As users' security awareness has improved, keeping a Trojan alive on a victim's machine has become more and more of a problem. The people who plant Trojans are naturally unwilling to let them be found so easily, so they have come up with many ways to disguise them, and bundling a Trojan with WinRAR is one of those means. So how can we recognize a Trojan hidden this way? That is the question this article addresses.
An attacker can put a Trojan and another file that looks harmless, such as a Flash animation, in the same folder, add both to an archive, and build that archive as an EXE-format self-extracting file. When the victim double-clicks the self-extracting file, the Flash animation (or other file) is displayed while the Trojan file is launched quietly at the same time. This achieves the attacker's goal, which is to run the Trojan server program. The effect is very good for the attacker and hard for the other side to detect, because there is no obvious sign that anything is wrong, so running Trojans this way is currently very common. To expose this camouflage and understand how it is made (know yourself and know your enemy), let us look at an example below.
The goal of the example is to bundle a Flash animation (1.swf) and a Trojan server file (1.exe) into one self-extracting file, so that when the file is run, the Trojan starts while the Flash animation is being displayed. Put the two files in the same directory, hold down the Ctrl key, select 1.swf and 1.exe with the mouse, right-click, and choose "Add to archive" from the pop-up menu. A dialog box titled "Archive name and parameters" appears (Figure 2). In the "Archive name" field enter any file name, for example "stage comedy.exe" (anything likely to attract people to click it). Note that the file name extension must be .exe (that is, "Create SFX archive" is checked); by default it is .rar and has to be changed, otherwise the next step cannot be done.
Next, click the "Advanced" tab and then the "SFX options" button (Figure 3), which opens the "Advanced SFX options" dialog (Figure 4). In the "Path to extract" field enter C:\windows\temp. In fact the extraction path can be anything; it does not matter if the folder does not exist, because the directory is created automatically during self-extraction. In "Run after extraction" enter 1.exe, the name of the Trojan file the attacker intends to run in secret.
Next, click the "Modes" tab and select "Hide all" and "Overwrite all files" (Figure 5), which makes the bundle both safe for the attacker and hidden, so it is not easily discovered. If you want, you can also change the window title and icon of the self-extracting file: on the "Text and icon" tab (Figure 6), enter what you want shown in "Title of SFX window" and "Text to display in SFX window", which makes the file more deceptive and more likely to be trusted. Finally, click "OK" to return to the "Archive name and parameters" dialog.
Now click the "Comment" tab; you will see the content shown in Figure 7. This was added automatically by WinRAR according to the settings you just made, and is in fact the SFX script. In it, Path=C:\windows\temp is the self-extraction path, Setup=1.exe means that 1.exe, the Trojan server file, is run after extraction, and Silent and Overwrite stand for hiding the window and overwriting files respectively, with a value of 1 meaning "Hide all" and "Overwrite all files". As a rule, to hide the Trojan better, attackers modify the script above; for example, they change it to the following:
Path=C:\windows\temp
Setup=1.exe
Setup=explorer.exe 1.swf
Silent=1
Overwrite=1
Look carefully: the only change is the added line Setup=explorer.exe 1.swf. Clicking the "OK" button then generates a self-extracting file named "stage comedy.exe". Now, as soon as someone double-clicks that file, it opens the animation file 1.swf, and while people enjoy the beautiful Flash animation, the Trojan program 1.exe is already quietly running. Even more alarming, the default icon of the self-extracting file can also be replaced in WinRAR; if it is given the icon of a program everyone knows, is that not more dangerous still?
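As an added example from the defender's side (this is not code from the original article), the following Python script answers the article's opening question in two steps: it checks whether an .exe has a RAR archive appended to it, which is what every WinRAR self-extracting file looks like, and it parses the SFX script from the "Comment" tab and flags the combination shown above, namely Silent=1, Overwrite=1, an extraction path in a temp directory, and a second Setup= line that opens a decoy file through explorer.exe. The SFX scripts and the byte string are constructed samples; the RAR signature bytes are the public RAR 4.x and 5.x magic values; the function names and the "three or more findings" threshold are my own choices.

```python
import re

# Public RAR container signatures (RAR 4.x and RAR 5.x). A WinRAR SFX is a small
# stub .exe with the archive appended, so one of these appears after the MZ header.
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")

# Constructed sample: the modified SFX script from the article.
DECOY_SCRIPT = """Path=C:\\windows\\temp
Setup=1.exe
Setup=explorer.exe 1.swf
Silent=1
Overwrite=1
"""

# Constructed sample: what an ordinary installer-style SFX script looks like.
BENIGN_SCRIPT = """Path=%ProgramFiles%\\ExampleApp
Setup=setup.exe
"""

# Constructed sample of an SFX image: MZ header, 60 bytes of padding, then the
# RAR 4.x signature at offset 62 followed by a fake archive body.
SAMPLE_SFX_IMAGE = b"MZ" + b"\x00" * 60 + RAR_SIGNATURES[0] + b"constructed archive body"


def find_embedded_rar(data: bytes) -> int:
    """Return the offset of the first RAR signature inside a PE image, or -1
    if the data is not a PE file or contains no RAR archive."""
    if not data.startswith(b"MZ"):
        return -1
    offsets = [data.find(sig) for sig in RAR_SIGNATURES]
    offsets = [o for o in offsets if o != -1]
    return min(offsets) if offsets else -1


def parse_sfx_script(script: str) -> dict:
    """Parse Key=Value lines of an SFX comment script into a dict with
    lower-cased keys. Setup= may appear several times, so every Setup value
    is kept in order under 'setup'; other keys keep their last value."""
    cfg = {"setup": []}
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "setup":
            cfg["setup"].append(value)
        else:
            cfg[key] = value
    return cfg


def assess_sfx_script(script: str) -> list:
    """Return human-readable findings explaining why the script looks like
    the decoy bundle described in the article (empty list if nothing stands out)."""
    cfg = parse_sfx_script(script)
    setups = cfg["setup"]
    findings = []
    if cfg.get("silent") == "1":
        findings.append("Silent=1: extraction window hidden from the user")
    if cfg.get("overwrite") == "1":
        findings.append("Overwrite=1: existing files replaced without prompting")
    path = cfg.get("path", "")
    if re.search(r"(\\|/)temp\b|%temp%", path, re.I):
        findings.append("Path=%s: files dropped into a temp directory" % path)
    if len(setups) > 1:
        findings.append("%d Setup= lines: more than one program launched after extraction" % len(setups))
    # The decoy pattern: one Setup runs a bare .exe while another opens a
    # document or media file via explorer.exe so the user sees something harmless.
    direct_exe = [s for s in setups if re.fullmatch(r"\S+\.exe", s, re.I)]
    decoys = [s for s in setups
              if re.match(r"explorer\.exe\s+\S+\.(swf|jpg|png|gif|txt|docx?|pdf)$", s, re.I)]
    if direct_exe and decoys:
        findings.append("decoy launch: %s is opened while %s runs"
                        % (decoys[0].split(None, 1)[1], direct_exe[0]))
    return findings


def is_suspicious_sfx(script: str) -> bool:
    """Simple verdict: three or more findings is treated as a decoy bundle."""
    return len(assess_sfx_script(script)) >= 3


if __name__ == "__main__":
    print("RAR signature at offset", find_embedded_rar(SAMPLE_SFX_IMAGE))
    for finding in assess_sfx_script(DECOY_SCRIPT):
        print("-", finding)
    print("suspicious:", is_suspicious_sfx(DECOY_SCRIPT))
```

In practice the first check is the cheap triage: any .exe that carries a RAR signature deserves a look at its SFX script, which WinRAR shows on the "Comment" tab when the file is opened in it. A single Setup= line pointing at an installer is normal; the telling sign is a hidden window plus a second Setup= that merely opens a document or animation for the user to watch.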