Anti-Virus Defense Research: Self-Replication and Self-Deletion

Source: Internet
Author: User

I. Preface
Grounded in computer security knowledge, this series on virus attack and defense studies anti-virus and anti-Trojan techniques by analyzing the common techniques that viruses and Trojans implement. We will carry out in-depth attack and defense simulations to keep improving our defensive awareness and our technical skill against viruses and Trojans. I will present and discuss a virus or Trojan technique only when there is a method to counter it.
Unless otherwise stated, all programs were tested with VC++ 6.0 on Windows XP Professional SP3.
This series is based on the assumption that a MessageBox is the virus. Whenever the following dialog box pops up, the computer is considered to have a virus.

Figure 1 "virus" dialog box
All subsequent research focuses on how to make the MessageBox dialog box appear (simulating the virus) and, most importantly, on how to prevent the dialog box from appearing (simulating virus prevention).


II. The "virus" code used throughout the series
The following is the MessageBox code used to simulate a virus throughout this series:

#include <windows.h>

int main()
{
    MessageBox(0, "You have been hacked! (by J.Y.)", "Warning", 0);
    return 0;
}

After the program is compiled and linked, an EXE file is generated. Double-clicking the file runs the program, and a dialog box pops up telling the user that the machine has a "virus".

Therefore, the simplest way to avoid virus attacks is not to run executable programs of unknown origin. If you do not double-click them, the virus never gets to run.

 

III. Implementing self-replication and self-deletion

In general, viruses and Trojans like to copy themselves into the system directory (system32) and the Windows directory to hide, so that users take them for normal system files. (To keep it easy to find in this example, I did not change the name of the Hacked.exe copied into the system directory and the Windows directory. In practice it could be given a name that looks like a system file, which would make it harder to find.) We write a function to implement this behaviour:

void CopySelf()
{
    char szSelfName[MAX_PATH] = {0};
    char szWindowsPath[MAX_PATH] = {0};
    char szSystemPath[MAX_PATH] = {0};
    char szTmpPath[MAX_PATH] = {0};

    // obtain the path where the program itself is located
    GetModuleFileName(NULL, szSelfName, MAX_PATH);
    // obtain the Windows directory
    GetWindowsDirectory(szWindowsPath, MAX_PATH);
    // obtain the system directory
    GetSystemDirectory(szSystemPath, MAX_PATH);

    strcat(szWindowsPath, "\\Hacked.exe");
    strcat(szSystemPath, "\\Hacked.exe");

    CopyFile(szSelfName, szWindowsPath, FALSE);
    CopyFile(szSelfName, szSystemPath, FALSE);
}

However, this is not enough. Real viruses and Trojans often disappear after their first run; this is the self-deletion function. The easiest way to implement self-deletion is to create a ".cmd" batch file. The batch file runs the DOS command del to delete the executable file and then deletes itself with del. The implementation is as follows:

void DeleteSelf()
{
    HANDLE hFile = CreateFile("DelSelf.cmd", GENERIC_WRITE, FILE_SHARE_READ, NULL,
                              CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        return;
    }

    char szBat[MAX_PATH] = {0};
    // command that deletes the "virus" file
    strcat(szBat, "del Hacked.exe");
    strcat(szBat, "\r\n");
    // command that deletes the batch file itself
    strcat(szBat, "del DelSelf.cmd");

    DWORD dwNum = 0;
    WriteFile(hFile, szBat, strlen(szBat) + 1, &dwNum, NULL);
    CloseHandle(hFile);

    // run the batch file with a hidden window
    WinExec("DelSelf.cmd", SW_HIDE);
}

One disadvantage of the batch approach is that the file path and file name cannot contain spaces; otherwise the batch file fails. If no path is given in the batch commands, the files in the current directory are deleted by default and no error occurs.

The code above implements a simple "virus" behaviour: copying itself to sensitive system directories and then deleting itself to hide. This completes the coding of the "virus".

 

IV. Detection with antivirus software

Now let's see what some antivirus tools make of this program. The first is Kingsoft's "Fire Eye". The analysis report is as follows:

Figure 2 "Fire eye" Detection

"Fire Eye" identified it as a suspicious program; the analysis was very good and did not let me down. This shows that it is necessary to install antivirus software on a computer. The result is not surprising, because no antivirus-evasion processing has been applied to the program. Evasion techniques are left for a later part of the series.

Let's take a look at the file operation monitoring:

Figure 3 "Fire eye" File Operation Monitoring

It can be seen that this software copies itself to the %system% and %windir% directories (to find out what these two directories are on the local machine, enter "set system" and "set windir" at the command line). So far, "Fire Eye" has given us a fairly detailed analysis. Next, the program should be checked with other antivirus tools to see their results. Here, the online virus scanning site (https://www.virustotal.com) can be used for detection; the results are as follows:

Figure 4 Online Virus Detection results

As you can see, six antivirus engines consider this software problematic, so we can basically conclude that it is indeed suspicious software.
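The pattern visible in the file operation monitoring above (a process copying its own image into %windir% and the system directory, then being deleted by a batch file it dropped) can be matched mechanically. The following is an added example, not part of the original article and not output of "Fire Eye" or any other tool; the event format, paths, directory values and label names are constructed for illustration.

```python
import ntpath

# Assumed values of %windir% and the system directory on the analysed machine.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
SCRIPT_EXTS = (".cmd", ".bat")

def norm(path):
    """Case-fold and normalise a Windows path so comparisons are reliable."""
    return ntpath.normcase(ntpath.normpath(path))

def analyze(events):
    """Return {process image: set of behaviour labels} for suspicious images."""
    findings, dropped_by = {}, {}
    images = {norm(e[0]) for e in events}
    for image, op, source, target in events:
        image, target = norm(image), norm(target)
        src = norm(source) if source else None
        if op == "copy" and src == image and ntpath.dirname(target) in SYSTEM_DIRS:
            findings.setdefault(image, set()).add("self-copy-to-system-dir")
        elif op == "create" and target.endswith(SCRIPT_EXTS):
            dropped_by[target] = image  # remember which process wrote the script
        elif op == "delete" and target in images and target != image:
            # A process image removed by a different process after it ran.
            findings.setdefault(target, set()).add("image-deleted-after-run")
        elif op == "delete" and target in dropped_by:
            findings.setdefault(dropped_by[target], set()).add("dropped-script-removed")
    return findings

# Constructed sample records: (process image, operation, source, target).
H = r"C:\samples\Hacked.exe"
CMD = r"C:\WINDOWS\system32\cmd.exe"
EVENTS = [
    (H, "copy", H, r"C:\WINDOWS\Hacked.exe"),
    (H, "copy", H, r"C:\WINDOWS\system32\Hacked.exe"),
    (H, "create", None, r"C:\samples\DelSelf.cmd"),
    (CMD, "delete", None, r"C:\samples\Hacked.exe"),
    (CMD, "delete", None, r"C:\samples\DelSelf.cmd"),
    # Benign installer: copies a different file into system32, not itself.
    (r"C:\apps\setup.exe", "copy", r"C:\apps\editor.dll",
     r"C:\WINDOWS\system32\editor.dll"),
]

if __name__ == "__main__":
    for image, labels in analyze(EVENTS).items():
        print(image, sorted(labels))
```

Only the sample image is reported; the installer that copies a different file into system32 is not, because the rule requires the copy source to be the process's own image.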

 

V. Manual analysis

Generally, manual analysis is used to obtain the detailed behaviour of a virus or Trojan. Manual analysis is often more accurate than antivirus software, but less efficient. Analysis is normally performed in a virtual machine. However, since the program I wrote only shows a dialog box and contains no malicious code, it can be run directly on a real machine. Reverse analysis is divided into static and dynamic analysis, and each requires different software. Here I use IDA Pro for static analysis.

Because the code is simple and not encrypted, the MessageBox call can be found quickly with IDA:

.text:0040136A    push    0                ; uType
.text:0040136C    push    offset Caption   ; "Warning"
.text:00401371    push    offset Text      ; "You have been hacked!(by J.Y.)"
.text:00401376    push    0                ; hWnd
.text:00401378    call    ds:MessageBoxA

Next, two functions will be called:


.text:00401385    call    sub_401005
.text:0040138A    call    sub_40100A

Let's look at each call separately. The first is sub_401005:

.text:004010B4    push    104h                 ; nSize
.text:004010B9    lea     eax, [ebp+ExistingFileName]
.text:004010BF    push    eax                  ; lpFilename
.text:004010C0    push    0                    ; hModule
.text:004010C2    call    ds:GetModuleFileNameA
.text:004010C8    cmp     esi, esp
.text:004010CA    call    _chkesp
.text:004010CF    mov     esi, esp
.text:004010D1    push    104h                 ; uSize
.text:004010D6    lea     ecx, [ebp+NewFileName]
.text:004010DC    push    ecx                  ; lpBuffer
.text:004010DD    call    ds:GetWindowsDirectoryA
.text:004010E3    cmp     esi, esp
.text:004010E5    call    _chkesp
.text:004010EA    mov     esi, esp
.text:004010EC    push    104h                 ; uSize
.text:004010F1    lea     edx, [ebp+Dest]
.text:004010F7    push    edx                  ; lpBuffer
.text:004010F8    call    ds:GetSystemDirectoryA
.text:004010FE    cmp     esi, esp
.text:00401100    call    _chkesp
.text:00401105    push    offset Source        ; "\\Hacked.exe"
.text:0040110A    lea     eax, [ebp+NewFileName]
.text:00401110    push    eax                  ; Dest
.text:00401111    call    _strcat
.text:00401116    add     esp, 8
.text:00401119    push    offset Source        ; "\\Hacked.exe"
.text:0040111E    lea     ecx, [ebp+Dest]
.text:00401124    push    ecx                  ; Dest
.text:00401125    call    _strcat
.text:0040112A    add     esp, 8
.text:0040112D    mov     esi, esp
.text:0040112F    push    0                    ; bFailIfExists
.text:00401131    lea     edx, [ebp+NewFileName]
.text:00401137    push    edx                  ; lpNewFileName
.text:00401138    lea     eax, [ebp+ExistingFileName]
.text:0040113E    push    eax                  ; lpExistingFileName
.text:0040113F    call    ds:CopyFileA
.text:00401145    cmp     esi, esp
.text:00401147    call    _chkesp
.text:0040114C    mov     esi, esp
.text:0040114E    push    0                    ; bFailIfExists
.text:00401150    lea     ecx, [ebp+Dest]
.text:00401156    push    ecx                  ; lpNewFileName
.text:00401157    lea     edx, [ebp+ExistingFileName]
.text:0040115D    push    edx                  ; lpExistingFileName
.text:0040115E    call    ds:CopyFileA

The disassembly clearly shows the execution flow of the whole routine, the API functions it calls and the parameters of each call. It is relatively simple, so we will not go through it again here. Next is the disassembly of sub_40100A:


.text:00401200    push    0                ; hTemplateFile
.text:00401202    push    80h              ; dwFlagsAndAttributes
.text:00401207    push    2                ; dwCreationDisposition
.text:00401209    push    0                ; lpSecurityAttributes
.text:0040120B    push    1                ; dwShareMode
.text:0040120D    push    40000000h        ; dwDesiredAccess
.text:00401212    push    offset CmdLine   ; "DelSelf.cmd"
.text:00401217    call    ds:CreateFileA

This code calls the CreateFileA function and creates a file named "DelSelf.cmd". At this point, we understand what the whole program does through disassembly. The next step is to use the above analysis to remove this program.
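Before opening a sample in IDA, the API names and strings that the disassembly above revolves around can be pulled out with a quick string pass. The following is an added example, not part of the original article; the rule sets, label names and the two byte strings standing in for executables are constructed for illustration, and a hit is only a hint about where to start reading the disassembly.

```python
import re

COPY_APIS = {"GetModuleFileNameA", "CopyFileA"}
DIR_APIS = {"GetWindowsDirectoryA", "GetSystemDirectoryA"}
SCRIPT_APIS = {"CreateFileA", "WinExec"}
SCRIPT_EXTS = (".cmd", ".bat")

def ascii_strings(data, min_len=4):
    """Printable ASCII runs, as the `strings` utility would list them."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def triage(data):
    """Return heuristic labels for a binary; not a verdict on its own."""
    strs = ascii_strings(data)
    names = set(strs)
    labels = []
    # Own path + Windows/system directory + file copy: possible self-copy.
    if COPY_APIS <= names and DIR_APIS & names:
        labels.append("self-copy")
    scripts = [s for s in strs if s.lower().endswith(SCRIPT_EXTS)]
    deletes = [s for s in strs if s.lower().startswith("del ")]
    # File creation + process launch + batch name + del command text.
    if SCRIPT_APIS <= names and scripts and deletes:
        labels.append("script-delete")
    return labels

# Constructed byte strings standing in for two executables' string data.
SAMPLE = b"\x00".join([
    b"MessageBoxA", b"GetModuleFileNameA", b"GetWindowsDirectoryA",
    b"GetSystemDirectoryA", b"CopyFileA", b"CreateFileA", b"WinExec",
    b"\\Hacked.exe", b"DelSelf.cmd", b"del Hacked.exe", b"del DelSelf.cmd",
])
BENIGN = b"\x00".join([
    b"GetModuleFileNameA", b"CreateFileA", b"ReadFile", b"config.ini",
])

if __name__ == "__main__":
    print("sample:", triage(SAMPLE))
    print("benign:", triage(BENIGN))
```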

 

VI. Removing the "virus"

From the analysis above, we know that this program copies itself to the system directory and the Windows directory, and then creates a batch file to delete itself. As mentioned before, if you do not run an unknown program, you will generally not be infected. However, once the program has run and the dialog box has popped up, the computer already has the "virus". Although the analysis shows that the "virus" is not harmful, it is still necessary to delete it from the system. Because the "virus" is relatively simple, you can directly delete the "virus" file in the corresponding directories. The simplest way is to right-click the file and choose "Delete". However, you can also enter:

del /f %windir%\Hacked.exe & del /f %windir%\system32\Hacked.exe

Alternatively, you can use Notepad to create a .bat file with the following content:

@echo off
del /f %windir%\Hacked.exe & del /f %windir%\system32\Hacked.exe

Save the file and double-click it to run the batch file. These two methods are also common ways of manually removing viruses and Trojans.

 

VII. Summary

This chapter simulated a common technique of viruses and Trojans, copying themselves to the system directory and then deleting themselves, and briefly introduced how to use online virus scanning tools and manual detection and removal. This "virus" is simple and easy to handle, but it lays a good foundation for future research.
