Virus Trojan scan: Basic killing theory and experiment environment Configuration

Virus Trojan scan: Basic killing theory and experiment environment Configuration
I. Preface

The virus trojan detection and removal series takes the real virus Trojan Horse (or collectively known as a malicious program) as the research object, analyzes it through existing technical means, and summarizes its malicious behavior, then, a corresponding response method (such as writing a killing tool) is developed to thoroughly scan and kill the tool. Of course, this series focuses more on how to deal with a specific virus, rather than writing antivirus software in the broad sense. Today, the principle of Soft cutting is very complicated, and it is not done by one person. In addition, my personal level is limited, so it does not involve the problem of soft writing. However, I will analyze this in a later article at the theoretical level.

In this series of articles, I may scan and kill a virus or trojan in the following three ways: manually scan and kill, monitor malicious behaviors, write a killing tool, or use reverse analysis to decompile the code to thoroughly scan and kill. These methods further analyze the virus to more effectively combat malicious programs. It should be noted that manual virus detection and removal is relatively superficial, and it is difficult to completely clear the virus, but sometimes it is fast and effective. However, malicious programs are monitored through behaviors, which is much better than manual detection and removal, but sometimes some omissions may occur. In fact, it is best to use reverse analysis to understand malicious programs, but this often takes a lot of time.

It is hoped that this series of articles will play a popular role, so that everyone can eliminate the fear of virus and Trojan, so that every reader can become an expert of anti-virus.

Ii. Virus analysis methods

In general, unless it is an infectious virus, there is no need to conduct Reverse Analysis of the virus. You only need to analyze the behavior of the virus to write a killing tool. If it is an infectious virus, because it is necessary to repair files infected with viruses, it is not just a simple analysis of virus behavior, but a reverse analysis of the virus is required, in this way, files infected with viruses are repaired. Therefore, the actual analysis methods are as follows:

1. Behavior Analysis. Malicious programs have their own special behaviors to achieve their goals. These special behaviors are not available to normal applications. For example, copy yourself to the system directory (see Anti-Virus Defense Research Article 001st: self-replication and self-deletion), or add yourself to the startup Item (see Anti-Virus Defense Research Article 002nd: use the Registry to enable automatic startup, or inject a DLL file of your own into other processes (see section 010th anti-virus attack and defense research: DLL injection (in) -- DLL injection and uninstallation preparation)…… None of these actions are normal. After we get a virus sample, we usually copy the virus to the virtual machine, and then open the monitoring tool, such as Process Monitor (see article 003rd: ProcessMonitor help document (Part 3, with a simple demo of ProcessMonitor). After all the preparations are completed, run the virus on the Virtual Machine to check the registry, operations on the file, IP addresses connected to the file, and processes created by the virus. By observing this series of operations, you can write a program. As long as the process it creates ends, the content written to the registry is deleted, and the new file is deleted, the virus is killed. This is also the method used to manually scan and kill viruses. Of course, this process is not as easy as it is said.

2. Reverse Analysis. When a malicious program is infected with an executable file, the infected content cannot be found through the behavior monitoring tool. Virus Infection on executable files may be caused by the gap between the section and section in the PE file structure to store the virus code (see article 004th on Anti-Virus Defense Research: you can also add a new section to store the virus code (see article 005th on anti-virus attack and defense: Add a section to implement code implantation). Either method requires reverse analysis. Commonly used reverse analysis tools include OllyDbg, IDA Pro, and WinDBG.

Iii. virus detection and removal methods

There are many methods to scan and kill viruses. Today, with the increasing popularity of network security knowledge, we are vigorously promoting these methods in various major anti-virus software companies, most network security enthusiasts must have some knowledge about virus detection and removal technologies. Today's mainstream virus detection and removal technologies include pattern detection and removal, heuristic detection and removal, virtual machine detection and removal, and active defense.

1. Scan and kill signatures. Pattern scanning and removal is a primitive method to kill viruses by software vendors. It extracts the virus pattern from the virus body to identify the virus. However, this method can only detect and kill known viruses.

2. heuristic detection and removal. The file is determined statically by a series of "combination of Authorization Rules". If the calculated value is higher than a certain threshold, the file is considered a virus; otherwise, the file is not considered a virus. Heuristic detection and removal can relatively effectively identify viruses, but there are often false positives.

3. Scan and kill virtual machines. In the memory, a virtual runtime environment is used to run viruses. It determines whether a virus program is a virus program based on its behavior or the known virus pattern released. This technology is effective against shelling and encryption viruses, because these two types of viruses eventually need to be shelled and decrypted, kill software can be detected and killed after it has its original shape.

4. active defense. Real-time protection technology based on independent analysis and judgment of program behaviors does not use virus signatures as the basis for determining viruses, but starts from the original virus definition, directly use the program behavior as the basis for determining the virus. Active Defense is the process in which anti-virus engineers analyze and Judge viruses using software. It solves the drawbacks of traditional security software that cannot defend against unknown malware, technically, it implements active defense against Trojans and viruses.

Iv. Environment Configuration

All of our virus analysis work is performed on virtual machines. Therefore, installing a virtual machine is a required step. A virtual machine is also a software used to simulate a computer's hardware system. An operating system can be installed in a virtual machine, and various applications can be installed later. This is no different from a real computer. Operations on virtual machines do not affect our real system. However, it should be particularly noted that some particularly powerful viruses can bypass virtual machines and infect our real systems. This situation may be caused by a vulnerability in our virtual machine, which is exploited by the virus. Therefore, you must select the latest version of Virtual Machine Software. In addition to using virtual machines to analyze viruses, virtual machines are often used to debug system kernels (such as WinDBG. Common virtual machines include VMware and Oracle Virtual Machine VirtualBox. I personally like to use VMware because it is very powerful and basically all the tutorials will use this software as an example. However, Vmware always has inexplicable problems in my system. Therefore, in my experiment environment, I chose to use open-source and free VirtualBox.

Figure 1 VirtualBox Virtual Machine Interface

My VirtualBox uses version 4.3.12. The operating system installed in the virtual machine is Windows XP Professional SP3, which is a virtual processor, 1 GB memory, 10 Gb hard disk space, and M memory. While my real system uses Windows 8.1 (64-bit), with Intel Core i5-3230M GHz CPU, 4 GB memory. Unless otherwise specified, all the experiments in this series will be completed in this configuration.

Here we also need to talk about the system backup, because when analyzing virus programs, our virtual system will be more or less damaged by viruses, the backup function can restore the system to the State before being damaged. In VirtualBox, you can select generate backup under the "control" menu, enter the backup name, and save the backup. In this way, if you want to restore the system, you can select "Recover backup", as shown in (note the content in the red box ):

 

 

Figure 2 back up the system

Now, the basic configuration of our experiment environment is complete. The system in the virtual machine has not installed any software. I will explain it in different experiments.