded by the suspicious process to usedll.txt, then run fc dll.txt usedll.txt > changenow.txt to write the comparison to changenow.txt, which greatly narrows the search. Viewing the dll files a process has loaded with such a tool and comparing them using the file-comparison method described above makes the DLL Trojan much easier to find. For ports, we can also sniff the data passing through a port; if the data is abnormal, use Fport to find the process that owns the port and repeat the steps above.
File comparison in practice

The methods above may still leave you unsure where to start, so here are the main steps of the file comparison.

◆ Application environment ◆

Windows Professional; the folder compared is d:\test

◆ Practical process ◆

Step 1: Open the test folder on drive D and record its contents: open CMD, change to d:\test, and run dir *.exe > exe.txt & dir *.dll > dll.txt.

This generates two text files, exe.txt and dll.txt, in d:\test with the following contents:

Exe.txt file:

The volume in drive D is entertainment
The serial number of the volume is 6078-F043

Directory of D:\test

11:59a    26,772,480 dx81setup.exe
11:59a       473,600 g5setupuncode.exe
2 files in 27,246,080 bytes
0 directories, 505,454,592 available bytes

Dll.txt file:

The volume in drive D is entertainment
The serial number of the volume is 6078-F043

Directory of D:\test

02:52a        36,924 php5apache.dll
02:52a        36,925 php5apache2.dll
02:52a        53,314 php5apache_hooks.dll
3 files in 127,163 bytes
0 directories, 505,454,592 available bytes

Step 2: I add several exe and dll files to the test folder, then repeat the dir commands to produce exe1.txt and dll1.txt, which are also written to the test folder.

Step 3: Compare exe.txt with exe1.txt and dll.txt with dll1.txt: open CMD and run fc exe.txt exe1.txt > changeexe.txt & fc dll.txt dll1.txt > changedll.txt.

After the comparison, changedll.txt and changeexe.txt contain the following:


Changedll.txt:

Comparing files dll.txt and DLL1.TXT

***** Dll.txt
02:52a        36,924 php5apache.dll
***** DLL1.TXT
02:52a       417,792 fdftk.dll
02:52a        90,112 fribidi.dll
02:52a       346,624 gds32.dll
02:52a        36,924 php5apache.dll
*****

***** Dll.txt
02:52a        53,314 php5apache_hooks.dll
3 files in 127,163 bytes
0 directories, 505,454,592 available bytes
***** DLL1.TXT
02:52a        53,314 php5apache_hooks.dll
6 files in 981,691 bytes
0 directories, 475,787,264 available bytes
*****

Only the lines between the markers matter, because they show the added files. Under the "***** Dll.txt" marker, fc prints just the one line of context it needs, 2005-03-31 02:52a 36,924 php5apache.dll; under the "***** DLL1.TXT" marker, the same php5apache.dll line appears last and stands for everything already in dll.txt, while the lines before it (fdftk.dll, fribidi.dll and gds32.dll) are the files I added, that is, the added files.

Changeexe.txt:

Comparing files exe.txt and EXE1.TXT

***** Exe.txt
11:59a       473,600 g5setupuncode.exe
2 files in 27,246,080 bytes
0 directories, 505,454,592 available bytes
***** EXE1.TXT
11:59a       473,600 g5setupuncode.exe
12:02p    13,058,048 mpsetup.exe
2004-10-30 09:11a    11,761,184 RealPlayer10-5GOLD_cn.EXE
12:02p     3,963,392 Winamp278cn_DFX_Blue.EXE
5 files in 56,028,704 bytes
0 directories, 475,787,264 available bytes
*****

The added content here is:

12:02p    13,058,048 mpsetup.exe
2004-10-30 09:11a    11,761,184 RealPlayer10-5GOLD_cn.EXE
12:02p     3,963,392 Winamp278cn_DFX_Blue.EXE

Step 4: Check whether the added files are ones you put there yourself. If not, delete the unexpected exe or dll file from the test folder.
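As an added example (not from the original article), the same baseline-and-compare method as a small Python script instead of dir and fc; it serves both the system32 procedure above and the four steps just shown. Unlike the article's name-only listing it also hashes each file, so a DLL replaced in place under its original name is reported as changed. The names snapshot, compare, save_snapshot, load_snapshot and demo are mine, and demo builds a constructed folder that mirrors the article's dll.txt walk-through.

```python
import hashlib
import json
import tempfile
from pathlib import Path

WATCHED = {".exe", ".dll"}  # the two file types the article records


def snapshot(folder):
    """Map each .exe/.dll name to (size, sha256). Hashing is an addition to
    the article's name-only dir listing: it also flags a DLL replaced in
    place under its original name, which dir output alone would not show."""
    snap = {}
    for p in Path(folder).iterdir():
        if p.is_file() and p.suffix.lower() in WATCHED:
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            snap[p.name.lower()] = (p.stat().st_size, digest)
    return snap


def save_snapshot(snap, path):
    """Persist a baseline; this plays the role of exe.txt/dll.txt."""
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_snapshot(path):
    return {k: tuple(v) for k, v in json.loads(Path(path).read_text()).items()}


def compare(baseline, current):
    """Like fc on the two listings: names only in the new listing are added,
    names only in the baseline are removed, same name with a different hash
    is a file changed in place. Returns three sorted name lists."""
    added = sorted(n for n in current if n not in baseline)
    removed = sorted(n for n in baseline if n not in current)
    changed = sorted(n for n in current
                     if n in baseline and current[n][1] != baseline[n][1])
    return added, removed, changed


def demo():
    """Constructed scenario mirroring the article's d:\\test walk-through."""
    with tempfile.TemporaryDirectory() as d:
        folder = Path(d)
        for name in ("php5apache.dll", "php5apache2.dll", "php5apache_hooks.dll"):
            (folder / name).write_bytes(b"original " + name.encode())
        save_snapshot(snapshot(folder), folder / "dll.json")       # step 1
        for name in ("fdftk.dll", "fribidi.dll", "gds32.dll"):      # step 2
            (folder / name).write_bytes(b"new " + name.encode())
        (folder / "php5apache2.dll").write_bytes(b"replaced in place")
        return compare(load_snapshot(folder / "dll.json"), snapshot(folder))


if __name__ == "__main__":
    added, removed, changed = demo()                                # step 3
    print("added:", added, "removed:", removed, "changed:", changed)
```

Anything listed as added or changed is what step 4 asks you to account for; run snapshot against the real system32 directory and keep the JSON baseline somewhere the machine cannot alter it.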

Conclusion

In short, embedded Trojans of this kind can be found and removed with the file-comparison method described above.
